Christian Heimes <li...@cheimes.de> added the comment:
> That's interesting. In Linux, for example, I would expect the access()
> and faccessat() system calls to also check mandatory permissions. I
> know from experience that at least the [i]mmutable file attribute is
> checked.

access(2) takes extended file attributes like immutable bit and CAPS into account. For example it returns True for access("testfile", R_OK) for testfile with DAC permission 0o000 and process context with CAP_DAC_OVERRIDE. I would also bet that it handles POSIX ACLs correctly. But LSM and seccomp are not evaluated by access() -- at least SELinux is not. A seccomp syscall filter can have a BPF program attached to it. It's a powerful feature that allows filtering and blocking by syscall argument.

$ python3
>>> os.access("testfile", os.R_OK)
True
>>> open("testfile")
Traceback (most recent call last):
...
PermissionError: [Errno 13] Permission denied: 'testfile'

# ausearch -m AVC
...
time->Fri Nov 27 16:14:31 2020
type=AVC msg=audit(1606490071.292:4204): avc: denied { read } for pid=293015 comm="httpd" name="testfile" dev="dm-0" ino=399163 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:testcontext_t:s0 tclass=file permissive=0

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42481>
_______________________________________
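An added example, not part of the original message or of CPython: it records what os.access() predicts next to what the open call actually returns, so a denial that access() could not foresee (the SELinux case in the session above) is reported as its own outcome. The names probe_read, classify and demo are hypothetical, and the files are constructed samples in a temporary directory.

```python
import errno
import os
import tempfile


def probe_read(path):
    """Return (access_ok, open_errno); open_errno is None if the open succeeded."""
    access_ok = os.access(path, os.R_OK)
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        return access_ok, exc.errno
    os.close(fd)
    return access_ok, None


def classify(access_ok, open_errno):
    """Label one probe result by how access() and open() relate."""
    if open_errno is None:
        # access() checks the real UID/GID, so it can be stricter than open().
        return "agree-allowed" if access_ok else "access-too-strict"
    if not access_ok:
        return "agree-denied"
    if open_errno in (errno.EACCES, errno.EPERM):
        # access() said yes and the kernel still refused: the case in the
        # message above, where an LSM such as SELinux denies the read.
        return "denied-after-access-ok"
    return "other-error"


def demo():
    """Probe three constructed paths: readable, mode 0o000, and missing."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name)
                 for name in ("readable", "locked", "missing")}
        for name, mode in (("readable", 0o600), ("locked", 0o000)):
            with open(paths[name], "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(paths[name], mode)
        for name, path in paths.items():
            results[name] = classify(*probe_read(path))
    return results


if __name__ == "__main__":
    print(demo())
```

On a host without an LSM policy for these files the "locked" entry is "agree-denied" for an unprivileged user and "agree-allowed" for a process with CAP_DAC_OVERRIDE; "denied-after-access-ok" appears only where a check outside access(2) refuses the open.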