oci_spec::runtime

Enum Capability

pub enum Capability {
    AuditControl,
    AuditRead,
    AuditWrite,
    BlockSuspend,
    Bpf,
    CheckpointRestore,
    Chown,
    DacOverride,
    DacReadSearch,
    Fowner,
    Fsetid,
    IpcLock,
    IpcOwner,
    Kill,
    Lease,
    LinuxImmutable,
    MacAdmin,
    MacOverride,
    Mknod,
    NetAdmin,
    NetBindService,
    NetBroadcast,
    NetRaw,
    Perfmon,
    Setgid,
    Setfcap,
    Setpcap,
    Setuid,
    SysAdmin,
    SysBoot,
    SysChroot,
    SysModule,
    SysNice,
    SysPacct,
    SysPtrace,
    SysRawio,
    SysResource,
    SysTime,
    SysTtyConfig,
    Syslog,
    WakeAlarm,
}

All available capabilities.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

Variants

AuditControl

Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.

since Linux 2.6.11

AuditRead

Allow reading the audit log via multicast netlink socket.

since Linux 3.16

AuditWrite

Write records to kernel auditing log.

since Linux 2.6.11

BlockSuspend

Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock).

since Linux 3.5

Bpf

Employ privileged BPF operations; see bpf(2) and bpf-helpers(7).

This capability was added to separate out BPF functionality from the overloaded CAP_SYS_ADMIN capability.

since Linux 5.8

CheckpointRestore

  • update /proc/sys/kernel/ns_last_pid (see pid_namespaces(7))
  • employ the set_tid feature of clone3(2)
  • read the contents of the symbolic links in /proc/[pid]/map_files for other processes.

This capability was added to separate out BPF functionality from the overloaded CAP_SYS_ADMIN capability.

since Linux 5.9

Chown

Make arbitrary changes to file UIDs and GIDs (see chown(2)).

DacOverride

Bypass file read, write, and execute permission checks.

(DAC is an abbreviation of “discretionary access control”.)

DacReadSearch

  • bypass file read permission checks and directory read and execute permission checks
  • invoke open_by_handle_at(2)
  • use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.

Fowner

  • Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
  • set inode flags (see ioctl_iflags(2)) on arbitrary files
  • set Access Control Lists (ACLs) on arbitrary files
  • ignore directory sticky bit on file deletion
  • modify user extended attributes on sticky directory owned by any user
  • specify O_NOATIME for arbitrary files in open(2) and fcntl(2)

Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn’t override MAC and DAC restrictions.

Fsetid

  • don’t clear set-user-ID and set-group-ID mode bits when a file is modified
  • set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process

IpcLock

IpcOwner

Bypass permission checks for operations on System V IPC objects.

Kill

Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.

Lease

Establish leases on arbitrary files (see fcntl(2)).

since Linux 2.4

LinuxImmutable

Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)).

MacAdmin

Allow MAC configuration or state changes.

Implemented for the Smack Linux Security Module (LSM).

since Linux 2.6.25

MacOverride

Override Mandatory Access Control (MAC).

Implemented for the Smack Linux Security Module (LSM).

since Linux 2.6.25

Mknod

Create special files using mknod(2).

since Linux 2.4

NetAdmin

Perform various network-related operations:

  • interface configuration
  • administration of IP firewall, masquerading, and accounting
  • modify routing tables
  • bind to any address for transparent proxying
  • set type-of-service (TOS)
  • clear driver statistics
  • set promiscuous mode
  • enabling multicasting
  • use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE and SO_SNDBUFFORCE

NetBindService

Bind a socket to Internet domain privileged ports (port numbers less than 1024).

NetBroadcast

(Unused) Make socket broadcasts, and listen to multicasts.

NetRaw

  • use RAW and PACKET sockets
  • bind to any address for transparent proxying

Perfmon

Employ various performance-monitoring mechanisms, including:

  • call perf_event_open(2)
  • employ various BPF operations that have performance implications

This capability was added to separate out performance monitoring functionality from the overloaded CAP_SYS_ADMIN capability. See also the kernel source file Documentation/admin-guide/perf-security.rst.

since Linux 5.8

Setgid

  • make arbitrary manipulations of process GIDs and supplementary GID list
  • forge GID when passing socket credentials via UNIX domain sockets
  • write a group ID mapping in a user namespace (see user_namespaces(7))

Setfcap

Set arbitrary capabilities on a file.

since Linux 2.6.24

Setpcap

If file capabilities are supported (i.e., since Linux 2.6.24): add any capability from the calling thread’s bounding set to its inheritable set; drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits flags.

If file capabilities are not supported (i.e., kernels before Linux 2.6.24): grant or remove any capability in the caller’s permitted capability set to or from any other process. (This property of CAP_SETPCAP is not available when the kernel is configured to support file capabilities, since CAP_SETPCAP has entirely different semantics for such kernels.)

Setuid

SysAdmin

  • perform a range of system administration operations including: quotactl(2), mount(2), umount(2), pivot_root(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2)
  • perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations)
  • perform VM86_REQUEST_IRQ vm86(2) command
  • access the same checkpoint/restore functionality that is governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker capability is preferred for accessing that functionality)
  • perform the same BPF operations as are governed by CAP_BPF (but the latter, weaker capability is preferred for accessing that functionality)
  • employ the same performance monitoring mechanisms as are governed by CAP_PERFMON (but the latter, weaker capability is preferred for accessing that functionality)
  • perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects
  • override RLIMIT_NPROC resource limit
  • perform operations on trusted and security extended attributes (see xattr(7))
  • use lookup_dcookie(2)
  • use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes
  • forge PID when passing socket credentials via UNIX domain sockets
  • exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2))
  • employ CLONE_* flags that create new namespaces with clone(2) and unshare(2) (but, since Linux 3.8, creating user namespaces does not require any capability)
  • access privileged perf event information
  • call setns(2) (requires CAP_SYS_ADMIN in the target namespace)
  • call fanotify_init(2)
  • perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations
  • perform madvise(2) MADV_HWPOISON operation
  • employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller’s controlling terminal
  • employ the obsolete nfsservctl(2) system call
  • employ the obsolete bdflush(2) system call
  • perform various privileged block-device ioctl(2) operations
  • perform various privileged filesystem ioctl(2) operations
  • perform privileged ioctl(2) operations on the /dev/random device (see random(4))
  • install a seccomp(2) filter without first having to set the no_new_privs thread attribute
  • modify allow/deny rules for device control groups
  • employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to dump tracee’s seccomp filters
  • employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend the tracee’s seccomp protections (i.e., the PTRACE_O_SUSPEND_SECCOMP flag)
  • perform administrative operations on many device drivers
  • modify autogroup nice values by writing to /proc/[pid]/autogroup (see sched(7))

SysBoot

SysChroot

SysModule

  • load and unload kernel modules (see init_module(2) and delete_module(2))
  • in kernels before 2.6.25: drop capabilities from the system-wide capability bounding set

SysNice

SysPacct

Use acct(2).

SysPtrace

SysRawio

  • perform I/O port operations (iopl(2) and ioperm(2))
  • access /proc/kcore
  • employ the FIBMAP ioctl(2) operation
  • open devices for accessing x86 model-specific registers (MSRs, see msr(4))
  • update /proc/sys/vm/mmap_min_addr
  • create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr
  • map files in /proc/bus/pci
  • open /dev/mem and /dev/kmem
  • perform various SCSI device commands
  • perform certain operations on hpsa(4) and cciss(4) devices
  • perform a range of device-specific operations on other devices

SysResource

  • use reserved space on ext2 filesystems
  • make ioctl(2) calls controlling ext3 journaling
  • override disk quota limits
  • increase resource limits (see setrlimit(2))
  • override RLIMIT_NPROC resource limit
  • override maximum number of consoles on console allocation
  • override maximum number of keymaps
  • allow more than 64hz interrupts from the real-time clock
  • raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2))
  • allow the RLIMIT_NOFILE resource limit on the number of “in-flight” file descriptors to be bypassed when passing file descriptors to another process via a UNIX domain socket (see unix(7))
  • override the /proc/sys/fs/pipe-size-max limit when setting the capacity of a pipe using the F_SETPIPE_SZ fcntl(2) command
  • use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size
  • override /proc/sys/fs/mqueue/queues_max, /proc/sys/fs/mqueue/msg_max and /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX message queues (see mq_overview(7))
  • employ the prctl(2) PR_SET_MM operation
  • set /proc/[pid]/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE

SysTime

SysTtyConfig

Syslog

  • perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege.
  • view kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1. (See the discussion of the kptr_restrict in proc(5).)

since Linux 2.6.37

WakeAlarm

Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).

since Linux 3.0
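The variants above carry two facts a container operator needs when reviewing a runtime config: the "since Linux" version of each newer capability, and the SysAdmin entry's advice that CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE and CAP_SYSLOG are the preferred, narrower grants. The following added example (not code from the oci-spec-rs crate) lints a capability list against both; it uses no oci_spec API, and the CAP_* spellings and their correspondence to the enum's variants are assumed from the OCI runtime config format.

```rust
/// Kernel version as (major, minor, patch); tuples compare lexicographically.
pub type Kernel = (u32, u32, u32);

/// CAP_* spellings of the 41 variants above, as an OCI runtime config writes them
/// (assumed to be the names the crate's FromStr accepts).
pub const KNOWN: [&str; 41] = [
    "CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE", "CAP_BLOCK_SUSPEND", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_KILL", "CAP_LEASE", "CAP_LINUX_IMMUTABLE",
    "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE", "CAP_MKNOD", "CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE",
    "CAP_NET_BROADCAST", "CAP_NET_RAW", "CAP_PERFMON", "CAP_SETGID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_SETUID", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_CHROOT", "CAP_SYS_MODULE", "CAP_SYS_NICE",
    "CAP_SYS_PACCT", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
    "CAP_SYS_TTY_CONFIG", "CAP_SYSLOG", "CAP_WAKE_ALARM",
];

/// Minimum kernel for the variants annotated "since Linux ..." above.
pub const SINCE: [(&str, Kernel); 14] = [
    ("CAP_AUDIT_CONTROL", (2, 6, 11)), ("CAP_AUDIT_READ", (3, 16, 0)), ("CAP_AUDIT_WRITE", (2, 6, 11)),
    ("CAP_BLOCK_SUSPEND", (3, 5, 0)), ("CAP_BPF", (5, 8, 0)), ("CAP_CHECKPOINT_RESTORE", (5, 9, 0)),
    ("CAP_LEASE", (2, 4, 0)), ("CAP_MAC_ADMIN", (2, 6, 25)), ("CAP_MAC_OVERRIDE", (2, 6, 25)),
    ("CAP_MKNOD", (2, 4, 0)), ("CAP_PERFMON", (5, 8, 0)), ("CAP_SETFCAP", (2, 6, 24)),
    ("CAP_SYSLOG", (2, 6, 37)), ("CAP_WAKE_ALARM", (3, 0, 0)),
];
/// Narrower capabilities the SysAdmin entry says to prefer over CAP_SYS_ADMIN.
pub const SYS_ADMIN_SPLITS: [&str; 4] = ["CAP_BPF", "CAP_PERFMON", "CAP_CHECKPOINT_RESTORE", "CAP_SYSLOG"];

/// Lint one capability list (e.g. process.capabilities.bounding) against a
/// target kernel. Returns one finding per problem; empty means clean.
pub fn audit(granted: &[&str], kernel: Kernel) -> Vec<String> {
    let mut findings = Vec::new();
    for cap in granted {
        if !KNOWN.contains(cap) {
            // The crate's FromStr / TryFrom<&str> would return ParseError here.
            findings.push(format!("{}: unknown capability name", cap));
            continue;
        }
        if let Some(&(_, since)) = SINCE.iter().find(|entry| entry.0 == *cap) {
            if kernel < since {
                findings.push(format!("{}: needs Linux {}.{}.{}, target is {}.{}.{}",
                    cap, since.0, since.1, since.2, kernel.0, kernel.1, kernel.2));
            }
        }
    }
    if granted.contains(&"CAP_SYS_ADMIN") {
        findings.push(format!("CAP_SYS_ADMIN: overloaded; if only BPF, perf, checkpoint/restore \
            or syslog is needed, grant the narrower {} instead", SYS_ADMIN_SPLITS.join(", ")));
    }
    findings
}
```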

Trait Implementations

impl Clone for Capability

  fn clone(&self) -> Capability
  Returns a copy of the value.

  fn clone_from(&mut self, source: &Self)
  Performs copy-assignment from source.

impl Debug for Capability

  fn fmt(&self, f: &mut Formatter<'_>) -> Result
  Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Capability

  fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
  where D: Deserializer<'de>,
  Deserialize this value from the given Serde deserializer.

impl Display for Capability

  fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>
  Formats the value using the given formatter.

impl FromStr for Capability

  type Err = ParseError
  The associated error which can be returned from parsing.

  fn from_str(s: &str) -> Result<Capability, <Self as FromStr>::Err>
  Parses a string s to return a value of this type.

impl Hash for Capability

  fn hash<__H: Hasher>(&self, state: &mut __H)
  Feeds this value into the given Hasher.

  fn hash_slice<H>(data: &[Self], state: &mut H)
  where H: Hasher, Self: Sized,
  Feeds a slice of this type into the given Hasher.

impl PartialEq for Capability

  fn eq(&self, other: &Capability) -> bool
  Tests for self and other values to be equal, and is used by ==.

  fn ne(&self, other: &Rhs) -> bool
  Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Capability

  fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
  where __S: Serializer,
  Serialize this value into the given Serde serializer.

impl TryFrom<&str> for Capability

  type Error = ParseError
  The type returned in the event of a conversion error.

  fn try_from(s: &str) -> Result<Capability, <Self as TryFrom<&str>>::Error>
  Performs the conversion.

impl Copy for Capability

impl Eq for Capability

impl StructuralPartialEq for Capability
