Re: "Default Linux Capabilities" default in 2.6.24

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: James Morris <jmorris@...>

Cc: Matt LaPlante <kernel1@...>, <linux-kernel@...>, <linux-security-module@...>

Subject: Re: "Default Linux Capabilities" default in 2.6.24

Date: Tuesday, January 29, 2008 - 9:08 am

Quoting James Morris (jmorris@namei.org):
quoted text> On Mon, 28 Jan 2008, Matt LaPlante wrote:
> 
> > On Thu, 24 Jan 2008 19:12:01 -0600
> > Matt LaPlante <kernel1@cyberdogtech.com> wrote:
> > 
> > > 
> > > I'm doing a make oldconfig with the new 2.6.24 kernel.  I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > 
> > > ---
> > >  Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > ---
> > > 
> > > However the help text recommends saying Yes.
> > > 
> > > ---
> > >  This enables the "default" Linux capabilities functionality.
> > >  If you are unsure how to answer this question, answer Y.
> > > ---
> > > 
> > > Does this seem incongruous?  Also, what's the "question"? :)
> > > 
> > > Thanks, 
> > > Matt LaPlante
> > 
> > Anyone?
> 
> I think this should be default y.

True, it was made the default when CONFIG_SECURITY=n a few years ago,
and switching it off when toggling CONFIG_SECURITY is probably unsafe
for unsuspecting users/testers.

Thanks Matt.

-serge

From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
From: sergeh@us.ibm.com <hallyn@kernel.(none)>
Date: Tue, 29 Jan 2008 05:04:43 -0800
Subject: [PATCH 1/1] security: compile capabilities by default

Capabilities have long been the default when CONFIG_SECURITY=n,
and its help text suggests turning it on when CONFIG_SECURITY=y.
But it is set to default n.

Default it to y instead.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
 security/Kconfig |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig
index 8086e61..389e151 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
 config SECURITY_CAPABILITIES
 	bool "Default Linux Capabilities"
 	depends on SECURITY
+	default y
 	help
 	  This enables the "default" Linux capabilities functionality.
 	  If you are unsure how to answer this question, answer Y.
-- 
1.5.1

--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

"Default Linux Capabilities" default in 2.6.24, Matt LaPlante, (Thu Jan 24, 9:12 pm)

Re: "Default Linux Capabilities" default in 2.6.24, Matt LaPlante, (Mon Jan 28, 10:10 pm)

Re: "Default Linux Capabilities" default in 2.6.24, James Morris, (Mon Jan 28, 10:48 pm)

Re: "Default Linux Capabilities" default in 2.6.24, Serge E. Hallyn, (Tue Jan 29, 9:08 am)

Re: "Default Linux Capabilities" default in 2.6.24, Matt LaPlante, (Tue Jan 29, 12:44 pm)


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
david	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Eric Paris	[RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
Linus Torvalds	Linux 2.6.25-rc4
git:

linux-netdev:
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 13/37] dccp: Deprecate Ack Ratio sysctl
Vladimir Ivashchenko	Re: HTB accuracy for high speed
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
openbsd-misc:

Re: "Default Linux Capabilities" default in 2.6.24

Online users