uapi/linux/capability.h

*f80ad8b4SAndroid Build Coastguard Worker/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * This is <linux/capability.h>
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * Andrew G. Morgan <[email protected]>
*f80ad8b4SAndroid Build Coastguard Worker * Alexander Kjeldaas <[email protected]>
*f80ad8b4SAndroid Build Coastguard Worker * with help from Aleph1, Roland Buresund and Andrew Main.
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * See here for the libcap library ("POSIX draft" compliance):
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#ifndef _UAPI_LINUX_CAPABILITY_H
*f80ad8b4SAndroid Build Coastguard Worker#define _UAPI_LINUX_CAPABILITY_H
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#include <linux/types.h>
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* User-level do most of the mapping between kernel and user
*f80ad8b4SAndroid Build Coastguard Worker   capabilities based on the version tag given by the kernel. The
*f80ad8b4SAndroid Build Coastguard Worker   kernel might be somewhat backwards compatible, but don't bet on
*f80ad8b4SAndroid Build Coastguard Worker   it. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
*f80ad8b4SAndroid Build Coastguard Worker   a set of three capability sets.  The transposition of 3*the
*f80ad8b4SAndroid Build Coastguard Worker   following structure to such a composite is better handled in a user
*f80ad8b4SAndroid Build Coastguard Worker   library since the draft standard requires the use of malloc/free
*f80ad8b4SAndroid Build Coastguard Worker   etc.. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_VERSION_1  0x19980330
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_U32S_1     1
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_U32S_2     2
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_VERSION_3  0x20080522
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_U32S_3     2
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Workertypedef struct __user_cap_header_struct {
*f80ad8b4SAndroid Build Coastguard Worker	__u32 version;
*f80ad8b4SAndroid Build Coastguard Worker	int pid;
*f80ad8b4SAndroid Build Coastguard Worker} __user *cap_user_header_t;
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Workerstruct __user_cap_data_struct {
*f80ad8b4SAndroid Build Coastguard Worker        __u32 effective;
*f80ad8b4SAndroid Build Coastguard Worker        __u32 permitted;
*f80ad8b4SAndroid Build Coastguard Worker        __u32 inheritable;
*f80ad8b4SAndroid Build Coastguard Worker};
*f80ad8b4SAndroid Build Coastguard Workertypedef struct __user_cap_data_struct __user *cap_user_data_t;
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION_MASK	0xFF000000
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION_SHIFT	24
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_FLAGS_MASK	~VFS_CAP_REVISION_MASK
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_FLAGS_EFFECTIVE	0x000001
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION_1	0x01000000
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_U32_1           1
*f80ad8b4SAndroid Build Coastguard Worker#define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION_2	0x02000000
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_U32_2           2
*f80ad8b4SAndroid Build Coastguard Worker#define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION_3	0x03000000
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_U32_3           2
*f80ad8b4SAndroid Build Coastguard Worker#define XATTR_CAPS_SZ_3         (sizeof(__le32)*(2 + 2*VFS_CAP_U32_3))
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define XATTR_CAPS_SZ           XATTR_CAPS_SZ_3
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_U32             VFS_CAP_U32_3
*f80ad8b4SAndroid Build Coastguard Worker#define VFS_CAP_REVISION	VFS_CAP_REVISION_3
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Workerstruct vfs_cap_data {
*f80ad8b4SAndroid Build Coastguard Worker	__le32 magic_etc;            /* Little endian */
*f80ad8b4SAndroid Build Coastguard Worker	struct {
*f80ad8b4SAndroid Build Coastguard Worker		__le32 permitted;    /* Little endian */
*f80ad8b4SAndroid Build Coastguard Worker		__le32 inheritable;  /* Little endian */
*f80ad8b4SAndroid Build Coastguard Worker	} data[VFS_CAP_U32];
*f80ad8b4SAndroid Build Coastguard Worker};
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * same as vfs_cap_data but with a rootid at the end
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Workerstruct vfs_ns_cap_data {
*f80ad8b4SAndroid Build Coastguard Worker	__le32 magic_etc;
*f80ad8b4SAndroid Build Coastguard Worker	struct {
*f80ad8b4SAndroid Build Coastguard Worker		__le32 permitted;    /* Little endian */
*f80ad8b4SAndroid Build Coastguard Worker		__le32 inheritable;  /* Little endian */
*f80ad8b4SAndroid Build Coastguard Worker	} data[VFS_CAP_U32];
*f80ad8b4SAndroid Build Coastguard Worker	__le32 rootid;
*f80ad8b4SAndroid Build Coastguard Worker};
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#ifndef __KERNEL__
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * Backwardly compatible definition for source code - trapped in a
*f80ad8b4SAndroid Build Coastguard Worker * 32-bit world. If you find you need this, please consider using
*f80ad8b4SAndroid Build Coastguard Worker * libcap to untrap yourself...
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
*f80ad8b4SAndroid Build Coastguard Worker#define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#endif
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/**
*f80ad8b4SAndroid Build Coastguard Worker ** POSIX-draft defined capabilities.
*f80ad8b4SAndroid Build Coastguard Worker **/
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
*f80ad8b4SAndroid Build Coastguard Worker   overrides the restriction of changing file ownership and group
*f80ad8b4SAndroid Build Coastguard Worker   ownership. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_CHOWN            0
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Override all DAC access, including ACL execute access if
*f80ad8b4SAndroid Build Coastguard Worker   [_POSIX_ACL] is defined. Excluding DAC access covered by
*f80ad8b4SAndroid Build Coastguard Worker   CAP_LINUX_IMMUTABLE. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_DAC_OVERRIDE     1
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Overrides all DAC restrictions regarding read and search on files
*f80ad8b4SAndroid Build Coastguard Worker   and directories, including ACL restrictions if [_POSIX_ACL] is
*f80ad8b4SAndroid Build Coastguard Worker   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_DAC_READ_SEARCH  2
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Overrides all restrictions about allowed operations on files, where
*f80ad8b4SAndroid Build Coastguard Worker   file owner ID must be equal to the user ID, except where CAP_FSETID
*f80ad8b4SAndroid Build Coastguard Worker   is applicable. It doesn't override MAC and DAC restrictions. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_FOWNER           3
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Overrides the following restrictions that the effective user ID
*f80ad8b4SAndroid Build Coastguard Worker   shall match the file owner ID when setting the S_ISUID and S_ISGID
*f80ad8b4SAndroid Build Coastguard Worker   bits on that file; that the effective group ID (or one of the
*f80ad8b4SAndroid Build Coastguard Worker   supplementary group IDs) shall match the file owner ID when setting
*f80ad8b4SAndroid Build Coastguard Worker   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
*f80ad8b4SAndroid Build Coastguard Worker   cleared on successful return from chown(2) (not implemented). */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_FSETID           4
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Overrides the restriction that the real or effective user ID of a
*f80ad8b4SAndroid Build Coastguard Worker   process sending a signal must match the real or effective user ID
*f80ad8b4SAndroid Build Coastguard Worker   of the process receiving the signal. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_KILL             5
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allows setgid(2) manipulation */
*f80ad8b4SAndroid Build Coastguard Worker/* Allows setgroups(2) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allows forged gids on socket credentials passing. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SETGID           6
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allows set*uid(2) manipulation (including fsuid). */
*f80ad8b4SAndroid Build Coastguard Worker/* Allows forged pids on socket credentials passing. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SETUID           7
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/**
*f80ad8b4SAndroid Build Coastguard Worker ** Linux-specific capabilities
*f80ad8b4SAndroid Build Coastguard Worker **/
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Without VFS support for capabilities:
*f80ad8b4SAndroid Build Coastguard Worker *   Transfer any capability in your permitted set to any pid,
*f80ad8b4SAndroid Build Coastguard Worker *   remove any capability in your permitted set from any pid
*f80ad8b4SAndroid Build Coastguard Worker * With VFS support for capabilities (neither of above, but)
*f80ad8b4SAndroid Build Coastguard Worker *   Add any capability from current's capability bounding set
*f80ad8b4SAndroid Build Coastguard Worker *       to the current process' inheritable set
*f80ad8b4SAndroid Build Coastguard Worker *   Allow taking bits out of capability bounding set
*f80ad8b4SAndroid Build Coastguard Worker *   Allow modification of the securebits for a process
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SETPCAP          8
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_LINUX_IMMUTABLE  9
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allows binding to TCP/UDP sockets below 1024 */
*f80ad8b4SAndroid Build Coastguard Worker/* Allows binding to ATM VCIs below 32 */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_NET_BIND_SERVICE 10
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow broadcasting, listen to multicast */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_NET_BROADCAST    11
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow interface configuration */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow administration of IP firewall, masquerading and accounting */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting debug option on sockets */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow modification of routing tables */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting arbitrary process / process group ownership on
*f80ad8b4SAndroid Build Coastguard Worker   sockets */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow binding to any address for transparent proxying (also via NET_RAW) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting TOS (type of service) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting promiscuous mode */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow clearing driver statistics */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow multicasting */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow read/write of device-specific registers */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow activation of ATM control sockets */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_NET_ADMIN        12
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow use of RAW sockets */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow use of PACKET sockets */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_NET_RAW          13
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow locking of shared memory segments */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow mlock and mlockall (which doesn't really have anything to do
*f80ad8b4SAndroid Build Coastguard Worker   with IPC) */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_IPC_LOCK         14
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Override IPC ownership checks */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_IPC_OWNER        15
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Insert and remove kernel modules - modify kernel without limit */
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_MODULE       16
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow ioperm/iopl access */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow sending USB messages to any device via /dev/bus/usb */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_RAWIO        17
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow use of chroot() */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_CHROOT       18
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow ptrace() of any process */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_PTRACE       19
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow configuration of process accounting */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_PACCT        20
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow configuration of the secure attention key */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow administration of the random device */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow examination and configuration of disk quotas */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting the domainname */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting the hostname */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow mount() and umount(), setting up new smb connection */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow some autofs root ioctls */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow nfsservctl */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow VM86_REQUEST_IRQ */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow to read/write pci config on alpha */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow irix_prctl on mips (setstacksize) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow flushing all cache on m68k (sys_cacheflush) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow removing semaphores */
*f80ad8b4SAndroid Build Coastguard Worker/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
*f80ad8b4SAndroid Build Coastguard Worker   and shared memory */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow locking/unlocking of shared memory segment */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow turning swap on/off */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow forged pids on socket credentials passing */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting readahead and flushing buffers on block devices */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting geometry in floppy driver */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow turning DMA on/off in xd driver */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow administration of md devices (mostly the above, but some
*f80ad8b4SAndroid Build Coastguard Worker   extra ioctls) */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow tuning the ide driver */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow access to the nvram device */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow administration of apm_bios, serial and bttv (TV) device */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow manufacturer commands in isdn CAPI support driver */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow reading non-standardized portions of pci configuration space */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow DDI debug ioctl on sbpcd driver */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting up serial ports */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow sending raw qic-117 commands */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
*f80ad8b4SAndroid Build Coastguard Worker   arbitrary SCSI commands */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting encryption key on loopback filesystem */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting zone reclaim policy */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_ADMIN        21
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow use of reboot() */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_BOOT         22
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow raising priority and setting priority on other (different
*f80ad8b4SAndroid Build Coastguard Worker   UID) processes */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow use of FIFO and round-robin (realtime) scheduling on own
*f80ad8b4SAndroid Build Coastguard Worker   processes and setting the scheduling algorithm used by another
*f80ad8b4SAndroid Build Coastguard Worker   process. */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting cpu affinity on other processes */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting realtime ioprio class */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting ioprio class on other processes */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_NICE         23
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Override resource limits. Set resource limits. */
*f80ad8b4SAndroid Build Coastguard Worker/* Override quota limits. */
*f80ad8b4SAndroid Build Coastguard Worker/* Override reserved space on ext2 filesystem */
*f80ad8b4SAndroid Build Coastguard Worker/* Modify data journaling mode on ext3 filesystem (uses journaling
*f80ad8b4SAndroid Build Coastguard Worker   resources) */
*f80ad8b4SAndroid Build Coastguard Worker/* NOTE: ext2 honors fsuid when checking for resource overrides, so
*f80ad8b4SAndroid Build Coastguard Worker   you can override using fsuid too */
*f80ad8b4SAndroid Build Coastguard Worker/* Override size restrictions on IPC message queues */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow more than 64hz interrupts from the real-time clock */
*f80ad8b4SAndroid Build Coastguard Worker/* Override max number of consoles on console allocation */
*f80ad8b4SAndroid Build Coastguard Worker/* Override max number of keymaps */
*f80ad8b4SAndroid Build Coastguard Worker/* Control memory reclaim behavior */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_RESOURCE     24
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow manipulation of system clock */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow irix_stime on mips */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow setting the real-time clock */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_TIME         25
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow configuration of tty devices */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow vhangup() of tty */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYS_TTY_CONFIG   26
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow the privileged aspects of mknod() */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_MKNOD            27
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow taking of leases on files */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_LEASE            28
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow writing the audit log via unicast netlink socket */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_AUDIT_WRITE      29
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow configuration of audit via unicast netlink socket */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_AUDIT_CONTROL    30
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Set or remove capabilities on files.
*f80ad8b4SAndroid Build Coastguard Worker   Map uid=0 into a child user namespace. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SETFCAP	     31
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Override MAC access.
*f80ad8b4SAndroid Build Coastguard Worker   The base kernel enforces no MAC policy.
*f80ad8b4SAndroid Build Coastguard Worker   An LSM may enforce a MAC policy, and if it does and it chooses
*f80ad8b4SAndroid Build Coastguard Worker   to implement capability based overrides of that policy, this is
*f80ad8b4SAndroid Build Coastguard Worker   the capability it should use to do so. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_MAC_OVERRIDE     32
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow MAC configuration or state changes.
*f80ad8b4SAndroid Build Coastguard Worker   The base kernel requires no MAC configuration.
*f80ad8b4SAndroid Build Coastguard Worker   An LSM may enforce a MAC policy, and if it does and it chooses
*f80ad8b4SAndroid Build Coastguard Worker   to implement capability based checks on modifications to that
*f80ad8b4SAndroid Build Coastguard Worker   policy or the data required to maintain it, this is the
*f80ad8b4SAndroid Build Coastguard Worker   capability it should use to do so. */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_MAC_ADMIN        33
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow configuring the kernel's syslog (printk behaviour) */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_SYSLOG           34
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow triggering something that will wake the system */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_WAKE_ALARM            35
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow preventing system suspends */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_BLOCK_SUSPEND    36
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow reading the audit log via multicast netlink socket */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_AUDIT_READ		37
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * Allow system performance and observability privileged operations
*f80ad8b4SAndroid Build Coastguard Worker * using perf_events, i915_perf and other kernel subsystems
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_PERFMON		38
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * CAP_BPF allows the following BPF operations:
*f80ad8b4SAndroid Build Coastguard Worker * - Creating all types of BPF maps
*f80ad8b4SAndroid Build Coastguard Worker * - Advanced verifier features
*f80ad8b4SAndroid Build Coastguard Worker *   - Indirect variable access
*f80ad8b4SAndroid Build Coastguard Worker *   - Bounded loops
*f80ad8b4SAndroid Build Coastguard Worker *   - BPF to BPF function calls
*f80ad8b4SAndroid Build Coastguard Worker *   - Scalar precision tracking
*f80ad8b4SAndroid Build Coastguard Worker *   - Larger complexity limits
*f80ad8b4SAndroid Build Coastguard Worker *   - Dead code elimination
*f80ad8b4SAndroid Build Coastguard Worker *   - And potentially other features
*f80ad8b4SAndroid Build Coastguard Worker * - Loading BPF Type Format (BTF) data
*f80ad8b4SAndroid Build Coastguard Worker * - Retrieve xlated and JITed code of BPF programs
*f80ad8b4SAndroid Build Coastguard Worker * - Use bpf_spin_lock() helper
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * CAP_PERFMON relaxes the verifier checks further:
*f80ad8b4SAndroid Build Coastguard Worker * - BPF progs can use of pointer-to-integer conversions
*f80ad8b4SAndroid Build Coastguard Worker * - speculation attack hardening measures are bypassed
*f80ad8b4SAndroid Build Coastguard Worker * - bpf_probe_read to read arbitrary kernel memory is allowed
*f80ad8b4SAndroid Build Coastguard Worker * - bpf_trace_printk to print kernel memory is allowed
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * CAP_SYS_ADMIN is required to use bpf_probe_write_user.
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * CAP_SYS_ADMIN is required to iterate system wide loaded
*f80ad8b4SAndroid Build Coastguard Worker * programs, maps, links, BTFs and convert their IDs to file descriptors.
*f80ad8b4SAndroid Build Coastguard Worker *
*f80ad8b4SAndroid Build Coastguard Worker * CAP_PERFMON and CAP_BPF are required to load tracing programs.
*f80ad8b4SAndroid Build Coastguard Worker * CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_BPF			39
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/* Allow checkpoint/restore related operations */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow PID selection during clone3() */
*f80ad8b4SAndroid Build Coastguard Worker/* Allow writing to ns_last_pid */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_CHECKPOINT_RESTORE	40
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker/*
*f80ad8b4SAndroid Build Coastguard Worker * Bit location of each capability (used by user-space library and kernel)
*f80ad8b4SAndroid Build Coastguard Worker */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
*f80ad8b4SAndroid Build Coastguard Worker#define CAP_TO_MASK(x)      (1U << ((x) & 31)) /* mask for indexed __u32 */
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker
*f80ad8b4SAndroid Build Coastguard Worker#endif /* _UAPI_LINUX_CAPABILITY_H */