Re: [PATCH] capabilities, take 3 (Re: [PATCH] capabilites, take 2)

[Valdis . Kletnieks]

On Thu, 13 May 2004 22:04:15 PDT, Chris Wright said:

> Well, I wonder what IRIX does?  They support capabilities and had a
> reasonable sized hand in the draft.  No point in making it impossible
> to port apps.  It's not that I'm a strong fan of Posix caps, but
> compatibility (even with a partially complete draft) with defacto
> standards is not entirely unreasonable.

The IRIX 6.5 manpage says:


    A process has three, possibly empty, sets of capabilities.  The permitted
     capability set is the maximum set of capabilities for the process.  The
     effective capability set contains those capabilities that are currently
     active for the process.  The inherited capability set contains those
     capabilities that the process may pass to the next process image across
     exec(2).

     Only capabilities in a process' effective capability set allow the
     process to perform restricted operations.  A process may use capability
     management functions to add or remove capabilities from its effective
     capability set.  However the capabilities that a process can make
     effective are limited to those that exist in its permitted capability
     set.

     Only capabilities in the process' inherited capability set can be passed
     across exec(2).

     Capabilities are also associated with files.  There may or may not be a
     capability set associated with a specific file.  If a file has no
     capability set, execution of this file through an exec(2) will leave the
     process' capability set unchanged.  If a file has a capability set,
     execution of file will affect the process' capability set in the
     following way: a file's inherited capability set further constrains the
     process inherited capabilities that are passed from one process image to
     another. The file's permitted capability set contains the capabilities
     that are unconditionally permitted to a process upon execution of that
     file.  The file's effective capabilities are the capabilities that become
     immediately active for the process upon execution of the file.

     More precisely described, the process capability assignment algorithm is:

              I-proc-new = I-proc-old & I-file
              P-proc-new = P-file | (I-proc-new & P-proc-old)
              E-proc-new = P-proc-new & E-file

     File capabilities are supported only on XFS filesystems.

Note that Irix has *3* capability vectors attached to a file....

Attachment: pgp00000.pgp
Description: PGP signature