I'm having trouble reviewing the patch: I'm not spotting the pattern of which checks should be used when. I'll summarize what I'm seeing here, as much for me in the future as anything else:
cg_getattr - is_child_cgroup - caller_is_in_ancestor - fc_may_access - caller_is_in_ancestor - fc_may_access
cg_opendir - caller_may_see_dir - fc_may_access
cg_readdir - caller_is_in_ancestor
cg_open - caller_may_see_dir - fc_may_access
cg_read - fc_may_access
cg_write - fc_may_access
cg_chown - is_child_cgroup - is_privileged_over
cg_chmod - is_child_cgroup - is_privileged_over
cg_mkdir - caller_is_in_ancestor - fc_may_access - caller_is_in_ancestor
Incidentally, what prevents the controller or cgroup here from containing shell metacharacters?
cg_rmdir - caller_is_in_ancestor - fc_may_access - caller_is_in_ancestor
Does this summary look correct? Did I summarize it correctly? Does it accurately express what needs to be done?
Thanks
I'm having trouble reviewing the patch: I'm not spotting the pattern of
which checks should be used when. I'll summarize what I'm seeing here, as
much for me in the future as anything else:
cg_getattr is_in_ancestor is_in_ancestor
- is_child_cgroup
- caller_
- fc_may_access
- caller_
- fc_may_access
cg_opendir
- caller_may_see_dir
- fc_may_access
cg_readdir is_in_ancestor
- caller_
cg_open
- caller_may_see_dir
- fc_may_access
cg_read
- fc_may_access
cg_write
- fc_may_access
cg_chown
- is_child_cgroup
- is_privileged_over
cg_chmod
- is_child_cgroup
- is_privileged_over
cg_mkdir is_in_ancestor is_in_ancestor
- caller_
- fc_may_access
- caller_
Incidentally, what prevents the controller or cgroup here from containing
shell metacharacters?
cg_rmdir is_in_ancestor is_in_ancestor
- caller_
- fc_may_access
- caller_
Does this summary look correct? Did I summarize it correctly? Does it
accurately express what needs to be done?
Thanks