Page 1 of 1

Enchanced support for POSIX Capabilities

PostPosted: Thu Nov 06, 2003 8:33 am
by dexter
Hi. I'm missing following features in grsecurity.

* Full CAPs for init process
* New formula for evolving capabilities. It would allow to inherit capabilities limits to child processes. I.e. it would be possible to run ping without root setuid and with CAP_NET_RAW.
* Checking inherited CAP_SET[UG]ID before s[ug]id. It would deny to change euid and egid if inherited CAP_SETUID or CAP_SETGID wasn't set.

I wrote the patch for kernel 2.4.22, based on documentation from libcap library. See http://people.debian.org/~dexter/lcap/

Any chance to implement these features by grsecurity?