On Fri, 14 Mar 2008, Stephen Smalley wrote:

> Alternatively, we could default to returning FILE__IOCTL from
> file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and
> thus check ioctl permission on exec or transfer, thereby validating such
> descriptors early as with normal r/w descriptors and catching leaks of
> them prior to attempted usage.

I think this sounds like a good plan.

> selinux_dentry_open() though doesn't need to check anything in this
> case; its checking is only required for descriptors that can later be
> used in read/write operations.

-- 
James Morris
<jmorris@xxxxxxxxx>
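
A user-space model of the mapping proposed in the quoted text, added here as an example; it is not code from this thread or from the kernel tree. The permission bit values, the two function-name suffixes and `fd_survives_transfer()` are assumptions made for illustration, and the model covers only the FMODE_READ/FMODE_WRITE cases the message mentions.

```c
#include <stdint.h>
#include <stdio.h>

/* f_mode bits named in the message. */
#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u

/* Permission bits: constructed values for this model only. */
#define FILE__IOCTL 0x01u
#define FILE__READ  0x02u
#define FILE__WRITE 0x04u

/* Mapping with no default: neither mode bit set gives an empty vector. */
static uint32_t file_to_av_no_default(unsigned int f_mode)
{
    uint32_t av = 0;
    if (f_mode & FMODE_READ)
        av |= FILE__READ;
    if (f_mode & FMODE_WRITE)
        av |= FILE__WRITE;
    return av;
}

/* Proposed mapping: an otherwise empty vector defaults to FILE__IOCTL. */
static uint32_t file_to_av_ioctl_default(unsigned int f_mode)
{
    uint32_t av = file_to_av_no_default(f_mode);
    return av ? av : FILE__IOCTL;
}

/* Hypothetical stand-in for the exec/transfer check: the descriptor is kept
 * only if every requested permission is allowed. An empty request asks for
 * nothing, so it always passes. */
static int fd_survives_transfer(uint32_t requested, uint32_t allowed)
{
    return (requested & ~allowed) == 0;
}

int main(void)
{
    uint32_t allowed = FILE__READ | FILE__WRITE; /* constructed policy: no ioctl */
    unsigned int f_mode = 0;                     /* neither FMODE_READ nor FMODE_WRITE */
    printf("no default:    kept=%d\n",
           fd_survives_transfer(file_to_av_no_default(f_mode), allowed));
    printf("ioctl default: kept=%d\n",
           fd_survives_transfer(file_to_av_ioctl_default(f_mode), allowed));
    return 0;
}
```

With the default in place, a descriptor that has neither mode bit is evaluated at transfer time like any read/write descriptor, instead of passing with an empty request.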