On Thu, May 14, 2020 at 8:08 AM Stephen Smalley
wrote:
>
> On Wed, May 13, 2020 at 7:13 PM David Howells wrote:
> >
> > Stephen Smalley wrote:
> >
> > > > (3) An override due to CAP_SYS_ADMIN.
> > >
> > > CAP_SYS_ADMIN should never skip SELinux checking. Even for Smack,
> > > there is a
On Wed, May 13, 2020 at 7:13 PM David Howells wrote:
>
> Stephen Smalley wrote:
>
> > > (3) An override due to CAP_SYS_ADMIN.
> >
> > CAP_SYS_ADMIN should never skip SELinux checking. Even for Smack,
> > there is a separate capability (CAP_MAC_ADMIN) for that purpose.
>
> The LSM doesn't get
On Tue, 2020-05-12 at 23:33 +0100, David Howells wrote:
> Since the meaning of combining the KEY_NEED_* constants is undefined, make
> it so that you can't do that by turning them into an enum.
>
> The enum is also given some extra values to represent special
> circumstances, such as:
>
> (1)
Casey Schaufler wrote:
> > - if (perm & ~KEY_NEED_ALL)
> > - return -EINVAL;
> > + switch (need_perm) {
> > + default:
> > + return -EACCES;
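Review bot: The `default:` arm of the new `switch (need_perm)` returns -EACCES where the removed `perm & ~KEY_NEED_ALL` check returned -EINVAL, so a value outside the enum is now reported as a permission denial instead of an invalid argument. If that arm is only reachable through a kernel bug, say so in a comment and consider a WARN_ON() there so the bad value is trapped rather than silently denied. If callers can reach it, the changed error code belongs in the commit message.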
> ...
> Is the change from -EINVAL to -EACCES a bug fix?
> Does it introduce an incompatibility?
It shouldn't happen. All the
Paul Moore wrote:
> > + case KEY_NEED_VIEW: perm = KEY__VIEW; break;
> > + case KEY_NEED_READ: perm = KEY__READ; break;
> > + case KEY_NEED_WRITE:perm = KEY__WRITE; break;
> > + case KEY_NEED_SEARCH: perm = KEY__SEARCH; break;
> > +
Stephen Smalley wrote:
> > (3) An override due to CAP_SYS_ADMIN.
>
> CAP_SYS_ADMIN should never skip SELinux checking. Even for Smack,
> there is a separate capability (CAP_MAC_ADMIN) for that purpose.
The LSM doesn't get consulted at the moment. With this patch, it will get
consulted.
> >
On 5/12/2020 3:33 PM, David Howells wrote:
> Since the meaning of combining the KEY_NEED_* constants is undefined, make
> it so that you can't do that by turning them into an enum.
>
> The enum is also given some extra values to represent special
> circumstances, such as:
>
> (1) The '0' value is
On Tue, May 12, 2020 at 6:33 PM David Howells wrote:
>
> Since the meaning of combining the KEY_NEED_* constants is undefined, make
> it so that you can't do that by turning them into an enum.
>
> The enum is also given some extra values to represent special
> circumstances, such as:
>
> (1) The
On Tue, May 12, 2020 at 6:33 PM David Howells wrote:
> Since the meaning of combining the KEY_NEED_* constants is undefined, make
> it so that you can't do that by turning them into an enum.
>
> The enum is also given some extra values to represent special
> circumstances, such as:
>
> (1) The
Since the meaning of combining the KEY_NEED_* constants is undefined, make
it so that you can't do that by turning them into an enum.
The enum is also given some extra values to represent special
circumstances, such as:
(1) The '0' value is reserved and causes a warning to trap the parameter