| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jul 2015 18:24:03 +0200 From: Lukasz Pawelczyk <havner@...il.com> To: "Serge E. Hallyn" <serge@...lyn.com> Cc: Lukasz Pawelczyk <l.pawelczyk@...sung.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, Al Viro <viro@...iv.linux.org.uk>, Alexey Dobriyan <adobriyan@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, David Howells <dhowells@...hat.com>, Eric Dumazet <edumazet@...gle.com>, Eric Paris <eparis@...isplace.org>, Fabian Frederick <fabf@...net.be>, Greg KH <gregkh@...uxfoundation.org>, James Morris <james.l.morris@...cle.com>, Jiri Slaby <jslaby@...e.com>, Joe Perches <joe@...ches.com>, John Johansen <john.johansen@...onical.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Mauro Carvalho Chehab <mchehab@....samsung.com>, NeilBrown <neilb@...e.de>, Oleg Nesterov <oleg@...hat.com>, Paul Moore <paul@...l-moore.com>, Stephen Smalley <sds@...ho.nsa.gov>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Zefan Li <lizefan@...wei.com>, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov Subject: Re: [PATCH v3 11/11] smack: documentation for the Smack namespace On Wed, Jul 29, 2015 at 6:13 PM, Lukasz Pawelczyk <havner@...il.com> wrote: > With this namespace you delegate part of CAP_MAC_ADMIN privilege to an > unprivileged user (as with any other namespace). Ok, maybe the part in the brackets is an overstatement. Mostly with namespaces you create a full abstraction of some object and give user priviledges to that object (e.g. uts structure, network interfaces, with UTS and NET namespaces, etc). This is rather not possible with Smack, as being a security module it has to retain its core security paradigm. It cannot be a separate LSM within a host LSM (remember the part about changing process own label and changing any other object label, mostly a file). So Smack namespace really as I see it has big analogy to user namespace. You cannot abstract UIDs completely in a namespace as those UIDs do live in a host as well. If you want to have some capabilities over them, admin has to agree to that explicitly. Thanks, Lukasz -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists