On Mon, 30 Mar 2015, Andy Lutomirski wrote:

> > Would this suffice? It puts the CAP_SETPCAP limitation back to how it
> > was in my earlier patch.
>
> I really don't like that variant. CAP_SETPCAP is dangerous and so
> absurdly powerful that people really shouldn't hand it out.

According to man 7 capabilities, CAP_SETPCAP is required to set up securebits. This hides the functionality behind yet another stage of security and obscures this ability somewhat more?