Capability Override LSM

Info

• Author: Jack Lloyd
• ChangeLog
• FAQ

Download

• CapOver LSM 0.9.3
• PGP Signature (Key)

Links

• LSM Docs
• Linux 2.6

The Capability Override LSM (Linux Security Module), is a kernel module which gives you the ability to specify that certain users/groups/programs are to gain access to one or more extra POSIX.1e capabilities. This means this LSM is a permissive module, rather than a restrictive one (which is more typical of LSMs).

The LSM is controlled via the use of a policy, which is passed through a policy compiler and then through sysctl (or /proc) to the module itself. As an example of what you can do, you can create a policy that says "whenever someone in the users or admins groups executes /usr/bin/gpg, give that process the CAP_IPC_LOCK capability" (which lets GnuPG lock memory). The policy just described looks like this:

ipc_lock {
   groups users,admins
   path /usr/bin/gpg
}

After the policy is compiled and given to the module, GnuPG will be able to lock memory (when run by someone in users or admins). In particular, this means that you wouldn't have to run GnuPG setuid root anymore.

You can also view an example policy, which is perhaps commented a little too much, but it does show what kind of things the policy is capable of expressing.

Note that while CapOver works quite well, it hasn't been independently audited for security bugs, nor has any experienced LSM hacker signed off on it. For that reason, I would strongly suggest you not use the current version in a production system without doing some testing of your own.