[kernel-hardening] [PATCHv4 1/2] capability: introduce sysctl for controlled user-ns capability whitelist
Geo Kozey
geokozey at mailfence.com
Wed Jan 3 14:28:49 UTC 2018
> From: Mahesh Bandewar <maheshb at google.com>
>
> The default value set (for kernel.controlled_userns_caps_whitelist) is
> CAP_FULL_SET indicating that no capability is controlled by default to
> maintain compatibility with the existing behavior of user-ns. Administrator
> will have to modify this sysctl to control any capability as such. e.g. to
> control CAP_NET_RAW the mask need to be changed like -
>
> # sysctl -q kernel.controlled_userns_caps_whitelist
> kernel.controlled_userns_caps_whitelist = 1f,ffffffff
> # sysctl -w kernel.controlled_userns_caps_whitelist=1f,ffffdfff
> kernel.controlled_userns_caps_whitelist = 1f,ffffdfff
>
> For bit-to-mask conversion please check include/uapi/linux/capability.h
> file.
Is it possible to make those sysctl values human readable? That would make
admins life easier.
Yours sincerely
G. K.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list