On 04/19/16 at 09:20am, Linus Torvalds wrote:
> On Tue, Apr 19, 2016 at 2:04 AM, Dave Young <dyoung at redhat.com> wrote:
> >
> > It is not clear how to handle it, maybe we can assume nobody is using it as
> > non-root, leave it as is or just add |CAP_SYS_BOOT for /proc/iomem?
>
> Pretty much nobody uses fine-grained capabilities anyway - they are
> one of those bad security things that generally add more complexity
> than value(*) - so I wouldn't worry about it unless you actually find
> something that cares.

Agreed that leaving it as is should be fine, according to what you said
about fine-grained capabilities usage.

Thanks
Dave