David Howells <dhowells@xxxxxxxxxx> wrote: > > This means that it expects to trigger those capability checks as part of > > its subsequent actions. Raising those capabilities temporarily in its > > credentials will pass the capability module checks but won't address the > > corresponding SELinux checks (both capability and file-based), so you'll > > end up triggering an entire set of checks against the current process' > > credentials. This same pattern is repeated elsewhere in overlayfs. > > Hmmm... Yes. I need to check whether the lower file can be read *before* > overriding the creds. Actually, I think ovl_permission() does sufficient checks on the lower inode by calling __inode_permission() upon it. David -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
