[gentoo-user] Re: setcap fails: (Operation not supported)
On 2021-10-01, Laurence Perkins wrote:

> Doesn't it require xattrs?

Yes, I had xattrs enabled. That used to be enough to get setcap to work. It now also requires CONFIG_*_FS_SECURITY, which I didn't have enabled.

--
Grant
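An added example, not part of the thread: file capabilities are stored in the `security.capability` extended attribute, so the ext4 option named in this reply can be checked directly in a kernel config. The function names `fs_security_state` and `running_config` and the sample config are constructed for illustration; the optional second argument assumes the filesystem follows the CONFIG_<FS>_FS_SECURITY naming, which not every filesystem does.

```shell
#!/bin/sh
# Added example (not from the thread): classify a kernel .config by whether the
# filesystem security-label option discussed above is enabled.

# fs_security_state CONFIG_FILE [FSNAME] -> prints enabled | disabled | absent
fs_security_state() {
    cfg=$1
    fs=$(printf '%s' "${2:-ext4}" | tr '[:lower:]' '[:upper:]')
    opt="CONFIG_${fs}_FS_SECURITY"
    if grep -q "^${opt}=y\$" "$cfg"; then
        echo enabled
    elif grep -q "^# ${opt} is not set\$" "$cfg"; then
        echo disabled
    else
        echo absent   # filesystem not selected, or it has no such option
    fi
}

# running_config: print the running kernel's config if it is exposed.
# Both locations are conventions and may be missing on a given system.
running_config() {
    if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1
    fi
}

# Constructed sample: the state described in the thread (ext4 with POSIX ACLs
# on, security labels off), so the check can be tried without a real config.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_POSIX_ACL=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF
echo "sample config: ext4 security labels $(fs_security_state "$sample_cfg")"

# Live check, only if the running kernel exposes its config.
live_cfg=$(mktemp)
if running_config > "$live_cfg" 2>/dev/null; then
    echo "running kernel: ext4 security labels $(fs_security_state "$live_cfg")"
fi
rm -f "$sample_cfg" "$live_cfg"
```

A result of `disabled` matches the failing setup in the thread; `absent` means the config does not offer the option at all, so it says nothing either way about that filesystem.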
RE: [gentoo-user] Re: setcap fails: (Operation not supported)
Doesn't it require xattrs? I vaguely remember running into that at one point years ago. Not sure if the other flags you're using will force xattr support on or not, but it's worth checking.

LMP

-----Original Message-----
From: Grant Edwards
Sent: Thursday, September 30, 2021 3:00 PM
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: setcap fails: (Operation not supported)

On 2021-09-30, Andrew Udvare wrote:
> On 30/09/2021 13:58, Grant Edwards wrote:
>> Still can't figure out how to get setcap to work
>
> Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?

No, I don't. Google has found me information that indicates that SELinux and MAC (Mandatory Access Controls) require FS_SECURITY, but Google can't find any indication that FS_SECURITY is required for linux file capabilities. I should try enabling it and see...

Several years ago, I know I could set capabilities on executables (on a different Gentoo machine), and I don't remember it being difficult to get working at all...

--
Grant
[gentoo-user] Re: setcap fails: (Operation not supported)
On 2021-09-30, Andrew Udvare wrote:
> On 30/09/2021 13:58, Grant Edwards wrote:
>> Still can't figure out how to get setcap to work
>
> Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?

No, I don't. Google has found me information that indicates that SELinux and MAC (Mandatory Access Controls) require FS_SECURITY, but Google can't find any indication that FS_SECURITY is required for linux file capabilities. I should try enabling it and see...

Several years ago, I know I could set capabilities on executables (on a different Gentoo machine), and I don't remember it being difficult to get working at all...

--
Grant
Re: [gentoo-user] Re: setcap fails: (Operation not supported)
On 30/09/2021 13:58, Grant Edwards wrote:
> On 2021-09-30, Grant Edwards wrote:
>> On 2021-09-30, Grant Edwards wrote:
>>
>>> I'm trying to add NET_ADMIN capability to an executable that needs to
>>> create a tun interface. AFAICT, this is the command to do that:
>>>
>>>   $ sudo setcap cap_net_admin+ep example_app
>>>   Failed to set capabilities on file `example_app' (Operation not supported)
>>>
>>> The only possible cause for that message Google has been able to find
>>> is that the FS doesn't have xattr support.
>>
>> Is Posix ACL support required for setcap?
>>
>> I can't find any documentation of such a requirement, but it's the
>> only other thing I can think of...
>
> That's not it. I rebuilt my kernel with POSIX ACL support enabled for
> ext4, rebooted, and verified that ACLs now work.
>
> Still can't figure out how to get setcap to work
>
>   # file example_app
>   example_app: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped
>
>   # setcap cap_net_admin,cap_net_raw+eip example_app
>   Failed to set capabilities on file `example_app' (Operation not supported)
>
> --
> Grant

Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?
[gentoo-user] Re: setcap fails: (Operation not supported)
On 2021-09-30, Grant Edwards wrote:
> On 2021-09-30, Grant Edwards wrote:
>
>> I'm trying to add NET_ADMIN capability to an executable that needs to
>> create a tun interface. AFAICT, this is the command to do that:
>>
>>   $ sudo setcap cap_net_admin+ep example_app
>>   Failed to set capabilities on file `example_app' (Operation not supported)
>>
>> The only possible cause for that message Google has been able to find
>> is that the FS doesn't have xattr support.
>
> Is Posix ACL support required for setcap?
>
> I can't find any documentation of such a requirement, but it's the
> only other thing I can think of...

That's not it. I rebuilt my kernel with POSIX ACL support enabled for ext4, rebooted, and verified that ACLs now work.

Still can't figure out how to get setcap to work

  # file example_app
  example_app: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped

  # setcap cap_net_admin,cap_net_raw+eip example_app
  Failed to set capabilities on file `example_app' (Operation not supported)

--
Grant
[gentoo-user] Re: setcap fails: (Operation not supported)
On 2021-09-30, Grant Edwards wrote:

> I'm trying to add NET_ADMIN capability to an executable that needs to
> create a tun interface. AFAICT, this is the command to do that:
>
>   $ sudo setcap cap_net_admin+ep example_app
>   Failed to set capabilities on file `example_app' (Operation not supported)
>
> The only possible cause for that message Google has been able to find
> is that the FS doesn't have xattr support.

Is Posix ACL support required for setcap?

I can't find any documentation of such a requirement, but it's the only other thing I can think of...

--
Grant