From b3406fe7469ec1511d08d6d4c7461a3714247de9 Mon Sep 17 00:00:00 2001 From: VG Date: Tue, 8 Mar 2016 15:59:20 +0100 Subject: add demo showing privileged run from a runner only --- readme.rst | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 readme.rst (limited to 'readme.rst') diff --git a/readme.rst b/readme.rst new file mode 100644 index 0000000..f7820b7 --- /dev/null +++ b/readme.rst @@ -0,0 +1,9 @@ +The first example drops caps except setuid/gid, then change to a user, then +regain a specific capability. + +The second example sets the inheritable caps and drops all caps except +setuid/gid, then change to a user, then execve a program which is assumed to +have same set of inheritable caps sets in its xattrs + effective flag. Thus +the result is the launched program has only a specific capability and nobody +can automatically gain (as opposed to effective + permited file caps) the +allowed capability. Only the runner can do it. -- cgit v1.2.3
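Review bot: The first paragraph of the new readme.rst ("drops caps except setuid/gid, then change to a user, then regain a specific capability") does not say which capability set is dropped. A capability removed from the permitted set cannot be raised again later, so the text should state that only the effective set is reduced and that the capability to be regained stays in the permitted set across the user change. In the second paragraph, name the two example programs and the capability involved, and describe how the inheritable set and effective flag are put on the target binary's xattrs, since the closing claim "Only the runner can do it" holds only while that binary carries no permitted file caps. Minor wording: "permited" should be "permitted", "then change to a user" should be "then changes to a user" in both paragraphs, and "have same set of inheritable caps sets" should read "have the same set of inheritable caps set".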