On Sat, Aug 15, 2009 at 12:22 PM, Andrew G. Morgan<morgan@kernel.org> wrote:
Hrm I know that was more of the intent of POSIX file capabilities
(AFAICT), but I was under the impression that the full picture of
capabilities in linux were more about moving away from a default-on,
binary superuser privilege policy. But you'd know what your intentions
were better than me :)
I was hoping that a process inheritance approach wouldn't be considered
the same as root inheritance is now. It operates with the same
granularity as the file-based approach except that it allows these
lesser privilege sets to be limited in time for a binary. E.g.,
it'd be nice if pulseaudio could be started with privileges only at,
let's say, login-time for a user and not when a remote attacker needs to
bypass mmap_min_addr.
That's a perfectly nice workaround (especially since it'd be easy enough
to pair with some symlinks), but I am interested in both issues --
xattr-less filesystems and the inflexibility of filesystem-based
security policy.
If the patch (and my intentions) are irreconcilably at odds with the
capability system (and securebits) goals, then I can definitely evaluate
other avenues as well as revisit the underpinnings of my plans. I was
just hoping that this would fit in under the current umbrella (e.g., like
the other root-to-capability-mode transition fixups).
If it's a hopeless case, please let me know! However, I'm happy to
make any number of changes if something like this is feasible.
thanks!
will
--
