[PATCH] capabilities: Introduce CAP_RESTORE
casey at schaufler-ca.com
Wed May 27 16:46:00 UTC 2020
On 5/27/2020 9:37 AM, Nicolas Viennot wrote:
>>> If I understand part of CRIU correctly, then we only need read-access
>>> for the current user. I am sure Andrei, Pavel or Cyrill will correct
>>> me if I am wrong concerning map_files.
>> If I do "ls -l /proc/self/map_files" I get the link name and link content.
>> While I can't open /proc/self/map_files/7fbde0c3200-7fbde0c3300 I can read that it points to /usr/lib64/ld-2.30.so, which is something I can open and read. Sure, it's an extra step, but it's no big deal. It does raise the question of what value comes from disallowing open via the symlink.
> Reading the symlink doesn't work in two cases:
> 1) The file has been deleted
In which case you won't be able to read it directly from
the symlink, either.
> 2) The file is a memfd file
Ditto? Or is there some other problem?
More information about the Linux-security-module-archive