On Wed, Jul 29, 2015 at 07:05:19PM +0200, Lukasz Pawelczyk wrote:
> > Anyway, if this patchset is simply about making smack work in user_ns
> > at all, I'll reread with that in mind :)
>
> Would appreciate.
Ok - thanks for your patience. I "get" it now. Will go back to the
actual patches and review
Just a clarification, from my previous email:
> 3. (exception #2) About the: "Without the host admin doing anything.".
> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace). There is no way that
> this will not involve host admin.
On Wed, Jul 29, 2015 at 06:13:59PM +0200, Lukasz Pawelczyk wrote:
> Apologise for sending my previous email in HTML, this email address
> was never meant to be used with lists. I resend in plain text.
>
> On Wed, Jul 29, 2015 at 5:25 PM, Serge E. Hallyn wrote:
>
> >> +Enabling Smack related
On Wed, Jul 29, 2015 at 6:13 PM, Lukasz Pawelczyk wrote:
> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace).
Ok, maybe the part in the brackets is an overstatement. Mostly with
namespaces you create a full abstraction of
Apologise for sending my previous email in HTML, this email address
was never meant to be used with lists. I resend in plain text.
On Wed, Jul 29, 2015 at 5:25 PM, Serge E. Hallyn wrote:
>> +Enabling Smack related capabilities (CAP_MAC_ADMIN and
>> +CAP_MAC_OVERRIDE) is main goal of Smack
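Review bot: the added documentation sentence "is main goal of Smack" is missing its article, and "Smack related" reads better hyphenated. Suggest "Enabling Smack-related capabilities (CAP_MAC_ADMIN and CAP_MAC_OVERRIDE) is the main goal of Smack ...".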
On Fri, Jul 24, 2015 at 12:04:45PM +0200, Lukasz Pawelczyk wrote:
> +--- Design ideas ---
> +
> +"Smack namespace" is rather "Smack labels namespace" as not the whole
> +MAC is namespaced, only the labels. There is a great analogy between
> +Smack labels namespace and the user namespace part that
Adds Documentation/smack-namespace.txt.
Signed-off-by: Lukasz Pawelczyk
Reviewed-by: Casey Schaufler
---
Documentation/security/00-INDEX| 2 +
Documentation/security/Smack-namespace.txt | 231 +
MAINTAINERS| 1 +
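Review bot: the commit message names the new file as Documentation/smack-namespace.txt, but the diffstat shows it being added as Documentation/security/Smack-namespace.txt. The message should give the path the patch actually creates, including the security/ directory and the capitalised file name.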