On Thu, 2007-10-25 at 17:41 -0700, Chris Wright wrote:
> * Casey Schaufler ([EMAIL PROTECTED]) wrote:
> > --- Chris Wright <[EMAIL PROTECTED]> wrote:
> > 
> > > * Serge E. Hallyn ([EMAIL PROTECTED]) wrote:
> > > > Here is a new version of the 64-bit capability patches I was supposed
> > > > to send last week I think.
> > > > 
> > > > This patch could stand alone without the 64-bit caps, but should
> > > > definitely not be applied anywhere until it has been better
> > > > reviewed.  It is the alternative to the patch removing the
> > > > capability type checking code.
> > > 
> > > How likely is > 64?
> > 
> > If the Granularity Gremlins get loose the answer is 100%.
> > DG/UX ended up with over 330.
> 
> Yeah, I think a few systems ended up with > 64.

I think the current Solaris and FreeBSD implementations support
extensible privilege sets, and that Solaris already has > 64.

> 
> > Fortunately the GGs have a playpen already in SELinux.
> > I suggest that the capabilities maintainer be very stingy
> > and refer anyone whose need isn't pretty obvious there.
> > This means that the folks who want to divide CAP_SYSADMIN
> > are going to be disappointed with what they get, but some
> > level of restraint is important.
> 
> Sure, I guess my point is, if we open up to 64, how quickly
> will we hit 65.  Perhaps a generic bitmask is better, and then
> we need a stricter type mode anyway.
-- 
Stephen Smalley
National Security Agency
