On Fri, Aug 26, 2005 at 02:00:56PM -0400, Stephen Smalley wrote:
>
> That makes capability part of the core kernel again, just like DAC,
> which means that you can never override a capability denial in your
> module. We sometimes want to override the capability implementation,
> not just apply further restrictions after it. cap_inode_setxattr and
> cap_inode_removexattr are examples; they prohibit any access to _all_

Right, the rationale behind cap_stack.c. Good point. I'd forgotten that.
I guess selective internal composition is the way to go.

Tony