
How to remove kernel capabilities?



Good morning everyone,

in the Securing Debian Manual it is described how to remove
CAP_LINUX_IMMUTABLE from the system, so that the file attributes 'i' and
'a' can't be changed afterwards (until the next reboot) [1]. That doesn't
seem to work in recent versions of Debian anymore, because -- if I
understand it right -- from Linux 2.6.25 on the capability bounding set
changed. Therefore, lcap was removed from Debian, and there is no
/proc/sys/kernel/cap-bound anymore.

Can I still achieve the same effect with a recent kernel (e.g. 3.2.54)?
How would I do that so no process can gain that capability? Or does that
section just need to be removed from the manual?

Cheers,
Simon


[1]
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.17


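An added example, not part of the post or of the Securing Debian Manual, showing what the post-2.6.25 mechanism looks like from C. Since Linux 2.6.25 the capability bounding set is no longer a system-wide value in /proc/sys/kernel/cap-bound but a per-thread attribute, read with prctl(PR_CAPBSET_READ) and shrunk with prctl(PR_CAPBSET_DROP); a drop is irreversible for that thread and is inherited by everything it later forks or execs, but it does not touch processes that are already running elsewhere. The closest replacement for the old lcap trick is therefore to drop CAP_LINUX_IMMUTABLE as early as possible in the process tree (from init or a wrapper around it), which only constrains that tree's descendants. The program assumes a Linux build host with the kernel uapi headers; the drop itself needs CAP_SETPCAP, so run it as root to see it succeed and as an ordinary user to see EPERM.

```c
/* Added example (not from the thread): remove CAP_LINUX_IMMUTABLE from the
 * per-thread capability bounding set on a Linux >= 2.6.25 kernel.
 * Build: cc -Wall -o capbset capbset.c
 * Assumes Linux uapi headers; the drop requires CAP_SETPCAP (run as root). */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>   /* CAP_LINUX_IMMUTABLE */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>          /* PR_CAPBSET_READ, PR_CAPBSET_DROP */
#include <sys/wait.h>
#include <unistd.h>

/* 1 if `cap` is in the calling thread's bounding set, 0 if not, -1 on error.
 * PR_CAPBSET_READ needs no privilege at all. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Remove `cap` from the calling thread's bounding set. Needs CAP_SETPCAP;
 * returns 0 on success, -1 (errno EPERM) otherwise. The removal cannot be
 * undone for this thread and is inherited across fork() and execve(). */
int drop_cap_from_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0);
}

/* Cross-check against the CapBnd line of /proc/self/status, which is what
 * an admin would inspect by hand. Returns 1/0, or -1 if unreadable. */
int capbnd_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapBnd:", 7) == 0) {
            unsigned long long mask = strtoull(line + 7, NULL, 16);
            result = (int)((mask >> cap) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    printf("before drop: CAP_LINUX_IMMUTABLE in bounding set = %d (CapBnd says %d)\n",
           cap_in_bounding_set(CAP_LINUX_IMMUTABLE), capbnd_has_cap(CAP_LINUX_IMMUTABLE));

    if (drop_cap_from_bounding_set(CAP_LINUX_IMMUTABLE) != 0) {
        printf("PR_CAPBSET_DROP failed: %s (CAP_SETPCAP required)\n", strerror(errno));
        return 1;
    }
    printf("after drop:  CAP_LINUX_IMMUTABLE in bounding set = %d (CapBnd says %d)\n",
           cap_in_bounding_set(CAP_LINUX_IMMUTABLE), capbnd_has_cap(CAP_LINUX_IMMUTABLE));

    /* Children inherit the reduced set: the child exits with the query
     * result, so the parent expects exit status 0 (= "not in set"). */
    pid_t pid = fork();
    if (pid == 0)
        _exit(cap_in_bounding_set(CAP_LINUX_IMMUTABLE));
    int status = 0;
    waitpid(pid, &status, 0);
    printf("child sees CAP_LINUX_IMMUTABLE in bounding set = %d\n",
           WIFEXITED(status) ? WEXITSTATUS(status) : -1);

    /* Any `chattr +i` / `chattr -i` exec'ed from this process tree now fails
     * with EPERM, even for root, because execve() bounds the new permitted
     * set by the bounding set. Processes outside the tree are unaffected. */
    return 0;
}
```

The drop only shrinks what later execs can obtain; it does not strip the capability from the calling process's own permitted set, and it cannot reach processes that were started before it ran. That is the practical difference from the old cap-bound sysctl, and why the manual's "no process can gain it" guarantee now has to come from doing the drop in PID 1 (or a wrapper around it) rather than from a later shell.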