From: Joshua Brindle <method@gentoo.org>
To: David Madore <david.madore@ens.fr>
Cc: Linux Kernel mailing-list <linux-kernel@vger.kernel.org>,
LSM mailing-list <linux-security-module@vger.kernel.org>
Subject: Re: capabilities patch: trying a more "consensual" approach
Date: Tue, 12 Sep 2006 08:16:34 -0400 [thread overview]
Message-ID: <4506A522.90005@gentoo.org> (raw)
In-Reply-To: <20060911212826.GA9606@clipper.ens.fr>
David Madore wrote:
> Hello again,
>
> Given the rather cold reception that my "capabilities" patch has met,
> it is obvious that it will never be accepted in any official kernel,
> so I am now abandoning it and will try to suggest a different approach
> that, in my opinion, isn't nearly as useful or expressive, but which
> should probably be much more acceptable to those who found fault with
> my previous patch, since it follows various suggestions which I
> received on the list.
>
> First, attempt to implement POSIX draft semantics for inheritance as
> closely as the current situation will allow. (I think this is wrong,
> but many people seem to care, and POSIX semantics is still better than
> no semantics at all.) Actual filesystem support can come later (Serge
> Hallyn has a patch for that), but in the meantime it would be useful
> to add some (per-filesystem) mount options to specify the default
> "inheritable" and "effective" capability sets. In the absence of this
> mount option, the behavior would be entirely unchanged, so everyone
> should be happy. With the mount options, capabilities will be
> somewhat inheritable (only "somewhat", though, because with the POSIX
> semantics, even with a default set, you can't force a non-caps-aware
> process to gain caps in such a way that it will pass it on to its
> children).
>
> Second, suppress the idea of "regular" capabilities, and implement
> them with Linux Security Module hooks (the module could be called,
> say, "cuppabilities"). This won't do as much, but we can probably
> still get a few things done that way. Unfortunately, the
> cuppabilities won't (can't) follow the same inheritance rules as
> capabilities, and this might be a bit confusing. But better than
> nothing.
>
> Is there some objection to this scheme? I should start coding it in a
> couple of weeks.
>
Do you have a practical use case for this? It still doesn't address the
questionable capabilities or the fact that the policy is embedded in the
processes all over the system and therefore there is no analyzable
system policy.
next prev parent reply other threads:[~2006-09-12 12:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-11 21:28 capabilities patch: trying a more "consensual" approach David Madore
2006-09-12 12:16 ` Joshua Brindle [this message]
2006-09-15 22:52 ` David Madore
2006-09-18 12:59 ` Stephen Smalley
2006-09-21 21:33 ` Crispin Cowan
2006-09-19 19:46 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4506A522.90005@gentoo.org \
--to=method@gentoo.org \
--cc=david.madore@ens.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox