UidSEC LSM
This module extends the standard UN*X resource protection model adding
some features useful for untrusted multiuser systems
Current features
* Deny usage of dmesg to unprivileged users
* Hide processes of other users to unprivileged users (example: sam
can only see his
On Fri, 13 Jul 2007, Serge E. Hallyn wrote:
Finally, future format compatibility is reduced. If
a security.capability xattr is found with too new a version,
don't run the binary.
I wonder if the behavior of this should be configurable, so that the admin
can decide what to do here. She may
On Fri, 13 Jul 2007, Serge E. Hallyn wrote:
From 3549aced829f84237ddc3ccfa571b8a938cae173 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn [EMAIL PROTECTED]
Date: Fri, 13 Jul 2007 12:17:45 -0400
Subject: [PATCH 2/2] file capabilities: change fE to a bool
The fE was previously a full capset
Quoting James Morris ([EMAIL PROTECTED]):
On Fri, 13 Jul 2007, Serge E. Hallyn wrote:
Finally, future format compatibility is reduced. If
a security.capability xattr is found with too new a version,
don't run the binary.
I wonder if the behavior of this should be configurable, so that
Smack is the Simplified Mandatory Access Control Kernel.
Smack implements mandatory access control (MAC) using labels
attached to tasks and data containers, including files, SVIPC,
and other tasks. Smack is a kernel based scheme that requires
an absolute minimum of application support and a very