David Howells <dhowells@xxxxxxxxxx> wrote: > > This means that it expects to trigger those capability checks as part of > > its subsequent actions. Raising those capabilities temporarily in its > > credentials will pass the capability module checks but won't address the > > corresponding SELinux checks (both capability and file-based), so you'll > > end up triggering an entire set of checks against the current process' > > credentials. This same pattern is repeated elsewhere in overlayfs. > > Hmmm... Yes. I need to check whether the lower file can be read *before* > overriding the creds. Actually, I think ovl_permission() does sufficient checks on the lower inode by calling __inode_permission() upon it. David _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
