> I think patch to capability.c may be a better way to fix this bug. Because
> dummy.c is a simple superuser mechanism, capability should be not visible
> to it. And capability modules may be extended to file system so as to

The main question is do we declare cap_effective to belong solely to capability.c, or do we want capability.c to trust previous LSM's computations of those values? So, even with the current case, if we insmod, rmmod, then re-insmod capability, do we want to revoke all previous cap_* computations?

It seems reasonable for it to "belong" to capability.c (and I've heard of no one else wanting to use it). I just don't think we've explicitly declared this to be the case.
This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 08:50:37 PST