#1 2013-09-16 18:49:56

vroman
New member
From: Ciudad Real, Spain
Registered: 2013-07-01
Posts: 6

Adding "Linux capabilities" support on core packages

Hi everybody,

I was thinking about whether we should start adding support for Linux capabilities [1] to core packages. We can use the fcaps.eclass from Gentoo, which implements the "filecaps" USE flag, and take the work done by upstream, or avoid fcaps.eclass altogether and call the "setcap" program directly (provided by sys-libs/libcap). Linux capabilities do not depend on a hardened toolchain or hardened-sources, but they are a great way to enhance both desktop and server security.

The main reason to use Linux capabilities is security-enhanced deployments, reducing the number of installed setuid binaries by taking a "least privilege" approach. Despite its benefits, not all programs support capabilities, so this can only be applied to those ebuilds. This also needs a filesystem with extended attribute support.

I ran a quick grep over /usr/portage and these packages seem to use the "filecaps" USE flag for now:

app-cdr/cdrtools
app-emulation/libguestfs
app-emulation/qemu
gnome-base/gnome-keyring
net-analyzer/wireshark
net-misc/iputils
net-misc/netkit
sys-apps/systemd
sys-libs/libcap
x11-misc/i3status
net-misc/netkit-rsh
sys-libs/libcap

Upstream has masked the "filecaps" USE flag on other OSes like BSD because they implement the capabilities feature in a different way and fcaps.eclass currently doesn't wrap around the running OS kernel.

This post is a request for comments on what people think about this and which approach they think is better (or whether to leave things without capabilities support).

[1] http://linux.die.net/man/7/capabilities

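Added example, not part of the original post and not Gentoo's fcaps.eclass: a sketch of the direct "setcap" approach mentioned in the post above, which drops the setuid bit only once the capabilities have actually been stored, so a filesystem without extended attribute support leaves the binary as it was. The helper name `apply_caps`, the `SETCAP` override and the `cap_net_raw+ep` value in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: replace a setuid bit with file capabilities, least privilege
# first, with a safe fallback. Hypothetical helper, not fcaps.eclass code.

# Program used to write the security.capability xattr (from sys-libs/libcap).
# Overridable so the logic can be exercised without root.
SETCAP=${SETCAP:-setcap}

# apply_caps <capability-string> <file>
# Prints the resulting privilege model for the file:
#   caps   - capabilities stored, setuid bit removed
#   setuid - setcap failed (missing tool, no xattr support, not root);
#            the existing setuid bit is left untouched
#   none   - setcap failed and the file was never setuid
# Returns 2 on usage or chmod errors.
apply_caps() {
    caps=$1
    file=$2
    if [ ! -f "$file" ]; then
        echo "apply_caps: $file: not a regular file" >&2
        return 2
    fi
    # Try capabilities first. Only after they are stored is it safe to
    # remove setuid; doing it in the other order could leave the program
    # with no privilege at all if the filesystem rejects the xattr.
    if "$SETCAP" "$caps" "$file" 2>/dev/null; then
        chmod u-s "$file" || return 2
        echo caps
    elif [ -u "$file" ]; then
        echo setuid
    else
        echo none
    fi
}

# Usage (as root), for example for ping from net-misc/iputils:
#   sh this-script cap_net_raw+ep /bin/ping
if [ $# -eq 2 ]; then
    apply_caps "$@"
fi
```
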

#2 2013-09-16 21:09:12

angry_vincent
Staff
From: Ukraine
Registered: 2010-10-07
Posts: 687

Re: Adding "Linux capabilities" support on core packages

net-misc/iputils is the only core package in this list.
