blob: f7820b792426220ca799c5b28afc53ba872fde76 (
plain)
1
2
3
4
5
6
7
8
9
|
The first example drops caps except setuid/gid, then change to a user, then
regain a specific capability.
The second example sets the inheritable caps and drops all caps except
setuid/gid, then change to a user, then execve a program which is assumed to
have same set of inheritable caps sets in its xattrs + effective flag. Thus
the result is the launched program has only a specific capability and nobody
can automatically gain (as opposed to effective + permited file caps) the
allowed capability. Only the runner can do it.
|
