On Fri, Aug 26, 2005 at 02:00:56PM -0400, Stephen Smalley wrote:
> That makes capability part of the core kernel again, just like DAC,
> which means that you can never override a capability denial in your
> module. We sometimes want to override the capability implementation,
> not just apply further restrictions after it. cap_inode_setxattr and
> cap_inode_removexattr are examples; they prohibit any access to _all_

Right, the rationale behind cap_stack.c. Good point. I'd forgotten
that. I guess selective internal composition is the way to go.

Tony