Serge E. Hallyn wrote:
Quoting Crispin Cowan ([EMAIL PROTECTED]):
I think that CAP_NS_OVERRIDE|CAP_SYS_PTRACE is a problem because of the
Oops, yeah I meant .
Cool. With then I have no problem at all.
Thanks,
Crispin
--
Crispin Cowan, Ph.D.
Quoting Crispin Cowan ([EMAIL PROTECTED]):
Serge E. Hallyn wrote:
Quoting Casey Schaufler ([EMAIL PROTECTED]):
Could y'all bring me up to speed on what this is intended to
accomplish so that I can understand the Smack implications?
It's basically like ptracing a process,
Serge E. Hallyn wrote:
Quoting Crispin Cowan ([EMAIL PROTECTED]):
Is there to be an LSM hook, so that modules can decide on an arbitrary
decision of whether to allow a hijack? So that this do the right
SELinux thing can be generalized for all LSMs to do the right thing.
Currently:
PROTECTED], Stephen Smalley [EMAIL PROTECTED], James Morris
[EMAIL PROTECTED], Serge E. Hallyn [EMAIL PROTECTED]
Subject: Re: [PATCH 2/2] hijack: update task_alloc_security
Date: 27/11/07 02:38
Mark Nelson wrote:
> Subject: [PATCH 2/2] hijack: update task_alloc_security
>
> Update
: update task_alloc_security
Date: 27/11/07 02:38
Mark Nelson wrote:
> Subject: [PATCH 2/2] hijack: update task_alloc_security
>
> Update task_alloc_security() to take the hijacked task as a second
> argument.
>
> For the selinux version, refuse permission if hijack_src
Serge E. Hallyn wrote:
Quoting Stephen Smalley ([EMAIL PROTECTED]):
I agree with this part - we don't want people to have to choose between
using containers and using selinux, so if hijack is going to be a
requirement for effective use of containers, then we need to make them
work
--- Mark Nelson [EMAIL PROTECTED] wrote:
Subject: [PATCH 2/2] hijack: update task_alloc_security
Update task_alloc_security() to take the hijacked task as a second
argument.
Could y'all bring me up to speed on what this is intended to
accomplish so that I can understand the Smack