[PATCH 2/2] security.capability: fix conversions on getxattr
Eric W. Biederman
ebiederm at xmission.com
Thu Jan 28 20:49:35 UTC 2021
Miklos Szeredi <miklos at szeredi.hu> writes:
> On Thu, Jan 28, 2021 at 9:24 PM Eric W. Biederman <ebiederm at xmission.com> wrote:
>
>> <aside>
>> From our previous discussions I would also argue it would be good
>> if there was a bypass that skipped all conversions if the reader
>> and the filesystem are in the same user namespace.
>> </aside>
>
> That's however just an optimization (AFAICS) that only makes sense if
> it helps a read world workload. I'm not convinced that that's the
> case.
It is definitely a different issue.
>From previous conversations with Serge, there is a concern with a
sysadmin wanting to see what is actually on disk. In case there are
bugs that care about the different layout. Just passing everything
through when no translation is necessary will allow that kind of
diagnosis.
As your patch demonstrates we already have had bugs in this area
so being able to get at the raw data may help people if they get into a
situation where bugs matter.
Eric
More information about the Linux-security-module-archive
mailing list