Re: PROBLEM: A Capability LSM Module serious bug

From: Serge E. Hallyn (hallyn@private)
Date: Mon Dec 08 2003 - 08:48:54 PST

  • Next message: liangbin01@private: "Re: PROBLEM: A Capability LSM Module serious bug"

    > I think patch to capability.c maybe a better way to fix this bug. Because 
    > dummy.c is a simple superuser mechanism, capability should be not visible 
    > to it. And capability modules may be extended to file system so as to 
    The main question is do we declare cap_effective to belong solely to
    capability.c, or do we want capability.c to trust previous LSM's
    computations of those values?  So, even with the current case, if we
    insmod, rmmod, then re-insmod capability, do we want to revoke all
    previous cap_* computations?
    It seems reasonable for it "belong" to capability.c (and I've heard of
    noone else wanting to use it).  I just don't think we've explicitly
    declared this to be the case.

    This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 08:50:37 PST