Pavel Machek wrote:
> [...]
> > Now, with all of that being said, if you don't want the full
> > POSIX model, it's probably easier to simply leave things the way they
> > are right now, and not try to put anything in the filesystem. Just
>
> I'd like to see elfcap in kernel ;-). That gives verifiable way to
> know that process drops its capabilities.
Not workable. We would also nead coffcap, javacap, scriptcap, etc. We really
need to store the capabilities in the filesystem(s).
Storing three capability sets per executable on the filesystem gives us all we
need:
- It defined the least capabilities a process gets after exec (What some seem to
call the ``forced'' set of capabilities).
- It defines which capabilities may be inherited from the parent process.
- It also defines the effective capabilities.
This means that we can even get around making some apps capability aware (they
simply get a reduced set of capabilities from exec).
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~agruenba
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:27 EST