Does Linux capabilities work with binfmt_misc?

Question

Does Linux capabilities work with binfmt_misc?

I am potentially interested in leveraging the Linux capabilities of the program (specifically cap_net_bind_service

so that the program can communicate with a TCP port less than 1024).

However, I would like to do this for a Mono program. I usually think this meant that the Mono interpreter itself needed to have the capabilities installed on it, not the program whatever.exe

it was running.

However, Linux can also be support for Mono binary kernel by kernel binfmt_misc .

So, does the binfmt_misc kernel mechanism work with capabilities? That is, so that a specific executable with binfmt_misc enabled can work with certain capabilities.

+3

linux mono linux-capabilities

Craig McQueen May 13 '15 at 12:21

source to share

1 answer

Charles duffy · Answer 1 · 2015-05-13T00:33:12+0000

Generally, I think this meant that the Mono interpreter itself would need to install capabilities on it [...]

This will not result in a binfmt_misc error if you set the options in the process tree in question rather than in files.

See cap_set_proc () and tools to manipulate it. For example, if you were using systemd:

[Service]
ExecStart=/usr/bin/mono /path/to/your/executable.exe
User=your_service_account
Capabilities=CAP_NET_BIND_SERVICE

Does Linux capabilities work with binfmt_misc?

More articles: