[PATCH] kernel/sys.c: fix and improve control flow in __sys_setres[ug]id()
Eric W. Biederman
ebiederm at xmission.com
Thu Feb 16 16:07:53 UTC 2023
Andrew Morton <akpm at linux-foundation.org> writes:
> On Wed, 15 Feb 2023 14:18:07 +0100 Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
>> 1. First determine if CAP_SET[UG]ID is required and only then call
>> ns_capable_setid(), to avoid bogus LSM (SELinux) denials.
>
> Can we please have more details on the selinux failures? Under what
> circumstances? What is the end-user impact?
It is puzzling the structure with having the capability check first
dates to 2.1.104 (when a hand coded test for root was replaced
with capable(CAP_SETID). Which means the basic structure and logic
of the code is even older than that.
Eric
More information about the Linux-security-module-archive
mailing list