Date:   Sat, 2 Sep 2017 08:31:05 +0200
From:   Djalal Harouni <>
To:     Kees Cook <>
Cc:     "Serge E. Hallyn" <>,
        Rusty Russell <>,
        "David S . Miller" <>,
        Jessica Yu <>,
        LKML <>,
        Network Development <>,
        linux-security-module <>,
        Andy Lutomirski <>,
        Andrew Morton <>,
        James Morris <>,
        Paul Moore <>,
        Stephen Smalley <>,
        Greg Kroah-Hartman <>,
        Tetsuo Handa <>,
        Ingo Molnar <>,
        Linux API <>,
        Dongsu Park <>,
        Casey Schaufler <>,
        Jonathan Corbet <>,
        Arnaldo Carvalho de Melo <>,
        Mauro Carvalho Chehab <>,
        Peter Zijlstra <>,
        Zendyani <>,
        Al Viro <>,
        Ben Hutchings <>
Subject: Re: [PATCH v4 next 1/3] modules:capabilities: allow
 __request_module() to take a capability argument

Hi Kees,

On Thu, Jun 1, 2017 at 9:10 PM, Kees Cook <> wrote:
> On Thu, Jun 1, 2017 at 7:56 AM, Djalal Harouni <> wrote:
>> BTW Kees, also in next version I won't remove the
>> capable(CAP_NET_ADMIN) check from [1]
>> even if there is the new request_module_cap(), I would like it to be
>> in different patches, this way we go incremental
>> and maybe it is better to merge what we have now? And follow up
>> later, and of course if other maintainers agree too!
> Yes, incremental. I would suggest first creating the API changes to
> move a basic require_cap test into the LSM (which would drop the
> open-coded capable() checks in the net code), and then add the
> autoload logic in the following patches. That way the "infrastructure"
> changes happen separately and do not change any behaviors, but move
> the caps test down where it's wanted in the LSM, before then augmenting
> the logic.
>> I just need a bit of free time to check again everything and will send
>> a v5 with all requested changes.
> Great, thank you!

So sorry, I was busy these last months. I picked it up again and will send v5
after the merge window.

Kees, I am looking for a way to integrate a test for it. Should we use
something like the example here [1], or maybe something else? And which
module to use?

I still did not sort this out, if anyone has some suggestions, thank
you in advance!


