selinux.vger.kernel.org archive mirror
* confusion regarding the setcap permission
@ 2025-10-14  4:13 Rahul Sandhu
  2025-10-14 12:33 ` Stephen Smalley
From: Rahul Sandhu @ 2025-10-14  4:13 UTC (permalink / raw)
  To: selinux

Hi,

I'm looking at the class process' permission setcap, and I'm a bit
confused as to what it actually grants. The SELinux Notebook describes
setcap as follows:
> Set Linux capabilities of process.
However I'm not really sure what's going on here:
1. What syscall is actually used to set capabilities of a process?
2. What processes is it allowed to set? Assuming that the process is
   started with dac_override (granted both on its executable file and
   the SELinux domain it runs in), would setcap allow it to only set
   dac_override? Would it allow it to set other permissions?

Thanks,
Rahul


* Re: confusion regarding the setcap permission
  2025-10-14  4:13 confusion regarding the setcap permission Rahul Sandhu
@ 2025-10-14 12:33 ` Stephen Smalley
From: Stephen Smalley @ 2025-10-14 12:33 UTC (permalink / raw)
  To: Rahul Sandhu; +Cc: selinux

On Tue, Oct 14, 2025 at 12:13 AM Rahul Sandhu <nvraxn@gmail.com> wrote:
>
> Hi,
>
> I'm looking at the class process' permission setcap, and I'm a bit
> confused as to what it actually grants. The SELinux Notebook describes
> setcap as follows:
> > Set Linux capabilities of process.
> However I'm not really sure what's going on here:
> 1. What syscall is actually used to set capabilities of a process?

capset(2), https://man7.org/linux/man-pages/man2/capset.2.html

> 2. What processes is it allowed to set? Assuming that the process is
>    started with dac_override (granted both on its executable file and
>    the SELinux domain it runs in), would setcap allow it to only set
>    dac_override? Would it allow it to set other permissions?

The capability security module enforces a set of restrictions over
which capabilities can be set as per the man page or you can read the
code at https://elixir.bootlin.com/linux/v6.17.1/source/security/commoncap.c#L272.
SELinux just checks whether the current process is allowed to set
(change) the capabilities of the target process (which is now limited
to the current process; at one time it was possible to change the
capabilities of another process but this was removed). The actual
checking of individual capability permissions by SELinux is deferred
to the capable() hook which is called when the process tries to use
the capability. Hence, the SELinux check is really just a check of
whether the process can modify its own capabilities at runtime.

>
> Thanks,
> Rahul
>
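
An added example, not part of the thread and not kernel code: a simplified userspace model of the two stages the reply above describes, where capset(2) is limited by the capability module's subset rules plus one SELinux process:setcap check, and per-capability SELinux checks happen only in capable(). The struct names, verdict enum and policy fields are constructed for illustration, and the model assumes a process without CAP_SETPCAP.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE 1
#define CAP_NET_ADMIN    12
#define BIT(c) (1ULL << (c))

enum verdict { ALLOWED, DENIED_COMMONCAP, DENIED_SELINUX };
struct caps   { uint64_t eff, perm, inh, bset; };  /* process capability sets */
struct domain { int setcap; uint64_t cap_allow; }; /* constructed policy model */

static int subset(uint64_t a, uint64_t b) { return (a & ~b) == 0; }

/* Model of capset(2) on the calling process (assumes no CAP_SETPCAP). */
enum verdict model_capset(const struct domain *d, struct caps *c,
                          uint64_t eff, uint64_t perm, uint64_t inh)
{
    /* Capability module: limits on WHICH capabilities may be set. */
    if (!subset(inh, c->inh | c->perm) || !subset(inh, c->inh | c->bset))
        return DENIED_COMMONCAP;
    if (!subset(perm, c->perm) || !subset(eff, perm))
        return DENIED_COMMONCAP;
    /* SELinux: one process:setcap check, blind to the individual bits. */
    if (!d->setcap)
        return DENIED_SELINUX;
    c->eff = eff; c->perm = perm; c->inh = inh;
    return ALLOWED;
}

/* Model of the capable() hook, reached when a capability is used. */
enum verdict model_capable(const struct domain *d, const struct caps *c, int cap)
{
    if (!(c->eff & BIT(cap)))
        return DENIED_COMMONCAP;   /* not in the effective set */
    if (!(d->cap_allow & BIT(cap)))
        return DENIED_SELINUX;     /* SELinux capability class permission */
    return ALLOWED;
}

int main(void)
{
    /* The thread's scenario: domain and process both hold only dac_override. */
    struct domain d = { 1, BIT(CAP_DAC_OVERRIDE) };
    struct caps c = { BIT(CAP_DAC_OVERRIDE), BIT(CAP_DAC_OVERRIDE), 0, ~0ULL };
    uint64_t dac = BIT(CAP_DAC_OVERRIDE), net = BIT(CAP_NET_ADMIN);

    printf("add net_admin: %d\n", model_capset(&d, &c, dac | net, dac | net, 0));
    printf("drop effective: %d\n", model_capset(&d, &c, 0, dac, 0));
    printf("use dac_override: %d\n", model_capable(&d, &c, CAP_DAC_OVERRIDE));
    return 0;
}
```

In this model, holding setcap lets the process lower or re-raise dac_override within its permitted set, while adding net_admin is refused by the subset rules regardless of policy.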
