Re: [RFC PATCH v3] security,capability: pass object information to security_capable

Thursday, 15 August 2019

On Thu, 15 Aug 2019, Aaron Goidel wrote:

...
 In SELinux this new information is leveraged here to perform an
 additional inode based check for capabilities relevant to inodes. Since
 the inode provided to capable_wrt_inode_uidgid() is a const argument,
 this also required propagating const down to dump_common_audit_data() and
 dropping the use of d_find_alias() to find an alias for the inode. This
 was sketchy to begin with and should be obsoleted by a separate change
 that will allow LSMs to trigger audit collection for all file-related
 information. 
Will the audit logs look the same once the 2nd patch is applied? We need 
to be careful about breaking existing userland.

-- 
James Morris
<jmorris(a)namei.org&gt;

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [RFC PATCH v3] security,capability: pass object information to security_capable