Setting Linux Capabilities

Daniel Golle daniel at makrotopia.org
Wed Aug 17 02:57:18 PDT 2022


On Wed, Aug 17, 2022 at 09:15:12AM +0000, Ravi Paluri (QUIC) wrote:
> > OpenWrt has procd-ujail, to set capabilities with it:
> > https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/sysntpd#L80
> > https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/ntpd.capabilities
> 
> Thanks Etienne for the pointers and letting us know that jailing needs to be enabled for capabilities to work.

You can also use procd/ujail to just drop/set capabilities WITHOUT
having to use the chroot-jail and other functionality at the same time.

> 
> Thanks,
> Ravi
> 
> -----Original Message-----
> From: Etienne Champetier <champetier.etienne at gmail.com> 
> Sent: Tuesday, August 16, 2022 5:34 PM
> To: Ravi Paluri (QUIC) <quic_rpaluri at quicinc.com>
> Cc: openwrt-devel at lists.openwrt.org
> Subject: Re: Setting Linux Capabilities
> 
> Hi Ravi,
> 
> Le mar. 16 août 2022 à 07:52, Ravi Paluri (QUIC) <quic_rpaluri at quicinc.com> a écrit :
> >
> > Hi Team,
> >     We would like to set below capabilities for our process.
> > * CAP_NET_ADMIN
> > * CAP_NET_RAW
> >
> > Do we need to use APIs mentioned in https://linux.die.net/man/3/cap_set_flag and https://linux.die.net/man/3/cap_set_proc to get this functionality?
> >
> > On Systemd, I see that this can be achieved by writing below lines in a service file.
> > CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW 
> > AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
> >
> > So, would like to know if there is anything similar that can be done in procd init scripts?
> 
> OpenWrt has procd-ujail, to set capabilities with it:
> https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/sysntpd#L80
> https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/ntpd.capabilities
> 
> Best
> Etienne
> 
> > Thanks,
> > Ravi
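As an added example, not code from this thread or from OpenWrt itself: a procd init script for a hypothetical daemon that needs only CAP_NET_ADMIN and CAP_NET_RAW, modelled on the sysntpd script and ntpd.capabilities file linked above. The daemon name, its binary path and the capabilities file path are assumptions; the five capability-set names are the ones ujail reads from its JSON file.

```shell
#!/bin/sh /etc/rc.common
# Added example (not from the thread): procd init script for a hypothetical
# "mydaemon" that only needs CAP_NET_ADMIN and CAP_NET_RAW.
USE_PROCD=1
START=90

CAPS_FILE=/etc/capabilities/mydaemon.json   # assumed install path
CAPS='"CAP_NET_ADMIN", "CAP_NET_RAW"'

# Write the ujail capabilities file. Every set lists only the two
# capabilities the daemon needs, so everything else is dropped; the
# "ambient" set is what lets an unprivileged user keep them across exec.
write_capabilities_file() {
	cat > "$1" <<EOF
{
	"bounding":    [ $CAPS ],
	"effective":   [ $CAPS ],
	"permitted":   [ $CAPS ],
	"inheritable": [ $CAPS ],
	"ambient":     [ $CAPS ]
}
EOF
}

start_service() {
	procd_open_instance
	procd_set_param command /usr/sbin/mydaemon -f   # assumed binary
	procd_set_param respawn
	# Run through ujail purely to set the capability sets: no jail mounts
	# are requested here, only the capabilities file, an unprivileged user
	# and no_new_privs so the process cannot regain privileges later.
	procd_add_jail mydaemon
	procd_set_param capabilities "$CAPS_FILE"
	procd_set_param user nobody
	procd_set_param group nogroup
	procd_set_param no_new_privs 1
	procd_close_instance
}
```

The capabilities file is normally installed by the package; write_capabilities_file is only there so the expected JSON shape is visible next to the script that references it.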