Enchanced support for POSIX Capabilities
Posted: Thu Nov 06, 2003 8:33 am
Hi. I'm missing following features in grsecurity.
* Full CAPs for init process
* New formula for evolving capabilities. It would allow to inherit capabilities limits to child processes. I.e. it would be possible to run ping without root setuid and with CAP_NET_RAW.
* Checking inherited CAP_SET[UG]ID before s[ug]id. It would deny to change euid and egid if inherited CAP_SETUID or CAP_SETGID wasn't set.
I wrote the patch for kernel 2.4.22, based on documentation from libcap library. See http://people.debian.org/~dexter/lcap/
Any chance to implement these features by grsecurity?
* Full CAPs for init process
* New formula for evolving capabilities. It would allow to inherit capabilities limits to child processes. I.e. it would be possible to run ping without root setuid and with CAP_NET_RAW.
* Checking inherited CAP_SET[UG]ID before s[ug]id. It would deny to change euid and egid if inherited CAP_SETUID or CAP_SETGID wasn't set.
I wrote the patch for kernel 2.4.22, based on documentation from libcap library. See http://people.debian.org/~dexter/lcap/
Any chance to implement these features by grsecurity?