The Capability Override LSM is a kernel module for Linux which gives you the ability to specify that certain users/groups/programs are to gain access to one or more extra POSIX.1e capabilities. This means this LSM is a permissive module, rather than a restrictive one (which is more typical of LSMs). More information in the FAQ and in the changelog.
The current version of CapOver, 0.9.3, was written and tested on Linux 2.6.8, and has not been updated to follow changing Linux kernel APIs. It does not currently compile on Linux 2.6.27.
The LSM is controlled via the use of a policy, which is passed through a policy compiler and then through sysctl (or /proc) to the module itself. As an example of what you can do, you can create a policy that says "whenever someone in the users or admins groups executes /usr/bin/gpg, give that process the CAP_IPC_LOCK capability" (which lets GnuPG lock memory). The policy just described looks like this:

    ipc_lock { groups users,admins path /usr/bin/gpg }

After the policy is compiled and given to the module, GnuPG will be able to lock memory (when run by someone in users or admins). In particular, this means that you wouldn't have to run GnuPG setuid root anymore.
Here is an example policy file which shows a number of interesting things you can do with CapOver:
    # Note that policy.pl will probably choke on this due to all the strange user
    # and group names. It's just an example...

    # If not otherwise specified, audit processes that get extra caps
    default_audit on

    # let anything running gid/egid (crypto|realtime) lock memory
    ipc_lock {
        path any
        group crypto,realtime
        # use the default audit value
    }

    # let anyone lock memory if they're running gpg; don't audit this
    ipc_lock {
        path /usr/bin/gpg   # doesn't need to be setuid anymore
        audit off
    }

    net_raw {
        path /bin/ping      # normally setuid root; not needed anymore
        audit off           # don't bother auditing everyone who uses ping
    }

    # let people in the admins group do network-related stuff
    net_raw,net_admin {
        group admins
        audit on            # implicit 'path any'
    }

    # let me do all kinds of stuff
    net_admin,sys_admin,chown,setuid,setgid,net_raw {
        user lloyd
        path any            # same as not setting it at all
        audit off           # I'm invisible!
    }

    sys_admin {
        user bob            # presumably not in the admins group (otherwise the rule would
                            # always be true for him, which would be bad)
        group admins        # let bob do stuff, if the binary is setgid admins
        audit on            # implicit 'path any'
    }

    # let any admin start a few servers without privs
    # (note that many of them need access to root-owned files, so this doesn't
    # work as-is).
    net_bind {
        group admins        # assumes there are one or more real users in this group
        path /usr/sbin/httpd
        path /usr/sbin/sshd
        path /usr/sbin/xinetd
        path /usr/sbin/snmpd
        # use the default audit value
    }
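As an added example (not the project's policy.pl or module code), here is a small Python parser and evaluator for the policy syntax shown above, useful for checking what a policy would actually grant to a given user, group set and binary before loading it. It assumes that the user, group and path conditions inside one rule are ANDed, that repeated keys and comma-separated lists are ORed, that user/users and group/groups are synonyms, and that a rule with no path (or "path any") matches every binary.

```python
import re
import shlex

# Constructed sample policy in the CapOver syntax shown on this page (not a real site's policy).
POLICY = """
default_audit on
ipc_lock { groups users,admins path /usr/bin/gpg audit off }   # gpg need not be setuid
net_raw { path /bin/ping audit off }
sys_admin { user bob group admins audit on }                    # bob, via a setgid-admins binary
net_bind { group admins path /usr/sbin/httpd path /usr/sbin/sshd }
"""

def parse_policy(text):
    """Return (default_audit, rules). Assumption: repeated keys and comma lists are ORed."""
    text = re.sub(r"#[^\n]*", "", text)                  # drop '#' comments first
    default_audit = False
    for m in re.finditer(r"^\s*default_audit\s+(on|off)", text, re.M):
        default_audit = m.group(1) == "on"
    rules = []
    for caps, body in re.findall(r"([\w,]+)\s*\{([^}]*)\}", text):
        rule = {"caps": set(caps.split(",")), "user": set(), "group": set(),
                "path": set(), "audit": None}            # audit None -> use default_audit
        toks = shlex.split(body)
        for key, val in zip(toks[::2], toks[1::2]):
            if key == "audit":
                rule["audit"] = (val == "on")
            elif key in ("user", "users", "group", "groups", "path"):
                rule[key.rstrip("s")].update(val.split(","))
        rules.append(rule)
    return default_audit, rules

def grant(rules, default_audit, user, groups, path):
    """Extra capabilities (and whether to audit) for `user` in `groups` executing `path`.
    Assumption: conditions inside one rule are ANDed; no path (or 'path any') matches everything."""
    caps, audit = set(), False
    for r in rules:
        if r["user"] and user not in r["user"]:
            continue
        if r["group"] and not (r["group"] & set(groups)):
            continue
        if r["path"] and "any" not in r["path"] and path not in r["path"]:
            continue
        caps |= r["caps"]
        audit = audit or (default_audit if r["audit"] is None else r["audit"])
    return caps, audit

DEFAULT_AUDIT, RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for who in [("alice", ["users"], "/usr/bin/gpg"), ("bob", ["admins"], "/usr/sbin/sshd"),
                ("bob", ["staff"], "/usr/sbin/sshd")]:
        print(who, "->", grant(RULES, DEFAULT_AUDIT, *who))
```

Note how bob gets sys_admin only when the admins group condition also holds, which is exactly the AND behaviour the comment on the bob rule in the example policy relies on.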
Note that while CapOver works quite well, it hasn't been independently audited for security bugs, nor has any experienced LSM hacker signed off on it. For that reason, I would strongly suggest you not use the current version in a production system without doing some testing of your own.