The Capability Override LSM is a Linux kernel module which, when installed, gives processes running with certain (admin-configured) user or group IDs access to one or more POSIX.1e capabilities.
|Tags||Security Operating System Kernels Linux|
|Operating Systems||POSIX Linux|
Release Notes: The module has been fixed to handle some API changes in recent 2.6 kernels.
Release Notes: SMP issues in the module have been fixed. The policy compiler now has a fairly solid warning mechanism. Support for CAP_SETPCAP was removed due to security issues.
Release Notes: This version fixes a few bugs in the policy compiler, including one that caused it to have problems using the 'users' group. Symlink handling has also been much improved.
Release Notes: Rule checks are done at program load rather than for each system call, so there is less overhead. The policy can specify which rules should cause audit data to be produced. The policy compiler has much better error checking. Several bugs in the module were fixed, including a memory leak, and a race that occurred when using path checks.
Release Notes: Processes can now be authorized based on the path of the executable. The policy mechanism has been completely redesigned, and is significantly more flexible and powerful. Several bugs of varying severity have been fixed. The documentation now includes a short howto on configuring a policy for your site.