
[gentoo-user] setcap fails: (Operation not supported)


Grant Edwards
Sep 30, 2021, 1:30:03 PM
I'm trying to add NET_ADMIN capability to an executable that needs to
create a tun interface. AFAICT, this is the command to do that:

$ sudo setcap cap_net_admin+ep example_app
Failed to set capabilities on file `example_app' (Operation not supported)

The only possible cause for that message Google has been able to find
is that the FS doesn't have xattr support. It's an ext4 filesystem,
and I believe xattr support is enabled:

$ rm -f xattr-test
$ touch xattr-test
$ setfattr -n user.test -v "hello" xattr-test
$ getfattr -d xattr-test
# file: xattr-test
user.test="hello"

(AFAICT, there's no way to disable xattr support in ext4.)

I've also found sources that mention that in the kernel configuration
under 'enable different security models' you have to enable the
'capabilities' option. But, that option doesn't seem to exist in 5.10
kernels. The only occurrence of the string CAPAB in 5.10 Kconfig files
is CPU_THUMB_CAPABLE.

What do I need to do to get setcap to work?

--
Grant

Grant Edwards
Sep 30, 2021, 1:40:04 PM
On 2021-09-30, Grant Edwards <grant.b...@gmail.com> wrote:

> I'm trying to add NET_ADMIN capability to an executable that needs to
> create a tun interface. AFAICT, this is the command to do that:
>
> $ sudo setcap cap_net_admin+ep example_app
> Failed to set capabilities on file `example_app' (Operation not supported)
>
> The only possible cause for that message Google has been able to find
> is that the FS doesn't have xattr support.

Is Posix ACL support required for setcap?

I can't find any documentation of such a requirement, but it's the
only other thing I can think of...

--
Grant

Grant Edwards
Sep 30, 2021, 2:00:03 PM
That's not it. I rebuilt my kernel with POSIX ACL support enabled for
ext4, rebooted, and verified that ACLs now work.

Still can't figure out how to get setcap to work.

# file example_app
example_app: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, with debug_info, not stripped

# setcap cap_net_admin,cap_net_raw+eip example_app
Failed to set capabilities on file `example_app' (Operation not supported)

--
Grant

Andrew Udvare
Sep 30, 2021, 4:50:05 PM
Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?


Grant Edwards
Sep 30, 2021, 6:10:04 PM
On 2021-09-30, Andrew Udvare <aud...@gmail.com> wrote:
> On 30/09/2021 13:58, Grant Edwards wrote:

>> Still can't figure out how to get setcap to work

> Not sure if this is it, but do you have CONFIG_EXT4_FS_SECURITY enabled?

No, I don't.

Google has found me information that indicates that SELinux and MAC
(Mandatory Access Controls) require FS_SECURITY, but Google can't find
any indication that FS_SECURITY is required for linux file
capabilities.

I should try enabling it and see...

Several years ago, I know I could set capabilities on executables (on
a different Gentoo machine), and I don't remember it being difficult
to get working at all...

--
Grant

Grant Edwards
Oct 1, 2021, 3:30:04 PM
On 2021-10-01, Laurence Perkins <lper...@openeye.net> wrote:

> Doesn't it require xattrs?

Yes, I had xattrs enabled. That used to be enough to get setcap to work.

It now also requires CONFIG_*_FS_SECURITY, which I didn't have enabled.

--
Grant
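The thread's conclusion is that `user.*` xattrs working proves nothing about the `security.*` namespace, which is where `setcap` stores file capabilities (the `security.capability` attribute, holding a `struct vfs_cap_data` from `include/uapi/linux/capability.h`). The following is an added example, not code from any of the posters: it decodes and encodes that attribute, and on a live Linux file distinguishes "no capabilities set" (ENODATA) from "the kernel rejects `security.*` on this filesystem" (ENOTSUP, which strerror renders as the "Operation not supported" seen above). The struct layout and capability numbers are the kernel's; the sample blob is constructed to match what `setcap cap_net_admin,cap_net_raw+eip` writes.

```python
"""Decode/encode the security.capability xattr written by setcap (added example)."""
import errno
import os
import struct

# Constants from include/uapi/linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # 64-bit caps, no rootid (what setcap writes by default)
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a rootid for user-namespace-owned caps
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Capability numbers from the kernel header; list index == capability number.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def _names(lo, hi):
    """Expand a 64-bit capability mask (two little-endian u32 halves) into names."""
    bits = lo | (hi << 32)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if (bits >> i) & 1]


def _mask(names):
    """Inverse of _names: capability names -> 64-bit mask."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def encode_vfs_caps(permitted, inheritable, effective=True):
    """Build the revision-2 blob that setcap writes for '+p', '+i' and '+e'.

    The effective flag is a single bit in magic_etc: when set, every permitted
    capability becomes effective at exec, which is why getcap reports '+ep'.
    """
    p, i = _mask(permitted), _mask(inheritable)
    magic_etc = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<5I", magic_etc, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)


def decode_vfs_caps(raw):
    """Parse a security.capability value (revision 2 or 3) into a dict."""
    if len(raw) < 4:
        raise ValueError("vfs_cap_data too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(raw) == 20:
        p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
        rootid = 0
    elif revision == VFS_CAP_REVISION_3 and len(raw) == 24:
        p_lo, i_lo, p_hi, i_hi, rootid = struct.unpack_from("<5I", raw, 4)
    else:
        raise ValueError("unsupported vfs_cap_data: magic 0x%08x, %d bytes" % (magic_etc, len(raw)))
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(p_lo, p_hi),
        "inheritable": _names(i_lo, i_hi),
        "rootid": rootid,
    }


def probe_file_caps(path):
    """Read security.capability from a real file (Linux only; needs no root).

    Returns ("caps", decoded) when capabilities are set, ("none", None) when
    the attribute is simply absent, and ("unsupported", None) when the kernel
    rejects the security.* namespace on this filesystem (errno ENOTSUP,
    "Operation not supported"): user.* xattrs working does not prove this.
    """
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return ("none", None)
        if exc.errno == errno.ENOTSUP:
            return ("unsupported", None)
        raise
    return ("caps", decode_vfs_caps(raw))


# Constructed sample: the blob "setcap cap_net_admin,cap_net_raw+eip" produces
# (magic 0x02000001 LE, permitted = inheritable = bits 12 and 13, high words 0).
SAMPLE_NET_CAPS = bytes.fromhex("01000002" "00300000" "00300000" "00000000" "00000000")

if __name__ == "__main__":
    import sys
    print(decode_vfs_caps(SAMPLE_NET_CAPS))
    for arg in sys.argv[1:]:          # e.g. ./example_app after a setcap attempt
        print(arg, probe_file_caps(arg))
```

Run it against the binary after a failed `setcap`: an "unsupported" result on a filesystem where `setfattr -n user.test` succeeded points at the `security.*` handler being compiled out (for ext4, `CONFIG_EXT4_FS_SECURITY`), not at xattr support as a whole.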