Fairphone ODM | 25c12f5 | 2023-12-15 17:24:06 +0800 | [diff] [blame] | 1 | /* |
| 2 | * This is <linux/capability.h> |
| 3 | * |
| 4 | * Andrew G. Morgan <morgan@kernel.org> |
| 5 | * Alexander Kjeldaas <astor@guardian.no> |
| 6 | * with help from Aleph1, Roland Buresund and Andrew Main. |
| 7 | * |
| 8 | * See here for the libcap library ("POSIX draft" compliance): |
| 9 | * |
| 10 | * https://git.kernel.org/pub/scm/libs/libcap/libcap.git/refs/ |
| 11 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
| 12 | */ |
| 13 | |
| 14 | #ifndef _UAPI_LINUX_CAPABILITY_H |
| 15 | #define _UAPI_LINUX_CAPABILITY_H |
| 16 | |
| 17 | #include <linux/types.h> |
| 18 | |
| 19 | /* User-level do most of the mapping between kernel and user |
| 20 | capabilities based on the version tag given by the kernel. The |
| 21 | kernel might be somewhat backwards compatible, but don't bet on |
| 22 | it. */ |
| 23 | |
| 24 | /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to |
| 25 | a set of three capability sets. The transposition of 3*the |
| 26 | following structure to such a composite is better handled in a user |
| 27 | library since the draft standard requires the use of malloc/free |
| 28 | etc.. */ |
| 29 | |
| 30 | #define _LINUX_CAPABILITY_VERSION_1 0x19980330 |
| 31 | #define _LINUX_CAPABILITY_U32S_1 1 |
| 32 | |
| 33 | #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ |
| 34 | #define _LINUX_CAPABILITY_U32S_2 2 |
| 35 | |
| 36 | #define _LINUX_CAPABILITY_VERSION_3 0x20080522 |
| 37 | #define _LINUX_CAPABILITY_U32S_3 2 |
| 38 | |
| 39 | typedef struct __user_cap_header_struct { |
| 40 | __u32 version; |
| 41 | int pid; |
| 42 | } *cap_user_header_t; |
| 43 | |
| 44 | typedef struct __user_cap_data_struct { |
| 45 | __u32 effective; |
| 46 | __u32 permitted; |
| 47 | __u32 inheritable; |
| 48 | } *cap_user_data_t; |
| 49 | |
| 50 | |
| 51 | #define VFS_CAP_REVISION_MASK 0xFF000000 |
| 52 | #define VFS_CAP_REVISION_SHIFT 24 |
| 53 | #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK |
| 54 | #define VFS_CAP_FLAGS_EFFECTIVE 0x000001 |
| 55 | |
| 56 | #define VFS_CAP_REVISION_1 0x01000000 |
| 57 | #define VFS_CAP_U32_1 1 |
| 58 | #define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) |
| 59 | |
| 60 | #define VFS_CAP_REVISION_2 0x02000000 |
| 61 | #define VFS_CAP_U32_2 2 |
| 62 | #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) |
| 63 | |
| 64 | #define VFS_CAP_REVISION_3 0x03000000 |
| 65 | #define VFS_CAP_U32_3 VFS_CAP_U32_2 |
| 66 | #define XATTR_CAPS_SZ_3 (sizeof(__le32)+XATTR_CAPS_SZ_2) |
| 67 | |
| 68 | /* |
| 69 | * Kernel capabilities default to v2. The v3 VFS caps are only used, |
| 70 | * at present, for namespace specific filesystem capabilities. |
| 71 | */ |
| 72 | #define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 |
| 73 | #define VFS_CAP_U32 VFS_CAP_U32_2 |
| 74 | #define VFS_CAP_REVISION VFS_CAP_REVISION_2 |
| 75 | |
| 76 | #define _VFS_CAP_DATA_HEAD \ |
| 77 | __le32 magic_etc; /* Little endian */ \ |
| 78 | struct { \ |
| 79 | __le32 permitted; /* Little endian */ \ |
| 80 | __le32 inheritable; /* Little endian */ \ |
| 81 | } data[VFS_CAP_U32] |
| 82 | |
| 83 | struct vfs_cap_data { |
| 84 | _VFS_CAP_DATA_HEAD; |
| 85 | }; |
| 86 | |
| 87 | struct vfs_ns_cap_data { |
| 88 | _VFS_CAP_DATA_HEAD; |
| 89 | __le32 rootid; |
| 90 | }; |
| 91 | |
| 92 | #ifndef __KERNEL__ |
| 93 | |
| 94 | /* |
| 95 | * Backwardly compatible definition for source code - trapped in a |
| 96 | * 32-bit world. If you find you need this, please consider using |
| 97 | * libcap to untrap yourself... |
| 98 | */ |
| 99 | #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 |
| 100 | #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 |
| 101 | |
| 102 | #endif |
| 103 | |
| 104 | |
| 105 | /** |
| 106 | ** POSIX-draft defined capabilities. |
| 107 | **/ |
| 108 | |
| 109 | /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this |
| 110 | overrides the restriction of changing file ownership and group |
| 111 | ownership. */ |
| 112 | |
| 113 | #define CAP_CHOWN 0 |
| 114 | |
| 115 | /* Override all DAC access, including ACL execute access if |
| 116 | [_POSIX_ACL] is defined. Excluding DAC access covered by |
| 117 | CAP_LINUX_IMMUTABLE. */ |
| 118 | |
| 119 | #define CAP_DAC_OVERRIDE 1 |
| 120 | |
| 121 | /* Overrides all DAC restrictions regarding read and search on files |
| 122 | and directories, including ACL restrictions if [_POSIX_ACL] is |
| 123 | defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ |
| 124 | |
| 125 | #define CAP_DAC_READ_SEARCH 2 |
| 126 | |
| 127 | /* Overrides all restrictions about allowed operations on files, where |
| 128 | file owner ID must be equal to the user ID, except where CAP_FSETID |
| 129 | is applicable. It doesn't override MAC and DAC restrictions. */ |
| 130 | |
| 131 | #define CAP_FOWNER 3 |
| 132 | |
| 133 | /* Overrides the following restrictions that the effective user ID |
| 134 | shall match the file owner ID when setting the S_ISUID and S_ISGID |
| 135 | bits on that file; that the effective group ID (or one of the |
| 136 | supplementary group IDs) shall match the file owner ID when setting |
| 137 | the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are |
| 138 | cleared on successful return from chown(2) (not implemented). */ |
| 139 | |
| 140 | #define CAP_FSETID 4 |
| 141 | |
| 142 | /* Overrides the restriction that the real or effective user ID of a |
| 143 | process sending a signal must match the real or effective user ID |
| 144 | of the process receiving the signal. */ |
| 145 | |
| 146 | #define CAP_KILL 5 |
| 147 | |
| 148 | /* Allows setgid(2) manipulation */ |
| 149 | /* Allows setgroups(2) */ |
| 150 | /* Allows forged gids on socket credentials passing. */ |
| 151 | |
| 152 | #define CAP_SETGID 6 |
| 153 | |
| 154 | /* Allows set*uid(2) manipulation (including fsuid). */ |
| 155 | /* Allows forged pids on socket credentials passing. */ |
| 156 | |
| 157 | #define CAP_SETUID 7 |
| 158 | |
| 159 | |
| 160 | /** |
| 161 | ** Linux-specific capabilities |
| 162 | **/ |
| 163 | |
| 164 | /* Without VFS support for capabilities: |
| 165 | * Transfer any capability in your permitted set to any pid, |
| 166 | * remove any capability in your permitted set from any pid |
| 167 | * With VFS support for capabilities (neither of above, but) |
| 168 | * Add any capability from current's capability bounding set |
| 169 | * to the current process' inheritable set |
| 170 | * Allow taking bits out of capability bounding set |
| 171 | * Allow modification of the securebits for a process |
| 172 | */ |
| 173 | |
| 174 | #define CAP_SETPCAP 8 |
| 175 | |
| 176 | /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ |
| 177 | |
| 178 | #define CAP_LINUX_IMMUTABLE 9 |
| 179 | |
| 180 | /* Allows binding to TCP/UDP sockets below 1024 */ |
| 181 | /* Allows binding to ATM VCIs below 32 */ |
| 182 | |
| 183 | #define CAP_NET_BIND_SERVICE 10 |
| 184 | |
| 185 | /* Allow broadcasting, listen to multicast */ |
| 186 | |
| 187 | #define CAP_NET_BROADCAST 11 |
| 188 | |
| 189 | /* Allow interface configuration */ |
| 190 | /* Allow administration of IP firewall, masquerading and accounting */ |
| 191 | /* Allow setting debug option on sockets */ |
| 192 | /* Allow modification of routing tables */ |
| 193 | /* Allow setting arbitrary process / process group ownership on |
| 194 | sockets */ |
| 195 | /* Allow binding to any address for transparent proxying (also via NET_RAW) */ |
| 196 | /* Allow setting TOS (type of service) */ |
| 197 | /* Allow setting promiscuous mode */ |
| 198 | /* Allow clearing driver statistics */ |
| 199 | /* Allow multicasting */ |
| 200 | /* Allow read/write of device-specific registers */ |
| 201 | /* Allow activation of ATM control sockets */ |
| 202 | |
| 203 | #define CAP_NET_ADMIN 12 |
| 204 | |
| 205 | /* Allow use of RAW sockets */ |
| 206 | /* Allow use of PACKET sockets */ |
| 207 | /* Allow binding to any address for transparent proxying (also via NET_ADMIN) */ |
| 208 | |
| 209 | #define CAP_NET_RAW 13 |
| 210 | |
| 211 | /* Allow locking of shared memory segments */ |
| 212 | /* Allow mlock and mlockall (which doesn't really have anything to do |
| 213 | with IPC) */ |
| 214 | |
| 215 | #define CAP_IPC_LOCK 14 |
| 216 | |
| 217 | /* Override IPC ownership checks */ |
| 218 | |
| 219 | #define CAP_IPC_OWNER 15 |
| 220 | |
| 221 | /* Insert and remove kernel modules - modify kernel without limit */ |
| 222 | #define CAP_SYS_MODULE 16 |
| 223 | |
| 224 | /* Allow ioperm/iopl access */ |
| 225 | /* Allow sending USB messages to any device via /dev/bus/usb */ |
| 226 | |
| 227 | #define CAP_SYS_RAWIO 17 |
| 228 | |
| 229 | /* Allow use of chroot() */ |
| 230 | |
| 231 | #define CAP_SYS_CHROOT 18 |
| 232 | |
| 233 | /* Allow ptrace() of any process */ |
| 234 | |
| 235 | #define CAP_SYS_PTRACE 19 |
| 236 | |
| 237 | /* Allow configuration of process accounting */ |
| 238 | |
| 239 | #define CAP_SYS_PACCT 20 |
| 240 | |
| 241 | /* Allow configuration of the secure attention key */ |
| 242 | /* Allow administration of the random device */ |
| 243 | /* Allow examination and configuration of disk quotas */ |
| 244 | /* Allow setting the domainname */ |
| 245 | /* Allow setting the hostname */ |
| 246 | /* Allow calling bdflush() */ |
| 247 | /* Allow mount() and umount(), setting up new smb connection */ |
| 248 | /* Allow some autofs root ioctls */ |
| 249 | /* Allow nfsservctl */ |
| 250 | /* Allow VM86_REQUEST_IRQ */ |
| 251 | /* Allow to read/write pci config on alpha */ |
| 252 | /* Allow irix_prctl on mips (setstacksize) */ |
| 253 | /* Allow flushing all cache on m68k (sys_cacheflush) */ |
| 254 | /* Allow removing semaphores */ |
| 255 | /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores |
| 256 | and shared memory */ |
| 257 | /* Allow locking/unlocking of shared memory segment */ |
| 258 | /* Allow turning swap on/off */ |
| 259 | /* Allow forged pids on socket credentials passing */ |
| 260 | /* Allow setting readahead and flushing buffers on block devices */ |
| 261 | /* Allow setting geometry in floppy driver */ |
| 262 | /* Allow turning DMA on/off in xd driver */ |
| 263 | /* Allow administration of md devices (mostly the above, but some |
| 264 | extra ioctls) */ |
| 265 | /* Allow tuning the ide driver */ |
| 266 | /* Allow access to the nvram device */ |
| 267 | /* Allow administration of apm_bios, serial and bttv (TV) device */ |
| 268 | /* Allow manufacturer commands in isdn CAPI support driver */ |
| 269 | /* Allow reading non-standardized portions of pci configuration space */ |
| 270 | /* Allow DDI debug ioctl on sbpcd driver */ |
| 271 | /* Allow setting up serial ports */ |
| 272 | /* Allow sending raw qic-117 commands */ |
| 273 | /* Allow enabling/disabling tagged queuing on SCSI controllers and sending |
| 274 | arbitrary SCSI commands */ |
| 275 | /* Allow setting encryption key on loopback filesystem */ |
| 276 | /* Allow setting zone reclaim policy */ |
| 277 | |
| 278 | #define CAP_SYS_ADMIN 21 |
| 279 | |
| 280 | /* Allow use of reboot() */ |
| 281 | |
| 282 | #define CAP_SYS_BOOT 22 |
| 283 | |
| 284 | /* Allow raising priority and setting priority on other (different |
| 285 | UID) processes */ |
| 286 | /* Allow use of FIFO and round-robin (realtime) scheduling on own |
| 287 | processes and setting the scheduling algorithm used by another |
| 288 | process. */ |
| 289 | /* Allow setting cpu affinity on other processes */ |
| 290 | |
| 291 | #define CAP_SYS_NICE 23 |
| 292 | |
| 293 | /* Override resource limits. Set resource limits. */ |
| 294 | /* Override quota limits. */ |
| 295 | /* Override reserved space on ext2 filesystem */ |
| 296 | /* Modify data journaling mode on ext3 filesystem (uses journaling |
| 297 | resources) */ |
| 298 | /* NOTE: ext2 honors fsuid when checking for resource overrides, so |
| 299 | you can override using fsuid too */ |
| 300 | /* Override size restrictions on IPC message queues */ |
| 301 | /* Allow more than 64hz interrupts from the real-time clock */ |
| 302 | /* Override max number of consoles on console allocation */ |
| 303 | /* Override max number of keymaps */ |
| 304 | |
| 305 | #define CAP_SYS_RESOURCE 24 |
| 306 | |
| 307 | /* Allow manipulation of system clock */ |
| 308 | /* Allow irix_stime on mips */ |
| 309 | /* Allow setting the real-time clock */ |
| 310 | |
| 311 | #define CAP_SYS_TIME 25 |
| 312 | |
| 313 | /* Allow configuration of tty devices */ |
| 314 | /* Allow vhangup() of tty */ |
| 315 | |
| 316 | #define CAP_SYS_TTY_CONFIG 26 |
| 317 | |
| 318 | /* Allow the privileged aspects of mknod() */ |
| 319 | |
| 320 | #define CAP_MKNOD 27 |
| 321 | |
| 322 | /* Allow taking of leases on files */ |
| 323 | |
| 324 | #define CAP_LEASE 28 |
| 325 | |
| 326 | /* Allow writing the audit log via unicast netlink socket */ |
| 327 | |
| 328 | #define CAP_AUDIT_WRITE 29 |
| 329 | |
| 330 | /* Allow configuration of audit via unicast netlink socket */ |
| 331 | |
| 332 | #define CAP_AUDIT_CONTROL 30 |
| 333 | |
| 334 | /* Set capabilities on files. */ |
| 335 | |
| 336 | #define CAP_SETFCAP 31 |
| 337 | |
| 338 | /* Override MAC access. |
| 339 | The base kernel enforces no MAC policy. |
| 340 | An LSM may enforce a MAC policy, and if it does and it chooses |
| 341 | to implement capability based overrides of that policy, this is |
| 342 | the capability it should use to do so. */ |
| 343 | |
| 344 | #define CAP_MAC_OVERRIDE 32 |
| 345 | |
| 346 | /* Allow MAC configuration or state changes. |
| 347 | The base kernel requires no MAC configuration. |
| 348 | An LSM may enforce a MAC policy, and if it does and it chooses |
| 349 | to implement capability based checks on modifications to that |
| 350 | policy or the data required to maintain it, this is the |
| 351 | capability it should use to do so. */ |
| 352 | |
| 353 | #define CAP_MAC_ADMIN 33 |
| 354 | |
| 355 | /* Allow configuring the kernel's syslog (printk behaviour) */ |
| 356 | |
| 357 | #define CAP_SYSLOG 34 |
| 358 | |
| 359 | /* Allow triggering something that will wake the system */ |
| 360 | |
| 361 | #define CAP_WAKE_ALARM 35 |
| 362 | |
| 363 | /* Allow preventing system suspends */ |
| 364 | |
| 365 | #define CAP_BLOCK_SUSPEND 36 |
| 366 | |
| 367 | /* Allow reading the audit log via multicast netlink socket */ |
| 368 | |
| 369 | #define CAP_AUDIT_READ 37 |
| 370 | |
| 371 | /* Allow system performance and observability privileged operations using |
| 372 | * perf_events, i915_perf and other kernel subsystems. */ |
| 373 | |
| 374 | #define CAP_PERFMON 38 |
| 375 | |
| 376 | /* |
| 377 | * CAP_BPF allows the following BPF operations: |
| 378 | * - Creating all types of BPF maps |
| 379 | * - Advanced verifier features |
| 380 | * - Indirect variable access |
| 381 | * - Bounded loops |
| 382 | * - BPF to BPF function calls |
| 383 | * - Scalar precision tracking |
| 384 | * - Larger complexity limits |
| 385 | * - Dead code elimination |
| 386 | * - And potentially other features |
| 387 | * - Loading BPF Type Format (BTF) data |
| 388 | * - Retrieve xlated and JITed code of BPF programs |
| 389 | * - Use bpf_spin_lock() helper |
| 390 | * |
| 391 | * CAP_PERFMON relaxes the verifier checks further: |
| 392 | * - BPF progs can use of pointer-to-integer conversions |
| 393 | * - speculation attack hardening measures are bypassed |
| 394 | * - bpf_probe_read to read arbitrary kernel memory is allowed |
| 395 | * - bpf_trace_printk to print kernel memory is allowed |
| 396 | * |
| 397 | * CAP_SYS_ADMIN is required to use bpf_probe_write_user. |
| 398 | * |
| 399 | * CAP_SYS_ADMIN is required to iterate system wide loaded |
| 400 | * programs, maps, links, BTFs and convert their IDs to file descriptors. |
| 401 | * |
| 402 | * CAP_PERFMON and CAP_BPF are required to load tracing programs. |
| 403 | * CAP_NET_ADMIN and CAP_BPF are required to load networking programs. |
| 404 | */ |
| 405 | |
| 406 | #define CAP_BPF 39 |
| 407 | |
| 408 | /* Allow checkpoint/restore related operations */ |
| 409 | /* Allow PID selection during clone3() */ |
| 410 | /* Allow writing to ns_last_pid */ |
| 411 | |
| 412 | #define CAP_CHECKPOINT_RESTORE 40 |
| 413 | |
| 414 | #define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE |
| 415 | |
| 416 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) |
| 417 | |
| 418 | /* |
| 419 | * Bit location of each capability (used by user-space library and kernel) |
| 420 | */ |
| 421 | |
| 422 | #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ |
| 423 | #define CAP_TO_MASK(x) (1u << ((x) & 31)) /* mask for indexed __u32 */ |
| 424 | |
| 425 | |
| 426 | #endif /* _UAPI_LINUX_CAPABILITY_H */ |