Setting Linux Capabilities
Ravi Paluri (QUIC)
quic_rpaluri at quicinc.com
Wed Aug 17 02:15:12 PDT 2022
> OpenWrt has procd-ujail, to set capabilities with it:
> https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/sysntpd#L80
> https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/ntpd.capabilities
Thanks Etienne for the pointers and letting us know that jailing needs to be enabled for capabilities to work.
Thanks,
Ravi
-----Original Message-----
From: Etienne Champetier <champetier.etienne at gmail.com>
Sent: Tuesday, August 16, 2022 5:34 PM
To: Ravi Paluri (QUIC) <quic_rpaluri at quicinc.com>
Cc: openwrt-devel at lists.openwrt.org
Subject: Re: Setting Linux Capabilities
Hi Ravi,
On Tue, Aug 16, 2022 at 07:52, Ravi Paluri (QUIC) <quic_rpaluri at quicinc.com> wrote:
>
> Hi Team,
> We would like to set the below capabilities for our process.
> * CAP_NET_ADMIN
> * CAP_NET_RAW
>
> Do we need to use APIs mentioned in https://linux.die.net/man/3/cap_set_flag and https://linux.die.net/man/3/cap_set_proc to get this functionality?
>
> On Systemd, I see that this can be achieved by writing the below lines in a service file.
> CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
> AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
>
> So, would like to know if there is anything similar that can be done in procd init scripts?
OpenWrt has procd-ujail, to set capabilities with it:
https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/sysntpd#L80
https://github.com/openwrt/openwrt/blob/master/package/utils/busybox/files/ntpd.capabilities
Best
Etienne
> Thanks,
> Ravi
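
Added example, not part of the original thread or of OpenWrt's code: a shell check that a running service really ended up with CAP_NET_ADMIN and CAP_NET_RAW in its effective set and nothing else in its bounding set, read from the Cap* lines of /proc/<pid>/status. The function names and the two sample status snippets are constructed for illustration; the bit numbers 12 and 13 are the values from <linux/capability.h>.

```shell
#!/bin/sh
# Added example: audit a process's capability sets from /proc/<pid>/status.
CAP_NET_ADMIN=12   # bit numbers as defined in <linux/capability.h>
CAP_NET_RAW=13
WANTED=$(( (1 << $CAP_NET_ADMIN) | (1 << $CAP_NET_RAW) ))   # 0x3000

# cap_field STATUS_TEXT FIELD: print the hex mask of FIELD (CapEff, CapBnd, ...)
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT: succeed if BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_caps STATUS_TEXT: 0 if both capabilities are effective and the
# bounding set holds nothing else, 1 on a mismatch, 2 if fields are missing.
audit_caps() {
    eff=$(cap_field "$1" CapEff)
    bnd=$(cap_field "$1" CapBnd)
    if [ -z "$eff" ] || [ -z "$bnd" ]; then
        echo "no CapEff/CapBnd fields found" >&2
        return 2
    fi
    rc=0
    for bit in $CAP_NET_ADMIN $CAP_NET_RAW; do
        has_cap "$eff" "$bit" || { echo "effective set lacks bit $bit"; rc=1; }
    done
    extra=$(( 0x$bnd & ~$WANTED ))
    [ "$extra" -eq 0 ] || { printf 'bounding set has extra bits: 0x%x\n' "$extra"; rc=1; }
    return $rc
}

# Constructed samples (the real file separates name and value with a tab).
SAMPLE_JAILED='Name: mydaemon
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
CapAmb: 0000000000003000'
SAMPLE_ROOT='Name: mydaemon
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'

# Live use: pass a PID as the first argument.
if [ $# -gt 0 ]; then
    audit_caps "$(cat "/proc/$1/status")"
fi
```

Run it with the PID of the service; the exit status is 0 only when the process holds the two capabilities and its bounding set is limited to them.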