On Thu, May 5, 2011 at 10:58, Hans de Goede<hdegoede@redhat.com> wrote:
> With Bas' approach every game binary (or rather the sources it is built
> from) still needs to be patched to use the passed in fd, rather than trying
> to open the highscore file itself.
Correct. This is inevitable unless upstreams adopt either patch.
> As for auditing:
> 1) The highscore parsing code should still be audited in either case, since
> someone subverting the game will still be able to write malicious content
> to it in either case
Correct, but that still means fewer places to audit.
> 2) The rest of the code will be a simple standardized snippet directly at
> the start of main, and once control is passed to this snippet all elevated
> rights are permanently gone, see here for the snippet Fedora is using:
> http://fedoraproject.org/wiki/SIGs/Games/Packaging
The other approach would also result in one single snippet (unless I
am forgetting something)?
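The "open first, then permanently drop rights" pattern point 2 describes, as an added illustration written for this reply rather than the snippet on the Fedora wiki or Bas' patch: the function name, the highscore path and the assumption that the binary is installed setgid (e.g. group "games") are mine, and the example verifies the drop instead of trusting it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical start-of-main helper: open the shared highscore file while
 * the setgid group is still effective, then drop real, effective AND saved
 * gid to the invoking user's real gid so the elevated gid can never be
 * reacquired with setegid(). Returns the open fd, or -1 with errno set.
 * The drop happens even when the open fails, so no caller ever continues
 * with elevated rights. */
int open_highscore_then_drop_privs(const char *path)
{
    gid_t rgid = getgid();
    gid_t egid = getegid();
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0664);
    int open_errno = errno;

    if (setresgid(rgid, rgid, rgid) != 0) {
        /* A failed drop is fatal for the caller: do not keep the fd. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    /* Verify the drop: if we really were setgid, re-elevation must fail. */
    if (getegid() != rgid || (egid != rgid && setegid(egid) == 0)) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* 1 when no elevated group id remains in the real/effective/saved set. */
int no_elevated_gid(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}
```

Run as a plain user the open succeeds and the drop is a no-op; installed setgid it is the point where the game code that follows can no longer touch anything the group owns except through the already-open fd.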