Re: [PATCH v3 2/3] Documentation: security-bugs: explain what is and is not a security bug

[Willy Tarreau]

Hi Jon,

On Wed, May 13, 2026 at 03:04:21PM -0600, Jonathan Corbet wrote:
> Willy Tarreau <w@xxxxxx> writes:
> 
> > On Wed, May 13, 2026 at 06:52:00AM -0600, Jonathan Corbet wrote:
> 
> >> I definitely wouldn't argue for making it longer, and enumerating all of
> >> the make-me-root capabilities would be silly.  I would consider just
> >> replacing CAP_SYS_ADMIN with "elevated capabilities" or some such.  That
> >> might rule out legitimate reports where some capability provides an
> >> access it shouldn't, but I suspect you could live with that :)
> >
> > I think it could indeed work like this, without denaturating the rest
> > of the paragraph and having broader coverage. Do you think you could
> > amend/update it ? I'm not trying to add you any burden, it's just that
> > it will take me more time before I provide an update :-/
> 
> How's the following?

Looks good, thank you! In case this is needed:

  Acked-by: Willy Tarreau <w@xxxxxx>

> (While I was there, I noticed that threat-model.rst has no SPDX line;
> what's your preference there?)

I didn't notice any was needed, I tried to get inspiration from other
files for the format (I'm still not familiar with the rst format
though this time I could successfully install the tools). Same for
the label at the top BTW, I just did what I found somewhere else,
probably security-bugs.rst which is similar (no SPDX line and has a
label). So regarding SPDX, I do not have any preference. If one is
needed, let's pick what's used by default, I do not care, as long
as it allows the doc to be published.

Thanks,
Willy

> Thanks,
> 
> jon
> 
> >From 1e15a25142583e312dcc504b0279d47508cbfdab Mon Sep 17 00:00:00 2001
> From: Jonathan Corbet <corbet@xxxxxxx>
> Date: Wed, 13 May 2026 14:58:53 -0600
> Subject: [PATCH 2/2] docs: threat-model: don't limit root capabilities to
>  CAP_SYS_ADMIN
> 
> The threat-model document says that only users with CAP_SYS_ADMIN can carry
> out a number of admin-level tasks, but there are numerous capabilities that
> can confer that sort of power.  Generalize the text slightly to make it
> clear that CAP_SYS_ADMIN is not the only all-powerful capability.
> 
> Signed-off-by: Jonathan Corbet <corbet@xxxxxxx>
> ---
>  Documentation/process/threat-model.rst | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/process/threat-model.rst b/Documentation/process/threat-model.rst
> index 91da52f7114fd..f177b8d3c1caf 100644
> --- a/Documentation/process/threat-model.rst
> +++ b/Documentation/process/threat-model.rst
> @@ -62,7 +62,8 @@ on common processors featuring privilege levels and memory management units:
>  
>  * **Capability-based protection**:
>  
> -  * users not having the ``CAP_SYS_ADMIN`` capability may not alter the
> +  * users not having elevated capabilities (including but not limited to
> +    CAP_SYS_ADMIN) may not alter the
>      kernel's configuration, memory nor state, change other users' view of the
>      file system layout, grant any user capabilities they do not have, nor
>      affect the system's availability (shutdown, reboot, panic, hang, or making
> -- 
> 2.53.0