On 30 Nov 2012, at 22:54, Bill Harris wrote:
The existence of CAP_CONNECT and CAP_BIND is currently a bit contradictory -- we allocated the bits as they were common file descriptor methods, but can't use them in that form. There are a number of such loose ends in the design -- Pawel's ongoing work as part of the Casper project will clean up several, although at the cost of some API disruption. (In particular, he has found he had to tweak some of the capability rights to permit constructs such as append-only capabilities on files -- which is very useful, but didn't quite fit our original model.) We're going to try to minimise disruption but may merge a few API changes to FreeBSD as we retained "experimental status" for Capsicum so can afford a bit of disruption. As there are some rather neat downstream Capsicum projects going on, I want to avoid too much disruption.