.\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"
+.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
+.\" %%%LICENSE_END
.\"
.\" 6 Aug 2002 - Initial Creation
.\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
.\" other capabilities where the permitted or inheritable bit is set.
.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
.\"
-.TH CAPABILITIES 7 2012-04-15 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2013-03-11 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
which can be independently enabled and disabled.
Capabilities are a per-thread attribute.
.\"
-.SS Capabilities List
+.SS Capabilities list
The following list shows the capabilities implemented on Linux,
and the operations or behaviors that each capability permits:
.TP
.BR CAP_AUDIT_WRITE " (since Linux 2.6.11)"
Write records to kernel auditing log.
.TP
+.BR CAP_BLOCK_SUSPEND " (since Linux 3.5)"
+Employ features that can block system suspend
+.RB ( epoll (7)
+.BR EPOLLWAKEUP ,
+.IR /proc/sys/wake_lock ).
+.TP
.B CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs (see
.BR chown (2)).
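Review bot: please verify the `/proc/sys/wake_lock` path in the new CAP_BLOCK_SUSPEND entry; the wakelock control files that the kernel gates on CAP_BLOCK_SUSPEND live under sysfs as `/sys/power/wake_lock` and `/sys/power/wake_unlock`, and I am not aware of a `/proc/sys/wake_lock`. If that checks out, the last line of the entry should read `.IR /sys/power/wake_lock ).`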
.BR ptrace (2);
apply
.BR get_robust_list (2)
-to arbitrary processes.
+to arbitrary processes;
+inspect processes using
+.BR kcmp (2).
.TP
.B CAP_SYS_RAWIO
+.PD 0
+.RS
+.IP * 2
Perform I/O port operations
.RB ( iopl (2)
and
.BR ioperm (2));
+.IP *
access
.IR /proc/kcore ;
+.IP *
employ the
.B FIBMAP
.BR ioctl (2)
-operation.
+operation;
+.IP *
+open devices for accessing x86 model-specific registers (MSRs, see
+.BR msr (4))
+.IP *
+update
+.IR /proc/sys/vm/mmap_min_addr ;
+.IP *
+create memory mappings at addresses below the value specified by
+.IR /proc/sys/vm/mmap_min_addr ;
+.IP *
+map files in
+.IR /proc/pci/bus ;
+.IP *
+open
+.IR /dev/mem
+and
+.IR /dev/kmem ;
+.IP *
+perform various SCSI device commands;
+.IP *
+perform certain operations on
+.BR hpsa (4)
+and
+.BR cciss (4)
+devices;
+.IP *
+perform a range of device-specific operations on other devices.
+.RE
+.PD
.TP
.B CAP_SYS_RESOURCE
.PD 0
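Review bot: "map files in /proc/pci/bus" has the path components reversed; the PCI configuration-space files whose mmap requires CAP_SYS_RAWIO are under `/proc/bus/pci`, so `.IR /proc/pci/bus ;` should read `.IR /proc/bus/pci ;`. A style point in the same list: the MSR item ends with `.BR msr (4))` and is the only bullet without a trailing semicolon; add one so it matches the other items in the `.RS`/`.RE` block.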
employ
.BR prctl (2)
.B PR_SET_MM
-operation.
+operation;
+set
+.IR /proc/PID/oom_score_adj
+to a value lower than the value last set by a process with
+.BR CAP_SYS_RESOURCE .
.RE
.PD
.TP
operations on virtual terminals.
.TP
.BR CAP_SYSLOG " (since Linux 2.6.37)"
+.IP * 3
Perform privileged
.BR syslog (2)
operations.
See
.BR syslog (2)
for information on which operations require privilege.
+.IP *
+View kernel addresses exposed via
+.I /proc
+and other interfaces when
+.IR /proc/sys/kernel/kptr_restrict
+has the value 1.
+(See the discussion of the
+.I kptr_restrict
+in
+.BR proc (5).)
.TP
.BR CAP_WAKE_ALARM " (since Linux 3.0)"
Trigger something that will wake up the system (set
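Review bot: the bullet list added under CAP_SYSLOG is opened with `.IP * 3` but, unlike the CAP_SYS_RAWIO list earlier in this patch, it is not preceded by `.PD 0`/`.RS` and is never closed with `.RE`/`.PD`, so the bullets will render at a different indent from the other lists and the list is still open when `.TP` for CAP_WAKE_ALARM follows; wrap it the same way as CAP_SYS_RAWIO (`.PD 0`, `.RS`, `.IP * 2` ... `.RE`, `.PD`). Also, "See the discussion of the kptr_restrict in proc(5)" is missing a noun; either "the discussion of kptr_restrict in" or "the discussion of /proc/sys/kernel/kptr_restrict in".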
.B CLOCK_BOOTTIME_ALARM
timers).
.\"
-.SS Past and Current Implementation
+.SS Past and current implementation
A full implementation of capabilities requires that:
.IP 1. 3
For all privileged operations,
Before kernel 2.6.24, only the first two of these requirements are met;
since kernel 2.6.24, all three requirements are met.
.\"
-.SS Thread Capability Sets
+.SS Thread capability sets
Each thread has three capability sets containing zero or more
of the above capabilities:
.TP
.BR capset (2),
a thread may manipulate its own capability sets (see below).
.\"
-.SS File Capabilities
+.SS File capabilities
Since kernel 2.6.24, the kernel supports
associating capability sets with an executable file using
.BR setcap (8).
for all other capabilities for which the corresponding permitted or
inheritable flags is enabled.
.\"
-.SS Transformation of Capabilities During execve()
+.SS Transformation of capabilities during execve()
.PP
During an
.BR execve (2),
back into the thread's inherited set in the future.
.\"
.\"
-.SS Effect of User ID Changes on Capabilities
+.SS Effect of user ID changes on capabilities
To preserve the traditional semantics for transitions between
0 and nonzero user IDs,
the kernel makes the following changes to a thread's capability
that the thread does not currently have).
.IP 4.
The new effective set must be a subset of the new permitted set.
-.SS The """securebits"" flags: establishing a capabilities-only environment
+.SS The securebits flags: establishing a capabilities-only environment
.\" For some background:
.\" see http://lwn.net/Articles/280279/ and
.\" http://article.gmane.org/gmane.linux.kernel.lsm/5476/
SECBIT_NOROOT_LOCKED);
.fi
.in
-.SH "CONFORMING TO"
+.SH CONFORMING TO
.PP
No standards govern capabilities, but the Linux capability implementation
is based on the withdrawn POSIX.1e draft standard; see
-.IR http://wt.xpilot.org/publications/posix.1e/ .
+.UR http://wt.tuxomania.net\:/publications\:/posix.1e/
+.UE .
.SH NOTES
Since kernel 2.5.27, capabilities are an optional kernel component,
and can be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES
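Review bot: the change of host in the POSIX.1e link, from wt.xpilot.org to wt.tuxomania.net, is not recorded in the change log at the top of the file (the last entry there is 2011-09-07); add a line saying that the old URL no longer resolves and that the new one was checked, otherwise a reader of the history cannot tell this from a typo. The switch from `.IR` to `.UR`/`.UE` is fine, as long as the build targets a groff whose an-ext macros provide them (the same applies to the libcap URL further down).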
The
.I /proc/PID/status
file shows the capability sets of a process's main thread.
+Before Linux 3.8, nonexistent capabilities were shown as being
+enabled (1) in these sets.
+Since Linux 3.8,
+.\" 7b9a7ec565505699f503b4fcf61500dceb36e744
+all non-existent capabilities (above
+.BR CAP_LAST_CAP )
+are shown as disabled (0).
The
.I libcap
programs.
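Review bot: the new paragraph spells the word both "nonexistent" (first sentence) and "non-existent" (third sentence); pick one. It would also be clearer to name the fields meant by "these sets" (CapInh, CapPrm, CapEff and CapBnd in /proc/PID/status), since the preceding sentence only mentions "the capability sets of a process's main thread".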
It can be found at
.br
-.IR http://www.kernel.org/pub/linux/libs/security/linux-privs .
+.UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux-privs
+.UE .
Before kernel 2.6.24, and since kernel 2.6.24 if
file capabilities are not enabled, a thread with the
starts out with this capability removed from its per-process bounding
set, and that bounding set is inherited by all other processes
created on the system.
-.SH "SEE ALSO"
+.SH SEE ALSO
.BR capget (2),
.BR prctl (2),
.BR setfsuid (2),
.BR getcap (8),
.BR setcap (8)
.PP
-Comments on the purposes of various capabilities in
.I include/linux/capability.h
-in the kernel source
+in the Linux kernel source tree
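Review bot: removing "Comments on the purposes of various capabilities in" without adding a replacement leaves the closing SEE ALSO paragraph as a verbless fragment ("include/linux/capability.h in the Linux kernel source tree"); if a new lead-in was intended it is missing from this hunk, otherwise restore the old line. While this line is being touched, the header path is also stale: since the UAPI header split in Linux 3.7 the capability definitions and their explanatory comments live in `include/uapi/linux/capability.h`, so `.I include/linux/capability.h` should be updated too.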