Tuesday, July 25, 2017

Linux capabilities

1. Supported since kernel 2.2
2. Implemented through the security namespace of extended attributes (the security.* xattrs on the file)
3. Supported filesystems: Ext2, Ext3, Ext4, Btrfs, JFS, XFS, Reiserfs
4. Common commands: getcap, setcap

Capabilities list
CAP_AUDIT_CONTROL (since Linux 2.6.11)
CAP_AUDIT_WRITE (since Linux 2.6.11)
CAP_BLOCK_SUSPEND (since Linux 3.5)
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH
CAP_FOWNER
CAP_FSETID
CAP_IPC_LOCK
CAP_IPC_OWNER
CAP_KILL
CAP_LEASE (since Linux 2.4)
CAP_LINUX_IMMUTABLE
CAP_MAC_ADMIN (since Linux 2.6.25)
CAP_MAC_OVERRIDE (since Linux 2.6.25)
CAP_MKNOD (since Linux 2.4)
CAP_NET_ADMIN
CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST
CAP_NET_RAW
CAP_SETGID
CAP_SETFCAP (since Linux 2.6.24)
CAP_SETPCAP
CAP_SETUID
CAP_SYS_ADMIN
CAP_SYS_BOOT
CAP_SYS_CHROOT
CAP_SYS_MODULE
CAP_SYS_NICE
CAP_SYS_PACCT
CAP_SYS_PTRACE
CAP_SYS_RAWIO
CAP_SYS_RESOURCE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_SYSLOG (since Linux 2.6.37)
CAP_WAKE_ALARM (since Linux 3.0)

modes:
    e: Effective    The capability is “activated”: it is in effect for the process as soon as the file is executed.
    p: Permitted    The capability is allowed; the process may use it (raise it into its effective set).
    i: Inheritable  The capability can be carried across execve(), for example into child processes, subject to the new program's inheritable set.

Usage examples
getfattr -d -m "security\\." /bin/ping
getcap /bin/ping
setcap -r /bin/ping
setcap 'cap_net_admin,cap_net_raw+ep' /bin/ping
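The e/p/i flags and the getfattr dump above are two views of the same data: the security.capability extended attribute stores a struct vfs_cap_data, that is a revision word carrying the single effective bit, followed by permitted and inheritable bitmasks. The decoder below is an added example and not code from the original post. The capability bit numbers and revision constants are the ones from the kernel's <linux/capability.h>; the sample getfattr dump is constructed to match the `setcap 'cap_net_admin,cap_net_raw+ep' /bin/ping` command above (getfattr strips the leading slash from the path it prints); encode_getfattr_value, parse_getfattr_dump and format_like_getcap are hypothetical helper names chosen here.

```python
import base64
import struct

# Capability bit numbers from <linux/capability.h>, in bit order; the names are
# the ones in the list above, lower-cased the way getcap/setcap print them.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # the single "e" bit of the whole xattr
VFS_CAP_REVISION_1 = 0x01000000       # one 32-bit word per set, 12 bytes
VFS_CAP_REVISION_2 = 0x02000000       # two words per set, 20 bytes
VFS_CAP_REVISION_3 = 0x03000000       # v2 layout plus a root uid, 24 bytes

# Constructed sample: what `getfattr -d -m "security\\." /bin/ping` prints
# after `setcap 'cap_net_admin,cap_net_raw+ep' /bin/ping` (0s = base64 value).
SAMPLE_DUMP = """\
# file: bin/ping
security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
"""


def _names(mask):
    """Expand a bitmask into capability names, lowest bit first."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if (mask >> i) & 1]


def decode_vfs_cap(raw):
    """Decode the raw bytes of a security.capability xattr (struct vfs_cap_data)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        words = 1
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        words = 2
    else:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    permitted = inheritable = 0
    for w in range(words):  # each word holds 32 more capability bits
        p, i = struct.unpack_from("<II", raw, 4 + 8 * w)
        permitted |= p << (32 * w)
        inheritable |= i << (32 * w)
    rootid = None
    if revision == VFS_CAP_REVISION_3:  # user-namespace root id trails the sets
        (rootid,) = struct.unpack_from("<I", raw, 4 + 8 * words)
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
        "rootid": rootid,
    }


def encode_getfattr_value(permitted, inheritable, effective):
    """Build a revision-2 value in getfattr's 0s<base64> form (used to construct samples)."""
    p = sum(1 << CAP_NAMES.index(n) for n in permitted)
    i = sum(1 << CAP_NAMES.index(n) for n in inheritable)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    raw = struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)
    return "0s" + base64.b64encode(raw).decode("ascii")


def parse_getfattr_dump(text):
    """Parse `getfattr -d` output into {path: decoded capability sets}."""
    result, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        elif line.startswith("security.capability=") and path is not None:
            value = line.split("=", 1)[1]
            if value.startswith("0s"):
                raw = base64.b64decode(value[2:])
            elif value.startswith("0x"):
                raw = bytes.fromhex(value[2:])
            else:
                raise ValueError("unexpected encoding for %s: %s" % (path, value))
            result[path] = decode_vfs_cap(raw)
    return result


def format_like_getcap(info):
    """Render decoded sets in getcap's notation, e.g. cap_net_admin,cap_net_raw+ep."""
    groups = {}
    for name in sorted(set(info["permitted"]) | set(info["inheritable"]), key=CAP_NAMES.index):
        # file caps have one effective bit, so "e" appears on every permitted cap
        flags = (("e" if info["effective"] and name in info["permitted"] else "")
                 + ("i" if name in info["inheritable"] else "")
                 + ("p" if name in info["permitted"] else ""))
        groups.setdefault(flags, []).append(name)
    return " ".join(",".join(names) + "+" + flags for flags, names in sorted(groups.items()))


if __name__ == "__main__":
    for path, info in parse_getfattr_dump(SAMPLE_DUMP).items():
        print("/%s %s" % (path, format_like_getcap(info)))
```

Because the effective flag is a single bit on the whole attribute, a file cannot grant one capability as `+ep` and another as `+p`; when auditing a system, every permitted capability on a binary with the bit set becomes effective the moment the program starts.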

Copying a file together with its capabilities (the xattrs must be preserved, or the copy loses them)
cp -a $src $dst
rsync -X $src $dst
tar  -s, --preserve-order, --same-order
                             sort names to extract to match archive
     --selinux              Save the SELinux context to the archive
     --xattrs               (preserve extended attributes, which carry the capability set)
