On Fri, 2013-02-08 at 13:02 -0800, Kees Cook wrote:
> I don't find it unreasonable to drop all caps and lose access to
> sensitive things. :) That's sort of the point, really. I think a cap
> is the best match. It seems like it should either be a cap or a
> namespace flag, but the latter seems messy.
Yeah, I think it's an expected outcome, but it means that if (say) qemu
drops privileges, qemu can no longer access PCI resources - even on
non-secure boot systems. That breaks existing userspace.
��.n��������+%�������w��{.n�����{����*�jg���������ݢj�����G��������j:+v���w�m������w�������h�����٥
