capabilities: added support for ambient capabilities.
author    Ismo Puustinen <ismo.puustinen@intel.com>
          Thu, 31 Dec 2015 12:54:44 +0000 (14:54 +0200)
committer Ismo Puustinen <ismo.puustinen@intel.com>
          Tue, 12 Jan 2016 10:14:50 +0000 (12:14 +0200)
commit    755d4b67a471ed1a3472b8536cb51315d4e4e3c1
tree      8a0d604514b069463816768a326fb4a6f4f947d7
parent    a103496ca585e22bb5e386e3238b468d133f5659
capabilities: added support for ambient capabilities.

This patch adds support for ambient capabilities in service files. The
idea with ambient capabilities is that the exec'ed processes can run as a
non-root user and get some inherited capabilities, without having any
need to add the capabilities to the executable file.

You need at least Linux 4.3 to use ambient capabilities. SecureBit
keep-caps is automatically added when you use ambient capabilities and
wish to change the user.

An example system service file might look like this:

[Unit]
Description=Service for testing caps

[Service]
ExecStart=/usr/bin/sleep 10000
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW

After starting the service it has these capabilities:

CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000003fffffffff
CapAmb: 0000000000003000
src/basic/capability-util.c
src/basic/capability-util.h
src/basic/missing.h
src/core/dbus-execute.c
src/core/execute.c
src/core/execute.h
src/core/load-fragment-gperf.gperf.m4
src/core/load-fragment.c
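Worked example added by the editor; it is not part of this commit and not systemd's own code. It does by hand what the commit message describes systemd doing for a unit with User= and AmbientCapabilities=: set the keep-caps securebit, switch to the target user, re-populate the permitted/inheritable/effective sets, raise the ambient set with prctl(PR_CAP_AMBIENT), then exec. It also decodes the Cap* lines of a /proc/<pid>/status dump so the result can be checked against the five values quoted in the commit message (0x3000 is CAP_NET_ADMIN | CAP_NET_RAW), and checks the kernel invariant that an ambient capability must also be permitted and inheritable. Assumptions: raw prctl(2)/capset(2) instead of libcap, uid 65534 for "nobody", and the function names, which are the editor's.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT                /* new in Linux 4.3; older headers lack it */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* Bitmask in the layout /proc/<pid>/status prints: CAP_NET_ADMIN (12) and
   CAP_NET_RAW (13) give 0x3000, the value quoted in the commit message. */
static uint64_t cap_mask(const int *caps, size_t n) {
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        m |= (uint64_t)1 << caps[i];
    return m;
}

/* Find "<field>:<tab><hex>" in a status dump; 0 and *out on success, else -1. */
static int parse_cap_field(const char *status, const char *field, uint64_t *out) {
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            char *end;
            unsigned long long v = strtoull(p + flen + 1, &end, 16);
            if (end == p + flen + 1)
                return -1;                    /* no hex digits after the colon */
            *out = v;
            return 0;
        }
        p = strchr(p, '\n');
        if (p)
            p++;                              /* start of the next line */
    }
    return -1;
}

/* The kernel admits a capability to the ambient set only if it is also in
   permitted and inheritable, so CapAmb must lie within CapPrm & CapInh.
   Returns 1 if the dump obeys that, 0 if not, -1 if a field is missing. */
static int ambient_consistent(const char *status) {
    uint64_t inh, prm, amb;
    if (parse_cap_field(status, "CapInh", &inh) < 0 ||
        parse_cap_field(status, "CapPrm", &prm) < 0 ||
        parse_cap_field(status, "CapAmb", &amb) < 0)
        return -1;
    return (amb & ~(inh & prm)) == 0;
}

/* Drop from root to uid/gid and exec argv with caps in the ambient set, in the
   order the commit message describes (keep-caps, change user, raise ambient).
   Illustration only, not systemd's execute.c. Returns -1 with errno set. */
static int exec_with_ambient_caps(uid_t uid, gid_t gid, const int *caps, size_t n,
                                  char *const argv[]) {
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    uint64_t m = cap_mask(caps, n);

    /* SECURE_KEEP_CAPS: permitted survives the root -> non-root change; the
       kernel clears effective and ambient on that change regardless. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0)
        return -1;
    /* Shrink permitted to the wanted caps and copy them into effective and
       inheritable: PR_CAP_AMBIENT_RAISE needs permitted AND inheritable. */
    data[0].permitted = data[0].effective = data[0].inheritable = (uint32_t)m;
    data[1].permitted = data[1].effective = data[1].inheritable = (uint32_t)(m >> 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    for (size_t i = 0; i < n; i++)          /* pre-4.3 kernels fail here with EINVAL */
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, caps[i], 0, 0) < 0)
            return -1;
    /* execve() of a binary without file capabilities copies ambient into
       permitted and effective, hence CapPrm == CapEff == CapAmb after exec. */
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char **argv) {
    const int caps[] = { CAP_NET_ADMIN, CAP_NET_RAW };
    uid_t nobody = 65534;                     /* assumed uid of "nobody"; adjust */
    if (argc < 2 || geteuid() != 0) {
        fprintf(stderr, "usage (as root): %s /usr/bin/sleep 10000\n", argv[0]);
        return 1;
    }
    if (exec_with_ambient_caps(nobody, nobody, caps, 2, argv + 1) < 0)
        perror("exec_with_ambient_caps");
    return 1;
}
```

Run it as root with the same command the unit file uses, then compare `grep ^Cap /proc/$(pidof sleep)/status` with the block in the commit message; running it with `/bin/cat /proc/self/status` as the command prints the fields directly. Note that keep-caps only preserves the permitted set: the kernel still empties effective and ambient on the root-to-non-root change, which is why the capset() and the ambient raise have to come after setresuid(), not before.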