Okay, I'm trying to summarize this:
- _without_ the CONFIG_SECURITY_FILE_CAPABILITIES setting, CAP_SETPCAP allows crazy cap-setting silliness, and is disabled by init
- with CONFIG_SECURITY_FILE_CAPABILITIES, CAP_SETPCAP behaves differently, so it is not disabled by init
What I'd like to understand this better is an example of a "vulnerable" and "safe" behavior. From there, I can build a kernel both ways, and verify that CONFIG_SECURITY_FILE_CAPABILITIES is still safe.
Can someone give me an example to use that demonstrates the dangerous behavior?
Okay, I'm trying to summarize this: SECURITY_ FILE_CAPABILITI ES setting, CAP_SETPCAP allows crazy cap-setting silliness, and is disabled by init SECURITY_ FILE_CAPABILITI ES, CAP_SETPCAP behaves differently, so it is not disabled by init
- _without_ the CONFIG_
- with CONFIG_
What I'd like to understand this better is an example of a "vulnerable" and "safe" behavior. From there, I can build a kernel both ways, and verify that CONFIG_ SECURITY_ FILE_CAPABILITI ES is still safe.
Can someone give me an example to use that demonstrates the dangerous behavior?