Re: [PATCH 2/2] capabilities: introduce per-process capability bounding set (v7)

From: Andrew Morgan <morgan_at_nospam>
Date: Sat Nov 17 2007 - 04:22:42 GMT
To: "Serge E. Hallyn" <serue@us.ibm.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote: >> I also think we should use CAP_SETPCAP for the privilege of manipulating >> the bounding set. In many ways irrevocably removing a permission >> requires the same level of due care as adding one (to pI).
>
> Aside from being heavy-handed, it also means that we are restricting the
> use of per-process capability bounding sets to kernels with file
> capabilities compiled in, right? Are we ok with that?
>

I am. :-)

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHPmyQQheEq9QabfIRAnnbAJ0c22LPNc1EnjWyvR4ZrwcyAiJDrgCeOdTj TJFJwUK7UMkeX5M9ULzbN44=
=LMQP
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

This message: [ Message body ]
Next message: Andrew Morgan: "Re: [PATCH] 64 bit capabilities"
Previous message: Serge E. Hallyn: "Re: [PATCH 2/2] capabilities: introduce per-process capability bounding set (v7)"
In reply to: Serge E. Hallyn: "Re: [PATCH 2/2] capabilities: introduce per-process capability bounding set (v7)"
Next in thread: Serge E. Hallyn: "[PATCH RFC] cgroups: implement device whitelist cgroup+lsm"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]