context/lxcaps: improve wording and table format

steveej 2017-01-18 16:54:28 +01:00
parent d459e1fdb1
commit 909c877b82
2 changed files with 19 additions and 17 deletions


@ -150,31 +150,31 @@ If another process is then moved to this mount-namespace it could automatically
\subsubsection{Capabilities}
\label{sect:lpc-caps}
\Glspl{lxcap} provide a mechanism for fine-grained permission control for \gls{Linux} processes and programs files.\cite{Hallyn2008}.
Conventionally, applications that require elevated privileges are started by \textit{root\footnote{the administrator account on \gls{Linux}}}.
By dropping specific unneeded capabilities, the risk of running an applications that needs some but not all of the \textit{root} privileges can be heavily reduced.
Conventionally, applications that require elevated privileges are set up to run as \textit{root\footnote{the administrator account on \gls{Linux}}} and therefore have \textbf{full} system privileges.
By being able to drop specific unneeded capabilities, the risk in running applications that needs some, but not all, of the \textit{root} privileges can be heavily reduced because.
\ctable[
cap = \Glspl{lxcap},
caption = \Glspl{lxcap}\footnote{from \textit{CAPABILITIES(7)}},
maxwidth = \textwidth,
label = tab:lxcap,
]{c}{}{
\FL CAP\_AUDIT\_CONTROL, CAP\_AUDIT\_READ, CAP\_AUDIT\_WRITE
\NN CAP\_BLOCK\_SUSPEND, CAP\_CHOWN, CAP\_DAC\_OVERRIDE
\NN CAP\_DAC\_READ\_SEARCH, CAP\_FOWNER, CAP\_FSETID
\NN CAP\_IPC\_LOCK, CAP\_IPC\_OWNER, CAP\_KILL
\NN CAP\_LEASE, CAP\_LINUX\_IMMUTABLE, CAP\_MAC\_ADMIN
\NN CAP\_MAC\_OVERRIDE, CAP\_MKNOD, CAP\_NET\_ADMIN
\NN CAP\_NET\_BIND\_SERVICE, CAP\_NET\_BROADCAST, CAP\_NET\_RAW
\NN CAP\_SETGID, CAP\_SETFCAP, CAP\_SETPCAP
\NN CAP\_SETUID, CAP\_SYS\_ADMIN, CAP\_SYS\_BOOT
\NN \textbf{CAP\_SYS\_CHROOT}, CAP\_SYS\_MODULE, CAP\_SYS\_NICE
\NN CAP\_SYS\_PACCT, CAP\_SYS\_PTRACE, CAP\_SYS\_RAWIO
\NN CAP\_SYS\_RESOURCE, CAP\_SYS\_TIME, CAP\_SYS\_TTY\_CONFIG
\NN CAP\_SYSLOG, CAP\_WAKE\_ALARM, CAP\_SETPCAP
]{X}{}{
\FL AUDIT\_CONTROL, AUDIT\_READ, AUDIT\_WRITE,
\NN BLOCK\_SUSPEND, CHOWN, DAC\_OVERRIDE,
\NN DAC\_READ\_SEARCH, FOWNER, FSETID
\NN IPC\_LOCK, IPC\_OWNER, KILL
\NN LEASE, LINUX\_IMMUTABLE, MAC\_ADMIN
\NN MAC\_OVERRIDE, MKNOD, NET\_ADMIN
\NN NET\_BIND\_SERVICE, NET\_BROADCAST, NET\_RAW
\NN SETGID, SETFCAP, SETPCAP
\NN SETUID, SYS\_ADMIN, SYS\_BOOT
\NN \textbf{SYS\_CHROOT}, SYS\_MODULE, SYS\_NICE
\NN SYS\_PACCT, SYS\_PTRACE, SYS\_RAWIO
\NN SYS\_RESOURCE, SYS\_TIME, SYS\_TTY\_CONFIG
\NN SYSLOG, WAKE\_ALARM, SETPCAP
}
At the time of writing \gls{Linux} the 39 capabilities that are known are listed in table \ref{tab:lxns}.
At the time of writing \gls{Linux} the 39 capabilities that are currently available are listed in table \ref{tab:lxns}.
They are listed explicitly for the sake of completeness, and as a demonstration of how many different privileges are distinguished today on \gls{Linux}.
As the focus for this project is not \gls{appc} per-se, but only the method of creation and form of distribution, it is not important to examine every listed \gls{lxcap}, but rather look at an interesting example.
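
Review bot: The rewritten sentence after the table still points at \ref{tab:lxns}, while the table in this hunk is declared with label = tab:lxcap, so the reference will resolve to the wrong table or stay undefined; change it to \ref{tab:lxcap}. That sentence also has no verb after \gls{Linux} ("At the time of writing \gls{Linux} the 39 capabilities ..."), and the new sentence above the table ends in a dangling "because." and reads "applications that needs". In the new table body SETPCAP appears both in the SETGID row and in the last row, so the 39 cells hold 38 distinct names, which does not match the "39 capabilities" stated in the text; please check the count against CAPABILITIES(7) and drop the duplicate. The first two new rows end in a trailing comma that the remaining rows do not have, and the context line "programs files.\cite{Hallyn2008}." carries a doubled period that could be cleaned up in the same pass.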


@ -32,8 +32,10 @@ This chapter explains the criteria for evaluating available \glspl{pm} for their
\item [Automatic Updates of Sources] {
`guix refresh` can update package sources according to defined updaters
}
\item [Native CI] { https://notabug.org/mthl/cuirass }
\end{description}
\section{Spack}
Spack (\url{https://github.com/LLNL/spack}) is a package manager written in Python.
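
Review bot: The Native CI item holds a bare URL, whereas the Spack line right below wraps its link in \url{...}; without \url the address is typeset as ordinary text, is not hyperlinked and cannot be broken across lines. Suggest { \url{https://notabug.org/mthl/cuirass} } with a short description in front, as the neighbouring items have. In the Automatic Updates item the Markdown-style backticks around guix refresh are typeset by LaTeX as quote characters rather than monospace; \texttt{guix refresh} would match the intent.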