Re: [PATCH] [request for inclusion] Realtime LSM

[Chris Wright]

* Valdis.Kletnieks@xxxxxx (Valdis.Kletnieks@xxxxxx) wrote:
> On Fri, 07 Jan 2005 13:49:41 PST, Andrew Morton said:
> 
> > Chris Wright <chrisw@xxxxxxxx> wrote:
> 
> > > Last I checked they could be controlled separately in that module.  It
> > > has been suggested (by me and others) that one possible solution would
> > > be to expand it to be generic for all caps.
> > 
> > Maybe this is the way?
> 
> We already *know* how to (in principle) fix the capabilities system to make
> it useful.  We should probably investigate doing that and at the same time
> fixing the current CAP_SYS_ADMIN mess (which we also have at least some ideas
> on fixing). The remaining problem is possible breakage of software that's doing
> capability things The Old Way (as the inheritance rules are incompatible).

Fixing CAP_SYS_ADMIN whole other can o' worms.  No point in tangling the
two.

> Linus at one time said that a 2.7 might open if there was some issue that
> caused enough disruption to require a fork - could this be it, or does somebody
> have a better way to address the backward-combatability problem?

There's at least two ways.  Introduce a new capability module or introduce
a PF flag to opt in.  Neither are great

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/