[PATCH 0/3] Enable namespaced file capabilities
Serge E. Hallyn
serge at hallyn.com
Fri Jun 23 17:01:08 UTC 2017
Quoting Casey Schaufler (casey at schaufler-ca.com):
> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey at schaufler-ca.com):
> >> Or maybe just security.ns.capability, taking James' comment into account.
> > That last one may be suitable as an option, useful for his particular
> > (somewhat barbaric :) use case, but it's not ok for the general solution.
>
> security.ns at uid=100.capability
I'm ok with this. It gives protection from older kernels, and puts
the 'ns at uid=' at predictable locations for security and trusted.
> It makes the namespace part explicit and separate from
> the rest of the attribute name. It also generalizes for
> other attributes.
>
> security.ns at uid=1000 at smack=WestOfOne.SMACK64
Looks good to me.
Do we want to say that '.' ends the attribute list? That of
course means '.' cannot be in the attributes. Perhaps end
with '@@' instead? Just a thought.
What do others think?
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list