Re: [RFC] capabilities: Ambient capabilities

From: Andy Lutomirski
Date: Fri Mar 13 2015 - 15:03:55 EST

On Fri, Mar 13, 2015 at 11:52 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> All this said, almost half of the capabilities, if passed to flawed
> children with attacker controlled execution, can be elevated to full
> root privileges pretty easily[1], so I think any documentation around
> this feature should include some pretty dire warnings about using
> this.

That's a good point. I'll make sure to document that.

It's worth noting that, for many applications, that list is
overstated. For example, many of the suggested privilege escalations
don't work if you're in a sufficiently restrictive mount namespace.

For my own use, I plan on adding only CAP_NET_BIND_SERVICE and
CAP_NET_RAW to pA, and I'll be layering seccomp on top to the extent


> -Kees
> [1]
> --
> Kees Cook
> Chrome OS Security

Andy Lutomirski
AMA Capital Management, LLC
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at