Displaying 5 results from an estimated 5 matches for "cap_sys_module".
2011 Dec 07
1
lxc capabilities
...libvirt lxc driver, and wondering if there is
some way to control the capabilities assigned to the container processes.
With lxc-tools, I can specify a configuration option, lxc.cap.drop,
which causes the container processes to drop the specified privileges.
My libvirt containers seem to run with
cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
which is rather more permissive than I'd like. In particular,
cap_sys_boot allows a container to reboot the host machine.
I am running libvirt-0.9.2 from squeeze-backports on debian squeeze.
Cheers,
-C-
2007 Feb 27
0
Capability dropping support patch
...t. The patch
attached to this email has been tested and seems to work for me. I
have also attached instead of inline to solve problems with spaces/tabs.
The patch will, on systems that have libcap support, drop capabilities
that Dovecot doesn't need. For example there is no need for
CAP_SYS_MODULE, which enables module loading or
CAP_SYS_PTRACE/CAP_SYS_ADMIN/etc. If libcap isn't installed then
nothing will change, this is a compile-time only enhancement that
isn't configurable.
Personally I did not find that CAP_SYS_CHROOT was needed in order for
me to authenticate and acce...
2012 Jul 31
4
BTRFS crash on mount with 3.4.4
...wer state changed by ACPI to D3
[ 94.732456] ehci_hcd 0000:00:1a.0: power state changed by ACPI to D3
[ 99.219571] tun: Universal TUN/TAP device driver, 1.6
[ 99.219581] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 99.219945] Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-tun instead.
[ 99.225243] Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-tun instead.
[ 99.230935] Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Us...
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...P(CAP_KILL),
+ MAKE_CAP(CAP_SETGID),
+ MAKE_CAP(CAP_SETUID),
+ MAKE_CAP(CAP_SETPCAP),
+ MAKE_CAP(CAP_LINUX_IMMUTABLE),
+ MAKE_CAP(CAP_NET_BIND_SERVICE),
+ MAKE_CAP(CAP_NET_BROADCAST),
+ MAKE_CAP(CAP_NET_ADMIN),
+ MAKE_CAP(CAP_NET_RAW),
+ MAKE_CAP(CAP_IPC_LOCK),
+ MAKE_CAP(CAP_IPC_OWNER),
+ MAKE_CAP(CAP_SYS_MODULE),
+ MAKE_CAP(CAP_SYS_RAWIO),
+ MAKE_CAP(CAP_SYS_CHROOT),
+ MAKE_CAP(CAP_SYS_PTRACE),
+ MAKE_CAP(CAP_SYS_PACCT),
+ MAKE_CAP(CAP_SYS_ADMIN),
+ MAKE_CAP(CAP_SYS_BOOT),
+ MAKE_CAP(CAP_SYS_NICE),
+ MAKE_CAP(CAP_SYS_RESOURCE),
+ MAKE_CAP(CAP_SYS_TIME),
+ MAKE_CAP(CAP_SYS_TTY_CONFIG),
+ MAKE_CAP(CAP_MKNOD...
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is it will probably collide
with Maximilian's recent patch to rename run-init to switch_root posted
last week.
To boot an untrusted environment with certain capabilities locked out,
we'd like to be able to drop the capabilities up front from early
userspace, before we actually transition onto the root volume.
This patchset implements this by