From: One Thousand Gnomes Subject: Re: General flags to turn things off (getrandom, pid lookup, etc) Date: Wed, 30 Jul 2014 15:37:58 +0100 Message-ID: <20140730153758.6431fafa@alan.etchedpixels.co.uk> References: <20140725223550.3153f436@alan.etchedpixels.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: "Eric W. Biederman" , Julien Tinnes , David Drysdale , Al Viro , Paolo Bonzini , LSM List , Greg Kroah-Hartman , Paul Moore , James Morris , Linux API , Meredydd Luff , Christoph Hellwig , "linux-kernel@vger.kernel.org" , Kees Cook , "Theodore Ts'o" , Henrique de Moraes Holschuh , linux-crypto@vger.kernel.org To: Andy Lutomirski Return-path: Received: from lxorguk.ukuu.org.uk ([81.2.110.251]:38872 "EHLO lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753725AbaG3OjV (ORCPT ); Wed, 30 Jul 2014 10:39:21 -0400 In-Reply-To: Sender: linux-crypto-owner@vger.kernel.org List-ID: > > We sort of have one. It's called capable(). Just needs extending to cover > > anything else you care about, and probably all the numeric constants > > replacing with textual names. > > > > Except that it's all backwards: these are things that default to *on*, > and people might want them to turn off. capable() is totally fscked > if you want otherwise unprivileged users to carry capabilities around The userspace API is, but capable() as a userspace API and capable() as an in kernel check are only connected by history. For the in kernel part you can either teach everyone another disjoint API or we can have a single API in kernel for saying "is XYZ allowed".