-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
KaiGai,
I've just tried to build this with a separate obj tree: make O=/path.../
~ the build failed as follows:
~ CC security/dummy.o
~ CC security/inode.o
~ CAPS security/cap_names.h
/bin/sh: security/../scripts/mkcapnames.sh: No
|
| Andrew
~From 006ddf6903983dd596e360ab1ab8e537b29fab46 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan [EMAIL PROTECTED]
Date: Mon, 18 Feb 2008 15:23:28 -0800
Subject: [PATCH] Implement per-process securebits
|
[This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES
~ is enabled
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andrew G. Morgan wrote:
| Serge E. Hallyn wrote:
| | It all looks good to me.
| |
| | Since we've confirmed that wireshark uses capabilities it must be using
| | prctl(PR_SET_KEEPCAPS), so running it might be a good way to verify
| | that your
:00 2001
From: Andrew G. Morgan [EMAIL PROTECTED]
Date: Mon, 18 Feb 2008 15:23:28 -0800
Subject: [PATCH] Implement per-process securebits
[This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES
is enabled at configure time.]
Filesystem capability support makes it possible to do
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge E. Hallyn wrote:
| Andrew, this pretty much was bound to happen... we need to figure out
| what our approach here should be. My preference is still to allow
| signals when p->uid==current->uid so long as !SECURE_NOROOT. Then as
| people start
)
| + if (p-uid == current-uid)
| return 0;
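Review bot: the added `if (p-uid == current-uid)` followed by `return 0;` allows the operation on a bare uid match, but the discussion quoted just above makes that conditional on !SECURE_NOROOT and no securebits test is visible in these lines. If the condition closed by the preceding `)` does not already cover it, fold the !SECURE_NOROOT check into this test, and add a comment saying why same-uid signals are let through.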
Signed-off-by: Andrew G. Morgan [EMAIL PROTECTED]
Cheers
Andrew
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
KaiGai,
Thanks for trying to accommodate me :-)
Kohei KaiGai wrote:
| In addition, Andrew suggested that I export these translations by symlinks
| to reduce the number of invocations of system calls.
Yes, I wanted to make use of readlink() instead of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ismail Dönmez wrote:
| What I meant to ask was what does per-process securebits bring as extra.
It allows you to create a legacy free process tree. For example, a
chroot, or container (which Serge can obviously explain in more detail),
environment
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andrew Morton wrote:
| On Fri, 01 Feb 2008 00:11:37 -0800 Andrew G. Morgan [EMAIL PROTECTED] wrote:
|
| [This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES
| is enabled at configure time.]
|
| Patches like this scare the pants
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
[EMAIL PROTECTED] wrote:
| Quoting Andrew G. Morgan ([EMAIL PROTECTED]):
| -BEGIN PGP SIGNED MESSAGE-
| Hash: SHA1
|
| Here is the patch to add per-process securebits.
|
| It's all code that lives inside the capability LSM and the new
From 0e9d2531f3e6b6d9f4bf7b71f6661844a51eb661 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan [EMAIL PROTECTED]
Date: Thu, 31 Jan 2008 23:08:53 -0800
Subject: [PATCH] Implement per-process securebits
[This patch represents a no-op unless
From 6a63d67f37e50dd2031b3a050ebac1e64eae916e Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan [EMAIL PROTECTED]
Date: Wed, 23 Jan 2008 23:45:21 -0800
Subject: [PATCH
-
From 16fe33a1f6ab9957c83d4e74b67a25f920f2e7ba Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan [EMAIL PROTECTED]
Date: Wed, 23 Jan 2008 23:45:21 -0800
Subject: [PATCH] Implement per-process, prctl-based, securebits
With filesystem capabilities it is now possible to do away with
(set)uid-0 based