Message-ID: <54CFCA6C.4030004@gmail.com>
Date: Mon, 02 Feb 2015 14:05:16 -0500
From: Austin S Hemmelgarn
To: Mimi Zohar, Serge Hallyn
CC: Casey Schaufler, Christoph Lameter, Serge Hallyn, Andy Lutomirski, Jonathan Corbet, Aaron Jones, "Ted Ts'o", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, akpm@linuxfoundation.org
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
References: <54CFB9B8.8020701@schaufler-ca.com> <20150202180806.GE24351@ubuntumail> <1422902826.30131.38.camel@dhcp-9-2-203-236.watson.ibm.com>
In-Reply-To: <1422902826.30131.38.camel@dhcp-9-2-203-236.watson.ibm.com>
On 2015-02-02 13:47, Mimi Zohar wrote:
> On Mon, 2015-02-02 at 18:08 +0000, Serge Hallyn wrote:
>> Quoting Casey Schaufler (casey@schaufler-ca.com):
>>> I'm game to participate in such an effort. The POSIX scheme
>>> is workable, but given that it's 20 years old and hasn't
>>> developed real traction it's hard to call it successful.
>>
>> Over the years we've several times discussed possible reasons for this
>> and how to help. I personally think it's two things: 1. lack of
>> toolchain and fs support. The fact that we cannot to this day enable
>> ping using capabilities by default because of cpio, tar and non-xattr
>> filesystems is disheartening.
>
> We're working on resolving the CPIO issue. tar currently supports
> xattrs. At this point, how many non-xattr filesystems are there really?

FAT* and UFS immediately come to mind, and I know of people who use UFS for their root filesystem. There are a handful (ext* included) that need an option turned on in the kernel config, and possibly also a mount option added.

IIRC, the Linux NFS client has no xattr support, and that is very widely used because it's easier to set up than any alternatives.
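The file-capability mechanism Serge refers to (ping carrying cap_net_raw instead of being setuid root) stores its bits in the security.capability xattr, which is exactly what cpio, tar and the filesystem must carry through intact. The decoder below for that xattr's on-disk layout (struct vfs_cap_data, revisions 2 and 3) is an added example, not code from this thread or from the kernel; the 20-byte sample blob is constructed to match what `setcap cap_net_raw+ep` leaves on a binary.

```c
/* Decoder for the on-disk security.capability xattr (struct vfs_cap_data,
 * revision 2 or 3). Added example; fields are little-endian on disk. */
#include <stdint.h>
#include <string.h>
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u   /* 20-byte blob */
#define VFS_CAP_REVISION_3      0x03000000u   /* 24-byte blob, adds rootid */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define CAP_NET_RAW 13                        /* the capability ping needs */
struct filecaps {
    unsigned revision;     /* 2 or 3 */
    int effective;         /* effective bit set: permitted caps raised at exec */
    uint64_t permitted, inheritable;
    uint32_t rootid;       /* revision 3 only: root uid of the owning user namespace */
};
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Returns 0 on success; -1 for a truncated, oversized or unknown-revision blob. */
int parse_filecaps(const unsigned char *buf, size_t len, struct filecaps *out)
{
    if (len < 4) return -1;
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    size_t need = rev == VFS_CAP_REVISION_2 ? 20 : rev == VFS_CAP_REVISION_3 ? 24 : 0;
    if (need == 0 || len != need) return -1;   /* reject anything but an exact-size blob */
    memset(out, 0, sizeof *out);
    out->revision = rev >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] covers caps 0..31, data[1] covers caps 32..63 */
    out->permitted   = le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    if (rev == VFS_CAP_REVISION_3) out->rootid = le32(buf + 20);
    return 0;
}
int has_cap(uint64_t set, int cap) { return (int)((set >> cap) & 1); }
/* Constructed sample: the 20 bytes `setcap cap_net_raw+ep` writes (revision 2). */
const unsigned char PING_CAPS[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc: revision 2 | effective flag */
    0x00, 0x20, 0x00, 0x00,   /* data[0].permitted: bit 13 = CAP_NET_RAW */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
};
```

Feeding the parser the bytes read back from a file after it has passed through an archiver or a filesystem shows directly whether the capability set survived the round trip.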