capabilities

Author: cirosantilli

README.md

@@ -334,6 +334,9 @@ Includes Linux concepts and utilities that work on Linux, not necessarily in the
         1.  [anacron](anacron)
     1.  [logrotate](logrotate.md)
     1.  [xargs](xargs.md)
+1.  Security
+    1. [SELinux](selinux.md)
+    1. [Capabilities](capabilities.md)
 1.  [Bibliography](bibliography.md)
 
 ## WIP

capabilities.md

@@ -0,0 +1,21 @@
+# Capabilities
+
+    man capabilities
+
+Splits sudo into multiple permissions, similar to Android app permissions. TODO what system do Android app permissions use?
+
+Implemented on the Linux kernel, and modified with the `capset` and `capget` system calls.
+
+CLI programs are confusingly named `setcap` and `getcap`.
+
+`CAP_SYS_ADMIN` grants all capabilities, and is equivalent to the old root.
+
+`setcap` and `getcap` work on executables, e.g.:
+
+    sudo setcap cap_sys_admin+ep virt_to_phys_user.out
+
+now allows `virt_to_phys_user.out` to access `/proc/<pid>/pagemap`.
+
+It can be retrieved with:
+
+    getcap virt_to_phys_user.out

qemu.md

@@ -614,3 +614,5 @@ Then the heart of execution is:
     - `hw/i386/`: x86 machines, notably the huge `pc.c`
     - `hw/arm/`: ARM machines, e.g. `versatilepb.c`
 -   `-device` devices. Most directories.
+
+IRQ: final point seems to be: `arm_cpu_set_irq`

selinux.md

@@ -0,0 +1,37 @@
+# SELinux
+
+TODO.
+
+Superset of capabilities: <https://lwn.net/Articles/79553/>
+
+<https://en.wikipedia.org/wiki/Security-Enhanced_Linux>
+
+    sudo apt-get install attr setools selinux-utils
+
+    man capabilities
+
+Disabled by default on Ubuntu: <https://askubuntu.com/questions/481293/selinux-implementation-in-ubuntu>
+
+## sesearch
+
+TODO.
+
+## getenforce
+
+## setenforce
+
+Check if enabled:
+
+    getenforce
+
+Enable:
+
+    sudo setenforce 1
+
+TODO: goes through which kernel interface?
+
+## getcap
+
+## getfattr
+
+TODO.