On 2016-04-15 12:48, Linus Torvalds wrote:
> On Fri, Apr 15, 2016 at 8:46 AM, Emrah Demir <ed at abdsec.com> wrote:
>>
>> file_ns_capable bring some problems.
>
> No it does not. file_ns_capable() is _required_ for security. We have
> had several security issues with file IO doing "capable()", and it's
> wrong and insecure.
Of course file_ns_capable() is required, I didn't know you made some
changes in include/linux/seq_file.h file
>> I used capable and now there is no problem as far as I tested.
>
> You just screwed up the security, and with your change, a suid
> application can be fooled into making the hidden data available to
> non-secure users.
>
Sorry for screwing up the security. I would never wish to do that. As
you said a suid application could screw up things.
> "capable()" is wrong. For file reading, you *have* to use
> file_ns_capable(). It really is that simple. You should not test the
> capabilities of the process, you should be testing the capabilities of
> the file descriptor, which comes from the *open-time* capabilities.
>
> It sounds like you applied just the patch to kernel/resource.c,
> without applying the infrastructure patch.
>
> You also need commit 34dbbcdbf633 ("Make file credentials available to
> the seqfile interfaces").
>
Yeah, you are right. I didn't see that commit. It's okay now. Thank you!
-Emrah
