Date: Sat, 21 Oct 2017 11:03:02 -0500
From: "Serge E. Hallyn" <>
To: Nicolas Belouin <>
Cc: Jan Kara <>, Theodore Ts'o <>,
	Andreas Dilger <>,
	Jaegeuk Kim <>, Chao Yu <>,
	David Woodhouse <>,
	Dave Kleikamp <>,
	Mark Fasheh <>, Joel Becker <>,
	Miklos Szeredi <>,
	Phillip Lougher <>,
	Richard Weinberger <>,
	Artem Bityutskiy <>,
	Adrian Hunter <>,
	Alexander Viro <>,
	Serge Hallyn <>, Paul Moore <>,
	Stephen Smalley <>,
	Eric Paris <>,
	James Morris <>
Subject: Re: [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED

Quoting Nicolas Belouin (
> with CAP_SYS_ADMIN being bloated, the usefulness of using it to
> flag a process to be entrusted for e.g. reading and writing trusted
> xattr is near zero.
> CAP_TRUSTED aims to provide userland with a way to mark a process as
> entrusted to do specific (not specially admin-centered) actions. It
> would for example allow a process to read/write the trusted xattrs.

You say "for example".  Are you intending to add more uses?  If so, what
are they?  If not, how about renaming it CAP_TRUSTED_XATTR?

What all does allowing writes to trusted xattrs give you?  There are
the overlayfs whiteouts, what else?
