Then if/once we re-compile the kernel / use Linux Hardened, we’d also “just use CAP_SYS_ADMIN”. Good enough?
Perhaps just suggest it to them? Let’s see what they say. Since the patch is already done (looks like “90%” of the work), it would be good to go a bit further and suggest it to them. Even if they say no, someone might look at the code and have a useful comment. Even in the case of no comment, it could mean someone had a look and didn’t have anything negative to say. Then we would also know their reaction and wouldn’t need to assume it.
Also this seems rushing far ahead. The way I see it:
- figure out how to automatically compile the kernel package on the user’s machine during APT upgrades using the Debian stock kernel at all
- do the same with Linux Hardened (I didn’t manage yet to use Debian’s packaging files in combination with Linux Hardened)
- go beyond Linux Hardened, think about becoming even safer than Linux Hardened
Looks like we’re discussing 3) while steps 1) and 2) are far away.