On Thu, Jan 12, 2012 at 3:27 PM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote: > > It's a change of user context. Things like ptrace and file permissions > basically mean you can't build a barrier between stuff running as the > same uid to a great extent except with heavy restricting, but saying > "you can't become someone else" is very useful. Not just "someone else". The guarantee basically has to be "you can't change your security context". Where "become somebody else" is part of it, but any capability changes etc would be part of it too. So it should disable all games with capabilities etc. And I don't think selinux really should be all that much of a problem - we should just make sure that selinux would honor such a bit, and refuse to do any op that would change any selinux capabilities either. Same goes for other security models. And that may include restricting the ways a binary can be executed totally outside of suid/sgid bits. For example, if you consider binaries under /home to have different selinxu rules than system binaries in /usr/bin, then a cross-execute from one to the other may not work, regardless of whether it's suid or not. I think that is the kind of guarantee a sandbox environment really wants: "I'm setting up a sandbox, you'd better not change the permissions on me regardless of what crazy things I do". Linus -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html