Hello, this patch series is my attempt to fix an issue when user can clear capabilites of arbitrary file he can look up for example by running chown on it (this got assigned CVE-2015-1350). The problem is that we call security_inode_killpriv() before checking permissions in inode_change_ok(). This patch set moves that call into inode_change_ok() after permissions are checked - the only trouble is that we need to give dentry instead of inode there and that is not completely trivial in some cases - I'd like to have a review from XFS, Ceph, and FUSE people to verify I didn't miss anything. Anyway, have a look how the result looks like... Honza _______________________________________________ xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs
