Re: security capabilities on filesystems

From: Lukasz Stelmach
Date: Sun Jan 29 2006 - 19:32:34 EST


Peter Gordon wrote:

>>I've poke around for some information but all I got (was this lousy t-shirt)
>>that there is no support for capablities stored on a filesystem. However, I'd
>>like to ask if there are any chances to see this feature soon.
>
> What do you mean exactly? Ext2 (and its journalled cousin, Ext3; I'm
> not certain of other filesystems) can both store POSIX-style Access
> Control Lists (ACLs) and SELinux labeling as part of the inode
> metadata.

Reiserfs, xfs and jfs too.

Yet they all can't store, or I don't know how to set it up, POSIX
capabilities for executables. Those like CAP_NET_RAW or CAP_SYS_RAWIO.
The former is useful for ping the latter (was?) for X11. I know that this
functionality can be achived with SELinux but it's to havy-weight for me.
I'd rather implement BSD seclevels and capabilities.

> Hope this helps.

I am afraid no :-(

Bye.
--
ByÅo mi bardzo miÅo. Czwarta pospolita klÄska, [...]
>Åukasz< JuÅ nie katolicka lecz zÅodziejska. (c)PP

Attachment: signature.asc
Description: OpenPGP digital signature