undefined | Better HN

0 pointsgizmo6865mo ago0 comments

Linux capabilities have a hook in the Linux Security Module (LSM) system, so you can write an LSM module to do whatever centralized management system you want.

The only LSM I have much experience is SELinux, which capabilities directly as SELinux permissions. I imagine most other general purpose LSMs do simmilar.

I could imagine an LSM that implements a policy of allowing capabilties based on UID/GID; although I'm not aware of any current LSMs that do that.

0 comments

M95D5mo ago

And why does it have to be that complicated? Why can't we just

  echo "CAP_KILL CAP_SYS_NICE /usr/bin/htop" >> /proc/sys/kernel/some_file
  echo "CAP_FOWNER CAP_CHOWN /usr/bin/mc" >> /proc/sys/kernel/some_file

or simply

  cp /etc/caps /proc/sys/kernel/caps

to apply all of them at once?

j / k navigate · click thread line to collapse