On Thu, Feb 24, 2022 at 04:39:44PM -0800, Casey Schaufler wrote:
> What I'd want to see is multiple users where the use of CAP_USERFAULTD
> is independent of the use of CAP_SYS_PTRACE. That is, the programs would
> never require CAP_SYS_PTRACE. There should be demonstrated real value.
> Not just that a compromised program with CAP_SYS_PTRACE can do bad things,
> but that the programs with CAP_USERFAULTDD are somehow susceptible to
> being exploited to doing those bad things. Hypothetical users are just
> that, and often don't materialize.

I kind of have the same question indeed.

The use case we're talking about is VM migration, and the in-question subject is literally the migration process or thread. Isn't that a trusted piece of software already? Then the question is why the extra capability (in CAP_PTRACE but not in CAP_UFFD) could bring much risk to the system.

Axel, did I miss something important?

Thanks,

--
Peter Xu