Re: [RFC 01/18] capabilities: track actually used capabilities

On 06/13/16 20:32, Andy Lutomirski wrote:
> On Mon, Jun 13, 2016 at 12:44 PM, Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>> Track what capabilities are actually used and present the current
>> situation in /proc/self/status.
> 
> What for?

Excerpt from the cover letter:

"There are many basic ways to control processes, including capabilities,
cgroups and resource limits. However, there are far fewer ways to find out
useful values for the limits, except blind trial and error.

This patch series attempts to fix that by giving at least a nice starting
point from the actual maximum values. I looked where each limit is checked
and added a call to limit bump nearby.


Capabilities
[RFC 01/18] capabilities: track actually used capabilities

Currently, there is no way to know which capabilities are actually used. Even
the source code is only implicit, in-depth knowledge of each capability must
be used when analyzing a program to judge which capabilities the program will
exercise."

Should I perhaps cite some of this in the commit?

>
> What is the intended behavior on fork()?  Whatever the intended
> behavior is, there should IMO be a selftest for it.
>
> --Andy
>

The capabilities could be tracked from three points of the daemon
initialization sequence onwards:
fork()
setpcap()
exec()

The fork() case would be logical as the /proc entry is per task. But if you
consider the tools to set the capabilities (for example systemd unit
files), there can be between fork() and exec() further preparations
which need more capabilities than the program itself needs.

setpcap() is probably the real point after which we are interested if
the capabilities are enough.

The amount of setup between setpcap() and exec() is probably very low.

-Topi
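
Added example, not part of the message above or of the patch series: it decodes the Cap* masks that /proc/<pid>/status already prints (what a task was granted) and subtracts a mask of capabilities actually exercised, which is the comparison the proposed tracking would make possible. The page does not show the patch's output format, so the "used" mask is passed in as a plain integer; SAMPLE_STATUS and SAMPLE_USED are constructed values.

```python
# Capability names by bit number, as defined in linux/capability.h.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Constructed sample: a daemon granted four network capabilities.
SAMPLE_STATUS = (
    "Name:\tdaemon\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003c00\n"
    "CapEff:\t0000000000003c00\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed "used" mask (assumption): only CAP_NET_BIND_SERVICE was exercised.
SAMPLE_USED = 1 << 10


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from status file text."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def decode(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = [f"cap_{n}" for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    unknown = mask >> len(CAP_NAMES)  # bits newer than this table
    if unknown:
        names.append(f"unknown_bits_{unknown << len(CAP_NAMES):#x}")
    return names


def unused_grants(status_text, used_mask):
    """Capabilities in the effective set that were never exercised."""
    return decode(parse_cap_masks(status_text)["CapEff"] & ~used_mask)


if __name__ == "__main__":
    print("granted but unused:", unused_grants(SAMPLE_STATUS, SAMPLE_USED))
```

The names returned by unused_grants() are the candidates for removal from the capability set configured for the service.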
