Re: [PATCH 5/9] Make use of permissions, returned by kobj_lookup
From: Casey Schaufler
Date: Fri Mar 07 2008 - 15:57:53 EST
--- Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On Fri, 2008-03-07 at 12:30 -0600, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (casey@xxxxxxxxxxxxxxxx):
> > >
> > > --- "Serge E. Hallyn" <serue@xxxxxxxxxx> wrote:
> > >
> > > > ...
> > > >
> > > > Until user namespaces are complete, selinux seems the only good
> solution
> > > > to offer isolation.
> > >
> > > Smack does it better and cheaper. (Unless you define good==selinux)
> > > (insert smiley)
> >
> > Ah, thanks - I hadn't looked into it, but yes IIUC smack should
> > definately work. I'll have to give that a shot.
>
> Not if you want to confine uid 0. smack doesn't control capabilities,
> even the ones used to override it.
>
> So you'd have to at least configure your per-process bset and file caps
> rather carefully. And even then you have to watch out for things with
> CAP_MAC* or CAP_SETPCAP.
Shrug. As if getting 800,000 lines of policy definition
for a thousand applications completely correct is going to be easier.
Casey Schaufler
casey@xxxxxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/