On Thu, Sep 10, 2015 at 09:03:08AM -0500, Serge E. Hallyn wrote:
> On Thu, Sep 10, 2015 at 09:01:20AM -0500, Serge E. Hallyn wrote:
> > On Thu, Sep 10, 2015 at 02:51:28PM +0100, David Drysdale wrote:
> > > On Thu, Sep 10, 2015 at 2:43 PM, Serge E. Hallyn wrote:
> > > > On Tue, Sep 08, 2015 at 07:2
On Thu, Sep 10, 2015 at 09:01:20AM -0500, Serge E. Hallyn wrote:
> On Thu, Sep 10, 2015 at 02:51:28PM +0100, David Drysdale wrote:
> > On Thu, Sep 10, 2015 at 2:43 PM, Serge E. Hallyn wrote:
> > > On Tue, Sep 08, 2015 at 07:25:17PM -0500, Eric W. Biederman wrote:
> > >> Andy Lutomirski writes:
>
On Thu, Sep 10, 2015 at 02:51:28PM +0100, David Drysdale wrote:
> On Thu, Sep 10, 2015 at 2:43 PM, Serge E. Hallyn wrote:
> > On Tue, Sep 08, 2015 at 07:25:17PM -0500, Eric W. Biederman wrote:
> >> Andy Lutomirski writes:
> >>
> >> > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
> >> > wrot
On Thu, Sep 10, 2015 at 2:43 PM, Serge E. Hallyn wrote:
> On Tue, Sep 08, 2015 at 07:25:17PM -0500, Eric W. Biederman wrote:
>> Andy Lutomirski writes:
>>
>> > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
>> > wrote:
>>
>> >> Perhaps I had missed it but I don't recall capsicum being able t
On Tue, Sep 08, 2015 at 07:25:17PM -0500, Eric W. Biederman wrote:
> Andy Lutomirski writes:
>
> > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
> > wrote:
>
> >> Perhaps I had missed it but I don't recall capsicum being able to wrap
> >> things like reboot(2).
> >>
> >
> > Ah, so you want
On Wed, Sep 09, 2015 at 02:33:14PM -0500, Eric W. Biederman wrote:
...
> If I assume that anything file descriptor based will need another
> mechanism to filter what is allowed on a file descriptor, and as such
> will need a different mechanism (capsicum perhaps?). That handily
> reduces the pro
On Wed, Sep 09, 2015 at 06:27:06PM +0100, David Drysdale wrote:
> On Wed, Sep 9, 2015 at 1:25 AM, Eric W. Biederman
> wrote:
> > Andy Lutomirski writes:
> > > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
> > > wrote:
>
> (From this perspective, the limitation that seccomp-bpf programs onl
David Drysdale writes:
> On Wed, Sep 9, 2015 at 1:25 AM, Eric W. Biederman
> wrote:
>> Andy Lutomirski writes:
>> > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
>> > wrote:
>>
>> >> Perhaps I had missed it but I don't recall capsicum being able to wrap
>> >> things like reboot(2).
>> >>
On Wed, Sep 9, 2015 at 1:25 AM, Eric W. Biederman wrote:
> Andy Lutomirski writes:
> > On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
> > wrote:
>
> >> Perhaps I had missed it but I don't recall capsicum being able to wrap
> >> things like reboot(2).
> >>
> >
> > Ah, so you want to be able t
Andy Lutomirski writes:
> On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman
> wrote:
>> Perhaps I had missed it but I don't recall capsicum being able to wrap
>> things like reboot(2).
>>
>
> Ah, so you want to be able to grant BPF-defined capabilities :)
Pretty much.
Where I am focusing is
On Tue, Sep 8, 2015 at 4:07 PM, Eric W. Biederman wrote:
> Andy Lutomirski writes:
>
>> On Tue, Sep 8, 2015 at 3:35 PM, Eric W. Biederman
>> wrote:
>>>
>>> I was thinking a bit about the problem of allowing another process to
>>> perform a subset of what your process can perform, and it occurred
Andy Lutomirski writes:
> On Tue, Sep 8, 2015 at 3:35 PM, Eric W. Biederman
> wrote:
>>
>> I was thinking a bit about the problem of allowing another process to
>> perform a subset of what your process can perform, and it occurred to me
>> there might be something conceptually simple we can do.
On Tue, Sep 8, 2015 at 3:35 PM, Eric W. Biederman wrote:
>
> I was thinking a bit about the problem of allowing another process to
> perform a subset of what your process can perform, and it occurred to me
> there might be something conceptually simple we can do.
>
> Have a system call fsyscall tha
I was thinking a bit about the problem of allowing another process to
perform a subset of what your process can perform, and it occurred to me
there might be something conceptually simple we can do.
Have a system call fsyscall that takes a file descriptor, the system call
number and the parameters
14 matches