.\" Add text noting that if we set the effective flag for one file
.\" capability, then we must also set the effective flag for all
.\" other capabilities where the permitted or inheritable bit is set.
+.\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG
.\"
-.TH CAPABILITIES 7 2010-01-31 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2012-03-05 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
For the purpose of performing permission checks,
-traditional Unix implementations distinguish two categories of processes:
+traditional UNIX implementations distinguish two categories of processes:
.I privileged
processes (whose effective user ID is 0, referred to as superuser or root),
and
the file system or any of the supplementary GIDs of the calling process.
.TP
.B CAP_IPC_LOCK
+.\" FIXME As at Linux 3.2, there are some strange uses of this capability
+.\" in other places; they probably should be replaced with something else.
Lock memory
.RB ( mlock (2),
.BR mlockall (2),
.BR mknod (2).
.TP
.B CAP_NET_ADMIN
-Perform various network-related operations
-(e.g., setting privileged socket options,
-enabling multicasting, interface configuration,
-modifying routing tables).
+Perform various network-related operations:
+.PD 0
+.RS
+.IP * 2
+interface configuration;
+.IP *
+administration of IP firewall, masquerading, and accounting
+.IP *
+modify routing tables;
+.IP *
+bind to any address for transparent proxying;
+.IP *
+set type-of-service (TOS)
+.IP *
+clear driver statistics;
+.IP *
+set promiscuous mode;
+.IP *
+enabling multicasting;
+.IP *
+use
+.BR setsockopt (2)
+to set the following socket options:
+.BR SO_DEBUG ,
+.BR SO_MARK ,
+.BR SO_PRIORITY
+(for a priority outside the range 0 to 6),
+.BR SO_RCVBUFFORCE ,
+and
+.BR SO_SNDBUFFORCE .
+.RE
+.PD
.TP
.B CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports
(Unused) Make socket broadcasts, and listen to multicasts.
.TP
.B CAP_NET_RAW
-Use RAW and PACKET sockets.
+.PD 0
+.RS
+.IP * 2
+use RAW and PACKET sockets;
+.IP *
+bind to any address for transparent proxying.
+.RE
+.PD
.\" Also various IP options and setsockopt(SO_BINDTODEVICE)
.TP
.B CAP_SETGID
Make arbitrary manipulations of process GIDs and supplementary GID list;
-forge GID when passing socket credentials via Unix domain sockets.
+forge GID when passing socket credentials via UNIX domain sockets.
.TP
.BR CAP_SETFCAP " (since Linux 2.6.24)"
Set file capabilities.
.BR setreuid (2),
.BR setresuid (2),
.BR setfsuid (2));
-make forged UID when passing socket credentials via Unix domain sockets.
+make forged UID when passing socket credentials via UNIX domain sockets.
.\" FIXME CAP_SETUID also an effect in exec(); document this.
.TP
.B CAP_SYS_ADMIN
and
.BR setdomainname (2);
.IP *
+perform privileged
+.BR syslog (2)
+operations (since Linux 2.6.37,
+.BR CAP_SYSLOG
+should be used to permit such operations);
+.IP *
+perform
+.B VM86_REQUEST_IRQ
+.BR vm86 (2)
+command;
+.IP *
perform
.B IPC_SET
and
.BR pipe (2));
.IP *
employ
-.B CLONE_NEWNS
-flag with
+.B CLONE_*
+flags that create new namespaces with
.BR clone (2)
and
.BR unshare (2);
.IP *
+call
+.BR perf_event_open (2);
+.IP *
+access privileged
+.I perf
+event information;
+.IP *
+call
+.BR setns (2);
+.IP *
+call
+.BR fanotify_init (2);
+.IP *
perform
.B KEYCTL_CHOWN
and
.B KEYCTL_SETPERM
.BR keyctl (2)
-operations.
+operations;
+.IP *
+perform
+.BR madvise (2)
+.B MADV_HWPOISON
+operation;
+.IP *
+employ the
+.B TIOCSTI
+.BR ioctl (2)
+to insert characters into the input queue of a terminal other than
+the caller's controlling terminal.
+.IP *
+employ the obsolete
+.BR nfsservctl (2);
+system call;
+.IP *
+employ the obsolete
+.BR bdflush (2)
+system call;
+.IP *
+perform various privileged block-device
+.BR ioctl (2)
+operations;
+.IP *
+perform various privileged file-system
+.BR ioctl (2)
+operations;
+.IP *
+perform administrative operations on many device drivers.
.RE
.PD
.TP
.TP
.B CAP_SYS_PTRACE
Trace arbitrary processes using
-.BR ptrace (2)
+.BR ptrace (2);
+apply
+.BR get_robust_list (2)
+to arbitrary processes.
.TP
.B CAP_SYS_RAWIO
Perform I/O port operations
and
.BR ioperm (2));
access
-.IR /proc/kcore .
+.IR /proc/kcore ;
+employ the
+.B FIBMAP
+.BR ioctl (2)
+operation.
.TP
.B CAP_SYS_RESOURCE
.PD 0
.B RLIMIT_NPROC
resource limit;
.IP *
+override maximum number of consoles on console allocation;
+.IP *
+override maximum number of keymaps;
+.IP *
+allow more than 64hz interrupts from the real-time clock;
+.IP *
raise
.I msg_qbytes
limit for a System V message queue above the limit in
(see
.BR msgop (2)
and
-.BR msgctl (2)).
+.BR msgctl (2));
+.IP *
+override the
+.I /proc/sys/fs/pipe-size-max
+limit when setting the capacity of a pipe using the
+.B F_SETPIPE_SZ
+.BR fcntl (2)
+command.
+.IP *
+use
+.BR F_SETPIPE_SZ
+to increase the capacity of a pipe above the limit specified by
+.IR /proc/sys/fs/pipe-max-size ;
+.IP *
+override
+.I /proc/sys/fs/mqueue/queues_max
+limit when creating POSIX message queues (see
+.BR mq_overview (7)).
.RE
.PD
.TP
.TP
.B CAP_SYS_TTY_CONFIG
Use
-.BR vhangup (2).
+.BR vhangup (2);
+employ various privileged
+.BR ioctl (2)
+operations on virtual terminals.
+.TP
+.BR CAP_SYSLOG " (since Linux 2.6.37)"
+Perform privileged
+.BR syslog (2)
+operations.
+See
+.BR syslog (2)
+for information on which operations require privilege.
+.TP
+.BR CAP_WAKE_ALARM " (since Linux 3.0)"
+Trigger something that will wake up the system (set
+.B CLOCK_REALTIME_ALARM
+and
+.B CLOCK_BOOTTIME_ALARM
+timers).
.\"
.SS Past and Current Implementation
A full implementation of capabilities requires that:
.\" exec(), then it gets all capabilities in its
.\" permitted set, and no effective capabilities
This provides semantics that are the same as those provided by
-traditional Unix systems.
+traditional UNIX systems.
.SS Capability bounding set
The capability bounding set is a security mechanism that can be used
to limit the capabilities that can be gained during an
to Linux starting with kernel version 2.2.11.
.\"
.PP
-.B "Capability bounding set from Linux 2.6.25 onwards"
+.B "Capability bounding set from Linux 2.6.25 onward"
.PP
From Linux 2.6.25, the
.I "capability bounding set"
operation.
Removing capabilities from the bounding set is only supported if file
-capabilities are compiled into the kernel
-(CONFIG_SECURITY_FILE_CAPABILITIES).
-In that case, the
+capabilities are compiled into the kernel.
+In kernels before Linux 2.6.33,
+file capabilities were an optional feature configurable via the
+CONFIG_SECURITY_FILE_CAPABILITIES
+option.
+Since Linux 2.6.33, the configuration option has been removed
+and file capabilities are always part of the kernel.
+When file capabilities are compiled into the kernel, the
.B init
process (the ancestor of all processes) begins with a full bounding set.
If file capabilities are not compiled into the kernel, then
operation.)
.TP
.B SECBIT_NO_SETUID_FIXUP
-Setting this flag stops the kernel from adjusting capability sets when
+Setting this flag stops the kernel from adjusting capability sets when
the threads's effective and file system UIDs are switched between
zero and nonzero values.
(See the subsection
During an
.BR execve (2),
all of the flags are preserved, except
-.B SECURE_KEEP_CAPS
+.B SECBIT_KEEP_CAPS
which is always cleared.
An application can use the following call to lock itself,
.BR cap_init (3),
.BR capgetp (3),
.BR capsetp (3),
+.BR libcap (3),
.BR credentials (7),
.BR pthreads (7),
.BR getcap (8),
.BR setcap (8)
.PP
+Comments on the purposes of various capabilities in
.I include/linux/capability.h
in the kernel source
OSDN Git Service
