David Howells <[email protected]> wrote: > > This means that it expects to trigger those capability checks as part of > > its subsequent actions. Raising those capabilities temporarily in its > > credentials will pass the capability module checks but won't address the > > corresponding SELinux checks (both capability and file-based), so you'll > > end up triggering an entire set of checks against the current process' > > credentials. This same pattern is repeated elsewhere in overlayfs. > > Hmmm... Yes. I need to check whether the lower file can be read *before* > overriding the creds.
Actually, I think ovl_permission() does sufficient checks on the lower inode by calling __inode_permission() upon it. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
