Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface

From: Serge E. Hallyn
Date: Thu Jul 14 2016 - 16:22:01 EST


Quoting Kees Cook (keescook@xxxxxxxxxxxx):
> On Thu, Jul 14, 2016 at 10:49 AM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:
> > Kees, you said adding a capability is hard - can you expound on that?
>
> Best I can find at the moment was discussion around CAP_COMPROMISE_KERNEL:
> http://thread.gmane.org/gmane.linux.kernel/1459165

Hm, the last discussion I recall around that topic involved a confusing
negative capability iirc, I assume CAP_COMPROMISE_KERNEL was the revamped
version.

> Basically, adding a new capability for an interface can create
> userspace compatibility problems (though perhaps in this case, it's a
> new interface, so a new capability would be okay, but it's such a
> narrow use-case and CAP_SYS_NICE fits fine).

Right, there are two ways they can be added. For new functionality,
no big deal. (Of course we'd like to avoid going beyond 64 bits of cap
too soon, so don't want to go crazy).

The other is when we want to split off a more fine-grained version of
an existing capability. Then we just have to make sure that the coarser
pre-existing capability continues to work as expected. Breaking out
CAP_SYSLOG from CAP_SYS_ADMIN was an example of that.

-serge
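The two cases Serge describes (gating a brand-new interface on an existing capability, as the timerslack_ns patch does with CAP_SYS_NICE, versus splitting a narrow capability out of a coarse one, as with CAP_SYSLOG and CAP_SYS_ADMIN) can be shown side by side in a small userspace model. This is an added example, not code from the thread or from the kernel: the capability set is a plain bitmask standing in for the task's effective set, `task_capable()` stands in for the kernel's `capable()`, and the `may_*` functions are hypothetical permission checks. The capability numbers match the kernel's uapi capability.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as defined in include/uapi/linux/capability.h. */
#define CAP_SYS_ADMIN 21
#define CAP_SYS_NICE  23
#define CAP_SYSLOG    34

/* Toy model of a task's effective capability set: one bit per capability. */
typedef uint64_t capset_t;
#define CAP_BIT(c) ((capset_t)1 << (c))

/* Stand-in for the kernel's capable(): does this task hold the capability? */
static bool task_capable(capset_t eff, int cap)
{
    return (eff & CAP_BIT(cap)) != 0;
}

/* Case 1: a brand-new interface gated on an existing capability, the way
 * the timerslack_ns patch uses CAP_SYS_NICE.  There is no old behaviour
 * to stay compatible with, so a single check is enough. */
static bool may_set_timerslack(capset_t eff)
{
    return task_capable(eff, CAP_SYS_NICE);
}

/* Case 2: a fine-grained capability split off from a coarser one.  The
 * narrow check must keep succeeding for tasks that only hold the old
 * coarse capability, which is how CAP_SYSLOG was carved out of
 * CAP_SYS_ADMIN: old-style privilege keeps working, and a real kernel
 * would warn once here so administrators can migrate. */
static bool may_read_syslog(capset_t eff)
{
    if (task_capable(eff, CAP_SYSLOG))
        return true;
    if (task_capable(eff, CAP_SYS_ADMIN))
        return true;   /* deprecated path kept for compatibility */
    return false;
}

/* The split must not work in reverse: holding only the narrow capability
 * grants none of the other operations CAP_SYS_ADMIN still covers. */
static bool may_mount(capset_t eff)
{
    return task_capable(eff, CAP_SYS_ADMIN);
}

int main(void)
{
    capset_t legacy_admin  = CAP_BIT(CAP_SYS_ADMIN);  /* pre-split daemon  */
    capset_t narrow_syslog = CAP_BIT(CAP_SYSLOG);     /* post-split daemon */
    capset_t nice_only     = CAP_BIT(CAP_SYS_NICE);
    capset_t unprivileged  = 0;

    printf("legacy admin reads syslog:   %d\n", may_read_syslog(legacy_admin));
    printf("narrow syslog reads syslog:  %d\n", may_read_syslog(narrow_syslog));
    printf("narrow syslog may mount:     %d\n", may_mount(narrow_syslog));
    printf("unprivileged reads syslog:   %d\n", may_read_syslog(unprivileged));
    printf("CAP_SYS_NICE sets timerslack:%d\n", may_set_timerslack(nice_only));
    printf("CAP_SYS_ADMIN sets timerslack:%d\n", may_set_timerslack(legacy_admin));
    return 0;
}
```

The point of the model is the asymmetry in case 2: a task that was granted CAP_SYS_ADMIN before the split must still pass the new CAP_SYSLOG check, but a task given only CAP_SYSLOG must not inherit any of CAP_SYS_ADMIN's other powers.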