Re: PROBLEM: A Capability LSM Module serious bug

From: Serge E. Hallyn (hallyn@private)
Date: Mon Dec 08 2003 - 09:39:43 PST

Next message: Serge E. Hallyn: "Re: PROBLEM: A Capability LSM Module serious bug"

Previous message: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
In reply to: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Next in thread: Serge E. Hallyn: "Re: PROBLEM: A Capability LSM Module serious bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > Another possible solution would be to have dummy.c correctly set
> > cap_effective to 0 on dummy_task_create.  Any opinions on the proper
> > way to go about this?
> 
> I think the dummy module is going to need to know more about
> capabilities.  Clearing the field completely will then leave the machine
> disfunctional for all the privileged daemons.

It wouldn't need to know any more than the recompute_capability_creds
knew.

But this also would impact performance.  The more I think about it, the
posted patch (tested, works great) is best.

thanks,  :)
-serge

Next message: Serge E. Hallyn: "Re: PROBLEM: A Capability LSM Module serious bug"
Previous message: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
In reply to: Chris Wright: "Re: PROBLEM: A Capability LSM Module serious bug"
Next in thread: Serge E. Hallyn: "Re: PROBLEM: A Capability LSM Module serious bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 09:41:38 PST