On Thu, Jan 12, 2012 at 7:11 PM, Andrew Lutomirski <luto@xxxxxxx> wrote:
> (Also, preventing dropping of privileges will probably make a patch
> more complicated -- I'll have to find and update all the places that
> allow dropping privileges.)

An alternative approach might be that the restricted bit drops all
privileges that allow privilege changes in either direction. E.g.,

- set restricted bit
  -- adds a check anywhere MNT_NOSUID is
  -- sets securebits to SECURE_NOROOT|..LOCKED
  -- drops CAP_SETUID, CAP_DAC_OVERRIDE, ...
  -- sets the caps bounding set to the minimum the restricted bit allows

That may deviate from the intent (by re-using caps), but it could keep
some of the privilege transition checking code the same.

Just a thought,
will
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
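An added example, not code from this thread or from the patch under discussion: a userspace approximation of the restricted-bit semantics Will sketches, assembled from interfaces that already exist (prctl(2) for securebits and the bounding set, capset(2) for the per-thread capability sets). The MNT_NOSUID hook is kernel-internal and is not reproduced. CAP_SETUID and CAP_DAC_OVERRIDE come from the message; the rest of the capability list, and the extra locked bits beyond SECURE_NOROOT, are assumptions about what the "..." would cover.

```c
/* Added example (not from the linux-fsdevel thread): approximate the
 * "restricted bit" from userspace with securebits, bounding-set drops
 * and capset(2).  Requires CAP_SETPCAP; unprivileged callers get EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* Capabilities that let a task change its privilege in either direction.
 * CAP_SETUID and CAP_DAC_OVERRIDE are named in the thread; the others are
 * an assumption about what the "..." stands for. */
static const int restricted_drop_caps[] = {
    CAP_SETUID, CAP_SETGID, CAP_SETPCAP, CAP_SETFCAP,
    CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_CHOWN,
};
#define N_DROP (sizeof restricted_drop_caps / sizeof restricted_drop_caps[0])

/* 1 if cap is in the set the restricted bit would strip, else 0. */
int cap_in_restricted_set(int cap)
{
    for (size_t i = 0; i < N_DROP; i++)
        if (restricted_drop_caps[i] == cap)
            return 1;
    return 0;
}

/* Securebits for the restricted state: SECURE_NOROOT set and locked, as
 * in the thread.  Assumption: the keep-caps and no-setuid-fixup bits are
 * left clear but locked, so the task cannot opt into them later. */
uint32_t restricted_securebits(void)
{
    uint32_t bits = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
                    SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_KEEP_CAPS_LOCKED;
#ifdef SECBIT_NO_CAP_AMBIENT_RAISE   /* only on headers that know ambient caps */
    bits |= SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED;
#endif
    return bits;
}

/* Bits to clear in 32-bit capability word `word` (0 or 1) of capset(2). */
uint32_t restricted_drop_mask(int word)
{
    uint32_t m = 0;
    for (size_t i = 0; i < N_DROP; i++) {
        int cap = restricted_drop_caps[i];
        if (cap / 32 == word)
            m |= 1u << (cap % 32);
    }
    return m;
}

/* Apply the restricted state to the calling thread.  Order matters: the
 * securebits and bounding-set changes need CAP_SETPCAP, so they go first
 * and the capset() that discards CAP_SETPCAP itself goes last.
 * Returns 0 on success or -errno (an unprivileged caller gets -EPERM). */
int apply_restricted_bit(void)
{
    /* Step 1: set and lock the securebits. */
    if (prctl(PR_SET_SECUREBITS, (unsigned long)restricted_securebits(), 0, 0, 0) != 0)
        return -errno;

    /* Step 2: shrink the bounding set so these caps cannot be regained
     * across execve(), not even from a file with capability xattrs. */
    for (size_t i = 0; i < N_DROP; i++)
        if (prctl(PR_CAPBSET_DROP, (unsigned long)restricted_drop_caps[i], 0, 0, 0) != 0)
            return -errno;

    /* Step 3: drop them from the permitted, effective and inheritable sets. */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    for (int w = 0; w < 2; w++) {
        uint32_t drop = restricted_drop_mask(w);
        data[w].effective   &= ~drop;
        data[w].permitted   &= ~drop;
        data[w].inheritable &= ~drop;
    }
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int r = apply_restricted_bit();
    if (r != 0)
        printf("apply_restricted_bit: %s (CAP_SETPCAP needed)\n", strerror(-r));
    else
        printf("restricted: uid %u can no longer gain privilege via execve\n",
               (unsigned)getuid());
    return 0;
}
```

Once the call succeeds the state is per-thread and, because every bit is locked and CAP_SETPCAP is gone, cannot be undone by the task itself; a setuid-root binary run afterwards keeps the caller's uid and gains nothing, which is the "no privilege gain" half of the restriction. The cost Will mentions is visible here too: the restriction is expressed through capabilities rather than as a separate task flag, so a task that had no capabilities to begin with is only affected by the securebits. For the record, the mechanism that was eventually merged, PR_SET_NO_NEW_PRIVS in Linux 3.5, took the separate-flag route instead of re-using the capability machinery.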