[Linux-privs-discuss] Re: Capabilities/privileges and bounding sets

Andrew Morgan morgan at transmeta.com
Fri Jan 19 18:09:37 GMT 2001


So, Robert and I had a long email exchange off-line and here is the
bounding set API:

   int cap_set_bound(cap_t cap_d, cap_flag_t flavor);
   cap_t cap_get_bound(cap_flag_t flavor);

The rationale for this API is simply that it is a minimal change to the
POSIX one, and leverages everything that the POSIX one offers.

Basically, the getting and setting of the bounding set is done using a
regular cap_t structure. Since the bounding set is a single capability
set, we need a method for selecting one of the three capability sets to
use when we query or set the bounding set - this is what the cap_flag_t
argument is for.

The bounding set is the 'X' in the capability rules:

       pI' = pI
       pP' = ( fP & X ) | ( fI & pI )
       pE' = fE & pP' .

Example usage:

   cap_d = cap_get_proc();
   cap_set_bound(cap_d, CAP_INHERITABLE);

This bounds the children of the current process with the process'
current inheritable set. [Incidentally, this is what the latest libcap
and Linux kernel patch provides.]

Cheers

Andrew
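The transition rules quoted in the mail, worked through as an added example (not code from the original message, and not the proposed cap_set_bound()/cap_get_bound() API, which is only modelled here). Process and file capability sets are plain 64-bit masks, the capability numbers match <linux/capability.h>, and the scenarios are constructed to show the one thing the bounding set X can do: strip bits from a file's permitted set before they reach the new process. Everything else (struct names, scenario functions) is illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>. */
#define CAP_CHOWN             0
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21
#define CAP_BIT(c) (UINT64_C(1) << (c))
#define CAP_ALL   (~UINT64_C(0))

/* Illustrative model of a process's three sets and a file's three sets. */
struct proc_caps { uint64_t pI, pP, pE; };   /* inheritable, permitted, effective */
struct file_caps { uint64_t fI, fP, fE; };   /* inheritable, permitted, effective */

/* The exec rules from the mail, with X as the bounding set:
 *   pI' = pI
 *   pP' = ( fP & X ) | ( fI & pI )
 *   pE' = fE & pP'
 * X only masks the file-permitted term; the (fI & pI) term is untouched. */
struct proc_caps exec_transition(struct proc_caps p, struct file_caps f, uint64_t X)
{
    struct proc_caps n;
    n.pI = p.pI;
    n.pP = (f.fP & X) | (f.fI & p.pI);
    n.pE = f.fE & n.pP;
    return n;
}

/* Models the mail's usage: bounding children with the process's current
 * inheritable set, i.e. taking X = pI. */
uint64_t bound_from_inheritable(struct proc_caps p) { return p.pI; }

int has_cap(uint64_t set, int cap) { return (set & CAP_BIT(cap)) != 0; }

/* Constructed scenario: a parent whose inheritable set holds only
 * CAP_NET_BIND_SERVICE executes a file whose permitted set grants
 * CAP_SYS_ADMIN and CAP_NET_BIND_SERVICE (fE = all, so pE' = pP'). */
static const struct proc_caps PARENT = { CAP_BIT(CAP_NET_BIND_SERVICE), 0, 0 };
static const struct file_caps PRIVILEGED_FILE = {
    0, CAP_BIT(CAP_SYS_ADMIN) | CAP_BIT(CAP_NET_BIND_SERVICE), CAP_ALL };

/* No bounding (X = all): the file's whole permitted set is handed out. */
uint64_t scenario_unbounded_pP(void)
{
    return exec_transition(PARENT, PRIVILEGED_FILE, CAP_ALL).pP;
}

/* Bounded by the parent's inheritable set (X = pI): CAP_SYS_ADMIN is
 * dropped because it is not in X; CAP_NET_BIND_SERVICE survives. */
uint64_t scenario_bounded_pP(void)
{
    return exec_transition(PARENT, PRIVILEGED_FILE, bound_from_inheritable(PARENT)).pP;
}

/* The (fI & pI) path is not subject to X: even with X = 0, a file whose
 * inheritable set matches the parent's inheritable set still yields pP'. */
uint64_t scenario_inherited_pP(void)
{
    struct file_caps f = { CAP_BIT(CAP_NET_BIND_SERVICE), 0, CAP_ALL };
    return exec_transition(PARENT, f, 0).pP;
}

int main(void)
{
    printf("unbounded pP' = 0x%llx\n", (unsigned long long)scenario_unbounded_pP());
    printf("bounded   pP' = 0x%llx (CAP_SYS_ADMIN present: %d)\n",
           (unsigned long long)scenario_bounded_pP(),
           has_cap(scenario_bounded_pP(), CAP_SYS_ADMIN));
    printf("inherited pP' = 0x%llx (X = 0)\n", (unsigned long long)scenario_inherited_pP());
    return 0;
}
```

The point the scenarios make is the one the formula already states: X bounds only what a file's permitted set can confer, so a bounding set equal to the inheritable set does stop a setcap'd binary from handing the child CAP_SYS_ADMIN, but it does not touch what arrives through fI & pI.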