On Wed, Apr 24, 2013 at 2:30 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Apr 24, 2013 at 1:35 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>
>> That said, I much prefer doing the privilege test at read time since
>> that means passing a file descriptor to another process doesn't mean
>> the new process can just continue reading.
>
> Bullshit.
>
> That's exactly the wrong kind of thinking. If you had privileges to
> open something, and you pass it off, it's *your* choice.

Yes, this is what I was pointing out originally. The semantics of
/proc/kmsg do exactly that: check at open time, which is much cleaner.
Solving the permissions checking delta between the syslog via syscall
and syslog via /proc/kmsg was the original intent of the code so that
capabilities could be dropped after open. And when /dev/kmsg came
along, it didn't follow either convention. I just want to see the
behavior standardized.

-Kees

--
Kees Cook
Chrome OS Security
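The open-time check discussed in this thread, shown on an ordinary file as an added example that is not part of the original message or of any kernel code: access is decided at open(), so a descriptor inherited by a child keeps working after the file's mode is cleared. The temp path and function name are constructed, and a regular file stands in for /proc/kmsg so the program runs without privileges.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example; names and the temp path are constructed for illustration.
 * Returns the byte count a child read through an inherited descriptor after
 * the file's mode was cleared, or -1 on setup failure. *reopen_ok reports
 * whether a fresh open() still passed (expected only with CAP_DAC_OVERRIDE). */
int read_after_revoke(int *reopen_ok)
{
    char path[] = "/tmp/open_check_XXXXXX";      /* constructed sample file */
    const char msg[] = "constructed log line\n"; /* 21 bytes */
    int pfd[2], got = -1;
    int fd = mkstemp(path);                      /* created with mode 0600 */
    if (fd < 0) return -1;
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) got = -2;
    close(fd);
    fd = open(path, O_RDONLY);                   /* permission check happens here */
    if (fd < 0 || got == -2 || chmod(path, 0) != 0 || pipe(pfd) != 0) {
        if (fd >= 0) close(fd);
        unlink(path);
        return -1;
    }
    int probe = open(path, O_RDONLY);            /* a new open is re-checked */
    *reopen_ok = probe >= 0;
    if (probe >= 0) close(probe);

    pid_t pid = fork();
    if (pid == 0) {                              /* child: only has the inherited fd */
        char buf[64];
        int n = (int)read(fd, buf, sizeof buf);  /* no check at read time */
        _exit(write(pfd[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(pfd[1]);
    if (pid < 0 || read(pfd[0], &got, sizeof got) != (ssize_t)sizeof got) got = -1;
    if (pid > 0) waitpid(pid, NULL, 0);
    close(pfd[0]); close(fd); unlink(path);
    return got;
}

int main(void)
{
    int reopen_ok = 0, n = read_after_revoke(&reopen_ok);
    printf("child read %d bytes; fresh open %s\n", n, reopen_ok ? "allowed" : "denied");
    return n < 0;
}
```

Run as an unprivileged user, the fresh open() is denied while the child still reads the full line through the descriptor it was handed.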