Lines Matching +full:allow +full:- +full:set +full:- +full:time
1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
11 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
19 /* User-level do most of the mapping between kernel and user
25 a set of three capability sets. The transposition of 3*the
33 #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
96 * Backwardly compatible definition for source code - trapped in a
97 * 32-bit world. If you find you need this, please consider using
107 ** POSIX-draft defined capabilities.
155 /* Allows set*uid(2) manipulation (including fsuid). */
162 ** Linux-specific capabilities
166 * Transfer any capability in your permitted set to any pid,
167 * remove any capability in your permitted set from any pid
169 * Add any capability from current's capability bounding set
170 * to the current process' inheritable set
171 * Allow taking bits out of capability bounding set
172 * Allow modification of the securebits for a process
177 /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
186 /* Allow broadcasting, listen to multicast */
190 /* Allow interface configuration */
191 /* Allow administration of IP firewall, masquerading and accounting */
192 /* Allow setting debug option on sockets */
193 /* Allow modification of routing tables */
194 /* Allow setting arbitrary process / process group ownership on
196 /* Allow binding to any address for transparent proxying (also via NET_RAW) */
197 /* Allow setting TOS (type of service) */
198 /* Allow setting promiscuous mode */
199 /* Allow clearing driver statistics */
200 /* Allow multicasting */
201 /* Allow read/write of device-specific registers */
202 /* Allow activation of ATM control sockets */
206 /* Allow use of RAW sockets */
207 /* Allow use of PACKET sockets */
208 /* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
212 /* Allow locking of shared memory segments */
213 /* Allow mlock and mlockall (which doesn't really have anything to do
222 /* Insert and remove kernel modules - modify kernel without limit */
225 /* Allow ioperm/iopl access */
226 /* Allow sending USB messages to any device via /dev/bus/usb */
230 /* Allow use of chroot() */
234 /* Allow ptrace() of any process */
238 /* Allow configuration of process accounting */
242 /* Allow configuration of the secure attention key */
243 /* Allow administration of the random device */
244 /* Allow examination and configuration of disk quotas */
245 /* Allow setting the domainname */
246 /* Allow setting the hostname */
247 /* Allow mount() and umount(), setting up new smb connection */
248 /* Allow some autofs root ioctls */
249 /* Allow nfsservctl */
250 /* Allow VM86_REQUEST_IRQ */
251 /* Allow to read/write pci config on alpha */
252 /* Allow irix_prctl on mips (setstacksize) */
253 /* Allow flushing all cache on m68k (sys_cacheflush) */
254 /* Allow removing semaphores */
257 /* Allow locking/unlocking of shared memory segment */
258 /* Allow turning swap on/off */
259 /* Allow forged pids on socket credentials passing */
260 /* Allow setting readahead and flushing buffers on block devices */
261 /* Allow setting geometry in floppy driver */
262 /* Allow turning DMA on/off in xd driver */
263 /* Allow administration of md devices (mostly the above, but some
265 /* Allow tuning the ide driver */
266 /* Allow access to the nvram device */
267 /* Allow administration of apm_bios, serial and bttv (TV) device */
268 /* Allow manufacturer commands in isdn CAPI support driver */
269 /* Allow reading non-standardized portions of pci configuration space */
270 /* Allow DDI debug ioctl on sbpcd driver */
271 /* Allow setting up serial ports */
272 /* Allow sending raw qic-117 commands */
273 /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
275 /* Allow setting encryption key on loopback filesystem */
276 /* Allow setting zone reclaim policy */
277 /* Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility */
281 /* Allow use of reboot() */
285 /* Allow raising priority and setting priority on other (different
287 /* Allow use of FIFO and round-robin (realtime) scheduling on own
290 /* Allow setting cpu affinity on other processes */
291 /* Allow setting realtime ioprio class */
292 /* Allow setting ioprio class on other processes */
296 /* Override resource limits. Set resource limits. */
304 /* Allow more than 64hz interrupts from the real-time clock */
311 /* Allow manipulation of system clock */
312 /* Allow irix_stime on mips */
313 /* Allow setting the real-time clock */
317 /* Allow configuration of tty devices */
318 /* Allow vhangup() of tty */
322 /* Allow the privileged aspects of mknod() */
326 /* Allow taking of leases on files */
330 /* Allow writing the audit log via unicast netlink socket */
334 /* Allow configuration of audit via unicast netlink socket */
338 /* Set or remove capabilities on files.
351 /* Allow MAC configuration or state changes.
360 /* Allow configuring the kernel's syslog (printk behaviour) */
364 /* Allow triggering something that will wake the system */
368 /* Allow preventing system suspends */
372 /* Allow reading the audit log via multicast netlink socket */
377 * Allow system performance and observability privileged operations
385 * - Creating all types of BPF maps
386 * - Advanced verifier features
387 * - Indirect variable access
388 * - Bounded loops
389 * - BPF to BPF function calls
390 * - Scalar precision tracking
391 * - Larger complexity limits
392 * - Dead code elimination
393 * - And potentially other features
394 * - Loading BPF Type Format (BTF) data
395 * - Retrieve xlated and JITed code of BPF programs
396 * - Use bpf_spin_lock() helper
399 * - BPF progs can use of pointer-to-integer conversions
400 * - speculation attack hardening measures are bypassed
401 * - bpf_probe_read to read arbitrary kernel memory is allowed
402 * - bpf_trace_printk to print kernel memory is allowed
415 /* Allow checkpoint/restore related operations */
416 /* Allow PID selection during clone3() */
417 /* Allow writing to ns_last_pid */
426 * Bit location of each capability (used by user-space library and kernel)