* Lorenzo Hernandez Garcia-Hierro (lorenzohgh@private) wrote:
> On Thu, 10-11-2005 at 00:04 -0800, Chris Wright wrote:
> > 4) Passing capability could mean elimination of capable() call from
> > relevant ioctl code. Tempting, but this obfuscates the security check.
> > But keeping it means it's likely called twice.
>
> You're right. During development we found an issue which was already
> being worked out by upstream, it was related to one capability, also
> with a check "hard coded" in a SELinux hook (security/selinux/hooks.c).
> We decided to leave the capable() callbacks, hence double-making the
> capability checking (in hook call and inside the proper _ioctl()
> function). Need to decide what one needs to get removed.

Yes. With the table it's redundant to have the call, although it's then
much less clear from looking at a particular case what the privilege
checking is.

> Keep in mind that we should make the capability checking code in the
> hook, available to *any* interfaces, and not making it SELinux dependent
> due to the problems that would take place when a user doesn't compile
> SELinux support in the kernel. That's the problem, we can't remove the
> capable() check until we ensure that we can check the capability without

Yes, of course. You'd simply place the call to capable() in the hook.

thanks,
-chris
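The trade-off discussed in this thread, as an added userspace model that is not code from the thread or from the kernel: a table maps ioctl commands to capabilities, a hook that does not depend on SELinux performs the check, and a handler optionally keeps its own inline check so the double call becomes visible. All names, command numbers and the table layout are assumptions made for illustration.

```c
/* Userspace model of the design under discussion; not kernel code.
 * Every name and command number below is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

enum { MODEL_CAP_NET_ADMIN = 12, MODEL_CAP_SYS_RAWIO = 17 };
enum { MODEL_IOC_SETADDR = 0x1001, MODEL_IOC_RAWREAD, MODEL_IOC_GETINFO };
static unsigned long task_caps;  /* modelled effective capability set */
static int capable_calls;        /* how many times the check ran */

static bool model_capable(int cap) {
    capable_calls++;
    return (task_caps >> cap) & 1UL;
}

/* The table: which capability each privileged ioctl command needs. */
static const struct { unsigned int cmd; int cap; } ioctl_caps[] = {
    { MODEL_IOC_SETADDR, MODEL_CAP_NET_ADMIN },
    { MODEL_IOC_RAWREAD, MODEL_CAP_SYS_RAWIO },
};

/* Hook: always compiled in, so the check does not depend on SELinux. */
static int model_ioctl_hook(unsigned int cmd) {
    for (size_t i = 0; i < sizeof(ioctl_caps) / sizeof(ioctl_caps[0]); i++)
        if (ioctl_caps[i].cmd == cmd)
            return model_capable(ioctl_caps[i].cap) ? 0 : -EPERM;
    return 0;  /* command not in the table: nothing to check */
}

/* Handler with the legacy inline check that may or may not be kept. */
static int model_handler(unsigned int cmd, bool inline_check) {
    if (inline_check && cmd == MODEL_IOC_SETADDR &&
        !model_capable(MODEL_CAP_NET_ADMIN))
        return -EPERM;
    return 0;
}

/* Runs one ioctl; returns its result and reports how many checks ran. */
int model_do_ioctl(unsigned long caps, unsigned int cmd,
                   bool inline_check, int *checks) {
    task_caps = caps;
    capable_calls = 0;
    int rc = model_ioctl_hook(cmd);
    if (rc == 0)
        rc = model_handler(cmd, inline_check);
    *checks = capable_calls;
    return rc;
}
```

With the inline check kept, a permitted call to the privileged command runs the capability test twice; with it removed, the hook alone still denies an unprivileged caller, but the handler no longer shows which privilege it requires.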
This archive was generated by hypermail 2.1.3 : Thu Nov 10 2005 - 08:29:11 PST