On Fri, 13 Jul 2007, Serge E. Hallyn wrote: > >From 3549aced829f84237ddc3ccfa571b8a938cae173 Mon Sep 17 00:00:00 2001 > From: Serge E. Hallyn <[EMAIL PROTECTED]> > Date: Fri, 13 Jul 2007 12:17:45 -0400 > Subject: [PATCH 2/2] file capabilities: change fE to a bool > > The fE was previously a full capset which was masked with the > calculated new_permitted to get the process' new effective set. > It is now a single bit in the xattr. This patch changes > bprm->cap_effective to a boolean. When that boolean is false, > then P'e is the empty set. When the boolean is true, then P'e is > set equal to P'p (new_permitted). The rationale for this is that > either the application does not know about capabilities, and > needs to start with all permitted caps in its effective set, or > it does know about capabilities, and can start with an empty > effective set and enable the caps it wants when it wants. > > Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]> -- James Morris <[EMAIL PROTECTED]> - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
