On Tue, 30 Nov 2004 14:08:27 CST, "Serge E. Hallyn" said:
> I don't think that calling of capable from modules is a problem, because it
> is not actually called from any module's capable itself. It's used to
> check for specific privileges, and if any stacked LSM does not want to
> grant that privilege, then any action depending on that privilege should
> probably be refused.

Hmm.. so whatever is running the hooks calls LSM A, which decides to check whether CAP_FOO is asserted. As a result, it ends up calling LSM B's code - quite possibly getting us into a situation where:

1) LSM A denies the request because LSM B's code said "no".

2) even though LSM B's code didn't see a problem with granting the request, because it never even bothers to check for CAP_FOO in the hook for that request.

Consider a secondary LSM that doesn't check for inode xattrs, but SELinux calls it for CAP_SYS_ADMIN anyhow in selinux_inode_setxattr(). (Fortunately for us, the current commoncap.c *does* do The Same Check in its cap_inode_setxattr().)

Either that, or I just threw a -ENOCAFFEINE.. ;)
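As an added illustration (not code from this mail, nor from the kernel or any real LSM), here is a small user-space model in C of the interaction described above: a stacker that runs each module's inode_setxattr hook in turn, and whose capable() asks every stacked module's capable hook, so that a capable() call made from inside LSM A's hook ends up consulting LSM B. LSM A stands in for the selinux_inode_setxattr() behaviour the mail mentions (a "security." attribute requires CAP_SYS_ADMIN, checked via capable()); LSM B is a hypothetical secondary module that has no xattr hook at all but whose capable hook refuses CAP_SYS_ADMIN. The struct layout, hook signatures, "first denial wins" policy and the names lsm_a, lsm_b and setxattr_outcome are all simplifications assumed for the example, not the real LSM interface.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Capability number as in the Linux uapi headers. */
#define CAP_SYS_ADMIN 21

/* Simplified hook table for this model (not the real security_operations).
 * capable():         0 = grant, -EPERM = deny, NULL = no opinion
 * inode_setxattr():  0 = allow, -EPERM = deny, NULL = hook not implemented */
struct lsm_ops {
    const char *name;
    int (*capable)(int cap);
    int (*inode_setxattr)(const char *xattr_name);
};

#define MAX_LSMS 4
static const struct lsm_ops *lsm_stack[MAX_LSMS];
static int lsm_count;

void lsm_stack_reset(void) { lsm_count = 0; }

int lsm_stack_register(const struct lsm_ops *ops)
{
    if (lsm_count >= MAX_LSMS)
        return -ENOSPC;
    lsm_stack[lsm_count++] = ops;
    return 0;
}

/* Stacker's capable(): the privilege is asserted only if no stacked LSM objects.
 * This is the call an LSM's own hook code ends up making. */
int capable(int cap)
{
    for (int i = 0; i < lsm_count; i++)
        if (lsm_stack[i]->capable && lsm_stack[i]->capable(cap) != 0)
            return 0;
    return 1;
}

/* Stacker's inode_setxattr: run every LSM's hook in order, first denial wins. */
int security_inode_setxattr(const char *xattr_name)
{
    for (int i = 0; i < lsm_count; i++) {
        if (!lsm_stack[i]->inode_setxattr)
            continue;
        int rc = lsm_stack[i]->inode_setxattr(xattr_name);
        if (rc)
            return rc;
    }
    return 0;
}

/* LSM A: models the selinux_inode_setxattr() behaviour the mail describes.
 * Writing a "security." attribute requires CAP_SYS_ADMIN, obtained via capable(),
 * which goes through the stacker and therefore also consults LSM B. */
static int a_capable(int cap) { (void)cap; return 0; }

static int a_inode_setxattr(const char *xattr_name)
{
    if (strncmp(xattr_name, "security.", 9) == 0 && !capable(CAP_SYS_ADMIN))
        return -EPERM;
    return 0;
}

const struct lsm_ops lsm_a = { "A (SELinux-like)", a_capable, a_inode_setxattr };

/* LSM B: hypothetical secondary module. It has no xattr hook, so on its own it
 * would never block setxattr, but its capable() hook refuses CAP_SYS_ADMIN. */
static int b_capable(int cap) { return cap == CAP_SYS_ADMIN ? -EPERM : 0; }

const struct lsm_ops lsm_b = { "B (secondary)", b_capable, NULL };

/* Result of a user writing "security.foo" with the given modules stacked in order. */
int setxattr_outcome(const struct lsm_ops *const *mods, int n)
{
    lsm_stack_reset();
    for (int i = 0; i < n; i++)
        lsm_stack_register(mods[i]);
    return security_inode_setxattr("security.foo");
}

int main(void)
{
    const struct lsm_ops *only_a[] = { &lsm_a };
    const struct lsm_ops *only_b[] = { &lsm_b };
    const struct lsm_ops *a_then_b[] = { &lsm_a, &lsm_b };

    printf("A alone:  %d\n", setxattr_outcome(only_a, 1));   /* 0: allowed */
    printf("B alone:  %d\n", setxattr_outcome(only_b, 1));   /* 0: B never looks at xattrs */
    printf("A then B: %d\n", setxattr_outcome(a_then_b, 2)); /* -EPERM: A denies on B's word */
    return 0;
}
```

With only B loaded the write succeeds, because B has no setxattr hook and was never asked about one; with A stacked on top of B the same write is refused, because A's capable(CAP_SYS_ADMIN) is answered by B. That is the mismatch the mail points at: the denial comes from B's capable hook, not from any decision B made about setxattr. A commoncap-style secondary whose own inode_setxattr made the identical CAP_SYS_ADMIN check would reach the same answer either way, which is why that case is harmless.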
This archive was generated by hypermail 2.1.3 : Tue Nov 30 2004 - 12:45:00 PST