Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

On 10/31/07, Crispin Cowan [EMAIL PROTECTED] wrote: Peter Dolding wrote: Lets end the bitrot. Start having bits go into the main OS security features where they should be. Linus categorically rejected this idea, several times, very clearly. He did so because the security community

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

2007/10/31, Crispin Cowan [EMAIL PROTECTED]: Peter Dolding wrote: Lets end the bitrot. Start having bits go into the main OS security features where they should be. Linus categorically rejected this idea, several times, very clearly. He did so because the security community cannot agree

Re: [PATCH] 2.6.23: Filesystem capabilities 0.17

Quoting Olaf Dietsche ([EMAIL PROTECTED]): This patch implements filesystem capabilities. It allows to run privileged executables without the need for suid root. Changes: - updated to 2.6.23 - fix const correctness - fix secureexec This patch is available at:

Re: [PATCH 1/2] VFS/Security: Rework inode_getsecurity and callers to return resulting buffer

On Sat, 2007-10-27 at 08:14 +1000, James Morris wrote: On Fri, 26 Oct 2007, Serge E. Hallyn wrote: It wouldn't be much effort to rebase this patch against Linus's latest tree. I am assuming that the static lsm patch is in there based on the recent discussion on LKML? Oh, sorry for

[PATCH] file capabilities: allow sigcont within session (v2)

From 5bff8967f45a35f858b96ca673d9bf98eac53d49 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Wed, 31 Oct 2007 11:22:04 -0500 Subject: [PATCH 1/1] file capabilities: allow sigcont within session (v2) (This is a proposed fix to

Possible missing security checks in usbfs?

Hello, I found several places performing mknod and mkdir operations without the proper security_inode_permission/mknod/mkdir checks. But I am not sure if it is that usbfs does not use LSM at all or there are real security violations. One such example is as follows. In

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

The Clear and Important thing is there is already a single security framework. The single security framework is the security that exists when no LSM is loaded. It turns out the more I look most of my model already exists just not being used effectively. There is a capabilities frame work at

Re: Linux Security *Module* Framework (Was: LSM conversion to static interface)

On 11/1/07, Casey Schaufler [EMAIL PROTECTED] wrote: --- Peter Dolding [EMAIL PROTECTED] wrote: Improvements to the single security framework are getting over looked. Please post proposed patches. I would have personally though selinux would have done Posix file capabilities as a

Re: Possible missing security checks in usbfs?

On Wed, Oct 31, 2007 at 07:02:27PM -0500, Tan, Lin wrote: Hello, I found several places performing mknod and mkdir operations without the proper security_inode_permission/mknod/mkdir checks. But I am not sure if it is that usbfs does not use LSM at all or there are real security violations.

Re: [PATCH] file capabilities: allow sigcont within session (v2)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [kernel/signal.c:check_kill_permission() could probably benefit from getting more consistently indented!] I'm not sure I can grok your comment. Did you mean: /* as per, check_kill_permission(), permit if tasks have same uid */ As to content: