Re: [PATCH 3/4] security: capabilities patch (version 0.4.4), part 3/4: introduce new capabilities
From: David Madore
Date: Sun Sep 17 2006 - 17:16:36 EST
On Sun, Sep 17, 2006 at 04:39:16PM -0400, Joshua Brindle wrote:
> The benefits of this are so minuscule and the cost is so high if you are
> ever to use it that it simply won't happen..
I'm withdrawing that patch anyway, in favor of a LSM-style approach,
the "cuppabilities" module (cf. the patch I posted a couple of hours
ago with that word in the title, and I'll be posting a new version in
a day or so, or cf. <URL:
http://www.madore.org/~david/linux/cuppabilities/
>). In this case, the relative cost will be lower since the
security_ops->inode_permission() hook is called no matter what.
But I agree that the value of restricting open() is very dubious and
it was intended mostly as a demonstration. So if there is strong
opposition to this sort of thing, I'll remove it.
Happy hacking,
--
David A. Madore
(david.madore@xxxxxx,
http://www.madore.org/~david/ )
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/