| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170726030007.GA10087@mail.hallyn.com>
Date: Tue, 25 Jul 2017 22:00:07 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
Stefan Berger <stefanb@...ux.vnet.ibm.com>,
Mimi Zohar <zohar@...ibm.com>, Theodore Ts'o <tytso@....edu>,
containers@...ts.linux-foundation.org, lkp@...org,
linux-kernel@...r.kernel.org, tycho@...ker.com,
James.Bottomley@...senPartnership.com, vgoyal@...hat.com,
christian.brauner@...lbox.org, amir73il@...il.com,
linux-security-module@...r.kernel.org, casey@...aufler-ca.com
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
> On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> > Which brings us to the semantic question of would it be nice to have
> > stacked IMA/EVM on the same file.
> >
> > I really don't think we do. I think allowing multiple keys for
> > different part of trusting files is easy enough that we should have no
> > need to fight over which keys do which.
>
> We definitely want to support different policies on the native and in
> the namespace with different keys and keyrings.
Ok, so Stefan's code to support userspace in a container reading
security.ima and getting back the value for security.ima@...=1000
(if 1000 is the kuid of the container's root user) is in fact
useful to IMA?
Powered by blists - more mailing lists