Hi list,

this thread[1] about setsockopt(...,...,SO_SNDBUFFORCE), which triggers widely due to systemd, made me think about the recent SELinux kernel fixes: the reordering of dac_read_search and dac_override and also the cap_wake_alarm fix.

Would it make sense to test if the send buffer is really set to a higher value than wmem_max before testing for the cap_net_admin permission[2]? (might also apply to SO_RCVBUFFORCE)

Best regards,
Christian Göttsche

[1] http://oss.tresys.com/pipermail/refpolicy/2017-March/009185.html
[2] https://github.com/torvalds/linux/blob/ae50dfd61665086e617cc9e554a1285d52765670/net/core/sock.c#L715

p.s.: friendly ping on https://marc.info/?l=selinux&m=148944677530753&w=2