From mboxrd@z Thu Jan 1 00:00:00 1970
From: Amerigo Wang
Subject: Re: [Patch 1/2] selinux: ajust rules for ATTR_FORCE
Date: Tue, 18 Aug 2009 16:46:29 +0800
Message-ID: <4A8A6A65.3010907@redhat.com>
References: <20090817071001.5913.94767.sendpatchset@localhost.localdomain> <20090817071011.5913.69970.sendpatchset@localhost.localdomain> <1250511313.3629.103.camel@moss-pluto.epoch.ncsc.mil> <87prau5ld1.fsf@devron.myhome.or.jp> <1250536052.3629.154.camel@moss-pluto.epoch.ncsc.mil> <873a7q441a.fsf@devron.myhome.or.jp> <1250538981.3629.184.camel@moss-pluto.epoch.ncsc.mil> <87fxbq19qs.fsf@devron.myhome.or.jp> <87my5yxidt.fsf@devron.myhome.or.jp> <87y6pha7vv.fsf@devron.myhome.or.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Stephen Smalley , linux-kernel@vger.kernel.org, esandeen@redhat.com, eteo@redhat.com, eparis@redhat.com, linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org, viro@zeniv.linux.org.uk
To: OGAWA Hirofumi
Return-path:
In-Reply-To: <87y6pha7vv.fsf@devron.myhome.or.jp>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

OGAWA Hirofumi wrote:
> [Sorry if this killed thread. My ISP seems to be stopping email server
> now. I've read this email from web archive.]
> > >>> @@ -2711,12 +2711,17 @@ static int selinux_inode_permission(stru >>> static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) >>> { >>> const struct cred *cred = current_cred(); >>> + unsigned int ia_valid = iattr->ia_valid; >>> >>> - if (iattr->ia_valid & ATTR_FORCE) >>> - return 0; >>> + /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ >>> + if (ia_valid & ATTR_FORCE) { >>> + ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE); >>> + if (!ia_valid) >>> + return 0; >>> >>> >> So if I read this correctly, (ATTR_FORCE| ATTR_KILL_SUID|ATTR_MODE) will >> not return here, since 'ia_valid' will be ATTR_FORCE finally. >> >> I think you forgot to clear ATTR_FORCE here... >> > > Whoops, good catch. Fortunately, it doesn't seem to have actual problem, > but it's bug obviously, and sorry for that. Fixed patch was attached. > This version looks OK for me! Stephen, any objections? Thank you!
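
Review bot: In the `if (ia_valid & ATTR_FORCE)` branch of selinux_inode_setattr(), the mask `~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE)` leaves ATTR_FORCE itself set in the local `ia_valid`, so `if (!ia_valid)` can never be true inside that branch and the `return 0` is unreachable. Include ATTR_FORCE in the cleared bits so that a forced S[UG]ID kill with no other attribute requested returns early as the comment intends. The comment mentions only ATTR_KILL_S[UG]ID while the mask also drops ATTR_MODE; a short note on why ATTR_MODE is exempted too would help, since this branch decides which attribute changes return 0 without a further check. The quoted hunk ends before the closing brace of the branch, so how the remaining bits in `ia_valid` are used afterwards cannot be checked from these lines.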