"Serge E. Hallyn" <[email protected]> writes:
> Quoting Serge E. Hallyn ([email protected]):
>> This patch implements file (posix) capabilities. This allows
>> a binary to gain a subset of root's capabilities without having
>> the file actually be setuid root.
>>
>> There are some other implementations out there taking various
>> approaches. This patch keeps all the changes within the
>> capability LSM, and stores the file capabilities in xattrs
>> named "security.capability". First question is, do we want
>> this in the kernel? Second is, is this sort of implementation
>> we'd want?
>>
>> Some userspace tools to manipulate the fscaps are at
>> www.sr71.net/~hallyn/fscaps/. For instance,
>>
>> setcap writeroot "cap_dac_read_search,cap_dac_override+eip"
>>
>> allows the 'writeroot' testcase to write to /root/ab when
>> run as a normal user.
>>
>> This patch doesn't address the need to update
>> cap_bprm_secureexec().
Looking at your ondisk format it doesn't look like you include a
version. There is no reason to believe the current set of kernel
capabilities is fixed for all time. So we need some for of
forward/backward compatibility. Maybe in the cap name?
Eric
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
