On Fri, Dec 7, 2012 at 11:21 AM, Serge Hallyn <serge.hal...@canonical.com> wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> Signed-off-by: Andy Lutomirski <l...@amacapital.net> >> --- >> Documentation/security/capabilities.txt | 161 >> ++++++++++++++++++++++++++++++++ >> 1 file changed, 161 insertions(+) >> create mode 100644 Documentation/security/capabilities.txt > > TBH, I think a pointer to the capabilities.7 man page would be better. > (plus, if you feel they are needed, updates to the man page)
Updating capabilities.7 wouldn't be a bad idea, but IMO it certainly needs work. For example, it says: Inheritable: This is a set of capabilities preserved across an execve(2). It provides a mechanism for a process to assign capabilities to the permitted set of the new program during an execve(2). This is, at best, misleading. Permitted says: If a thread drops a capability from its permitted set, it can never reacquire that capability (unless it execve(2)s either a set-user-ID-root program, or a program whose associated file capabilities grant that capability). That's just not true (e.g. if uid == 0). The text later on is better, but I think it would be helpful to have a detailed and succinct description of what's going on. I would be happy to revise this patch to reference capabilities.7. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/