-rw-r--r--security/advanced/frm_capabilities.tex25
1 files changed, 11 insertions, 14 deletions
diff --git a/security/advanced/frm_capabilities.tex b/security/advanced/frm_capabilities.tex
index 7e514df..5acd8e9 100644
--- a/security/advanced/frm_capabilities.tex
+++ b/security/advanced/frm_capabilities.tex
@@ -140,13 +140,13 @@ Distribution: /usr/include/linux/capability.h
\begin{columns}[onlytextwidth]
\begin{column}{0.45\textwidth}
\begin{beamerboxesrounded}[shadow=true]{Capability Set Handling}
- \begin{tiny}
+ \begin{scriptsize}
\begin{verbatim}
#include <sys/capability.h>
-int list_n = 1;
cap_t caps;
-cap_value_t list[list_n];
+int list_n = 1;
+cap_value_t list[1];
caps = cap_get_proc();
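Review bot: The array length and the element count are now two independent literals (`int list_n = 1;` and `cap_value_t list[1];`), and `list_n` is what the right-hand boxes pass to `cap_set_flag()` as the number of entries. A reader who extends the example by raising `list_n` without resizing the array gets a read past the end of `list`. Declaring the array first and deriving the count from it, `int list_n = sizeof(list) / sizeof(list[0]);`, keeps the two tied together. The verbatim listing continues outside this hunk.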
@@ -158,40 +158,37 @@ cap_set_proc(caps);
cap_free(caps);
\end{verbatim}
- \end{tiny}
+ \end{scriptsize}
\end{beamerboxesrounded}
\end{column}
\begin{column}{0.45\textwidth}
Capability Bitfield Modifications
\begin{beamerboxesrounded}[shadow=true]{gain (temp):}
- \begin{tiny}
+ \begin{scriptsize}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps, CAP_EFFECTIVE,
list_n, list, CAP_SET);
-cap_set_proc(caps);
\end{verbatim}
- \end{tiny}
+ \end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{drop (temp):}
- \begin{tiny}
+ \begin{scriptsize}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps,CAP_EFFECTIVE,
list_n, list,CAP_CLEAR);
-cap_set_proc(caps);
\end{verbatim}
- \end{tiny}
+ \end{scriptsize}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{drop (finally):}
- \begin{tiny}
+ \begin{scriptsize}
\begin{verbatim}
list[0] = CAP_NET_BIND_SERVICE;
cap_set_flag(caps,CAP_PERMITTED,
list_n, list,CAP_CLEAR);
-cap_set_proc(caps);
\end{verbatim}
- \end{tiny}
+ \end{scriptsize}
\end{beamerboxesrounded}
\end{column}
\end{columns}
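Review bot: With `cap_set_proc(caps);` removed from the three right-hand boxes, each snippet only edits the in-memory `cap_t`, and nothing on the slide says that the change reaches the process only through the `cap_set_proc(caps)` call in the left box. A short line under "Capability Bitfield Modifications", such as `(insert between cap_get_proc() and cap_set_proc())`, would close that gap. Separately, "drop (finally)" clears only `CAP_PERMITTED`: if the bit is still set in the effective set, `cap_set_proc()` is refused because the effective set must stay a subset of the permitted set, and since no return value is checked the process would silently keep the capability. Adding `cap_set_flag(caps, CAP_EFFECTIVE, list_n, list, CAP_CLEAR);` to that box, plus a remark that the return value of `cap_set_proc()` must be checked, would make the example safe to copy. The left-hand listing starts outside this hunk.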
@@ -208,7 +205,7 @@ Scenario for dropping capabilities in suid-root processes
\item effective: drop all
\item permitted: keep only required
\end{itemize}
-\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS))
+\item set SEC\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS, 1))
\item set all UIDs to non-zero
\item raise capability in effecive set before calling a privileged syscall
\item drop capability from effective set after syscall
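Review bot: `SEC\_KEEP\_CAPS` on the changed line is not the name used in capabilities(7); the securebit is `SECBIT_KEEP_CAPS`, and `prctl(PR_SET_KEEPCAPS, 1)` sets the equivalent flag. Suggest `\item set SECBIT\_KEEP\_CAPS (prctl(PR\_SET\_KEEPCAPS, 1))`. A sub-item noting that the flag preserves only the permitted set across the UID change and is cleared on execve would explain why the following bullets raise the capability in the effective set again. The context line after it also carries the typo `effecive`, and the enclosing list starts and ends outside the hunk.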