On 25.04.2024 03:43, Andy Lutomirski wrote:
But you missed the FMODE_CRED part!
OK, I thought it's not needed if the fd is limited to the one created by the same process. But your explanation is quite clear that it's needed anyway, or otherwise the unsuspecting process doesn't fully drop its privs. Thank you for explaining that bit. Which leaves just one question: is such an opt-in enough or not? Viro points out that it may not be enough, but doesn't explain why exactly. Maybe we need such an opt-in, and it should be dropped on exec() and on passing via a unix fd? I don't know what additional restrictions are needed, as Viro didn't clarify that part, but the opt-in is needed for sure.