Global capability bounding set
This document contains a sample configuration of the global capability set (gB).
You will probably want your own global capability set to have the same contents,
no matter what your software and system configuration is. In any case, this gB
configuration was OK for our test system.
Use capadm -B -a to set your gB. Alternatively, you may use
capadm -G -f to set gB to full and then capadm -G -r to remove unwanted capabilities.
Global capability bounding set
------------------------------
gB = 0xFFFFFFE7FFFFFFFF
CAP_CHOWN               CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH     CAP_FOWNER
CAP_FSETID              CAP_KILL
CAP_SETGID              CAP_SETUID
CAP_SETPCAP             CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE    CAP_NET_BROADCAST
CAP_NET_ADMIN           CAP_NET_RAW
CAP_IPC_LOCK            CAP_IPC_OWNER
CAP_SYS_MODULE          CAP_SYS_RAWIO
CAP_SYS_CHROOT          CAP_SYS_PTRACE
CAP_SYS_PACCT           CAP_SYS_ADMIN
CAP_SYS_BOOT            CAP_SYS_NICE
CAP_SYS_RESOURCE        CAP_SYS_TIME
CAP_SYS_TTY_CONFIG      CAP_MKNOD
CAP_LEASE               RESERVED1
RESERVED2               CAP_LINSEC_ADMIN
CAP_PROC_PROTECTED      CAP_PROC_UNKILLABLE
CAP_PROC_GOD            CAP_SYS_BOOTTIME
CAP_MOD_CAP             CAP_ACD_OVERRIDE