capabilities: Add support for Linux capabilities(7)

This adds capabilities for start-stop-daemon by adding --capabilities option. As a result, the user can specify the inheritable, ambient and bounding set by define capabilities in the service script. This fixes #314.
author: LinkTed <link.ted@mailbox.org> 2021-06-13 19:26:24 +0200
committer: Mike Frysinger <vapier@gmail.com> 2021-12-23 17:29:10 -0500
commit: 6e214b261604c4ab1ffc244272443a587bb59927 (patch)
tree: 618ab3e7bb84f80eff7a8c8e23c1700a2ca587be /service-script-guide.md
parent: fd1e4a384af44a8687b3a5369283f80f1cf29d84 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/service-script-guide.md b/service-script-guide.md
index 38b9c55d..dffb61c6 100644
--- a/service-script-guide.md
+++ b/service-script-guide.md
@@ -187,6 +187,21 @@ with
 
   * command_user="user:group"
 
+If your daemon should run with specific inheritable, ambient and
+bounding capabilities, then you can tell start-stop-daemon to launch
+it with
+
+  * capabilities="cap-list"
+
+The format is the same as in cap_iab(3). (Only on Linux)
+
+For example, to start the daemon with ambient and inheritable
+`cap_chown`, but without `cap_setpcap` in the bounding set, use
+the following value:
+```sh
+capabilities="^cap_chown,!cap_setpcap"
+```
+
 Finally, if your daemon always forks into the background but fails to
 create a PID file, then your only option is to use
author	LinkTed <link.ted@mailbox.org>	2021-06-13 19:26:24 +0200
committer	Mike Frysinger <vapier@gmail.com>	2021-12-23 17:29:10 -0500
commit	6e214b261604c4ab1ffc244272443a587bb59927 (patch)
tree	618ab3e7bb84f80eff7a8c8e23c1700a2ca587be /service-script-guide.md
parent	fd1e4a384af44a8687b3a5369283f80f1cf29d84 (diff)