Sebastien Marie wrote:
> - if an exec'ed program starts with inherited TAME flags: the
>   initialisation of the program would be difficult as it would be
>   already tamed.
i've been thinking about this some more. true in some cases, but i think in many cases, what we are banning should be banned in the child as well. for example, tar execs gzip. tar doesn't need sockets, neither does gzip. (in the specific case of tar, guenther has done something different, but let's consider this more abstractly.) if i want to exec a program now, that means the entire code path up to exec() can't use tame() anywhere. that seems bad. if i know the exec'ed program won't create new files or sockets, i'd like to remove those capabilities from the parent too. yes, maybe the parent will need to go into the exec() with a few extra permissions in order to let the child initialize, but a few extra permissions can still be less than *all* permissions, as required today.
