OpenVZ Forum


Re: [PATCH 2/2] capabilities: introduce per-process capability bounding set (v7) [message #23452 is a reply to message #23451] Sat, 17 November 2007 04:22
Andrew Morgan

Serge E. Hallyn wrote:
>> I also think we should use CAP_SETPCAP for the privilege of manipulating
>> the bounding set. In many ways irrevocably removing a permission
>> requires the same level of due care as adding one (to pI).
> 
> Aside from being heavy-handed, it also means that we are restricting the 
> use of per-process capability bounding sets to kernels with file
> capabilities compiled in, right?  Are we ok with that?
> 

I am. :-)

Cheers

Andrew
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
 