> But the kernel has also never implemented capability inheritance - what happens to the capability bits when a process executes a new program - in a correct manner.

Actually, the inheritance behavior in the 2.4 kernel worked fine for me. The GPL'ed Martus Server software (available near the bottom of the Martus download page) implements my custom security model based on Linux capabilities. I wrote a caps command that root can execute to change the capabilities of other processes (it sets CAP_SETPCAP in the capability bounding set by poking /dev/mem, then forks and execs to acquire CAP_SETPCAP, then clears CAP_SETPCAP in the bounding set, then applies the user-specified capabilities to the user-specified processes). I wrote a few paragraphs describing the semantics of the 2.4 kernel's capabilities, based on my experimentation. My /etc/rc.d/init.d/martus startup script sets CAP_SETPCAP (plus a subset of the normal capabilities) in the inheritable set of the sshd listener and init, and then clears all capabilities in the bounding set (and in other processes running at startup time). So, a human that logs in gets (a reduced set of) the normal capabilities, but the application listeners have no capabilities.
I even use my caps command to give CAP_NET_BIND_SERVICE to a non-root java, so it can open a privileged port (after which I remove CAP_NET_BIND_SERVICE).
But, all this was a lot of work. I'll just use SELinux when I move the software to the 2.6 kernel.
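The comment above relies on the four per-process capability sets (inheritable, permitted, effective, bounding) ending up in the intended state after the startup script runs. The program below is an added example, not code from the comment's author or from the Martus project: it parses the CapInh/CapPrm/CapEff/CapBnd lines that a Linux kernel reports in /proc/<pid>/status and checks whether a capability such as CAP_NET_BIND_SERVICE is still present in any set, which is the check one would run against an application listener after the bounding set was supposed to be cleared. The embedded status text is constructed for the example; the bit numbers are the standard values from <linux/capability.h>. On kernels from 2.6.25 on, prctl(PR_CAPBSET_DROP) is the supported way to remove a capability from the bounding set, replacing the /dev/mem poke the comment describes for 2.4.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_CHOWN            0
#define CAP_SETPCAP          8
#define CAP_NET_BIND_SERVICE 10

/* The four per-process sets reported by /proc/<pid>/status. */
struct cap_sets {
    uint64_t inh;   /* CapInh: inheritable */
    uint64_t prm;   /* CapPrm: permitted   */
    uint64_t eff;   /* CapEff: effective   */
    uint64_t bnd;   /* CapBnd: bounding    */
};

/* Constructed sample (not captured from a real system): a listener whose
   inheritable, permitted and effective sets are empty, but whose bounding
   set still holds CAP_SETPCAP (bit 8) and CAP_NET_BIND_SERVICE (bit 10),
   i.e. 0x500. That is the state a startup script like the one in the
   comment is meant to prevent. */
static const char SAMPLE_STATUS[] =
    "Name:\tlistener\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000500\n";

/* Parse the "CapXxx:\t<hex>" lines out of a status buffer.
   Returns the number of sets found (4 for a complete status file). */
int parse_cap_sets(const char *text, struct cap_sets *out)
{
    const struct { const char *key; uint64_t *dst; } fields[] = {
        { "CapInh:", &out->inh }, { "CapPrm:", &out->prm },
        { "CapEff:", &out->eff }, { "CapBnd:", &out->bnd },
    };
    int found = 0;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < 4; i++) {
        const char *p = strstr(text, fields[i].key);
        if (!p)
            continue;
        p += strlen(fields[i].key);
        while (*p == ' ' || *p == '\t')
            p++;
        *fields[i].dst = strtoull(p, NULL, 16);
        found++;
    }
    return found;
}

/* 1 if capability bit `cap` is set in `set`, else 0. */
int cap_in_set(uint64_t set, int cap)
{
    return (int)((set >> cap) & 1);
}

/* Defender's check: does any of the process's sets still carry `cap`?
   Returns 1 if so, 0 if the capability is absent everywhere,
   -1 if the buffer does not contain all four Cap lines. */
int cap_leaked(const char *status_text, int cap)
{
    struct cap_sets s;
    if (parse_cap_sets(status_text, &s) < 4)
        return -1;
    return cap_in_set(s.inh, cap) || cap_in_set(s.prm, cap) ||
           cap_in_set(s.eff, cap) || cap_in_set(s.bnd, cap);
}

int main(void)
{
    char buf[8192];
    size_t n = 0;
    FILE *f = fopen("/proc/self/status", "r");   /* own process; use /proc/<pid>/status for a listener */
    if (f) {
        n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    buf[n] = '\0';
    const char *text = n ? buf : SAMPLE_STATUS;   /* fall back to the sample off Linux */

    struct cap_sets s;
    if (parse_cap_sets(text, &s) < 4) {
        fputs("no capability lines found\n", stderr);
        return 1;
    }
    printf("CapInh=%016llx CapPrm=%016llx CapEff=%016llx CapBnd=%016llx\n",
           (unsigned long long)s.inh, (unsigned long long)s.prm,
           (unsigned long long)s.eff, (unsigned long long)s.bnd);
    printf("CAP_NET_BIND_SERVICE present in some set: %s\n",
           cap_leaked(text, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```

Run it as the user the listener runs under, or point it at the listener's /proc/<pid>/status, and expect "no" for every capability the startup script was supposed to clear; a "yes" on the bounding set means a later exec could still reacquire the capability from a file with that capability set.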
Copyright © 2017, Eklektix, Inc.