LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* "Default Linux Capabilities" default in 2.6.24
@ 2008-01-25 1:12 Matt LaPlante
2008-01-29 2:10 ` Matt LaPlante
0 siblings, 1 reply; 5+ messages in thread
From: Matt LaPlante @ 2008-01-25 1:12 UTC (permalink / raw)
To: linux-kernel
I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
---
Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
---
However the help text recommends saying Yes.
---
This enables the "default" Linux capabilities functionality.
If you are unsure how to answer this question, answer Y.
---
Does this seem incongruous? Also, what's the "question"? :)
Thanks,
Matt LaPlante
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: "Default Linux Capabilities" default in 2.6.24
2008-01-25 1:12 "Default Linux Capabilities" default in 2.6.24 Matt LaPlante
@ 2008-01-29 2:10 ` Matt LaPlante
2008-01-29 2:48 ` James Morris
0 siblings, 1 reply; 5+ messages in thread
From: Matt LaPlante @ 2008-01-29 2:10 UTC (permalink / raw)
To: linux-kernel
On Thu, 24 Jan 2008 19:12:01 -0600
Matt LaPlante <kernel1@cyberdogtech.com> wrote:
>
> I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
>
> ---
> Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> ---
>
> However the help text recommends saying Yes.
>
> ---
> This enables the "default" Linux capabilities functionality.
> If you are unsure how to answer this question, answer Y.
> ---
>
> Does this seem incongruous? Also, what's the "question"? :)
>
> Thanks,
> Matt LaPlante
Anyone?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: "Default Linux Capabilities" default in 2.6.24
2008-01-29 2:10 ` Matt LaPlante
@ 2008-01-29 2:48 ` James Morris
2008-01-29 13:08 ` Serge E. Hallyn
0 siblings, 1 reply; 5+ messages in thread
From: James Morris @ 2008-01-29 2:48 UTC (permalink / raw)
To: Matt LaPlante; +Cc: linux-kernel, linux-security-module
On Mon, 28 Jan 2008, Matt LaPlante wrote:
> On Thu, 24 Jan 2008 19:12:01 -0600
> Matt LaPlante <kernel1@cyberdogtech.com> wrote:
>
> >
> > I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
> >
> > ---
> > Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > ---
> >
> > However the help text recommends saying Yes.
> >
> > ---
> > This enables the "default" Linux capabilities functionality.
> > If you are unsure how to answer this question, answer Y.
> > ---
> >
> > Does this seem incongruous? Also, what's the "question"? :)
> >
> > Thanks,
> > Matt LaPlante
>
> Anyone?
I think this should be default y.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: "Default Linux Capabilities" default in 2.6.24
2008-01-29 2:48 ` James Morris
@ 2008-01-29 13:08 ` Serge E. Hallyn
2008-01-29 16:44 ` Matt LaPlante
0 siblings, 1 reply; 5+ messages in thread
From: Serge E. Hallyn @ 2008-01-29 13:08 UTC (permalink / raw)
To: James Morris; +Cc: Matt LaPlante, linux-kernel, linux-security-module
Quoting James Morris (jmorris@namei.org):
> On Mon, 28 Jan 2008, Matt LaPlante wrote:
>
> > On Thu, 24 Jan 2008 19:12:01 -0600
> > Matt LaPlante <kernel1@cyberdogtech.com> wrote:
> >
> > >
> > > I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > >
> > > ---
> > > Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > ---
> > >
> > > However the help text recommends saying Yes.
> > >
> > > ---
> > > This enables the "default" Linux capabilities functionality.
> > > If you are unsure how to answer this question, answer Y.
> > > ---
> > >
> > > Does this seem incongruous? Also, what's the "question"? :)
> > >
> > > Thanks,
> > > Matt LaPlante
> >
> > Anyone?
>
> I think this should be default y.
True, it was made the default when CONFIG_SECURITY=n a few years ago,
and switching it off when toggling CONFIG_SECURITY is probably unsafe
for unsuspecting users/testers.
Thanks Matt.
-serge
>From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
From: sergeh@us.ibm.com <hallyn@kernel.(none)>
Date: Tue, 29 Jan 2008 05:04:43 -0800
Subject: [PATCH 1/1] security: compile capabilities by default
Capabilities have long been the default when CONFIG_SECURITY=n,
and its help text suggests turning it on when CONFIG_SECURITY=y.
But it is set to default n.
Default it to y instead.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
security/Kconfig | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/security/Kconfig b/security/Kconfig
index 8086e61..389e151 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
config SECURITY_CAPABILITIES
bool "Default Linux Capabilities"
depends on SECURITY
+ default y
help
This enables the "default" Linux capabilities functionality.
If you are unsure how to answer this question, answer Y.
--
1.5.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: "Default Linux Capabilities" default in 2.6.24
2008-01-29 13:08 ` Serge E. Hallyn
@ 2008-01-29 16:44 ` Matt LaPlante
0 siblings, 0 replies; 5+ messages in thread
From: Matt LaPlante @ 2008-01-29 16:44 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: James Morris, linux-kernel, linux-security-module
On Tue, 29 Jan 2008 07:08:25 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:
> Quoting James Morris (jmorris@namei.org):
> > On Mon, 28 Jan 2008, Matt LaPlante wrote:
> >
> > > On Thu, 24 Jan 2008 19:12:01 -0600
> > > Matt LaPlante <kernel1@cyberdogtech.com> wrote:
> > >
> > > >
> > > > I'm doing a make oldconfig with the new 2.6.24 kernel. I came to the prompt for "Default Linux Capabilities" which defaults to No:
> > > >
> > > > ---
> > > > Default Linux Capabilities (SECURITY_CAPABILITIES) [N/y/?] (NEW) ?
> > > > ---
> > > >
> > > > However the help text recommends saying Yes.
> > > >
> > > > ---
> > > > This enables the "default" Linux capabilities functionality.
> > > > If you are unsure how to answer this question, answer Y.
> > > > ---
> > > >
> > > > Does this seem incongruous? Also, what's the "question"? :)
> > > >
> > > > Thanks,
> > > > Matt LaPlante
> > >
> > > Anyone?
> >
> > I think this should be default y.
>
> True, it was made the default when CONFIG_SECURITY=n a few years ago,
> and switching it off when toggling CONFIG_SECURITY is probably unsafe
> for unsuspecting users/testers.
>
> Thanks Matt.
>
> -serge
>
> From 0528f582de5534b972abddbb3294a3fb11435a21 Mon Sep 17 00:00:00 2001
> From: sergeh@us.ibm.com <hallyn@kernel.(none)>
> Date: Tue, 29 Jan 2008 05:04:43 -0800
> Subject: [PATCH 1/1] security: compile capabilities by default
>
> Capabilities have long been the default when CONFIG_SECURITY=n,
> and its help text suggests turning it on when CONFIG_SECURITY=y.
> But it is set to default n.
>
> Default it to y instead.
>
> Signed-off-by: Serge Hallyn <serue@us.ibm.com>
> ---
> security/Kconfig | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 8086e61..389e151 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -76,6 +76,7 @@ config SECURITY_NETWORK_XFRM
> config SECURITY_CAPABILITIES
> bool "Default Linux Capabilities"
> depends on SECURITY
> + default y
> help
> This enables the "default" Linux capabilities functionality.
> If you are unsure how to answer this question, answer Y.
> --
> 1.5.1
>
Acked-by: Matt LaPlante <kernel1@cyberdogtech.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-01-29 16:44 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-01-25 1:12 "Default Linux Capabilities" default in 2.6.24 Matt LaPlante
2008-01-29 2:10 ` Matt LaPlante
2008-01-29 2:48 ` James Morris
2008-01-29 13:08 ` Serge E. Hallyn
2008-01-29 16:44 ` Matt LaPlante
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).