Improving Linux Capabilities
I have been struggling to get Linux Capabilities to work as I want in containers. Various problems...
Applications run as "restricted root" in containers. That much is
working OK, but as I want to fine-tune it, I hit snags. A very significant
capability that is dropped is cap_sys_admin, which, among many other
things, takes away the ability to execute mount/umount.
Unfortunately, the only way to restore mount/umount (which I might
want to do in certain circumstances) is not to drop cap_sys_admin, but
that is very bad because it will give restricted-root too many other
powers.
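To see which capabilities a "restricted root" process really holds, the kernel's CapEff mask in /proc/<pid>/status can be decoded bit by bit. The script below is an added example, not code from the original post: it uses the capability numbers from <linux/capability.h> (CAP_SYS_ADMIN is bit 21) and two constructed masks, one for full root on a 38-capability kernel such as 4.14 and one typical of an unprivileged container that has dropped cap_sys_admin.

```shell
#!/bin/sh
# Added example (not from the original post): decode the CapEff mask that the
# kernel reports in /proc/<pid>/status, to confirm which capabilities a
# "restricted root" process actually holds. Capability numbers follow
# <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_SYS_CHROOT=18
CAP_SYS_ADMIN=21

# cap_present MASK_HEX CAPNUM -> exit 0 if bit CAPNUM is set in the mask
cap_present() {
    mask=$1; capnum=$2
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# capeff_of_pid [PID] -> prints the CapEff hex mask of PID (default: this shell)
capeff_of_pid() {
    pid=${1:-self}
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# list_caps MASK_HEX -> prints the numbers of all set bits, space separated
list_caps() {
    mask=$1; i=0; out=""
    while [ "$i" -lt 64 ]; do
        if cap_present "$mask" "$i"; then out="$out $i"; fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Demo on constructed masks (not captured from a real system): full root on a
# 38-capability kernel, and a mask typical of an unprivileged container.
for m in 0000003fffffffff 00000000a80425fb; do
    if cap_present "$m" "$CAP_SYS_ADMIN"; then s=present; else s=absent; fi
    printf 'CapEff=%s -> CAP_SYS_ADMIN %s; set bits: %s\n' "$m" "$s" "$(list_caps "$m")"
done
# Live check of the shell running this script, where /proc is available.
if [ -r /proc/self/status ]; then
    printf 'this shell: CapEff=%s\n' "$(capeff_of_pid)"
fi
```

Run it as `sh capcheck.sh`, or pass a container PID to `capeff_of_pid` from the host to inspect a running workload; an absent bit 21 is what you want to see once cap_sys_admin has been dropped.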
This is a recognised problem, and a chap named Nicolas has created
one solution: break the mount/umount capability out of cap_sys_admin
into a new one, named cap_sys_mount. Some comments on his patches are
negative. The patches are here:
https://www.spinics.net/lists/selinux/msg23373.html
I have compiled the 4.14.41 kernel with the cap_sys_mount patches,
but it doesn't seem to work, so I have sent an email to Nicolas.
Another problem is that the 'getcap' and 'setcap' utilities do not
work. After much googling, I finally found a forum post stating that
CONFIG_EXT4_FS_SECURITY needs to be set in the kernel (in the case of
an ext4 filesystem).
No other documentation that I had read mentioned that little detail.
Yes, the docs said to set CONFIG_EXT4_FS_XATTR -- though for the 4.14
kernel, that option is no longer there, as it is always set.
This is what I now have:
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_EXT4_ENCRYPTION=y
CONFIG_EXT4_FS_ENCRYPTION=y
# CONFIG_EXT4_DEBUG is not set
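File capabilities live in the security.capability extended attribute, which is why setcap silently depends on security xattr support in the filesystem driver. The script below is an added example, not part of the original post: it reads a kernel .config and reports whether the ext4 options that file capabilities need are present, treating a vanished option such as CONFIG_EXT4_FS_XATTR on 4.14 as "missing" rather than off, and then, if run as root with libcap's setcap/getcap installed, probes a scratch file to see whether a capability can really be set and read back. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# options that getcap/setcap depend on for ext4, then, where the tools and
# privileges exist, probe whether security.capability xattrs can be written.

# config_option FILE OPTION -> y | m | n (explicit "is not set") | missing
# "missing" covers options the kernel no longer offers at all, such as
# CONFIG_EXT4_FS_XATTR on 4.14, where xattr support is unconditional.
config_option() {
    file=$1; opt=$2
    if grep -q "^$opt=y\$" "$file"; then echo y
    elif grep -q "^$opt=m\$" "$file"; then echo m
    elif grep -q "^# $opt is not set\$" "$file"; then echo n
    else echo missing
    fi
}

# check_ext4_caps_config FILE -> 0 if file capabilities can work on ext4
# with this config, 1 otherwise; prints one diagnostic line per finding.
check_ext4_caps_config() {
    file=$1; ok=0
    case $(config_option "$file" CONFIG_EXT4_FS) in
        y|m) ;;
        *) echo "ext4 itself is not built (CONFIG_EXT4_FS)"; ok=1 ;;
    esac
    # security.* xattrs, which hold file capabilities, need this option.
    if [ "$(config_option "$file" CONFIG_EXT4_FS_SECURITY)" != y ]; then
        echo "CONFIG_EXT4_FS_SECURITY is not =y: setcap will fail on ext4"; ok=1
    fi
    # Older kernels gate all ext4 xattrs behind CONFIG_EXT4_FS_XATTR; on 4.14
    # the option is gone ("missing"), which is fine.
    if [ "$(config_option "$file" CONFIG_EXT4_FS_XATTR)" = n ]; then
        echo "CONFIG_EXT4_FS_XATTR is explicitly off: no xattrs at all"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "config ok for file capabilities on ext4"
    return "$ok"
}

# probe_file_caps DIR -> sets and reads back a file capability on a scratch
# file in DIR. Needs root and libcap's setcap/getcap; returns 2 when skipped.
probe_file_caps() {
    dir=${1:-.}
    if ! command -v setcap >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
        echo "probe skipped: need root and setcap/getcap"; return 2
    fi
    f=$(mktemp "$dir/capprobe.XXXXXX") || return 2
    if setcap cap_net_raw+ep "$f" 2>/dev/null && [ -n "$(getcap "$f")" ]; then
        echo "file capabilities work in $dir"; rm -f "$f"; return 0
    fi
    echo "setcap failed in $dir: check the *_FS_SECURITY option for that filesystem"
    rm -f "$f"; return 1
}

# Constructed sample configs: one like the working 4.14 config above, one
# with the security xattr option switched off.
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set
EOF
cat > "$SAMPLE_BAD" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF

check_ext4_caps_config "$SAMPLE_GOOD"
check_ext4_caps_config "$SAMPLE_BAD" || true
probe_file_caps "${TMPDIR:-/tmp}" || true
```

Point `check_ext4_caps_config` at a real .config (or a decompressed /proc/config.gz) before building; the probe is the quicker answer on a running system, and it is the check that would have saved the googling above.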
Tags: easy