Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-05 Thread Andy Lutomirski
On Thu, May 4, 2017 at 6:07 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > [...] >>> >>> My point is that all of these need some way to handle configuration >>> and inheritance, and I don't think

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-05 Thread Djalal Harouni
Hi Serge, On Thu, May 4, 2017 at 4:58 PM, Serge E. Hallyn wrote: > On Thu, May 04, 2017 at 03:07:49PM +0200, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> > On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski >> > wrote: >> [...] >> >> >> >> My point is that

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-04 Thread Serge E. Hallyn
On Thu, May 04, 2017 at 03:07:49PM +0200, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: > > On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski > > wrote: > [...] > >> > >> My point is that all of these need some way to handle configuration > >> and inheritance,

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-04 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: [...] >> >> My point is that all of these need some way to handle configuration >> and inheritance, and I don't think that a bunch of per-task prctls is >> the right way. As just an

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-27 Thread Djalal Harouni
On Thu, Apr 27, 2017 at 4:07 AM, Rusty Russell wrote: > Djalal Harouni writes: >> Hi Rusty, >> >> On Mon, Apr 24, 2017 at 6:29 AM, Rusty Russell wrote: >>> Djalal Harouni writes: When value is (1), task must have CAP_SYS_MODULE to be able to trigger a module auto-load operation, or

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-26 Thread Rusty Russell
Djalal Harouni writes: > Hi Rusty, > > On Mon, Apr 24, 2017 at 6:29 AM, Rusty Russell wrote: >> Djalal Harouni writes: >>> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a >>> module auto-load operation, or CAP_NET_ADMIN for modules with a >>> 'netdev-%s' alias. >> >>

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-26 Thread Djalal Harouni
Hi Rusty, On Mon, Apr 24, 2017 at 6:29 AM, Rusty Russell wrote: > Djalal Harouni writes: >> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a >> module auto-load operation, or CAP_NET_ADMIN for modules with a >> 'netdev-%s' alias. > > Sorry, the magic 'netdev-' prefix is

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-24 Thread Djalal Harouni
On Mon, Apr 24, 2017 at 8:02 PM, Kees Cook wrote: > On Mon, Apr 24, 2017 at 7:25 AM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook wrote: >>> On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: > On

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-24 Thread Kees Cook
On Mon, Apr 24, 2017 at 7:25 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook wrote: >> On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: >>> On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: >

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-24 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook wrote: > On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: >> On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: >>> On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: >>> [...] >>> * DCCP use after free CVE-2017-6074 >>> * n_hdlc

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-23 Thread Rusty Russell
Djalal Harouni writes: > When value is (1), task must have CAP_SYS_MODULE to be able to trigger a > module auto-load operation, or CAP_NET_ADMIN for modules with a > 'netdev-%s' alias. Sorry, the magic 'netdev-' prefix is a crawling horror. To do this properly, you need to hand the capability

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-22 Thread Kees Cook
On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: > On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: >> [...] > I personally like my implicit_rights idea, and it might be interesting > to prototype it. I

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-22 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: > On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: >> On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: >>> On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: > On

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-22 Thread Andy Lutomirski
On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: > [...] I personally like my implicit_rights idea, and it might be interesting to prototype it. >>> >>> I don't like blocking a needed feature behind a large super-feature

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-22 Thread Andy Lutomirski
On Fri, Apr 21, 2017 at 5:13 PM, Casey Schaufler wrote: > On 4/21/2017 5:00 PM, Andy Lutomirski wrote: >> On Fri, Apr 21, 2017 at 4:52 PM, Casey Schaufler >> wrote: >>> On 4/21/2017 4:28 PM, Andy Lutomirski wrote: On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: > On Wed, Apr 19,

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 2:12 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: > [...] I personally like my implicit_rights idea, and it might be interesting to prototype it. >>> >>> I don't like blocking a needed feature behind a large super-feature

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Casey Schaufler
On 4/21/2017 5:00 PM, Andy Lutomirski wrote: > On Fri, Apr 21, 2017 at 4:52 PM, Casey Schaufler > wrote: >> On 4/21/2017 4:28 PM, Andy Lutomirski wrote: >>> On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: > On Wed, Apr 19, 2017

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: [...] >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> >> I don't like blocking a needed feature behind a large super-feature >> that doesn't exist yet. We'd be able to refactor this code

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Andy Lutomirski
On Fri, Apr 21, 2017 at 4:52 PM, Casey Schaufler wrote: > On 4/21/2017 4:28 PM, Andy Lutomirski wrote: >> On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: >>> On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: > On Wed, Apr 19,

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Casey Schaufler
On 4/21/2017 4:28 PM, Andy Lutomirski wrote: > On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: >> On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: >>> On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: > On Wed, Apr 19,

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Andy Lutomirski
On Fri, Apr 21, 2017 at 4:40 PM, Kees Cook wrote: > On Fri, Apr 21, 2017 at 4:28 PM, Andy Lutomirski wrote: >> On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: >>> On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: > On Wed, Apr

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Kees Cook
On Fri, Apr 21, 2017 at 4:28 PM, Andy Lutomirski wrote: > On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: >> On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: >>> On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: > On

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Andy Lutomirski
On Fri, Apr 21, 2017 at 4:19 PM, Kees Cook wrote: > On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: >> On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: >>> On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: > +/*

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Kees Cook
On Wed, Apr 19, 2017 at 7:41 PM, Andy Lutomirski wrote: > On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: >> On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: >>> On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: +/* Sets task's modules_autoload */ +static inline int

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Andy Lutomirski
On Wed, Apr 19, 2017 at 4:43 PM, Kees Cook wrote: > On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: >> On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: >>> +/* Sets task's modules_autoload */ >>> +static inline int task_set_modules_autoload(struct task_struct *task, >>> +

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread kbuild test robot
Hi Djalal, [auto build test ERROR on security/next] [also build test ERROR on next-20170419] [cannot apply to linus/master v4.11-rc7] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url:

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Kees Cook
On Wed, Apr 19, 2017 at 4:15 PM, Andy Lutomirski wrote: > On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: >> +/* Sets task's modules_autoload */ >> +static inline int task_set_modules_autoload(struct task_struct *task, >> + unsigned long value) >>

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Andy Lutomirski
On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: > Previous patches added the global "modules_autoload" restriction. This patch > makes it possible to support process trees, containers, and sandboxes by > providing an inherited per-task "modules_autoload" flag that cannot be > re-enabled

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Djalal Harouni
On Thu, Apr 20, 2017 at 12:20 AM, Djalal Harouni wrote: [...] > +/* Returns task's modules_autoload */ > +static inline void task_copy_modules_autoload(struct task_struct *dest, > + struct task_struct *src) > +{ > + dest->modules_autoload =