Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938571AbcLPAcK (ORCPT ); Thu, 15 Dec 2016 19:32:10 -0500 Received: from mail-oi0-f46.google.com ([209.85.218.46]:33667 "EHLO mail-oi0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933365AbcLPAcD (ORCPT ); Thu, 15 Dec 2016 19:32:03 -0500 MIME-Version: 1.0 In-Reply-To: <9ed6371f-3d38-45b1-a85b-1fbb3e5b4fc7@schaufler-ca.com> References: <43dcc6dc-265b-5eaf-3a70-701e05200b9f@gmail.com> <9ed6371f-3d38-45b1-a85b-1fbb3e5b4fc7@schaufler-ca.com> From: John Stultz Date: Thu, 15 Dec 2016 16:31:40 -0800 Message-ID: Subject: Re: RFC: capabilities(7): notes for kernel developers To: Casey Schaufler Cc: "Michael Kerrisk (man-pages)" , "Serge E. Hallyn" , James Morris , Kees Cook , Andy Lutomirski , Jann Horn , "Eric W. Biederman" , linux-man , linux-security-module , lkml Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 756 Lines: 20 On Thu, Dec 15, 2016 at 12:40 PM, Casey Schaufler wrote: > On 12/15/2016 11:41 AM, Michael Kerrisk (man-pages) wrote: >> On 12/15/2016 05:29 PM, Casey Schaufler wrote: >>> CAP_WAKE_ALARM could readily be CAP_TIME. >> Actually, I don't quite understand what you mean with that sentence. >> Could you elaborate? > > Should have said CAP_SYS_TIME > > Setting an alarm could be considered a time management function, > depending on what it actually does. Just a nit here. CAP_WAKE_ALARM is more about the privilege of waking a system from suspend, while CAP_SYS_TIME covers the ability to set the time. One wouldn't necessarily want to give applications which could wake a system up the capability to also set the time. thanks -john