[kernel-hardening] [PATCHv4 1/2] capability: introduce sysctl for controlled user-ns capability whitelist

Geo Kozey geokozey at mailfence.com
Wed Jan 3 14:28:49 UTC 2018


> From: Mahesh Bandewar <maheshb at google.com>
> 
> The default value set (for kernel.controlled_userns_caps_whitelist) is
> CAP_FULL_SET indicating that no capability is controlled by default to
> maintain compatibility with the existing behavior of user-ns. Administrator
> will have to modify this sysctl to control any capability as such. e.g. to
> control CAP_NET_RAW the mask need to be changed like -
> 
>   # sysctl -q kernel.controlled_userns_caps_whitelist
>   kernel.controlled_userns_caps_whitelist = 1f,ffffffff
>   # sysctl -w kernel.controlled_userns_caps_whitelist=1f,ffffdfff
>   kernel.controlled_userns_caps_whitelist = 1f,ffffdfff
> 
> For bit-to-mask conversion please check include/uapi/linux/capability.h
> file.

Is it possible to make those sysctl values human readable? That would make
admins life easier.

Yours sincerely

G. K.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list