On Mon, 2003-06-02 at 06:44, Andrew Morton wrote:
> Chris Wright <chrisat_private> wrote:
> >
> > security_capable() returns 0 if that capability bit is set.
>
> That's just bizarre. Is there any logic behind it?

The LSM access control hooks all return 0 on success (i.e. permission granted) and negative error code on failure, like most of the rest of the kernel interfaces (e.g. consider permission()). Hence, the security_capable() hook returns 0 when the capability is granted to the specified task.

Naturally, the capable() function (which now internally calls security_capable) preserves the old interface, and most callers still invoke it rather than directly calling security_capable(). However, the oom killer code is performing a capability test for a task other than current; hence, it makes a direct call to the security_capable() hook that supports passing a particular task, unlike the capable() function.

--
Stephen Smalley <sdsat_private>
National Security Agency
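
The two return conventions described in the message above, as an added userspace C model (not code from the original post or from the kernel source). The struct, the `model_*` and `task_is_privileged*` names and the `current_task` variable are hypothetical stand-ins; only the 0-on-grant versus nonzero-on-grant behaviour is taken from the message.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only: hypothetical stand-ins, not kernel definitions. */
#define CAP_SYS_ADMIN 21                 /* sample capability number */
#define CAP_TO_MASK(c) (1u << (c))

struct task { const char *comm; unsigned int cap_effective; };

struct task *current_task;               /* stands in for the kernel's `current` */

/* LSM-style hook: 0 = permission granted, negative errno = denied. */
int model_security_capable(const struct task *t, int cap)
{
    return (t->cap_effective & CAP_TO_MASK(cap)) ? 0 : -EPERM;
}

/* Old boolean interface: nonzero = granted, and always about `current`. */
int model_capable(int cap)
{
    return model_security_capable(current_task, cap) == 0;
}

/* Test on a task other than current, so the hook is called directly.
 * Correct form: "granted" means the hook returned 0. */
int task_is_privileged(const struct task *t)
{
    return model_security_capable(t, CAP_SYS_ADMIN) == 0;
}

/* The mistake the convention invites: reading the hook like capable().
 * Every unprivileged task is then treated as privileged, and vice versa. */
int task_is_privileged_buggy(const struct task *t)
{
    return model_security_capable(t, CAP_SYS_ADMIN) != 0;
}

int main(void)
{
    struct task admin = { "daemon", CAP_TO_MASK(CAP_SYS_ADMIN) }; /* constructed */
    struct task user  = { "shell", 0 };                           /* constructed */

    current_task = &user;
    printf("capable() for current (%s): %d\n", user.comm, model_capable(CAP_SYS_ADMIN));
    printf("hook for %s: %d\n", admin.comm, model_security_capable(&admin, CAP_SYS_ADMIN));
    printf("correct check on %s: %d, buggy check: %d\n", user.comm,
           task_is_privileged(&user), task_is_privileged_buggy(&user));
    return 0;
}
```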