The Capability Override LSM is a kernel module for Linux which gives you the ability to specify that certain users/groups/programs are to gain access to one or more extra POSIX.1e capabilities. This means this LSM is a permissive module, rather than a restrictive one (which is more typical of LSMs). More information in the FAQ and in the changelog.
The current version of CapOver, 0.9.3, was written and tested on Linux 2.6.8, and has not been updated to follow changing Linux kernel APIs. It does not currently compile on Linux 2.6.27.
The LSM is controlled via the use of a policy, which is passed
through a policy compiler and then through sysctl (or
/proc) to the module itself. As an example of what you can
do, you can create a policy that says "whenever someone in the
users or admins groups executes
/usr/bin/gpg, give that process the CAP_IPC_LOCK
capability" (which lets GnuPG lock memory). The policy just described
looks like this:
ipc_lock {
groups users,admins
path /usr/bin/gpg
}
After the policy is compiled and given to the module, GnuPG will be
able to lock memory (when run by someone in users or
admins). In particular, this means that you wouldn't have
to run GnuPG setuid root anymore.
Here is an example policy file which shows a number of interesting things you can do with CapOver:
# Note that policy.pl will probably choke on this due to all the strange user
# and group names. It's just an example...
# If not otherwise specified, audit processes that get extra caps
default_audit on
# let anything running gid/egid (crypto|realtime) lock memory
ipc_lock {
path any
group crypto,realtime
# use the default audit value
}
# let anyone lock memory if they're running gpg; don't audit this
ipc_lock {
path /usr/bin/gpg # doesn't need to be setuid anymore
audit off
}
net_raw {
path /bin/ping # normally setuid root; not needed anymore
audit off # don't bother auditing everyone who uses ping
}
# let people in the admins group do network-related stuff
net_raw,net_admin {
group admins
audit on
# implicit 'path any'
}
# let me do all kinds of stuff
net_admin,sys_admin,chown,setuid,setgid,net_raw {
user lloyd
path any # same as not setting it at all
audit off # I'm invisible!
}
sys_admin {
user bob # presumably not in the admins group (otherwise the rule would
# always be true for him, which would be bad)
group admins # let bob do stuff, if the binary is setgid admins
audit on
# implicit 'path any'
}
# let any admin start a few servers without privs
# (note that many of them need access to root-owned files, so this doesn't
# work as-is).
net_bind {
group admins # assumes there are one or more real users in this group
path /usr/sbin/httpd
path /usr/sbin/sshd
path /usr/sbin/xinetd
path /usr/sbin/snmpd
# use the default audit value
}
Note that while CapOver works quite well, it hasn't been independently audited for security bugs, nor has any experienced LSM hacker signed off on it. For that reason, I would strongly suggest you not use the current version in a production system without doing some testing of your own.