Re: [PATCH] Realtime LSM

[Jack O'Quin]

Chris Wright <chrisw@xxxxxxxx> writes:

> * Jack O'Quin (joq@xxxxxx) wrote:
> > Chris Wright <chrisw@xxxxxxxx> writes:
> > > use in_group_p
> > 
> > I looked at that, it wasn't clear to me whether to use in_group_p() or
> > in_egroup_p().  How do you choose?
> 
> For most cases they'll be identical.  The difference is whether you're
> comparing the fsgid or the egid.  The former is what's used for file
> access, the latter might make more sense in your case.  However, in
> 99.9% of the cases you care about fsgid == egid, so it's a wash.  So,
> in_egroup_p matches a bit better.  Relative to the other patches...

Thanks.  I was familiar with gid, and egid from other Unix kernels,
but fsgid is new to me.  

In what cases does it *differ* from the effective group ID?

> --- security/realtime.c~rm_CONFIG_SECURITY	2004-10-08 16:16:35.000000000 -0700
> +++ security/realtime.c	2004-10-08 21:06:28.020084984 -0700
> @@ -66,7 +66,7 @@
>  	if ((gid == e_gid) || (gid == current->gid))
>  		return 1;
>  
> -	return in_group_p(gid);
> +	return in_egroup_p(gid);
>  }
>  
>  static int realtime_bprm_set_security(struct linux_binprm *bprm)

This adds a test against current->egid in addition to the explicit
check of current->gid.  I don't see any problem with that.  AFAICT,
the current->gid check is still useful.
-- 
  joq
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/