| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6599ad830803151757n1901db95tad78d11761e2cb92@mail.gmail.com> Date: Sun, 16 Mar 2008 08:57:36 +0800 From: "Paul Menage" <menage@...gle.com> To: "Serge E. Hallyn" <serue@...ibm.com> Cc: lkml <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, "Greg KH" <greg@...ah.com>, "Stephen Smalley" <sds@...ch.ncsc.mil>, "Casey Schaufler" <casey@...aufler-ca.com>, "Pavel Emelianov" <xemul@...nvz.org> Subject: Re: [RFC] cgroups: implement device whitelist lsm (v2) On Fri, Mar 14, 2008 at 10:35 PM, Serge E. Hallyn <serue@...ibm.com> wrote: > > > Why aren't the > > existing cgroup security semantics sufficient? > > Because the point of this is to provide some restrictions to otherwise > privileged users, and cgroups only provides dac-based permissions. > > But that doesn't mean that I'm not doing too much. I could just add a > CAP_SYS_ADMIN or CAP_CONT_OVERRIDE+CAP_SYS_ADMIN check, and not restrict > which cgroups a task can move to. Does that sound good? Sounds reasonable. Paul -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists