Commit | Line | Data |
---|---|---|
c11b1abf | 1 | .\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com> |
fea681da MK |
2 | .\" |
3 | .\" Permission is granted to make and distribute verbatim copies of this | |
4 | .\" manual provided the copyright notice and this permission notice are | |
5 | .\" preserved on all copies. | |
6 | .\" | |
7 | .\" Permission is granted to copy and distribute modified versions of this | |
8 | .\" manual under the conditions for verbatim copying, provided that the | |
9 | .\" entire resulting derived work is distributed under the terms of a | |
10 | .\" permission notice identical to this one. | |
11 | .\" | |
12 | .\" Since the Linux kernel and libraries are constantly changing, this | |
13 | .\" manual page may be incorrect or out-of-date. The author(s) assume no | |
14 | .\" responsibility for errors or omissions, or for damages resulting from | |
10d76543 MK |
15 | .\" the use of the information contained herein. The author(s) may not |
16 | .\" have taken the same level of care in the production of this manual, | |
17 | .\" which is licensed free of charge, as they might when working | |
18 | .\" professionally. | |
fea681da MK |
19 | .\" |
20 | .\" Formatted or processed versions of this manual, if unaccompanied by | |
21 | .\" the source, must acknowledge the copyright and authors of this work. | |
fea681da MK |
22 | .\" |
23 | .\" 6 Aug 2002 - Initial Creation | |
c11b1abf MK |
24 | .\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com> |
25 | .\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com> | |
1c1e15ed | 26 | .\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER |
5eaee3d9 | 27 | .\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE |
c8e68512 MK |
28 | .\" 2008-07-15, Serge Hallyn <serue@us.bbm.com> |
29 | .\" Document file capabilities, per-process capability | |
30 | .\" bounding set, changed semantics for CAP_SETPCAP, | |
31 | .\" and other changes in 2.6.2[45]. | |
32 | .\" Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP. | |
33 | .\" 2008-07-15, mtk | |
34 | .\" Add text describing circumstances in which CAP_SETPCAP | |
35 | .\" (theoretically) permits a thread to change the | |
36 | .\" capability sets of another thread. | |
37 | .\" Add section describing rules for programmatically | |
38 | .\" adjusting thread capability sets. | |
39 | .\" Describe rationale for capability bounding set. | |
40 | .\" Document "securebits" flags. | |
41 | .\" Add text noting that if we set the effective flag for one file | |
42 | .\" capability, then we must also set the effective flag for all | |
43 | .\" other capabilities where the permitted or inheritable bit is set. | |
bfb730f9 | 44 | .\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG |
5eaee3d9 | 45 | .\" |
38b6e5b0 | 46 | .TH CAPABILITIES 7 2012-12-22 "Linux" "Linux Programmer's Manual" |
fea681da MK |
47 | .SH NAME |
48 | capabilities \- overview of Linux capabilities | |
49 | .SH DESCRIPTION | |
fea681da | 50 | For the purpose of performing permission checks, |
008f1ecc | 51 | traditional UNIX implementations distinguish two categories of processes: |
fea681da MK |
52 | .I privileged |
53 | processes (whose effective user ID is 0, referred to as superuser or root), | |
54 | and | |
55 | .I unprivileged | |
c7094399 | 56 | processes (whose effective UID is nonzero). |
fea681da MK |
57 | Privileged processes bypass all kernel permission checks, |
58 | while unprivileged processes are subject to full permission | |
59 | checking based on the process's credentials | |
60 | (usually: effective UID, effective GID, and supplementary group list). | |
61 | ||
c13182ef MK |
62 | Starting with kernel 2.2, Linux divides the privileges traditionally |
63 | associated with superuser into distinct units, known as | |
fea681da | 64 | .IR capabilities , |
3dfe7e0d | 65 | which can be independently enabled and disabled. |
cf7a13d4 | 66 | Capabilities are a per-thread attribute. |
c8e68512 | 67 | .\" |
c634028a | 68 | .SS Capabilities list |
c8e68512 MK |
69 | The following list shows the capabilities implemented on Linux, |
70 | and the operations or behaviors that each capability permits: | |
fea681da | 71 | .TP |
45286787 | 72 | .BR CAP_AUDIT_CONTROL " (since Linux 2.6.11)" |
5eaee3d9 MK |
73 | Enable and disable kernel auditing; change auditing filter rules; |
74 | retrieve auditing status and filtering rules. | |
75 | .TP | |
45286787 | 76 | .BR CAP_AUDIT_WRITE " (since Linux 2.6.11)" |
c8e68512 | 77 | Write records to kernel auditing log. |
5eaee3d9 | 78 | .TP |
9339d749 MK |
79 | .BR CAP_BLOCK_SUSPEND " (since Linux 3.5)" |
80 | Employ features that can block system suspend | |
81 | .RB ( epoll (7) | |
82 | .BR EPOLLWAKEUP , | |
83 | .IR /proc/sys/wake_lock ). | |
84 | .TP | |
fea681da | 85 | .B CAP_CHOWN |
c8e68512 | 86 | Make arbitrary changes to file UIDs and GIDs (see |
fea681da MK |
87 | .BR chown (2)). |
88 | .TP | |
89 | .B CAP_DAC_OVERRIDE | |
90 | Bypass file read, write, and execute permission checks. | |
c8e68512 | 91 | (DAC is an abbreviation of "discretionary access control".) |
fea681da MK |
92 | .TP |
93 | .B CAP_DAC_READ_SEARCH | |
94 | Bypass file read permission checks and | |
95 | directory read and execute permission checks. | |
96 | .TP | |
97 | .B CAP_FOWNER | |
c8e68512 MK |
98 | .PD 0 |
99 | .RS | |
100 | .IP * 2 | |
fea681da MK |
101 | Bypass permission checks on operations that normally |
102 | require the file system UID of the process to match the UID of | |
103 | the file (e.g., | |
104 | .BR chmod (2), | |
105 | .BR utime (2)), | |
c8e68512 | 106 | excluding those operations covered by |
fea681da MK |
107 | .B CAP_DAC_OVERRIDE |
108 | and | |
109 | .BR CAP_DAC_READ_SEARCH ; | |
c8e68512 | 110 | .IP * |
fea681da MK |
111 | set extended file attributes (see |
112 | .BR chattr (1)) | |
113 | on arbitrary files; | |
c8e68512 | 114 | .IP * |
fea681da | 115 | set Access Control Lists (ACLs) on arbitrary files; |
c8e68512 | 116 | .IP * |
1c1e15ed | 117 | ignore directory sticky bit on file deletion; |
c8e68512 | 118 | .IP * |
1c1e15ed MK |
119 | specify |
120 | .B O_NOATIME | |
121 | for arbitrary files in | |
122 | .BR open (2) | |
123 | and | |
124 | .BR fcntl (2). | |
c8e68512 MK |
125 | .RE |
126 | .PD | |
fea681da MK |
127 | .TP |
128 | .B CAP_FSETID | |
c8e68512 MK |
129 | Don't clear set-user-ID and set-group-ID permission |
130 | bits when a file is modified; | |
131 | set the set-group-ID bit for a file whose GID does not match | |
fea681da MK |
132 | the file system or any of the supplementary GIDs of the calling process. |
133 | .TP | |
134 | .B CAP_IPC_LOCK | |
46c73a44 MK |
135 | .\" FIXME As at Linux 3.2, there are some strange uses of this capability |
136 | .\" in other places; they probably should be replaced with something else. | |
c8e68512 | 137 | Lock memory |
fea681da MK |
138 | .RB ( mlock (2), |
139 | .BR mlockall (2), | |
140 | .BR mmap (2), | |
141 | .BR shmctl (2)). | |
142 | .TP | |
143 | .B CAP_IPC_OWNER | |
144 | Bypass permission checks for operations on System V IPC objects. | |
145 | .TP | |
146 | .B CAP_KILL | |
147 | Bypass permission checks for sending signals (see | |
148 | .BR kill (2)). | |
097585ed | 149 | This includes use of the |
c8e68512 | 150 | .BR ioctl (2) |
097585ed | 151 | .B KDSIGACCEPT |
c8e68512 | 152 | operation. |
afc322c2 | 153 | .\" FIXME CAP_KILL also has an effect for threads + setting child |
a7c1e564 MK |
154 | .\" termination signal to other than SIGCHLD: without this |
155 | .\" capability, the termination signal reverts to SIGCHLD | |
c13182ef | 156 | .\" if the child does an exec(). What is the rationale |
a7c1e564 | 157 | .\" for this? |
fea681da | 158 | .TP |
c8e68512 MK |
159 | .BR CAP_LEASE " (since Linux 2.4)" |
160 | Establish leases on arbitrary files (see | |
fea681da MK |
161 | .BR fcntl (2)). |
162 | .TP | |
163 | .B CAP_LINUX_IMMUTABLE | |
c8e68512 MK |
164 | Set the |
165 | .B FS_APPEND_FL | |
fea681da | 166 | and |
c8e68512 MK |
167 | .B FS_IMMUTABLE_FL |
168 | .\" These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS | |
169 | i-node flags (see | |
fea681da MK |
170 | .BR chattr (1)). |
171 | .TP | |
c8e68512 MK |
172 | .BR CAP_MAC_ADMIN " (since Linux 2.6.25)" |
173 | Allow Mandatory Access Control (MAC) configuration or state changes. | |
174 | Implemented for the Smack Linux Security Module (LSM). | |
175 | .TP | |
176 | .BR CAP_MAC_OVERRIDE " (since Linux 2.6.25)" | |
177 | Override MAC. | |
178 | Implemented for the Smack LSM. | |
179 | .TP | |
180 | .BR CAP_MKNOD " (since Linux 2.4)" | |
181 | Create special files using | |
fea681da MK |
182 | .BR mknod (2). |
183 | .TP | |
184 | .B CAP_NET_ADMIN | |
e87268ec MK |
185 | Perform various network-related operations: |
186 | .PD 0 | |
187 | .RS | |
188 | .IP * 2 | |
189 | interface configuration; | |
190 | .IP * | |
191 | administration of IP firewall, masquerading, and accounting; | |
192 | .IP * | |
193 | modify routing tables; | |
194 | .IP * | |
195 | bind to any address for transparent proxying; | |
196 | .IP * | |
197 | set type-of-service (TOS); | |
198 | .IP * | |
199 | clear driver statistics; | |
200 | .IP * | |
201 | set promiscuous mode; | |
202 | .IP * | |
203 | enable multicasting; | |
204 | .IP * | |
205 | use | |
206 | .BR setsockopt (2) | |
207 | to set the following socket options: | |
208 | .BR SO_DEBUG , | |
209 | .BR SO_MARK , | |
210 | .BR SO_PRIORITY | |
211 | (for a priority outside the range 0 to 6), | |
212 | .BR SO_RCVBUFFORCE , | |
213 | and | |
214 | .BR SO_SNDBUFFORCE . | |
215 | .RE | |
216 | .PD | |
fea681da MK |
217 | .TP |
218 | .B CAP_NET_BIND_SERVICE | |
6eb334b2 | 219 | Bind a socket to Internet domain privileged ports |
fea681da MK |
220 | (port numbers less than 1024). |
221 | .TP | |
222 | .B CAP_NET_BROADCAST | |
c8e68512 | 223 | (Unused) Make socket broadcasts, and listen to multicasts. |
fea681da MK |
224 | .TP |
225 | .B CAP_NET_RAW | |
93e9e2d6 MK |
226 | .PD 0 |
227 | .RS | |
228 | .IP * 2 | |
229 | use RAW and PACKET sockets; | |
230 | .IP * | |
231 | bind to any address for transparent proxying. | |
232 | .RE | |
233 | .PD | |
fea681da MK |
234 | .\" Also various IP options and setsockopt(SO_BINDTODEVICE) |
235 | .TP | |
236 | .B CAP_SETGID | |
c8e68512 | 237 | Make arbitrary manipulations of process GIDs and supplementary GID list; |
008f1ecc | 238 | forge GID when passing socket credentials via UNIX domain sockets. |
fea681da | 239 | .TP |
c8e68512 MK |
240 | .BR CAP_SETFCAP " (since Linux 2.6.24)" |
241 | Set file capabilities. | |
242 | .TP | |
243 | .B CAP_SETPCAP | |
244 | If file capabilities are not supported: | |
245 | grant or remove any capability in the | |
246 | caller's permitted capability set to or from any other process. | |
247 | (This property of | |
248 | .B CAP_SETPCAP | |
249 | is not available when the kernel is configured to support | |
250 | file capabilities, since | |
fea681da | 251 | .B CAP_SETPCAP |
c8e68512 MK |
252 | has entirely different semantics for such kernels.) |
253 | ||
254 | If file capabilities are supported: | |
255 | add any capability from the calling thread's bounding set | |
256 | to its inheritable set; | |
257 | drop capabilities from the bounding set (via | |
258 | .BR prctl (2) | |
259 | .BR PR_CAPBSET_DROP ); | |
260 | make changes to the | |
261 | .I securebits | |
262 | flags. | |
fea681da MK |
263 | .TP |
264 | .B CAP_SETUID | |
c8e68512 | 265 | Make arbitrary manipulations of process UIDs |
fea681da MK |
266 | .RB ( setuid (2), |
267 | .BR setreuid (2), | |
268 | .BR setresuid (2), | |
269 | .BR setfsuid (2)); | |
008f1ecc | 270 | make forged UID when passing socket credentials via UNIX domain sockets. |
777f5a9e | 271 | .\" FIXME CAP_SETUID also an effect in exec(); document this. |
fea681da MK |
272 | .TP |
273 | .B CAP_SYS_ADMIN | |
c8e68512 MK |
274 | .PD 0 |
275 | .RS | |
276 | .IP * 2 | |
277 | Perform a range of system administration operations including: | |
fea681da MK |
278 | .BR quotactl (2), |
279 | .BR mount (2), | |
280 | .BR umount (2), | |
1368e847 MK |
281 | .BR swapon (2), |
282 | .BR swapoff (2), | |
fea681da | 283 | .BR sethostname (2), |
f169a862 | 284 | and |
c8e68512 MK |
285 | .BR setdomainname (2); |
286 | .IP * | |
bfb730f9 MK |
287 | perform privileged |
288 | .BR syslog (2) | |
289 | operations (since Linux 2.6.37, | |
290 | .BR CAP_SYSLOG | |
291 | should be used to permit such operations); | |
292 | .IP * | |
c8e68512 | 293 | perform |
c11e3891 MK |
294 | .B VM86_REQUEST_IRQ |
295 | .BR vm86 (2) | |
296 | command; | |
297 | .IP * | |
298 | perform | |
fea681da MK |
299 | .B IPC_SET |
300 | and | |
301 | .B IPC_RMID | |
302 | operations on arbitrary System V IPC objects; | |
c8e68512 | 303 | .IP * |
fea681da MK |
304 | perform operations on |
305 | .I trusted | |
306 | and | |
307 | .I security | |
308 | Extended Attributes (see | |
309 | .BR attr (5)); | |
c8e68512 MK |
310 | .IP * |
311 | use | |
08baa0af | 312 | .BR lookup_dcookie (2); |
c8e68512 | 313 | .IP * |
a1f926b8 MK |
314 | use |
315 | .BR ioprio_set (2) | |
316 | to assign | |
317 | .B IOPRIO_CLASS_RT | |
83ee9237 | 318 | and (before Linux 2.6.25) |
237aa7c5 | 319 | .B IOPRIO_CLASS_IDLE |
a1f926b8 | 320 | I/O scheduling classes; |
c8e68512 | 321 | .IP * |
c8e68512 MK |
322 | forge UID when passing socket credentials; |
323 | .IP * | |
fea681da | 324 | exceed |
3dfe7e0d MK |
325 | .IR /proc/sys/fs/file-max , |
326 | the system-wide limit on the number of open files, | |
327 | in system calls that open files (e.g., | |
fea681da MK |
328 | .BR accept (2), |
329 | .BR execve (2), | |
330 | .BR open (2), | |
f169a862 | 331 | .BR pipe (2)); |
c8e68512 | 332 | .IP * |
c13182ef | 333 | employ |
0f807eea MK |
334 | .B CLONE_* |
335 | flags that create new namespaces with | |
a7c1e564 MK |
336 | .BR clone (2) |
337 | and | |
338 | .BR unshare (2); | |
c8e68512 | 339 | .IP * |
e4698850 | 340 | call |
0f322ccc MK |
341 | .BR perf_event_open (2); |
342 | .IP * | |
0f322ccc MK |
343 | access privileged |
344 | .I perf | |
345 | event information; | |
2bfe6656 MK |
346 | .IP * |
347 | call | |
e4698850 MK |
348 | .BR setns (2); |
349 | .IP * | |
0f807eea MK |
350 | call |
351 | .BR fanotify_init (2); | |
352 | .IP * | |
c13182ef | 353 | perform |
a7c1e564 MK |
354 | .B KEYCTL_CHOWN |
355 | and | |
356 | .B KEYCTL_SETPERM | |
357 | .BR keyctl (2) | |
e64e6056 MK |
358 | operations; |
359 | .IP * | |
360 | perform | |
361 | .BR madvise (2) | |
362 | .B MADV_HWPOISON | |
0f807eea MK |
363 | operation; |
364 | .IP * | |
365 | employ the | |
366 | .B TIOCSTI | |
367 | .BR ioctl (2) | |
368 | to insert characters into the input queue of a terminal other than | |
369 | the caller's controlling terminal; | |
370 | .IP * | |
0f807eea | 371 | employ the obsolete |
51c5c662 | 372 | .BR nfsservctl (2) |
c42221c4 MK |
373 | system call; |
374 | .IP * | |
375 | employ the obsolete | |
0f807eea MK |
376 | .BR bdflush (2) |
377 | system call; | |
378 | .IP * | |
379 | perform various privileged block-device | |
380 | .BR ioctl (2) | |
381 | operations; | |
382 | .IP * | |
383 | perform various privileged file-system | |
384 | .BR ioctl (2) | |
385 | operations; | |
386 | .IP * | |
387 | perform administrative operations on many device drivers. | |
c8e68512 MK |
388 | .RE |
389 | .PD | |
fea681da MK |
390 | .TP |
391 | .B CAP_SYS_BOOT | |
c8e68512 | 392 | Use |
08baa0af MK |
393 | .BR reboot (2) |
394 | and | |
395 | .BR kexec_load (2). | |
fea681da MK |
396 | .TP |
397 | .B CAP_SYS_CHROOT | |
c8e68512 | 398 | Use |
fea681da MK |
399 | .BR chroot (2). |
400 | .TP | |
401 | .B CAP_SYS_MODULE | |
c8e68512 MK |
402 | Load and unload kernel modules |
403 | (see | |
fea681da MK |
404 | .BR init_module (2) |
405 | and | |
c8e68512 MK |
406 | .BR delete_module (2)); |
407 | in kernels before 2.6.25: | |
408 | drop capabilities from the system-wide capability bounding set. | |
fea681da MK |
409 | .TP |
410 | .B CAP_SYS_NICE | |
c8e68512 MK |
411 | .PD 0 |
412 | .RS | |
413 | .IP * 2 | |
414 | Raise process nice value | |
fea681da MK |
415 | .RB ( nice (2), |
416 | .BR setpriority (2)) | |
c8e68512 MK |
417 | and change the nice value for arbitrary processes; |
418 | .IP * | |
419 | set real-time scheduling policies for calling process, | |
420 | and set scheduling policies and priorities for arbitrary processes | |
fea681da MK |
421 | .RB ( sched_setscheduler (2), |
422 | .BR sched_setparam (2)); | |
c8e68512 | 423 | .IP * |
fea681da | 424 | set CPU affinity for arbitrary processes |
c13182ef | 425 | .RB ( sched_setaffinity (2)); |
c8e68512 | 426 | .IP * |
a1f926b8 | 427 | set I/O scheduling class and priority for arbitrary processes |
c13182ef | 428 | .RB ( ioprio_set (2)); |
c8e68512 MK |
429 | .IP * |
430 | apply | |
a1f926b8 | 431 | .BR migrate_pages (2) |
c8e68512 | 432 | to arbitrary processes and allow processes |
a1f926b8 | 433 | to be migrated to arbitrary nodes; |
c13182ef | 434 | .\" FIXME CAP_SYS_NICE also has the following effect for |
a1f926b8 MK |
435 | .\" migrate_pages(2): |
436 | .\" do_migrate_pages(mm, &old, &new, | |
437 | .\" capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE); | |
c8e68512 MK |
438 | .IP * |
439 | apply | |
a7c1e564 | 440 | .BR move_pages (2) |
c8e68512 MK |
441 | to arbitrary processes; |
442 | .IP * | |
4d62f7b6 MK |
443 | use the |
444 | .B MPOL_MF_MOVE_ALL | |
c13182ef | 445 | flag with |
a7c1e564 | 446 | .BR mbind (2) |
c13182ef | 447 | and |
a7c1e564 | 448 | .BR move_pages (2). |
c8e68512 MK |
449 | .RE |
450 | .PD | |
fea681da MK |
451 | .TP |
452 | .B CAP_SYS_PACCT | |
c8e68512 | 453 | Use |
fea681da MK |
454 | .BR acct (2). |
455 | .TP | |
456 | .B CAP_SYS_PTRACE | |
c8e68512 | 457 | Trace arbitrary processes using |
cbd7b9bf MK |
458 | .BR ptrace (2); |
459 | apply | |
460 | .BR get_robust_list (2) | |
38b6e5b0 MK |
461 | to arbitrary processes; |
462 | inspect processes using | |
463 | .BR kcmp (2). | |
fea681da MK |
464 | .TP |
465 | .B CAP_SYS_RAWIO | |
c8e68512 | 466 | Perform I/O port operations |
fea681da MK |
467 | .RB ( iopl (2) |
468 | and | |
469 | .BR ioperm (2)); | |
470 | access | |
474e1f9d MK |
471 | .IR /proc/kcore ; |
472 | employ the | |
473 | .B FIBMAP | |
474 | .BR ioctl (2) | |
475 | operation. | |
fea681da MK |
476 | .TP |
477 | .B CAP_SYS_RESOURCE | |
c8e68512 MK |
478 | .PD 0 |
479 | .RS | |
480 | .IP * 2 | |
481 | Use reserved space on ext2 file systems; | |
482 | .IP * | |
483 | make | |
fea681da MK |
484 | .BR ioctl (2) |
485 | calls controlling ext3 journaling; | |
c8e68512 MK |
486 | .IP * |
487 | override disk quota limits; | |
488 | .IP * | |
489 | increase resource limits (see | |
fea681da | 490 | .BR setrlimit (2)); |
c8e68512 MK |
491 | .IP * |
492 | override | |
fea681da | 493 | .B RLIMIT_NPROC |
c8e68512 MK |
494 | resource limit; |
495 | .IP * | |
aa66392d MK |
496 | override maximum number of consoles on console allocation; |
497 | .IP * | |
498 | override maximum number of keymaps; | |
499 | .IP * | |
500 | allow more than 64 Hz interrupts from the real-time clock; | |
501 | .IP * | |
c8e68512 | 502 | raise |
fea681da | 503 | .I msg_qbytes |
c8e68512 | 504 | limit for a System V message queue above the limit in |
0daa9e92 | 505 | .I /proc/sys/kernel/msgmnb |
fea681da MK |
506 | (see |
507 | .BR msgop (2) | |
508 | and | |
ad7b0f91 MK |
509 | .BR msgctl (2)); |
510 | .IP * | |
511 | override the | |
512 | .I /proc/sys/fs/pipe-max-size | |
513 | limit when increasing the capacity of a pipe using the | |
514 | .B F_SETPIPE_SZ | |
515 | .BR fcntl (2) | |
516 | command; | |
522 | .IP * | |
523 | override | |
524 | .I /proc/sys/fs/mqueue/queues_max | |
525 | limit when creating POSIX message queues (see | |
ecc1f45b MK |
526 | .BR mq_overview (7)); |
527 | .IP * | |
528 | employ | |
529 | .BR prctl (2) | |
530 | .B PR_SET_MM | |
531 | operation. | |
c8e68512 MK |
532 | .RE |
533 | .PD | |
fea681da MK |
534 | .TP |
535 | .B CAP_SYS_TIME | |
c8e68512 | 536 | Set system clock |
fea681da MK |
537 | .RB ( settimeofday (2), |
538 | .BR stime (2), | |
539 | .BR adjtimex (2)); | |
c8e68512 | 540 | set real-time (hardware) clock. |
fea681da MK |
541 | .TP |
542 | .B CAP_SYS_TTY_CONFIG | |
c8e68512 | 543 | Use |
749ac769 MK |
544 | .BR vhangup (2); |
545 | employ various privileged | |
546 | .BR ioctl (2) | |
547 | operations on virtual terminals. | |
bfb730f9 MK |
548 | .TP |
549 | .BR CAP_SYSLOG " (since Linux 2.6.37)" | |
10fe5485 | 550 | .IP * 3 |
bfb730f9 MK |
551 | Perform privileged |
552 | .BR syslog (2) | |
553 | operations. | |
554 | See | |
555 | .BR syslog (2) | |
556 | for information on which operations require privilege. | |
10fe5485 MK |
557 | .IP * |
558 | View kernel addresses exposed via | |
559 | .I /proc | |
560 | and other interfaces when | |
561 | .IR /proc/sys/kernel/kptr_restrict | |
562 | has the value 1. | |
4eaa04c5 | 563 | (See the discussion of the |
10fe5485 MK |
564 | .I kptr_restrict |
565 | in | |
566 | .BR proc (5).) | |
d6b08708 MK |
567 | .TP |
568 | .BR CAP_WAKE_ALARM " (since Linux 3.0)" | |
569 | Trigger something that will wake up the system (set | |
570 | .B CLOCK_REALTIME_ALARM | |
571 | and | |
572 | .B CLOCK_BOOTTIME_ALARM | |
573 | timers). | |
c8e68512 | 574 | .\" |
c634028a | 575 | .SS Past and current implementation |
c8e68512 MK |
576 | A full implementation of capabilities requires that: |
577 | .IP 1. 3 | |
578 | For all privileged operations, | |
579 | the kernel must check whether the thread has the required | |
580 | capability in its effective set. | |
581 | .IP 2. | |
137d81b5 | 582 | The kernel must provide system calls allowing a thread's capability sets to |
c8e68512 MK |
583 | be changed and retrieved. |
584 | .IP 3. | |
585 | The file system must support attaching capabilities to an executable file, | |
586 | so that a process gains those capabilities when the file is executed. | |
587 | .PP | |
588 | Before kernel 2.6.24, only the first two of these requirements are met; | |
589 | since kernel 2.6.24, all three requirements are met. | |
590 | .\" | |
c634028a | 591 | .SS Thread capability sets |
cf7a13d4 | 592 | Each thread has three capability sets containing zero or more |
fea681da MK |
593 | of the above capabilities: |
594 | .TP | |
fea681da | 595 | .IR Permitted : |
c8e68512 MK |
596 | This is a limiting superset for the effective |
597 | capabilities that the thread may assume. | |
598 | It is also a limiting superset for the capabilities that | |
599 | may be added to the inheritable set by a thread that does not have the | |
600 | .B CAP_SETPCAP | |
601 | capability in its effective set. | |
602 | ||
cf7a13d4 | 603 | If a thread drops a capability from its permitted set, |
3b777aff | 604 | it can never reacquire that capability (unless it |
c930827f | 605 | .BR execve (2)s |
c8e68512 MK |
606 | either a set-user-ID-root program, or |
607 | a program whose associated file capabilities grant that capability). | |
fea681da | 608 | .TP |
c8e68512 MK |
609 | .IR Inheritable : |
610 | This is a set of capabilities preserved across an | |
fea681da | 611 | .BR execve (2). |
c8e68512 MK |
612 | It provides a mechanism for a process to assign capabilities |
613 | to the permitted set of the new program during an | |
614 | .BR execve (2). | |
615 | .TP | |
616 | .IR Effective : | |
617 | This is the set of capabilities used by the kernel to | |
618 | perform permission checks for the thread. | |
fea681da | 619 | .PP |
fea681da MK |
620 | A child created via |
621 | .BR fork (2) | |
622 | inherits copies of its parent's capability sets. | |
3dfe7e0d | 623 | See below for a discussion of the treatment of capabilities during |
c930827f | 624 | .BR execve (2). |
fea681da MK |
625 | .PP |
626 | Using | |
627 | .BR capset (2), | |
c8e68512 MK |
628 | a thread may manipulate its own capability sets (see below). |
629 | .\" | |
c634028a | 630 | .SS File capabilities |
c8e68512 MK |
631 | Since kernel 2.6.24, the kernel supports |
632 | associating capability sets with an executable file using | |
633 | .BR setcap (8). | |
634 | The file capability sets are stored in an extended attribute (see | |
635 | .BR setxattr (2)) | |
636 | named | |
637 | .IR "security.capability" . | |
638 | Writing to this extended attribute requires the | |
639 | .BR CAP_SETFCAP | |
fea681da | 640 | capability. |
c8e68512 | 641 | The file capability sets, |
cf7a13d4 | 642 | in conjunction with the capability sets of the thread, |
c8e68512 | 643 | determine the capabilities of a thread after an |
c930827f | 644 | .BR execve (2). |
c8e68512 MK |
645 | |
646 | The three file capability sets are: | |
fea681da | 647 | .TP |
3dfe7e0d | 648 | .IR Permitted " (formerly known as " forced ): |
c8e68512 | 649 | These capabilities are automatically permitted to the thread, |
cf7a13d4 | 650 | regardless of the thread's inheritable capabilities. |
fea681da | 651 | .TP |
c8e68512 MK |
652 | .IR Inheritable " (formerly known as " allowed ): |
653 | This set is ANDed with the thread's inheritable set to determine which | |
654 | inheritable capabilities are enabled in the permitted set of | |
655 | the thread after the | |
656 | .BR execve (2). | |
657 | .TP | |
fea681da | 658 | .IR Effective : |
c8e68512 MK |
659 | This is not a set, but rather just a single bit. |
660 | If this bit is set, then during an | |
661 | .BR execve (2) | |
662 | all of the new permitted capabilities for the thread are | |
663 | also raised in the effective set. | |
664 | If this bit is not set, then after an | |
665 | .BR execve (2), | |
666 | none of the new permitted capabilities is in the new effective set. | |
667 | ||
668 | Enabling the file effective capability bit implies | |
2914a14d | 669 | that any file permitted or inheritable capability that causes a |
c8e68512 MK |
670 | thread to acquire the corresponding permitted capability during an |
671 | .BR execve (2) | |
e33a08e1 | 672 | (see the transformation rules described below) will also acquire that |
c8e68512 MK |
673 | capability in its effective set. |
674 | Therefore, when assigning capabilities to a file | |
675 | .RB ( setcap (8), | |
676 | .BR cap_set_file (3), | |
677 | .BR cap_set_fd (3)), | |
678 | if we specify the effective flag as being enabled for any capability, | |
679 | then the effective flag must also be specified as enabled | |
680 | for all other capabilities for which the corresponding permitted or | |
681 | inheritable flags is enabled. | |
682 | .\" | |
c634028a | 683 | .SS Transformation of capabilities during execve() |
fea681da | 684 | .PP |
c13182ef | 685 | During an |
c930827f | 686 | .BR execve (2), |
1e321034 | 687 | the kernel calculates the new capabilities of |
fea681da | 688 | the process using the following algorithm: |
088a639b | 689 | .in +4n |
fea681da MK |
690 | .nf |
691 | ||
c13182ef | 692 | P'(permitted) = (P(inheritable) & F(inheritable)) | |
3dfe7e0d | 693 | (F(permitted) & cap_bset) |
fea681da | 694 | |
c8e68512 | 695 | P'(effective) = F(effective) ? P'(permitted) : 0 |
fea681da | 696 | |
5bdccabd | 697 | P'(inheritable) = P(inheritable) [i.e., unchanged] |
fea681da MK |
698 | |
699 | .fi | |
088a639b | 700 | .in |
fea681da | 701 | where: |
c8e68512 | 702 | .RS 4 |
fea681da | 703 | .IP P 10 |
c13182ef | 704 | denotes the value of a thread capability set before the |
c930827f | 705 | .BR execve (2) |
c8e68512 | 706 | .IP P' |
c13182ef | 707 | denotes the value of a capability set after the |
c930827f | 708 | .BR execve (2) |
c8e68512 | 709 | .IP F |
fea681da | 710 | denotes a file capability set |
c8e68512 MK |
711 | .IP cap_bset |
712 | is the value of the capability bounding set (described below). | |
713 | .RE | |
714 | .\" | |
715 | .SS Capabilities and execution of programs by root | |
716 | In order to provide an all-powerful | |
717 | .I root | |
718 | using capability sets, during an | |
719 | .BR execve (2): | |
720 | .IP 1. 3 | |
721 | If the effective user ID of the process after the | |
722 | .BR execve (2) | |
723 | will be 0 (because a set-user-ID-root program is being executed, | |
724 | or the caller's effective UID is already 0), | |
725 | or the real user ID of the process is 0 (root), | |
726 | then the file inheritable and permitted sets are defined to be all ones | |
727 | (i.e., all capabilities enabled). | |
728 | .IP 2. | |
729 | If the effective user ID of the process after the | |
730 | .BR execve (2) | |
731 | will be 0, | |
732 | then the file effective bit is defined to be one (enabled). | |
3dfe7e0d | 728 | .PP |
c8e68512 MK |
729 | The upshot of the above rules, |
730 | combined with the capabilities transformations described above, | |
731 | is that when a process | |
c930827f | 732 | .BR execve (2)s |
3dfe7e0d | 733 | a set-user-ID-root program, or when a process with an effective UID of 0 |
c930827f | 734 | .BR execve (2)s |
3dfe7e0d | 735 | a program, |
c13182ef | 736 | it gains all capabilities in its permitted and effective capability sets, |
c8e68512 | 737 | except those masked out by the capability bounding set. |
c7094399 | 738 | .\" If a process with real UID 0, and nonzero effective UID does an |
c8e68512 | 739 | .\" exec(), then it gets all capabilities in its |
35fb7de5 | 740 | .\" permitted set, and no effective capabilities |
3dfe7e0d | 741 | This provides semantics that are the same as those provided by |
008f1ecc | 742 | traditional UNIX systems. |
c8e68512 MK |
743 | .SS Capability bounding set |
744 | The capability bounding set is a security mechanism that can be used | |
745 | to limit the capabilities that can be gained during an | |
746 | .BR execve (2). | |
747 | The bounding set is used in the following ways: | |
748 | .IP * 2 | |
749 | During an | |
750 | .BR execve (2), | |
751 | the capability bounding set is ANDed with the file permitted | |
752 | capability set, and the result of this operation is assigned to the | |
753 | thread's permitted capability set. | |
754 | The capability bounding set thus places a limit on the permitted | |
755 | capabilities that may be granted by an executable file. | |
756 | .IP * | |
757 | (Since Linux 2.6.25) | |
758 | The capability bounding set acts as a limiting superset for | |
759 | the capabilities that a thread can add to its inheritable set using | |
760 | .BR capset (2). | |
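The transformation formula, the root rules and the bounding-set masking described above are small enough to be run on concrete inputs, which is the quickest way to see how they interact. The C program below is an added example written for this page, not code from the kernel or the manual: exec_transform() applies the root rules and then the three-line formula, and four scenario functions exercise it (an unprivileged user running a file with cap_net_bind_service=ep, the same user running a file with only inheritable bits, root running an ordinary binary, and the real-UID-0-but-effective-UID-nonzero case mentioned in the commented-out note above). The capability numbers, the 37-bit CAP_ALL_MASK (capabilities 0-36, as of Linux 3.5) and the scenario UIDs are the example's own assumptions; the securebits flags, which can switch off the root rules, are outside this section and are not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Capability numbers from <linux/capability.h>, only those used below. */
#define CAP_CHOWN             0
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21
#define CAP_BIT(c)           (1ULL << (c))
/* All 37 capabilities defined as of Linux 3.5 (CAP_CHOWN .. CAP_BLOCK_SUSPEND). */
#define CAP_ALL_MASK         0x1fffffffffULL

/* A thread's three sets, one bit per capability. */
struct cap_sets { uint64_t permitted, inheritable, effective; };

/* A file's two sets plus the single effective bit. */
struct file_caps { uint64_t permitted, inheritable; bool effective; };

/*
 * Apply the execve(2) transformation:
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 * after first applying the root rules: if the new effective UID is 0 (the
 * program is set-user-ID-root, or the caller's effective UID is already 0)
 * or the real UID is 0, F(inheritable) and F(permitted) are treated as all
 * ones; if the new effective UID is 0, F(effective) is treated as set.
 * 'ruid' is the caller's real UID and 'new_euid' the effective UID the
 * process will have after the execve(2).
 */
struct cap_sets exec_transform(struct cap_sets p, struct file_caps f,
                               uint64_t cap_bset,
                               unsigned int ruid, unsigned int new_euid)
{
    if (new_euid == 0 || ruid == 0) {
        f.permitted = CAP_ALL_MASK;
        f.inheritable = CAP_ALL_MASK;
    }
    if (new_euid == 0)
        f.effective = true;

    struct cap_sets n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & cap_bset);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    return n;
}

/* Scenario A: user 1000 runs a binary carrying cap_net_bind_service=ep
 * (file permitted set + effective bit, empty file inheritable set). */
struct cap_sets scenario_file_caps(uint64_t cap_bset)
{
    struct cap_sets p = { 0, 0, 0 };
    struct file_caps f = { CAP_BIT(CAP_NET_BIND_SERVICE), 0, false };
    f.effective = true;
    return exec_transform(p, f, cap_bset, 1000, 1000);
}

/* Scenario B: user 1000 runs a binary whose file inheritable set names
 * CAP_CHOWN and CAP_SYS_ADMIN, while the thread's own inheritable set holds
 * only CAP_CHOWN. No file permitted bits, effective bit clear. */
struct cap_sets scenario_inheritable(uint64_t cap_bset)
{
    struct cap_sets p = { 0, CAP_BIT(CAP_CHOWN), 0 };
    struct file_caps f = { 0, CAP_BIT(CAP_CHOWN) | CAP_BIT(CAP_SYS_ADMIN), false };
    return exec_transform(p, f, cap_bset, 1000, 1000);
}

/* Scenario C: root (real and effective UID 0) runs an ordinary binary with
 * no file capabilities at all. */
struct cap_sets scenario_root(uint64_t cap_bset)
{
    struct cap_sets p = { 0, 0, 0 };
    struct file_caps f = { 0, 0, false };
    return exec_transform(p, f, cap_bset, 0, 0);
}

/* Scenario D: real UID 0 but effective UID already switched to 1000. */
struct cap_sets scenario_real_root_only(uint64_t cap_bset)
{
    struct cap_sets p = { 0, 0, 0 };
    struct file_caps f = { 0, 0, false };
    return exec_transform(p, f, cap_bset, 0, 1000);
}

int main(void)
{
    uint64_t no_admin = CAP_ALL_MASK & ~CAP_BIT(CAP_SYS_ADMIN);
    struct cap_sets r = scenario_root(no_admin);
    printf("root, CAP_SYS_ADMIN dropped from bounding set: permitted=%#llx effective=%#llx\n",
           (unsigned long long)r.permitted, (unsigned long long)r.effective);
    r = scenario_file_caps(CAP_ALL_MASK);
    printf("file caps, full bounding set: permitted=%#llx effective=%#llx\n",
           (unsigned long long)r.permitted, (unsigned long long)r.effective);
    r = scenario_inheritable(0);
    printf("inheritable path, empty bounding set: permitted=%#llx\n",
           (unsigned long long)r.permitted);
    return 0;
}
```

Two results are worth a second look. Scenario C with CAP_SYS_ADMIN removed from the bounding set shows why the bounding set is the tool for building a root that cannot regain a capability across execve(2): root's "all ones" file sets are still ANDed with cap_bset. Scenario B with an empty bounding set shows the converse: the bounding set masks only the F(permitted) term, so a capability that arrives through the inheritable path (already in the thread's inheritable set and in the file's inheritable set) is not masked by it at execve(2) time; the bounding set's only hold on that path, since Linux 2.6.25, is limiting what capset(2) may add to the inheritable set in the first place.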