Class: CapNG::Capability

Inherits:
Object

Defined in:
ext/capng/capability.c

Overview

Look up Linux capabilities by name or by numeric value, and define a Ruby constant for each one. The constant descriptions below follow capabilities(7).

Examples:

require 'capng'

@cap = CapNG::Capability.new

@cap.from_name(:dac_read_search) #=> 2
@cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"

Constant Summary

CHOWN =

Make arbitrary changes to file UIDs and GIDs (see chown(2)).

INT2NUM(CAP_CHOWN)
DAC_OVERRIDE =

Bypass file read, write, and execute permission checks. (DAC is an abbreviation of “discretionary access control”.)

INT2NUM(CAP_DAC_OVERRIDE)
DAC_READ_SEARCH =
  • Bypass file read permission checks and directory read and execute permission checks;

  • invoke open_by_handle_at(2);

  • use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.

INT2NUM(CAP_DAC_READ_SEARCH)
FOWNER =
  • Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;

  • set inode flags (see ioctl_iflags(2)) on arbitrary files;

  • set Access Control Lists (ACLs) on arbitrary files;

  • ignore directory sticky bit on file deletion;

  • modify user extended attributes on sticky directory owned by any user;

  • specify O_NOATIME for arbitrary files in open(2) and fcntl(2).

INT2NUM(CAP_FOWNER)
FSETID =
  • Don’t clear set-user-ID and set-group-ID mode bits when a file is modified;

  • set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process.

INT2NUM(CAP_FSETID)
KILL =

Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.

INT2NUM(CAP_KILL)
SETGID =
  • Make arbitrary manipulations of process GIDs and supplementary GID list;

  • forge GID when passing socket credentials via UNIX domain sockets;

  • write a group ID mapping in a user namespace (see user_namespaces(7)).

INT2NUM(CAP_SETGID)
SETUID =
  • Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2));

  • forge UID when passing socket credentials via UNIX domain sockets;

  • write a user ID mapping in a user namespace (see user_namespaces(7)).

INT2NUM(CAP_SETUID)
SETPCAP =

If file capabilities are supported (i.e., since Linux 2.6.24): add any capability from the calling thread’s bounding set to its inheritable set; drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits flags.

If file capabilities are not supported (i.e., kernels before Linux 2.6.24): grant or remove any capability in the caller’s permitted capability set to or from any other process. (This property of CAP_SETPCAP is not available when the kernel is configured to support file capabilities, since CAP_SETPCAP has entirely different semantics for such kernels.)

INT2NUM(CAP_SETPCAP)
LINUX_IMMUTABLE =

Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)).

INT2NUM(CAP_LINUX_IMMUTABLE)
NET_BIND_SERIVCE =

Bind a socket to Internet domain privileged ports (port numbers less than 1024).

INT2NUM(CAP_NET_BIND_SERVICE)
NET_BROATCAST =

(Unused) Make socket broadcasts, and listen to multicasts.

INT2NUM(CAP_NET_BROADCAST)
NET_ADMIN =

Perform various network-related operations:

  • interface configuration;

  • administration of IP firewall, masquerading, and accounting;

  • modify routing tables;

  • bind to any address for transparent proxying;

  • set type-of-service (TOS);

  • clear driver statistics;

  • set promiscuous mode;

  • enable multicasting;

  • use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.

INT2NUM(CAP_NET_ADMIN)
NET_RAW =
  • Use RAW and PACKET sockets;

  • bind to any address for transparent proxying.

INT2NUM(CAP_NET_RAW)
IPC_LOCK =

Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).

INT2NUM(CAP_IPC_LOCK)
IPC_OWNER =

Bypass permission checks for operations on System V IPC objects.

INT2NUM(CAP_IPC_OWNER)
SYS_MODULE =
  • Load and unload kernel modules (see init_module(2) and delete_module(2));

  • in kernels before 2.6.25: drop capabilities from the system-wide capability bounding set.

INT2NUM(CAP_SYS_MODULE)
SYS_RAWIO =
  • Perform I/O port operations (iopl(2) and ioperm(2));

  • access /proc/kcore;

  • employ the FIBMAP ioctl(2) operation;

  • open devices for accessing x86 model-specific registers (MSRs, see msr(4));

  • update /proc/sys/vm/mmap_min_addr;

  • create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr;

  • map files in /proc/bus/pci;

  • open /dev/mem and /dev/kmem;

  • perform various SCSI device commands;

  • perform certain operations on hpsa(4) and cciss(4) devices;

  • perform a range of device-specific operations on other devices.

INT2NUM(CAP_SYS_RAWIO)
SYS_CHROOT =
  • Use chroot(2);

  • change mount namespaces using setns(2).

INT2NUM(CAP_SYS_CHROOT)
SYS_PTRACE =
  • Trace arbitrary processes using ptrace(2);

  • apply get_robust_list(2) to arbitrary processes;

  • transfer data to or from the memory of arbitrary processes using process_vm_readv(2) and process_vm_writev(2);

  • inspect processes using kcmp(2).

INT2NUM(CAP_SYS_PTRACE)
SYS_PACCT =

Use acct(2).

INT2NUM(CAP_SYS_PACCT)
SYS_ADMIN =

Note: this capability is overloaded; see the “Notes to kernel developers” section of capabilities(7). Because the list below covers so much, a process holding CAP_SYS_ADMIN is close to full root; where one of the narrower capabilities (CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE, CAP_SYSLOG) suffices, grant that instead.

  • Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), pivot_root(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);

  • perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations);

  • perform VM86_REQUEST_IRQ vm86(2) command;

  • access the same checkpoint/restore functionality that is governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker capability is preferred for accessing that functionality).

  • perform the same BPF operations as are governed by CAP_BPF (but the latter, weaker capability is preferred for accessing that functionality).

  • employ the same performance monitoring mechanisms as are governed by CAP_PERFMON (but the latter, weaker capability is preferred for accessing that functionality).

  • perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;

  • override RLIMIT_NPROC resource limit;

  • perform operations on trusted and security extended attributes (see xattr(7));

  • use lookup_dcookie(2);

  • use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;

  • forge PID when passing socket credentials via UNIX domain sockets;

  • exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));

  • employ CLONE_* flags that create new namespaces with clone(2) and unshare(2) (but, since Linux 3.8, creating user namespaces does not require any capability);

  • access privileged perf event information;

  • call setns(2) (requires CAP_SYS_ADMIN in the target namespace);

  • call fanotify_init(2);

  • perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations;

  • perform madvise(2) MADV_HWPOISON operation;

  • employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller’s controlling terminal;

  • employ the obsolete nfsservctl(2) system call;

  • employ the obsolete bdflush(2) system call;

  • perform various privileged block-device ioctl(2) operations;

  • perform various privileged filesystem ioctl(2) operations;

  • perform privileged ioctl(2) operations on the /dev/random device (see random(4));

  • install a seccomp(2) filter without first having to set the no_new_privs thread attribute;

  • modify allow/deny rules for device control groups;

  • employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to dump tracee’s seccomp filters;

  • employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend the tracee’s seccomp protections (i.e., the PTRACE_O_SUSPEND_SECCOMP flag);

  • perform administrative operations on many device drivers;

  • modify autogroup nice values by writing to /proc/[pid]/autogroup (see sched(7)).

INT2NUM(CAP_SYS_ADMIN)
SYS_BOOT =

Use reboot(2) and kexec_load(2).

INT2NUM(CAP_SYS_BOOT)
SYS_NICE =
  • Lower the process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes;

  • set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2), sched_setattr(2));

  • set CPU affinity for arbitrary processes (sched_setaffinity(2));

  • set I/O scheduling class and priority for arbitrary processes (ioprio_set(2));

  • apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes;

  • apply move_pages(2) to arbitrary processes;

  • use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).

INT2NUM(CAP_SYS_NICE)
SYS_RESOURCE =
  • Use reserved space on ext2 filesystems;

  • make ioctl(2) calls controlling ext3 journaling;

  • override disk quota limits;

  • increase resource limits (see setrlimit(2));

  • override RLIMIT_NPROC resource limit;

  • override maximum number of consoles on console allocation;

  • override maximum number of keymaps;

  • allow more than 64 Hz interrupts from the real-time clock;

  • raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2));

  • allow the RLIMIT_NOFILE resource limit on the number of “in-flight” file descriptors to be bypassed when passing file descriptors to another process via a UNIX domain socket (see unix(7));

  • use the F_SETPIPE_SZ fcntl(2) command to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size;

  • override /proc/sys/fs/mqueue/queues_max, /proc/sys/fs/mqueue/msg_max, and /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX message queues (see mq_overview(7));

  • employ the prctl(2) PR_SET_MM operation;

  • set /proc/[pid]/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE.

INT2NUM(CAP_SYS_RESOURCE)
SYS_TIME =

Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.

INT2NUM(CAP_SYS_TIME)
TTY_CONFIG =

Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.

INT2NUM(CAP_SYS_TTY_CONFIG)
MKNOD =

Create special files using mknod(2). (since Linux 2.4)

INT2NUM(CAP_MKNOD)
LEASE =

Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4)

INT2NUM(CAP_LEASE)
AUDIT_WRITE =

Write records to kernel auditing log. (since Linux 2.6.11)

INT2NUM(CAP_AUDIT_WRITE)
AUDIT_CONTROL =

Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)

INT2NUM(CAP_AUDIT_CONTROL)
SETFCAP =

Set arbitrary capabilities on a file. (since Linux 2.6.24)

INT2NUM(CAP_SETFCAP)
MAC_OVERRIDE =

Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). (since Linux 2.6.25)

INT2NUM(CAP_MAC_OVERRIDE)
MAC_ADMIN =

Allow MAC configuration or state changes. Implemented for the Smack Linux Security Module (LSM). (since Linux 2.6.25)

INT2NUM(CAP_MAC_ADMIN)
SYSLOG =
  • Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege.

  • View kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1. (See the discussion of the kptr_restrict in proc(5).)

INT2NUM(CAP_SYSLOG)
EPOLLWAKEUP =
INT2NUM(CAP_EPOLLWAKEUP)
WAKE_ALARM =

Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).

INT2NUM(CAP_WAKE_ALARM)
BLOCK_SUSPEND =

Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)

INT2NUM(CAP_BLOCK_SUSPEND)
AUDIT_READ =

Allow reading the audit log via a multicast netlink socket. (since Linux 3.16)

INT2NUM(CAP_AUDIT_READ)
PERFMON =

Employ various performance-monitoring mechanisms, including:

  • call perf_event_open(2);

  • employ various BPF operations that have performance implications.

This capability was added in Linux 5.8 to separate out performance monitoring functionality from the overloaded CAP_SYS_ADMIN capability. See also the kernel source file Documentation/admin-guide/perf-security.rst.

INT2NUM(CAP_PERFMON)
BPF =

Employ privileged BPF operations; see bpf(2) and bpf-helpers(7).

This capability was added in Linux 5.8 to separate out BPF functionality from the overloaded CAP_SYS_ADMIN capability. (since Linux 5.8)

INT2NUM(CAP_BPF)
CHECKPOINT_RESTORE =

Employ the features of checkpoint/restore functionality:

  • update /proc/sys/kernel/ns_last_pid (see pid_namespaces(7));

  • employ the set_tid feature of clone3(2);

  • read the contents of the symbolic links in /proc/[pid]/map_files for other processes.

This capability was added in Linux 5.9 to separate out checkpoint/restore functionality from the overloaded CAP_SYS_ADMIN capability. (since Linux 5.9)

INT2NUM(CAP_CHECKPOINT_RESTORE)

Instance Method Summary

Constructor Details

#initialize ⇒ nil

Initialize the Capability class. The object holds no state; it is only a handle for the lookup methods.



# File 'ext/capng/capability.c', line 70

static VALUE
rb_capng_capability_initialize(VALUE self)
{
  return Qnil;
}

Instance Method Details

#each {|Integer, String| ... } ⇒ nil

Yield each (code, name) pair from libcap-ng’s capability table. Called without a block it returns an Enumerator, so the table can be consumed with the usual Enumerable methods.

Yields:

  • (Integer, String)

Returns:

  • (nil)


# File 'ext/capng/capability.c', line 127

static VALUE
rb_capng_capability_each(VALUE self)
{
  RETURN_ENUMERATOR(self, 0, 0);

  for (int i = 0; capabilityInfoTable[i].name != NULL; i++) {
    rb_yield_values(2,
                    INT2NUM(capabilityInfoTable[i].code),
                    rb_str_new2(capabilityInfoTable[i].name));
  }

  return Qnil;
}

#from_name(rb_capability_name_or_symbol) ⇒ Integer

Obtain the capability value for a capability name. The name is the spelling used by libcap-ng and returned by #to_name, without the CAP_ prefix (e.g. "sys_admin", not "CAP_SYS_ADMIN"). An unknown name does not raise: libcap-ng reports it as -1, so check the result before using it (round-tripping the value through #to_name, which answers "unknown" for a code it does not know, is a robust check). Only an argument that is neither a String nor a Symbol raises ArgumentError.

Parameters:

  • rb_capability_name_or_symbol (String or Symbol)

    Capability name.

Returns:

  • (Integer)


# File 'ext/capng/capability.c', line 101

static VALUE
rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
{
  unsigned int capability;

  /* capng_name_to_capability() returns the capability number, or -1 when the
   * name is not in libcap-ng's table; no Ruby exception is raised in that case. */
  switch (TYPE(rb_capability_name_or_symbol)) {
    case T_SYMBOL:
      capability =
        capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
      break;
    case T_STRING:
      capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
      break;
    default:
      rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
  }
  return INT2NUM(capability);
}

#to_name(rb_capability) ⇒ String

Obtain the capability name for a numeric capability value. Returns the string "unknown" rather than raising when the value is not a capability known to libcap-ng.

Parameters:

  • rb_capability (Integer)

    Capability constant value.

Returns:

  • (String)


# File 'ext/capng/capability.c', line 83

static VALUE
rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
{
  const char* name = capng_capability_to_name(NUM2UINT(rb_capability));

  if (name)
    return rb_str_new2(name);
  else
    return rb_str_new2("unknown");
}
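The three lookup methods above are most useful together: #from_name to turn a human-written list of capability names into codes, #to_name to confirm the code is real, and #each to see the whole table the kernel build knows. The following is an added example, not code from the capng gem or from libcap-ng. It audits a list of capability names such as a container cap_add list and reports typos and root-equivalent entries. It assumes the capng gem is installed; the lookup object is injectable so the logic can be exercised without it. The function names (normalize_cap_name, lookup_cap, capability_table, audit_cap_list) and the ROOT_EQUIVALENT deny-list are this example’s own choices, not part of the gem.

```ruby
# Added example (not part of the capng gem or libcap-ng): audit a list of
# capability names, as found in a container "cap_add" list or a systemd
# AmbientCapabilities= line, against the table libcap-ng exposes through
# CapNG::Capability, and translate the valid ones to their numeric codes.
begin
  require 'capng'
rescue LoadError
  # The capng gem is assumed to be installed; because the lookup object is
  # injectable, the functions below still load and can be exercised without it.
end

# Names that make a process root-equivalent once granted. This deny-list is an
# assumption of this example, drawn from the constant descriptions above;
# tailor it to your own threat model.
ROOT_EQUIVALENT = %w[sys_admin sys_module sys_rawio sys_ptrace dac_override
                     dac_read_search setuid setgid setfcap sys_boot bpf].freeze

# Accept "CAP_SYS_ADMIN", "sys_admin" or :sys_admin and produce the lowercase,
# prefix-less spelling that libcap-ng uses.
def normalize_cap_name(name)
  name.to_s.strip.downcase.sub(/\Acap_/, '')
end

# Resolve one normalized name to its code, or nil if libcap-ng does not know it.
# #from_name does not raise for an unknown name (libcap-ng reports -1), so the
# result is round-tripped through #to_name, which answers "unknown" for a code
# it does not recognise; that catches the sentinel however it is signed.
def lookup_cap(cap, name)
  code = cap.from_name(name)
  return nil unless code.is_a?(Integer) && code >= 0
  return nil unless cap.to_name(code) == name
  code
end

# Build the full name => code table with #each (an Enumerator when no block is
# given), e.g. to diff the running kernel's table against a policy file.
def capability_table(cap = CapNG::Capability.new)
  cap.each.to_h { |code, name| [name, code] }
end

# Audit a requested capability list. Returns a Hash with
#   :codes     => { name => Integer } for every name libcap-ng accepts,
#   :unknown   => names it rejects (typos such as "net_bind_servce"),
#   :dangerous => accepted names that are on ROOT_EQUIVALENT.
# `cap` is any object answering #from_name and #to_name; it defaults to the
# real CapNG::Capability, so callers normally pass just the list.
def audit_cap_list(requested, cap: CapNG::Capability.new)
  result = { codes: {}, unknown: [], dangerous: [] }
  requested.map { |n| normalize_cap_name(n) }.uniq.each do |name|
    code = lookup_cap(cap, name)
    if code.nil?
      result[:unknown] << name
    else
      result[:codes][name] = code
      result[:dangerous] << name if ROOT_EQUIVALENT.include?(name)
    end
  end
  result
end

if $PROGRAM_NAME == __FILE__ && defined?(CapNG::Capability)
  # Constructed input: one typo, one root-equivalent capability, two benign ones.
  report = audit_cap_list(%w[CAP_NET_BIND_SERVICE CAP_SYS_ADMIN chown net_bind_servce])
  puts "codes:     #{report[:codes]}"
  puts "unknown:   #{report[:unknown]}"
  puts "dangerous: #{report[:dangerous]}"
end
```

Rejecting a name that #from_name reports as -1 is the important step: a policy loader that stores the raw return value would silently drop the typo and, depending on how the surrounding tooling interprets the sentinel, might end up granting nothing or something unintended. Using the libcap-ng spelling (lowercase, no CAP_ prefix) also sidesteps the Ruby constant names on this page entirely.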