>  * Devices are given standard filter matching the device class.  Any
>    !CAP_SYS_RAWIO user can only issue commands allowed by the filter.
> 
>  * CAP_SYS_RAWIO can issue an ioctl to disable the filter all
>    accessors of the fd and transfer it.
> 
> That should be enough, no?

No

a - there are lots of cases where you want to allow only a subset of
commands.

b - if you are using a BPF filter, which is the obvious way to do it, then
the flexibility comes for free without any extra complexity, as the kernel
provides a generic implementation, and even a JIT for complex cases.

Alan