
Capabilities

Capabilities are privileges you can grant to a process. A root process has all of them. There is also a capability bounding set: in a normal kernel, once a capability is removed from the bounding set, nobody can use it again until the next reboot (see http://www.netcom.com/~spoon/lcap for the normal use).

LIDS modifies this behaviour so that you can switch these capabilities on and off whenever you want. Any access to /proc/sys/kernel/cap_bset is trapped and raises a security alert. lidsadm does all the work.
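The bounding set described above is a 32-bit mask, one bit per capability, which the 2.2/2.4 kernels expose through the cap_bset sysctl as a signed decimal (so -1 is every bit set). The following program, an added example that is not part of the LIDS documentation or of lidsadm, decodes such a mask, names the capabilities that are missing from it, and computes the value a tool like lcap writes back to drop one more capability. The capability numbers are the ones from linux/include/linux/capability.h of that era (CAP_CHOWN is 0 up to CAP_SYS_TTY_CONFIG at 26); the sample value -257 is a constructed input chosen because it is every bit except CAP_SETPCAP, and the /proc path is only read if it exists.

```c
/* Added example (not from the LIDS documentation): decode and manipulate a
 * 2.2/2.4-style capability bounding set mask as exposed by
 * /proc/sys/kernel/cap_bset. Capability numbers follow
 * linux/include/linux/capability.h of that era. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
};
#define CAP_COUNT ((int)(sizeof cap_names / sizeof cap_names[0]))

/* Bit for one capability number, as the kernel's CAP_TO_MASK() does. */
uint32_t cap_to_mask(int cap) { return (uint32_t)1 << cap; }

/* Capability number for a name, or -1 if unknown. */
int cap_from_name(const char *name) {
    for (int i = 0; i < CAP_COUNT; i++)
        if (strcmp(cap_names[i], name) == 0) return i;
    return -1;
}

int cap_bset_has(uint32_t bset, int cap) { return (bset & cap_to_mask(cap)) != 0; }

/* New mask after dropping one capability: on an unmodified kernel this is
 * one-way until reboot, which is exactly what LIDS changes. */
uint32_t cap_bset_remove(uint32_t bset, int cap) { return bset & ~cap_to_mask(cap); }

/* Parse the textual sysctl form: signed decimal ("-257") or a 0x literal.
 * Returns 1 on success, 0 if no number could be read. */
int parse_cap_bset(const char *text, uint32_t *out) {
    char *end;
    long long v = strtoll(text, &end, 0);
    if (end == text) return 0;
    *out = (uint32_t)v;           /* modulo 2^32, so -257 becomes 0xfffffeff */
    return 1;
}

/* Signed decimal form suitable for writing back to the sysctl. */
long cap_bset_to_sysctl(uint32_t bset) { return (long)(int32_t)bset; }

/* Fill `out` with the numbers of capabilities absent from the set;
 * returns how many were found (at most `max`). */
int cap_bset_missing(uint32_t bset, int *out, int max) {
    int n = 0;
    for (int cap = 0; cap < CAP_COUNT && n < max; cap++)
        if (!cap_bset_has(bset, cap)) out[n++] = cap;
    return n;
}

int main(int argc, char **argv) {
    char buf[64] = "-257";        /* constructed sample: all but CAP_SETPCAP */
    FILE *f = fopen("/proc/sys/kernel/cap_bset", "r");
    if (f) {                      /* only on a kernel that still has the sysctl */
        if (!fgets(buf, sizeof buf, f)) strcpy(buf, "-257");
        fclose(f);
    }
    if (argc > 1) strncpy(buf, argv[1], sizeof buf - 1);

    uint32_t bset;
    if (!parse_cap_bset(buf, &bset)) { fprintf(stderr, "bad mask: %s\n", buf); return 1; }
    printf("cap_bset = 0x%08x (%ld)\n", bset, cap_bset_to_sysctl(bset));

    int missing[32];
    int n = cap_bset_missing(bset, missing, 32);
    for (int i = 0; i < n; i++) printf("  removed: %s\n", cap_names[missing[i]]);

    uint32_t after = cap_bset_remove(bset, cap_from_name("CAP_SYS_MODULE"));
    printf("dropping CAP_SYS_MODULE would write %ld\n", cap_bset_to_sysctl(after));
    return 0;
}
```

Run it with a mask on the command line (for example `./cap_bset -257`) to see which capabilities a given bounding set lacks and what value lcap-style removal of CAP_SYS_MODULE would write; on a LIDS kernel that write is what the cap_bset trap reports as a security alert.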

What follows is extracted from linux/include/linux/capability.h




Biondi Philippe 2000-02-24