[I'm sorry. I no longer follow discussion carefully. It is much too
much of it.]
> >> Precicely my point: PERL scripts (any scripts, come to that) can't
> >> be written to encode security capabilities within them in a secure
> >> way.
>
> > And binary executables can't either, for exactly the same reasons.
>
> Who's said they can? Your claim was that there's NOTHING related to
> capabilities that can be stored within the file itself, and I for one
> just don't believe that.
>
> As I made clear from the start, I believe that the ONLY security
> related capabilities that should be encoded in a file are those of the
> "I can't action my intended task without these capabilities, so refuse
> to run me if I can't be granted them" variety, which information MUST
> belong in the file itself - it makes no sense at all to put it
> anywhere else.
Why should not ELF executable be allowed to say "Well, I do not know
what I would do with RAW_PORT_ACCESS capability, so I do not want to
get that capability. Take it away from me". Every executable can say
this, btw, at beggining of main. I do not see why saying it in
executable headers is different.
Pavel
PS: And yes, it makes a difference because by putting it in headers
you can _check_ if it drops capability properly.
-- I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/