Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754183AbdFMVJ5 (ORCPT ); Tue, 13 Jun 2017 17:09:57 -0400
Received: from mail-it0-f42.google.com ([209.85.214.42]:37509 "EHLO
        mail-it0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753680AbdFMVJy (ORCPT );
        Tue, 13 Jun 2017 17:09:54 -0400
Date: Tue, 13 Jun 2017 15:09:47 -0600
From: Tycho Andersen
To: Mimi Zohar
Cc: Stefan Berger, James Bottomley,
        containers@lists.linux-foundation.org, LKML,
        xiaolong.ye@intel.com, "Eric W. Biederman", lkp@01.org
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
Message-ID: <20170613210947.ypsx223d4n6742zx@smitten>
References: <20170508044408.GA11400@mail.hallyn.com>
        <20170508181156.GA23112@mail.hallyn.com>
        <9f80188c-df03-066a-5dac-785cc711d064@linux.vnet.ibm.com>
        <20170613171422.i5vsylhqqo736car@smitten>
        <1497375902.7379.25.camel@HansenPartnership.com>
        <20170613204612.uztqywc7topa6g2h@smitten>
        <8933bf11-7ca2-fa12-8d51-46d94d94a182@linux.vnet.ibm.com>
        <20170613205312.gre2s6a3zsrjnyos@smitten>
        <1497387570.21594.427.camel@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1497387570.21594.427.camel@linux.vnet.ibm.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 249
Lines: 9

On Tue, Jun 13, 2017 at 04:59:30PM -0400, Mimi Zohar wrote:
> Assuming you want to support container specific executables, you would
> want them specifically signed by a key not on the system IMA keyring.

Yes, this is a good point.

Cheers,

Tycho