

Capabilities are like privileges you can give a process. A root process has all the capabilities. But there is also a capability bounding set. In a normal kernel, when you remove a capability from the bounding set, nobody can ever use it again until the next reboot (see for the normal use).

LIDS modifies this behaviour so that you can switch these capabilities on and off whenever you want. Any access to /proc/sys/kernel/cap_bset is trapped and raises a security alert. lidsadm does all the work.
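As an added example (not part of the LIDS documentation or of lidsadm), here is a small Python helper that decodes the mask a 2.2/2.4-era kernel shows in /proc/sys/kernel/cap_bset (a 32-bit mask printed as a signed decimal) and computes the value with given capabilities cleared or set again; the bit numbers are those of linux/include/linux/capability.h, and the sample value is constructed.

```python
# Added example: decode and edit the capability bounding set as a
# 2.2/2.4-era kernel exposes it in /proc/sys/kernel/cap_bset, i.e. a
# 32-bit mask printed as a signed decimal integer.
# Bit numbers follow linux/include/linux/capability.h (CAP_CHOWN = 0, ...).

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
MASK32 = 0xFFFFFFFF

def parse_cap_bset(text: str) -> int:
    """Turn the signed decimal shown by /proc into an unsigned 32-bit mask."""
    return int(text.strip()) & MASK32

def format_cap_bset(mask: int) -> str:
    """Inverse of parse_cap_bset: the signed decimal form the kernel prints."""
    mask &= MASK32
    return str(mask - (1 << 32) if mask & 0x80000000 else mask)

def missing_caps(mask: int) -> list:
    """Capabilities absent from the bounding set: no process can use them."""
    return [name for name, bit in CAP_BIT.items() if not mask & (1 << bit)]

def drop_caps(mask: int, *names: str) -> int:
    """Mask with the named capabilities cleared (what sealing removes)."""
    for name in names:
        mask &= ~(1 << CAP_BIT[name])
    return mask & MASK32

def raise_caps(mask: int, *names: str) -> int:
    """Mask with the named capabilities set again. A stock kernel keeps a
    dropped capability off until reboot; LIDS lets lidsadm switch it back."""
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask & MASK32

if __name__ == "__main__":
    # Constructed sample: "-257" is what the kernel prints when only
    # CAP_SETPCAP (bit 8) is absent from the bounding set.
    bset = parse_cap_bset("-257\n")
    print(missing_caps(bset))  # ['CAP_SETPCAP']
    sealed = drop_caps(bset, "CAP_SYS_MODULE", "CAP_SYS_RAWIO")
    print(format_cap_bset(sealed), missing_caps(sealed))
```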

What follows is extracted from linux/include/linux/capability.h


Biondi Philippe 2000-02-24