Displaying 3 results from an estimated 3 matches for "cap_audit_control".

2011 Dec 07
1
lxc capabilities
...e is some way to control the capabilities assigned to the container processes. With lxc-tools, I can specify a configuration option, lxc.cap.drop, which causes the container processes to drop the specified privileges. My libvirt containers seem to run with cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin which is rather more permissive than I'd like. In particular, cap_sys_boot allows a container to reboot the host machine. I am running libvirt-0.9.2 from squeeze-backports on debian squeeze. Cheers, -C-
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...AP(CAP_SYS_PTRACE), + MAKE_CAP(CAP_SYS_PACCT), + MAKE_CAP(CAP_SYS_ADMIN), + MAKE_CAP(CAP_SYS_BOOT), + MAKE_CAP(CAP_SYS_NICE), + MAKE_CAP(CAP_SYS_RESOURCE), + MAKE_CAP(CAP_SYS_TIME), + MAKE_CAP(CAP_SYS_TTY_CONFIG), + MAKE_CAP(CAP_MKNOD), + MAKE_CAP(CAP_LEASE), + MAKE_CAP(CAP_AUDIT_WRITE), + MAKE_CAP(CAP_AUDIT_CONTROL), + MAKE_CAP(CAP_SETFCAP), + MAKE_CAP(CAP_MAC_OVERRIDE), + MAKE_CAP(CAP_MAC_ADMIN), + MAKE_CAP(CAP_SYSLOG), +}; + +static void fail(const char *fmt, ...) __attribute__((format(printf, 1, 2))); +static void fail(const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt...
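Review bot: the capability name table is written out by hand with one MAKE_CAP(...) entry per capability and stops at CAP_SYSLOG, so a capability the kernel adds later would have no entry and nothing here flags the omission. Consider a compile-time check on the array size against CAP_LAST_CAP + 1 from <linux/capability.h>, assuming the table is meant to cover every capability, so that a missing entry breaks the build instead of leaving that capability impossible to drop by name.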
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is, it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by