Re: [PATCH v3 11/11] smack: documentation for the Smack namespace
From: Lukasz Pawelczyk
Date: Wed Jul 29 2015 - 12:24:13 EST
On Wed, Jul 29, 2015 at 6:13 PM, Lukasz Pawelczyk <havner@xxxxxxxxx> wrote:
> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace).
Ok, maybe the part in the brackets is an overstatement. Mostly with
namespaces you create a full abstraction of some object and give user
priviledges to that object (e.g. uts structure, network interfaces,
with UTS and NET namespaces, etc). This is rather not possible with
Smack, as being a security module it has to retain its core security
paradigm. It cannot be a separate LSM within a host LSM (remember the
part about changing process own label and changing any other object
label, mostly a file). So Smack namespace really as I see it has big
analogy to user namespace. You cannot abstract UIDs completely in a
namespace as those UIDs do live in a host as well. If you want to have
some capabilities over them, admin has to agree to that explicitly.
Thanks,
Lukasz
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/