** On May 16, Peter Makholm scribbled:

> grendel@vip.net.pl (Marek Habersack) writes:
>
> > > - support for capabilities (see
>
> > Patches for ext2 support for capabilities on the 2.3 kernels can be found in
> > the Linux kernel archive
> > (ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.3/)
>
> linux-privs implements Posix Capabilities (the now given up posix 6 (I
> think) which is only a very restricted model of capabilities (if even
> that).

That's correct. Also, the limit to 32 capabilities (with 28 existing now) is
simply ridiculous.

> It hasn't very much to do with the capability concept a number of
> research OSes (including eros) work with. I think that real effective
> capability support would require a major rewrite of large part of the
> kernel. (VFS, VM, the view of processes in general)

I think the only problems right now are the size of the capability set, lack
of file system support (yes, in VFS) and lack of ability to dynamically
register/unregister capabilities. The capabilities are checked almost
everywhere in the kernel right now, so the infrastructure is there, but it's
faaaar from perfect.

marek