On Fri, Dec 7, 2012 at 11:21 AM, Serge Hallyn
<[email protected]> wrote:
> Quoting Andy Lutomirski ([email protected]):
>> Signed-off-by: Andy Lutomirski <[email protected]>
>> ---
>> Documentation/security/capabilities.txt | 161
>> ++++++++++++++++++++++++++++++++
>> 1 file changed, 161 insertions(+)
>> create mode 100644 Documentation/security/capabilities.txt
>
> TBH, I think a pointer to the capabilities.7 man page would be better.
> (plus, if you feel they are needed, updates to the man page)
Updating capabilities.7 wouldn't be a bad idea, but IMO it certainly
needs work. For example, it says:
Inheritable:
This is a set of capabilities preserved across an execve(2). It
provides a mechanism for a process to assign capabilities to the
permitted set of the new program during an execve(2).
This is, at best, misleading.
Permitted says:
If a thread drops a capability from its permitted set, it can
never reacquire that capability (unless it execve(2)s either a
set-user-ID-root program, or a program whose associated file
capabilities grant that capability).
That's just not true (e.g. if uid == 0).
The text later on is better, but I think it would be helpful to have a
detailed and succinct description of what's going on.
I would be happy to revise this patch to reference capabilities.7.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
