Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
From: James Morris
Date: Fri Mar 10 2017 - 20:05:58 EST
On Fri, 10 Mar 2017, Stephen Smalley wrote:
> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Acked-by: James Morris <james.l.morris@xxxxxxxxxx>
--
James Morris
<jmorris@xxxxxxxxx>