From: Matt LaPlante <kernel1@cyberdogtech.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: "Default Linux Capabilities" default in 2.6.24
Date: Tue, 29 Jan 2008 10:44:28 -0600
Message-ID: <20080129104428.787c6c6f.kernel1@cyberdogtech.com>
In-Reply-To: <20080129130825.GD28931@sergelap.austin.ibm.com>
On Tue, 29 Jan 2008 07:08:25 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:
> Quoting James Morris (jmorris@namei.org):
> > On Mon, 28 Jan 2008, Matt LaPlante wrote:
> >
> > > On Thu, 24 Jan 2008 19:12:01 -0600
> > > Matt LaPlante <kernel1@cyberdogtech.com> wrote:
> > >
> > > >
> > > > I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > >
> > > > ---
> > > > Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > > ---
> > > >
> > > > However the help text recommends saying Yes.
> > > >
> > > > ---
> > > > This enables the "default" Linux capabilities functionality.
> > > > If you are unsure how to answer this question, answer Y.
> > > > ---
> > > >
> > > > Does this seem incongruous? Also, what's the "question"? :)
> > > >
> > > > Thanks,
> > > > Matt LaPlante
> > >
> > > Anyone?
> >
> > I think this should be default y.
>
> True, it was made the default when CONFIG_SECURITY=n a few years ago,
> and switching it off when toggling CONFIG_SECURITY is probably unsafe
> for unsuspecting users/testers.
>
> Thanks Matt.
>
> -serge
>
> From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
> From: sergeh@us.ibm.com <hallyn@kernel.(none)>
> Date: Tue, 29 Jan 2008 05:04:43 -0800
> Subject: [PATCH 1/1] security: compile capabilities by default
>
> Capabilities have long been the default when CONFIG_SECURITY=n,
> and its help text suggests turning it on when CONFIG_SECURITY=y.
> But it is set to default n.
>
> Default it to y instead.
>
> Signed-off-by: Serge Hallyn <serue@us.ibm.com>
> ---
> security/Kconfig | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 8086e61..389e151 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
> config SECURITY_CAPABILITIES
> bool "Default Linux Capabilities"
> depends on SECURITY
> + default y
> help
> This enables the "default" Linux capabilities functionality.
> If you are unsure how to answer this question, answer Y.
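Review bot: The help text kept as context below the new `default y` line still does not say what the option provides or what answering N costs, which the original report also raised ("what's the 'question'?"). Consider extending the help in this same patch to state that capabilities have been the default when CONFIG_SECURITY=n and that turning them off with CONFIG_SECURITY=y is probably unsafe for users who are unsure, as the commit message and the reply above already say.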
> --
> 1.5.1
>
Acked-by: Matt LaPlante <kernel1@cyberdogtech.com>
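
A check for the configuration state this thread calls unsafe (CONFIG_SECURITY=y with SECURITY_CAPABILITIES left at N), as an added example that is not code from the thread or from the kernel tree. The function names, state labels and the sample .config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel .config by the two options discussed above.

# kconfig_value FILE SYMBOL -> y/m/<value>, "n" for "# ... is not set",
# or "absent" when the symbol was never answered (e.g. before make oldconfig).
kconfig_value() {
    file=$1
    sym=$2
    if grep -q "^CONFIG_${sym}=" "$file"; then
        sed -n "s/^CONFIG_${sym}=//p" "$file" | tail -n 1
    elif grep -q "^# CONFIG_${sym} is not set" "$file"; then
        echo n
    else
        echo absent
    fi
}

# capabilities_state FILE -> one of (labels are hypothetical):
#   builtin  CONFIG_SECURITY is off; per the thread, capabilities are the default
#   enabled  CONFIG_SECURITY=y and CONFIG_SECURITY_CAPABILITIES=y
#   missing  CONFIG_SECURITY=y but SECURITY_CAPABILITIES is N or unanswered
capabilities_state() {
    sec=$(kconfig_value "$1" SECURITY)
    cap=$(kconfig_value "$1" SECURITY_CAPABILITIES)
    if [ "$sec" != y ]; then
        echo builtin
    elif [ "$cap" = y ]; then
        echo enabled
    else
        echo missing
    fi
}

# Constructed sample: CONFIG_SECURITY switched on and the old default (N)
# accepted at the new prompt.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_CAPABILITIES is not set
EOF
echo "sample .config: $(capabilities_state "$sample")"
rm -f "$sample"
```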