
Improving Linux Capabilities

May 20, 2018 — BarryK

I have been struggling to get Linux Capabilities to work as I want in containers. Various problems...

Applications run as "restricted root" in containers. That much is working OK, but as I try to fine-tune it, I hit snags. A very significant capability that is dropped is cap_sys_admin; dropping it, among many other things, removes the ability to execute mount/umount.

Unfortunately, the only way to restore mount/umount (which I might want to do in certain circumstances) is not to drop cap_sys_admin, but that is very bad because it will give restricted-root too many other powers.

This is a recognised problem, and a chap named Nicolas has created one solution: breaking the mount/umount capability out of cap_sys_admin into a new capability named cap_sys_mount. Some comments on his patches are negative. The patches are here:

https://www.spinics.net/lists/selinux/msg23373.html

I have compiled the 4.14.41 kernel with the cap_sys_mount patches, but it doesn't seem to work, so I have sent an email to Nicolas.

Another problem is that the 'getcap' and 'setcap' utilities do not work. After much googling, I finally found a forum post stating that CONFIG_EXT4_FS_SECURITY needs to be set in the kernel (for the case of an ext4 filesystem).

No other documentation that I had read mentioned that little detail. Yes, the docs said to set CONFIG_EXT4_FS_XATTR -- though for the 4.14 kernel, that option is no longer there, as it is always set.

This is what I now have:

CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_ENCRYPTION=y
CONFIG_EXT4_FS_ENCRYPTION=y
# CONFIG_EXT4_DEBUG is not set
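
A quick check for the setting described above, as an added example that is not part of the original post: file capabilities are stored in the security.capability extended attribute, which ext4 only handles when CONFIG_EXT4_FS_SECURITY is set. The function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel config for the
# option that setcap/getcap need on ext4.

# config_value SYMBOL: read a kernel config on stdin, print y, m or n.
# Both "# SYMBOL is not set" and a missing symbol count as n.
config_value() {
    awk -v sym="$1" '
        index($0, sym "=") == 1        { v = substr($0, length(sym) + 2) }
        $0 == ("# " sym " is not set") { v = "n" }
        END { print (v == "" ? "n" : v) }'
}

# running_config: print the running kernel's config, if it is exposed.
running_config() {
    if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1
    fi
}

# ext4_filecaps_status: read a config on stdin, print a verdict,
# return 0 only when file capabilities can be stored on ext4.
ext4_filecaps_status() {
    cfg=$(cat)
    ext4=$(printf '%s\n' "$cfg" | config_value CONFIG_EXT4_FS)
    sec=$(printf '%s\n' "$cfg" | config_value CONFIG_EXT4_FS_SECURITY)
    if [ "$ext4" = n ]; then echo "ext4 not enabled"; return 1; fi
    if [ "$sec" != y ]; then
        echo "CONFIG_EXT4_FS_SECURITY not set: setcap/getcap will fail on ext4"
        return 1
    fi
    echo "ok: security.* xattrs available on ext4 (CONFIG_EXT4_FS=$ext4)"
}

# Constructed sample configs (not taken from a real build).
sample_without_security() {
    printf '%s\n' 'CONFIG_EXT4_FS=y' 'CONFIG_EXT4_FS_POSIX_ACL=y' \
        '# CONFIG_EXT4_FS_SECURITY is not set'
}
sample_with_security() {
    printf '%s\n' 'CONFIG_EXT4_FS=m' 'CONFIG_EXT4_FS_POSIX_ACL=y' \
        'CONFIG_EXT4_FS_SECURITY=y'
}

sample_without_security | ext4_filecaps_status || true
sample_with_security | ext4_filecaps_status || true
```

To check the kernel you are actually running, pipe it in: running_config | ext4_filecaps_status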

Tags: easy