Re: PATCH: signals security

Rik van Riel (H.H.vanRiel@phys.uu.nl)
Fri, 22 May 1998 03:55:40 +0200 (MET DST)


On Fri, 22 May 1998, Alexander Kjeldaas wrote:

> However, I'm not sure whether this cap_dirty thing is generally
> useful, or whether all that is needed is a special-case for
> CAP_RAW_IO. Generalizing it through cap_dirty, however, is probably as
> simple as a patch implementing a single PF_RAWIO flag.

We can use it for all sorts of things. We might, for
instance, use it in the scheduler, in network or VM
stuff or in other places.

Another use for it is to let the programmer of
security-dangerous programs know how much of the
capabilities requested are actually used.
This might give better security in the long run
because programs will only ask for the capabilities
they actually need.

Exporting it in /proc probably _is_ a good idea.
You can just disallow access to other users and
return zero when p->euid!=p->uid.

Rik.
+-------------------------------------------+--------------------------+
| Linux: - LinuxHQ MM-patches page | Scouting webmaster |
| - kswapd ask-him & complain-to guy | Vries cubscout leader |
| http://www.phys.uu.nl/~riel/ | <H.H.vanRiel@phys.uu.nl> |
+-------------------------------------------+--------------------------+
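
The bookkeeping discussed in this thread, as an added user-space C model (not code from the patch, the kernel, or either poster): a capability check that marks cap_dirty, the read rule "refuse other users, return zero when p->euid!=p->uid", and the requested-but-unused report. The struct, the function names and the bit values are assumptions made for the example, and "other users" is taken to mean any reader whose uid differs from p->uid, with no exception for root.

```c
/* User-space model of the cap_dirty idea; not kernel code. Assumed names:
 * struct task, capable_mark, read_cap_dirty, unused_caps. Bit values constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define CAP_NET_BIND (1u << 0)
#define CAP_RAW_IO   (1u << 1)
#define CAP_SYS_TIME (1u << 2)

struct task {
    unsigned uid, euid;
    uint32_t cap_effective; /* capabilities the program requested and holds */
    uint32_t cap_dirty;     /* capabilities a check has actually granted */
};

/* Capability check that records use: a granted check marks the bit dirty. */
static int capable_mark(struct task *p, uint32_t cap)
{
    if (!(p->cap_effective & cap))
        return 0;
    p->cap_dirty |= cap;
    return 1;
}

/* Read rule from the message: other users are refused, and the value
 * reads as zero while p->euid != p->uid. */
static int read_cap_dirty(unsigned reader_uid, const struct task *p, uint32_t *out)
{
    if (reader_uid != p->uid)
        return -EACCES;
    *out = (p->euid != p->uid) ? 0 : p->cap_dirty;
    return 0;
}

/* Capabilities held but never exercised: candidates to stop requesting. */
static uint32_t unused_caps(const struct task *p)
{
    return p->cap_effective & ~p->cap_dirty;
}

int main(void)
{
    struct task t = { 1000, 1000, CAP_NET_BIND | CAP_RAW_IO, 0 };
    uint32_t seen = 0;
    capable_mark(&t, CAP_RAW_IO);
    int rc = read_cap_dirty(t.uid, &t, &seen);
    printf("rc=%d dirty=%#x unused=%#x\n", rc, (unsigned)seen, (unsigned)unused_caps(&t));
    return 0;
}
```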
