Re: [PATCH] scaled-back caps, take 4
From: Andy Lutomirski
Date: Mon May 17 2004 - 02:21:56 EST

Chris Wright wrote:
> * Olaf Dietsche (olaf+list.linux-kernel@xxxxxxxxxxxxxxx) wrote:
> > Andy Lutomirski <luto@xxxxxxxxxxxxx> writes:
> > > cap_2.6.6-mm2_4.patch: New stripped-back capabilities.
> > > fs/exec.c | 15 ++++-
> > > include/linux/binfmts.h | 9 ++-
> > > security/commoncap.c | 130 ++++++++++++++++++++++++++++++++++++++++++------
> > > 3 files changed, 136 insertions(+), 18 deletions(-)
> > > [patch]
> > Why don't you provide this as a configurable andycap.c module?
> > I think, this is the whole point of LSM.
> I agree, if we can't find a clean way to do it. However, note this
> includes changes to core. And it's nice to fix this for the base case.

On the other hand, this version has minimal changes to core (it adds a new
field to linux_binprm and makes fs/exec.c fill in some extra information).
These changes shouldn't break any existing code, as the current behavior
is for bprm->cap_* to be undefined when bprm_set_security is called. None
of this is strictly necessary for my patch, but it makes it a lot cleaner.
So, if the core changes were merged, my caps semantics could be maintained
as a (fairly simple) separate LSM. That prevents it working with SELinux
or other (non-stacking) LSMs loaded.
--Andy