On Thu, 2005-10-13 at 14:02 +0200, Carsten Otte wrote:
> While the big sledgehammer CAP_DIAG works, I would prefer a bunch
> of smaller special purpose hammers.
So you add a "required cap bits" to your diag driver interface and use "0" for useful unprivileged diag calls. It doesn't make the problem any harder to solve, and anything that is hard or is policy related gets CAP_SYS_RAWIO and is punted to user space policy management.
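
A user-space sketch of the "required cap bits" table suggested in the reply above, added here as an example; it is not code from the thread or from the s390 diag driver. The diag function codes, the struct and function names, and the fail-closed default for unlisted codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit number of CAP_SYS_RAWIO in <linux/capability.h>; defined locally so
 * the sketch builds without kernel headers. */
#define EX_CAP_SYS_RAWIO 17
#define CAP_MASK(bit) (UINT64_C(1) << (bit))

/* Hypothetical diag function codes, constructed for this example. */
enum { DIAG_EX_QUERY = 0x10, DIAG_EX_RAW_IO = 0x20, DIAG_EX_POLICY = 0x30 };

struct diag_rule {
    unsigned int code;      /* diag function code */
    uint64_t required_caps; /* 0 = callable without privilege */
};

static const struct diag_rule diag_rules[] = {
    { DIAG_EX_QUERY,  0 },
    { DIAG_EX_RAW_IO, CAP_MASK(EX_CAP_SYS_RAWIO) },
    { DIAG_EX_POLICY, CAP_MASK(EX_CAP_SYS_RAWIO) },
};

/* Capabilities required for a code. Codes missing from the table fail closed
 * to CAP_SYS_RAWIO (an assumption of this sketch). */
static uint64_t diag_required_caps(unsigned int code)
{
    for (size_t i = 0; i < sizeof(diag_rules) / sizeof(diag_rules[0]); i++)
        if (diag_rules[i].code == code)
            return diag_rules[i].required_caps;
    return CAP_MASK(EX_CAP_SYS_RAWIO);
}

/* Returns 1 when the caller's effective set covers every required bit. */
static int diag_permitted(unsigned int code, uint64_t effective_caps)
{
    uint64_t need = diag_required_caps(code);
    return (effective_caps & need) == need;
}

int main(void)
{
    uint64_t user = 0, admin = CAP_MASK(EX_CAP_SYS_RAWIO);
    printf("query as user:   %d\n", diag_permitted(DIAG_EX_QUERY, user));
    printf("raw io as user:  %d\n", diag_permitted(DIAG_EX_RAW_IO, user));
    printf("raw io as admin: %d\n", diag_permitted(DIAG_EX_RAW_IO, admin));
    printf("unknown as user: %d\n", diag_permitted(0x99, user));
    return 0;
}
```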
