Crispin Cowan <[EMAIL PROTECTED]> writes: The document should be a good base for a merge.
> * A confined process can operate on a file descriptor passed to it > by an unconfined process, even if it manipulates a file not in the > confined process's profile. To block this attack, confine the > process that passed the file descriptor. That is the only thing that tripped me up a bit while reading the document. Can you expand a bit on the reasons why the fd is not rechecked in the context of the target process? Best do it in a new version of the document. -Andi - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
