cap: restrict capabilities by a bounding set

A bounding set restricts file capabilities:
P'(permitted) = (P(inheritable) & F(inheritable)) |
                (F(permitted) & cap_bset).

Take into account the following statement from man capabilities:
"""
When a process execve(2)s a set-user-ID-root program, it gains
all capabilities in its permitted and effective capability  sets,
except those masked out by the capability bounding set.
"""
so a bounding set is just one way to restrict capabilities.

An OpenVZ kernel does this by itself for historical reasons.

[kir@openvz.org: improve in-code comments]
1 file changed
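The transformation quoted above, worked through as an added example (not code from the commit or from CRIU): it models the execve() permitted-set rule from capabilities(7) with constructed bitmasks, including the set-user-ID-root case where the kernel treats the file's inheritable and permitted sets as all-ones. The capability numbers are the real values from `<linux/capability.h>`; `CAP_LAST_CAP` is an assumed kernel limit used only to size the all-ones mask.

```python
# Added example, not part of the original commit: model how a capability
# bounding set masks the permitted set computed at execve(), per the formula
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)

# Real capability numbers from <linux/capability.h>.
CAP_CHOWN = 0
CAP_DAC_OVERRIDE = 1
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21
CAP_LAST_CAP = 40  # assumption: highest capability defined on this kernel

# All-ones mask over the capabilities this kernel defines.
ALL_CAPS = (1 << (CAP_LAST_CAP + 1)) - 1


def capset(*caps):
    """Build a capability bitmask from capability numbers."""
    mask = 0
    for cap in caps:
        mask |= 1 << cap
    return mask


def has(mask, cap):
    """True if capability number `cap` is present in `mask`."""
    return bool(mask & (1 << cap))


def exec_permitted(p_inh, f_inh, f_perm, cap_bset):
    """Permitted set of the new process image after execve().

    Note that cap_bset masks only the file-permitted part: anything that
    arrives via the process inheritable set intersected with the file
    inheritable set is not limited by the bounding set in this formula.
    """
    return (p_inh & f_inh) | (f_perm & cap_bset)


def exec_setuid_root(p_inh, cap_bset):
    """Set-user-ID-root program: the kernel behaves as if the file's
    inheritable and permitted sets were all-ones, so the process gains every
    capability except those masked out by the bounding set (plus whatever its
    own inheritable set already carried)."""
    return exec_permitted(p_inh, ALL_CAPS, ALL_CAPS, cap_bset)


def demo():
    """Constructed scenario: a bounding set with CAP_SYS_ADMIN removed."""
    bset = ALL_CAPS & ~capset(CAP_SYS_ADMIN)

    # A file carrying permitted = {net_bind_service, sys_admin}: the bounding
    # set drops sys_admin before the process ever sees it.
    from_file = exec_permitted(0, 0, capset(CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN), bset)

    # A set-user-ID-root binary started by a process with an empty inheritable
    # set ends up with exactly the bounding set.
    suid_plain = exec_setuid_root(0, bset)

    return from_file, suid_plain


if __name__ == "__main__":
    from_file, suid_plain = demo()
    print("file caps after bset:", has(from_file, CAP_NET_BIND_SERVICE), has(from_file, CAP_SYS_ADMIN))
    print("setuid-root equals bset:", suid_plain == (ALL_CAPS & ~capset(CAP_SYS_ADMIN)))
```

Running `demo()` shows the two cases the commit message relies on: file capabilities outside the bounding set are dropped, and a set-user-ID-root program gains all capabilities except those the bounding set masks out.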