Re: [PATCH] Realtime LSM

[Chris Wright]

* Jack O'Quin (joq@xxxxxx) wrote:
> Thanks.  I was familiar with gid, and egid from other Unix kernels,
> but fsgid is new to me.  
> 
> In what cases does it *differ* from the effective group ID?

If the program calls setfsgid.  It would typically only do this if it
wanted to assume a new gid for filesystem access on behalf of someone
else (e.g. file server).

> > --- security/realtime.c~rm_CONFIG_SECURITY	2004-10-08 16:16:35.000000000 -0700
> > +++ security/realtime.c	2004-10-08 21:06:28.020084984 -0700
> > @@ -66,7 +66,7 @@
> >  	if ((gid == e_gid) || (gid == current->gid))
> >  		return 1;
> >  
> > -	return in_group_p(gid);
> > +	return in_egroup_p(gid);
> >  }
> >  
> >  static int realtime_bprm_set_security(struct linux_binprm *bprm)
> 
> This adds a test against current->egid in addition to the explicit
> check of current->gid.  I don't see any problem with that.  AFAICT,
> the current->gid check is still useful.

The egid makes a setgid-audio program be meaningful as well.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/