> > Not a good model. Any removal of filters and passing them to a task
> > should be explicit. The behaviour really ought to be to permit the
> > intentional setting of explicit filters then passing them, not touch the
> > default behaviour.
>
> Yeah, well, then I guess it'll have to be a separate ioctl to switch
> SG_IO for !root users.
My first thought would be to have the basic behaviour as allowed IFF passes user filter && CAP_SYS_RAWIO || passes 'root' filter, which allows untrusted users to also push unprivileged filters for their own purposes (consider things like exokernel experiments or just trying to ensure a raw disk emulation doesn't go wrong). The default user filter would be 'allow anything'.

Then add a way to 'set' the root filter only if you have CAP_SYS_RAWIO, with the default 'root' filter being the current hardcoded filter.

That also means that a normal app running as superuser for some reason would set its user filter, and any accidentally inherited descriptors will be less dangerous than they are today. It also means a CAP_SYS_RAWIO capable app can still use filters itself as good programming practice.

It effectively means you have to deliberately and intentionally set up an 'inherited' extra rights case.

Alan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
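As an added illustration of the two-filter model sketched in the message above (this is example code written for this page, not code from the thread or from the kernel's SG_IO implementation), here is a user-space C model of the policy. It reads the "allowed IFF" condition as "user filter passes AND (CAP_SYS_RAWIO OR root filter passes)", which is the reading under which an untrusted user's own filter has any effect; that interpretation, the struct and function names (sg_filter, sg_fd, sg_io_allowed, ...), and the three-opcode stand-in for the hardcoded default root filter are all assumptions made for the example.

```c
/* Added example, not kernel code: a user-space model of the two-filter
 * scheme sketched above. All names (struct sg_filter, sg_io_allowed, ...)
 * and the "default root filter" opcode list are invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A filter is an allow bitmap over the 256 SCSI opcode values (the opcode
 * is the first CDB byte, cmdp[0] in struct sg_io_hdr). */
struct sg_filter { uint8_t allowed[256 / 8]; };

static void sg_filter_allow_all(struct sg_filter *f) { memset(f->allowed, 0xff, sizeof f->allowed); }
static void sg_filter_deny_all(struct sg_filter *f)  { memset(f->allowed, 0x00, sizeof f->allowed); }
static void sg_filter_allow(struct sg_filter *f, uint8_t op) { f->allowed[op >> 3] |= (uint8_t)(1u << (op & 7)); }
static bool sg_filter_passes(const struct sg_filter *f, uint8_t op) { return (f->allowed[op >> 3] >> (op & 7)) & 1u; }

/* Per-open-file state: the user filter is settable by anyone and defaults to
 * "allow anything"; the root filter needs CAP_SYS_RAWIO to change and
 * defaults to the hardcoded unprivileged command list. */
struct sg_fd { struct sg_filter user; struct sg_filter root; };

/* Constructed stand-in for the hardcoded unprivileged list; not the real table. */
static const uint8_t default_root_ops[] = { 0x00 /* TEST UNIT READY */, 0x12 /* INQUIRY */, 0x28 /* READ(10) */ };

static void sg_fd_init(struct sg_fd *fd)
{
    sg_filter_allow_all(&fd->user);
    sg_filter_deny_all(&fd->root);
    for (size_t i = 0; i < sizeof default_root_ops; i++)
        sg_filter_allow(&fd->root, default_root_ops[i]);
}

/* Anyone may replace their own user filter (typically to tighten it). */
static void sg_set_user_filter(struct sg_fd *fd, const struct sg_filter *f) { fd->user = *f; }

/* Only CAP_SYS_RAWIO may replace the root filter; -1 stands for EPERM. */
static int sg_set_root_filter(struct sg_fd *fd, const struct sg_filter *f, bool cap_sys_rawio)
{
    if (!cap_sys_rawio)
        return -1;
    fd->root = *f;
    return 0;
}

/* The decision, reading the proposal as: the user filter always applies, and
 * past it the caller needs CAP_SYS_RAWIO or the opcode must be on the root filter. */
static bool sg_io_allowed(const struct sg_fd *fd, uint8_t op, bool cap_sys_rawio)
{
    if (!sg_filter_passes(&fd->user, op))
        return false;
    return cap_sys_rawio || sg_filter_passes(&fd->root, op);
}

/* Scenario: a privileged app narrows its fd to INQUIRY/READ(10) before forking a
 * helper. The helper inherits the fd and still has CAP_SYS_RAWIO, yet WRITE(10)
 * (0x2a) is refused because the user filter sits in front of the capability. */
static bool scenario_inherited_fd(void)
{
    struct sg_fd fd;
    struct sg_filter mine;

    sg_fd_init(&fd);
    sg_filter_deny_all(&mine);
    sg_filter_allow(&mine, 0x12);
    sg_filter_allow(&mine, 0x28);
    sg_set_user_filter(&fd, &mine);
    return sg_io_allowed(&fd, 0x28, true) && !sg_io_allowed(&fd, 0x2a, true);
}

/* Scenario: an unprivileged caller with defaults. READ(10) passes the root
 * filter, WRITE(10) does not, and trying to widen the root filter fails. */
static bool scenario_unprivileged_defaults(void)
{
    struct sg_fd fd;
    struct sg_filter wide;

    sg_fd_init(&fd);
    sg_filter_allow_all(&wide);
    return sg_io_allowed(&fd, 0x28, false) && !sg_io_allowed(&fd, 0x2a, false)
        && sg_set_root_filter(&fd, &wide, false) == -1
        && !sg_io_allowed(&fd, 0x2a, false);
}

int main(void)
{
    printf("inherited fd, WRITE(10) blocked: %s\n", scenario_inherited_fd() ? "yes" : "no");
    printf("unprivileged defaults behave:    %s\n", scenario_unprivileged_defaults() ? "yes" : "no");
    return 0;
}
```

The point the two scenarios make is the one the message argues for: widening rights is always an explicit act (a CAP_SYS_RAWIO holder replacing the root filter), while a descriptor that leaks to a child carries at most what its user filter permits, whatever the child's capabilities.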