Re: [RFC] cgroups: implement device whitelist lsm (v2)

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Paul Menage

Subject: Re: [RFC] cgroups: implement device whitelist lsm (v2)

Date: Saturday, March 15, 2008 - 5:57 pm

On Fri, Mar 14, 2008 at 10:35 PM, Serge E. Hallyn <serue@us.ibm.com> wrote:
quoted text>
>  > Why aren't the
>  > existing cgroup security semantics sufficient?
>
>  Because the point of this is to provide some restrictions to otherwise
>  privileged users, and cgroups only provides dac-based permissions.
>
>  But that doesn't mean that I'm not doing too much.  I could just add a
>  CAP_SYS_ADMIN or CAP_CONT_OVERRIDE+CAP_SYS_ADMIN check, and not restrict
>  which cgroups a task can move to.  Does that sound good?

Sounds reasonable.

Paul
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Wed Mar 12, 8:27 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), James Morris, (Thu Mar 13, 2:25 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Thu Mar 13, 6:18 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), James Morris, (Thu Mar 13, 6:50 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Thu Mar 13, 7:38 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), James Morris, (Thu Mar 13, 3:27 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Thu Mar 13, 3:46 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), James Morris, (Thu Mar 13, 4:49 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Thu Mar 13, 6:41 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Casey Schaufler, (Thu Mar 13, 7:51 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Greg KH, (Thu Mar 13, 9:47 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Fri Mar 14, 2:16 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Fri Mar 14, 2:18 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Pavel Emelyanov, (Fri Mar 14, 2:28 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 6:54 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 6:58 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Pavel Emelyanov, (Fri Mar 14, 6:58 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 7:00 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Pavel Emelyanov, (Fri Mar 14, 7:05 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 7:05 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Fri Mar 14, 7:12 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Fri Mar 14, 7:15 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 7:35 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 7:37 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 7:42 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Pavel Emelyanov, (Fri Mar 14, 8:07 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Serge E. Hallyn, (Fri Mar 14, 8:45 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Pavel Emelyanov, (Fri Mar 14, 8:54 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Stephen Smalley, (Fri Mar 14, 9:57 am)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Sat Mar 15, 5:57 pm)

Re: [RFC] cgroups: implement device whitelist lsm (v2), Paul Menage, (Sat Mar 15, 5:59 pm)

Navigation

Popular discussions


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git: