> > Please could you have the /dev/raw RAW_SETBIND ioctl require
> > CAP_SYS_ADMIN?
>
> That is the _only_ thing which /dev/raw is there for. We already go
> through the VFS permissions layer in this case --- do we really need
> another permissions check internally?
I think so. When we get a proper [sg]etflags, immutable block
devices become usefully possible. This is a potential way around
that.
> If you really want such a check, I'll certainly accept patches!
Here's one against the raw.c in 2.3.12pre7.
Matthew.
--- raw.c.orig Wed Jul 28 11:33:36 1999
+++ raw.c Wed Jul 28 11:34:57 1999
@@ -12,6 +12,7 @@
#include <linux/iobuf.h>
#include <linux/major.h>
#include <linux/blkdev.h>
+#include <linux/capability.h>
#include <linux/raw.h>
#include <asm/uaccess.h>
@@ -233,6 +234,11 @@
}
if (command == RAW_SETBIND) {
+ if (!capable(CAP_SYS_ADMIN)) { /* XXX - CAP_MKNOD eventually */
+ err = -EPERM;
+ break;
+ }
+
/*
* For now, we don't need to check that the underlying
* block device is present or not: we can do that when
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/