From: David Madore <david.madore@ens.fr>
To: Joshua Brindle <method@gentoo.org>
Cc: Pavel Machek <pavel@ucw.cz>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Linux Kernel mailing-list <linux-kernel@vger.kernel.org>,
LSM mailing-list <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
Date: Sun, 17 Sep 2006 23:16:02 +0200 [thread overview]
Message-ID: <20060917211602.GA6215@clipper.ens.fr> (raw)
In-Reply-To: <450DB274.1010404@gentoo.org>
On Sun, Sep 17, 2006 at 04:39:16PM -0400, Joshua Brindle wrote:
> The benefits of this are so minuscule and the cost is so high if you are
> ever to use it that it simply won't happen..
I'm withdrawing that patch anyway, in favor of a LSM-style approach,
the "cuppabilities" module (cf. the patch I posted a couple of hours
ago with that word in the title, and I'll be posting a new version in
a day or so, or cf. <URL:
http://www.madore.org/~david/linux/cuppabilities/
>). In this case, the relative cost will be lower since the
security_ops->inode_permission() hook is called no matter what.
But I agree that the value of restricting open() is very dubious and
it was intended mostly as a demonstration. So if there is strong
opposition to this sort of thing, I'll remove it.
Happy hacking,
--
David A. Madore
(david.madore@ens.fr,
http://www.madore.org/~david/ )
next prev parent reply other threads:[~2006-09-17 21:16 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-10 13:37 [PATCH 1/4] security: capabilities patch (version 0.4.4), part 1/4: enlarge capability sets David Madore
2006-09-10 13:41 ` [PATCH 2/4] security: capabilities patch (version 0.4.4), part 2/4: change inheritance semantics David Madore
2006-09-10 13:42 ` [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities David Madore
2006-09-10 16:23 ` Alan Cox
2006-09-10 16:09 ` David Madore
2006-09-11 8:06 ` James Morris
2006-09-11 12:03 ` Joshua Brindle
2006-09-11 16:22 ` Casey Schaufler
2006-09-17 18:06 ` Pavel Machek
2006-09-10 17:56 ` Joshua Brindle
2006-09-10 20:03 ` David Madore
2006-09-11 6:10 ` Jan Engelhardt
2006-09-11 6:51 ` David Madore
2006-09-11 13:42 ` Stephen Smalley
2006-09-17 18:14 ` Pavel Machek
2006-09-17 20:39 ` Joshua Brindle
2006-09-17 21:16 ` David Madore [this message]
2006-09-18 11:46 ` Joshua Brindle
2006-09-18 11:58 ` David Madore
2006-09-18 12:04 ` Pavel Machek
2006-09-18 12:12 ` Joshua Brindle
2006-09-18 16:02 ` Casey Schaufler
2006-09-19 0:25 ` Joshua Brindle
2006-09-19 3:46 ` Casey Schaufler
2006-09-19 4:09 ` Joshua Brindle
2006-09-19 15:54 ` Casey Schaufler
2006-09-19 18:27 ` Pavel Machek
2006-09-10 13:44 ` David Madore
2006-09-10 13:46 ` [PATCH 4/4] security: capabilities patch (version 0.4.4), part 4/4: add filesystem support David Madore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060917211602.GA6215@clipper.ens.fr \
--to=david.madore@ens.fr \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=method@gentoo.org \
--cc=pavel@ucw.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.