> On the other hand, disabling CAP_SYS_RAWIO *definitely* breaks expected
> functionality - firmware loading and the fibmap ioctl are probably the
> most obvious. And changing the use of CAP_SYS_RAWIO potentially breaks
> userspace expectations, so we're kind of stuck there.

Actually I know how to describe the problem better.

Whitelist v Blacklist.

Going around adding extra cases for CAP_SYS_RAWIO is a 'fails insecure' model. Going around adding CAP_SYS_RAWIO || CAP_SYS_RAWIO_SEC is a 'fails secure' case.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html