diff options
Diffstat (limited to 'readme.rst')
| -rw-r--r-- | readme.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/readme.rst b/readme.rst new file mode 100644 index 0000000..f7820b7 --- /dev/null +++ b/readme.rst @@ -0,0 +1,9 @@ +The first example drops caps except setuid/gid, then change to a user, then +regain a specific capability. + +The second example sets the inheritable caps and drops all caps except +setuid/gid, then change to a user, then execve a program which is assumed to +have same set of inheritable caps sets in its xattrs + effective flag. Thus +the result is the launched program has only a specific capability and nobody +can automatically gain (as opposed to effective + permited file caps) the +allowed capability. Only the runner can do it. |