On Mon, 30 Mar 2015, Andy Lutomirski wrote:
> > Would this suffice? It puts the CAP_SETPCAP limitation back to how it
> > was in my earlier patch.
> I really don't like that variant. CAP_SETPCAP is dangerous and so
> absurdly powerful that people really shouldn't hand it out.
According to
man 7 capabilities
CAP_SETPCAP is required to setup securebits.
This hides the functionality behind yet another stage of security and
obscures this ability somewhat more?
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
