ALT Linux kernel packages development
 help / color / mirror / Atom feed
From: "Vladimir D. Seleznev" <vseleznv@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH v5] AltHa: handle setcap binaries in the same way as setuid ones
Date: Mon, 30 May 2022 18:24:12 +0300
Message-ID: <YpThnBjF2iWo+aDW@portlab> (raw)
In-Reply-To: <20220530151125.yq4sncfwc5ns44jx@altlinux.org>

On Mon, May 30, 2022 at 06:11:25PM +0300, Vitaly Chikunov wrote:
> Vladimir,
> 
> On Mon, May 30, 2022 at 02:48:56PM +0300, Vladimir D. Seleznev wrote:
> > On Mon, May 23, 2022 at 01:44:04PM +0000, Vladimir D. Seleznev wrote:
> > > altha.nosuid facility controls what binaries can raise user privilleges.
> > > Prior to this commit it only handled setuid binaries, but it was still
> > > possible to raise privilleges via setcaps. Now it handles both setuid
> > > and setcap binaries.
> > > 
> > > Signed-off-by: Vladimir D. Seleznev <vseleznv@altlinux.org>
> > > ---
> > >  Documentation/admin-guide/LSM/AltHa.rst |  6 ++--
> > >  security/altha/Kconfig                  |  2 +-
> > >  security/altha/altha_lsm.c              | 47 ++++++++++++++++++++-----
> > >  3 files changed, 43 insertions(+), 12 deletions(-)
> > > 
> > 
> > Ping
> 
> What about tests?

I'm not ready to put efforts for tests at this moment. Please apply the
patch, the tests can be a future work for this module.

> ps. I also have additional thoughts about this protection concept itself.

-- 
   WBR,
   Vladimir D. Seleznev


  reply	other threads:[~2022-05-30 15:24 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-23 13:44 Vladimir D. Seleznev
2022-05-30 11:48 ` Vladimir D. Seleznev
2022-05-30 15:11   ` Vitaly Chikunov
2022-05-30 15:24     ` Vladimir D. Seleznev [this message]
2022-05-30 15:45       ` Dmitry V. Levin
2022-05-30 21:28         ` Vladimir D. Seleznev
2022-05-31  6:45           ` Dmitry V. Levin
2022-05-31 22:47             ` Vladimir D. Seleznev
2022-06-01  1:06               ` Vitaly Chikunov
2022-05-30 17:08 ` Andrey Savchenko
2022-05-30 21:29   ` Vladimir D. Seleznev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YpThnBjF2iWo+aDW@portlab \
    --to=vseleznv@altlinux.org \
    --cc=devel-kernel@lists.altlinux.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

ALT Linux kernel packages development

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
		devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
	public-inbox-index devel-kernel

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git