Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 1:30 PM, Serge E. Hallyn wrote: > Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): > ... >> >> >> >> == >> >> >> >> +controlled_userns_caps_whitelist >> >> + >> >> +Capability mask that is whitelisted

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread Serge E. Hallyn
Quoting Mahesh Bandewar (महेश बंडेवार) (mahe...@google.com): ... > >> > >> == > >> > >> +controlled_userns_caps_whitelist > >> + > >> +Capability mask that is whitelisted for "controlled" user namespaces. > >> +Any capability that is miss

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 2:30 AM, Serge E. Hallyn wrote:
> Quoting Mahesh Bandewar (mah...@bandewar.net):
>> From: Mahesh Bandewar
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>
> I understand the arguments in favor of whitelists in most cases for
> security purposes.

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread महेश बंडेवार
On Fri, Nov 10, 2017 at 2:22 AM, Serge E. Hallyn wrote:
> Quoting Mahesh Bandewar (mah...@bandewar.net):
>> From: Mahesh Bandewar
>>
>> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
>> takes input as capability mask expressed as two comma separated hex
>> u32 words. The mask

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread Serge E. Hallyn
Quoting Mahesh Bandewar (mah...@bandewar.net):
> From: Mahesh Bandewar
>
> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This

I understand the arguments in favor of whitelists in most cases for security purposes. But given that you've said the goal here is to prevent use of a c

Re: [PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-09 Thread Serge E. Hallyn
Quoting Mahesh Bandewar (mah...@bandewar.net):
> From: Mahesh Bandewar
>
> Add a sysctl variable kernel.controlled_userns_caps_whitelist. This
> takes input as capability mask expressed as two comma separated hex
> u32 words. The mask, however, is stored in kernel as kernel_cap_t type.
>
> Any c

[PATCH resend 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

2017-11-02 Thread Mahesh Bandewar
From: Mahesh Bandewar

Add a sysctl variable kernel.controlled_userns_caps_whitelist. This takes input as capability mask expressed as two comma separated hex u32 words. The mask, however, is stored in kernel as kernel_cap_t type.

Any capabilities that are not part of this mask will be controlled