Enchanced support for POSIX Capabilities

Discuss and suggest new grsecurity features

Enchanced support for POSIX Capabilities

Postby dexter » Thu Nov 06, 2003 8:33 am

Hi. I'm missing following features in grsecurity.

* Full CAPs for init process
* New formula for evolving capabilities. It would allow to inherit capabilities limits to child processes. I.e. it would be possible to run ping without root setuid and with CAP_NET_RAW.
* Checking inherited CAP_SET[UG]ID before s[ug]id. It would deny to change euid and egid if inherited CAP_SETUID or CAP_SETGID wasn't set.

I wrote the patch for kernel 2.4.22, based on documentation from libcap library. See http://people.debian.org/~dexter/lcap/

Any chance to implement these features by grsecurity?
dexter
 
Posts: 1
Joined: Thu Nov 06, 2003 7:53 am

Return to grsecurity development