Next: The CAP_CHOWN capability
Up: Prepare the LIDS sealing
Previous: Prepare the LIDS sealing
Capabilities are like privileges you can give a process. A root process
has all the capabilities. But there exists a capabilities boundig set.
In a normal kernel, when you remove a capability from the boundig set,
nobody can ever use it again, until next reboot.
(see http://www.netcom.com/~spoon/lcap for the normal use).
LIDS modifies this behaviour to enable you to switch theses on and off,
whenever you want. An access to the
/proc/sys/kernel/cap_bset9.1 is trapped and raise a security alert.
lidsadm performs all the job.
What follows is extracted from linux/include/linux/capability.h