Quoting Paul Moore (paul.moore@xxxxxx): > On Wednesday 05 August 2009 10:13:50 am Serge E. Hallyn wrote: > > Quoting Paul Moore (paul.moore@xxxxxx): > > [NOTE: my email has been out all day due to some mysterious FS issue so my > apologies for not replying sooner] > > ... > > > The checks before and after this patch are not equivalent. Post-patch, > > one must always have CAP_NET_ADMIN to do the attach, whereas pre-patch > > you only needed those if current_cred() did not own the tun device. Is > > that intentional? > > Nope, just a goof on my part; I misread the booleans and haven't fully tested > the patch yet so it slipped out, thanks for catching it. This brings up a > good point, would we rather move the TUN owner/group checks into the cap_tun_* > functions or move the capable() call back into the TUN driver? The answer > wasn't clear to me when I was looking at the code before and the uniqueness of > the TUN driver doesn't help much in this regard. I see the question being asked as: Does this device belong to the caller and, if not, is the caller privileged to act anyway?' So I think the capable call should be moved back into the tun driver, followed by a separate security_tun_dev_attach() check, since that is a separate, restrictive question. thanks, -serge -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
