Re: [PATCH] capabilities, take 3 (Re: [PATCH] capabilites, take 2)

From: Valdis . Kletnieks
Date: Fri May 14 2004 - 00:33:31 EST


On Thu, 13 May 2004 22:04:15 PDT, Chris Wright said:

> Well, I wonder what IRIX does? They support capabilities and had a
> reasonable sized hand in the draft. No point in making it impossible
> to port apps. It's not that I'm a strong fan of Posix caps, but
> compatibility (even with a partially complete draft) with defacto
> standards is not entirely unreasonable.

The IRIX 6.5 manpage says:


A process has three, possibly empty, sets of capabilities. The permitted
capability set is the maximum set of capabilities for the process. The
effective capability set contains those capabilities that are currently
active for the process. The inherited capability set contains those
capabilities that the process may pass to the next process image across
exec(2).

Only capabilities in a process' effective capability set allow the
process to perform restricted operations. A process may use capability
management functions to add or remove capabilities from its effective
capability set. However the capabilities that a process can make
effective are limited to those that exist in its permitted capability
set.

Only capabilities in the process' inherited capability set can be passed
across exec(2).

Capabilities are also associated with files. There may or may not be a
capability set associated with a specific file. If a file has no
capability set, execution of this file through an exec(2) will leave the
process' capability set unchanged. If a file has a capability set,
execution of file will affect the process' capability set in the
following way: a file's inherited capability set further constrains the
process inherited capabilities that are passed from one process image to
another. The file's permitted capability set contains the capabilities
that are unconditionally permitted to a process upon execution of that
file. The file's effective capabilities are the capabilities that become
immediately active for the process upon execution of the file.

More precisely described, the process capability assignment algorithm is:

I-proc-new = I-proc-old & I-file
P-proc-new = P-file | (I-proc-new & P-proc-old)
E-proc-new = P-proc-new & E-file

File capabilities are supported only on XFS filesystems.

Note that Irix has *3* capability vectors attached to a file....

Attachment: pgp00000.pgp
Description: PGP signature