Quoting Casey Schaufler (ca...@schaufler-ca.com): > On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: > > Quoting Casey Schaufler (ca...@schaufler-ca.com): > >> Or maybe just security.ns.capability, taking James' comment into account. > > That last one may be suitable as an option, useful for his particular > > (somewhat barbaric :) use case, but it's not ok for the general solution. > > security.ns@uid=100.capability
I'm ok with this. It gives protection from older kernels, and puts the 'ns@uid=' at predictable locations for security and trusted. > It makes the namespace part explicit and separate from > the rest of the attribute name. It also generalizes for > other attributes. > > security.ns@uid=1000@smack=WestOfOne.SMACK64 Looks good to me. Do we want to say that '.' ends the attribute list? That of course means '.' cannot be in the attributes. Perhaps end with '@@' instead? Just a thought. What do others think? thanks, -serge
