Re: capabilitiescompute_cred

From: Stephen Smalley
Date: Fri Apr 02 2004 - 16:50:50 EST


On Fri, 2004-04-02 at 15:21, Andy Lutomirski wrote:
> I agree in principle, but it would still be nice to have a simple way to
> have useful capabilities without setting up a MAC system. I don't see a
> capabilities fix adding any significant amount of code; it just takes
> some effort to get it right.

I'm not opposed to making the existing capability logic more useable; I
just think that capabilities will ultimately be superseded by TE.

> You can find my attempts to get it right in the
> linux-kernel archives, and I'll probably try to get something into 2.7
> when it forks. With or without MAC, having a functioning capability
> system wouldn't hurt security.

Does revising the capability logic need to wait on 2.7? Have you
changed the logic significantly since the last patch you posted to lkml?

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
