Either I missed some discussion or there is some misinformation here. CAP_SETPCAP is dangerous when CONFIG_SECURITY_FILE_CAPABILITIES=n because then it allows a task to grant capabilities to other tasks. So when CONFIG_SECURITY_FILE_CAPABILITIES=n, then CAP_SETPCAP is taken away at boot. Note however that init can reinsert it into the bounding set using /proc/sys/kernel/cap-bound. Only init can do it.
CAP_SETPCAP is safe when CONFIG_SECURITY_FILE_CAPABILITIES=y, because all it then allows is adding capabilities to the inheritable set (if they are in the bounding set). From there, it (or a child) needs to execute a file with the same bits in the file inheritable set in order to be able to get them into the permitted set. In other words, it's a way for login to grant capabilities to login sessions.

I'd like to see CONFIG_SECURITY_FILE_CAPABILITIES enabled so I can start using them on my Ubuntu laptop, like I used to on my old laptop.

-- 
ubuntu kernel removes CAP_SETPCAP
https://bugs.launchpad.net/bugs/95089

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
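The login-to-session flow the post describes (CAP_SETPCAP raises a bit into pI, the bit becomes permitted only after exec of a file whose file inheritable set carries the same bit) can be traced without any privilege by doing the set arithmetic the kernel does. The C below is an added example, not code from the bug report or from the Ubuntu kernel: it is a user-space model of the capset(2) and execve(2) rules that capabilities(7) documents for the CONFIG_SECURITY_FILE_CAPABILITIES=y case. Assumptions, labelled as such: a non-root task (the root/setuid-root special case is not modelled), no ambient set, and a per-task bounding set as in 2.6.25 and later rather than the global /proc/sys/kernel/cap-bound the post mentions. The capability numbers are the real ones from <linux/capability.h>; the function and struct names are mine.

```c
/* Added example: user-space model of the file-capabilities transition rules
 * from capabilities(7).  Not kernel code.  Assumes non-root, no ambient set,
 * per-task bounding set.  Runs unprivileged; it only does set arithmetic. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capmask;                   /* one bit per capability number */
#define CAP(n) ((capmask)1 << (n))

/* Capability numbers as in <linux/capability.h>. */
enum { CAP_SETPCAP = 8, CAP_NET_RAW = 13, CAP_SYS_ADMIN = 21 };

struct task  { capmask pP, pI, pE, bset; }; /* permitted, inheritable, effective, bounding */
struct fcaps { capmask fP, fI; bool fE; };  /* file caps; a file with no xattr is all zero */

/* capset(2): pI may grow beyond pI|pP only if CAP_SETPCAP is effective, and
 * never beyond the bounding set; pP can only shrink; pE must stay within pP. */
static bool model_capset(struct task *t, capmask nP, capmask nI, capmask nE)
{
    bool setpcap = (t->pE & CAP(CAP_SETPCAP)) != 0;
    if (!setpcap && (nI & ~(t->pI | t->pP))) return false; /* needs CAP_SETPCAP */
    if (nI & ~(t->pI | t->bset)) return false;             /* outside bounding set */
    if (nP & ~t->pP) return false;                         /* pP never grows here */
    if (nE & ~nP) return false;                            /* pE must be within pP */
    t->pP = nP;
    t->pI = nI;
    t->pE = nE;
    return true;
}

/* execve(2) with file capabilities (no ambient set):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)                                          */
static struct task model_exec(const struct task *t, const struct fcaps *f)
{
    struct task n = *t;
    n.pP = (t->pI & f->fI) | (f->fP & t->bset);
    n.pE = f->fE ? n.pP : 0;
    return n;
}

static const struct fcaps NO_FCAPS   = { 0, 0, false };
static const struct fcaps TOOL_FCAPS = { 0, CAP(CAP_NET_RAW), true }; /* fI=CAP_NET_RAW, fE */

struct session { bool granted; capmask shell_pP, shell_pI, tool_pP, tool_pE; };

/* The flow the post describes: login (CAP_SETPCAP permitted+effective) puts
 * CAP_NET_RAW into pI, execs a shell with no file caps, and the shell later
 * execs a tool whose file inheritable set names CAP_NET_RAW. */
struct session run_session(capmask bset)
{
    struct session r = { false, 0, 0, 0, 0 };
    struct task login = { CAP(CAP_SETPCAP), 0, CAP(CAP_SETPCAP), bset };
    r.granted = model_capset(&login, login.pP, CAP(CAP_NET_RAW), login.pE);
    if (!r.granted)
        return r;                           /* CAP_NET_RAW outside the bounding set */
    struct task shell = model_exec(&login, &NO_FCAPS);
    struct task tool  = model_exec(&shell, &TOOL_FCAPS);
    r.shell_pP = shell.pP;                  /* empty: pI alone grants nothing */
    r.shell_pI = shell.pI;                  /* CAP_NET_RAW survives the exec */
    r.tool_pP  = tool.pP;                   /* pI & fI lands in permitted */
    r.tool_pE  = tool.pE;
    return r;
}

/* A task without CAP_SETPCAP cannot raise pI beyond pI|pP. */
bool unprivileged_raise_pI(void)
{
    struct task t = { 0, 0, 0, ~(capmask)0 };
    return model_capset(&t, 0, CAP(CAP_NET_RAW), 0);
}

/* File permitted bits outside the bounding set are dropped on exec. */
capmask exec_fP_outside_bset(void)
{
    struct task t = { 0, 0, 0, ~(capmask)0 & ~CAP(CAP_SYS_ADMIN) };
    struct fcaps f = { CAP(CAP_SYS_ADMIN), 0, true };
    return model_exec(&t, &f).pP;
}

int main(void)
{
    struct session s = run_session(~(capmask)0);
    printf("granted=%d shell pP=%#llx pI=%#llx tool pP=%#llx pE=%#llx\n", s.granted,
           (unsigned long long)s.shell_pP, (unsigned long long)s.shell_pI,
           (unsigned long long)s.tool_pP, (unsigned long long)s.tool_pE);
    printf("bset without CAP_NET_RAW: granted=%d\n",
           run_session(~(capmask)0 & ~CAP(CAP_NET_RAW)).granted);
    printf("unprivileged raise pI: %d, fP outside bset: %#llx\n",
           unprivileged_raise_pI(), (unsigned long long)exec_fP_outside_bset());
    return 0;
}
```

The shell's empty permitted set after the first exec is the point of the post: a bit sitting in pI is inert until a binary whose file inheritable set names the same bit is executed, so CAP_SETPCAP on its own hands out nothing that the file system does not also vouch for. The two refusals (no CAP_SETPCAP, or a bit missing from the bounding set) are the checks that stand between a session and a capability it was never meant to have.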
