From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753758AbaGGOLk (ORCPT ); Mon, 7 Jul 2014 10:11:40 -0400 Received: from mail-qa0-f52.google.com ([209.85.216.52]:56938 "EHLO mail-qa0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753566AbaGGOLe (ORCPT ); Mon, 7 Jul 2014 10:11:34 -0400 MIME-Version: 1.0 In-Reply-To: <53BA9094.9080401@redhat.com> References: <1404124096-21445-1-git-send-email-drysdale@google.com> <53B51E81.4090700@redhat.com> <20140703183927.GA1629@google.com> <53B651C5.80602@redhat.com> <53BA9094.9080401@redhat.com> From: David Drysdale Date: Mon, 7 Jul 2014 15:11:08 +0100 Message-ID: Subject: Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) To: Paolo Bonzini Cc: LSM List , "linux-kernel@vger.kernel.org" , Greg Kroah-Hartman , Alexander Viro , Meredydd Luff , Kees Cook , James Morris , Linux API , qemu-devel Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 7, 2014 at 1:20 PM, Paolo Bonzini wrote: > Il 07/07/2014 12:29, David Drysdale ha scritto: >> Capsicum capabilities are associated with the file descriptor (a la >> F_GETFD), not the open file itself -- different FDs with different >> associated rights can map to the same underlying open file. > > > Good to know, thanks. I suppose you have testcases that cover this. > > Paolo Yeah, there's lots of tests at: https://github.com/google/capsicum-test (which is in a separate repo so it's easy to run against FreeBSD as well as the Linux code); in particular https://github.com/google/capsicum-test/blob/dev/capability-fd.cc has various interactions of capability FDs.