Process Capabilities

Linux kernel, as of version 2.2, supports Process Capabilities, as defined by POSIX 1003.6. With each process in a system three capability sets are associated:

• Inheritable set (pI): set of capabilities that can be inherited by a new process after a binary is executed by the running process.
• Permitted set (pP): maximum set of capabilities that a process may acquire during its lifetime i.e.. that can be in pE (below).
• Effective set (pE): set of capabilities that are currently used for access control.

LinSec Process Capabilities build on a slightly modified^4.4, still POSIX 1003.6 compliant, version of the Process Capabilities implemented in the Linux kernel.

Process capabilities are computed (Subsection 4.2.9), by LinSec specific algorithm, from File Capabilities (Subsection 4.2.5) and User Capabilities (Subsection 4.2.5). It is process capabilities that are used for access control checks in LinSec as they reflect both owning user's and application's privileges. When a process issues a access request for an capability protected object its effective capability set is checked for the required capabilities.

Footnotes

... modified^4.4

As stated in Section 5.8.