Re: [RFC][PATCH] Unprivileged: Disable acquisition of privileges

From: Eric W. Biederman
Date: Tue Dec 29 2009 - 23:33:21 EST

Next message: Dmitry Torokhov: "Re: [PATCH]drivers/input/mouse/hgpk.c:430 unused variable 'dev'"
Previous message: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
In reply to: Bryan Donlan: "Re: [RFC][PATCH] Unprivileged: Disable acquisition of privileges"
Next in thread: Bryan Donlan: "Re: [RFC][PATCH] Unprivileged: Disable acquisition of privileges"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bryan Donlan <bdonlan@xxxxxxxxx> writes:

> Is this sufficient for other security models such as selinux or
> TOMOYO? Can processes in these models gain privileges through means
> not restricted here?

The LSM is primarily about returning -EPERM more often.
Except for the prctl and the capability hooks I am not aware
of anywhere a LSM can increase a processes capabilities.

> Also, perhaps there should be a corresponding GET prctl?

Probably for the final version.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dmitry Torokhov: "Re: [PATCH]drivers/input/mouse/hgpk.c:430 unused variable 'dev'"
Previous message: Eric W. Biederman: "Re: RFC: disablenetwork facility. (v4)"
In reply to: Bryan Donlan: "Re: [RFC][PATCH] Unprivileged: Disable acquisition of privileges"
Next in thread: Bryan Donlan: "Re: [RFC][PATCH] Unprivileged: Disable acquisition of privileges"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]