how are new CAP_* added? CAP_{DISPLAY,DRM,GPU}?
Luigi Semenzato
semenzato at google.com
Mon Apr 28 22:19:24 UTC 2025
I have a use case for adding a CAP_DRM, or similar, to replace the
CAP_SYS_ADMIN in drivers/gpu/drm/drm_auth.c for the purpose of
becoming the DRM master.

I am not an expert on either DRM or capabilities, and I am wondering
how one can decide the appropriate level of granularity for a new
capability. Is CAP_DRM general enough (but not too much), or should
it be CAP_GPU, or CAP_DISPLAY? Or perhaps capabilities should be
discouraged for this case?

Thanks!

On Mon, Apr 28, 2025 at 3:16 PM Luigi Semenzato <semenzato at google.com> wrote:
>
> I have a use case for adding a CAP_DRM, or similar, to replace the CAP_SYS_ADMIN in drivers/gpu/drm/drm_auth.c for the purpose of becoming the DRM master.
>
> I am not an expert on either DRM or capabilities, and I am wondering how one can decide the appropriate level of granularity for a new capability. Is CAP_DRM general enough (but not too much), or should it be CAP_GPU, or CAP_DISPLAY? Or perhaps capabilities should be discouraged for this case?
>
> Thanks!
>