From: Matt LaPlante <kernel1@cyberdogtech.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: "Default Linux Capabilities" default in 2.6.24
Date: Tue, 29 Jan 2008 10:44:28 -0600 [thread overview]
Message-ID: <20080129104428.787c6c6f.kernel1@cyberdogtech.com> (raw)
In-Reply-To: <20080129130825.GD28931@sergelap.austin.ibm.com>
On Tue, 29 Jan 2008 07:08:25 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:
> Quoting James Morris (jmorris@namei.org):
> > On Mon, 28 Jan 2008, Matt LaPlante wrote:
> >
> > > On Thu, 24 Jan 2008 19:12:01 -0600
> > > Matt LaPlante <kernel1@cyberdogtech.com> wrote:
> > >
> > > >
> > > > I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > >
> > > > ---
> > > > Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > > ---
> > > >
> > > > However the help text recommends saying Yes.
> > > >
> > > > ---
> > > > This enables the "default" Linux capabilities functionality.
> > > > If you are unsure how to answer this question, answer Y.
> > > > ---
> > > >
> > > > Does this seem incongruous? Also, what's the "question"? :)
> > > >
> > > > Thanks,
> > > > Matt LaPlante
> > >
> > > Anyone?
> >
> > I think this should be default y.
>
> True, it was made the default when CONFIG_SECURITY=n a few years ago,
> and switching it off when toggling CONFIG_SECURITY is probably unsafe
> for unsuspecting users/testers.
>
> Thanks Matt.
>
> -serge
>
> From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
> From: sergeh@us.ibm.com <hallyn@kernel.(none)>
> Date: Tue, 29 Jan 2008 05:04:43 -0800
> Subject: [PATCH 1/1] security: compile capabilities by default
>
> Capabilities have long been the default when CONFIG_SECURITY=n,
> and its help text suggests turning it on when CONFIG_SECURITY=y.
> But it is set to default n.
>
> Default it to y instead.
>
> Signed-off-by: Serge Hallyn <serue@us.ibm.com>
> ---
> security/Kconfig | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 8086e61..389e151 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
> config SECURITY_CAPABILITIES
> bool "Default Linux Capabilities"
> depends on SECURITY
> + default y
> help
> This enables the "default" Linux capabilities functionality.
> If you are unsure how to answer this question, answer Y.
> --
> 1.5.1
>
Acked-by: Matt LaPlante <kernel1@cyberdogtech.com>
prev parent reply other threads:[~2008-01-29 16:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-25 1:12 "Default Linux Capabilities" default in 2.6.24 Matt LaPlante
2008-01-29 2:10 ` Matt LaPlante
2008-01-29 2:48 ` James Morris
2008-01-29 13:08 ` Serge E. Hallyn
2008-01-29 16:44 ` Matt LaPlante [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080129104428.787c6c6f.kernel1@cyberdogtech.com \
--to=kernel1@cyberdogtech.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox