On Tue, 2009-08-18 at 16:39 +0900, OGAWA Hirofumi wrote:
> [Sorry if this killed the thread. My ISP seems to be stopping the email server
> now. I've read this email from the web archive.]
>
> >> @@ -2711,12 +2711,17 @@ static int selinux_inode_permission(stru
> >> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
> >> {
> >> const struct cred *cred = current_cred();
> >> + unsigned int ia_valid = iattr->ia_valid;
> >>
> >> - if (iattr->ia_valid & ATTR_FORCE)
> >> - return 0;
> >> + /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
> >> + if (ia_valid & ATTR_FORCE) {
> >> + ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE);
> >> + if (!ia_valid)
> >> + return 0;
> >>
> >
> > So if I read this correctly, (ATTR_FORCE| ATTR_KILL_SUID|ATTR_MODE) will
> > not return here, since 'ia_valid' will be ATTR_FORCE finally.
> >
> > I think you forgot to clear ATTR_FORCE here...
>
> Whoops, good catch. Fortunately, it doesn't seem to have an actual problem,
> but it's a bug obviously, and sorry for that. Fixed patch was attached.

You can add my:
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

--
Stephen Smalley
National Security Agency
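
Review bot: In the `if (ia_valid & ATTR_FORCE)` branch, the mask `~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE)` leaves ATTR_FORCE itself set, so `!ia_valid` can never be true inside that branch and the early `return 0` is unreachable. Every forced setattr then falls through to whatever check follows the branch, which is the opposite of what the removed `if (iattr->ia_valid & ATTR_FORCE) return 0;` did. Add ATTR_FORCE to the bits being cleared so that a request carrying only ATTR_FORCE plus the kill/mode bits returns 0. The comment is also narrower than the code: it says ATTR_FORCE is only used for ATTR_KILL_S[UG]ID, while the mask also drops ATTR_MODE, so the comment should say why ATTR_MODE is exempted along with the kill bits.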