Searched hist:"2 a4c2242" (Results 1 – 1 of 1) sorted by relevance

/openbmc/linux/fs/
namei.c 2a4c2242 Fri Mar 10 11:14:18 CST 2017 Stephen Smalley <sds@tycho.nsa.gov> fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>