Capabilities/privileges and bounding sets

Robert Watson rwatson at FreeBSD.org
Sun Sep 17 20:49:11 GMT 2000


Andrew,

I've been thinking through some of the implementation details on bounding
sets and tend to agree with your conclusion that it is possible to
implement the required bounding exclusively through the X parameter in the
inheritance properties.  Right now, in my implementation I am providing a
cap_set_proc_mask(cap_t cap) call, which allows the setting of the process
mask, as I'm not currently including it in the base three flags for the
capability set.  I'm not entirely decided if this is the right means for
managing the inherited capability mask as yet; the other possibility we've
been thinking about is to add CAP_BOUND, a new flag for each capability,
indicating whether that capability is permitted according to the current
bound.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

