Re: another memlockd patch

On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
> > +allow memlockd_t self:unix_dgram_socket { create connect };
> 
> The unix dgram socket creation is probably redundant and implied with
> logging_send_logs_msg(), as journald uses dgram_sendto for logging?

You are correct, that is redundant.  Chris, shall I submit the patch again or 
would it be easier to just delete that line when you merge?

> > +# cache /etc/shadow too
> > +auth_read_shadow(memlockd_t)
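Review bot: `auth_read_shadow(memlockd_t)` only grants the SELinux side of reading /etc/shadow, and the comment `# cache /etc/shadow too` says nothing about the DAC mode the daemon relies on. On a system where /etc/shadow is mode 000 this rule is not sufficient on its own and the domain would additionally need `dac_read_search`; consider stating in the comment that shadow caching assumes a readable /etc/shadow (mode 640 on Debian), or making the rule conditional so the policy does not silently fail on distributions that ship it as 000.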
> 
> Hmm, since /etc/shadow is mode 000, how is memlock able to read this
> without cap_dac_read_search access? Is that implied?

/etc/shadow is mode 640 on Debian.

On other distributions the choice is either more permissions for memlockd or a 
configuration that doesn't cache /etc/shadow.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
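The exchange above turns on two separate gates that decide whether a confined daemon can open /etc/shadow: the DAC mode bits, and the capability fallback (dac_override / dac_read_search) that, with SELinux enforcing, is itself only usable if the domain has the matching `capability` permission. The following added example (not code from memlockd or from anyone in this thread) models both gates in Python and runs the thread's two cases through them: Debian's 640 root:shadow file and a 000 root:root file. The process credentials, file attributes and the `memlockd_t` capability rule mentioned in the comments are constructed for illustration; the SELinux file-read check that `auth_read_shadow()` covers is deliberately out of scope here.

```python
"""Model of the checks that decide whether a daemon can read /etc/shadow.

Added example, not code from the memlockd project or the thread. It models
two gates the kernel applies on open(): the classic DAC mode-bit check, and
the capability fallback (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH) which, under
SELinux, is only granted if the domain also holds the matching `capability`
permission. All file attributes and process credentials below are constructed.
"""
from dataclasses import dataclass

# Capability names as SELinux spells them in the `capability` object class.
CAP_DAC_OVERRIDE = "dac_override"
CAP_DAC_READ_SEARCH = "dac_read_search"


@dataclass(frozen=True)
class FileAttrs:
    mode: int    # permission bits only, e.g. 0o640
    owner: str
    group: str


@dataclass(frozen=True)
class Process:
    uid: str
    groups: frozenset          # primary + supplementary groups
    caps: frozenset            # effective capabilities (DAC view)
    selinux_caps: frozenset    # `capability` perms allowed to the domain


def dac_read_allowed(f: FileAttrs, p: Process) -> tuple:
    """Return (allowed, reason) for a read of file f by process p.

    Follows the kernel's order: the owner class is selected if the uid
    matches (group/other bits are not consulted in that case), then group,
    then other. Only when the mode bits deny does the capability fallback
    run, and with SELinux enforcing capable() succeeds only if the domain
    holds the corresponding `capability` permission.
    """
    if p.uid == f.owner:
        cls, bits = "owner", (f.mode >> 6) & 0o7
    elif f.group in p.groups:
        cls, bits = "group", (f.mode >> 3) & 0o7
    else:
        cls, bits = "other", f.mode & 0o7
    if bits & 0o4:
        return True, f"mode {f.mode:04o} grants read via {cls} bits"

    held = [c for c in (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH) if c in p.caps]
    for cap in held:
        if cap in p.selinux_caps:
            return True, f"mode denies, overridden by {cap}"
    if held:
        return False, (f"mode denies; {', '.join(held)} held but not allowed "
                       "to the SELinux domain")
    return False, "mode denies and no override capability is held"


# Constructed scenarios mirroring the thread: Debian ships /etc/shadow as
# 640 root:shadow; other distributions ship it as 000 root:root.
SHADOW_DEBIAN = FileAttrs(0o640, "root", "shadow")
SHADOW_MODE_000 = FileAttrs(0o000, "root", "root")

# Hypothetical memlockd running as root with the DAC capabilities root has,
# confined by a domain whose policy grants no `capability` permissions.
MEMLOCKD_NO_CAP_RULE = Process("root", frozenset({"root"}),
                               frozenset({CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH}),
                               frozenset())
# The same daemon if the policy added (hypothetically)
# `allow memlockd_t self:capability dac_read_search;`
MEMLOCKD_WITH_CAP_RULE = Process("root", frozenset({"root"}),
                                 frozenset({CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH}),
                                 frozenset({CAP_DAC_READ_SEARCH}))


def scenarios() -> dict:
    """Outcome of each constructed scenario, keyed by name."""
    return {
        "debian_no_cap_rule": dac_read_allowed(SHADOW_DEBIAN, MEMLOCKD_NO_CAP_RULE)[0],
        "mode000_no_cap_rule": dac_read_allowed(SHADOW_MODE_000, MEMLOCKD_NO_CAP_RULE)[0],
        "mode000_with_cap_rule": dac_read_allowed(SHADOW_MODE_000, MEMLOCKD_WITH_CAP_RULE)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'readable' if ok else 'denied'}")
```

The model makes the thread's point concrete: on Debian the 640 mode lets a root-owned daemon read the file through the owner bits alone, so `auth_read_shadow()` is the only policy needed; with a 000 file the mode bits deny even for root, and the domain can read it only if the policy also allows the `capability dac_read_search` permission, which is exactly the extra grant the reply says other distributions would need.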