Add new value CAP_CHECKPOINT_RESTORE = 40.
Linus' kernel has defined this one now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
diff --git a/cap/names.go b/cap/names.go
index ff60017..9e02cd1 100644
--- a/cap/names.go
+++ b/cap/names.go
@@ -12,7 +12,7 @@
// FWIW the userspace tool '/sbin/capsh' also contains a runtime check
// for the condition that libcap is behind the running kernel in this
// way.
-const NamedCount = 40
+const NamedCount = 41
// CHOWN etc., are the named capability values of the Linux
// kernel. The canonical source for each name is the
@@ -331,90 +331,98 @@
// - cap.NET_ADMIN is required to load networking
// programs.
BPF
+
+ // CHECKPOINT_RESTORE allows a process to perform checkpoint
+ // and restore operations. Also permits
+ // explicit PID control via clone3() and
+ // also writing to ns_last_pid.
+ CHECKPOINT_RESTORE
)
var names = map[Value]string{
- CHOWN: "cap_chown",
- DAC_OVERRIDE: "cap_dac_override",
- DAC_READ_SEARCH: "cap_dac_read_search",
- FOWNER: "cap_fowner",
- FSETID: "cap_fsetid",
- KILL: "cap_kill",
- SETGID: "cap_setgid",
- SETUID: "cap_setuid",
- SETPCAP: "cap_setpcap",
- LINUX_IMMUTABLE: "cap_linux_immutable",
- NET_BIND_SERVICE: "cap_net_bind_service",
- NET_BROADCAST: "cap_net_broadcast",
- NET_ADMIN: "cap_net_admin",
- NET_RAW: "cap_net_raw",
- IPC_LOCK: "cap_ipc_lock",
- IPC_OWNER: "cap_ipc_owner",
- SYS_MODULE: "cap_sys_module",
- SYS_RAWIO: "cap_sys_rawio",
- SYS_CHROOT: "cap_sys_chroot",
- SYS_PTRACE: "cap_sys_ptrace",
- SYS_PACCT: "cap_sys_pacct",
- SYS_ADMIN: "cap_sys_admin",
- SYS_BOOT: "cap_sys_boot",
- SYS_NICE: "cap_sys_nice",
- SYS_RESOURCE: "cap_sys_resource",
- SYS_TIME: "cap_sys_time",
- SYS_TTY_CONFIG: "cap_sys_tty_config",
- MKNOD: "cap_mknod",
- LEASE: "cap_lease",
- AUDIT_WRITE: "cap_audit_write",
- AUDIT_CONTROL: "cap_audit_control",
- SETFCAP: "cap_setfcap",
- MAC_OVERRIDE: "cap_mac_override",
- MAC_ADMIN: "cap_mac_admin",
- SYSLOG: "cap_syslog",
- WAKE_ALARM: "cap_wake_alarm",
- BLOCK_SUSPEND: "cap_block_suspend",
- AUDIT_READ: "cap_audit_read",
- PERFMON: "cap_perfmon",
- BPF: "cap_bpf",
+ CHOWN: "cap_chown",
+ DAC_OVERRIDE: "cap_dac_override",
+ DAC_READ_SEARCH: "cap_dac_read_search",
+ FOWNER: "cap_fowner",
+ FSETID: "cap_fsetid",
+ KILL: "cap_kill",
+ SETGID: "cap_setgid",
+ SETUID: "cap_setuid",
+ SETPCAP: "cap_setpcap",
+ LINUX_IMMUTABLE: "cap_linux_immutable",
+ NET_BIND_SERVICE: "cap_net_bind_service",
+ NET_BROADCAST: "cap_net_broadcast",
+ NET_ADMIN: "cap_net_admin",
+ NET_RAW: "cap_net_raw",
+ IPC_LOCK: "cap_ipc_lock",
+ IPC_OWNER: "cap_ipc_owner",
+ SYS_MODULE: "cap_sys_module",
+ SYS_RAWIO: "cap_sys_rawio",
+ SYS_CHROOT: "cap_sys_chroot",
+ SYS_PTRACE: "cap_sys_ptrace",
+ SYS_PACCT: "cap_sys_pacct",
+ SYS_ADMIN: "cap_sys_admin",
+ SYS_BOOT: "cap_sys_boot",
+ SYS_NICE: "cap_sys_nice",
+ SYS_RESOURCE: "cap_sys_resource",
+ SYS_TIME: "cap_sys_time",
+ SYS_TTY_CONFIG: "cap_sys_tty_config",
+ MKNOD: "cap_mknod",
+ LEASE: "cap_lease",
+ AUDIT_WRITE: "cap_audit_write",
+ AUDIT_CONTROL: "cap_audit_control",
+ SETFCAP: "cap_setfcap",
+ MAC_OVERRIDE: "cap_mac_override",
+ MAC_ADMIN: "cap_mac_admin",
+ SYSLOG: "cap_syslog",
+ WAKE_ALARM: "cap_wake_alarm",
+ BLOCK_SUSPEND: "cap_block_suspend",
+ AUDIT_READ: "cap_audit_read",
+ PERFMON: "cap_perfmon",
+ BPF: "cap_bpf",
+ CHECKPOINT_RESTORE: "cap_checkpoint_restore",
}
var bits = map[string]Value{
- "cap_chown": CHOWN,
- "cap_dac_override": DAC_OVERRIDE,
- "cap_dac_read_search": DAC_READ_SEARCH,
- "cap_fowner": FOWNER,
- "cap_fsetid": FSETID,
- "cap_kill": KILL,
- "cap_setgid": SETGID,
- "cap_setuid": SETUID,
- "cap_setpcap": SETPCAP,
- "cap_linux_immutable": LINUX_IMMUTABLE,
- "cap_net_bind_service": NET_BIND_SERVICE,
- "cap_net_broadcast": NET_BROADCAST,
- "cap_net_admin": NET_ADMIN,
- "cap_net_raw": NET_RAW,
- "cap_ipc_lock": IPC_LOCK,
- "cap_ipc_owner": IPC_OWNER,
- "cap_sys_module": SYS_MODULE,
- "cap_sys_rawio": SYS_RAWIO,
- "cap_sys_chroot": SYS_CHROOT,
- "cap_sys_ptrace": SYS_PTRACE,
- "cap_sys_pacct": SYS_PACCT,
- "cap_sys_admin": SYS_ADMIN,
- "cap_sys_boot": SYS_BOOT,
- "cap_sys_nice": SYS_NICE,
- "cap_sys_resource": SYS_RESOURCE,
- "cap_sys_time": SYS_TIME,
- "cap_sys_tty_config": SYS_TTY_CONFIG,
- "cap_mknod": MKNOD,
- "cap_lease": LEASE,
- "cap_audit_write": AUDIT_WRITE,
- "cap_audit_control": AUDIT_CONTROL,
- "cap_setfcap": SETFCAP,
- "cap_mac_override": MAC_OVERRIDE,
- "cap_mac_admin": MAC_ADMIN,
- "cap_syslog": SYSLOG,
- "cap_wake_alarm": WAKE_ALARM,
- "cap_block_suspend": BLOCK_SUSPEND,
- "cap_audit_read": AUDIT_READ,
- "cap_perfmon": PERFMON,
- "cap_bpf": BPF,
+ "cap_chown": CHOWN,
+ "cap_dac_override": DAC_OVERRIDE,
+ "cap_dac_read_search": DAC_READ_SEARCH,
+ "cap_fowner": FOWNER,
+ "cap_fsetid": FSETID,
+ "cap_kill": KILL,
+ "cap_setgid": SETGID,
+ "cap_setuid": SETUID,
+ "cap_setpcap": SETPCAP,
+ "cap_linux_immutable": LINUX_IMMUTABLE,
+ "cap_net_bind_service": NET_BIND_SERVICE,
+ "cap_net_broadcast": NET_BROADCAST,
+ "cap_net_admin": NET_ADMIN,
+ "cap_net_raw": NET_RAW,
+ "cap_ipc_lock": IPC_LOCK,
+ "cap_ipc_owner": IPC_OWNER,
+ "cap_sys_module": SYS_MODULE,
+ "cap_sys_rawio": SYS_RAWIO,
+ "cap_sys_chroot": SYS_CHROOT,
+ "cap_sys_ptrace": SYS_PTRACE,
+ "cap_sys_pacct": SYS_PACCT,
+ "cap_sys_admin": SYS_ADMIN,
+ "cap_sys_boot": SYS_BOOT,
+ "cap_sys_nice": SYS_NICE,
+ "cap_sys_resource": SYS_RESOURCE,
+ "cap_sys_time": SYS_TIME,
+ "cap_sys_tty_config": SYS_TTY_CONFIG,
+ "cap_mknod": MKNOD,
+ "cap_lease": LEASE,
+ "cap_audit_write": AUDIT_WRITE,
+ "cap_audit_control": AUDIT_CONTROL,
+ "cap_setfcap": SETFCAP,
+ "cap_mac_override": MAC_OVERRIDE,
+ "cap_mac_admin": MAC_ADMIN,
+ "cap_syslog": SYSLOG,
+ "cap_wake_alarm": WAKE_ALARM,
+ "cap_block_suspend": BLOCK_SUSPEND,
+ "cap_audit_read": AUDIT_READ,
+ "cap_perfmon": PERFMON,
+ "cap_bpf": BPF,
+ "cap_checkpoint_restore": CHECKPOINT_RESTORE,
}
diff --git a/doc/values/40.txt b/doc/values/40.txt
new file mode 100644
index 0000000..c5993cf
--- /dev/null
+++ b/doc/values/40.txt
@@ -0,0 +1,4 @@
+Allows a process to perform checkpoint
+and restore operations. Also permits
+explicit PID control via clone3() and
+also writing to ns_last_pid.
diff --git a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h
index 6856f1f..09b5563 100644
--- a/libcap/include/uapi/linux/capability.h
+++ b/libcap/include/uapi/linux/capability.h
@@ -405,7 +405,13 @@
#define CAP_BPF 39
-#define CAP_LAST_CAP CAP_BPF
+/* Allow checkpoint/restore related operations */
+/* Allow PID selection during clone3() */
+/* Allow writing to ns_last_pid */
+
+#define CAP_CHECKPOINT_RESTORE 40
+
+#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)