adding CAP_RESERVED_# bits
Paul Moore
paul at paul-moore.com
Sat Jun 7 02:11:21 UTC 2025

On Fri, Jun 6, 2025 at 1:58 PM Luigi Semenzato <semenzato at google.com> wrote:
>
> Recently I inquired about the decision process for adding a CAP_DRM
> bit to capability.h (to become DRM master). It occurred to me that
> the process for adding ANY bit would be fraught with controversies (to
> say the least).
>
> So I looked into maintaining a patch in our own kernel sources, but
> that was surprisingly messy due to the build-time dependencies of
> capability.h and the way we maintain and share sources internally for
> multiple kernel versions. This would have been quite simple if there
> were a few reserved bits, such as CAP_RESERVED_0, ..,
> CAP_RESERVED_<N-1> with, say, N=3.
>
> Would this also be controversial?

Yes, and likely rejected too. The upstream Linux kernel generally
doesn't make any sacrifices to support out-of-tree kernel code, and
giving up precious capability bitmap space would definitely be
considered a sacrifice.
--
paul-moore.com
More information about the Linux-security-module-archive mailing list