Re: RFC: disablenetwork facility. (v4)

From: Eric W. Biederman
Date: Tue Dec 29 2009 - 15:57:04 EST

Next message: Vikram Dhillon: "Re: what's the purpose of MAXHOSTNAMELEN?"
Previous message: Emese Revfy: "Re: [PATCH 1/1] Constify struct kset_uevent_ops for 2.6.33-rc2"
In reply to: Bryan Donlan: "Re: RFC: disablenetwork facility. (v4)"
Next in thread: Serge E. Hallyn: "Re: RFC: disablenetwork facility. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bryan Donlan <bdonlan@xxxxxxxxx> writes:

> It's probably reasonable to require that real == effective == saved ==
> fs UID (and same for GID); anything else brings up sticky issues of
> "which UID is a higher capability?"
> If a process does this call, it's effectively saying that the only way
> it's going to be accessing resources beyond its current UID and
> capabilities is by talking to another process over a (unix domain)
> socket.

Makes sense. Especially for the initial implementation,
and it keeps the code size small.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vikram Dhillon: "Re: what's the purpose of MAXHOSTNAMELEN?"
Previous message: Emese Revfy: "Re: [PATCH 1/1] Constify struct kset_uevent_ops for 2.6.33-rc2"
In reply to: Bryan Donlan: "Re: RFC: disablenetwork facility. (v4)"
Next in thread: Serge E. Hallyn: "Re: RFC: disablenetwork facility. (v4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]