On Wed, Apr 24, 2013 at 2:30 PM, Linus Torvalds <torva...@linux-foundation.org> wrote:
> On Wed, Apr 24, 2013 at 1:35 PM, Kees Cook <keesc...@chromium.org> wrote:
>>
>> That said, I much prefer doing the privilege test at read time since
>> that means passing a file descriptor to another process doesn't mean
>> the new process can just continue reading.
>
> Bullshit.
>
> That's exactly the wrong kind of thinking. If you had privileges to
> open something, and you pass it off, it's *your* choice.

Yes, this is what I was pointing out originally. The semantics of
/proc/kmsg do exactly that: check at open time, which is much cleaner.
Solving the permissions checking delta between the syslog via syscall
and syslog via /proc/kmsg was the original intent of the code so that
capabilities could be dropped after open. And when /dev/kmsg came
along, it didn't follow either convention. I just want to see the
behavior standardized.

-Kees

--
Kees Cook
Chrome OS Security
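The open-time semantics discussed in this message, as an added example that is not part of the original mail or of the kernel code: an ordinary file stands in for /proc/kmsg, and chmod(path, 0) stands in for losing the privilege after open. The function name, struct and scratch path are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

struct result {
    int child_read_ok; /* 1 if the child read the data via the inherited fd */
    int reopen_errno;  /* errno of a fresh open() after revocation, 0 if allowed */
};

/* Open a file, revoke its permissions, then hand the fd to a child. */
struct result open_time_check_demo(void)
{
    struct result r = { 0, -1 };
    char path[] = "/tmp/opentime-XXXXXX";      /* constructed scratch file */
    const char msg[] = "constructed log line\n";
    size_t len = sizeof msg - 1;
    int status = 0;

    int wfd = mkstemp(path);
    if (wfd < 0)
        return r;
    if (write(wfd, msg, len) != (ssize_t)len) { close(wfd); unlink(path); return r; }
    close(wfd);

    int fd = open(path, O_RDONLY);             /* permission is checked here, once */
    if (fd < 0 || chmod(path, 0) != 0) { if (fd >= 0) close(fd); unlink(path); return r; }

    pid_t pid = fork();                        /* child inherits the open descriptor */
    if (pid == 0) {
        char buf[64];
        ssize_t n = read(fd, buf, sizeof buf); /* no new permission check on read */
        _exit(n == (ssize_t)len && memcmp(buf, msg, len) == 0 ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        r.child_read_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;

    int fd2 = open(path, O_RDONLY);            /* a fresh open is checked again */
    r.reopen_errno = fd2 < 0 ? errno : 0;      /* EACCES, or 0 with CAP_DAC_OVERRIDE */
    if (fd2 >= 0) close(fd2);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    struct result r = open_time_check_demo();
    printf("child read via inherited fd: %s\n", r.child_read_ok ? "ok" : "failed");
    printf("fresh open after chmod 0: %s\n", r.reopen_errno ? strerror(r.reopen_errno) : "allowed");
    return 0;
}
```

Run as an unprivileged user, the fresh open fails with EACCES while the child still reads through the descriptor it was handed; as root the fresh open is allowed because CAP_DAC_OVERRIDE bypasses the mode bits.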