Displaying 1 result from an estimated 1 matches for "capbset_drop".
2011 Jul 15
1
[PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm
...ake CAP_SYS_RAWIO away from everything ?
>>
>
> Alright, I see your point. ? ISTR that CAP_SYS_RAWIO was required for
> accessing block devices directly, but this doesn't seem to be the
> case.
>
> I think the approach I'll try next is to try and drop it with
> PR_CAPBSET_DROP from early userspace's init.
>
For my use-case, I'd like to have a system boot with a non-default
bounding set of posix capabilities. I'd like the system to *never* be
able to use these capabilities, so I'd like to drop them early on when
userland starts up. Given this require...