/*
 * This is <linux/capability.h>
 *
 * Andrew G. Morgan <morgan@kernel.org>
 * Alexander Kjeldaas <astor@guardian.no>
 * with help from Aleph1, Roland Buresund and Andrew Main.
 *
 * See here for the libcap library ("POSIX draft" compliance):
 *
 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
 *
 * What this header fixes (all of it is ABI, so every identifier and
 * value below must stay byte-for-byte stable):
 *   - the version tags and per-version word counts of the user/kernel
 *     capability transfer structures (cap_user_header_t / cap_user_data_t,
 *     presumably the operands of capget(2)/capset(2) -- check those pages);
 *   - the little-endian on-disk layout of the file-capability xattr
 *     (struct vfs_cap_data and the VFS_CAP_* / XATTR_CAPS_SZ_* constants);
 *   - the capability numbers themselves (CAP_*), CAP_LAST_CAP and the
 *     index/mask helpers that map a number onto a __u32 bit array.
 *
 * Review note: when a capability name here sounds narrow, read the
 * comment block above it; several (CAP_SYS_MODULE, CAP_SYS_RAWIO,
 * CAP_SYS_PTRACE, CAP_SYS_ADMIN, CAP_DAC_OVERRIDE) grant far more than
 * their name suggests and should be treated as near-root when granting.
 */

#ifndef _UAPI_LINUX_CAPABILITY_H
#define _UAPI_LINUX_CAPABILITY_H

#include <linux/types.h>

/* User-level do most of the mapping between kernel and user
   capabilities based on the version tag given by the kernel. The
   kernel might be somewhat backwards compatible, but don't bet on
   it. */

/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
   a set of three capability sets.  The transposition of 3*the
   following structure to such a composite is better handled in a user
   library since the draft standard requires the use of malloc/free
   etc.. */

/*
 * Transfer-structure versions.  _LINUX_CAPABILITY_U32S_n is the number
 * of __user_cap_data_struct elements that travel with a header tagged
 * _LINUX_CAPABILITY_VERSION_n.  v1 carries ONE __u32 per set, i.e. only
 * capabilities 0..31; with CAP_TO_INDEX() below, every capability
 * numbered 32 and up (CAP_MAC_OVERRIDE onwards) lands in word index 1
 * and is therefore invisible to a v1 caller.  Anything making
 * security decisions must use v3 (v2 is the same size but deprecated).
 */
#define _LINUX_CAPABILITY_VERSION_1  0x19980330
#define _LINUX_CAPABILITY_U32S_1     1

#define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
#define _LINUX_CAPABILITY_U32S_2     2

#define _LINUX_CAPABILITY_VERSION_3  0x20080522
#define _LINUX_CAPABILITY_U32S_3     2

/*
 * Header passed by userspace: @version is one of the
 * _LINUX_CAPABILITY_VERSION_* tags above and selects how many data
 * elements follow; @pid is a signed int naming the target process
 * (its exact semantics, including any "0 means caller" convention,
 * are defined by the syscall, not here -- see capget(2)).
 */
typedef struct __user_cap_header_struct {
	__u32 version;
	int pid;
} __user *cap_user_header_t;

/*
 * One 32-bit slice of each of the three process capability sets.  With
 * version 2/3 headers an array of _LINUX_CAPABILITY_U32S_{2,3} (= 2) of
 * these is exchanged; element i holds capabilities 32*i .. 32*i+31
 * (see CAP_TO_INDEX / CAP_TO_MASK at the bottom of this file).
 */
typedef struct __user_cap_data_struct {
        __u32 effective;
        __u32 permitted;
        __u32 inheritable;
} __user *cap_user_data_t;


/*
 * Layout of vfs_cap_data.magic_etc: the top 8 bits (VFS_CAP_REVISION_MASK,
 * shift 24) carry the xattr revision, the remaining bits
 * (VFS_CAP_FLAGS_MASK) carry flags.  The only flag defined is
 * VFS_CAP_FLAGS_EFFECTIVE (bit 0): there is no per-bit "effective" set on
 * disk, just this single bit.
 */
#define VFS_CAP_REVISION_MASK	0xFF000000
#define VFS_CAP_REVISION_SHIFT	24
#define VFS_CAP_FLAGS_MASK	~VFS_CAP_REVISION_MASK
#define VFS_CAP_FLAGS_EFFECTIVE	0x000001

/*
 * Revision 1: one (permitted, inheritable) pair -> 32 capabilities.
 * XATTR_CAPS_SZ_1 is the exact byte length of a revision-1 xattr value
 * (12 bytes assuming a 4-byte __le32); use it to validate the payload
 * length before interpreting magic_etc.
 */
#define VFS_CAP_REVISION_1	0x01000000
#define VFS_CAP_U32_1           1
#define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))

/*
 * Revision 2: two pairs -> 64 capabilities; XATTR_CAPS_SZ_2 is its
 * exact byte length (20 bytes assuming a 4-byte __le32).
 */
#define VFS_CAP_REVISION_2	0x02000000
#define VFS_CAP_U32_2           2
#define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))

/* The revision this header writes by default is revision 2. */
#define XATTR_CAPS_SZ           XATTR_CAPS_SZ_2
#define VFS_CAP_U32             VFS_CAP_U32_2
#define VFS_CAP_REVISION	VFS_CAP_REVISION_2

/*
 * On-disk value of the file-capability extended attribute.  Every field
 * is explicitly little endian irrespective of host byte order, so
 * readers and writers on big-endian hosts must convert; treating these
 * as host-order __u32 silently mis-assigns capability bits.
 */
struct vfs_cap_data {
	__le32 magic_etc;            /* Little endian */
	struct {
		__le32 permitted;    /* Little endian */
		__le32 inheritable;  /* Little endian */
	} data[VFS_CAP_U32];
};

#ifndef __KERNEL__

/*
 * Backwardly compatible definition for source code - trapped in a
 * 32-bit world. If you find you need this, please consider using
 * libcap to untrap yourself...
 *
 * Review note: these unsuffixed names alias the *v1* definitions, so a
 * userspace program that picks them up by default can neither see nor
 * set any capability numbered 32 or higher.
 */
#define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
#define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1

#endif


/**
 ** POSIX-draft defined capabilities.
 **/

/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
   overrides the restriction of changing file ownership and group
   ownership. */

#define CAP_CHOWN            0

/* Override all DAC access, including ACL execute access if
   [_POSIX_ACL] is defined. Excluding DAC access covered by
   CAP_LINUX_IMMUTABLE. */

#define CAP_DAC_OVERRIDE     1

/* Overrides all DAC restrictions regarding read and search on files
   and directories, including ACL restrictions if [_POSIX_ACL] is
   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */

#define CAP_DAC_READ_SEARCH  2

/* Overrides all restrictions about allowed operations on files, where
   file owner ID must be equal to the user ID, except where CAP_FSETID
   is applicable. It doesn't override MAC and DAC restrictions. */

#define CAP_FOWNER           3

/* Overrides the following restrictions that the effective user ID
   shall match the file owner ID when setting the S_ISUID and S_ISGID
   bits on that file; that the effective group ID (or one of the
   supplementary group IDs) shall match the file owner ID when setting
   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
   cleared on successful return from chown(2) (not implemented). */

#define CAP_FSETID           4

/* Overrides the restriction that the real or effective user ID of a
   process sending a signal must match the real or effective user ID
   of the process receiving the signal. */

#define CAP_KILL             5

/* Allows setgid(2) manipulation */
/* Allows setgroups(2) */
/* Allows forged gids on socket credentials passing. */

#define CAP_SETGID           6

/* Allows set*uid(2) manipulation (including fsuid). */
/* Allows forged pids on socket credentials passing. */

#define CAP_SETUID           7


/**
 ** Linux-specific capabilities
 **/

/* Without VFS support for capabilities:
 *   Transfer any capability in your permitted set to any pid,
 *   remove any capability in your permitted set from any pid
 * With VFS support for capabilities (neither of above, but)
 *   Add any capability from current's capability bounding set
 *       to the current process' inheritable set
 *   Allow taking bits out of capability bounding set
 *   Allow modification of the securebits for a process
 */

#define CAP_SETPCAP          8

/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */

#define CAP_LINUX_IMMUTABLE  9

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */

#define CAP_NET_BIND_SERVICE 10

/* Allow broadcasting, listen to multicast */

#define CAP_NET_BROADCAST    11

/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
   sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */

#define CAP_NET_ADMIN        12

/* Allow use of RAW sockets */
/* Allow use of PACKET sockets */
/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */

#define CAP_NET_RAW          13

/* Allow locking of shared memory segments */
/* Allow mlock and mlockall (which doesn't really have anything to do
   with IPC) */

#define CAP_IPC_LOCK         14

/* Override IPC ownership checks */

#define CAP_IPC_OWNER        15

/* Insert and remove kernel modules - modify kernel without limit */
#define CAP_SYS_MODULE       16

/* Allow ioperm/iopl access */
/* Allow sending USB messages to any device via /dev/bus/usb */
/* Review note: raw port and device access is kernel-equivalent in
   practice; grant with the same caution as CAP_SYS_MODULE. */

#define CAP_SYS_RAWIO        17

/* Allow use of chroot() */

#define CAP_SYS_CHROOT       18

/* Allow ptrace() of any process */
/* Review note: "any process" includes more privileged ones, so this
   is an escalation path; do not hand it out alongside a shell. */

#define CAP_SYS_PTRACE       19

/* Allow configuration of process accounting */

#define CAP_SYS_PACCT        20

/* Allow configuration of the secure attention key */
/* Allow administration of the random device */
/* Allow examination and configuration of disk quotas */
/* Allow setting the domainname */
/* Allow setting the hostname */
/* Allow calling bdflush() */
/* Allow mount() and umount(), setting up new smb connection */
/* Allow some autofs root ioctls */
/* Allow nfsservctl */
/* Allow VM86_REQUEST_IRQ */
/* Allow to read/write pci config on alpha */
/* Allow irix_prctl on mips (setstacksize) */
/* Allow flushing all cache on m68k (sys_cacheflush) */
/* Allow removing semaphores */
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
   and shared memory */
/* Allow locking/unlocking of shared memory segment */
/* Allow turning swap on/off */
/* Allow forged pids on socket credentials passing */
/* Allow setting readahead and flushing buffers on block devices */
/* Allow setting geometry in floppy driver */
/* Allow turning DMA on/off in xd driver */
/* Allow administration of md devices (mostly the above, but some
   extra ioctls) */
/* Allow tuning the ide driver */
/* Allow access to the nvram device */
/* Allow administration of apm_bios, serial and bttv (TV) device */
/* Allow manufacturer commands in isdn CAPI support driver */
/* Allow reading non-standardized portions of pci configuration space */
/* Allow DDI debug ioctl on sbpcd driver */
/* Allow setting up serial ports */
/* Allow sending raw qic-117 commands */
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
   arbitrary SCSI commands */
/* Allow setting encryption key on loopback filesystem */
/* Allow setting zone reclaim policy */
/* Review note: the list above is the catch-all for privileged
   operations that got no capability of their own (mount, swap,
   arbitrary SCSI commands, ...).  Treat CAP_SYS_ADMIN as "most of
   root", not as one narrow permission. */

#define CAP_SYS_ADMIN        21

/* Allow use of reboot() */

#define CAP_SYS_BOOT         22

/* Allow raising priority and setting priority on other (different
   UID) processes */
/* Allow use of FIFO and round-robin (realtime) scheduling on own
   processes and setting the scheduling algorithm used by another
   process. */
/* Allow setting cpu affinity on other processes */

#define CAP_SYS_NICE         23

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

#define CAP_SYS_RESOURCE     24

/* Allow manipulation of system clock */
/* Allow irix_stime on mips */
/* Allow setting the real-time clock */

#define CAP_SYS_TIME         25

/* Allow configuration of tty devices */
/* Allow vhangup() of tty */

#define CAP_SYS_TTY_CONFIG   26

/* Allow the privileged aspects of mknod() */

#define CAP_MKNOD            27

/* Allow taking of leases on files */

#define CAP_LEASE            28

/* Allow writing the audit log via unicast netlink socket */

#define CAP_AUDIT_WRITE      29

/* Allow configuration of audit via unicast netlink socket */

#define CAP_AUDIT_CONTROL    30

/* No description in the original header.  From the name, presumably:
   allow setting file capabilities (writing the vfs_cap_data xattr
   defined above) -- TODO confirm against the kernel's xattr checks.
   If so, it is the capability that lets a process mint privileged
   executables, so it belongs with the near-root set. */
#define CAP_SETFCAP	     31

/* Override MAC access.
   The base kernel enforces no MAC policy.
   An LSM may enforce a MAC policy, and if it does and it chooses
   to implement capability based overrides of that policy, this is
   the capability it should use to do so. */

#define CAP_MAC_OVERRIDE     32

/* Allow MAC configuration or state changes.
   The base kernel requires no MAC configuration.
   An LSM may enforce a MAC policy, and if it does and it chooses
   to implement capability based checks on modifications to that
   policy or the data required to maintain it, this is the
   capability it should use to do so. */

#define CAP_MAC_ADMIN        33

/* Allow configuring the kernel's syslog (printk behaviour) */

#define CAP_SYSLOG           34

/* Allow triggering something that will wake the system */

#define CAP_WAKE_ALARM            35

/* Allow preventing system suspends */

#define CAP_BLOCK_SUSPEND    36

/* Allow reading the audit log via multicast netlink socket */

#define CAP_AUDIT_READ		37


/*
 * Highest capability number defined by this header.  Code that iterates
 * 0..CAP_LAST_CAP or sizes bitmaps from it must be rebuilt when a new
 * capability is appended; older binaries simply do not know the newer
 * numbers.
 */
#define CAP_LAST_CAP         CAP_AUDIT_READ

/*
 * True iff x names a capability this header knows about.  Macro caveats:
 * x is evaluated twice, and when x has an unsigned type the "(x) >= 0"
 * half is vacuous (compilers may warn) -- the upper bound is what
 * actually rejects out-of-range input.
 */
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)

/*
 * Bit location of each capability (used by user-space library and kernel)
 *
 * CAP_TO_INDEX(x) picks the __u32 word (x / 32) and CAP_TO_MASK(x) the
 * bit inside it (x % 32).  NOTE(review): the shift is on a signed 1, so
 * for x % 32 == 31 it sets the sign bit of an int; this is the
 * established ABI form and is intended to be stored into a __u32, but
 * callers must not assign the mask to a wider signed type or compare it
 * as a signed value.
 */

#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */


#endif /* _UAPI_LINUX_CAPABILITY_H */