On Thu, 2012-01-12 at 08:14 -0800, Andrew Lutomirski wrote: > The longer I linger on lists and see neat ideas like this, the more I > get annoyed that execve is magical. I dream of a distribution that > doesn't use setuid, file capabilities, selinux transitions on exec, or > any other privilege changes on exec *at all*. Is that the fear with filtering on execv? That if we have filters on an execv calling a setuid program that we change the behavior of that privileged program and might cause unexpected results? In that case, just have execv fail if filtering is enabled and we are execing a setuid program. But I don't see why non "magical" execv's should be prohibited. -- Steve -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html