Re: [PATCH] System Wide Capability Bounding Set

From: Theodore Tso
Date: Thu Jan 06 2011 - 11:50:26 EST



On Jan 6, 2011, at 6:30 AM, Tetsuo Handa wrote:

> An LSM module can provide the ability to aggregate several tasks into a group
> (called "security context" or "domain") and grant permissions against groups.
> We can selectively grant whatever capabilities against groups.
> Why do we need to get bothered by the capability inheritance problem?

Yes, but LSM modules still can't stack, last I checked. So people would need to choose between this or SELinux, or build this capability into every single LSM module....

-- Ted
