Thanks for the comments, they are all right on.
> - error = secondary_ops->capset_check(target, effective, inheritable, permitted);
> - if (error)
> - return error;
> -
> + if (secondary_ops) {
> + int error = secondary_ops->capset_check(target, effective,
> + inheritable, permitted);
> + if (error)
> + return error;
> + }
> return task_has_perm(current, target, PROCESS__SETCAP);
> }
> </snip>
>
> Why did you make this conditional on secondary_ops, vs. any other hook?
A mistake in manually reverting an older patch, in both instances.
> I'm not sure about the interface for get/set:
> - I would think you would want it to be equally possible to implement
> them as functions rather than macros (i.e. explicitly pass by pointer
> arguments that are going to be set),
I'm not sure what you mean by this.
> - I would think that you would want to allow existing forms like:
> struct inode_security_struct *isec = inode->i_security;
> to be able to be converted more easily to something like:
> struct inode_security_struct *isec = security_get_value(inode, ID);
I would prefer that, but passing in the struct inode_security_struct lets
the security_get_value() get the container_of the hlist_head itself,
since it can do typeof(*isec). Otherwise the calling code has to do
it. The change in semantics is pretty un-C-like, though. Is it agreed
the benefit is not worthwhile? Is there another way of accomplishing this
that I'm not seeing?
thanks,
-serge
This archive was generated by hypermail 2.1.3 : Sat Nov 13 2004 - 06:16:36 PST