You only need special labels on an executable if its trying to raise the
effective capabilities. You don't need anything if the execuable is just
trying to lower them.
My favourite approach:
- use a capability segment in the ELF file to drop capabilities
- use filesystem extentions to mark an executable with raised caps
This is the fail-safe approach. The common task of dropping unwanted
capabilities can be easily implemented in a tool and filesystem independent way.
The more troublesome capability-raising issues are best left to the filesystem.
It doesn't matter too much if other filesystems and tools drop the extra info,
since that simply makes the process unprivileged - and if run as root it can
still drop the capabilities it doesn't want.
J
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/