On Tue, 19 Jun 2001, Shane Kerr wrote: > I guess my only question is: Will "purely restrictive" hooks allow > modules that allow non-root users to bind privileged ports, chroot, and > possibly setuid/setgid? To be precise, the idea is that all of the LSM hooks other than capable() will be purely restrictive. As soon as we arrive at a consensus on the right approach to moving capabilities out of the base kernel into a module, the base capable() function will once again be reduced to merely calling the LSM capable() hook, so a security module will be able to grant traditionally superuser privileges to non-superuser processes. The capabilities security module will be a module that provides this kind of functionality. -- Stephen D. Smalley, NAI Labs ssmalleyat_private _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 05:25:26 PDT