authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-05-25 08:56:10 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-06-04 14:09:51 -0700
commit379c2618cfbc337625f809f63fd4cb22793eccf8 (patch)
tree752cb940ec834c316d8f5f71513734e0b4f485a3
parent67151d699de7c046c9bd557bbadc5fe12950228e (diff)
Set file capability attributes
This sets file capability attributes during package installation (and build) to allow better security models.
-rw-r--r--Makefile.am1
-rw-r--r--debian/vyatta-cfg-system.postinst.in4
-rw-r--r--sysconf/filecaps31
3 files changed, 36 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index e4025c5b..e57021f1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -80,6 +80,7 @@ sysconf_DATA += sysconf/blacklist.DSA-1024
sysconf_DATA += sysconf/blacklist.RSA-2048
sysconf_DATA += sysconf/level
sysconf_DATA += sysconf/pam_radius.cfg
+sysconf_DATA += sysconf/filecaps
libudev_SCRIPTS = scripts/vyatta_net_name
etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 4265d14b..7778ea87 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -133,6 +133,10 @@ EOF
done
cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
+
+ # Set file capabilities
+ sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \
+ | xargs -i sh -c "setcap {}"
fi
# create needed directories
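Review bot: Each non-comment line of filecaps is pasted into a command string at `xargs -i sh -c "setcap {}"`, so root's shell parses the file's contents during install and a line containing `;`, backticks or `$(...)` would be executed rather than rejected. Reading the two fields and passing them as quoted arguments removes the extra shell: `| while read -r caps path; do setcap "$caps" "$path" || echo "setcap $caps $path failed" >&2; done`. That form also lets the script decide per entry whether a missing target (for example when tshark is not installed) should be fatal. The redirect should quote its path too, `<"$sysconfdir/filecaps"`. The enclosing `if` block starts outside the hunk.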
diff --git a/sysconf/filecaps b/sysconf/filecaps
new file mode 100644
index 00000000..80730334
--- /dev/null
+++ b/sysconf/filecaps
@@ -0,0 +1,31 @@
+# List of files that get special attribute labeling
+
+# Network related utilities
+cap_net_admin=pe /usr/sbin/ethtool
+cap_net_admin=pe /sbin/tc
+cap_net_admin=pe /bin/ip
+cap_net_admin=pe /sbin/iptables
+cap_net_admin=pe /sbin/ip6tables
+cap_net_admin=pe /sbin/ipset
+cap_net_admin=pe /usr/sbin/conntrack
+cap_net_admin=pe /usr/sbin/arp
+cap_net_admin=pe /usr/sbin/brctl
+
+# Raw sockets
+cap_net_raw=pe /usr/bin/tshark
+cap_net_raw=pe /usr/sbin/tcpdump
+cap_net_raw=pe /bin/ping
+cap_net_raw=pe /bin/ping6
+
+# Special case to allow command login
+cap_audit_write=pe /bin/vbash
+
+# Allow changes to system settings
+cap_sys_admin=pe /sbin/sysctl
+
+# Module install
+cap_sys_module=pe /sbin/modprobe
+
+# Set time
+cap_sys_time=pe /bin/date
+cap_sys_time=pe /usr/sbin/ntpdate
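Review bot: The `=pe` entries place the capability in the file's permitted and effective sets, so every user who can execute the binary receives it; for `cap_sys_module=pe /sbin/modprobe` and `cap_sys_admin=pe /sbin/sysctl` that is close to handing out root. Nothing in this commit restricts who may run these files, so unless mode or group ownership is tightened elsewhere, the labels widen privilege rather than narrow it. Consider inheritable sets such as `cap_sys_module=ei /sbin/modprobe`, with pam_cap granting the inheritable capability only to the intended accounts, or limiting execute permission to an operator group. A header comment stating the assumption, for example `# Targets must not be world-executable unless the capability is safe for all users`, would help the next editor. Capabilities set here may also be lost when the package owning a listed binary is upgraded, so they probably need reapplying from a trigger.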