Subject: Re: Getting rid of /dev/veriexec
To: None <tech-kern@netbsd.org>
From: None <joerg@britannica.bec.de>
List: tech-kern
Date: 12/02/2005 16:27:31

On Fri, Dec 02, 2005 at 03:04:31PM +0200, Elad Efrat wrote:
>
> 1. An admin can chown a device to give a user a special role -- true,
>    but Veriexec does an explicit suser() (and there's no, at the moment,
>    intention to change that). This should be addressed by capabilities,
>    if any.

I don't agree with Nathan on the use of sysctl, but removing the device
as entry point is IMO a very bad thing for Veriexec. Consider the need
for the device a security feature for Veriexec, but a bug e.g. for ps /
netstat etc.

Joerg