From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752173AbcGNUV5 (ORCPT <rfc822;w@1wt.eu>);
	Thu, 14 Jul 2016 16:21:57 -0400
Received: from h2.hallyn.com ([78.46.35.8]:36332 "EHLO h2.hallyn.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751224AbcGNUVz (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 14 Jul 2016 16:21:55 -0400
Date: Thu, 14 Jul 2016 15:21:53 -0500
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>, John Stultz <john.stultz@linaro.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Arjan van de Ven <arjan@linux.intel.com>,
        lkml <linux-kernel@vger.kernel.org>, Oren Laadan <orenl@cellrox.com>,
        Ruchi Kandoi <kandoiruchi@google.com>,
        Rom Lemarchand <romlem@android.com>,
        Android Kernel Team <kernel-team@android.com>,
        Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
        Nick Kralevich <nnk@google.com>, Dmitry Shmidt <dimitrysh@google.com>,
        Elliott Hughes <enh@google.com>
Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface
Message-ID: <20160714202153.GA5332@mail.hallyn.com>
References: <1455671191-32105-1-git-send-email-john.stultz@linaro.org>
 <1455671191-32105-3-git-send-email-john.stultz@linaro.org>
 <CALAqxLUsJ8Aph76mJ9xZWry56xvL8wKy+HVbgh=NQ-fimFUtJg@mail.gmail.com>
 <CAGXu5jJwAVdKBKUgWgGvwoHn8p7bNWMVK8+BNqmaE+Q7TrT1rA@mail.gmail.com>
 <20160714124806.GB31333@mail.hallyn.com>
 <CALAqxLWb6LaLro-dCYF1Upm1=4Dag1JfrmsxrjWhc6x-keGzkg@mail.gmail.com>
 <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
 <20160714174918.GA3302@mail.hallyn.com>
 <CAGXu5jJWDs9PkAvDsByMy8Yb+98T75nBzfH4H898pCvrTEBTYw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5jJWDs9PkAvDsByMy8Yb+98T75nBzfH4H898pCvrTEBTYw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Kees Cook (keescook@chromium.org):
> On Thu, Jul 14, 2016 at 10:49 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > Kees, you said adding a capability is hard - can you expound on that?
> 
> Best I can find at the moment was discussion around CAP_COMPROMISE_KERNEL:
> http://thread.gmane.org/gmane.linux.kernel/1459165

Hm, the last discussion I recall around that topic involved a confusing
negative capability iirc, I assume CAP_COMPROMISE_KERNEL was the revamped
version.

> Basically, adding a new capability for an interface can create
> userspace compatibility problems (though perhaps in this case, it's a
> new interface, so a new capability would be okay, but it's such a
> narrow use-case and CAP_SYS_NICE fits fine).

Right, there are two ways they can be added.  For new functionality,
no big deal.  (Of course we'd like to avoid going beyond 64 bits of cap
too soon, so don't want to go crazy).

The other is when we want to split off a more fine-grained version of
an existing capability.  Then we just have to make sure that the coarser
pre-existing capability continues to work as expected.  Breaking out
CAP_SYSLOG from CAP_SYS_ADMIN was an example of that.

-serge