linux-security-module November 2007 archive
Main Archive Page > Month Archives  > linux-security-module archives
linux-security-module: Re: [PATCH 2/2] capabilities: introduce p

Re: [PATCH 2/2] capabilities: introduce per-process capability bounding set (v7)

From: Andrew Morgan <morgan_at_nospam>
Date: Sat Nov 17 2007 - 04:22:42 GMT
To: "Serge E. Hallyn" <serue@us.ibm.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote: >> I also think we should use CAP_SETPCAP for the privilege of manipulating >> the bounding set. In many ways irrevocably removing a permission >> requires the same level of due care as adding one (to pI).
>
> Aside from being heavy-handed, it also means that we are restricting the
> use of per-process capability bounding sets to kernels with file
> capabilities compiled in, right? Are we ok with that?
>

I am. :-)

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHPmyQQheEq9QabfIRAnnbAJ0c22LPNc1EnjWyvR4ZrwcyAiJDrgCeOdTj TJFJwUK7UMkeX5M9ULzbN44=
=LMQP
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html