msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2012-03-19 23:50+0900\n"
+"POT-Creation-Date: 2012-03-22 04:26+0900\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
msgstr ""
#. type: TH
-#: build/C/man2/acct.2:32 build/C/man5/acct.5:23 build/C/man7/capabilities.7:47 build/C/man2/capget.2:11 build/C/man7/cpuset.7:24 build/C/man7/credentials.7:25 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:23 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:27 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:25 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man2/seteuid.2:27 build/C/man2/setfsgid.2:29 build/C/man2/setfsuid.2:29 build/C/man2/setgid.2:27 build/C/man2/setpgid.2:46 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:43 build/C/man2/setsid.2:29 build/C/man2/setuid.2:28 build/C/man7/svipc.7:25 build/C/man3/ulimit.3:27
+#: build/C/man2/acct.2:32 build/C/man5/acct.5:23 build/C/man7/capabilities.7:46 build/C/man2/capget.2:11 build/C/man7/cpuset.7:24 build/C/man7/credentials.7:25 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:23 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:27 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:25 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man2/seteuid.2:27 build/C/man2/setfsgid.2:29 build/C/man2/setfsuid.2:29 build/C/man2/setgid.2:27 build/C/man2/setpgid.2:46 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:43 build/C/man2/setsid.2:29 build/C/man2/setuid.2:28 build/C/man7/svipc.7:25 build/C/man3/ulimit.3:27
#, no-wrap
msgid "Linux"
msgstr ""
#. type: TH
-#: build/C/man2/acct.2:32 build/C/man5/acct.5:23 build/C/man7/capabilities.7:47 build/C/man2/capget.2:11 build/C/man7/cpuset.7:24 build/C/man7/credentials.7:25 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:23 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:27 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:25 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man2/seteuid.2:27 build/C/man2/setfsgid.2:29 build/C/man2/setfsuid.2:29 build/C/man2/setgid.2:27 build/C/man2/setpgid.2:46 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:43 build/C/man2/setsid.2:29 build/C/man2/setuid.2:28 build/C/man7/svipc.7:25 build/C/man3/ulimit.3:27
+#: build/C/man2/acct.2:32 build/C/man5/acct.5:23 build/C/man7/capabilities.7:46 build/C/man2/capget.2:11 build/C/man7/cpuset.7:24 build/C/man7/credentials.7:25 build/C/man2/getgid.2:25 build/C/man2/getgroups.2:31 build/C/man2/getpid.2:23 build/C/man2/getpriority.2:46 build/C/man2/getresuid.2:27 build/C/man2/getrlimit.2:64 build/C/man2/getrusage.2:39 build/C/man2/getsid.2:25 build/C/man2/getuid.2:26 build/C/man2/iopl.2:33 build/C/man2/ioprio_set.2:25 build/C/man2/ipc.2:26 build/C/man2/seteuid.2:27 build/C/man2/setfsgid.2:29 build/C/man2/setfsuid.2:29 build/C/man2/setgid.2:27 build/C/man2/setpgid.2:46 build/C/man2/setresuid.2:26 build/C/man2/setreuid.2:43 build/C/man2/setsid.2:29 build/C/man2/setuid.2:28 build/C/man7/svipc.7:25 build/C/man3/ulimit.3:27
#, no-wrap
msgid "Linux Programmer's Manual"
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:33 build/C/man5/acct.5:24 build/C/man7/capabilities.7:48 build/C/man2/capget.2:12 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:26 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:24 build/C/man2/getpriority.2:47 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:26 build/C/man2/getuid.2:27 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:26 build/C/man2/ipc.2:27 build/C/man2/seteuid.2:28 build/C/man2/setfsgid.2:30 build/C/man2/setfsuid.2:30 build/C/man2/setgid.2:28 build/C/man2/setpgid.2:47 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:44 build/C/man2/setsid.2:30 build/C/man2/setuid.2:29 build/C/man7/svipc.7:26 build/C/man3/ulimit.3:28
+#: build/C/man2/acct.2:33 build/C/man5/acct.5:24 build/C/man7/capabilities.7:47 build/C/man2/capget.2:12 build/C/man7/cpuset.7:25 build/C/man7/credentials.7:26 build/C/man2/getgid.2:26 build/C/man2/getgroups.2:32 build/C/man2/getpid.2:24 build/C/man2/getpriority.2:47 build/C/man2/getresuid.2:28 build/C/man2/getrlimit.2:65 build/C/man2/getrusage.2:40 build/C/man2/getsid.2:26 build/C/man2/getuid.2:27 build/C/man2/iopl.2:34 build/C/man2/ioprio_set.2:26 build/C/man2/ipc.2:27 build/C/man2/seteuid.2:28 build/C/man2/setfsgid.2:30 build/C/man2/setfsuid.2:30 build/C/man2/setgid.2:28 build/C/man2/setpgid.2:47 build/C/man2/setresuid.2:27 build/C/man2/setreuid.2:44 build/C/man2/setsid.2:30 build/C/man2/setuid.2:29 build/C/man7/svipc.7:26 build/C/man3/ulimit.3:28
#, no-wrap
msgid "NAME"
msgstr ""
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:51 build/C/man5/acct.5:28 build/C/man7/capabilities.7:50 build/C/man2/capget.2:20 build/C/man7/cpuset.7:27 build/C/man7/credentials.7:28 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:34 build/C/man2/getpriority.2:57 build/C/man2/getresuid.2:38 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:49 build/C/man2/getuid.2:37 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:33 build/C/man2/ipc.2:35 build/C/man2/seteuid.2:51 build/C/man2/setfsgid.2:37 build/C/man2/setfsuid.2:37 build/C/man2/setgid.2:36 build/C/man2/setpgid.2:96 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:68 build/C/man2/setsid.2:39 build/C/man2/setuid.2:37 build/C/man7/svipc.7:36 build/C/man3/ulimit.3:34
+#: build/C/man2/acct.2:51 build/C/man5/acct.5:28 build/C/man7/capabilities.7:49 build/C/man2/capget.2:20 build/C/man7/cpuset.7:27 build/C/man7/credentials.7:28 build/C/man2/getgid.2:36 build/C/man2/getgroups.2:52 build/C/man2/getpid.2:34 build/C/man2/getpriority.2:57 build/C/man2/getresuid.2:38 build/C/man2/getrlimit.2:88 build/C/man2/getrusage.2:48 build/C/man2/getsid.2:49 build/C/man2/getuid.2:37 build/C/man2/iopl.2:40 build/C/man2/ioprio_set.2:33 build/C/man2/ipc.2:35 build/C/man2/seteuid.2:51 build/C/man2/setfsgid.2:37 build/C/man2/setfsuid.2:37 build/C/man2/setgid.2:36 build/C/man2/setpgid.2:96 build/C/man2/setresuid.2:37 build/C/man2/setreuid.2:68 build/C/man2/setsid.2:39 build/C/man2/setuid.2:37 build/C/man7/svipc.7:36 build/C/man3/ulimit.3:34
#, no-wrap
msgid "DESCRIPTION"
msgstr ""
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:130 build/C/man5/acct.5:152 build/C/man7/capabilities.7:890 build/C/man2/capget.2:210 build/C/man7/credentials.7:232 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:158 build/C/man2/getresuid.2:66 build/C/man2/getrlimit.2:473 build/C/man2/getrusage.2:194 build/C/man2/getsid.2:78 build/C/man2/getuid.2:45 build/C/man2/iopl.2:85 build/C/man2/ioprio_set.2:186 build/C/man2/ipc.2:46 build/C/man2/seteuid.2:89 build/C/man2/setfsgid.2:78 build/C/man2/setfsuid.2:78 build/C/man2/setgid.2:74 build/C/man2/setpgid.2:225 build/C/man2/setresuid.2:83 build/C/man2/setreuid.2:111 build/C/man2/setsid.2:64 build/C/man2/setuid.2:90 build/C/man3/ulimit.3:78
+#: build/C/man2/acct.2:130 build/C/man5/acct.5:152 build/C/man7/capabilities.7:997 build/C/man2/capget.2:210 build/C/man7/credentials.7:232 build/C/man2/getgid.2:44 build/C/man2/getgroups.2:133 build/C/man2/getpid.2:44 build/C/man2/getpriority.2:158 build/C/man2/getresuid.2:66 build/C/man2/getrlimit.2:473 build/C/man2/getrusage.2:194 build/C/man2/getsid.2:78 build/C/man2/getuid.2:45 build/C/man2/iopl.2:85 build/C/man2/ioprio_set.2:186 build/C/man2/ipc.2:46 build/C/man2/seteuid.2:89 build/C/man2/setfsgid.2:78 build/C/man2/setfsuid.2:78 build/C/man2/setgid.2:74 build/C/man2/setpgid.2:225 build/C/man2/setresuid.2:83 build/C/man2/setreuid.2:111 build/C/man2/setsid.2:64 build/C/man2/setuid.2:90 build/C/man3/ulimit.3:78
#, no-wrap
msgid "CONFORMING TO"
msgstr ""
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:137 build/C/man5/acct.5:156 build/C/man7/capabilities.7:895 build/C/man2/capget.2:212 build/C/man7/cpuset.7:1340 build/C/man7/credentials.7:238 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:161 build/C/man2/getresuid.2:69 build/C/man2/getrlimit.2:496 build/C/man2/getrusage.2:205 build/C/man2/getsid.2:80 build/C/man2/getuid.2:47 build/C/man2/getuid.2:57 build/C/man2/iopl.2:89 build/C/man2/ioprio_set.2:188 build/C/man2/ipc.2:50 build/C/man2/seteuid.2:91 build/C/man2/setfsgid.2:82 build/C/man2/setfsuid.2:82 build/C/man2/setgid.2:64 build/C/man2/setpgid.2:247 build/C/man2/setresuid.2:86 build/C/man2/setreuid.2:117 build/C/man2/setsid.2:66 build/C/man2/setuid.2:95
+#: build/C/man2/acct.2:137 build/C/man5/acct.5:156 build/C/man7/capabilities.7:1002 build/C/man2/capget.2:212 build/C/man7/cpuset.7:1340 build/C/man7/credentials.7:238 build/C/man2/getgid.2:46 build/C/man2/getgroups.2:141 build/C/man2/getpid.2:46 build/C/man2/getpriority.2:161 build/C/man2/getresuid.2:69 build/C/man2/getrlimit.2:496 build/C/man2/getrusage.2:205 build/C/man2/getsid.2:80 build/C/man2/getuid.2:47 build/C/man2/getuid.2:57 build/C/man2/iopl.2:89 build/C/man2/ioprio_set.2:188 build/C/man2/ipc.2:50 build/C/man2/seteuid.2:91 build/C/man2/setfsgid.2:82 build/C/man2/setfsuid.2:82 build/C/man2/setgid.2:64 build/C/man2/setpgid.2:247 build/C/man2/setresuid.2:86 build/C/man2/setreuid.2:117 build/C/man2/setsid.2:66 build/C/man2/setuid.2:95
#, no-wrap
msgid "NOTES"
msgstr ""
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:143 build/C/man5/acct.5:173 build/C/man7/capabilities.7:943 build/C/man2/capget.2:219 build/C/man7/cpuset.7:1487 build/C/man7/credentials.7:250 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:171 build/C/man2/getpid.2:98 build/C/man2/getpriority.2:223 build/C/man2/getresuid.2:85 build/C/man2/getrlimit.2:620 build/C/man2/getrusage.2:245 build/C/man2/getsid.2:83 build/C/man2/getuid.2:73 build/C/man2/iopl.2:98 build/C/man2/ioprio_set.2:317 build/C/man2/ipc.2:58 build/C/man2/seteuid.2:117 build/C/man2/setfsgid.2:110 build/C/man2/setfsuid.2:110 build/C/man2/setgid.2:76 build/C/man2/setpgid.2:315 build/C/man2/setresuid.2:106 build/C/man2/setreuid.2:157 build/C/man2/setsid.2:83 build/C/man2/setuid.2:118 build/C/man7/svipc.7:320 build/C/man3/ulimit.3:83
+#: build/C/man2/acct.2:143 build/C/man5/acct.5:173 build/C/man7/capabilities.7:1050 build/C/man2/capget.2:219 build/C/man7/cpuset.7:1487 build/C/man7/credentials.7:250 build/C/man2/getgid.2:62 build/C/man2/getgroups.2:171 build/C/man2/getpid.2:98 build/C/man2/getpriority.2:223 build/C/man2/getresuid.2:85 build/C/man2/getrlimit.2:620 build/C/man2/getrusage.2:245 build/C/man2/getsid.2:83 build/C/man2/getuid.2:73 build/C/man2/iopl.2:98 build/C/man2/ioprio_set.2:317 build/C/man2/ipc.2:58 build/C/man2/seteuid.2:117 build/C/man2/setfsgid.2:110 build/C/man2/setfsuid.2:110 build/C/man2/setgid.2:76 build/C/man2/setpgid.2:315 build/C/man2/setresuid.2:106 build/C/man2/setreuid.2:157 build/C/man2/setsid.2:83 build/C/man2/setuid.2:118 build/C/man7/svipc.7:320 build/C/man3/ulimit.3:83
#, no-wrap
msgid "SEE ALSO"
msgstr ""
msgstr ""
#. type: SH
-#: build/C/man2/acct.2:145 build/C/man5/acct.5:178 build/C/man7/capabilities.7:962 build/C/man2/capget.2:223 build/C/man7/cpuset.7:1504 build/C/man7/credentials.7:281 build/C/man2/getgid.2:67 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:108 build/C/man2/getpriority.2:231 build/C/man2/getresuid.2:91 build/C/man2/getrlimit.2:637 build/C/man2/getrusage.2:252 build/C/man2/getsid.2:87 build/C/man2/getuid.2:78 build/C/man2/iopl.2:101 build/C/man2/ioprio_set.2:323 build/C/man2/ipc.2:71 build/C/man2/seteuid.2:124 build/C/man2/setfsgid.2:115 build/C/man2/setfsuid.2:115 build/C/man2/setgid.2:82 build/C/man2/setpgid.2:322 build/C/man2/setresuid.2:115 build/C/man2/setreuid.2:165 build/C/man2/setsid.2:89 build/C/man2/setuid.2:125 build/C/man7/svipc.7:334 build/C/man3/ulimit.3:88
+#: build/C/man2/acct.2:145 build/C/man5/acct.5:178 build/C/man7/capabilities.7:1071 build/C/man2/capget.2:223 build/C/man7/cpuset.7:1504 build/C/man7/credentials.7:281 build/C/man2/getgid.2:67 build/C/man2/getgroups.2:178 build/C/man2/getpid.2:108 build/C/man2/getpriority.2:231 build/C/man2/getresuid.2:91 build/C/man2/getrlimit.2:637 build/C/man2/getrusage.2:252 build/C/man2/getsid.2:87 build/C/man2/getuid.2:78 build/C/man2/iopl.2:101 build/C/man2/ioprio_set.2:323 build/C/man2/ipc.2:71 build/C/man2/seteuid.2:124 build/C/man2/setfsgid.2:115 build/C/man2/setfsuid.2:115 build/C/man2/setgid.2:82 build/C/man2/setpgid.2:322 build/C/man2/setresuid.2:115 build/C/man2/setreuid.2:165 build/C/man2/setsid.2:89 build/C/man2/setuid.2:125 build/C/man7/svipc.7:334 build/C/man3/ulimit.3:88
#, no-wrap
msgid "COLOPHON"
msgstr ""
#. type: Plain text
-#: build/C/man2/acct.2:152 build/C/man5/acct.5:185 build/C/man7/capabilities.7:969 build/C/man2/capget.2:230 build/C/man7/cpuset.7:1511 build/C/man7/credentials.7:288 build/C/man2/getgid.2:74 build/C/man2/getgroups.2:185 build/C/man2/getpid.2:115 build/C/man2/getpriority.2:238 build/C/man2/getresuid.2:98 build/C/man2/getrlimit.2:644 build/C/man2/getrusage.2:259 build/C/man2/getsid.2:94 build/C/man2/getuid.2:85 build/C/man2/iopl.2:108 build/C/man2/ioprio_set.2:330 build/C/man2/ipc.2:78 build/C/man2/seteuid.2:131 build/C/man2/setfsgid.2:122 build/C/man2/setfsuid.2:122 build/C/man2/setgid.2:89 build/C/man2/setpgid.2:329 build/C/man2/setresuid.2:122 build/C/man2/setreuid.2:172 build/C/man2/setsid.2:96 build/C/man2/setuid.2:132 build/C/man7/svipc.7:341 build/C/man3/ulimit.3:95
+#: build/C/man2/acct.2:152 build/C/man5/acct.5:185 build/C/man7/capabilities.7:1078 build/C/man2/capget.2:230 build/C/man7/cpuset.7:1511 build/C/man7/credentials.7:288 build/C/man2/getgid.2:74 build/C/man2/getgroups.2:185 build/C/man2/getpid.2:115 build/C/man2/getpriority.2:238 build/C/man2/getresuid.2:98 build/C/man2/getrlimit.2:644 build/C/man2/getrusage.2:259 build/C/man2/getsid.2:94 build/C/man2/getuid.2:85 build/C/man2/iopl.2:108 build/C/man2/ioprio_set.2:330 build/C/man2/ipc.2:78 build/C/man2/seteuid.2:131 build/C/man2/setfsgid.2:122 build/C/man2/setfsuid.2:122 build/C/man2/setgid.2:89 build/C/man2/setpgid.2:329 build/C/man2/setresuid.2:122 build/C/man2/setreuid.2:172 build/C/man2/setsid.2:96 build/C/man2/setuid.2:132 build/C/man7/svipc.7:341 build/C/man3/ulimit.3:95
msgid ""
-"This page is part of release 3.35 of the Linux I<man-pages> project. A "
+"This page is part of release 3.37 of the Linux I<man-pages> project. A "
"description of the project, and information about reporting bugs, can be "
-"found at http://man7.org/linux/man-pages/."
+"found at http://www.kernel.org/doc/man-pages/."
msgstr ""
#. type: TH
msgstr ""
#. type: TH
-#: build/C/man7/capabilities.7:47
+#: build/C/man7/capabilities.7:46
#, no-wrap
msgid "CAPABILITIES"
msgstr ""
#. type: TH
-#: build/C/man7/capabilities.7:47
+#: build/C/man7/capabilities.7:46
#, no-wrap
-msgid "2011-10-04"
+msgid "2012-03-05"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:50
+#: build/C/man7/capabilities.7:49
msgid "capabilities - overview of Linux capabilities"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:62
+#: build/C/man7/capabilities.7:61
msgid ""
"For the purpose of performing permission checks, traditional UNIX "
"implementations distinguish two categories of processes: I<privileged> "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:69
+#: build/C/man7/capabilities.7:68
msgid ""
"Starting with kernel 2.2, Linux divides the privileges traditionally "
"associated with superuser into distinct units, known as I<capabilities>, "
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:69
+#: build/C/man7/capabilities.7:68
#, no-wrap
msgid "Capabilities List"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:72
+#: build/C/man7/capabilities.7:71
msgid ""
"The following list shows the capabilities implemented on Linux, and the "
"operations or behaviors that each capability permits:"
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:72
+#: build/C/man7/capabilities.7:71
#, no-wrap
msgid "B<CAP_AUDIT_CONTROL> (since Linux 2.6.11)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:76
+#: build/C/man7/capabilities.7:75
msgid ""
"Enable and disable kernel auditing; change auditing filter rules; retrieve "
"auditing status and filtering rules."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:76
+#: build/C/man7/capabilities.7:75
#, no-wrap
msgid "B<CAP_AUDIT_WRITE> (since Linux 2.6.11)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:79
+#: build/C/man7/capabilities.7:78
msgid "Write records to kernel auditing log."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:79
+#: build/C/man7/capabilities.7:78
#, no-wrap
msgid "B<CAP_CHOWN>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:83
+#: build/C/man7/capabilities.7:82
msgid "Make arbitrary changes to file UIDs and GIDs (see B<chown>(2))."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:83
+#: build/C/man7/capabilities.7:82
#, no-wrap
msgid "B<CAP_DAC_OVERRIDE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:87
+#: build/C/man7/capabilities.7:86
msgid ""
"Bypass file read, write, and execute permission checks. (DAC is an "
"abbreviation of \"discretionary access control\".)"
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:87
+#: build/C/man7/capabilities.7:86
#, no-wrap
msgid "B<CAP_DAC_READ_SEARCH>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:91
+#: build/C/man7/capabilities.7:90
msgid ""
"Bypass file read permission checks and directory read and execute permission "
"checks."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:91
+#: build/C/man7/capabilities.7:90
#, no-wrap
msgid "B<CAP_FOWNER>"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:95 build/C/man7/capabilities.7:105 build/C/man7/capabilities.7:109 build/C/man7/capabilities.7:111 build/C/man7/capabilities.7:113 build/C/man7/capabilities.7:234 build/C/man7/capabilities.7:244 build/C/man7/capabilities.7:250 build/C/man7/capabilities.7:256 build/C/man7/capabilities.7:263 build/C/man7/capabilities.7:266 build/C/man7/capabilities.7:274 build/C/man7/capabilities.7:276 build/C/man7/capabilities.7:285 build/C/man7/capabilities.7:292 build/C/man7/capabilities.7:295 build/C/man7/capabilities.7:302 build/C/man7/capabilities.7:332 build/C/man7/capabilities.7:337 build/C/man7/capabilities.7:342 build/C/man7/capabilities.7:345 build/C/man7/capabilities.7:348 build/C/man7/capabilities.7:357 build/C/man7/capabilities.7:361 build/C/man7/capabilities.7:393 build/C/man7/capabilities.7:395 build/C/man7/capabilities.7:399 build/C/man7/capabilities.7:401 build/C/man7/capabilities.7:404 build/C/man7/capabilities.7:408 build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:617 build/C/man7/capabilities.7:625 build/C/man7/capabilities.7:932 build/C/man7/capabilities.7:937 build/C/man7/cpuset.7:539 build/C/man7/cpuset.7:544 build/C/man7/cpuset.7:549 build/C/man7/cpuset.7:725 build/C/man7/cpuset.7:729 build/C/man7/cpuset.7:926 build/C/man7/cpuset.7:929 build/C/man7/cpuset.7:933 build/C/man7/cpuset.7:937 build/C/man7/cpuset.7:941 build/C/man7/credentials.7:123 build/C/man7/credentials.7:129 build/C/man7/credentials.7:141 build/C/man7/credentials.7:163 build/C/man7/credentials.7:180 build/C/man7/credentials.7:212 build/C/man7/credentials.7:215 build/C/man7/credentials.7:225 build/C/man7/credentials.7:228
+#: build/C/man7/capabilities.7:94 build/C/man7/capabilities.7:104 build/C/man7/capabilities.7:108 build/C/man7/capabilities.7:110 build/C/man7/capabilities.7:112 build/C/man7/capabilities.7:182 build/C/man7/capabilities.7:184 build/C/man7/capabilities.7:186 build/C/man7/capabilities.7:188 build/C/man7/capabilities.7:190 build/C/man7/capabilities.7:192 build/C/man7/capabilities.7:194 build/C/man7/capabilities.7:196 build/C/man7/capabilities.7:198 build/C/man7/capabilities.7:222 build/C/man7/capabilities.7:224 build/C/man7/capabilities.7:270 build/C/man7/capabilities.7:280 build/C/man7/capabilities.7:286 build/C/man7/capabilities.7:291 build/C/man7/capabilities.7:297 build/C/man7/capabilities.7:304 build/C/man7/capabilities.7:307 build/C/man7/capabilities.7:315 build/C/man7/capabilities.7:317 build/C/man7/capabilities.7:326 build/C/man7/capabilities.7:333 build/C/man7/capabilities.7:336 build/C/man7/capabilities.7:338 build/C/man7/capabilities.7:343 build/C/man7/capabilities.7:346 build/C/man7/capabilities.7:353 build/C/man7/capabilities.7:358 build/C/man7/capabilities.7:364 build/C/man7/capabilities.7:368 build/C/man7/capabilities.7:372 build/C/man7/capabilities.7:376 build/C/man7/capabilities.7:380 build/C/man7/capabilities.7:407 build/C/man7/capabilities.7:412 build/C/man7/capabilities.7:417 build/C/man7/capabilities.7:420 build/C/man7/capabilities.7:423 build/C/man7/capabilities.7:432 build/C/man7/capabilities.7:436 build/C/man7/capabilities.7:472 build/C/man7/capabilities.7:474 build/C/man7/capabilities.7:478 build/C/man7/capabilities.7:480 build/C/man7/capabilities.7:483 build/C/man7/capabilities.7:487 build/C/man7/capabilities.7:489 build/C/man7/capabilities.7:491 build/C/man7/capabilities.7:493 build/C/man7/capabilities.7:502 build/C/man7/capabilities.7:509 build/C/man7/capabilities.7:514 build/C/man7/capabilities.7:724 build/C/man7/capabilities.7:732 build/C/man7/capabilities.7:1039 build/C/man7/capabilities.7:1044 build/C/man7/cpuset.7:539 build/C/man7/cpuset.7:544 build/C/man7/cpuset.7:549 build/C/man7/cpuset.7:725 build/C/man7/cpuset.7:729 build/C/man7/cpuset.7:926 build/C/man7/cpuset.7:929 build/C/man7/cpuset.7:933 build/C/man7/cpuset.7:937 build/C/man7/cpuset.7:941 build/C/man7/credentials.7:123 build/C/man7/credentials.7:129 build/C/man7/credentials.7:141 build/C/man7/credentials.7:163 build/C/man7/credentials.7:180 build/C/man7/credentials.7:212 build/C/man7/credentials.7:215 build/C/man7/credentials.7:225 build/C/man7/credentials.7:228
#, no-wrap
msgid "*"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:105
+#: build/C/man7/capabilities.7:104
msgid ""
"Bypass permission checks on operations that normally require the file system "
"UID of the process to match the UID of the file (e.g., B<chmod>(2), "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:109
+#: build/C/man7/capabilities.7:108
msgid "set extended file attributes (see B<chattr>(1)) on arbitrary files;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:111
+#: build/C/man7/capabilities.7:110
msgid "set Access Control Lists (ACLs) on arbitrary files;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:113
+#: build/C/man7/capabilities.7:112
msgid "ignore directory sticky bit on file deletion;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:120
+#: build/C/man7/capabilities.7:119
msgid "specify B<O_NOATIME> for arbitrary files in B<open>(2) and B<fcntl>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:122
+#: build/C/man7/capabilities.7:121
#, no-wrap
msgid "B<CAP_FSETID>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:128
+#: build/C/man7/capabilities.7:127
msgid ""
"Don't clear set-user-ID and set-group-ID permission bits when a file is "
"modified; set the set-group-ID bit for a file whose GID does not match the "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:128
+#: build/C/man7/capabilities.7:127
#, no-wrap
msgid "B<CAP_IPC_LOCK>"
msgstr ""
+#. FIXME As at Linux 3.2, there are some strange uses of this capability
+#. in other places; they probably should be replaced with something else.
#. type: Plain text
-#: build/C/man7/capabilities.7:135
+#: build/C/man7/capabilities.7:136
msgid "Lock memory (B<mlock>(2), B<mlockall>(2), B<mmap>(2), B<shmctl>(2))."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:135
+#: build/C/man7/capabilities.7:136
#, no-wrap
msgid "B<CAP_IPC_OWNER>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:138
+#: build/C/man7/capabilities.7:139
msgid "Bypass permission checks for operations on System V IPC objects."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:138
+#: build/C/man7/capabilities.7:139
#, no-wrap
msgid "B<CAP_KILL>"
msgstr ""
#. if the child does an exec(). What is the rationale
#. for this?
#. type: Plain text
-#: build/C/man7/capabilities.7:151
+#: build/C/man7/capabilities.7:152
msgid ""
"Bypass permission checks for sending signals (see B<kill>(2)). This "
"includes use of the B<ioctl>(2) B<KDSIGACCEPT> operation."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:151
+#: build/C/man7/capabilities.7:152
#, no-wrap
msgid "B<CAP_LEASE> (since Linux 2.4)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:155
+#: build/C/man7/capabilities.7:156
msgid "Establish leases on arbitrary files (see B<fcntl>(2))."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:155
+#: build/C/man7/capabilities.7:156
#, no-wrap
msgid "B<CAP_LINUX_IMMUTABLE>"
msgstr ""
#. These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS
#. type: Plain text
-#: build/C/man7/capabilities.7:164
+#: build/C/man7/capabilities.7:165
msgid ""
"Set the B<FS_APPEND_FL> and B<FS_IMMUTABLE_FL> i-node flags (see "
"B<chattr>(1))."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:164
+#: build/C/man7/capabilities.7:165
#, no-wrap
msgid "B<CAP_MAC_ADMIN> (since Linux 2.6.25)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:168
+#: build/C/man7/capabilities.7:169
msgid ""
"Override Mandatory Access Control (MAC). Implemented for the Smack Linux "
"Security Module (LSM)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:168
+#: build/C/man7/capabilities.7:169
#, no-wrap
msgid "B<CAP_MAC_OVERRIDE> (since Linux 2.6.25)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:172
+#: build/C/man7/capabilities.7:173
msgid "Allow MAC configuration or state changes. Implemented for the Smack LSM."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:172
+#: build/C/man7/capabilities.7:173
#, no-wrap
msgid "B<CAP_MKNOD> (since Linux 2.4)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:176
+#: build/C/man7/capabilities.7:177
msgid "Create special files using B<mknod>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:176
+#: build/C/man7/capabilities.7:177
#, no-wrap
msgid "B<CAP_NET_ADMIN>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:182
+#: build/C/man7/capabilities.7:180
+msgid "Perform various network-related operations:"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:184
+msgid "interface configuration;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:186
+msgid "administration of IP firewall, masquerading, and accounting"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:188
+msgid "modify routing tables;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:190
+msgid "bind to any address for transparent proxying;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:192
+msgid "set type-of-service (TOS)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:194
+msgid "clear driver statistics;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:196
+msgid "set promiscuous mode;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:198
+msgid "enabling multicasting;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:209
msgid ""
-"Perform various network-related operations (e.g., setting privileged socket "
-"options, enabling multicasting, interface configuration, modifying routing "
-"tables)."
+"use B<setsockopt>(2) to set the following socket options: B<SO_DEBUG>, "
+"B<SO_MARK>, B<SO_PRIORITY> (for a priority outside the range 0 to 6), "
+"B<SO_RCVBUFFORCE>, and B<SO_SNDBUFFORCE>."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:182
+#: build/C/man7/capabilities.7:211
#, no-wrap
msgid "B<CAP_NET_BIND_SERVICE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:186
+#: build/C/man7/capabilities.7:215
msgid ""
"Bind a socket to Internet domain privileged ports (port numbers less than "
"1024)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:186
+#: build/C/man7/capabilities.7:215
#, no-wrap
msgid "B<CAP_NET_BROADCAST>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:189
+#: build/C/man7/capabilities.7:218
msgid "(Unused) Make socket broadcasts, and listen to multicasts."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:189
+#: build/C/man7/capabilities.7:218
#, no-wrap
msgid "B<CAP_NET_RAW>"
msgstr ""
-#. Also various IP options and setsockopt(SO_BINDTODEVICE)
#. type: Plain text
-#: build/C/man7/capabilities.7:193
-msgid "Use RAW and PACKET sockets."
+#: build/C/man7/capabilities.7:224
+msgid "use RAW and PACKET sockets;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:226
+msgid "bind to any address for transparent proxying."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:193
+#: build/C/man7/capabilities.7:229
#, no-wrap
msgid "B<CAP_SETGID>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:197
+#: build/C/man7/capabilities.7:233
msgid ""
"Make arbitrary manipulations of process GIDs and supplementary GID list; "
"forge GID when passing socket credentials via UNIX domain sockets."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:197
+#: build/C/man7/capabilities.7:233
#, no-wrap
msgid "B<CAP_SETFCAP> (since Linux 2.6.24)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:200
+#: build/C/man7/capabilities.7:236
msgid "Set file capabilities."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:200
+#: build/C/man7/capabilities.7:236
#, no-wrap
msgid "B<CAP_SETPCAP>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:211
+#: build/C/man7/capabilities.7:247
msgid ""
"If file capabilities are not supported: grant or remove any capability in "
"the caller's permitted capability set to or from any other process. (This "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:221
+#: build/C/man7/capabilities.7:257
msgid ""
"If file capabilities are supported: add any capability from the calling "
"thread's bounding set to its inheritable set; drop capabilities from the "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:221
+#: build/C/man7/capabilities.7:257
#, no-wrap
msgid "B<CAP_SETUID>"
msgstr ""
#. FIXME CAP_SETUID also an effect in exec(); document this.
#. type: Plain text
-#: build/C/man7/capabilities.7:230
+#: build/C/man7/capabilities.7:266
msgid ""
"Make arbitrary manipulations of process UIDs (B<setuid>(2), B<setreuid>(2), "
"B<setresuid>(2), B<setfsuid>(2)); make forged UID when passing socket "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:230
+#: build/C/man7/capabilities.7:266
#, no-wrap
msgid "B<CAP_SYS_ADMIN>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:244
+#: build/C/man7/capabilities.7:280
msgid ""
"Perform a range of system administration operations including: "
"B<quotactl>(2), B<mount>(2), B<umount>(2), B<swapon>(2), B<swapoff>(2), "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:250
+#: build/C/man7/capabilities.7:286
msgid ""
"perform privileged B<syslog>(2) operations (since Linux 2.6.37, "
"B<CAP_SYSLOG> should be used to permit such operations);"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:256
+#: build/C/man7/capabilities.7:291
+msgid "perform B<VM86_REQUEST_IRQ> B<vm86>(2) command;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:297
msgid ""
"perform B<IPC_SET> and B<IPC_RMID> operations on arbitrary System V IPC "
"objects;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:263
+#: build/C/man7/capabilities.7:304
msgid ""
"perform operations on I<trusted> and I<security> Extended Attributes (see "
"B<attr>(5));"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:266
+#: build/C/man7/capabilities.7:307
msgid "use B<lookup_dcookie>(2);"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:274
+#: build/C/man7/capabilities.7:315
msgid ""
"use B<ioprio_set>(2) to assign B<IOPRIO_CLASS_RT> and (before Linux 2.6.25) "
"B<IOPRIO_CLASS_IDLE> I/O scheduling classes;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:276
+#: build/C/man7/capabilities.7:317
msgid "forge UID when passing socket credentials;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:285
+#: build/C/man7/capabilities.7:326
msgid ""
"exceed I</proc/sys/fs/file-max>, the system-wide limit on the number of open "
"files, in system calls that open files (e.g., B<accept>(2), B<execve>(2), "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:292
-msgid "employ B<CLONE_NEWNS> flag with B<clone>(2) and B<unshare>(2);"
+#: build/C/man7/capabilities.7:333
+msgid ""
+"employ B<CLONE_*> flags that create new namespaces with B<clone>(2) and "
+"B<unshare>(2);"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:336
+msgid "call B<perf_event_open>(2);"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:295
-msgid "call B<setns>(2);"
+#: build/C/man7/capabilities.7:338
+msgid "call"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:302
+#: build/C/man7/capabilities.7:343
+msgid "access privileged I<perf> event information; B<setns>(2);"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:346
+msgid "call B<fanotify_init>(2);"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:353
msgid "perform B<KEYCTL_CHOWN> and B<KEYCTL_SETPERM> B<keyctl>(2) operations;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:307
-msgid "perform B<madvise>(2) B<MADV_HWPOISON> operation."
+#: build/C/man7/capabilities.7:358
+msgid "perform B<madvise>(2) B<MADV_HWPOISON> operation;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:364
+msgid ""
+"employ the B<TIOCSTI> B<ioctl>(2) to insert characters into the input queue "
+"of a terminal other than the caller's controlling terminal."
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:368
+msgid "employ the obsolete B<nfsservctl>(2); system call;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:372
+msgid "employ the obsolete B<bdflush>(2) system call;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:376
+msgid "perform various privileged block-device B<ioctl>(2) operations;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:380
+msgid "perform various privileged file-system B<ioctl>(2) operations;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:382
+msgid "perform administrative operations on many device drivers."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:309
+#: build/C/man7/capabilities.7:384
#, no-wrap
msgid "B<CAP_SYS_BOOT>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:315
+#: build/C/man7/capabilities.7:390
msgid "Use B<reboot>(2) and B<kexec_load>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:315
+#: build/C/man7/capabilities.7:390
#, no-wrap
msgid "B<CAP_SYS_CHROOT>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:319
+#: build/C/man7/capabilities.7:394
msgid "Use B<chroot>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:319
+#: build/C/man7/capabilities.7:394
#, no-wrap
msgid "B<CAP_SYS_MODULE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:328
+#: build/C/man7/capabilities.7:403
msgid ""
"Load and unload kernel modules (see B<init_module>(2) and "
"B<delete_module>(2)); in kernels before 2.6.25: drop capabilities from the "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:328
+#: build/C/man7/capabilities.7:403
#, no-wrap
msgid "B<CAP_SYS_NICE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:337
+#: build/C/man7/capabilities.7:412
msgid ""
"Raise process nice value (B<nice>(2), B<setpriority>(2)) and change the "
"nice value for arbitrary processes;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:342
+#: build/C/man7/capabilities.7:417
msgid ""
"set real-time scheduling policies for calling process, and set scheduling "
"policies and priorities for arbitrary processes (B<sched_setscheduler>(2), "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:345
+#: build/C/man7/capabilities.7:420
msgid "set CPU affinity for arbitrary processes (B<sched_setaffinity>(2));"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:348
+#: build/C/man7/capabilities.7:423
msgid ""
"set I/O scheduling class and priority for arbitrary processes "
"(B<ioprio_set>(2));"
#. do_migrate_pages(mm, &old, &new,
#. capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
#. type: Plain text
-#: build/C/man7/capabilities.7:357
+#: build/C/man7/capabilities.7:432
msgid ""
"apply B<migrate_pages>(2) to arbitrary processes and allow processes to be "
"migrated to arbitrary nodes;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:361
+#: build/C/man7/capabilities.7:436
msgid "apply B<move_pages>(2) to arbitrary processes;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:368
+#: build/C/man7/capabilities.7:443
msgid "use the B<MPOL_MF_MOVE_ALL> flag with B<mbind>(2) and B<move_pages>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:370
+#: build/C/man7/capabilities.7:445
#, no-wrap
msgid "B<CAP_SYS_PACCT>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:374
+#: build/C/man7/capabilities.7:449
msgid "Use B<acct>(2)."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:374
+#: build/C/man7/capabilities.7:449
#, no-wrap
msgid "B<CAP_SYS_PTRACE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:381
+#: build/C/man7/capabilities.7:456
msgid ""
"Trace arbitrary processes using B<ptrace>(2); apply B<get_robust_list>(2) "
"to arbitrary processes."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:381
+#: build/C/man7/capabilities.7:456
#, no-wrap
msgid "B<CAP_SYS_RAWIO>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:389
+#: build/C/man7/capabilities.7:468
msgid ""
"Perform I/O port operations (B<iopl>(2) and B<ioperm>(2)); access "
-"I</proc/kcore>."
+"I</proc/kcore>; employ the B<FIBMAP> B<ioctl>(2) operation."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:389
+#: build/C/man7/capabilities.7:468
#, no-wrap
msgid "B<CAP_SYS_RESOURCE>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:395
+#: build/C/man7/capabilities.7:474
msgid "Use reserved space on ext2 file systems;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:399
+#: build/C/man7/capabilities.7:478
msgid "make B<ioctl>(2) calls controlling ext3 journaling;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:401
+#: build/C/man7/capabilities.7:480
msgid "override disk quota limits;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:404
+#: build/C/man7/capabilities.7:483
msgid "increase resource limits (see B<setrlimit>(2));"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:408
+#: build/C/man7/capabilities.7:487
msgid "override B<RLIMIT_NPROC> resource limit;"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:417
+#: build/C/man7/capabilities.7:489
+msgid "override maximum number of consoles on console allocation;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:491
+msgid "override maximum number of keymaps;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:493
+msgid "allow more than 64hz interrupts from the real-time clock;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:502
msgid ""
"raise I<msg_qbytes> limit for a System V message queue above the limit in "
-"I</proc/sys/kernel/msgmnb> (see B<msgop>(2) and B<msgctl>(2))."
+"I</proc/sys/kernel/msgmnb> (see B<msgop>(2) and B<msgctl>(2));"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:509
+msgid ""
+"override the I</proc/sys/fs/pipe-size-max> limit when setting the capacity "
+"of a pipe using the B<F_SETPIPE_SZ> B<fcntl>(2) command."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:422
+#: build/C/man7/capabilities.7:514
msgid ""
"use B<F_SETPIPE_SZ> to increase the capacity of a pipe above the limit "
-"specified by I</proc/sys/fs/pipe-max-size>."
+"specified by I</proc/sys/fs/pipe-max-size>;"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:519
+msgid ""
+"override I</proc/sys/fs/mqueue/queues_max> limit when creating POSIX message "
+"queues (see B<mq_overview>(7))."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:424
+#: build/C/man7/capabilities.7:521
#, no-wrap
msgid "B<CAP_SYS_TIME>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:431
+#: build/C/man7/capabilities.7:528
msgid ""
"Set system clock (B<settimeofday>(2), B<stime>(2), B<adjtimex>(2)); set "
"real-time (hardware) clock."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:431
+#: build/C/man7/capabilities.7:528
#, no-wrap
msgid "B<CAP_SYS_TTY_CONFIG>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:435
-msgid "Use B<vhangup>(2)."
+#: build/C/man7/capabilities.7:535
+msgid ""
+"Use B<vhangup>(2); employ various privileged B<ioctl>(2) operations on "
+"virtual terminals."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:435
+#: build/C/man7/capabilities.7:535
#, no-wrap
msgid "B<CAP_SYSLOG> (since Linux 2.6.37)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:444
+#: build/C/man7/capabilities.7:543
msgid ""
"Perform privileged B<syslog>(2) operations. See B<syslog>(2) for "
"information on which operations require privilege."
msgstr ""
+#. type: TP
+#: build/C/man7/capabilities.7:543
+#, no-wrap
+msgid "B<CAP_WAKE_ALARM> (since Linux 3.0)"
+msgstr ""
+
+#. type: Plain text
+#: build/C/man7/capabilities.7:551
+msgid ""
+"Trigger something that will wake up the system (set B<CLOCK_REALTIME_ALARM> "
+"and B<CLOCK_BOOTTIME_ALARM> timers)."
+msgstr ""
+
#. type: SS
-#: build/C/man7/capabilities.7:444
+#: build/C/man7/capabilities.7:551
#, no-wrap
msgid "Past and Current Implementation"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:446
+#: build/C/man7/capabilities.7:553
msgid "A full implementation of capabilities requires that:"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:446 build/C/man7/capabilities.7:589 build/C/man7/capabilities.7:736 build/C/man7/capabilities.7:789
+#: build/C/man7/capabilities.7:553 build/C/man7/capabilities.7:696 build/C/man7/capabilities.7:843 build/C/man7/capabilities.7:896
#, no-wrap
msgid "1."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:450
+#: build/C/man7/capabilities.7:557
msgid ""
"For all privileged operations, the kernel must check whether the thread has "
"the required capability in its effective set."
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:450 build/C/man7/capabilities.7:594 build/C/man7/capabilities.7:742 build/C/man7/capabilities.7:795
+#: build/C/man7/capabilities.7:557 build/C/man7/capabilities.7:701 build/C/man7/capabilities.7:849 build/C/man7/capabilities.7:902
#, no-wrap
msgid "2."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:453
+#: build/C/man7/capabilities.7:560
msgid ""
"The kernel must provide system calls allowing a thread's capability sets to "
"be changed and retrieved."
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:453 build/C/man7/capabilities.7:745 build/C/man7/capabilities.7:799
+#: build/C/man7/capabilities.7:560 build/C/man7/capabilities.7:852 build/C/man7/capabilities.7:906
#, no-wrap
msgid "3."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:456
+#: build/C/man7/capabilities.7:563
msgid ""
"The file system must support attaching capabilities to an executable file, "
"so that a process gains those capabilities when the file is executed."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:460
+#: build/C/man7/capabilities.7:567
msgid ""
"Before kernel 2.6.24, only the first two of these requirements are met; "
"since kernel 2.6.24, all three requirements are met."
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:460
+#: build/C/man7/capabilities.7:567
#, no-wrap
msgid "Thread Capability Sets"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:463
+#: build/C/man7/capabilities.7:570
msgid ""
"Each thread has three capability sets containing zero or more of the above "
"capabilities:"
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:463
+#: build/C/man7/capabilities.7:570
#, no-wrap
msgid "I<Permitted>:"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:471
+#: build/C/man7/capabilities.7:578
msgid ""
"This is a limiting superset for the effective capabilities that the thread "
"may assume. It is also a limiting superset for the capabilities that may be "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:477
+#: build/C/man7/capabilities.7:584
msgid ""
"If a thread drops a capability from its permitted set, it can never "
"reacquire that capability (unless it B<execve>(2)s either a set-user-ID-root "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:477
+#: build/C/man7/capabilities.7:584
#, no-wrap
msgid "I<Inheritable>:"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:484
+#: build/C/man7/capabilities.7:591
msgid ""
"This is a set of capabilities preserved across an B<execve>(2). It provides "
"a mechanism for a process to assign capabilities to the permitted set of the "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:484 build/C/man7/capabilities.7:526
+#: build/C/man7/capabilities.7:591 build/C/man7/capabilities.7:633
#, no-wrap
msgid "I<Effective>:"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:488
+#: build/C/man7/capabilities.7:595
msgid ""
"This is the set of capabilities used by the kernel to perform permission "
"checks for the thread."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:494
+#: build/C/man7/capabilities.7:601
msgid ""
"A child created via B<fork>(2) inherits copies of its parent's capability "
"sets. See below for a discussion of the treatment of capabilities during "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:499
+#: build/C/man7/capabilities.7:606
msgid ""
"Using B<capset>(2), a thread may manipulate its own capability sets (see "
"below)."
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:499
+#: build/C/man7/capabilities.7:606
#, no-wrap
msgid "File Capabilities"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:514
+#: build/C/man7/capabilities.7:621
msgid ""
"Since kernel 2.6.24, the kernel supports associating capability sets with an "
"executable file using B<setcap>(8). The file capability sets are stored in "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:516
+#: build/C/man7/capabilities.7:623
msgid "The three file capability sets are:"
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:516
+#: build/C/man7/capabilities.7:623
#, no-wrap
msgid "I<Permitted> (formerly known as I<forced>):"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:520
+#: build/C/man7/capabilities.7:627
msgid ""
"These capabilities are automatically permitted to the thread, regardless of "
"the thread's inheritable capabilities."
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:520
+#: build/C/man7/capabilities.7:627
#, no-wrap
msgid "I<Inheritable> (formerly known as I<allowed>):"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:526
+#: build/C/man7/capabilities.7:633
msgid ""
"This set is ANDed with the thread's inheritable set to determine which "
"inheritable capabilities are enabled in the permitted set of the thread "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:536
+#: build/C/man7/capabilities.7:643
msgid ""
"This is not a set, but rather just a single bit. If this bit is set, then "
"during an B<execve>(2) all of the new permitted capabilities for the thread "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:552
+#: build/C/man7/capabilities.7:659
msgid ""
"Enabling the file effective capability bit implies that any file permitted "
"or inheritable capability that causes a thread to acquire the corresponding "
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:552
+#: build/C/man7/capabilities.7:659
#, no-wrap
msgid "Transformation of Capabilities During execve()"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:558
+#: build/C/man7/capabilities.7:665
msgid ""
"During an B<execve>(2), the kernel calculates the new capabilities of the "
"process using the following algorithm:"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:563
+#: build/C/man7/capabilities.7:670
#, no-wrap
msgid ""
"P'(permitted) = (P(inheritable) & F(inheritable)) |\n"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:565
+#: build/C/man7/capabilities.7:672
#, no-wrap
msgid "P'(effective) = F(effective) ? P'(permitted) : 0\n"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:567
+#: build/C/man7/capabilities.7:674
#, no-wrap
msgid "P'(inheritable) = P(inheritable) [i.e., unchanged]\n"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:571
+#: build/C/man7/capabilities.7:678
msgid "where:"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:572
+#: build/C/man7/capabilities.7:679
#, no-wrap
msgid "P"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:575
+#: build/C/man7/capabilities.7:682
msgid "denotes the value of a thread capability set before the B<execve>(2)"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:575
+#: build/C/man7/capabilities.7:682
#, no-wrap
msgid "P'"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:578
+#: build/C/man7/capabilities.7:685
msgid "denotes the value of a capability set after the B<execve>(2)"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:578
+#: build/C/man7/capabilities.7:685
#, no-wrap
msgid "F"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:580
+#: build/C/man7/capabilities.7:687
msgid "denotes a file capability set"
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:580
+#: build/C/man7/capabilities.7:687
#, no-wrap
msgid "cap_bset"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:582
+#: build/C/man7/capabilities.7:689
msgid "is the value of the capability bounding set (described below)."
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:584
+#: build/C/man7/capabilities.7:691
#, no-wrap
msgid "Capabilities and execution of programs by root"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:589
+#: build/C/man7/capabilities.7:696
msgid ""
"In order to provide an all-powerful I<root> using capability sets, during an "
"B<execve>(2):"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:594
+#: build/C/man7/capabilities.7:701
msgid ""
"If a set-user-ID-root program is being executed, or the real user ID of the "
"process is 0 (root) then the file inheritable and permitted sets are "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:597
+#: build/C/man7/capabilities.7:704
msgid ""
"If a set-user-ID-root program is being executed, then the file effective bit "
"is defined to be one (enabled)."
#. exec(), then it gets all capabilities in its
#. permitted set, and no effective capabilities
#. type: Plain text
-#: build/C/man7/capabilities.7:612
+#: build/C/man7/capabilities.7:719
msgid ""
"The upshot of the above rules, combined with the capabilities "
"transformations described above, is that when a process B<execve>(2)s a "
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:612
+#: build/C/man7/capabilities.7:719
#, no-wrap
msgid "Capability bounding set"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:617
+#: build/C/man7/capabilities.7:724
msgid ""
"The capability bounding set is a security mechanism that can be used to "
"limit the capabilities that can be gained during an B<execve>(2). The "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:625
+#: build/C/man7/capabilities.7:732
msgid ""
"During an B<execve>(2), the capability bounding set is ANDed with the file "
"permitted capability set, and the result of this operation is assigned to "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:637
+#: build/C/man7/capabilities.7:744
msgid ""
"(Since Linux 2.6.25) The capability bounding set acts as a limiting "
"superset for the capabilities that a thread can add to its inheritable set "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:644
+#: build/C/man7/capabilities.7:751
msgid ""
"Note that the bounding set masks the file permitted capabilities, but not "
"the inherited capabilities. If a thread maintains a capability in its "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:647
+#: build/C/man7/capabilities.7:754
msgid ""
"Depending on the kernel version, the capability bounding set is either a "
"system-wide attribute, or a per-process attribute."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:649
+#: build/C/man7/capabilities.7:756
msgid "B<Capability bounding set prior to Linux 2.6.25>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:657
+#: build/C/man7/capabilities.7:764
msgid ""
"In kernels before 2.6.25, the capability bounding set is a system-wide "
"attribute that affects all threads on the system. The bounding set is "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:664
+#: build/C/man7/capabilities.7:771
msgid ""
"Only the B<init> process may set capabilities in the capability bounding "
"set; other than that, the superuser (more precisely: programs with the "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:673
+#: build/C/man7/capabilities.7:780
msgid ""
"On a standard system the capability bounding set always masks out the "
"B<CAP_SETPCAP> capability. To remove this restriction (dangerous!), modify "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:677
+#: build/C/man7/capabilities.7:784
msgid ""
"The system-wide capability bounding set feature was added to Linux starting "
"with kernel version 2.2.11."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:679
+#: build/C/man7/capabilities.7:786
msgid "B<Capability bounding set from Linux 2.6.25 onward>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:684
+#: build/C/man7/capabilities.7:791
msgid ""
"From Linux 2.6.25, the I<capability bounding set> is a per-thread "
"attribute. (There is no longer a system-wide capability bounding set.)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:689
+#: build/C/man7/capabilities.7:796
msgid ""
"The bounding set is inherited at B<fork>(2) from the thread's parent, and "
"is preserved across an B<execve>(2)."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:702
+#: build/C/man7/capabilities.7:809
msgid ""
"A thread may remove capabilities from its capability bounding set using the "
"B<prctl>(2) B<PR_CAPBSET_DROP> operation, provided it has the "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:720
+#: build/C/man7/capabilities.7:827
msgid ""
"Removing capabilities from the bounding set is only supported if file "
"capabilities are compiled into the kernel. In kernels before Linux 2.6.33, "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:727
+#: build/C/man7/capabilities.7:834
msgid ""
"Removing a capability from the bounding set does not remove it from the "
"thread's inherited set. However it does prevent the capability from being "
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:727
+#: build/C/man7/capabilities.7:834
#, no-wrap
msgid "Effect of User ID Changes on Capabilities"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:736
+#: build/C/man7/capabilities.7:843
msgid ""
"To preserve the traditional semantics for transitions between 0 and nonzero "
"user IDs, the kernel makes the following changes to a thread's capability "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:742
+#: build/C/man7/capabilities.7:849
msgid ""
"If one or more of the real, effective or saved set user IDs was previously "
"0, and as a result of the UID changes all of these IDs have a nonzero value, "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:745
+#: build/C/man7/capabilities.7:852
msgid ""
"If the effective user ID is changed from 0 to nonzero, then all capabilities "
"are cleared from the effective set."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:748
+#: build/C/man7/capabilities.7:855
msgid ""
"If the effective user ID is changed from nonzero to 0, then the permitted "
"set is copied to the effective set."
msgstr ""
#. type: IP
-#: build/C/man7/capabilities.7:748 build/C/man7/capabilities.7:803
+#: build/C/man7/capabilities.7:855 build/C/man7/capabilities.7:910
#, no-wrap
msgid "4."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:766
+#: build/C/man7/capabilities.7:873
msgid ""
"If the file system user ID is changed from 0 to nonzero (see B<setfsuid>(2)) "
"then the following capabilities are cleared from the effective set: "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:774
+#: build/C/man7/capabilities.7:881
msgid ""
"If a thread that has a 0 value for one or more of its user IDs wants to "
"prevent its permitted capability set being cleared when it resets all of its "
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:774
+#: build/C/man7/capabilities.7:881
#, no-wrap
msgid "Programmatically adjusting capability sets"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:789
+#: build/C/man7/capabilities.7:896
msgid ""
"A thread can retrieve and change its capability sets using the B<capget>(2) "
"and B<capset>(2) system calls. However, the use of B<cap_get_proc>(3) and "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:795
+#: build/C/man7/capabilities.7:902
msgid ""
"If the caller does not have the B<CAP_SETPCAP> capability, the new "
"inheritable set must be a subset of the combination of the existing "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:799
+#: build/C/man7/capabilities.7:906
msgid ""
"(Since kernel 2.6.25) The new inheritable set must be a subset of the "
"combination of the existing inheritable set and the capability bounding set."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:803
+#: build/C/man7/capabilities.7:910
msgid ""
"The new permitted set must be a subset of the existing permitted set (i.e., "
"it is not possible to acquire permitted capabilities that the thread does "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:805
+#: build/C/man7/capabilities.7:912
msgid "The new effective set must be a subset of the new permitted set."
msgstr ""
#. type: SS
-#: build/C/man7/capabilities.7:805
+#: build/C/man7/capabilities.7:912
#, no-wrap
msgid "The \"securebits\" flags: establishing a capabilities-only environment"
msgstr ""
#. see http://lwn.net/Articles/280279/ and
#. http://article.gmane.org/gmane.linux.kernel.lsm/5476/
#. type: Plain text
-#: build/C/man7/capabilities.7:816
+#: build/C/man7/capabilities.7:923
msgid ""
"Starting with kernel 2.6.26, and with a kernel in which file capabilities "
"are enabled, Linux implements a set of per-thread I<securebits> flags that "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:816
+#: build/C/man7/capabilities.7:923
#, no-wrap
msgid "B<SECBIT_KEEP_CAPS>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:828
+#: build/C/man7/capabilities.7:935
msgid ""
"Setting this flag allows a thread that has one or more 0 UIDs to retain its "
"capabilities when it switches all of its UIDs to a nonzero value. If this "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:828
+#: build/C/man7/capabilities.7:935
#, no-wrap
msgid "B<SECBIT_NO_SETUID_FIXUP>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:835
+#: build/C/man7/capabilities.7:942
msgid ""
"Setting this flag stops the kernel from adjusting capability sets when the "
"threads's effective and file system UIDs are switched between zero and "
msgstr ""
#. type: TP
-#: build/C/man7/capabilities.7:835
+#: build/C/man7/capabilities.7:942
#, no-wrap
msgid "B<SECBIT_NOROOT>"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:843
+#: build/C/man7/capabilities.7:950
msgid ""
"If this bit is set, then the kernel does not grant capabilities when a "
"set-user-ID-root program is executed, or when a process with an effective or "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:853
+#: build/C/man7/capabilities.7:960
msgid ""
"Each of the above \"base\" flags has a companion \"locked\" flag. Setting "
"any of the \"locked\" flags is irreversible, and has the effect of "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:865
+#: build/C/man7/capabilities.7:972
msgid ""
"The I<securebits> flags can be modified and retrieved using the B<prctl>(2) "
"B<PR_SET_SECUREBITS> and B<PR_GET_SECUREBITS> operations. The "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:874
+#: build/C/man7/capabilities.7:981
msgid ""
"The I<securebits> flags are inherited by child processes. During an "
"B<execve>(2), all of the flags are preserved, except B<SECBIT_KEEP_CAPS> "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:879
+#: build/C/man7/capabilities.7:986
msgid ""
"An application can use the following call to lock itself, and all of its "
"descendants, into an environment where the only way of gaining capabilities "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:888
+#: build/C/man7/capabilities.7:995
#, no-wrap
msgid ""
"prctl(PR_SET_SECUREBITS,\n"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:895
+#: build/C/man7/capabilities.7:1002
msgid ""
"No standards govern capabilities, but the Linux capability implementation is "
"based on the withdrawn POSIX.1e draft standard; see "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:899
+#: build/C/man7/capabilities.7:1006
msgid ""
"Since kernel 2.5.27, capabilities are an optional kernel component, and can "
"be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES kernel "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:906
+#: build/C/man7/capabilities.7:1013
msgid ""
"The I</proc/PID/task/TID/status> file can be used to view the capability "
"sets of a thread. The I</proc/PID/status> file shows the capability sets of "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:921
+#: build/C/man7/capabilities.7:1028
msgid ""
"The I<libcap> package provides a suite of routines for setting and getting "
"capabilities that is more comfortable and less likely to change than the "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:923
+#: build/C/man7/capabilities.7:1030
msgid "I<http://www.kernel.org/pub/linux/libs/security/linux-privs>."
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:932
+#: build/C/man7/capabilities.7:1039
msgid ""
"Before kernel 2.6.24, and since kernel 2.6.24 if file capabilities are not "
"enabled, a thread with the B<CAP_SETPCAP> capability can manipulate the "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:937
+#: build/C/man7/capabilities.7:1044
msgid ""
"In the pre-2.6.25 implementation the system-wide capability bounding set, "
"I</proc/sys/kernel/cap-bound>, always masks out this capability, and this "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:943
+#: build/C/man7/capabilities.7:1050
msgid ""
"If file capabilities are disabled in the current implementation, then "
"B<init> starts out with this capability removed from its per-process "
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:959
+#: build/C/man7/capabilities.7:1067
msgid ""
"B<capget>(2), B<prctl>(2), B<setfsuid>(2), B<cap_clear>(3), "
"B<cap_copy_ext>(3), B<cap_from_text>(3), B<cap_get_file>(3), "
"B<cap_get_proc>(3), B<cap_init>(3), B<capgetp>(3), B<capsetp>(3), "
-"B<credentials>(7), B<pthreads>(7), B<getcap>(8), B<setcap>(8)"
+"B<libcap>(3), B<credentials>(7), B<pthreads>(7), B<getcap>(8), B<setcap>(8)"
msgstr ""
#. type: Plain text
-#: build/C/man7/capabilities.7:962
-msgid "I<include/linux/capability.h> in the kernel source"
+#: build/C/man7/capabilities.7:1071
+msgid ""
+"Comments on the purposes of various capabilities in "
+"I<include/linux/capability.h> in the kernel source"
msgstr ""
#. type: TH