authorHolger Dengler <dengler@linutronix.de>2016-10-28 16:57:24 +0200
committerHolger Dengler <dengler@linutronix.de>2016-10-28 16:57:47 +0200
commitcd03b6d85930eaf8f68240cd3e91a6bcf5035c53 (patch)
tree809649e3234fb7d57ef394f8853ea4c80499a8f1 /security/advanced
parent84508a664655fa1fac11711cb6ecfcba0e571a8f (diff)
security: Review findings (Holger, John)
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/advanced')
-rw-r--r--security/advanced/frm_capabilities.tex2
-rw-r--r--security/advanced/frm_namespace_container.tex2
2 files changed, 3 insertions, 1 deletions
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
index 5acd8e9..d4a2890 100644
--- a/security/advanced/frm_capabilities.tex
+++ b/security/advanced/frm_capabilities.tex
@@ -205,7 +205,7 @@ Scenario for dropping capabilities in suid-root processes
\item effective: drop all
\item permitted: keep only required
\end{itemize}
-\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS, 1))
+\item preserve capabilities (prctl(PR\_SET\_KEEPCAPS, 1))
\item set all UIDs to non-zero
\item raise capability in effecive set before calling a privileged syscall
\item drop capability from effective set after syscall
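Review bot: The new wording on the `PR_SET_KEEPCAPS` item, "preserve capabilities", overstates what the flag keeps: per capabilities(7) it retains only the permitted set when all UIDs become non-zero, while the effective set is still cleared by that UID change and the flag itself is reset on execve(2). The following items rely on exactly that distinction (the capability has to be raised in the effective set again before the syscall), so I would write `\item preserve permitted capabilities across the UID change (prctl(PR\_SET\_KEEPCAPS, 1))`. The enclosing list starts and ends outside the hunk, so the remaining steps of the scenario are not visible here. The unchanged item right after it also carries a typo, "effecive", that could be fixed in the same pass.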
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
index c63b6b2..5b907e6 100644
--- a/security/advanced/frm_namespace_container.tex
+++ b/security/advanced/frm_namespace_container.tex
@@ -37,6 +37,8 @@
\begin{itemize}
\item Mount: \\
Provide different filesystem
+\item PID: \\
+ Provide new Process-ID scope
\item IPC: \\
Provide isolated inter process communication entities
\item Network: \\