Re: disable-cap-mlock

[Chris Wright]

* Andrew Morton (akpm@xxxxxxxx) wrote:
> http://www.zip.com.au/~akpm/linux/patches/stuff/pam_cap-akpm.tar.gz

Cool, thanks.

> That's my point, Chris.  "the feature is bollixed, so let's write a ton of
> new parallel stuff but not fix the original code".  This is how cruft
> accumulates.

Yes, OK, point well-taken.

> > Our goal was actually to keep is compatible.  All of it's limitations
> > predate the security stuff.
> 
> Either the fine-grained capabilities are fixable, or they should be deleted
> and we go back to suser().  One of those things should have happened before
> adding more code, surely?

I s'pose we rather viewed the behaviour as legacy...stuck with, don't
muck with...Making it usable is certainly better than going back to
suser(), so let's procede that way and reconcile the mistake.

> > IIRC, changing those (existing) securebits settings creates an unusable
> > machine.  Again, I think there was some anticipation of the fs bits
> > going in later.  Perhaps those securebits pieces could just be removed.
> 
> OK.  Do you have time to do the honours?

Sure thing.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/