From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christoph Lameter Subject: Re: [PATCH] capabilities: Ambient capability set V1 Date: Tue, 24 Feb 2015 09:58:13 -0600 (CST) Message-ID: References: <20150223161625.GD25477@ubuntumail> <20150223164623.GB32181@mail.hallyn.com> <20150223181553.GE25477@ubuntumail> <20150224051928.GA14755@mail.hallyn.com> <20150224154715.GA20682@mail.hallyn.com> Content-Type: TEXT/PLAIN; charset=US-ASCII Return-path: In-Reply-To: <20150224154715.GA20682@mail.hallyn.com> Sender: linux-kernel-owner@vger.kernel.org To: "Serge E. Hallyn" Cc: Serge Hallyn , Serge Hallyn , Andy Lutomirski , Aaron Jones , Ted Ts'o , linux-security-module@vger.kernel.org, akpm@linuxfoundation.org, "Andrew G. Morgan" , Mimi Zohar , Austin S Hemmelgarn , Markku Savela , Jarkko Sakkinen , linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Michael Kerrisk , Jonathan Corbet List-Id: linux-api@vger.kernel.org On Tue, 24 Feb 2015, Serge E. Hallyn wrote: > The other way to look at it then is that it's basically as though the > privileged task (which has CAP_SETFCAP) could've just added fI=full to > all binaries on the filesystem; instead it's using the ambient set > so that the risk from fI=full is contained to its own process tree. The way that our internal patch works is to leave these things alone and just check the ambient mask in the *capable*() functions. That way the behavior of the existing cap bits does not change but the ambient caps stay available. Apps have no surprises.