Re: [PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

From: James Morris
Date: Fri Mar 10 2017 - 20:05:58 EST


On Fri, 10 Mar 2017, Stephen Smalley wrote:

> generic_permission() presently checks CAP_DAC_OVERRIDE prior to
> CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
> using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
> may not be required for the operation. Flip the order of the
> tests so that CAP_DAC_OVERRIDE is only checked when required for
> the operation.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>


Acked-by: James Morris <james.l.morris@xxxxxxxxxx>


--
James Morris
<jmorris@xxxxxxxxx>
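
The effect described in the quoted commit message, as an added example that is not part of the original thread or the kernel source: a simplified user-space model of the two capability checks for a non-directory. The names `capable_model`, `perm_old`, `perm_new` and `audited_denials` are hypothetical, and the model assumes every failed capability check is audited, that CAP_DAC_READ_SEARCH suffices for a read-only request, and that CAP_DAC_OVERRIDE suffices for any request.

```c
#include <stdio.h>

/* Constructed bit values for this model, not the kernel's numbering. */
enum { CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2 };
enum { MAY_WRITE = 2, MAY_READ = 4 };

static unsigned held;          /* capabilities the LSM policy allows */
static unsigned denied_logged; /* capabilities whose denial was audited */

/* Stand-in for a capability check: a failed check leaves an audit record. */
static int capable_model(unsigned cap)
{
    if (held & cap)
        return 1;
    denied_logged |= cap;
    return 0;
}

/* Order before the patch: CAP_DAC_OVERRIDE is always probed first. */
static int perm_old(unsigned mask)
{
    if (capable_model(CAP_DAC_OVERRIDE))
        return 0;
    if (mask == MAY_READ && capable_model(CAP_DAC_READ_SEARCH))
        return 0;
    return -1;
}

/* Order after the patch: the narrower capability is probed first. */
static int perm_new(unsigned mask)
{
    if (mask == MAY_READ && capable_model(CAP_DAC_READ_SEARCH))
        return 0;
    if (capable_model(CAP_DAC_OVERRIDE))
        return 0;
    return -1;
}

/* Run one check; return the bitmask of audited denials, result in *rc. */
unsigned audited_denials(int use_new, unsigned caps, unsigned mask, int *rc)
{
    held = caps;
    denied_logged = 0;
    *rc = use_new ? perm_new(mask) : perm_old(mask);
    return denied_logged;
}

int main(void)
{
    int rc;
    unsigned d = audited_denials(0, CAP_DAC_READ_SEARCH, MAY_READ, &rc);
    printf("old order: rc=%d audited denials=%#x\n", rc, d);
    d = audited_denials(1, CAP_DAC_READ_SEARCH, MAY_READ, &rc);
    printf("new order: rc=%d audited denials=%#x\n", rc, d);
    return 0;
}
```

In the model, a read by a task holding only CAP_DAC_READ_SEARCH succeeds under both orders, but only the old order leaves a CAP_DAC_OVERRIDE denial in the audit trail.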