> Tested how? First of all, this change is not about functionality, only about permissions. I wrote 3 testcases which calls ioctl() with TIOCSTI, TIOCCONS, TIOCVHANGUP respectively. Then execute them on the origin kernel and patched kernel. Running it on both sets of kernels gives the same result. However, through the system error message, and the kernel log output I added, I confirmed that the relevant functionality under the origin kernel requires sys_admin, and under the patched kernel requires sys_tty_config. Indeed, it doesn't have much to do with the distro either, I just tested it on Debian, and similar tests can be done on other distros. > Why did you just change these 3 usages, and not all of them? Why are > these "safe" but the others not? There are 5 capability checks in this file, all using sys_admin. The first one is in the tiocsti function, in commit 690c8b804ad2 ("TIOCSTI: always enable for CAP_SYS_ADMIN"), sys_admin was introduced for a special application BRLTTY, so I hesitated to change it. In fact, BRLTTY has both sys_admin and sys_tty_config, so modify the kernel's permission check, will not affect BRLTTY's function. The other permission check is located in a different function, not triggered by ioctl, so it's not written together. > And most importantly of all, why make this change at all? Who is using > capabilities these days in a fine-grained way to warrent this type of > modification? I guess you are right, there's not a lot of people using capabilities. But the idea of a least privilege design is still tempting from a security point of view. The scarce use of capabilities is related to its problematic implementation, and we hope to promote its use by improving its implementation. sys_admin is a relatively large privilege, which may pose a risk to the system (check the cve list: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAP_SYS_ADMIN ), and by reducing the unnecessary use of sys_admin, we can avoid some of the risks. In particular, the linux capability has been designed with sys_tty_config, so it should take over the privileges originally managed by sys_admin related to TTY. Best regards, Jingzi