From 0c92194eeee9c1fd58580ef852c11eb1861d6dee Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Sat, 24 Jun 2017 16:04:34 +0200 Subject: setpriv: support modifying the set of ambient capabilities Right now, we do not support modifying the set of ambient capabilities, which has been introduced quite recently with Linux 4.3. As libcap-ng does not yet provide any ability to modify this set, we do have to roll our own support via `prctl`, which is now easy to do due to the indirections introduced in the preceding commits. We add a new command line argument "--ambient-caps", which uses the same syntax as both "--inh-caps" and "--bounding-set" to specify either adding or dropping capabilities. This commit also adjusts documentation to mention the newly introduced ability to modify the ambient capability set. Based on a patch by Andy Lutomirski. Reviewed-by: Andy Lutomirski Signed-off-by: Patrick Steinhardt --- sys-utils/setpriv.1 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'sys-utils/setpriv.1') diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index be97c0799..b0cc33a2b 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 @@ -27,8 +27,8 @@ mostly useless, information. Incompatible with all other options. .B \-\-groups \fIgroup\fR... Set supplementary groups. The argument is a comma-separated list. .TP -.BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... -Set the inheritable capabilities or the capability bounding set. See +.BR \-\-inh\-caps " (" + | \- ) \fIcap "... or " \-\-ambient-caps " (" + | \- ) \fIcap "... or " \-\-bounding\-set " (" + | \- ) \fIcap ... +Set the inheritable capabilities, ambient capabilities or the capability bounding set. See .BR capabilities (7). The argument is a comma-separated list of .BI + cap 
@@ -40,7 +40,9 @@ and .B \-all can be used to add or remove all caps. The set of capabilities starts out as the current inheritable set for -.B \-\-inh\-caps +.BR \-\-inh\-caps , +the current ambient set for +.B \-\-ambient\-caps and the current bounding set for .BR \-\-bounding\-set . If you drop something from the bounding set without also dropping it from the -- cgit v1.2.3-55-g7522
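Review bot: in the first hunk the new option name is escaped inconsistently with the rest of the man page: the `.BR` line writes `\-\-ambient-caps` with a plain hyphen between "ambient" and "caps", while the neighbouring options use `\-\-inh\-caps` and `\-\-bounding\-set`, and the second hunk itself writes `\-\-ambient\-caps`. In groff an unescaped `-` is a typographic hyphen rather than the minus sign produced by `\-`, so the option would render differently from the others (and copy-paste from some viewers would yield a different character). Suggest `\-\-ambient\-caps` on that line. While touching the description, it would also help to say that a capability can only be raised into the ambient set if it is already in the inheritable (and permitted) set, as capabilities(7), which the paragraph already cites, describes; without that, a user who passes `--ambient-caps +cap` without a matching `--inh-caps +cap` will get an error that the page gives no hint about.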
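Review bot: the second hunk only extends the "starts out as" sentence, but the paragraph that follows it ("If you drop something from the bounding set without also dropping it from the ...") documents the interaction between the bounding and inheritable sets and now leaves the ambient set out. Since the kernel clears a capability from the ambient set whenever it is dropped from the inheritable or permitted set, a `--inh-caps -cap` or bounding-set drop silently affects ambient capabilities too; a sentence to that effect in the same paragraph would keep the three sets' documentation consistent. The `.BR \-\-inh\-caps ,` form (comma in roman after the bold option) is correct and matches the existing `.BR \-\-bounding\-set .` usage.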