Dumping ground for notes on supporting filesystem capabilities.

== Open Questions ==
 * Filesystems without xattr support (NFS, etc).  Possible solutions:
   * VFS 'xattr_backing_file' mount option
   * union mount with xattr-capable ext3 over xattr-challenged NFS
   * stackable FS
   * Wait for fs's to support xattrs :)
 * Determine possible caps needed for programs.  Perhaps:
   * walk compiled assembly, listing caps
     * definately needed (i.e. cap_sys_admin for mount)
     * possibly needed (i.e. cap_dac_override)
   * audit?
   * kprobe
   * wrap application in MAC (eg. apparmor) policy and put it in allowed auditing (apparmor complain mode) and collect list of capabilities used.
 * library to wrap syscalls to enable caps
   * tries syscall(SYS_xyz), if fail with -EPERM/EACCESS, then
   * oldcaps = enable_eff_cap_by_syscall(SYS_xyz)
     * looks through library of (syscall->caps_list) pairs
     * copies any x in caps_list which is in pP to pE
     * retries SYS_xyz
     * resets oldcaps

== Blockers ==
 * "rsync -AXa" works, but "AX" should be part of "a"
 * cpio fails
 * tar fails
  * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254615
  * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=451932
   * http://old.nabble.com/patches-for-acl%2C-xattrs%2C-and-selinux-support-ts21075155.html
 * dpkg-deb does not know about xattrs.

== Good ==
 * "cp -a" works

== Bad ==
 * NFS does not support xattr

== Ugly ==
 * libcap2's pam_cap has unexpected parsing results (should allow multiple matches on user)

== Fixed ==
 * libcap2-bin does not install pam_cap.so into the common-auth stack automatically (LP: #534658).