From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Chris Wright <chrisw@sous-sol.org>
Cc: greg@kroah.com, morgan@kernel.org, serue@us.ibm.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] exporting capability name/code pairs (for 2.6.26)
Date: Wed, 14 May 2008 14:57:56 +0900 [thread overview]
Message-ID: <482A7F64.50705@ak.jp.nec.com> (raw)
In-Reply-To: <20080514005238.GZ17453@sequoia.sous-sol.org>
Chris Wright wrote:
> * KaiGai Kohei (kaigai@ak.jp.nec.com) wrote:
>> Chris, what is the status of the patch?
>
> I still don't understand how ...
Hmm...
>>> When we run a userspace utility on the latest kernel, it has to be compiled
>>> with kernel-headers which have same capability set at least.
>>> If installed userspace utility does not support newly added capabilities,
>>> it requires users to rebuild their utilities when they update the kernel.
>>>
>>> Typically, kernel developer faces this kind of version mismatching.
>>> When they boots their kernel with new capabilities, it also requires to
>>> rebuild libcap. Then, they have to revert it, when they boots with normal
>>> kernel.
>>>
>>> If libcap can know what capabilities are supported on the running kernel
>>> automatically, it does not need users to rebuild libcap concurrently.
>
> ...libcap can do anything meaningful here with capabilities it doesn't
> know about? This interface is already versioned, what is wrong is old
> cap version on new kernel (clearly new cap version on old kernel would
> have to fall back to older cap version)?
The versioning info is just a hint in this case.
The major purpose of this patch is to save steps of maintainance.
When we tries to run a application using a new capability provided by
the latest kernel, we have to rebuild libcap to follow kernel updates.
If we can obtain an information what capabilities are supported in
the running kernel, we don't need to rebuild libcap for the latest
kernel everytime.
For example, we got CAP_MAC_ADMIN at 2.6.25. If an application tries to
use it, we have to replace libcap for 2.6.24 by libcap for 2.6.25.
Although, we don't get any updates in libcap. :-(
In addition, I noticed it will be usefull for applications which have
a possibility to use arbitary number of capabilities, like busybox
if setcap/getcap stuff is ported.
(IMO, we should not use libcap for busybox, because its first priority
is to reduce binary size, limited to minimun functionalities.)
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
next prev parent reply other threads:[~2008-05-14 6:00 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-25 6:06 [PATCH 0/3] exporting capability name/code pairs (final#2) Kohei KaiGai
2008-02-25 6:10 ` [PATCH 1/3] add a private data field within kobj_attribute structure (final#2) Kohei KaiGai
2008-02-25 6:51 ` Greg KH
2008-02-25 6:57 ` Kohei KaiGai
2008-02-25 7:47 ` Greg KH
2008-02-25 10:04 ` Kohei KaiGai
2008-02-26 20:09 ` Greg KH
2008-02-28 5:49 ` Valdis.Kletnieks
2008-03-03 4:42 ` Kohei KaiGai
2008-02-25 6:10 ` [PATCH 2/3] exporting capability name/code pairs (final#2) Kohei KaiGai
2008-02-26 14:55 ` Andrew G. Morgan
2008-02-26 20:58 ` Serge E. Hallyn
2008-03-07 4:30 ` Kohei KaiGai
2008-03-07 4:53 ` Greg KH
2008-02-25 6:10 ` [PATCH 3/3] a new example to use kobject/kobj_attribute (final#2) Kohei KaiGai
2008-04-22 11:12 ` [PATCH 0/3] exporting capability name/code pairs (for 2.6.26) KaiGai Kohei
2008-04-22 11:17 ` [PATCH 1/3] add a private data field within kobj_attribute structure KaiGai Kohei
2008-04-22 11:18 ` [PATCH 2/3] exporting capability name/code pairs KaiGai Kohei
2008-04-22 11:18 ` [PATCH 3/3] a new example to use kobject/kobj_attribute KaiGai Kohei
2008-04-22 19:29 ` [PATCH 0/3] exporting capability name/code pairs (for 2.6.26) Alexey Dobriyan
2008-04-23 0:38 ` KaiGai Kohei
2008-04-23 7:03 ` Alexey Dobriyan
2008-04-23 7:37 ` KaiGai Kohei
2008-05-13 22:12 ` Alexey Dobriyan
2008-05-14 0:34 ` KaiGai Kohei
2008-04-23 5:37 ` Chris Wright
2008-04-23 7:15 ` KaiGai Kohei
2008-05-14 0:36 ` KaiGai Kohei
2008-05-14 0:52 ` Chris Wright
2008-05-14 5:57 ` KaiGai Kohei [this message]
2008-05-15 5:48 ` Andrew Morgan
2008-05-15 7:47 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=482A7F64.50705@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=chrisw@sous-sol.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox