On 7/28/2015 8:06 AM, Serge E. Hallyn wrote:
> On Tue, Jul 28, 2015 at 07:36:30AM -0700, Casey Schaufler wrote:
>> On 7/26/2015 6:27 PM, Sungbae Yoo wrote:
>>> So, Do you agree to allow the process to change its own labels?
>> No. This requires CAP_MAC_ADMIN. Smack is mandatory access control.
>> B
On Tue, Jul 28, 2015 at 07:36:30AM -0700, Casey Schaufler wrote:
> On 7/26/2015 6:27 PM, Sungbae Yoo wrote:
> > So, Do you agree to allow the process to change its own labels?
>
> No. This requires CAP_MAC_ADMIN. Smack is mandatory access control.
> Being in a namespace (as they are implemented to
, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn; linux-security-mod...@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
>
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yo
> -Original Message-
> From: Lukasz Pawelczyk [mailto:l.pawelc...@samsung.com]
> Sent: Friday, July 24, 2015 8:41 PM
> To: Sungbae Yoo; Casey Schaufler
> Cc: James Morris; Serge E. Hallyn;
> linux-security-mod...@vger.kernel.org; linux-kernel@vger.kernel.org
> Su
--
From: Lukasz Pawelczyk [mailto:l.pawelc...@samsung.com]
Sent: Friday, July 24, 2015 8:41 PM
To: Sungbae Yoo; Casey Schaufler
Cc: James Morris; Serge E. Hallyn; linux-security-mod...@vger.kernel.org;
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Smack: replace capable() with ns_capable()
On pią, 2
On 7/24/2015 4:40 AM, Lukasz Pawelczyk wrote:
> On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
>> If current task has capabilities, Smack operations (eg. Changing own
>> smack
>> label) should be available even inside of namespace.
>>
>> Signed-off-by: Sungbae Yoo
For the reasons Lukasz o
On pią, 2015-07-24 at 20:26 +0900, Sungbae Yoo wrote:
> If current task has capabilities, Smack operations (eg. Changing own
> smack
> label) should be available even inside of namespace.
>
> Signed-off-by: Sungbae Yoo
>
> diff --git a/security/smack/smack_access.c
> b/security/smack/smack_acc
If current task has capabilities, Smack operations (eg. Changing own smack
label) should be available even inside of namespace.
Signed-off-by: Sungbae Yoo
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 00f6b38..f6b2c35 100644
--- a/security/smack/smack_access.c
8 matches
Mail list logo