
inherit_level

Source code of the Linux security kernel
1) Add the parent pid to the lids_security_alert message.

2) lids_set_flags is changed to lids_set_acls, which makes more sense.

3) Modify copy_lids_sys_acl during fork() and lids_set_acls during do_execve().

	Now, if a program calls fork(), then before it executes any program it
	gets the same ACLs as its parent.

	Once it calls execve(), the inherit level is checked and the
	uninheritable ACLs and capabilities are deleted. This check is done only
	once, even if execve() runs multiple times.

	After that, the ACLs are merged with the ACLs and capabilities of the
	program being executed.

	Now it does not matter how many times the program forks internally: its
	children gain the same privileges as their parent. This does not change
	until it executes a program.

For sshd, you can now do

	# lidsadm -A -s /usr/sbin/sshd -o /etc/shadow -i 0 -j READ
		/* -i can be omitted when it is 0 */

Script inheritance: a script first forks a "bash" and then runs the commands in the script. It needs at least 1 TTL for a command to inherit its capabilities. For example, take this script:

-------test.sh----
#!/bin/sh
ifconfig eth0 down
ifup eth0
------test.sh--------

If you do

	# lidsadm -A -s test.sh -o CAP_NET_ADMIN -i 1 -j GRANT

only the first command runs successfully. The second command fails: even though "ifup eth0" gets CAP_NET_ADMIN, it cannot pass it on to the "ifconfig eth0 up" that runs within "ifup eth0". You need to set the inherit level (TTL) to 2.
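A simplified model of the fork()/execve() behaviour described in these notes, added here as an illustration; it is not LIDS code. The names Acl, Proc, run_script and sshd_case are hypothetical, "/bin/sh" is a constructed sample program, the one-level-per-execve TTL accounting is an assumption inferred from the test.sh example, and the "checked only once" rule is not modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Acl:
    obj: str      # protected object or capability
    perm: str     # READ, GRANT, ...
    ttl: int = 0  # inherit level (-i)

@dataclass
class Proc:
    prog: str
    acls: list = field(default_factory=list)

    def fork(self):
        # fork(): the child gets the same ACLs as its parent
        return Proc(self.prog, list(self.acls))

    def execve(self, prog, rules):
        # Assumed accounting: entries with no TTL left are deleted,
        # the rest spend one inherit level.
        kept = [Acl(a.obj, a.perm, a.ttl - 1) for a in self.acls if a.ttl > 0]
        # Merge with the ACLs configured for the executed program.
        self.prog, self.acls = prog, kept + list(rules.get(prog, []))
        return self

    def has(self, obj):
        return any(a.obj == obj for a in self.acls)

def run_script(ttl):
    """test.sh from the notes: returns (ifconfig, ifup, ifconfig inside ifup)."""
    rules = {"test.sh": [Acl("CAP_NET_ADMIN", "GRANT", ttl)]}
    script = Proc("parent").fork().execve("test.sh", rules)
    first = script.fork().execve("ifconfig", rules)
    ifup = script.fork().execve("ifup", rules)
    inner = ifup.fork().execve("ifconfig", rules)
    return tuple(p.has("CAP_NET_ADMIN") for p in (first, ifup, inner))

def sshd_case():
    """sshd rule with -i 0: returns (forked child, child after execve)."""
    rules = {"/usr/sbin/sshd": [Acl("/etc/shadow", "READ", 0)]}
    sshd = Proc("init").execve("/usr/sbin/sshd", rules)
    child = sshd.fork()
    before = child.has("/etc/shadow")
    after = child.execve("/bin/sh", rules).has("/etc/shadow")
    return before, after

if __name__ == "__main__":
    for ttl in (0, 1, 2):
        print("ttl", ttl, run_script(ttl))
    print("sshd", sshd_case())
```

With an inherit level of 1 the capability reaches ifconfig and ifup but not the ifconfig started inside ifup; with 2 it reaches all three, so the rule grants no more process depth than the level it is given.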
