Err, one last remark to my previous posting. You must already think I like to
write to myself, but I want to bring this to an end and could not go to bed
before making a last try...

On Mon, 3 Sep 2001, Andreas Amann wrote:

> To be able to use the --caps option right now you would have to make some
> 'hacks' in the kernel-code in the meantime.

I made the following changes in /usr/src/linux/fs/exec.c: Lines 676ff
----------------------------------------------------------------------

Comment out 'working':

676:    kernel_cap_t new_permitted; //, working;
677:    int do_unlock = 0;
678:

Comment out these four lines:

679:    //new_permitted = cap_intersect(bprm->cap_permitted, cap_bset);
680:    //working = cap_intersect(bprm->cap_inheritable,
681:    //                        current->cap_inheritable);
682:    //new_permitted = cap_combine(new_permitted, working);
683:

Add the following line:

684:    new_permitted = cap_intersect(current->cap_inheritable, cap_bset);

Changes in /usr/src/linux/include/linux/capability.h Line 305
----------------------------------------------------------------------

Change

    #define CAP_INIT_INH_SET    to_cap_t(0)

into

    #define CAP_INIT_INH_SET    to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))

After compiling a new kernel the system should start up as usual, but you are
able to use the --cap option of compartment to specify the caps of the new
process.

BUT: Please, please keep in mind that I'm not totally sure what will be broken
by that behind the scenes. My knowledge of C programming is quite small. So
better see it as a 'proof of concept'. But if nobody can find a bad error, I
would say it could be a nice configuration option for the next SuSE kernel.
Maybe.....

with kind regards

Andreas Amann <mailto:andreas.amann@epost.de>
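
Added example, not part of the original message or of the kernel source: a userspace C model of the two rules for new_permitted quoted in the message (the commented-out lines 679-682 versus the added line 684), evaluated with the old and the new CAP_INIT_INH_SET. Assumptions: a capability set is a single 32-bit mask, cap_bset is the full set minus CAP_SETPCAP, and the bprm sets are full for a uid-0 exec and empty otherwise; bprm_for() and the other function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t cap_t;                 /* assumption: one 32-bit capability mask */
#define CAP_SETPCAP          8          /* numeric values from linux/capability.h */
#define CAP_NET_BIND_SERVICE 10
#define CAP_TO_MASK(x) ((cap_t)1 << (x))
#define CAP_FULL       (~(cap_t)0)
#define INH_OLD  ((cap_t)0)                              /* to_cap_t(0) */
#define INH_NEW  (CAP_FULL & ~CAP_TO_MASK(CAP_SETPCAP))  /* the changed define */
#define BSET     (CAP_FULL & ~CAP_TO_MASK(CAP_SETPCAP))  /* assumed cap_bset */

struct bprm_caps { cap_t permitted, inheritable; };

/* Assumption: exec as uid 0 gets full bprm sets, any other uid gets empty ones. */
struct bprm_caps bprm_for(int is_root) {
    struct bprm_caps b = { is_root ? CAP_FULL : 0, is_root ? CAP_FULL : 0 };
    return b;
}

/* Rule in the commented-out lines 679-682. */
cap_t permitted_stock(struct bprm_caps b, cap_t cur_inheritable) {
    cap_t new_permitted = b.permitted & BSET;
    cap_t working = b.inheritable & cur_inheritable;
    return new_permitted | working;
}

/* Rule in the added line 684: the bprm sets no longer take part. */
cap_t permitted_patched(cap_t cur_inheritable) {
    return cur_inheritable & BSET;
}

int main(void) {
    /* Constructed case: the caller narrowed its inheritable set to one cap. */
    cap_t one = CAP_TO_MASK(CAP_NET_BIND_SERVICE);
    printf("%-36s %-10s %s\n", "case", "stock", "patched");
    printf("%-36s 0x%08x 0x%08x\n", "uid 0, inheritable untouched",
           (unsigned)permitted_stock(bprm_for(1), INH_OLD),
           (unsigned)permitted_patched(INH_NEW));
    printf("%-36s 0x%08x 0x%08x\n", "other uid, inheritable untouched",
           (unsigned)permitted_stock(bprm_for(0), INH_OLD),
           (unsigned)permitted_patched(INH_NEW));
    printf("%-36s 0x%08x 0x%08x\n", "uid 0, inheritable = one capability",
           (unsigned)permitted_stock(bprm_for(1), one),
           (unsigned)permitted_patched(one));
    return 0;
}
```

The third row is the effect the change is after (the permitted set follows the narrowed inheritable set); the second row is the one to review before adopting it, since under these assumptions the result depends only on the inherited set and not on who executes the binary.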