.\" capability, then we must also set the effective flag for all
.\" other capabilities where the permitted or inheritable bit is set.
.\"
-.TH CAPABILITIES 7 2009-08-03 "Linux" "Linux Programmer's Manual"
+.TH CAPABILITIES 7 2010-01-31 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
.RI ( root ).
These flags are as follows:
.TP
-.B SECURE_KEEP_CAPS
+.B SECBIT_KEEP_CAPS
Setting this flag allows a thread that has one or more 0 UIDs to retain
its capabilities when it switches all of its UIDs to a nonzero value.
If this flag is not set,
.B PR_SET_KEEPCAPS
operation.)
.TP
-.B SECURE_NO_SETUID_FIXUP
+.B SECBIT_NO_SETUID_FIXUP
Setting this flag stops the kernel from adjusting capability sets when
the threads's effective and file system UIDs are switched between
zero and nonzero values.
(See the subsection
.IR "Effect of User ID Changes on Capabilities" .)
.TP
-.B SECURE_NOROOT
+.B SECBIT_NOROOT
If this bit is set, then the kernel does not grant capabilities
when a set-user-ID-root program is executed, or when a process with
an effective or real UID of 0 calls
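Review bot: the context line under SECBIT_NO_SETUID_FIXUP still reads "the threads's effective and file system UIDs"; since this entry is being touched anyway, correct it to "the thread's". The SECBIT_NOROOT entry also opens with "If this bit is set" where the two entries above it say "Setting this flag". Using one term for all three would read more consistently now that the names share the SECBIT_ prefix.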
and has the effect of preventing further changes to the
corresponding "base" flag.
The locked flags are:
-.BR SECURE_KEEP_CAPS_LOCKED ,
-.BR SECURE_NO_SETUID_FIXUP_LOCKED ,
+.BR SECBIT_KEEP_CAPS_LOCKED ,
+.BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
and
-.BR SECURE_NOROOT_LOCKED .
+.BR SECBIT_NOROOT_LOCKED .
.PP
The
.I securebits
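Review bot: the locked-flag list replaces SECURE_KEEP_CAPS_LOCKED, SECURE_NO_SETUID_FIXUP_LOCKED and SECURE_NOROOT_LOCKED outright, and nothing in the visible text records that these were the names the page used before. Consider a one-line note (in the page or in the comment block at the top of the file) saying the earlier text used the SECURE_ names, so that a reader searching the page for the old names can tell what to use instead.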
.nf
prctl(PR_SET_SECUREBITS,
- 1 << SECURE_KEEP_CAPS_LOCKED |
- 1 << SECURE_NO_SETUID_FIXUP |
- 1 << SECURE_NO_SETUID_FIXUP_LOCKED |
- 1 << SECURE_NOROOT |
- 1 << SECURE_NOROOT_LOCKED);
+ SECBIT_KEEP_CAPS_LOCKED |
+ SECBIT_NO_SETUID_FIXUP |
+ SECBIT_NO_SETUID_FIXUP_LOCKED |
+ SECBIT_NOROOT |
+ SECBIT_NOROOT_LOCKED);
.fi
.in
.SH "CONFORMING TO"
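Review bot: in the prctl(PR_SET_SECUREBITS, ...) example the "1 <<" shifts are dropped together with the rename, so the SECBIT_ names are used as ready-made masks where the SECURE_ names were shifted as bit numbers, yet the surrounding text does not say this. Suggest adding a sentence near the example stating that the SECBIT_ constants are OR'd together directly, so that someone updating code copied from the old example does not write "1 << SECBIT_NOROOT". Separately, the example passes SECBIT_KEEP_CAPS_LOCKED without SECBIT_KEEP_CAPS, while the other two flags appear as base-plus-locked pairs. If that asymmetry is deliberate, a short remark that the flag is being locked in its cleared state would stop readers from treating it as an omission.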