[Toybox] Using toybox for poking around weird namespaces?
Rob Landley
rob at landley.net
Sat Oct 25 21:20:08 PDT 2014
On 10/25/14 10:28, stephen Turner wrote:
> Isnt part of the idea behind kiss is security? And if you were to
> include selinux wouldnt you want to reduce that code as well?
Yes, but "all or none" is the easiest granularity.
If we have a thing in toybox to set selinux entries (which this
apparently does), then we should at least have code in cp/mv to preserve
them, and code in "ls" to display them. (I'm reluctant to have _partial_
support for something, which is by itself useless.)
I honestly don't know what the rest of the minimum support criteria
_are_. I suppose I could grep busybox to see which command names it
shows up in there. My own experience with it was either figuring out how
to phrase "noselinux" for the system at hand, or leaving it as somebody
else's problem for sysadmin du jour who wanted it.
The thing is: often you have to know a problem domain really well in
order to say what the minimal set of required functionality actually
_is_. I do not know selinux that well. I have a decent understanding of
classic unix security and I think that _is_ the minimal subset. (Modulo
groups being sort of a legacy feature, especially once containers go in.)
I want to add container support on top of classic unix security, but
unfortunately the people implementing it have a hammer (capabilities!
selinux! extended attributes! systemd!) and thus will _find_ excuses to
use this crap despite its seeming uselessness...
Possibly containers _don't_ actually need this mess. I really hope not.
But I don't feel I understand the concept well enough to go all:
http://www.girlgeniusonline.com/comic.php?date=20030625
on it yet. (It sounds like Andy may already have done so, but I need to
learn more to evaluate it.)
But I've kinda been hip-deep in sed this past week...
Rob
1414297208.0
More information about the Toybox
mailing list