Date:	Sat, 16 Jan 2010 20:58:27 -0800
From:	"Andrew G. Morgan" <>
To:	Michael Stone <>
	Andi Kleen <>, David Lang <>,
	Oliver Hartkopp <>,
	Alan Cox <>,
	Herbert Xu <>,
	Valdis Kletnieks <>,
	Bryan Donlan <>,
	Evgeniy Polyakov <>,
	"C. Scott Ananian" <>,
	James Morris <>,
	"Eric W. Biederman" <>,
	Bernie Innocenti <>,
	Mark Seaborn <>,
	Randy Dunlap <>,
	Américo Wang <>,
	Tetsuo Handa <>,
	Samir Bellabes <>,
	Casey Schaufler <>,
	"Serge E. Hallyn" <>, Pavel Machek <>,
	Al Viro <>,
	Kyle Moffett <>
Subject: Re: disablenetwork (v5): Require CAP_SETPCAP to enable

On Sat, Jan 16, 2010 at 8:48 PM, Michael Stone <> wrote:
> Andrew Morgan wrote:
>> Please use CAP_NET_ADMIN for this feature (and add the corresponding
>> comment in include/linux/capabilities.h).
> Sure.
> However, to make sure I understand the purpose of the adjustment, would you
> mind saying a word or two about what considerations cause you to recommend
> CAP_NET_ADMIN instead of (or in addition to?) CAP_SETPCAP?

If you take a look at the capabilities.h file, you'll see that each of
the capabilities is preceded by an explanation of what privilege it

CAP_SETPCAP refers to privileged manipulation of capabilities
(permission to violate the normal capability rules) and nothing to do
with the network.

You are adding something akin to a per-process tree firewall setting -
deny/enable network access to this process. I think you'll agree that
the CAP_NET_ADMIN description is a much better match for this.



> Thanks for your feedback,
> Michael
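The thread above settles which capability should gate a per-process-tree "disable network" switch: CAP_NET_ADMIN, because the operation is network administration, not manipulation of the capability rules themselves (CAP_SETPCAP). The following is an added example, not code from the disablenetwork patch or from anyone in the thread. It shows what that policy looks like as a check in user space: parse the effective capability set in the text form that /proc/<pid>/status uses ("CapEff:" followed by a hex mask), test the CAP_NET_ADMIN bit, and notice that a process holding only CAP_SETPCAP is refused. The capability numbers come from the kernel's capability.h (CAP_SETPCAP is 8, CAP_NET_ADMIN is 12); the status excerpts are constructed, and the function names are this example's own.

```c
/* Added example (not from the thread): decide whether a process may flip a
 * per-process-tree "disable network" setting by checking its effective
 * capability set for CAP_NET_ADMIN, the capability recommended above.
 * The set is read in the text form /proc/<pid>/status uses
 * ("CapEff:\t<16 hex digits>"); the sample status text below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in include/linux/capability.h. */
#define CAP_SETPCAP    8
#define CAP_NET_ADMIN 12

/* Pull the CapEff: mask out of /proc/<pid>/status text.
 * Returns 1 and stores the 64-bit mask on success, 0 if the line is
 * missing or does not parse as hex. */
static int parse_cap_eff(const char *status_text, uint64_t *mask_out)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    *mask_out = (uint64_t)v;
    return 1;
}

/* Same test the kernel's cap_raised() performs: is bit `cap` set? */
static int has_cap(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Policy from the thread: denying/enabling network access for a process
 * tree is network administration, so it requires CAP_NET_ADMIN.
 * CAP_SETPCAP on its own is deliberately not enough. */
static int may_disable_network(const char *status_text)
{
    uint64_t eff;
    if (!parse_cap_eff(status_text, &eff))
        return 0;                      /* unreadable set: fail closed */
    return has_cap(eff, CAP_NET_ADMIN);
}

/* Constructed /proc status excerpts; only the capability lines matter. */
static const char *STATUS_FULL_CAPS =
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n";
static const char *STATUS_SETPCAP_ONLY =
    "Name:\tfoo\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000100\n"
    "CapEff:\t0000000000000100\n";    /* bit 8 only: CAP_SETPCAP */
static const char *STATUS_NET_ADMIN_ONLY =
    "Name:\tbar\nCapEff:\t0000000000001000\n"; /* bit 12 only: CAP_NET_ADMIN */

int main(void)
{
    /* On Linux, also evaluate the running process itself. */
    char buf[4096] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        printf("this process may disable network: %s\n",
               may_disable_network(buf) ? "yes" : "no");
    }
    printf("CAP_SETPCAP-only process may disable network: %s\n",
           may_disable_network(STATUS_SETPCAP_ONLY) ? "yes" : "no");
    printf("CAP_NET_ADMIN-only process may disable network: %s\n",
           may_disable_network(STATUS_NET_ADMIN_ONLY) ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user the live check prints "no"; run under a capability-aware tool that grants only CAP_NET_ADMIN it prints "yes". The constructed cases make the point of the thread directly: the bit CAP_SETPCAP sets (8) and the bit CAP_NET_ADMIN sets (12) are unrelated, so a check keyed on the wrong one either denies legitimate network administrators or lets a process with privileged capability-manipulation rights, but no network authority, flip the switch.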