[PATCH RFC] Define CAP_SYSLOG

Kees Cook kees at ubuntu.com
Mon Mar 8 10:58:18 PST 2010


Hi Serge,

On Fri, Mar 05, 2010 at 02:56:07PM -0600, Serge E. Hallyn wrote:
> Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
> this off into a new CAP_SYSLOG privilege which we can sanely take away
> from a container through the capability bounding set.

Seems like a good idea, but it'll require code changes in libcap2,
libcap-ng, as well as manpages.

I support the idea -- more stuff needs to be extracted from CAP_SYS_ADMIN,
but this is a nice distinct subsystem to do now.

Acked-By: Kees Cook <kees.cook at canonical.com>

-- 
Kees Cook
Ubuntu Security Team

