On Thu, 2014-03-13 at 21:26 +0000, One Thousand Gnomes wrote:
> > On the other hand, disabling CAP_SYS_RAWIO *definitely* breaks expected
> > functionality - firmware loading and the fibmap ioctl are probably the
> > most obvious. And changing the use of CAP_SYS_RAWIO potentially breaks
> > userspace expectations, so we're kind of stuck there.
>
> Actually I know how to describe the problem better.
>
> Whitelist v Blacklist.
>
> Going around adding extra cases for CAP_SYS_RAWIO is a fails insecure
> model. Going around adding CAP_SYS_RAWIO || CAP_SYS_RAWIO_SEC is a 'fails
> secure' case.

We've already been through this. We can't add new capabilities. It breaks
existing userspace.

--
Matthew Garrett <matthew.garrett@xxxxxxxxxx>