Hello
I'm playing with vattribute; it seems that I can remove bcapabilities:

/root/reducecap --show
           Capability Effective  Permitted  Inheritable
CAP_CHOWN                  X         X
......
CAP_MKNOD                  X         X
CAP_LEASE                  X         X
CAP_QUOTACTL               X         X

vattribute --set --xid 328 --bcap ~MKNOD

/root/reducecap --show
           Capability Effective  Permitted  Inheritable
CAP_CHOWN                  X         X
.....
CAP_SYS_TTY_CONFIG         X         X
CAP_MKNOD
CAP_LEASE                  X         X
CAP_QUOTACTL               X         X

but not add them:

vattribute --set --xid 328 --bcap MKNOD

/root/reducecap --show
           Capability Effective  Permitted  Inheritable
CAP_CHOWN                  X         X
.....
CAP_SYS_TTY_CONFIG         X         X
CAP_MKNOD
CAP_LEASE                  X         X
CAP_QUOTACTL               X         X

Security feature?

With ccap I can remove and add:

vattribute --set --xid 328 --ccap raw_icmp
cat /proc/virtual/328/status
UseCnt: 67
Tasks:  35
Flags:  0000000202020050
BCaps:  fffffffff7fffeff
CCaps:  0000000000000101
Ticks:  0

vattribute --set --xid 328 --ccap ~raw_icmp

cat /proc/virtual/328/status
UseCnt: 67
Tasks:  35
Flags:  0000000202020050
BCaps:  fffffffff7fffeff
CCaps:  0000000000000001
Ticks:  0

vserver-info:
Versions:
                  Kernel: 2.6.16-1.2096_FC4.vs2.0.2.0.rc17.1smp
                  VS-API: 0x00020001
                  util-vserver: 0.30.210; Apr 15 2006, 20:07:50

Features:
                      CC: gcc, gcc (GCC) 4.0.2 20051125 (Red Hat 4.0.2-8)
                     CXX: g++, g++ (GCC) 4.0.2 20051125 (Red Hat 4.0.2-8)
                CPPFLAGS: ''
                  CFLAGS: '-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -m32 -march=i386 -mtune=pentium4 -fasynchronous-unwind-tables -std=c99 -Wall -pedantic -W -funit-at-a-time'
                CXXFLAGS: '-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -m32 -march=i386 -mtune=pentium4 -fasynchronous-unwind-tables -ansi -Wall -pedantic -W -fmessage-length=0 -funit-at-a-time'
              build/host: i686-redhat-linux-gnu/i686-redhat-linux-gnu
            Use dietlibc: yes
      Build C++ programs: yes
      Build C99 programs: yes
          Available APIs: compat,v11,fscompat,v13,net,oldproc,olduts
           ext2fs Source: e2fsprogs
   syscall(2) invocation: alternative
     vserver(2) syscall#: 273/glibc

Paths:
                  prefix: /usr
       sysconf-Directory: /etc
           cfg-Directory: /etc/vservers
        initrd-Directory: /etc/rc.d/init.d
      pkgstate-Directory: /var/run/vservers
         vserver-Rootdir: /vservers
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
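Added example, not part of the post above: a small Python helper that decodes the BCaps/CCaps fields quoted from /proc/virtual/328/status and models the one-way bcap behaviour the post observes (a bounding capability can be cleared but not set again). It assumes BCaps uses the kernel's capability bit numbers (CAP_SETPCAP = 8, CAP_MKNOD = 27), that raw_icmp is ccap bit 0x100 (as the 0x101 to 0x001 change in the post shows), and that ccap bit 0x1 is set_utsname; the status text is a constructed copy of the post's output.

```python
# Decode vserver context capability masks and model the "bcaps only shrink" rule.
# Assumptions: BCaps is indexed by Linux capability numbers; ccap values per the
# post's output (raw_icmp = 0x100) plus set_utsname = 0x1 (assumed).
CAP_BITS = {"CAP_SETPCAP": 8, "CAP_MKNOD": 27}      # known bits checked here
CCAP_BITS = {"set_utsname": 0x1, "raw_icmp": 0x100}

# Constructed sample: the status block after "vattribute --bcap ~MKNOD --ccap raw_icmp".
SAMPLE_STATUS = """UseCnt: 67
Tasks:  35
Flags:  0000000202020050
BCaps:  fffffffff7fffeff
CCaps:  0000000000000101
Ticks:  0
"""


def parse_status(text):
    """Return the hex-valued fields of a /proc/virtual/<xid>/status block as ints."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Flags", "BCaps", "CCaps"):
            fields[key] = int(value.strip(), 16)
    return fields


def dropped_bcaps(bcaps):
    """Names of the known capabilities whose bit is clear in the bounding mask."""
    return sorted(name for name, bit in CAP_BITS.items() if not (bcaps >> bit) & 1)


def set_bcap(bcaps, spec):
    """Apply a vattribute-style --bcap spec to a mask.

    A leading '~' clears the bit.  A bare name leaves the mask unchanged,
    mirroring the observed behaviour: a dropped bcap is not restored.
    """
    bit = CAP_BITS["CAP_" + spec.lstrip("~").upper()]
    if spec.startswith("~"):
        return bcaps & ~(1 << bit)
    return bcaps  # re-adding is refused: the bounding set only shrinks


def ccap_names(ccaps):
    """Known context-capability flags that are set in a CCaps mask."""
    return sorted(name for name, flag in CCAP_BITS.items() if ccaps & flag)
```

Running dropped_bcaps on the quoted mask reports both CAP_MKNOD (removed by the post's command) and CAP_SETPCAP, which the mask shows was already cleared.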
