how to install and setup cap from p4?

Brian F. Feldman green at FreeBSD.org
Wed Jan 9 18:21:25 GMT 2002


"Brian F. Feldman" <green at FreeBSD.org> wrote:
> "Ilmar S. Habibulin" <ilmar at watson.org> wrote:
> > 
> > Well, I tried "make world kernel KERNCONF=MYKERNEL" with "options
> > CAPABILITIES" and got a system unbootable to multiuser. I can't even mount
> > filesystems - access is denied (operation not permitted).
> > I'll try to figure it out, but maybe there is some guide?
> 
> There are two problems which you will have to solve to get this working 
> (both easy, of course).  First, you must have extended attributes on your 
> filesystems set up for system/posix1e.cap; you can see how to do this from 
> the documentation in src/sys/ufs.  Turning on extattr autostarting for UFS 
> is also a very good plan here :)
> 
> Second, after you have a system with posix1e.cap extended attributes set up, 
> install world again to get install(1) to set persistent capability flags on 
> any pertinent files.  After the files have these attributes (i.e., "getfcap 
> -m /bin/true" should give you "all=ei:CAP_SETPCAP="), your system should 
> have inheritance permitted for the system binaries, and you should be able 
> to use the base system with capabilities.
> 
> I hope this helps!

These are the exact steps I followed in setting up my system, at least, with 
the exception of really one thing: I set 
kern.security.bsd.suser_compat_hack_enabled=1 in my /boot/loader.conf.  
Other than this, I don't know what the problem could be (except that somehow 
the binaries might not have the proper capabilities set on them....)

I went from a -CURRENT system and upgraded to a TrustedBSD-CAP system, so I 
know for certain I made the upgrade path work...

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green at FreeBSD.org                    `------------------------------'


