CAP_LINUX_IMMUTABLE question

Sean Hunter (sean@dev.sportingbet.com)
Tue, 7 Aug 2001 12:08:50 +0100


Hi there

I am currently trying to tie down the capability bounding set on one of my
servers. CAP_SYS_RAWIO and CAP_SYS_MODULE have been a great success (although
dropping CAP_SYS_RAWIO seems to prevent reading /proc/sys/kernel/cap-bound).

I now want to drop CAP_LINUX_IMMUTABLE, and have (I think) done that. However,
it seems to make no difference to my ability to set or clear the immutable
attribute. I tried this on ext2 and ext3 filesystems just to be on the safe
side.

[root@henry /boot]# lcap CAP_LINUX_IMMUTABLE
[root@henry /boot]# lsattr ./vmlinux-2.4.2-2smp
---i--------- ./vmlinux-2.4.2-2smp
[root@henry /boot]# chattr -i ./vmlinux-2.4.2-2smp
[root@henry /boot]# lsattr ./vmlinux-2.4.2-2smp
------------- ./vmlinux-2.4.2-2smp
[root@henry /boot]# chattr +i ./vmlinux-2.4.2-2smp
[root@henry /boot]# lsattr ./vmlinux-2.4.2-2smp
---i--------- ./vmlinux-2.4.2-2smp

I thought that giving up CAP_SYS_RAWIO may have forfeited my ability to drop
any further caps, so I rebooted and dropped CAP_SYS_MODULE and
CAP_LINUX_IMMUTABLE first, just to be on the safe side. This made no visible
difference.

Am I doing anything obviously dumb?

Sean
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
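The procedure in the post (clear bits in /proc/sys/kernel/cap-bound with lcap, then exec chattr and see whether the i attribute can still be toggled) can be modelled offline, which makes the effect of drop order visible. The program below is an added example written for this page; it is not code from the post, from lcap or from the kernel. Capability numbers are the 2.4 <linux/capability.h> values. Two things it models are assumptions to check against the kernel actually running on the box: that 2.4's cap-bound sysctl handler, proc_dointvec_bset() in kernel/sysctl.c, returns EPERM on both read and write unless the caller holds CAP_SYS_MODULE and, for any pid other than 1, ANDs the written value into the existing set; and that compute_creds() in fs/exec.c gives a root process exec'd without SECURE_NOROOT the full capability set intersected with cap_bset. Under those assumptions the model reproduces the transcript: once CAP_SYS_MODULE is gone from the bounding set, a later `lcap CAP_LINUX_IMMUTABLE` (an exec'd process) cannot write cap-bound, the bit stays set, and an exec'd chattr keeps CAP_LINUX_IMMUTABLE. Dropping CAP_SYS_MODULE last changes the outcome.

```c
/* Model of the Linux 2.4 capability bounding set, /proc/sys/kernel/cap-bound,
 * and of what an exec'd tool such as lcap or chattr can do under it.
 * Added example: this is not code from the post, from lcap or from the kernel.
 * Capability numbers are the 2.4 <linux/capability.h> values.
 * Assumptions (verify in kernel/sysctl.c and fs/exec.c of the kernel in use):
 *  - proc_dointvec_bset(), the cap-bound handler, returns EPERM for reads and
 *    writes unless the caller holds CAP_SYS_MODULE, and for any pid other
 *    than 1 it ANDs the written value into the existing set;
 *  - compute_creds() gives a root process exec'd without SECURE_NOROOT the
 *    full capability set intersected with cap_bset. */
#include <stdint.h>
#include <stdio.h>

#define CAP_SETPCAP         8
#define CAP_LINUX_IMMUTABLE 9
#define CAP_SYS_MODULE      16
#define CAP_SYS_RAWIO       17

/* cap-bound prints as a signed 32-bit decimal: all caps is -1, and the 2.4
 * default of everything except CAP_SETPCAP prints as -257. */
typedef int32_t capbset_t;
#define CAP_BOUND_DEFAULT ((capbset_t)~(1u << CAP_SETPCAP))

static capbset_t cap_bit(int cap) { return (capbset_t)(1u << cap); }

static int bset_has(capbset_t bset, int cap) {
    return (bset & cap_bit(cap)) != 0;
}

/* Effective caps of a root process exec'd under this bounding set. */
static capbset_t exec_effective(capbset_t bset) {
    return (capbset_t)-1 & bset;
}

/* Can a freshly exec'd tool read or write cap-bound at all? */
static int cap_bound_accessible(capbset_t bset) {
    return bset_has(exec_effective(bset), CAP_SYS_MODULE);
}

/* Simulate `lcap CAP_x`: lcap is exec'd, then writes (bset & ~bit) to
 * cap-bound. Returns the resulting bounding set; on EPERM the set is
 * unchanged and *err is set (err may be NULL). */
static capbset_t lcap_drop(capbset_t bset, int cap, int *err) {
    if (!cap_bound_accessible(bset)) {
        if (err) *err = 1;          /* EPERM: bounding set unchanged */
        return bset;
    }
    if (err) *err = 0;
    capbset_t written = bset & ~cap_bit(cap);
    return bset & written;          /* pid != 1: kernel ANDs the write in */
}

/* ext2/ext3 SETFLAGS ioctl: toggling the i attribute needs
 * CAP_LINUX_IMMUTABLE in the effective set of the exec'd chattr. */
static int chattr_i_allowed(capbset_t bset) {
    return bset_has(exec_effective(bset), CAP_LINUX_IMMUTABLE);
}

/* Apply a sequence of lcap drops starting from the default set, logging
 * each step, and return the final bounding set. */
static capbset_t run_order(const int *caps, int n) {
    capbset_t bset = CAP_BOUND_DEFAULT;
    for (int i = 0; i < n; i++) {
        int err;
        bset = lcap_drop(bset, caps[i], &err);
        printf("  lcap cap %2d -> cap-bound = %d%s\n", caps[i], bset,
               err ? "  (EPERM, cap not dropped)" : "");
    }
    return bset;
}

/* The post's first session: RAWIO and MODULE dropped, then LINUX_IMMUTABLE. */
static const int posters_order[] = { CAP_SYS_RAWIO, CAP_SYS_MODULE, CAP_LINUX_IMMUTABLE };
/* Same three caps with CAP_SYS_MODULE dropped last. */
static const int module_last[]   = { CAP_SYS_RAWIO, CAP_LINUX_IMMUTABLE, CAP_SYS_MODULE };

int main(void) {
    capbset_t b;
    printf("poster's order:\n");
    b = run_order(posters_order, 3);
    printf("  chattr +i/-i %s\n", chattr_i_allowed(b) ? "still works" : "blocked");
    printf("CAP_SYS_MODULE last:\n");
    b = run_order(module_last, 3);
    printf("  chattr +i/-i %s\n", chattr_i_allowed(b) ? "still works" : "blocked");
    return 0;
}
```

The practical check on a real 2.4 box follows from the same model: read /proc/sys/kernel/cap-bound back after every lcap and confirm the bit is clear, and do that before the drop of CAP_SYS_MODULE, since under the assumed handler the read itself needs CAP_SYS_MODULE and fails afterwards.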