previous: https://boards.4chan.org/g/thread/108466244/
#define __NR_capget 125
#define __NR_capset 126
https://man7.org/linux/man-pages/man2/capset.2.html
https://man7.org/linux/man-pages/man7/capabilities.7.html
tl;dr:
manage process capabilities
capabilities! really interesting subject. there are like five million different security/permission/capability management systems on linux, and this is one of them. it's actually one of the more important and widely used ones, too. i will give a brief (and certainly biased) overview of the ones i feel actually matter (to most people)
>CAP_BPF
for bpf, of course
>CAP_DAC_OVERRIDE
to override file ownership
>CAP_KILL
to signal processes!
>CAP_NET_*
need i even say it?
>CAP_SETUID
for suid binaries
>CAP_SYS_ADMIN
so fucking overloaded i won't even begin to describe it
>CAP_SYS_NICE
it's important to be nice ^_^
>CAP_SYS_PTRACE
god i love ptrace,,,,
>CAP_SYS_RESOURCE
override rlimits! open all the things
the thread capability set model (permitted, inheritable, effective, bounding, and ambient) is pretty complicated, but seems comprehensive. it's certainly an interesting approach to the problem. it's just really hard to follow sometimes lol
anyone else have experience with these? they're common enough that i would be pretty surprised if no one here had run into them while building software. what'd you run into, how'd you approach it, and what was the end result? share with the class!
relevant resources:
man man
man syscalls
https://man7.org/linux/man-pages/
https://linux.die.net/man/
https://elixir.bootlin.com/linux/
https://elixir.bootlin.com/musl/
https://elixir.bootlin.com/glibc/
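The five thread capability sets named in the post are easiest to follow through the execve() transformation rules documented in capabilities(7). The C model below is an added example, not part of the original post. It assumes a non-root thread and default securebits, and it does not model the EPERM check for capability-dumb binaries. The struct names, the sample thread and file states, and the `NBS` shorthand are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Bit numbers as in linux/capability.h (defined here so the file is portable). */
#define CAP_KILL              5
#define CAP_NET_BIND_SERVICE 10
#define BIT(c) (1ULL << (c))
#define NBS BIT(CAP_NET_BIND_SERVICE)   /* shorthand used only in this example */

struct thread_caps { uint64_t permitted, inheritable, effective, bounding, ambient; };
/* File capabilities (security.capability xattr); effective is a single flag. */
struct file_caps { uint64_t permitted, inheritable; int effective, setid; };

/* Constructed sample states, not taken from a real system. */
static const struct thread_caps PLAIN_THREAD = { 0, 0, 0, ~0ULL, 0 };
static const struct thread_caps INH_ONLY = { 0, NBS, 0, ~0ULL, 0 };
static const struct thread_caps AMBIENT_THREAD = { NBS, NBS, NBS, ~0ULL, NBS };
static const struct file_caps NO_FCAPS = { 0, 0, 0, 0 };
static const struct file_caps BIND_EP = { NBS, 0, 1, 0 };
static const struct file_caps KILL_EP = { BIT(CAP_KILL), 0, 1, 0 };

/* Capability sets of a non-root thread after execve(), per capabilities(7). */
struct thread_caps caps_after_execve(struct thread_caps p, struct file_caps f)
{
    struct thread_caps n;
    /* A "privileged" file has file capabilities or a set-user/group-ID bit. */
    int privileged = f.permitted || f.inheritable || f.effective || f.setid;
    n.ambient = privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable)
                | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;   /* unchanged across execve */
    n.bounding = p.bounding;         /* unchanged across execve */
    return n;
}

static void show(const char *what, struct thread_caps p, struct file_caps f)
{
    struct thread_caps n = caps_after_execve(p, f);
    printf("%-32s permitted=%#llx effective=%#llx ambient=%#llx\n", what,
           (unsigned long long)n.permitted, (unsigned long long)n.effective,
           (unsigned long long)n.ambient);
}

int main(void)
{
    show("plain thread, file +ep", PLAIN_THREAD, BIND_EP);
    show("inheritable only, plain file", INH_ONLY, NO_FCAPS);
    show("ambient thread, plain file", AMBIENT_THREAD, NO_FCAPS);
    show("ambient thread, file with caps", AMBIENT_THREAD, KILL_EP);
}
```

The second and third rows show why the ambient set exists: an inheritable-only capability is lost when executing a file without capabilities, while an ambient one carries over. The fourth row shows the ambient set being cleared as soon as the executed file is privileged.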