Re: [PATCH] System Wide Capability Bounding Set

From: Tetsuo Handa
Date: Thu Jan 06 2011 - 06:30:34 EST

Next message: Zachary Amsden: "Re: [KVM TSC trapping / migration 1/2] Add TSC trapping for SVM andVMX"
Previous message: M. Mohan Kumar: "[PATCH] [V4] fs/9p: TREADLINK bugfix"
In reply to: Eric Paris: "[PATCH] System Wide Capability Bounding Set"
Next in thread: Theodore Tso: "Re: [PATCH] System Wide Capability Bounding Set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Eric Paris wrote:
> Not so long ago the global capability bounding set was removed from the
> kernel. Instead we created a new per task capability bounding set which
> was inherited by children.

An LSM module can provide ability to aggregate several tasks into a group
(called "security context" or "domain") and grant permissions against groups.
We can selectively grant whatever capabilities against groups.
Why do we need to get bothered by capability inheritance problem?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zachary Amsden: "Re: [KVM TSC trapping / migration 1/2] Add TSC trapping for SVM andVMX"
Previous message: M. Mohan Kumar: "[PATCH] [V4] fs/9p: TREADLINK bugfix"
In reply to: Eric Paris: "[PATCH] System Wide Capability Bounding Set"
Next in thread: Theodore Tso: "Re: [PATCH] System Wide Capability Bounding Set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]