Quoting Rob Landley (r...@landley.net):
> The fact that you need multiple sets of capabilities per process
> (permitted, inheritable, effective), plus MORE sets (plural) of
> capabilities attached to executable files, plus the "capability
> bounding set" which is presumably so selinux can mess with it, plus

The bounding set was in large part a workaround for the absence of the user namespace (and, at the time, the devices cgroup). (Now libcap-ng uses it to try and make capabilities generally easier to use.)

-serge