On Mon, 2015-02-02 at 18:08 +0000, Serge Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
> > I'm game to participate in such an effort. The POSIX scheme
> > is workable, but given that it's 20 years old and hasn't
> > developed real traction it's hard to call it successful.
>
> Over the years we've several times discussed possible reasons for this
> and how to help. I personally think it's two things: 1. lack of
> toolchain and fs support. The fact that we cannot to this day enable
> ping using capabilities by default because of cpio, tar and non-xattr
> filesystems is disheartening.

We're working on resolving the CPIO issue. tar currently supports xattrs. At this point, how many non-xattr filesystems are there really?

Mimi

> 2. It's hard for users and applications
> to know what caps they need. Yes the API is a bear to use, but we can
> hide that behind fancier libraries. But using capabilities requires too
> much in-depth knowledge of precisely what caps you might need for
> whatever operations library may now do when you asked for something.