Re: Problem with 9ba09998baa9 ("selinux: Implement the watch_key security hook") in linux-next


Paul Moore <paul@xxxxxxxxxxxxxx> wrote:

> > > and then use this newly created mapping function in [...]
> > > selinux_watch_key()
> >
> > No, I think I should just hard-code KEY__VIEW there.
> 
> FWIW, my comment was based on a version of linux-next where you were
> making policycap based permission adjustments to KEY_VIEW and I
> thought you would want the same adjustments to be applied to both
> access control points.  That code appears to now be gone in
> linux-next.

I don't think I changed KEY_VIEW specifically; anyway, that code is on hold
for the moment since it collides with this.

What I was wondering is if I should change KEY_NEED_xxx from a bitmask into an
enum to remove the confusion about whether or not you're allowed to provide
multiple 'needs' OR'd together.

> > +       perm = selinux_keyperm_to_av(need_perm);
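Review bot: the value that selinux_keyperm_to_av(need_perm) returns on this added line has no check after it in the quoted hunk. The two replies test it differently (perm < 0 in one, !perm in the other), so the helper's "no mapping" return value should be stated in a comment on the helper and the caller's test written to match it.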
> 
> ... and add a check for (perm < 0) as discussed above if we stick with
> the switch statement.

Actually, there was supposed to be a:

	if (!perm)
		return -EPERM;

after that line.

David
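
As an added illustration (not code from this thread or from the kernel tree), the user-space C sketch below shows why a switch-based mapping treats OR'd 'needs' as unmapped and why the caller has to fail closed on an empty result. The DEMO_* names and values and the demo_* functions are constructed stand-ins.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed stand-in values for this demo; not copied from kernel headers. */
enum { DEMO_NEED_VIEW = 0x01, DEMO_NEED_READ = 0x02,
       DEMO_NEED_WRITE = 0x04, DEMO_NEED_SEARCH = 0x08 };
enum { DEMO_AV_VIEW = 0x100, DEMO_AV_READ = 0x200,
       DEMO_AV_WRITE = 0x400, DEMO_AV_SEARCH = 0x800 };

/* Switch-based mapping: a case label matches exactly one 'need'.
 * Zero, unknown bits, and two needs OR'd together all fall to default. */
static uint32_t demo_keyperm_to_av(unsigned int need_perm)
{
	switch (need_perm) {
	case DEMO_NEED_VIEW:   return DEMO_AV_VIEW;
	case DEMO_NEED_READ:   return DEMO_AV_READ;
	case DEMO_NEED_WRITE:  return DEMO_AV_WRITE;
	case DEMO_NEED_SEARCH: return DEMO_AV_SEARCH;
	default:               return 0; /* no mapping */
	}
}

/* Stub policy decision: every requested bit must be in 'allowed'.
 * Note that an empty request (av == 0) passes this test trivially. */
static int demo_policy_check(uint32_t av, uint32_t allowed)
{
	return (av & allowed) == av ? 0 : -EACCES;
}

/* Hypothetical hook body with the fail-closed check placed after the mapping. */
static int demo_key_permission(unsigned int need_perm, uint32_t allowed)
{
	uint32_t perm = demo_keyperm_to_av(need_perm);

	if (!perm)
		return -EPERM;
	return demo_policy_check(perm, allowed);
}

int main(void)
{
	/* VIEW|READ is rejected even though both are allowed individually. */
	unsigned int both = DEMO_NEED_VIEW | DEMO_NEED_READ;
	return demo_key_permission(both, DEMO_AV_VIEW | DEMO_AV_READ) == -EPERM ? 0 : 1;
}
```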



