On Sun, Nov 05, 2017 at 01:56:35PM +1100, Aleksa Sarai wrote: > Previously, the only capability effectively required to operate on the > /proc/scsi interface was CAP_DAC_OVERRIDE (or for some other files, > having an fsuid of GLOBAL_ROOT_UID was enough). This means that > semi-privileged processes could interfere with core components of a > system (such as causing a DoS by removing the underlying SCSI device of > the host's / mount). Given that the previous patch didn't even compile, I worry that you have not tested this at all to see what breaks/changes in userspace with this type of user-visable api change. What did you do to test this? thanks, greg k-h
