Re: [PATCH] per-process securebits

2008-02-05 Thread Serge E. Hallyn
Quoting Andrew G. Morgan ([EMAIL PROTECTED]): > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Here is the patch to add per-process securebits. > > It's all code that lives inside the capability LSM and the new securebits > implementation is only active if CONFIG_SECURITY_FILE_CAPABILITIES is >

Re: [PATCH] per-process securebits

2008-02-04 Thread Ismail Dönmez
At Monday 04 February 2008 around 18:45:24 Serge E. Hallyn wrote: > Quoting Andrew G. Morgan ([EMAIL PROTECTED]): > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > Ismail Dönmez wrote: > > | What I meant to ask was what does "per-process securebits" bring as > > > > extra. > > > > It

Re: [PATCH] per-process securebits

2008-02-04 Thread Andrew Morton
On Mon, 4 Feb 2008 18:17:22 + Pavel Machek <[EMAIL PROTECTED]> wrote: > On Fri 2008-02-01 20:07:01, James Morris wrote: > > On Fri, 1 Feb 2008, Andrew Morton wrote: > > > > > Really? I'd feel a lot more comfortable if yesterday's version 1 had led > > > to a stream of comments from suitably-

Re: [PATCH] per-process securebits

2008-02-04 Thread Pavel Machek
On Fri 2008-02-01 20:07:01, James Morris wrote: > On Fri, 1 Feb 2008, Andrew Morton wrote: > > > Really? I'd feel a lot more comfortable if yesterday's version 1 had led > > to a stream of comments from suitably-knowledgeable kernel developers which > > indicated that those developers had scrutin

Re: [PATCH] per-process securebits

2008-02-04 Thread Serge E. Hallyn
Quoting Andrew G. Morgan ([EMAIL PROTECTED]): > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Ismail Dönmez wrote: > | What I meant to ask was what does "per-process securebits" bring as > extra. > > It allows you to create a legacy free process tree. For example, a > chroot, or container (

Re: [PATCH] per-process securebits

2008-02-03 Thread Andrew G. Morgan
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ismail Dönmez wrote: | What I meant to ask was what does "per-process securebits" bring as extra. It allows you to create a legacy free process tree. For example, a chroot, or container (which Serge can obviously explain in more detail), environment

Re: [PATCH] per-process securebits

2008-02-03 Thread Ismail Dönmez
At Monday 04 February 2008 around 02:49:29 Andrew G. Morgan wrote: > Another way to put this is that there needs to be some application code > and documentation available to guide the way... Adding such things to > the example programs in libcap2 helped me find the 24-rc2 CAP_SETPCAP > bug and unti

Re: [PATCH] per-process securebits

2008-02-03 Thread Andrew G. Morgan
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ismail Dönmez wrote: | At Sunday 03 February 2008 around 08:18:12 Andrew Morton wrote: |> So how do we ever get to the stage where we can recommend that distributors |> turn these things on, and have them agree with us? | | FWIW with my distributor hat on

Re: [PATCH] per-process securebits

2008-02-02 Thread Ismail Dönmez
At Sunday 03 February 2008 around 08:18:12 Andrew Morton wrote: > So how do we ever get to the stage where we can recommend that distributors > turn these things on, and have them agree with us? FWIW with my distributor hat on I think File system capabilities are very nice and enable one to ship

Re: [PATCH] per-process securebits

2008-02-02 Thread Andrew Morton
On Sat, 02 Feb 2008 22:01:51 -0800 "Andrew G. Morgan" <[EMAIL PROTECTED]> wrote: > Here is the very very long version (which took some time to write, and I > thought was a bit much to spam these lists with): > > http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html Thanks. Imag

Re: [PATCH] per-process securebits

2008-02-02 Thread Andrew G. Morgan
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 [EMAIL PROTECTED] wrote: | Quoting Andrew G. Morgan ([EMAIL PROTECTED]): |> -BEGIN PGP SIGNED MESSAGE- |> Hash: SHA1 |> |> Here is the patch to add per-process securebits. |> |> It's all code that lives inside the capability LSM and the new s

Re: [PATCH] per-process securebits

2008-02-02 Thread Andrew G. Morgan
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew Morton wrote: | On Fri, 01 Feb 2008 00:11:37 -0800 "Andrew G. Morgan" <[EMAIL PROTECTED]> wrote: | |> [This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES |> is enabled at configure time.] | | Patches like this scare the pan

Re: [PATCH] per-process securebits

2008-02-01 Thread serge
Quoting Andrew G. Morgan ([EMAIL PROTECTED]): > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Here is the patch to add per-process securebits. > > It's all code that lives inside the capability LSM and the new securebits > implementation is only active if CONFIG_SECURITY_FILE_CAPABILITIES is >

Re: [PATCH] per-process securebits

2008-02-01 Thread James Morris
On Fri, 1 Feb 2008, Andrew Morton wrote: > Really? I'd feel a lot more comfortable if yesterday's version 1 had led > to a stream of comments from suitably-knowledgeable kernel developers which > indicated that those developers had scrutinised this code from every > conceivable angle and had decl

Re: [PATCH] per-process securebits

2008-02-01 Thread Andrew Morton
On Fri, 01 Feb 2008 00:11:37 -0800 "Andrew G. Morgan" <[EMAIL PROTECTED]> wrote: > [This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES > is enabled at configure time.] Patches like this scare the pants off me. I'd have to recommend that distributors not enable this feature (

[PATCH] per-process securebits

2008-02-01 Thread Andrew G. Morgan
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Here is the patch to add per-process securebits. It's all code that lives inside the capability LSM and the new securebits implementation is only active if CONFIG_SECURITY_FILE_CAPABILITIES is enabled (it doesn't make much sense to support this featur