Displaying 6 results from an estimated 6 matches for "cap_setpcap".

2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...change, such that it understands the new kernel command line "drop_capabilities=" that specifies a comma separated list of capability names that should be dropped before switching over to the next init in the boot strap (typically on the root disk). When processing capabilities to drop, CAP_SETPCAP is special cased to be dropped last, so that the order that capabilities are given does not cause dropping of later enumerated capabilities to fail if it is listed early on. Dropping of capabilities happens in three parts. We explicitly drop the capability from init's inherited masks. We als...
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by
2008 Mar 03
1
Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
I am wondering what is the interaction between SE Linux and the kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket and keep getting permission denied errors. I've tried using the lcap library to find that CAP_SETPCAP appears to be off in the kernel. For compliance reasons, I don't want to turn this on. I've also tried a hand-crafted SE Linux module policy. I have verified that the test program runs in the correct SE Linux domain and it generates no audit errors, but it still fails to open the po...
1998 May 23
7
Re: Re: Re: Bind Overrun Bug and Linux (fwd)
> > systems which no longer seem to have this. This file contained an archive of > > the trojan's that were inserted into the compromised system - does anybody know > > what is in these trojans? > > Check the Linux RootKit ... (LRK).. > > Typically LRK to use config-files.. (and typically LRK-users to place > files in /dev.. find /dev -type f | grep -v
2008 Feb 20
0
No subject
> How do I start a process with a limited set of capabilities under > another uid? > > Use the sucap utility which changes uid from root without losing any > capabilities. Normally all capabilities are cleared when changing uid > from root. The sucap utility requires the CAP_SETPCAP capability. > The following example starts updated under uid updated and gid updated > with CAP_SYS_ADMIN raised in the Effective set. > > sucap updated updated execcap 'cap_sys_admin=eip' update > Or if your kernel has support of file capabilities create a version of wine w...
2008 Mar 07
1
Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
...oderick wrote: > >> I am wondering what is the interaction between SE Linux and the >> kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket >> and keep getting permission denied errors. I've tried using the lcap >> library to find that CAP_SETPCAP appears to be off in the kernel. For >> compliance reasons, I don't want to turn this on. I've also tried a >> hand-crafted SE Linux module policy. I have verified that the test >> program runs in the correct SE Linux domain and it generates no audit >> errors, b...