lcap(8) - Linux man page
Name
lcap - remove Linux kernel capabilities
Synopsis
lcap [-h]
lcap [-v[v]] -c capability
lcap [-v[v]] [-z] capability ...
Description
This manual page documents lcap. lcap removes "capabilities" from the Linux kernel (2.2.11 and greater).
Options
Without any command line options, lcap will display all the capability bits and their current setting. A * before the capability means the bit is set (to one). The lack of a * means the bit is unset (set to zero).
- -h
- Display the help message.
- -v
- Show lots of information.
- -vv
- Show even more information.
- -c
- Check whether capability is set. If the capability's bit is set, the return code is greater than zero. If the capability's bit is not set, the return code is zero.
- -z
- Set all capability bits to zero except for the capabilities listed on the command line.
Without the -z option, the bit of each listed capability is set to zero and all other bits are left as they are. Multiple capabilities may be listed on the command line (except when using the -c option, in which case only one capability may be specified).
Note that if you remove the CAP_SYS_MODULE capability from the system, then no further capability-modifications are possible, and lcap will no longer be able to correctly report the bound capability set.
Note also that if CAP_SYS_RAWIO or CAP_SYS_MODULE is still part of the capability set, it is possible to re-insert capabilities by various means. Hence, after you have adjusted your set of bound capabilities, you will need to remove CAP_SYS_RAWIO and CAP_SYS_MODULE if you want to make sure that capabilities are not re-introduced.
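The two notes above imply an ordering: drop everything else first, then CAP_SYS_RAWIO, and CAP_SYS_MODULE last, since removing CAP_SYS_MODULE ends all further changes. The following shell helpers are an added example, not part of lcap or this manual; they assume lcap's listing prints one capability per line with a leading "*" on set bits (the sample listing is constructed, and the exact column layout is an assumption).

```shell
#!/bin/sh
# Constructed sample of an lcap bit listing; "*" marks a set bit.
# The exact layout is an assumption; only the leading "*" is documented.
SAMPLE_LCAP_OUTPUT='* CAP_CHOWN
* CAP_NET_RAW
  CAP_SYS_MODULE
* CAP_SYS_RAWIO
* CAP_SYS_ADMIN'

# set_caps LISTING: print the names whose bit is set (leading "*"), one per line.
set_caps() {
    printf '%s\n' "$1" | sed -n 's/^\* *\(CAP_[A-Z_]*\).*/\1/p'
}

# reinsertion_possible LISTING: exit 0 when CAP_SYS_RAWIO or CAP_SYS_MODULE
# is still set, i.e. the bound set could still be re-grown.
reinsertion_possible() {
    set_caps "$1" | grep -qx -e CAP_SYS_RAWIO -e CAP_SYS_MODULE
}

# removal_order CAP...: print the requested capabilities in a safe order:
# all others first, then CAP_SYS_RAWIO, then CAP_SYS_MODULE (duplicates dropped).
removal_order() {
    rawio="" module=""
    for c in "$@"; do
        case $c in
            CAP_SYS_RAWIO)  rawio=$c ;;
            CAP_SYS_MODULE) module=$c ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
    # CAP_SYS_MODULE goes last: once it is gone, lcap can change nothing else.
    for c in $rawio $module; do printf '%s\n' "$c"; done
}

# apply_removals CAP...: invoke lcap once per capability in that order
# (needs root and an installed lcap; not exercised by the checks below).
apply_removals() {
    removal_order "$@" | while read -r c; do lcap "$c"; done
}
```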
