<arg choice="plain">exit-status</arg>
<arg choice="opt" rep="repeat"><replaceable>STATUS</replaceable></arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">capability</arg>
+ <arg choice="opt" rep="repeat"><replaceable>CAPABILITY</replaceable></arg>
+ </cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
</example>
</refsect2>
+ <refsect2>
+ <title><command>systemd-analyze capability <optional><replaceable>CAPABILITY</replaceable>...</optional></command></title>
+
+ <para>This command prints a list of Linux capabilities along with their numeric IDs. See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details. If no argument is specified the full list of capabilities known to the service manager and
+ the kernel is shown. Capabilities defined by the kernel but not known to the service manager are shown
+ as <literal>cap_???</literal>. Optionally, if arguments are specified they may refer to specific
+ cabilities by name or numeric ID, in which case only the indicated capabilities are shown in the
+ table.</para>
+
+ <example>
+ <title><command>Show some example capability names</command></title>
+
+ <programlisting>$ systemd-analyze capability 0 1 {30..32}
+NAME NUMBER
+cap_chown 0
+cap_dac_override 1
+cap_audit_control 30
+cap_setfcap 31
+cap_mac_override 32</programlisting>
+ </example>
+ </refsect2>
+
<refsect2>
<title><command>systemd-analyze condition <replaceable>CONDITION</replaceable>...</command></title>
<varlistentry>
<term><varname>CapabilityBoundingSet=</varname></term>
- <listitem><para>Controls which capabilities to include in the capability bounding set for the executed
- process. See <citerefentry
- project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
- details. Takes a whitespace-separated list of capability names, e.g. <constant>CAP_SYS_ADMIN</constant>,
- <constant>CAP_DAC_OVERRIDE</constant>, <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be
- included in the bounding set, all others are removed. If the list of capabilities is prefixed with
- <literal>~</literal>, all but the listed capabilities will be included, the effect of the assignment
- inverted. Note that this option also affects the respective capabilities in the effective, permitted and
- inheritable capability sets. If this option is not used, the capability bounding set is not modified on process
- execution, hence no limits on the capabilities of the process are enforced. This option may appear more than
- once, in which case the bounding sets are merged by <constant>OR</constant>, or by <constant>AND</constant> if
- the lines are prefixed with <literal>~</literal> (see below). If the empty string is assigned to this option,
- the bounding set is reset to the empty capability set, and all prior settings have no effect. If set to
- <literal>~</literal> (without any further argument), the bounding set is reset to the full set of available
- capabilities, also undoing any previous settings. This does not affect commands prefixed with
- <literal>+</literal>.</para>
+ <listitem><para>Controls which capabilities to include in the capability bounding set for the
+ executed process. See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details. Takes a whitespace-separated list of capability names,
+ e.g. <constant>CAP_SYS_ADMIN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
+ <constant>CAP_SYS_PTRACE</constant>. Capabilities listed will be included in the bounding set, all
+ others are removed. If the list of capabilities is prefixed with <literal>~</literal>, all but the
+ listed capabilities will be included, the effect of the assignment inverted. Note that this option
+ also affects the respective capabilities in the effective, permitted and inheritable capability
+ sets. If this option is not used, the capability bounding set is not modified on process execution,
+ hence no limits on the capabilities of the process are enforced. This option may appear more than
+ once, in which case the bounding sets are merged by <constant>OR</constant>, or by
+ <constant>AND</constant> if the lines are prefixed with <literal>~</literal> (see below). If the
+ empty string is assigned to this option, the bounding set is reset to the empty capability set, and
+ all prior settings have no effect. If set to <literal>~</literal> (without any further argument),
+ the bounding set is reset to the full set of available capabilities, also undoing any previous
+ settings. This does not affect commands prefixed with <literal>+</literal>.</para>
+
+ <para>Use
+ <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+ <command>capability</command> command to retrieve a list of capabilities defined on the local
+ system.</para>
<para>Example: if a unit has the following,
<programlisting>CapabilityBoundingSet=CAP_A CAP_B
#include "bus-map-properties.h"
#include "bus-unit-util.h"
#include "calendarspec.h"
+#include "cap-list.h"
+#include "capability-util.h"
#include "conf-files.h"
#include "copy.h"
#include "def.h"
return table_print(table, NULL);
}
+static int dump_capabilities(int argc, char *argv[], void *userdata) {
+ _cleanup_(table_unrefp) Table *table = NULL;
+ unsigned last_cap;
+ int r;
+
+ table = table_new("name", "number");
+ if (!table)
+ return log_oom();
+
+ (void) table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
+
+ /* Determine the maximum of the last cap known by the kernel and by us */
+ last_cap = MAX((unsigned) CAP_LAST_CAP, cap_last_cap());
+
+ if (strv_isempty(strv_skip(argv, 1)))
+ for (unsigned c = 0; c <= last_cap; c++) {
+ r = table_add_many(table,
+ TABLE_STRING, capability_to_name(c) ?: "cap_???",
+ TABLE_UINT, c);
+ if (r < 0)
+ return table_log_add_error(r);
+ }
+ else {
+ for (int i = 1; i < argc; i++) {
+ int c;
+
+ c = capability_from_name(argv[i]);
+ if (c < 0 || (unsigned) c > last_cap)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Capability \"%s\" not known.", argv[i]);
+
+ r = table_add_many(table,
+ TABLE_STRING, capability_to_name(c) ?: "cap_???",
+ TABLE_UINT, (unsigned) c);
+ if (r < 0)
+ return table_log_add_error(r);
+ }
+
+ (void) table_set_sort(table, (size_t) 1, (size_t) -1);
+ }
+
+ (void) pager_open(arg_pager_flags);
+
+ return table_print(table, NULL);
+}
+
#if HAVE_SECCOMP
static int load_kernel_syscalls(Set **ret) {
" unit-files List files and symlinks for units\n"
" unit-paths List load directories for units\n"
" exit-status [STATUS...] List exit status definitions\n"
+ " capability [CAP...] List capability definitions\n"
" syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
" condition CONDITION... Evaluate conditions and asserts\n"
" verify FILE... Check unit files for correctness\n"
{ "unit-paths", 1, 1, 0, dump_unit_paths },
{ "exit-status", VERB_ANY, VERB_ANY, 0, dump_exit_status },
{ "syscall-filter", VERB_ANY, VERB_ANY, 0, dump_syscall_filters },
+ { "capability", VERB_ANY, VERB_ANY, 0, dump_capabilities },
{ "condition", 2, VERB_ANY, 0, do_condition },
{ "verify", 2, VERB_ANY, 0, do_verify },
{ "calendar", 2, VERB_ANY, 0, test_calendar },
projects / thirdparty / systemd.git / commitdiff
