On Thu, 14 Mar 2002 17:15, Richard Gooch wrote:
> Russell Coker writes:
> > The following patch for devfsd.c makes it close the .devfsd file on exec.
> >
> > At the moment the only problem that the open file handle causes is
> > that it's against my security policy for the domain insmod_t to read
> > devfs_t domain character devices. But there could be more serious
> > issues that I haven't considered.
>
> Well, I can't think of any problems, but since the .devfsd file isn't
> needed by anything else, it's probably a good idea to close it. Done.
It should be pretty safe as devfsd only spawns non-hostile processes where
the user can't control the parameters or the environment, (by default it's
only modprobe). Also the kernel appeared to have some enforcement for only
one open file handle anyway.
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
|