Hi all,

I am implementing a network namespace bringing isolation at the IP layer. This namespace relies on the L2 namespaces, which give network device virtualization and socket isolation.

One of my concerns is to have the L3 network namespace lose its CAP_NET_ADMIN capability when it is spawned, because we want to forbid any kind of IP configuration. This behavior should work even if security is not configured in the kernel.

The proposed solution modifies the capable function. It is small, but with the drawback that new security modules have to take care of this.

The other solution is to modify the security_ops structure and add a specific function for checking cap_net_admin, which will do extra checking when the network namespace is configured. But that means replacing all CAP_NET_ADMIN capability checks in the network code with the new security function, and that impacts 70 files.
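The two options in the message above, modelled in userspace C as an added example; it is not the poster's patch or kernel code. `struct task`, `in_l3_netns`, `capable_central`, `security_ops_model` and the two call-site functions are hypothetical names chosen for illustration.

```c
#include <stdbool.h>

#define CAP_NET_ADMIN 12   /* value from <linux/capability.h> */
#define CAP_NET_RAW   13

/* Hypothetical model of a task: effective capability mask plus a flag
 * saying whether it lives in an L3 (IP-level) network namespace. */
struct task {
    unsigned long cap_effective;
    bool in_l3_netns;
};

static bool cap_raised(const struct task *t, int cap)
{
    return (t->cap_effective >> cap) & 1UL;
}

/* Option 1: the check sits in the central capable()-style function, so
 * every existing caller is covered without being changed. */
bool capable_central(const struct task *t, int cap)
{
    if (cap == CAP_NET_ADMIN && t->in_l3_netns)
        return false;
    return cap_raised(t, cap);
}

/* Option 2: a dedicated hook in a security_ops-style table. Only call
 * sites converted to the hook get the namespace check. */
struct security_ops_model {
    bool (*net_admin)(const struct task *t);
};

static bool netns_net_admin(const struct task *t)
{
    return !t->in_l3_netns && cap_raised(t, CAP_NET_ADMIN);
}

const struct security_ops_model ops_model = { .net_admin = netns_net_admin };

/* One call site converted to the hook, and one that was missed. */
bool set_ip_address_converted(const struct task *t)
{
    return ops_model.net_admin(t);
}

bool set_route_unconverted(const struct task *t)
{
    return cap_raised(t, CAP_NET_ADMIN);   /* plain capability test */
}
```

In this model a single unconverted call site still grants the operation inside the L3 namespace, which is why the second option has to touch every CAP_NET_ADMIN check in the network code.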
