Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Jan 13, 2012 at 12:05 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>
> I'm confused.  The patch does "no security context changes on execve".

So that's what I wanted and thought you did, but your comment:

  "With my patch, selinux can already block the execve if it wants"

is what I reacted to. The "selinux *can*" and the "if it wants" part
was what made my hackles rise.

If it is not about what selinux can and what selinux wants, I'm happy.
The security manager shouldn't have any choices in the matter. No
'can', no 'want'.

Your choice of words made me think your patch had left that door open.

                 Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux