.\" Add text noting that if we set the effective flag for one file
.\" capability, then we must also set the effective flag for all
.\" other capabilities where the permitted or inheritable bit is set.
+.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
+.\" FIXME: Linux 3.0 added CAP_WAKE_ALARM
.\"
-.TH CAPABILITIES 7 2010-06-19 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2011-09-07 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
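Review bot: the changelog comment on the `+.\" 2011-09-07` line writes the contributor's surname in lowercase ("Serge hallyn"); capitalise it as "Serge Hallyn". The new `FIXME: Linux 3.0 added CAP_WAKE_ALARM` comment is a reasonable marker, but since this same patch already shows the shape of a new capability entry (the CAP_SYSLOG `.TP` block), consider documenting CAP_WAKE_ALARM in the same submission instead of leaving a FIXME in the page header.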
and
.BR setdomainname (2);
.IP *
+perform privileged
+.BR syslog (2)
+operations (since Linux 2.6.37,
+.BR CAP_SYSLOG
+should be used to permit such operations);
+.IP *
perform
.B IPC_SET
and
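Review bot: `.BR CAP_SYSLOG` with a single argument has nothing to alternate with, so it should be `.B CAP_SYSLOG`, matching how bare names such as `.B IPC_SET` are set in this list. The parenthetical "since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations" leaves it ambiguous whether CAP_SYS_ADMIN still suffices on those kernels or only CAP_SYSLOG does; state that explicitly, since a reader choosing which capability to grant a logging daemon needs the answer.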
.B CAP_SYS_TTY_CONFIG
Use
.BR vhangup (2).
+.TP
+.BR CAP_SYSLOG " (since Linux 2.6.37)"
+Perform privileged
+.BR syslog (2)
+operations.
+See
+.BR syslog (2)
+for information on which operations require privilege.
.\"
.SS Past and Current Implementation
A full implementation of capabilities requires that:
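Review bot: the new CAP_SYSLOG entry defers entirely to syslog(2) for which operations need privilege but says nothing about what covered those operations before Linux 2.6.37, while the CAP_SYS_ADMIN bullet added in this same patch implies they fell under CAP_SYS_ADMIN. One sentence here ("Before Linux 2.6.37, these operations required CAP_SYS_ADMIN") keeps the two entries consistent and lets readers targeting older kernels find the right capability from either place.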
operation.
Removing capabilities from the bounding set is only supported if file
-capabilities are compiled into the kernel
-(CONFIG_SECURITY_FILE_CAPABILITIES).
-In that case, the
+capabilities are compiled into the kernel.
+In kernels before Linux 2.6.33,
+file capabilities were an optional feature configurable via the
+CONFIG_SECURITY_FILE_CAPABILITIES
+option.
+Since Linux 2.6.33, the configuration option has been removed
+and file capabilities are always part of the kernel.
+When file capabilities are compiled into the kernel, the
.B init
process (the ancestor of all processes) begins with a full bounding set.
If file capabilities are not compiled into the kernel, then
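Review bot: the rewritten paragraph states that since Linux 2.6.33 file capabilities are always part of the kernel, yet the unchanged sentences around it ("Removing capabilities from the bounding set is only supported if file capabilities are compiled into the kernel" and "If file capabilities are not compiled into the kernel, then") still read as though the build-time choice exists on every kernel. Qualify both with "in kernels before Linux 2.6.33" (or fold them into the new paragraph) so readers on current kernels are not sent looking for a configuration option that no longer exists.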
During an
.BR execve (2),
all of the flags are preserved, except
-.B SECURE_KEEP_CAPS
+.B SECBIT_KEEP_CAPS
which is always cleared.
An application can use the following call to lock itself,
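Review bot: only this one occurrence is renamed from SECURE_KEEP_CAPS to SECBIT_KEEP_CAPS; check the rest of the page for other SECURE_* spellings of the securebits flags so that the page uses one naming convention throughout rather than mixing the two.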