
The Capability Override LSM is a kernel module for Linux which gives you the ability to specify that certain users/groups/programs are to gain access to one or more extra POSIX.1e capabilities. This means this LSM is a permissive module, rather than a restrictive one (which is more typical of LSMs). More information is in the FAQ and in the changelog.

The current version of CapOver, 0.9.3, was written and tested on Linux 2.6.8, and has not been updated to follow changing Linux kernel APIs. It does not currently compile on Linux 2.6.27.

The LSM is controlled via the use of a policy, which is passed through a policy compiler and then through sysctl (or /proc) to the module itself. As an example of what you can do, you can create a policy that says "whenever someone in the users or admins groups executes /usr/bin/gpg, give that process the CAP_IPC_LOCK capability" (which lets GnuPG lock memory). The policy just described looks like this:

ipc_lock {
   groups users,admins
   path /usr/bin/gpg
}

After the policy is compiled and given to the module, GnuPG will be able to lock memory (when run by someone in users or admins). In particular, this means that you wouldn't have to run GnuPG setuid root anymore.

Here is an example policy file which shows a number of interesting things you can do with CapOver:

# Note that policy.pl will probably choke on this due to all the strange user
# and group names. It's just an example...

# If not otherwise specified, audit processes that get extra caps
default_audit on

# let anything running gid/egid (crypto|realtime) lock memory
ipc_lock {
   path any
   group crypto,realtime
   # use the default audit value
}

# let anyone lock memory if they're running gpg; don't audit this
ipc_lock {
   path /usr/bin/gpg # doesn't need to be setuid anymore
   audit off
}

net_raw {
   path /bin/ping   # normally setuid root; not needed anymore
   audit off        # don't bother auditing everyone who uses ping
}

# let people in the admins group do network-related stuff
net_raw,net_admin {
   group admins
   audit on
   # implicit 'path any'
}

# let me do all kinds of stuff
net_admin,sys_admin,chown,setuid,setgid,net_raw {
   user lloyd
   path any # same as not setting it at all
   audit off # I'm invisible!
}

sys_admin {
   user bob     # presumably not in the admins group (otherwise the rule would
                # always be true for him, which would be bad)
   group admins # let bob do stuff, if the binary is setgid admins
   audit on
   # implicit 'path any'
}

# let any admin start a few servers without privs
#   (note that many of them need access to root-owned files, so this doesn't
#    work as-is).
net_bind {
   group admins # assumes there are one or more real users in this group
   path /usr/sbin/httpd
   path /usr/sbin/sshd
   path /usr/sbin/xinetd
   path /usr/sbin/snmpd
   # use the default audit value
}
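To make the rule matching concrete, here is a small parser and matcher for policy text in the format shown above. It is an added example, not CapOver's policy.pl or kernel code, and it assumes the grammar and semantics implied by the comments: '#' starts a comment, user/users and group/groups are synonyms, a rule with no path means 'path any', every predicate present in a rule must hold for the rule to fire (so the sys_admin rule needs both user bob and group admins), and within one predicate any listed value suffices.

```python
# Constructed policy in the page's format (a cut-down version of the one above).
SAMPLE_POLICY = """\
default_audit on
ipc_lock {
   path /usr/bin/gpg   # doesn't need to be setuid anymore
   audit off
}
net_raw,net_admin {
   group admins        # implicit 'path any'
}
sys_admin {
   user bob
   group admins        # both must hold: bob, via a setgid-admins binary
}
"""

def parse_policy(text):
    """Parse policy text into (default_audit, rules). Assumed grammar: '#' comments,
    'cap[,cap] {' blocks of user(s)/group(s)/path/audit; no 'path' == 'path any'."""
    default_audit, rules, cur = False, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        key, _, val = map(str.strip, line.partition(" "))
        if cur is None and key == "default_audit":
            default_audit = val == "on"
        elif cur is None and line.endswith("{"):       # start of a rule block
            cur = {"cap": [c.strip() for c in line[:-1].split(",")], "user": set(),
                   "group": set(), "path": set(), "audit": None}
            rules.append(cur)
        elif line == "}":
            cur = None
        elif key in ("user", "users", "group", "groups"):
            cur[key.rstrip("s")] |= {v.strip() for v in val.split(",")}
        elif key == "path" and val != "any":
            cur["path"].add(val)
        elif key == "audit":
            cur["audit"] = val == "on"
    return default_audit, rules

def extra_caps(policy, user, gids, path):
    """Map each capability the process gains to whether the grant is audited. Assumed:
    every predicate present in a rule must hold (AND); any listed value suffices (OR)."""
    default_audit, rules = policy
    granted = {}
    for r in rules:
        if (not r["user"] or user in r["user"]) and \
           (not r["group"] or not r["group"].isdisjoint(gids)) and \
           (not r["path"] or path in r["path"]):
            granted.update(dict.fromkeys(r["cap"], default_audit if r["audit"] is None else r["audit"]))
    return granted
```

Running `extra_caps(parse_policy(SAMPLE_POLICY), "bob", {"users", "admins"}, "/usr/bin/gpg")` shows bob picking up ipc_lock (unaudited), net_raw, net_admin and sys_admin (audited) in one go, which is exactly the kind of overlap the comment on the sys_admin rule above warns about.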

Note that while CapOver works quite well, it hasn't been independently audited for security bugs, nor has any experienced LSM hacker signed off on it. For that reason, I would strongly suggest you not use the current version in a production system without doing some testing of your own.