On 2/13/2013 2:26 PM, H. Peter Anvin wrote: > On 02/13/2013 09:51 AM, Casey Schaufler wrote: >> >> You can't add a new capability where there is an existing capability >> that can be remotely argued to be appropriate. >> >> If you tried to "fix" CAP_SYS_RAWIO and/or CAP_SYS_ADMIN you'd end >> up with hundreds of capabilities. >> >> Your particular problem is *not* so important that you get a >> capability all to yourself. >> > > {facepalm} > > This is exactly the kind of thinking which has led to the capability > system being so bloody useless. The reason the capability system is "bloody useless" is that no one wants to update the core system applications to use it in favor of good old fashioned worked for dad and works for me too superuser. > > Capabilities need to be associated with resources, not use cases. There is no such thing as a "resource" in the Linux security policy model. The Linux security policy model is based on subjects (tasks) accessing objects (e.g. files). Capabilities provide a granular mechanism for granting privilege to violate the Linux security policy. Because in the Bad Old days of Unix "superuser privilege" also granted rights to preform configuration activities it was not possible to eliminate the superuser without extending the capability mechanism to include these. Thus, there are two sorts of capabilities, those controlling privileged access and those controlling restricted activities. In both cases what you are controlling is an activity. Sorry, but that is the way it is defined. I understand that you want capabilities to be associated with resources. That is *not* what we have, and arguing that its what we should have is pointless because Linux does not even have a concept of resources. > > -hpa > > -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html