Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756557AbXFXQTE (ORCPT ); Sun, 24 Jun 2007 12:19:04 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755366AbXFXQS5 (ORCPT ); Sun, 24 Jun 2007 12:18:57 -0400 Received: from mail5.sea5.speakeasy.net ([69.17.117.7]:49283 "EHLO mail5.sea5.speakeasy.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755256AbXFXQS4 (ORCPT ); Sun, 24 Jun 2007 12:18:56 -0400 Date: Sun, 24 Jun 2007 12:18:52 -0400 (EDT) From: James Morris X-X-Sender: jmorris@localhost.localdomain To: "Serge E. Hallyn" cc: Andrew Morgan , "Serge E. Hallyn" , Chris Wright , Andrew Morgan , casey@schaufler-ca.com, Andrew Morton , Stephen Smalley , linux-security-module@vger.kernel.org, lkml , Arjan van de Ven Subject: Re: implement-file-posix-capabilities.patch In-Reply-To: <20070624155100.GA5167@vino.hallyn.com> Message-ID: References: <20070611123714.GA2063@sergelap.austin.ibm.com> <878322.98602.qm@web36606.mail.mud.yahoo.com> <20070617135239.GA17689@sergelap> <4676007F.7060503@kernel.org> <20070618044017.GW3723@sequoia.sous-sol.org> <20070620171037.GA28670@sergelap.ibm.com> <20070620174613.GF3723@sequoia.sous-sol.org> <20070621160011.GB9913@sergelap.austin.ibm.com> <467CD63B.4000703@kernel.org> <20070624155100.GA5167@vino.hallyn.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1193 Lines: 32 On Sun, 24 Jun 2007, Serge E. Hallyn wrote: > > 2) Allocate capability bit-31 for CAP_SETFCAP, and use it to gate > > whether the user can set this xattr on a file or not. CAP_SYS_ADMIN is > > way too overloaded and this functionality is special. > > The functionality is special, but someone with CAP_SYS_ADMIN can always > unload the capability module and create the security.capability xattr > using the dummy module. > > If we do add this cap, do we want to make it apply to all security.* > xattrs? The underlying issue here is the notion of security mechanisms which are built as loadable modules. It's not useful for any in-tree users, and introduces several unnecessary problems which then need to be addressed. A better approach would be to make LSM a statically linked interface. This would also allow us to unexport the LSM symbols and reduce the API abuse by third-party modules. - James -- James Morris - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/