Capability | #uses | #files |
CAP_AUDIT_CONTROL | 2 | 2 |
CAP_AUDIT_WRITE | 1 | 1 |
CAP_BLOCK_SUSPEND | 3 | 2 |
CAP_CHOWN | 4 | 2 |
CAP_DAC_OVERRIDE | 2 | 1 |
CAP_DAC_READ_SEARCH | 5 | 3 |
CAP_FOWNER | 11 | 8 |
CAP_FSETID | 9 | 7 |
CAP_IPC_LOCK | 14 | 9 |
CAP_IPC_OWNER | 1 | 1 |
CAP_KILL | 2 | 2 |
CAP_LEASE | 1 | 1 |
CAP_LINUX_IMMUTABLE | 14 | 14 |
CAP_MAC_ADMIN | 28 | 5 |
CAP_MAC_OVERRIDE | 5 | 2 |
CAP_MKNOD | 3 | 3 |
CAP_NET_ADMIN | 399 | 188 |
CAP_NET_BIND_SERVICE | 15 | 12 |
CAP_NET_BROADCAST | 0 | 0 |
CAP_NET_RAW | 20 | 12 |
CAP_SETFCAP | 3 | 2 |
CAP_SETGID | 11 | 6 |
CAP_SETPCAP | 2 | 2 |
CAP_SETUID | 9 | 4 |
CAP_SYS_ADMIN | 502 | 257 |
CAP_SYS_BOOT | 2 | 2 |
CAP_SYS_CHROOT | 2 | 2 |
CAP_SYSLOG | 2 | 2 |
CAP_SYS_MODULE | 5 | 3 |
CAP_SYS_NICE | 14 | 8 |
CAP_SYS_PACCT | 1 | 1 |
CAP_SYS_PTRACE | 11 | 5 |
CAP_SYS_RAWIO | 69 | 43 |
CAP_SYS_RESOURCE | 38 | 25 |
CAP_SYS_TIME | 19 | 11 |
CAP_SYS_TTY_CONFIG | 11 | 5 |
CAP_WAKE_ALARM | 2 | 1 |
Total | 1242 | 654 |
2013-03-12
Revisiting kernel capability usage statistics
Revisiting my earlier statistics on capability use in the Linux 3.2 kernel source, things are not getting better for CAP_SYS_ADMIN. The statistics below are for Linux 3.9-rc2. By comparison with Linux 3.2, total uses of CAP_* constants in the kernel sources have risen by 10.6% (1242 versus 1167) and total uses of CAP_SYS_ADMIN have risen by slightly more: 11.1% (502 versus 451). This article remains relevant, and digging a bit deeper, overly broad range seems to be a problem that afflicts not just CAP_SYS_ADMIN and CAP_NET_ADMIN about also (at least) CAP_SYS_RAWIO, as the discussion in this thread on the proposed CAP_COMPROMISE_KERNEL capability shows.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment