author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-05-25 08:56:10 -0700 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2010-06-04 14:09:51 -0700 |
commit | 379c2618cfbc337625f809f63fd4cb22793eccf8 (patch) | |
tree | 752cb940ec834c316d8f5f71513734e0b4f485a3 | |
parent | 67151d699de7c046c9bd557bbadc5fe12950228e (diff) | |
Set file capability attributes
This sets file capability attributes during package
installation (and build) to allow better security models.
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 4 | ||||
-rw-r--r-- | sysconf/filecaps | 31 |
3 files changed, 36 insertions, 0 deletions
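--- a/Makefile.am
+++ b/Makefile.am
@@ -80,6 +80,7 @@ sysconf_DATA += sysconf/blacklist.DSA-1024
 sysconf_DATA += sysconf/blacklist.RSA-2048
 sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
+sysconf_DATA += sysconf/filecaps
 libudev_SCRIPTS = scripts/vyatta_net_name
 etcudev_DATA = sysconf/vyatta-net.rules
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -133,6 +133,10 @@ EOF
 done
 cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
+
+ # Set file capabilities
+ sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \
+ | xargs -i sh -c "setcap {}"
 fi
 # create needed directories
--- /dev/null
+++ b/sysconf/filecaps
@@ -0,0 +1,31 @@
+# List of files that get special attribute labeling
+
+# Network related utilities
+cap_net_admin=pe /usr/sbin/ethtool
+cap_net_admin=pe /sbin/tc
+cap_net_admin=pe /bin/ip
+cap_net_admin=pe /sbin/iptables
+cap_net_admin=pe /sbin/ip6tables
+cap_net_admin=pe /sbin/ipset
+cap_net_admin=pe /usr/sbin/conntrack
+cap_net_admin=pe /usr/sbin/arp
+cap_net_admin=pe /usr/sbin/brctl
+
+# Raw sockets
+cap_net_raw=pe /usr/bin/tshark
+cap_net_raw=pe /usr/sbin/tcpdump
+cap_net_raw=pe /bin/ping
+cap_net_raw=pe /bin/ping6
+
+# Special case to allow command login
+cap_audit_write=pe /bin/vbash
+
+# Allow changes to system settings
+cap_sys_admin=pe /sbin/sysctl
+
+# Module install
+cap_sys_module=pe /sbin/modprobe
+
+# Set time
+cap_sys_time=pe /bin/date
+cap_sys_time=pe /usr/sbin/ntpdate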
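Review bot: The new pipeline in the postinst hunk runs each filecaps line through a shell with `sh -c "setcap {}"`, so any shell metacharacter in that line is interpreted instead of being handed to setcap, and GNU xargs' `-i` is a deprecated spelling of `-I {}`; setcap(8) takes the capability spec and the path as two ordinary arguments, so the shell can be dropped entirely with `| xargs -L 1 setcap`. The file is shipped by this package, which limits the exposure, but the simpler form removes the question altogether. Separately, setcap fails for any listed path that does not exist (tshark or ntpdate need not be installed on every system), xargs then exits 123, and whether the postinst runs under `set -e`, which would abort the installation at that point, is not visible in the hunk; either skip missing paths explicitly or document that a non-zero exit here is accepted. The enclosing if-block starts outside the hunk.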
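Review bot: The header comment of sysconf/filecaps says only what the file lists, not the format the postinst in this commit depends on, so it should state it: `# One entry per line: "<cap-spec> <path>", passed verbatim to setcap(8); '#' lines and blank lines are ignored`. The comment should also say that a file capability applies to every user who can execute the binary, with no uid or group condition, so entries such as `cap_sys_admin=pe /sbin/sysctl` and `cap_sys_module=pe /sbin/modprobe` grant those privileges to anyone holding execute permission on the file; how execute permission on these binaries is restricted is not visible in this commit, and a one-line pointer to that policy would let a later maintainer judge whether a new entry is safe to add. A short note that `=pe` raises the permitted and effective sets only, not the inheritable set, would complete the header.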