On fork, you just filter the capabilities through the global
securebits. When you (extremely seldom) change the global securebits,
you walk the process-tree. Alternatively, you can AND a process'
capabilities with the global securebits on each call to capable()
(which is the new name for suser() in linux-privs).

Btw, using capabilities is just as fast as suser() is currently
[except that testing for 0 is faster on some architectures than
testing whether a bit is set], and is faster than checking for suser
_and_ securelevel.
astor
-- Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway http://www.guardian.no/
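
An added example, not part of the original message or of linux-privs: a small userspace C model of the two options described above (filter on fork and walk the tasks when the mask changes, or AND with the mask inside the check). The task table, `global_mask`, the `CAP_*` bit values and all function names are assumptions made for the illustration.

```c
/* Userspace model; every name here is hypothetical, none is kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_TASKS  8
#define CAP_MODULE (1u << 0)   /* constructed bit assignments */
#define CAP_NET    (1u << 1)
struct task {
    uint32_t eager;   /* strategy A: already filtered through the mask */
    uint32_t raw;     /* strategy B: never rewritten, masked at check time */
    int used;
};
static struct task tasks[MAX_TASKS];
static uint32_t global_mask;   /* stands in for the "global securebits" */

static void model_init(void)
{
    memset(tasks, 0, sizeof tasks);
    global_mask = ~0u;
    tasks[0] = (struct task){ ~0u, ~0u, 1 };   /* task 0 holds everything */
}
/* On fork the child inherits the parent's set, filtered through the mask. */
static int model_fork(int parent)
{
    for (int i = 0; i < MAX_TASKS; i++) {
        if (tasks[i].used)
            continue;
        tasks[i] = (struct task){ tasks[parent].eager & global_mask, tasks[parent].raw, 1 };
        return i;
    }
    return -1;   /* table full */
}
/* Rare path: change the mask, then walk every task (only strategy A needs it). */
static void set_global_mask(uint32_t new_mask)
{
    global_mask = new_mask;
    for (int i = 0; i < MAX_TASKS; i++)
        tasks[i].eager &= global_mask;
}
/* Strategy A check is one bit test; strategy B pays one extra AND per call. */
static int capable_eager(int t, uint32_t cap) { return (tasks[t].eager & cap) != 0; }
static int capable_lazy(int t, uint32_t cap)  { return (tasks[t].raw & global_mask & cap) != 0; }

int main(void)
{
    model_init();
    int child = model_fork(0);
    set_global_mask(~CAP_MODULE);
    printf("eager=%d lazy=%d\n", capable_eager(child, CAP_MODULE), capable_lazy(child, CAP_MODULE));
}
```

In this model the two checks agree as long as the mask is only narrowed. If the mask is widened again, the lazy check returns the bit, while the eagerly walked set has already lost it.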