On Mon, 2006-09-18 at 14:04 +0200, Pavel Machek wrote: > Hi! > > > > > The benefits of this are so minuscule and the cost is so high if you are > > > > ever to use it that it simply won't happen.. > > > > > > I'm withdrawing that patch anyway, in favor of a LSM-style approach, > > > the "cuppabilities" module (cf. the patch I posted a couple of hours > > > ago with that word in the title, and I'll be posting a new version in > > > a day or so, or cf. <URL: > > > http://www.madore.org/~david/linux/cuppabilities/ > > > >). In this case, the relative cost will be lower since the > > > security_ops->inode_permission() hook is called no matter what. > > > > > > > You misunderstand. I don't mean the performance cost is high, I mean the > > cost of an application to actually be able to run without open() (what I > > was saying before, static built, no glibc, no conf files, no name > > lookups, etc). I never see this being used in the real world because of > > the extreme limitations. > > It is already being used. See config_seccomp. Where are the users? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
- References:
- [PATCH 1/4] security: capabilities patch (version 0.4.4), part 1/4: enlarge capability sets
- From: David Madore <[email protected]>
- [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: David Madore <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Alan Cox <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Joshua Brindle <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Pavel Machek <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Joshua Brindle <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: David Madore <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Joshua Brindle <[email protected]>
- Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- From: Pavel Machek <[email protected]>
- [PATCH 1/4] security: capabilities patch (version 0.4.4), part 1/4: enlarge capability sets
- Prev by Date: Re: [PATCH 1/11] LTTng-core 0.5.111 : Relay+DebugFS (DebugFS fix)
- Next by Date: [Patch] fix: sched_clock() use in zfcp driver
- Previous by thread: Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- Next by thread: Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
- Index(es):
 |