Re: Upstream first policy

From: Alan Cox
Date: Tue Mar 09 2010 - 18:01:52 EST

Next message: Randy Dunlap: "Re: [PATCH -mm 1/3] Documentation: convert PCI-DMA-mapping.txt touse the generic DMA API"
Previous message: Andrea Righi: "[PATCH -mmotm 3/5] page_cgroup: introduce file cache flags"
In reply to: Florian Mickler: "Re: Upstream first policy"
Next in thread: Eric W. Biederman: "Re: Upstream first policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> time. If pathnames were not fundamentally important we could apply
> a patch like the one below and allow unprivileged users to unshare
> the mount namespace and mount filesystems wherever. There is nothing
> fundamental about those operations that require root privileges except
> that you are manipulating the pathnames of objects.

And in a purely SELinux enviromnment your patch would work out because
you could use labels to control this stuff.

> - if (!capable(CAP_SYS_ADMIN))
> - return -EPERM;
> -

It does raise the question about whether you can do it if you had a
namespace property of "ignore suidness". I'm not sure thats enough
however.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Randy Dunlap: "Re: [PATCH -mm 1/3] Documentation: convert PCI-DMA-mapping.txt touse the generic DMA API"
Previous message: Andrea Righi: "[PATCH -mmotm 3/5] page_cgroup: introduce file cache flags"
In reply to: Florian Mickler: "Re: Upstream first policy"
Next in thread: Eric W. Biederman: "Re: Upstream first policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]