Titus D. Winters wrote: >I think the issue is that the logic is wrong (or unclear at the least.) > >Currently it is saying: >if (you are rootish, own the process, or the module lets you) you can >renice things > >And Roy suggests: >if ((you are rootish or own the process) AND (the module lets you)) you >can renice things. I haven't been following this thread carefully, but if your summary is correct, I too prefer the latter (Roy's suggestion). For Janus, we found it critical (when sandboxing root processes) to be able to add restrictions that are stricter than what the base kernel enforces. IMHO, it is crucial to be able to enforce policies where root is nothing special, and if I'm not mistaken, only Roy's suggestion enables this. (Am I missing something?) _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 17:17:39 PDT