1 | /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ |
2 | /* |
3 | * This is <linux/capability.h> |
4 | * |
5 | * Andrew G. Morgan <morgan@kernel.org> |
6 | * Alexander Kjeldaas <astor@guardian.no> |
7 | * with help from Aleph1, Roland Buresund and Andrew Main. |
8 | * |
9 | * See here for the libcap library ("POSIX draft" compliance): |
10 | * |
11 | * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ |
12 | */ |
13 | |
14 | #ifndef _UAPI_LINUX_CAPABILITY_H |
15 | #define _UAPI_LINUX_CAPABILITY_H |
16 | |
17 | #include <linux/types.h> |
18 | |
19 | /* User-level do most of the mapping between kernel and user |
20 | capabilities based on the version tag given by the kernel. The |
21 | kernel might be somewhat backwards compatible, but don't bet on |
22 | it. */ |
23 | |
24 | /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to |
25 | a set of three capability sets. The transposition of 3*the |
26 | following structure to such a composite is better handled in a user |
27 | library since the draft standard requires the use of malloc/free |
28 | etc.. */ |
29 | |
30 | #define _LINUX_CAPABILITY_VERSION_1 0x19980330 |
31 | #define _LINUX_CAPABILITY_U32S_1 1 |
32 | |
33 | #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ |
34 | #define _LINUX_CAPABILITY_U32S_2 2 |
35 | |
36 | #define _LINUX_CAPABILITY_VERSION_3 0x20080522 |
37 | #define _LINUX_CAPABILITY_U32S_3 2 |
38 | |
39 | typedef struct { |
40 | __u32 ; |
41 | int ; |
42 | } __user *; |
43 | |
44 | struct __user_cap_data_struct { |
45 | __u32 effective; |
46 | __u32 permitted; |
47 | __u32 inheritable; |
48 | }; |
49 | typedef struct __user_cap_data_struct __user *cap_user_data_t; |
50 | |
51 | |
52 | #define VFS_CAP_REVISION_MASK 0xFF000000 |
53 | #define VFS_CAP_REVISION_SHIFT 24 |
54 | #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK |
55 | #define VFS_CAP_FLAGS_EFFECTIVE 0x000001 |
56 | |
57 | #define VFS_CAP_REVISION_1 0x01000000 |
58 | #define VFS_CAP_U32_1 1 |
59 | #define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) |
60 | |
61 | #define VFS_CAP_REVISION_2 0x02000000 |
62 | #define VFS_CAP_U32_2 2 |
63 | #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) |
64 | |
65 | #define VFS_CAP_REVISION_3 0x03000000 |
66 | #define VFS_CAP_U32_3 2 |
67 | #define XATTR_CAPS_SZ_3 (sizeof(__le32)*(2 + 2*VFS_CAP_U32_3)) |
68 | |
69 | #define XATTR_CAPS_SZ XATTR_CAPS_SZ_3 |
70 | #define VFS_CAP_U32 VFS_CAP_U32_3 |
71 | #define VFS_CAP_REVISION VFS_CAP_REVISION_3 |
72 | |
73 | struct vfs_cap_data { |
74 | __le32 magic_etc; /* Little endian */ |
75 | struct { |
76 | __le32 permitted; /* Little endian */ |
77 | __le32 inheritable; /* Little endian */ |
78 | } data[VFS_CAP_U32]; |
79 | }; |
80 | |
81 | /* |
82 | * same as vfs_cap_data but with a rootid at the end |
83 | */ |
84 | struct vfs_ns_cap_data { |
85 | __le32 magic_etc; |
86 | struct { |
87 | __le32 permitted; /* Little endian */ |
88 | __le32 inheritable; /* Little endian */ |
89 | } data[VFS_CAP_U32]; |
90 | __le32 rootid; |
91 | }; |
92 | |
93 | #ifndef __KERNEL__ |
94 | |
95 | /* |
96 | * Backwardly compatible definition for source code - trapped in a |
97 | * 32-bit world. If you find you need this, please consider using |
98 | * libcap to untrap yourself... |
99 | */ |
100 | #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 |
101 | #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 |
102 | |
103 | #endif |
104 | |
105 | |
106 | /** |
107 | ** POSIX-draft defined capabilities. |
108 | **/ |
109 | |
110 | /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this |
111 | overrides the restriction of changing file ownership and group |
112 | ownership. */ |
113 | |
114 | #define CAP_CHOWN 0 |
115 | |
116 | /* Override all DAC access, including ACL execute access if |
117 | [_POSIX_ACL] is defined. Excluding DAC access covered by |
118 | CAP_LINUX_IMMUTABLE. */ |
119 | |
120 | #define CAP_DAC_OVERRIDE 1 |
121 | |
122 | /* Overrides all DAC restrictions regarding read and search on files |
123 | and directories, including ACL restrictions if [_POSIX_ACL] is |
124 | defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ |
125 | |
126 | #define CAP_DAC_READ_SEARCH 2 |
127 | |
128 | /* Overrides all restrictions about allowed operations on files, where |
129 | file owner ID must be equal to the user ID, except where CAP_FSETID |
130 | is applicable. It doesn't override MAC and DAC restrictions. */ |
131 | |
132 | #define CAP_FOWNER 3 |
133 | |
134 | /* Overrides the following restrictions that the effective user ID |
135 | shall match the file owner ID when setting the S_ISUID and S_ISGID |
136 | bits on that file; that the effective group ID (or one of the |
137 | supplementary group IDs) shall match the file owner ID when setting |
138 | the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are |
139 | cleared on successful return from chown(2) (not implemented). */ |
140 | |
141 | #define CAP_FSETID 4 |
142 | |
143 | /* Overrides the restriction that the real or effective user ID of a |
144 | process sending a signal must match the real or effective user ID |
145 | of the process receiving the signal. */ |
146 | |
147 | #define CAP_KILL 5 |
148 | |
149 | /* Allows setgid(2) manipulation */ |
150 | /* Allows setgroups(2) */ |
151 | /* Allows forged gids on socket credentials passing. */ |
152 | |
153 | #define CAP_SETGID 6 |
154 | |
155 | /* Allows set*uid(2) manipulation (including fsuid). */ |
156 | /* Allows forged pids on socket credentials passing. */ |
157 | |
158 | #define CAP_SETUID 7 |
159 | |
160 | |
161 | /** |
162 | ** Linux-specific capabilities |
163 | **/ |
164 | |
165 | /* Without VFS support for capabilities: |
166 | * Transfer any capability in your permitted set to any pid, |
167 | * remove any capability in your permitted set from any pid |
168 | * With VFS support for capabilities (neither of above, but) |
169 | * Add any capability from current's capability bounding set |
170 | * to the current process' inheritable set |
171 | * Allow taking bits out of capability bounding set |
172 | * Allow modification of the securebits for a process |
173 | */ |
174 | |
175 | #define CAP_SETPCAP 8 |
176 | |
177 | /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ |
178 | |
179 | #define CAP_LINUX_IMMUTABLE 9 |
180 | |
181 | /* Allows binding to TCP/UDP sockets below 1024 */ |
182 | /* Allows binding to ATM VCIs below 32 */ |
183 | |
184 | #define CAP_NET_BIND_SERVICE 10 |
185 | |
186 | /* Allow broadcasting, listen to multicast */ |
187 | |
188 | #define CAP_NET_BROADCAST 11 |
189 | |
190 | /* Allow interface configuration */ |
191 | /* Allow administration of IP firewall, masquerading and accounting */ |
192 | /* Allow setting debug option on sockets */ |
193 | /* Allow modification of routing tables */ |
194 | /* Allow setting arbitrary process / process group ownership on |
195 | sockets */ |
196 | /* Allow binding to any address for transparent proxying (also via NET_RAW) */ |
197 | /* Allow setting TOS (type of service) */ |
198 | /* Allow setting promiscuous mode */ |
199 | /* Allow clearing driver statistics */ |
200 | /* Allow multicasting */ |
201 | /* Allow read/write of device-specific registers */ |
202 | /* Allow activation of ATM control sockets */ |
203 | |
204 | #define CAP_NET_ADMIN 12 |
205 | |
206 | /* Allow use of RAW sockets */ |
207 | /* Allow use of PACKET sockets */ |
208 | /* Allow binding to any address for transparent proxying (also via NET_ADMIN) */ |
209 | |
210 | #define CAP_NET_RAW 13 |
211 | |
212 | /* Allow locking of shared memory segments */ |
213 | /* Allow mlock and mlockall (which doesn't really have anything to do |
214 | with IPC) */ |
215 | |
216 | #define CAP_IPC_LOCK 14 |
217 | |
218 | /* Override IPC ownership checks */ |
219 | |
220 | #define CAP_IPC_OWNER 15 |
221 | |
222 | /* Insert and remove kernel modules - modify kernel without limit */ |
223 | #define CAP_SYS_MODULE 16 |
224 | |
225 | /* Allow ioperm/iopl access */ |
226 | /* Allow sending USB messages to any device via /dev/bus/usb */ |
227 | |
228 | #define CAP_SYS_RAWIO 17 |
229 | |
230 | /* Allow use of chroot() */ |
231 | |
232 | #define CAP_SYS_CHROOT 18 |
233 | |
234 | /* Allow ptrace() of any process */ |
235 | |
236 | #define CAP_SYS_PTRACE 19 |
237 | |
238 | /* Allow configuration of process accounting */ |
239 | |
240 | #define CAP_SYS_PACCT 20 |
241 | |
242 | /* Allow configuration of the secure attention key */ |
243 | /* Allow administration of the random device */ |
244 | /* Allow examination and configuration of disk quotas */ |
245 | /* Allow setting the domainname */ |
246 | /* Allow setting the hostname */ |
247 | /* Allow mount() and umount(), setting up new smb connection */ |
248 | /* Allow some autofs root ioctls */ |
249 | /* Allow nfsservctl */ |
250 | /* Allow VM86_REQUEST_IRQ */ |
251 | /* Allow to read/write pci config on alpha */ |
252 | /* Allow irix_prctl on mips (setstacksize) */ |
253 | /* Allow flushing all cache on m68k (sys_cacheflush) */ |
254 | /* Allow removing semaphores */ |
255 | /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores |
256 | and shared memory */ |
257 | /* Allow locking/unlocking of shared memory segment */ |
258 | /* Allow turning swap on/off */ |
259 | /* Allow forged pids on socket credentials passing */ |
260 | /* Allow setting readahead and flushing buffers on block devices */ |
261 | /* Allow setting geometry in floppy driver */ |
262 | /* Allow turning DMA on/off in xd driver */ |
263 | /* Allow administration of md devices (mostly the above, but some |
264 | extra ioctls) */ |
265 | /* Allow tuning the ide driver */ |
266 | /* Allow access to the nvram device */ |
267 | /* Allow administration of apm_bios, serial and bttv (TV) device */ |
268 | /* Allow manufacturer commands in isdn CAPI support driver */ |
269 | /* Allow reading non-standardized portions of pci configuration space */ |
270 | /* Allow DDI debug ioctl on sbpcd driver */ |
271 | /* Allow setting up serial ports */ |
272 | /* Allow sending raw qic-117 commands */ |
273 | /* Allow enabling/disabling tagged queuing on SCSI controllers and sending |
274 | arbitrary SCSI commands */ |
275 | /* Allow setting encryption key on loopback filesystem */ |
276 | /* Allow setting zone reclaim policy */ |
277 | /* Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility */ |
278 | |
279 | #define CAP_SYS_ADMIN 21 |
280 | |
281 | /* Allow use of reboot() */ |
282 | |
283 | #define CAP_SYS_BOOT 22 |
284 | |
285 | /* Allow raising priority and setting priority on other (different |
286 | UID) processes */ |
287 | /* Allow use of FIFO and round-robin (realtime) scheduling on own |
288 | processes and setting the scheduling algorithm used by another |
289 | process. */ |
290 | /* Allow setting cpu affinity on other processes */ |
291 | /* Allow setting realtime ioprio class */ |
292 | /* Allow setting ioprio class on other processes */ |
293 | |
294 | #define CAP_SYS_NICE 23 |
295 | |
296 | /* Override resource limits. Set resource limits. */ |
297 | /* Override quota limits. */ |
298 | /* Override reserved space on ext2 filesystem */ |
299 | /* Modify data journaling mode on ext3 filesystem (uses journaling |
300 | resources) */ |
301 | /* NOTE: ext2 honors fsuid when checking for resource overrides, so |
302 | you can override using fsuid too */ |
303 | /* Override size restrictions on IPC message queues */ |
304 | /* Allow more than 64hz interrupts from the real-time clock */ |
305 | /* Override max number of consoles on console allocation */ |
306 | /* Override max number of keymaps */ |
307 | /* Control memory reclaim behavior */ |
308 | |
309 | #define CAP_SYS_RESOURCE 24 |
310 | |
311 | /* Allow manipulation of system clock */ |
312 | /* Allow irix_stime on mips */ |
313 | /* Allow setting the real-time clock */ |
314 | |
315 | #define CAP_SYS_TIME 25 |
316 | |
317 | /* Allow configuration of tty devices */ |
318 | /* Allow vhangup() of tty */ |
319 | |
320 | #define CAP_SYS_TTY_CONFIG 26 |
321 | |
322 | /* Allow the privileged aspects of mknod() */ |
323 | |
324 | #define CAP_MKNOD 27 |
325 | |
326 | /* Allow taking of leases on files */ |
327 | |
328 | #define CAP_LEASE 28 |
329 | |
330 | /* Allow writing the audit log via unicast netlink socket */ |
331 | |
332 | #define CAP_AUDIT_WRITE 29 |
333 | |
334 | /* Allow configuration of audit via unicast netlink socket */ |
335 | |
336 | #define CAP_AUDIT_CONTROL 30 |
337 | |
338 | /* Set or remove capabilities on files. |
339 | Map uid=0 into a child user namespace. */ |
340 | |
341 | #define CAP_SETFCAP 31 |
342 | |
343 | /* Override MAC access. |
344 | The base kernel enforces no MAC policy. |
345 | An LSM may enforce a MAC policy, and if it does and it chooses |
346 | to implement capability based overrides of that policy, this is |
347 | the capability it should use to do so. */ |
348 | |
349 | #define CAP_MAC_OVERRIDE 32 |
350 | |
351 | /* Allow MAC configuration or state changes. |
352 | The base kernel requires no MAC configuration. |
353 | An LSM may enforce a MAC policy, and if it does and it chooses |
354 | to implement capability based checks on modifications to that |
355 | policy or the data required to maintain it, this is the |
356 | capability it should use to do so. */ |
357 | |
358 | #define CAP_MAC_ADMIN 33 |
359 | |
360 | /* Allow configuring the kernel's syslog (printk behaviour) */ |
361 | |
362 | #define CAP_SYSLOG 34 |
363 | |
364 | /* Allow triggering something that will wake the system */ |
365 | |
366 | #define CAP_WAKE_ALARM 35 |
367 | |
368 | /* Allow preventing system suspends */ |
369 | |
370 | #define CAP_BLOCK_SUSPEND 36 |
371 | |
372 | /* Allow reading the audit log via multicast netlink socket */ |
373 | |
374 | #define CAP_AUDIT_READ 37 |
375 | |
376 | /* |
377 | * Allow system performance and observability privileged operations |
378 | * using perf_events, i915_perf and other kernel subsystems |
379 | */ |
380 | |
381 | #define CAP_PERFMON 38 |
382 | |
383 | /* |
384 | * CAP_BPF allows the following BPF operations: |
385 | * - Creating all types of BPF maps |
386 | * - Advanced verifier features |
387 | * - Indirect variable access |
388 | * - Bounded loops |
389 | * - BPF to BPF function calls |
390 | * - Scalar precision tracking |
391 | * - Larger complexity limits |
392 | * - Dead code elimination |
393 | * - And potentially other features |
394 | * - Loading BPF Type Format (BTF) data |
395 | * - Retrieve xlated and JITed code of BPF programs |
396 | * - Use bpf_spin_lock() helper |
397 | * |
398 | * CAP_PERFMON relaxes the verifier checks further: |
399 | * - BPF progs can use of pointer-to-integer conversions |
400 | * - speculation attack hardening measures are bypassed |
401 | * - bpf_probe_read to read arbitrary kernel memory is allowed |
402 | * - bpf_trace_printk to print kernel memory is allowed |
403 | * |
404 | * CAP_SYS_ADMIN is required to use bpf_probe_write_user. |
405 | * |
406 | * CAP_SYS_ADMIN is required to iterate system wide loaded |
407 | * programs, maps, links, BTFs and convert their IDs to file descriptors. |
408 | * |
409 | * CAP_PERFMON and CAP_BPF are required to load tracing programs. |
410 | * CAP_NET_ADMIN and CAP_BPF are required to load networking programs. |
411 | */ |
412 | #define CAP_BPF 39 |
413 | |
414 | |
415 | /* Allow checkpoint/restore related operations */ |
416 | /* Allow PID selection during clone3() */ |
417 | /* Allow writing to ns_last_pid */ |
418 | |
419 | #define CAP_CHECKPOINT_RESTORE 40 |
420 | |
421 | #define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE |
422 | |
423 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) |
424 | |
425 | /* |
426 | * Bit location of each capability (used by user-space library and kernel) |
427 | */ |
428 | |
429 | #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ |
430 | #define CAP_TO_MASK(x) (1U << ((x) & 31)) /* mask for indexed __u32 */ |
431 | |
432 | |
433 | #endif /* _UAPI_LINUX_CAPABILITY_H */ |
434 | |