milton

Reputation: 1018

How to compute the minimal capability set for a process?

What's the best way to compute a minimal set of Linux capabilities for any process?

Suppose you're hardening an operating system and some of your tools may require CAP_NET_ADMIN and related network privileges while other tools may require CAP_SYS_NICE. There should be a way to tell for each executable which capabilities are really required.

Upvotes: 5

Views: 1399

Answers (1)

gavv

Reputation: 4893

Two possible approaches to determine required capabilities at runtime:

  • Repeatedly run your program under strace without root privileges. Determine which system calls failed with EPERM and add the corresponding capabilities to your program. Repeat this until all capabilities are gathered.
  • Use SystemTap, DTrace or Kprobes to log or intercept the capability checks the kernel makes for your program (e.g. use `capable` from the BCC tools suite, as described here).

Unit tests with good coverage will help a lot, I guess. Also note that the capabilities(7) manual page lists the system calls that may require each capability (although it is not a complete list).

Update:

The article referenced by @RodrigoBelem mentions the capable_probe module, which is based on KProbes.

The original article with this module was "POSIX file capabilities: Parceling the power of root" and it's not available now (it was hosted here). But you can find the source code and some docs on the Internet.

Upvotes: 3
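The strace loop from the answer above, as an added example that is not part of the original answer: a small script that runs a program under `strace -f` as an unprivileged user, picks out every syscall that returned `-1 EPERM` or `-1 EACCES`, and maps each one to candidate capabilities using a partial table copied from capabilities(7). EACCES is included on purpose, because some capability checks report it instead of EPERM (bind(2) to a port below 1024, setpriority(2) lowering the nice value), so grepping for EPERM alone misses them. The table, the helper names and the sample trace are all assumptions made for this illustration; the sample trace is constructed, not captured from a real run.

```python
#!/usr/bin/env python3
"""epermcaps.py: run a program under strace, collect the syscalls that were
denied, and map them to candidate capabilities using a partial table taken
from capabilities(7). Added example, not the original answer's code; the table
is incomplete by design and the sample trace is hand-written."""
import re
import subprocess
import sys
import tempfile

# Partial syscall -> capability table from capabilities(7). Extend as needed.
SYSCALL_CAPS = {
    "chown": ("CAP_CHOWN",), "fchown": ("CAP_CHOWN",), "fchownat": ("CAP_CHOWN",),
    "chroot": ("CAP_SYS_CHROOT",),
    "kill": ("CAP_KILL",),
    "mknod": ("CAP_MKNOD",), "mknodat": ("CAP_MKNOD",),
    "mlock": ("CAP_IPC_LOCK",), "mlockall": ("CAP_IPC_LOCK",),
    "mount": ("CAP_SYS_ADMIN",), "umount2": ("CAP_SYS_ADMIN",),
    "ptrace": ("CAP_SYS_PTRACE",),
    "reboot": ("CAP_SYS_BOOT",),
    "sched_setscheduler": ("CAP_SYS_NICE",), "sched_setparam": ("CAP_SYS_NICE",),
    "setpriority": ("CAP_SYS_NICE",),
    "setrlimit": ("CAP_SYS_RESOURCE",), "prlimit64": ("CAP_SYS_RESOURCE",),
    "settimeofday": ("CAP_SYS_TIME",), "clock_settime": ("CAP_SYS_TIME",),
    "setuid": ("CAP_SETUID",), "setresuid": ("CAP_SETUID",),
    "setgid": ("CAP_SETGID",), "setgroups": ("CAP_SETGID",),
    "ioperm": ("CAP_SYS_RAWIO",), "iopl": ("CAP_SYS_RAWIO",),
    # For these the needed capability depends on the arguments: read the line.
    "bind": ("CAP_NET_BIND_SERVICE",),            # port < 1024 reports EACCES
    "socket": ("CAP_NET_RAW",),                   # SOCK_RAW / AF_PACKET sockets
    "setsockopt": ("CAP_NET_ADMIN",),             # privileged socket options
    "ioctl": ("CAP_NET_ADMIN", "CAP_SYS_ADMIN"),  # depends on the request code
}
ARGUMENT_DEPENDENT = {"bind", "socket", "setsockopt", "ioctl"}

# One strace line: optional pid prefix ("1234  " with -o, "[pid 1234] " on
# stderr), either "name(" or a "<... name resumed>" continuation, and a
# return value of -1 EPERM or -1 EACCES.
_DENIED = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"
    r"(?:<\.\.\.\s+(?P<resumed>\w+)\s+resumed>|(?P<name>\w+)\()"
    r".*=\s+-1\s+(?P<errno>EPERM|EACCES)\b"
)


def parse_denied(trace_text):
    """Return {syscall: [trace lines]} for calls that failed with EPERM/EACCES."""
    denied = {}
    for line in trace_text.splitlines():
        m = _DENIED.match(line)
        if m:
            name = m.group("name") or m.group("resumed")
            denied.setdefault(name, []).append(line.strip())
    return denied


def suggest_caps(denied):
    """Map each denied syscall to candidate capabilities (None = not in table)."""
    return {name: SYSCALL_CAPS.get(name) for name in sorted(denied)}


def format_report(report):
    """Render suggest_caps() output, one line per denied syscall."""
    lines = []
    for name, caps in report.items():
        if caps is None:
            # Often a plain DAC denial (file mode bits), not a missing capability.
            lines.append(f"{name:20s} -> not in table; check capabilities(7) or file permissions")
        else:
            note = "  (depends on arguments, read the trace line)" if name in ARGUMENT_DEPENDENT else ""
            lines.append(f"{name:20s} -> {', '.join(caps)}{note}")
    return "\n".join(lines)


def trace_command(argv):
    """Run argv under strace -f and return the raw trace text."""
    with tempfile.NamedTemporaryFile(prefix="strace-", suffix=".log") as log:
        # Exit status is deliberately ignored: a program missing a capability usually fails.
        subprocess.run(["strace", "-f", "-o", log.name, *argv])
        log.seek(0)
        return log.read().decode(errors="replace")


# Constructed sample trace in "strace -f -o" format (not captured from a real system).
SAMPLE_TRACE = r"""12345 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
12345 bind(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
12345 setsockopt(3, SOL_SOCKET, SO_DEBUG, [1], 4) = -1 EPERM (Operation not permitted)
12346 sched_setscheduler(0, SCHED_FIFO, {sched_priority=10}) = -1 EPERM (Operation not permitted)
12345 ioctl(4, SIOCSIFFLAGS, {ifr_name="eth0", ifr_flags=IFF_UP} <unfinished ...>
12345 <... ioctl resumed>) = -1 EPERM (Operation not permitted)
12345 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
12345 write(1, "hello\n", 6) = 6
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(format_report(suggest_caps(parse_denied(SAMPLE_TRACE))))
        sys.exit("usage: epermcaps.py PROGRAM [ARGS...]   (run as the unprivileged service user)")
    print(format_report(suggest_caps(parse_denied(trace_command(sys.argv[1:])))))
```

Run it as the user the service will actually run as, grant the suggested capabilities to the binary (for example `setcap cap_net_admin+ep ./prog`), and rerun until the report is empty; the `ioctl`/`setsockopt`/`socket` entries need the argument text from the trace line before you pick a capability. For the kernel-side cross-check the answer mentions, run BCC's `capable -p PID` against the process in another terminal: it prints every `capable()` call the kernel makes, including ones that succeeded because the binary already had the capability, which strace cannot see.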
