lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 3 Nov 2006 14:47:06 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Stephen Smalley <sds@...ho.nsa.gov>
Cc:	"Serge E. Hallyn" <serue@...ibm.com>,
	20060906182719.GB24670@...gelap.austin.ibm.com,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] security: introduce fs caps

Quoting Stephen Smalley (sds@...ho.nsa.gov):
> On Fri, 2006-11-03 at 14:00 -0600, Serge E. Hallyn wrote:
> > Quoting chris friedhoff (chris@...edhoff.org):
> > > The patch applies cleanly , compiles and runs smoothly against 2.6.18.1.
> > > 
> > > I'm running slackware-current with a 2.6.18.1 kernel on an ext3
> > > filesystem.
> > > 
> > > Background why I use the patch:
> > > With 2.6.18 to create a tuntap interface CAP_NET_ADMIN is required.
> > > Qemu uses tuntap to create a tap interface as a virtual net interface.
> > > Instead now running qemu with root privileges to give it the right
> > > to create a tap interface, i granted qemu with the help of the patch and
> > > Kaigai Kohei's userspace tools the cap-net_admin capability. So qemu
> > > runs again without root privilege but has now the right to create the
> > > tap interface.
> > > 
> > > Thanks for the patch. It reduces my the need of suid-bit progs.
> > > It should be given a spin in -mm.
> > 
> > One question is, if this were to be tested in -mm, do we want to keep
> > this mutually exclusive from selinux through config, or should selinux
> > stack on top of this?
> 
> Given that SELinux already stacks with capability and you aren't using
> the security fields (last I looked), it would seem trivial to enable
> stacking with fscaps (just add a few secondary_ops calls to the SELinux
> hooks, right?).

Yup, I just wasn't sure if there would be actual objections to the idea
of enabling both at once.

I'll send out a patch - just as soon as I figure out where I left the
src to begin with :)

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ