File capabilities

Stored in the file's security.capability extended attribute (xattr).

Specify the capabilities granted to a thread that execs the file.

  • Permitted set.

    • Forced into the thread’s permitted set on exec.

    • First ANDed with the thread’s bounding set, so the bounding set caps what the file can grant.

  • Inheritable set.

    • ANDed with the thread’s inheritable set.

    • Can be used to reduce the effective set upon the exec.

  • Effective bit.

    • When set, all of the newly granted capabilities are also placed in the thread’s effective set.
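The following is an added worked example, not part of the original notes: it decodes a constructed security.capability xattr value (revision 2 or 3 layout from the kernel's vfs_cap_data / vfs_ns_cap_data structures) and then applies the exec rules listed above, i.e. file permitted ANDed with the thread's bounding set, file inheritable ANDed with the thread's inheritable set, and the effective bit copying the result into the effective set. The capability numbers and magic constants are the real kernel values; the thread state and the xattr bytes are constructed sample input, and the helper names are my own. Root and securebits special cases are left out, and the ambient set is omitted because the kernel clears it on exec of a file that carries capabilities.

```python
import struct

# Capability numbers from include/uapi/linux/capability.h (real values).
CAP_CHOWN = 0
CAP_NET_BIND_SERVICE = 10
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21

# security.capability header constants (real kernel values).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000


def caps(*numbers):
    """Build a 64-bit capability mask from capability numbers."""
    mask = 0
    for n in numbers:
        mask |= 1 << n
    return mask


def encode_security_capability(permitted, inheritable, effective, rootid=None):
    """Build a security.capability value (constructed test data, hypothetical helper).

    Layout: little-endian u32 magic_etc, then data[0] = {permitted lo, inheritable lo},
    data[1] = {permitted hi, inheritable hi}; revision 3 appends a rootid u32.
    """
    revision = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    magic_etc = revision | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    raw = struct.pack("<5I", magic_etc,
                      permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                      permitted >> 32, inheritable >> 32)
    if rootid is not None:
        raw += struct.pack("<I", rootid)
    return raw


def parse_security_capability(raw):
    """Decode a security.capability value; returns (permitted, inheritable, effective_bit, rootid).

    rootid is None for revision 2. Unsupported revisions and wrong lengths are rejected,
    which is the check a verifier of on-disk file capabilities should make.
    """
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == VFS_CAP_REVISION_2:
        expected_len, rootid = 20, None
    elif revision == VFS_CAP_REVISION_3:
        expected_len = 24
        if len(raw) == expected_len:
            rootid = struct.unpack_from("<I", raw, 20)[0]
    else:
        raise ValueError("unsupported security.capability revision 0x%08x" % revision)
    if len(raw) != expected_len:
        raise ValueError("bad security.capability length %d" % len(raw))
    perm_lo, inh_lo, perm_hi, inh_hi = struct.unpack_from("<4I", raw, 4)
    permitted = (perm_hi << 32) | perm_lo
    inheritable = (inh_hi << 32) | inh_lo
    return permitted, inheritable, effective, rootid


def exec_transform(thread_inheritable, thread_bounding,
                   file_permitted, file_inheritable, file_effective):
    """Thread capability sets after exec of a file carrying capabilities.

    P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
    P'(effective)   = P'(permitted) if F(effective) else 0
    P'(inheritable) = P(inheritable)
    The bounding set is what stops a file from granting more than the thread may hold.
    """
    new_permitted = (thread_inheritable & file_inheritable) | (file_permitted & thread_bounding)
    new_effective = new_permitted if file_effective else 0
    return new_permitted, new_effective, thread_inheritable


if __name__ == "__main__":
    # Constructed sample: file grants NET_BIND_SERVICE and SYS_ADMIN (permitted, effective),
    # inheritable NET_RAW; the calling thread's bounding set lacks SYS_ADMIN.
    raw = encode_security_capability(caps(CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN),
                                     caps(CAP_NET_RAW), True)
    f_perm, f_inh, f_eff, _ = parse_security_capability(raw)
    print(exec_transform(caps(CAP_CHOWN, CAP_NET_RAW),
                         caps(CAP_CHOWN, CAP_NET_BIND_SERVICE, CAP_NET_RAW),
                         f_perm, f_inh, f_eff))
```

In the sample run, CAP_SYS_ADMIN is dropped because it is outside the thread's bounding set, CAP_NET_RAW survives only because it is in both the thread's and the file's inheritable sets, and the effective bit makes the new permitted set effective immediately.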
