The trouble with CAP_SYS_RAWIO

Posted Mar 13, 2013 21:36 UTC (Wed) by kugel (subscriber, #70540)
Parent article: The trouble with CAP_SYS_RAWIO

Can the cap dropping be changed to happen in a way such that only those capabilities are dropped that existed when the program was compiled? That said, I know nothing about capability APIs or internals.



The trouble with CAP_SYS_RAWIO

Posted Mar 13, 2013 21:49 UTC (Wed) by mjg59 (subscriber, #23239)

Imagine a /dev/halt_catch_fire that requires CAP_SYS_RAWIO. Your application runs as root but drops all capabilities, so you never bother making sure that it doesn't accidentally touch /dev/halt_catch_fire. Later, someone decides to add a more fine-grained capability and now either CAP_SYS_RAWIO *or* CAP_SYS_HALT_CATCH_FIRE is sufficient. Your application was previously incapable of setting the machine on fire, but now it can.
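
The scenario from this exchange, modelled as capability bitmasks. This is an added example, not code from either commenter or from the kernel. The number given to CAP_SYS_HALT_CATCH_FIRE and the build-time limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_RAWIO            17  /* value from linux/capability.h */
#define BUILD_TIME_LAST_CAP      36  /* assumption: highest capability the program's headers knew */
#define CAP_SYS_HALT_CATCH_FIRE  37  /* hypothetical capability from the comment, added later */

#define CAP_BIT(n) (1ULL << (n))

/* Full capability set of a root process on a kernel whose highest capability is last_cap. */
static uint64_t root_caps(int last_cap) {
    return last_cap >= 63 ? ~0ULL : CAP_BIT(last_cap + 1) - 1;
}

/* The proposal: clear only the capabilities that existed at build time. */
static uint64_t drop_known_at_build(uint64_t held) {
    return held & ~root_caps(BUILD_TIME_LAST_CAP);
}

/* "Drop all capabilities": clear every bit, whatever the running kernel defines. */
static uint64_t drop_all(uint64_t held) {
    (void)held;
    return 0;
}

/* Device check after the kernel change: either capability is sufficient. */
static int may_open_halt_catch_fire(uint64_t effective) {
    uint64_t sufficient = CAP_BIT(CAP_SYS_RAWIO) | CAP_BIT(CAP_SYS_HALT_CATCH_FIRE);
    return (effective & sufficient) != 0;
}

int main(void) {
    uint64_t old_kernel = root_caps(BUILD_TIME_LAST_CAP);      /* kernel the program was built for */
    uint64_t new_kernel = root_caps(CAP_SYS_HALT_CATCH_FIRE);  /* kernel with the new capability */

    printf("old kernel, drop known: access=%d\n",
           may_open_halt_catch_fire(drop_known_at_build(old_kernel)));
    printf("new kernel, drop known: access=%d (leftover mask 0x%llx)\n",
           may_open_halt_catch_fire(drop_known_at_build(new_kernel)),
           (unsigned long long)drop_known_at_build(new_kernel));
    printf("new kernel, drop all:   access=%d\n",
           may_open_halt_catch_fire(drop_all(new_kernel)));
    return 0;
}
```

The same unchanged binary keeps one bit set on the newer kernel, and that bit is exactly the one the relaxed device check accepts.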

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds