Lines Matching +full:non +full:- +full:empty

6 system-wide allowlist. These restrictions also prohibit the given UIDs/GIDs
15 CAP_SETUID is granted to programs running as root or those running as a non-root
24 tree of processes under non-root user(s) in the first place. Specifically,
28 lesser-privileged user -- not elevate privileges. Unfortunately, there is no
34 The main use case for this LSM is to allow a non-root program to transition to
35 other untrusted uids without full blown CAP_SETUID capabilities. The non-root
38 of CAP_SETUID since the non-root program cannot take advantage of CAP_SETUID to
40 namespace). The higher level goal is to allow for uid-based sandboxing of system
42 non-root programs can drop to even-lesser-privileged uids. This is especially
43 relevant when one non-root daemon on the system should be allowed to spawn other
45 basically-root-equivalent CAP_SETUID.
52 -------------------------------
64 that rely on certain process-spawning semantics in Linux.
67 -------------------
80 that owns the network namespace -- not necessarily the user namespace under
83 initial namespace. This is a deal-breaker for any application that expects to
89 -------------------
90 None of the other in-tree LSMs have the capability to gate setid transitions, or
105 Writing an empty string "" will flush the policy. Again, configuring a policy