LIDS file ACLs protect access to files through the normal channel, namely the path and filename. That channel can be circumvented by reading from or writing to the underlying block device (e.g., /dev/hda1) directly, which bypasses the file ACLs entirely. To prevent such raw access, set

-17:CAP_SYS_RAWIO

in /etc/lids/lids.cap and /etc/lids/lids.*.cap.
It is rare that Capability Exceptions to this need to be granted; most commonly such exceptions are for X servers or multimedia software (e.g., xmms may access your CD-ROM via /dev/hd? rather than /mnt/cdrom). Where one is needed, grant it to the specific program rather than re-enabling the capability globally.
In "vanilla" kernels any programme with the CAP_NET_BIND_SERVICE capability can bind to any port number less than 1024. The capability is extended in LIDS-enabled kernels to allow particular ports, or a port range, to be specified. For example
lidsadm -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE -j GRANT

allows httpd to bind to any privileged port (below 1024), but

lidsadm -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80-80,443-443 -j GRANT
lidsadm -A -s /usr/local/sbin/httpproxy -o CAP_NET_BIND_SERVICE 80-88 -j GRANT

allow httpd to bind to its standard ports (80 and 443) only, and httpproxy to bind to ports in the range 80 to 88 (inclusive).
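The two settings above (the global CAP_SYS_RAWIO switch in lids.cap and the port-scoped CAP_NET_BIND_SERVICE grants) can be audited offline before LIDS is reloaded. The following is an added example, not code from the original page or from LIDS: it parses the "+N:CAP_NAME" / "-N:CAP_NAME" line format shown above, flags capabilities that should stay disabled, rewrites them to the corrected setting, and models the port-scoped grant for httpd and httpproxy. The sample lids.cap text and the rule list are constructed; the assumptions that ports at or above 1024 need no capability and that ranges are inclusive are taken from the surrounding text, not from LIDS source.

```python
"""Offline checks for lids.cap settings and port-scoped bind grants.

Added example (not part of the original page or of LIDS). The file format,
the inclusive-range semantics and the "ports >= 1024 need no capability"
rule are assumptions taken from the text above, not from LIDS source.
"""
import re

# Constructed sample of /etc/lids/lids.cap (not copied from any real host).
# CAP_SYS_RAWIO is deliberately left enabled so the check has something to flag.
SAMPLE_LIDS_CAP = """\
# constructed sample lids.cap
+10:CAP_NET_BIND_SERVICE
+17:CAP_SYS_RAWIO
"""

# Constructed model of the port-scoped rules from the text:
# (program, capability, port spec); an empty spec means "any privileged port".
SAMPLE_BIND_RULES = [
    ("/usr/sbin/httpd", "CAP_NET_BIND_SERVICE", "80-80,443-443"),
    ("/usr/local/sbin/httpproxy", "CAP_NET_BIND_SERVICE", "80-88"),
]

CAP_LINE = re.compile(r"^([+-])\s*(\d+)\s*:\s*(CAP_[A-Z0-9_]+)$")


def parse_lids_cap(text):
    """Map capability name -> enabled? from lids.cap-style text.

    Comments (#...) and blank lines are skipped; any other malformed line
    raises, because a typo in this file could silently leave a capability on.
    """
    caps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CAP_LINE.match(line)
        if m is None:
            raise ValueError(f"lids.cap line {lineno}: unrecognised entry {raw!r}")
        sign, _number, name = m.groups()
        caps[name] = (sign == "+")
    return caps


def enabled_but_should_be_off(caps, must_be_off=("CAP_SYS_RAWIO",)):
    """Names from must_be_off that are globally enabled (the weak setting)."""
    return [name for name in must_be_off if caps.get(name, False)]


def disable_caps(text, names):
    """Return the file text with the named capabilities switched to '-'
    (the corrected setting); all other lines pass through unchanged."""
    out = []
    for raw in text.splitlines():
        m = CAP_LINE.match(raw.split("#", 1)[0].strip())
        if m is not None and m.group(3) in names:
            raw = f"-{m.group(2)}:{m.group(3)}"
        out.append(raw)
    return "\n".join(out) + "\n"


def parse_port_ranges(spec):
    """'80-80,443-443' -> [(80, 80), (443, 443)]; ranges are inclusive."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        lo, dash, hi = part.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if dash else lo_n
        if not 0 < lo_n <= hi_n < 65536:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo_n, hi_n))
    return ranges


def may_bind(rules, program, port):
    """Model of the scoped grant: may `program` bind `port`?

    Assumption: as in vanilla kernels, only ports below 1024 need the
    capability, so anything higher is always allowed.
    """
    if port >= 1024:
        return True
    for src, cap, spec in rules:
        if src != program or cap != "CAP_NET_BIND_SERVICE":
            continue
        if spec == "" or any(lo <= port <= hi for lo, hi in parse_port_ranges(spec)):
            return True
    return False


if __name__ == "__main__":
    caps = parse_lids_cap(SAMPLE_LIDS_CAP)
    print("globally enabled but should be off:", enabled_but_should_be_off(caps))
    print(disable_caps(SAMPLE_LIDS_CAP, {"CAP_SYS_RAWIO"}))
    for prog, port in [("/usr/sbin/httpd", 443), ("/usr/sbin/httpd", 81),
                       ("/usr/local/sbin/httpproxy", 88)]:
        print(prog, port, may_bind(SAMPLE_BIND_RULES, prog, port))
```

Run it against your own lids.cap text to confirm CAP_SYS_RAWIO is off before you reload the configuration; the `may_bind` model is only a reading of the grant syntax as described here and does not replace testing the real rule with `lidsconf -L` and an actual bind attempt.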
Using the LIDS-specific capability CAP_PROTECTED, a process (daemon) can be protected from userspace signals, so it cannot be killed, even by root, while LIDS is enabled. This is useful for protecting monitoring and intrusion-detection tools! Example:
root> lidsadm -S -- -LIDS
root> lidsconf -A -s /usr/bin/yes -o CAP_PROTECTED -j GRANT
root> lidsconf -C
root> lidsadm -S -- +RELOAD_CONF
root> lidsadm -S -- +LIDS

Now run /usr/bin/yes in another terminal.

root> ps auxww | grep yes
root      3712 13.8  0.0  1876  456 pts/0    R+   12:38   0:02 yes
root> kill 3712
bash: kill: (3712) - Operation not permitted
root> lidsadm -S -- -LIDS
root> kill 3712
root> ps auxww | grep yes
root>
N.B. Remember that only processes running as root hold Capabilities (a process that changes to an unprivileged uid loses its capability set unless it explicitly asks to keep it with prctl(PR_SET_KEEPCAPS)), so you cannot protect non-root-owned processes/daemons in this way. For example, exim4 drops its root privilege after binding to port 25 and so cannot be protected.