Possible mistake in commit 3ca459eaba1b ("tun: fix group permission check")
stsp
stsp2 at yandex.ru
Tue Jan 28 14:58:40 UTC 2025
28.01.2025 17:45, stsp writes:
> 28.01.2025 17:20, Ondrej Mosnacek writes:
>> That could work, but the semantics become a bit weird, actually: When
>> you set both uid and gid, one of them needs to match. If you unset
>> uid/gid, you get a stricter condition (gid/uid must match). And if you
>> then also unset the other one, you suddenly get a less strict
>> condition than the first two - nothing has to match.
> Maybe this means that unsetting with -1 is something that shouldn't be
> done and/or allowed? In this case you only make it stricter. Modulo the
> inability to set both user/group at the same time, so you still get
> "less strict" when setting group after user is already set...
It may actually be possible to add the ioctl to set both at once. In this
case you also reset both (with the same ioctl or add another one for
resetting both), which makes the problem fully solved.
More information about the Linux-security-module-archive
mailing list