For example, if you set pA = CAP_NET_BIND_SERVICE, then your child processes can automatically bind to low-numbered ports. The corresponding Linux commit provides a test case, ambient_test.c /* * Test program for the ambient capabilities. This program spawns a shell * that allows running processes with a defined set of capabilities. * * (C)...
capabilities (CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than it is with this patch. === Footnotes === [1] Files that are missing the "security.capability" xattr or that have unrecognized values for that xattr end up with has_cap == false. The code that does...
>> capabilities (CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much >> less useful than it is with this patch. >> >> === Footnotes === >> >> [1] Files that are missing the "security.capability" xattr or that >> have unrecognized values for that xattr end up with has_cap ...
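When an unprivileged user adds specific capabilities to pA, its child processes obtain those capabilities in pA, pP and pE. For example, with pA set to CAP_NET_BIND_SERVICE, its child processes can automatically bind to low-numbered ports. The Linux kernel provides a test case (ambient_test.c) for verifying the ambient capabilities functionality. Through the mechanism described above, Linux keeps fine-grained privilege control while also solving...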
This is flat-out useless. Having pI = CAP_NET_BIND_SERVICE doesn't let me bind low-numbered ports, full stop. > My Nack remains that you are eliminating the explicit enforcement of > selective inheritance. A lockable secure bit protecting access to your ...
CAP_NET_BIND_SERVICE in pI and execs you, you can't bind low-numbered ports. If your parent puts CAP_NET_BIND_SERVICE in pA, you can. > >>> My Nack remains that you are eliminating the explicit enforcement of >>> selective inheritance. A lockable secure bit protecting access to your...
> don't work if you're in a sufficiently restrictive mount namespace. > > For my own use, I plan on adding only CAP_NET_BIND_SERVICE and > CAP_NET_RAW to pA, and I'll be layering seccomp on top to the extent > possible. ...
don't work if you're in a sufficiently restrictive mount namespace. For my own use, I plan on adding only CAP_NET_BIND_SERVICE and CAP_NET_RAW to pA, and I'll be layering seccomp on top to the extent possible. --Andy >