capng_c 0.1.2 → 0.1.7

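--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 255863aedacdc832b5ff8da87fb0d97a2916a65b1385c6f8072281967039d632
- data.tar.gz: e145914ff785ff35cf7df36e86e9fca56a6de5228139b4e9ef586888be20bad3
+ metadata.gz: 5bae1dd7527d09feef11b6252856439df68a03fd8dbd130fe0a9b7b2f97b4d49
+ data.tar.gz: 7156e1d1d7394f54826b6057fef70f66a1a7df58d23cdfab9ee0c802660d2919
  SHA512:
- metadata.gz: e401c25553011b8e922b1f7c80574fef9d9890464905b29513485c7a1627091fa26532d6f461d86aeb202e82b64eddca7f31edde1e48f07a00bf8cb3fe67ab01
- data.tar.gz: 6d6f3fbf99fc67ea2ec32f5803a453782d2f10e6773d7db1905eba33d01c657cb7a3a238d7cc65f910f5ad361398964b44135f4bf79c256d0edb35222f2cdb8d
+ metadata.gz: b92e7b9a212dffbe73bef10990dd45108a9612583e863fa7737b75f9466aee9152806592ad476d9b839c7fa6ee9ebd308524388547db2a13117b29813d206554
+ data.tar.gz: 92c5d50b1416162cc8a2ab609e42ac558e8cba462ef5f2a9bea5d81096ded50f72b68a6f640cfcd6f03660e669b269e75702a69e2e65510d7ac9b15e8f00397f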
@@ -0,0 +1,5 @@
1
+ BasedOnStyle: Mozilla
2
+ ColumnLimit: 90
3
+ BinPackParameters: true
4
+ BinPackArguments: false
5
+ AllowShortCaseLabelsOnASingleLine: false
@@ -0,0 +1,35 @@
1
+ name: Apt based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - Debian GNU/Linux Buster amd64
13
+ - Ubuntu Bionic amd64
14
+ - Ubuntu Focal amd64
15
+ include:
16
+ - label: Debian GNU/Linux Buster amd64
17
+ test-docker-image: debian:buster
18
+ test-script: ci/apt-test.sh
19
+ - label: Ubuntu Bionic amd64
20
+ test-docker-image: ubuntu:bionic
21
+ test-script: ci/apt-test.sh
22
+ - label: Ubuntu Focal amd64
23
+ test-docker-image: ubuntu:focal
24
+ test-script: ci/apt-test.sh
25
+ runs-on: ubuntu-latest
26
+ steps:
27
+ - uses: actions/checkout@master
28
+ - name: rake compile & rake test
29
+ run: |
30
+ docker run \
31
+ --rm \
32
+ --tty \
33
+ --volume ${PWD}:/capng \
34
+ ${{ matrix.test-docker-image }} \
35
+ /capng/${{ matrix.test-script }}
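Review bot: `- uses: actions/checkout@master` on the checkout step pins the action to a moving branch, so every CI run pulls whatever master currently holds rather than a reviewed release; the Yum based Linux workflow further down has the same line. Pin it to a release tag or, stricter, to a full commit SHA, e.g. `- uses: actions/checkout@v2`. The `docker run` step bind-mounts `${PWD}` into the container and runs the matrix test script, which is fine for a build container, but the same pinning consideration applies to the `debian:buster` and `ubuntu:*` image tags if reproducible runs matter.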
@@ -1,4 +1,4 @@
1
- name: Linux testing
1
+ name: Multiple Ruby version tests
2
2
  on:
3
3
  - push
4
4
  - pull_request
@@ -0,0 +1,39 @@
1
+ name: Yum based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - CentOS 7 x86_64
13
+ - CentOS 8 x86_64
14
+ - Fedora 33 x86_64
15
+ - AmazonLinux 2 x86_64
16
+ include:
17
+ - label: CentOS 7 x86_64
18
+ test-docker-image: centos:7
19
+ test-script: ci/yum-test.sh
20
+ - label: CentOS 8 x86_64
21
+ test-docker-image: centos:8
22
+ test-script: ci/yum-test.sh
23
+ - label: Fedora 33 x86_64
24
+ test-docker-image: fedora:33
25
+ test-script: ci/yum-test.sh
26
+ - label: AmazonLinux 2 x86_64
27
+ test-docker-image: amazonlinux:2
28
+ test-script: ci/yum-test.sh
29
+ runs-on: ubuntu-latest
30
+ steps:
31
+ - uses: actions/checkout@master
32
+ - name: rake compile & rake test
33
+ run: |
34
+ docker run \
35
+ --rm \
36
+ --tty \
37
+ --volume ${PWD}:/capng \
38
+ ${{ matrix.test-docker-image }} \
39
+ /capng/${{ matrix.test-script }}
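--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,6 @@
  source "https://rubygems.org"
  
- # Specify your gem's dependencies in ioext.gemspec
+ # Specify your gem's dependencies in capng_c.gemspec
  gemspec
+
+ gem "irb"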
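--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,21 @@
  # Capng_c
  
- ![Linux testing](https://github.com/cosmo0920/capng_c/workflows/Linux%20testing/badge.svg?branch=main)
+ ![Multiple Ruby version tests](https://github.com/fluent-plugins-nursery/capng_c/workflows/Multiple%20Ruby%20version%20tests/badge.svg?branch=main)
+ ![Apt based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Apt%20based%20Linux/badge.svg?branch=main)
+ ![Yum based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Yum%20based%20Linux/badge.svg?branch=main)
  
  libcap-ng bindings for Ruby.
  
+ ## Prerequisites
+
+ * pkg-config package for linking libcap-ng library
+ * libcap-ng and its development packages
+ * libcap-ng-dev on Debian GNU/Linux and Ubuntu
+ * libcap-ng-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+ * Ruby and its development packages
+ * ruby-dev on Debian GNU/Linux and Ubuntu
+ * ruby-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+
  ## Installation
  
  Add this line to your application's Gemfile:
@@ -20,6 +32,10 @@ Or install it yourself as:
  
  $ gem install capng_c
  
+ ## Usage
+
+ The usage examples are put in [example directory](example).
+
  ## Development
  
  After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -28,4 +44,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
  
  ## Contributing
  
- Bug reports and pull requests are welcome on GitHub at https://github.com/cosmo0920/capng_c.
+ Bug reports and pull requests are welcome on GitHub at https://github.com/fluent-plugins-nursery/capng_c.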
@@ -10,8 +10,8 @@ Gem::Specification.new do |spec|
10
10
 
11
11
  spec.summary = %q{libcap-ng bindings for Ruby.}
12
12
  spec.description = spec.summary
13
- spec.homepage = "https://github.com/cosmo0920/cap-ng_c"
14
-
13
+ spec.homepage = "https://github.com/fluent-plugins-nursery/cap-ng_c"
14
+ spec.license = "Apache-2.0"
15
15
  spec.metadata["allowed_push_host"] = "https://rubygems.org"
16
16
 
17
17
  spec.metadata["homepage_uri"] = spec.homepage
@@ -32,4 +32,5 @@ Gem::Specification.new do |spec|
32
32
  spec.add_development_dependency "rake", "~> 12.0"
33
33
  spec.add_development_dependency "rake-compiler", "~> 1.0"
34
34
  spec.add_development_dependency "test-unit", "~> 3.3.3"
35
+ spec.add_development_dependency "yard", "~> 0.9"
35
36
  end
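Review bot: The new `spec.homepage = "https://github.com/fluent-plugins-nursery/cap-ng_c"` names the repository `cap-ng_c`, while the README badges and Contributing link in this same release point at `fluent-plugins-nursery/capng_c` and the gem itself is `capng_c`; one of the two is wrong, and because `spec.metadata["homepage_uri"]` is derived from `spec.homepage` the mismatch propagates into the published gem metadata. If the repository really is `capng_c`, as the README suggests, change the line to `spec.homepage = "https://github.com/fluent-plugins-nursery/capng_c"`. The `Gem::Specification.new` block starts before this hunk.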
@@ -0,0 +1,15 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ export DEBIAN_FRONTEND=noninteractive
6
+
7
+ apt update
8
+ apt install -V -y lsb-release
9
+
10
+ apt install -V -y ruby-dev git build-essential pkg-config
11
+ apt install -V -y libcap-ng-dev
12
+ cd /capng && \
13
+ gem install bundler --no-document && \
14
+ bundle install && \
15
+ bundle exec rake
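Review bot: `apt install -V -y lsb-release` installs a package nothing else in the script uses, so it only adds an extra apt round-trip to every CI run; either drop the line or fold it into the `ruby-dev git build-essential pkg-config` install if a later step will need it. The `cd /capng && \` chain at the end relies on the bind mount the workflow creates with `docker run --volume ${PWD}:/capng`, which is not obvious from the script alone; a one-line comment such as `# /capng is the checkout bind-mounted by the GitHub Actions workflow` would help the next reader.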
@@ -0,0 +1,64 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ distribution=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f2)
6
+ version=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f4)
7
+ USE_SCL=0
8
+ USE_AMZN_EXT=0
9
+
10
+ case ${distribution} in
11
+ amazon)
12
+ case ${version} in
13
+ 2)
14
+ DNF=yum
15
+ USE_AMZN_EXT=1
16
+ ;;
17
+ esac
18
+ ;;
19
+ centos)
20
+ case ${version} in
21
+ 7)
22
+ DNF=yum
23
+ USE_SCL=1
24
+ ;;
25
+ *)
26
+ DNF="dnf --enablerepo=PowerTools"
27
+ ;;
28
+ esac
29
+ ;;
30
+ fedoraproject)
31
+ case ${version} in
32
+ 33)
33
+ DNF=yum
34
+ ;;
35
+ esac
36
+ ;;
37
+ esac
38
+
39
+ ${DNF} groupinstall -y "Development Tools"
40
+
41
+ if [ $USE_SCL -eq 1 ]; then
42
+ ${DNF} install -y centos-release-scl && \
43
+ ${DNF} install -y \
44
+ rh-ruby26-ruby-devel \
45
+ rh-ruby26-rubygems \
46
+ rh-ruby26-rubygem-rake \
47
+ rpm-build
48
+ elif [ $USE_AMZN_EXT -eq 1 ]; then
49
+ amazon-linux-extras install -y ruby2.6 && \
50
+ ${DNF} install -y ruby-devel
51
+ else
52
+ ${DNF} install -y ruby-devel \
53
+ rubygems \
54
+ rpm-build
55
+ fi
56
+ ${DNF} install -y libcap-ng-devel
57
+
58
+ if [ $USE_SCL -eq 1 ]; then
59
+ # For unbound variable error
60
+ export MANPATH=
61
+ cd /capng && source /opt/rh/rh-ruby26/enable && gem install bundler --no-document && bundle install && bundle exec rake
62
+ else
63
+ cd /capng && gem install bundler --no-document && bundle install && bundle exec rake
64
+ fi
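Review bot: `DNF` is only assigned inside the `case` branches, so on any distribution/version pair the script does not list (a Fedora other than 33, or an unparsed `/etc/system-release-cpe`) the `${DNF} groupinstall -y "Development Tools"` line aborts under `set -u` with an unbound-variable error rather than a clear message; add a default next to the other flags, `DNF=dnf`, or fail explicitly in a `*)` branch of the outer `case`. `${DNF}` is deliberately left unquoted so that `dnf --enablerepo=PowerTools` word-splits into command and option; a short comment saying so would stop someone "fixing" it with quotes. The two `cat ... | awk ... | cut` pipelines could share one parsed variable, but that is cosmetic.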
@@ -0,0 +1,36 @@
1
+ # Copyright 2020- Hiroshi Hatake
2
+
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require 'capng'
16
+
17
+ if ARGV.size != 1
18
+ puts "specify file path on ARGV."
19
+ exit 1
20
+ end
21
+
22
+ if Process.uid != 0
23
+ puts "Needed to run as root!"
24
+ exit 2
25
+ end
26
+
27
+ path = ARGV[0]
28
+ capng = CapNG.new(:file, path)
29
+ print = CapNG::Print.new
30
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
31
+ capng.clear(:caps)
32
+ ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED,
33
+ [:dac_read_search, :dac_override])
34
+ puts "updating capability: #{ret ? "success" : "fail"}"
35
+ capng.apply_caps_file(path)
36
+ puts "updated capability: #{print.caps_text(:buffer, :effective)}"
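Review bot: The return value of `capng.apply_caps_file(path)` is discarded, while the preceding `capng.update(...)` result is checked and reported, so the final "updated capability" line prints the buffer contents even when applying to the file failed; assign and report it the same way, `ret = capng.apply_caps_file(path)` followed by `puts "applying capability: #{ret ? "success" : "fail"}"`. Whether `apply_caps_file` returns a boolean or raises is not visible here; if it raises, a `rescue` with a message is the equivalent. The local `print = CapNG::Print.new` shadows `Kernel#print` for the rest of the script; a name such as `printer` avoids the surprise.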
@@ -0,0 +1,59 @@
1
+ # Copyright 2020- Hiroshi Hatake
2
+
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require 'capng'
16
+
17
+ if Process.uid != 0
18
+ puts "Needed to run as root!"
19
+ exit 2
20
+ end
21
+
22
+ capng = CapNG.new(:current_process)
23
+
24
+ print = CapNG::Print.new
25
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
26
+ target_file = ARGV[0] || "/var/log/syslog"
27
+ capng.clear(:caps)
28
+
29
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
30
+ ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
31
+ puts "CapNG#update: #{ret ? 'success' : 'fail'}"
32
+
33
+ ret = capng.apply(:caps)
34
+ puts "CapNG#apply(add): #{ret ? 'success' : 'fail'}"
35
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
36
+ path = "/var/log/syslog"
37
+ unless File.readable?(path)
38
+ puts "-----unreadable!!!!-----\ntarget: #{target_file}"
39
+ end
40
+ contents = File.read(target_file)
41
+ if contents.length >= 0
42
+ puts "succeeded to read: #{target_file}"
43
+ end
44
+
45
+ ret = capng.update(:drop, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
46
+ puts "CapNG#update(drop): #{ret ? 'success' : 'fail'}"
47
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
48
+
49
+ ret = capng.apply(:caps)
50
+ puts "CapNG#apply(drop): #{ret ? 'success' : 'fail'}"
51
+
52
+ unless File.readable?(path)
53
+ puts "-----unreadable!!!!-----\ntarget: #{target_file}"
54
+ end
55
+ begin
56
+ File.read(target_file)
57
+ rescue Errno::EACCES
58
+ puts "permission denied even if run as root"
59
+ end
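Review bot: `path = "/var/log/syslog"` is hard-coded and is what both `File.readable?(path)` checks inspect, while the actual reads use `target_file = ARGV[0] || "/var/log/syslog"`, so whenever a path is passed on the command line the "unreadable" warning is about the wrong file; drop the `path` assignment and check `File.readable?(target_file)` in both places. The same pair of lines appears in the next example (the one guarded by `have_capability?`). `if contents.length >= 0` is always true, so "succeeded to read" is printed unconditionally — `File.read` raises on failure — and the guard can simply be removed.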
@@ -0,0 +1,36 @@
1
+ # Copyright 2020- Hiroshi Hatake
2
+
3
+ # Licensed under the Apache License, Version 2.0 (the "License");
4
+ # you may not use this file except in compliance with the License.
5
+ # You may obtain a copy of the License at
6
+
7
+ # http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ # Unless required by applicable law or agreed to in writing, software
10
+ # distributed under the License is distributed on an "AS IS" BASIS,
11
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ # See the License for the specific language governing permissions and
13
+ # limitations under the License.
14
+
15
+ require 'capng'
16
+
17
+ capng = CapNG.new(:current_process)
18
+ unless capng.have_capability?(:effective, :dac_read_search)
19
+ puts "This example needs to setup :dac_read_search capability on running Ruby executable."
20
+ exit 2
21
+ end
22
+
23
+ print = CapNG::Print.new
24
+ puts "capability: #{print.caps_text(:buffer, :effective)}"
25
+ target_file = ARGV[0] || "/var/log/syslog"
26
+
27
+ path = "/var/log/syslog"
28
+ unless File.readable?(path)
29
+ puts "-----unreadable!!!!-----\ntarget: #{target_file}"
30
+ end
31
+ if capng.have_capability?(:effective, :dac_read_search)
32
+ contents = File.read(target_file)
33
+ if contents.length >= 0
34
+ puts "succeeded to read: #{target_file} w/o root user"
35
+ end
36
+ end
@@ -13,21 +13,37 @@
13
13
 
14
14
  #include <capng.h>
15
15
 
16
- struct CapNGCapability {};
17
-
18
- static void capng_capability_free(void* capng);
19
-
20
- static const rb_data_type_t rb_capng_capability_type = {
21
- "capng_capability/c_runtime",
22
- {
23
- 0,
24
- capng_capability_free,
25
- 0,
26
- },
27
- NULL,
28
- NULL,
29
- RUBY_TYPED_FREE_IMMEDIATELY
30
- };
16
+ /* clang-format off */
17
+ /*
18
+ * Document-class: CapNG::Capability
19
+ *
20
+ * Check Linux capabilities and define its constants.
21
+ *
22
+ * @example
23
+ * require 'capng'
24
+ *
25
+ * @cap = CapNG::Capability.new
26
+ *
27
+ * @cap.from_name(:dac_read_search) #=> 2
28
+ * @cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"
29
+ */
30
+ /* clang-format on */
31
+
32
+ struct CapNGCapability
33
+ {};
34
+
35
+ static void
36
+ capng_capability_free(void* capng);
37
+
38
+ static const rb_data_type_t rb_capng_capability_type = { "capng_capability/c_runtime",
39
+ {
40
+ 0,
41
+ capng_capability_free,
42
+ 0,
43
+ },
44
+ NULL,
45
+ NULL,
46
+ RUBY_TYPED_FREE_IMMEDIATELY };
31
47
 
32
48
  static void
33
49
  capng_capability_free(void* ptr)
@@ -45,16 +61,29 @@ rb_capng_capability_alloc(VALUE klass)
45
61
  return obj;
46
62
  }
47
63
 
64
+ /*
65
+ * Initalize Capability class.
66
+ *
67
+ * @return [nil]
68
+ *
69
+ */
48
70
  static VALUE
49
71
  rb_capng_capability_initialize(VALUE self)
50
72
  {
51
73
  return Qnil;
52
74
  }
53
75
 
76
+ /*
77
+ * Obtain capability name from capability value.
78
+ *
79
+ * @param rb_capability [Integer] Capability constant value.
80
+ * @return [String]
81
+ *
82
+ */
54
83
  static VALUE
55
84
  rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
56
85
  {
57
- const char *name = capng_capability_to_name(NUM2UINT(rb_capability));
86
+ const char* name = capng_capability_to_name(NUM2UINT(rb_capability));
58
87
 
59
88
  if (name)
60
89
  return rb_str_new2(name);
@@ -62,20 +91,28 @@ rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
62
91
  return rb_str_new2("unknown");
63
92
  }
64
93
 
94
+ /*
95
+ * Obtain capability value from capability name.
96
+ *
97
+ * @param rb_capability_name_or_symbol [String or Symbol] Capability constant value.
98
+ * @return [Integer]
99
+ *
100
+ */
65
101
  static VALUE
66
102
  rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
67
103
  {
68
104
  unsigned int capability;
69
105
 
70
106
  switch (TYPE(rb_capability_name_or_symbol)) {
71
- case T_SYMBOL:
72
- capability = capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
73
- break;
74
- case T_STRING:
75
- capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
76
- break;
77
- default:
78
- rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
107
+ case T_SYMBOL:
108
+ capability =
109
+ capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
110
+ break;
111
+ case T_STRING:
112
+ capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
113
+ break;
114
+ default:
115
+ rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
79
116
  }
80
117
  return INT2NUM(capability);
81
118
  }
@@ -83,7 +120,7 @@ rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
83
120
  void
84
121
  Init_capng_capability(VALUE rb_cCapNG)
85
122
  {
86
- rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
123
+ VALUE rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
87
124
 
88
125
  rb_define_alloc_func(rb_cCapability, rb_capng_capability_alloc);
89
126
 
@@ -92,47 +129,300 @@ Init_capng_capability(VALUE rb_cCapNG)
92
129
  rb_define_method(rb_cCapability, "from_name", rb_capng_capability_from_name, 1);
93
130
 
94
131
  // Capability constants.
132
+
133
+ /* Make arbitrary changes to file UIDs and GIDs (see chown(2)). */
95
134
  rb_define_const(rb_cCapability, "CHOWN", INT2NUM(CAP_CHOWN));
135
+ /*
136
+ * Bypass file read, write, and execute permission checks. (DAC
137
+ * is an abbreviation of "discretionary access control".) */
96
138
  rb_define_const(rb_cCapability, "DAC_OVERRIDE", INT2NUM(CAP_DAC_OVERRIDE));
139
+ /*
140
+ * * Bypass file read permission checks and directory read and execute permission
141
+ * checks;
142
+ * * invoke open_by_handle_at(2);
143
+ * * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a
144
+ * file descriptor.
145
+ */
97
146
  rb_define_const(rb_cCapability, "DAC_READ_SEARCH", INT2NUM(CAP_DAC_READ_SEARCH));
147
+ /*
148
+ * * Bypass permission checks on operations that normally require
149
+ * the filesystem UID of the process to match the UID of the
150
+ * file (e.g., chmod(2), utime(2)), excluding those operations
151
+ * covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
152
+ * * set inode flags (see ioctl_iflags(2)) on arbitrary files;
153
+ * * set Access Control Lists (ACLs) on arbitrary files;
154
+ * * ignore directory sticky bit on file deletion;
155
+ * * modify user extended attributes on sticky directory owned by
156
+ * any user;
157
+ * * specify O_NOATIME for arbitrary files in open(2) and
158
+ * fcntl(2).
159
+ */
98
160
  rb_define_const(rb_cCapability, "FOWNER", INT2NUM(CAP_FOWNER));
161
+ /*
162
+ * * Don't clear set-user-ID and set-group-ID mode bits when a
163
+ * file is modified;
164
+ * * set the set-group-ID bit for a file whose GID does not match
165
+ * the filesystem or any of the supplementary GIDs of the
166
+ * calling process.
167
+ */
99
168
  rb_define_const(rb_cCapability, "FSETID", INT2NUM(CAP_FSETID));
169
+ /* Bypass permission checks for sending signals (see kill(2)).
170
+ * This includes use of the ioctl(2) KDSIGACCEPT operation. */
100
171
  rb_define_const(rb_cCapability, "KILL", INT2NUM(CAP_KILL));
172
+ /*
173
+ * * Make arbitrary manipulations of process GIDs and
174
+ * supplementary GID list;
175
+ * * forge GID when passing socket credentials via UNIX domain
176
+ * sockets;
177
+ * * write a group ID mapping in a user namespace (see
178
+ * user_namespaces(7)).
179
+ */
101
180
  rb_define_const(rb_cCapability, "SETGID", INT2NUM(CAP_SETGID));
181
+ /*
182
+ * * Make arbitrary manipulations of process UIDs (setuid(2),
183
+ * setreuid(2), setresuid(2), setfsuid(2));
184
+ * * forge UID when passing socket credentials via UNIX domain
185
+ * sockets;
186
+ * * write a user ID mapping in a user namespace (see
187
+ * user_namespaces(7)).
188
+ */
102
189
  rb_define_const(rb_cCapability, "SETUID", INT2NUM(CAP_SETUID));
190
+ /*
191
+ * If file capabilities are supported (i.e., since Linux 2.6.24):
192
+ * add any capability from the calling thread's bounding set to
193
+ * its inheritable set; drop capabilities from the bounding set
194
+ * (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits
195
+ * flags.
196
+ *
197
+ * If file capabilities are not supported (i.e., kernels before
198
+ * Linux 2.6.24): grant or remove any capability in the caller's
199
+ * permitted capability set to or from any other process. (This
200
+ * property of CAP_SETPCAP is not available when the kernel is
201
+ * configured to support file capabilities, since CAP_SETPCAP has
202
+ * entirely different semantics for such kernels.)
203
+ */
103
204
  rb_define_const(rb_cCapability, "SETPCAP", INT2NUM(CAP_SETPCAP));
205
+ /* Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)). */
104
206
  rb_define_const(rb_cCapability, "LINUX_IMMUTABLE", INT2NUM(CAP_LINUX_IMMUTABLE));
207
+ /* Bind a socket to Internet domain privileged ports (port numbers less than 1024).*/
105
208
  rb_define_const(rb_cCapability, "NET_BIND_SERIVCE", INT2NUM(CAP_NET_BIND_SERVICE));
209
+ /* (Unused) Make socket broadcasts, and listen to multicasts. */
106
210
  rb_define_const(rb_cCapability, "NET_BROATCAST", INT2NUM(CAP_NET_BROADCAST));
211
+ /* Perform various network-related operations:
212
+ *
213
+ * * interface configuration;
214
+ * * administration of IP firewall, masquerading, and accounting;
215
+ * * modify routing tables;
216
+ * * bind to any address for transparent proxying;
217
+ * * set type-of-service (TOS);
218
+ * * clear driver statistics;
219
+ * * set promiscuous mode;
220
+ * * enabling multicasting;
221
+ * * use setsockopt(2) to set the following socket options:
222
+ * * SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
223
+ * * range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
224
+ */
107
225
  rb_define_const(rb_cCapability, "NET_ADMIN", INT2NUM(CAP_NET_ADMIN));
226
+ /*
227
+ * * Use RAW and PACKET sockets;
228
+ * * bind to any address for transparent proxying.
229
+ */
108
230
  rb_define_const(rb_cCapability, "NET_RAW", INT2NUM(CAP_NET_RAW));
231
+ /* Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). */
109
232
  rb_define_const(rb_cCapability, "IPC_LOCK", INT2NUM(CAP_IPC_LOCK));
233
+ /* Bypass permission checks for operations on System V IPC
234
+ * objects.
235
+ */
110
236
  rb_define_const(rb_cCapability, "IPC_OWNER", INT2NUM(CAP_IPC_OWNER));
237
+ /*
238
+ * * Load and unload kernel modules (see init_module(2) and
239
+ * delete_module(2)) in kernels before 2.6.25
240
+ * * drop capabilities from the system-wide capability bounding set.
241
+ */
111
242
  rb_define_const(rb_cCapability, "SYS_MODULE", INT2NUM(CAP_SYS_MODULE));
243
+ /*
244
+ * * Perform I/O port operations (iopl(2) and ioperm(2));
245
+ * * access /proc/kcore;
246
+ * * employ the FIBMAP ioctl(2) operation;
247
+ * * open devices for accessing x86 model-specific registers
248
+ * (MSRs, see msr(4));
249
+ * * update /proc/sys/vm/mmap_min_addr;
250
+ * * create memory mappings at addresses below the value
251
+ * specified by /proc/sys/vm/mmap_min_addr;
252
+ * * map files in /proc/bus/pci;
253
+ * * open /dev/mem and /dev/kmem;
254
+ * * perform various SCSI device commands;
255
+ * * perform certain operations on hpsa(4) and cciss(4) devices;
256
+ * * perform a range of device-specific operations on other
257
+ * devices.
258
+ */
112
259
  rb_define_const(rb_cCapability, "SYS_RAWIO", INT2NUM(CAP_SYS_RAWIO));
260
+ /*
261
+ * * Use chroot(2);
262
+ * * change mount namespaces using setns(2).
263
+ */
113
264
  rb_define_const(rb_cCapability, "SYS_CHROOT", INT2NUM(CAP_SYS_CHROOT));
265
+ /*
266
+ * * Trace arbitrary processes using ptrace(2);
267
+ * * apply get_robust_list(2) to arbitrary processes;
268
+ * * transfer data to or from the memory of arbitrary processes
269
+ * using process_vm_readv(2) and process_vm_writev(2);
270
+ * * inspect processes using kcmp(2).
271
+ */
114
272
  rb_define_const(rb_cCapability, "SYS_PTRACE", INT2NUM(CAP_SYS_PTRACE));
273
+ /* Use acct(2). */
115
274
  rb_define_const(rb_cCapability, "SYS_PACCT", INT2NUM(CAP_SYS_PACCT));
275
+ /*
276
+ * Note:
277
+ * this capability is overloaded; see Notes to kernel developers, below.
278
+ *
279
+ * * Perform a range of system administration operations
280
+ * including: quotactl(2), mount(2), umount(2), pivot_root(2),
281
+ * swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
282
+ * * perform privileged syslog(2) operations (since Linux 2.6.37,
283
+ * CAP_SYSLOG should be used to permit such operations);
284
+ * * perform VM86_REQUEST_IRQ vm86(2) command;
285
+ * * access the same checkpoint/restore functionality that is
286
+ * governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker
287
+ * capability is preferred for accessing that functionality).
288
+ * * perform the same BPF operations as are governed by CAP_BPF
289
+ * (but the latter, weaker capability is preferred for
290
+ * accessing that functionality).
291
+ * * employ the same performance monitoring mechanisms as are
292
+ * governed by CAP_PERFMON (but the latter, weaker capability
293
+ * is preferred for accessing that functionality).
294
+ * * perform IPC_SET and IPC_RMID operations on arbitrary System
295
+ * V IPC objects;
296
+ * * override RLIMIT_NPROC resource limit;
297
+ * * perform operations on trusted and security extended
298
+ * attributes (see xattr(7));
299
+ * * use lookup_dcookie(2);
300
+ * * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
301
+ * Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
302
+ * * forge PID when passing socket credentials via UNIX domain
303
+ * sockets;
304
+ * * exceed /proc/sys/fs/file-max, the system-wide limit on the
305
+ * number of open files, in system calls that open files (e.g.,
306
+ * accept(2), execve(2), open(2), pipe(2));
307
+ * * employ CLONE_* flags that create new namespaces with
308
+ * clone(2) and unshare(2) (but, since Linux 3.8, creating user
309
+ * namespaces does not require any capability);
310
+ * * access privileged perf event information;
311
+ * * call setns(2) (requires CAP_SYS_ADMIN in the target
312
+ * namespace);
313
+ * * call fanotify_init(2);
314
+ * * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
315
+ * operations;
316
+ * * perform madvise(2) MADV_HWPOISON operation;
317
+ * * employ the TIOCSTI ioctl(2) to insert characters into the
318
+ * input queue of a terminal other than the caller's
319
+ * controlling terminal;
320
+ * * employ the obsolete nfsservctl(2) system call;
321
+ * * employ the obsolete bdflush(2) system call;
322
+ * * perform various privileged block-device ioctl(2) operations;
323
+ * * perform various privileged filesystem ioctl(2) operations;
324
+ * * perform privileged ioctl(2) operations on the /dev/random
325
+ * device (see random(4));
326
+ * * install a seccomp(2) filter without first having to set the
327
+ * no_new_privs thread attribute;
328
+ * * modify allow/deny rules for device control groups;
329
+ * * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
330
+ * dump tracee's seccomp filters;
331
+ * * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
332
+ * the tracee's seccomp protections (i.e., the
333
+ * PTRACE_O_SUSPEND_SECCOMP flag);
334
+ * * perform administrative operations on many device drivers;
335
+ * * modify autogroup nice values by writing to
336
+ * /proc/[pid]/autogroup (see sched(7)).
337
+ */
116
338
  rb_define_const(rb_cCapability, "SYS_ADMIN", INT2NUM(CAP_SYS_ADMIN));
339
+ /* Use reboot(2) and kexec_load(2). */
117
340
  rb_define_const(rb_cCapability, "SYS_BOOT", INT2NUM(CAP_SYS_BOOT));
341
+ /*
342
+ * * Lower the process nice value (nice(2), setpriority(2)) and
343
+ * change the nice value for arbitrary processes;
344
+ * * set real-time scheduling policies for calling process, and
345
+ * set scheduling policies and priorities for arbitrary
346
+ * processes (sched_setscheduler(2), sched_setparam(2),
347
+ * sched_setattr(2));
348
+ * * set CPU affinity for arbitrary processes
349
+ * (sched_setaffinity(2));
350
+ * * set I/O scheduling class and priority for arbitrary
351
+ * processes (ioprio_set(2));
352
+ * * apply migrate_pages(2) to arbitrary processes and allow
353
+ * processes to be migrated to arbitrary nodes;
354
+ * * apply move_pages(2) to arbitrary processes;
355
+ * * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
356
+ * move_pages(2).
357
+ */
118
358
  rb_define_const(rb_cCapability, "SYS_NICE", INT2NUM(CAP_SYS_NICE));
359
+ /*
360
+ * * Use reserved space on ext2 filesystems;
361
+ * * make ioctl(2) calls controlling ext3 journaling;
362
+ * * override disk quota limits;
363
+ * * increase resource limits (see setrlimit(2));
364
+ * * override RLIMIT_NPROC resource limit;
365
+ * * override maximum number of consoles on console allocation;
366
+ * * override maximum number of keymaps;
367
+ * * allow more than 64hz interrupts from the real-time clock;
368
+ * * raise msg_qbytes limit for a System V message queue above
369
+ * the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
370
+ * msgctl(2));
371
+ * * allow the RLIMIT_NOFILE resource limit on the number of "in-
372
+ * flight" file descriptors to be bypassed when passing file
373
+ * descriptors to another process via a UNIX domain socket (see
374
+ * unix(7));
375
+ * * override the /proc/sys/fs/pipe-size-max limit when setting
376
+ * the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
377
+ * command;
378
+ * * use F_SETPIPE_SZ to increase the capacity of a pipe above
379
+ * the limit specified by /proc/sys/fs/pipe-max-size;
380
+ * * override /proc/sys/fs/mqueue/queues_max,
381
+ * /proc/sys/fs/mqueue/msg_max, and
382
+ * /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX
383
+ * message queues (see mq_overview(7));
384
+ * * employ the prctl(2) PR_SET_MM operation;
385
+ * * set /proc/[pid]/oom_score_adj to a value lower than the
386
+ * value last set by a process with CAP_SYS_RESOURCE.
387
+ */
119
388
  rb_define_const(rb_cCapability, "SYS_RESOURCE", INT2NUM(CAP_SYS_RESOURCE));
389
+ /* Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
390
+ * real-time (hardware) clock.*/
120
391
  rb_define_const(rb_cCapability, "SYS_TIME", INT2NUM(CAP_SYS_TIME));
392
+ /* Use vhangup(2); employ various privileged ioctl(2) operations
393
+ * on virtual terminals.
394
+ */
121
395
  rb_define_const(rb_cCapability, "TTY_CONFIG", INT2NUM(CAP_SYS_TTY_CONFIG));
396
+ /* Create special files using mknod(2). (since Linux 2.4) */
122
397
  rb_define_const(rb_cCapability, "MKNOD", INT2NUM(CAP_MKNOD));
398
+ /* Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4) */
123
399
  rb_define_const(rb_cCapability, "LEASE", INT2NUM(CAP_LEASE));
400
+ /* Write records to kernel auditing log. (since Linux 2.6.11) */
124
401
  rb_define_const(rb_cCapability, "AUDIT_WRITE", INT2NUM(CAP_AUDIT_WRITE));
402
+ /* Enable and disable kernel auditing; change auditing filter
403
+ * rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)*/
125
404
  rb_define_const(rb_cCapability, "AUDIT_CONTROL", INT2NUM(CAP_AUDIT_CONTROL));
126
405
  #ifdef CAP_SETFCAP
406
+ /* Set arbitrary capabilities on a file. since Linux 2.6.24) */
127
407
  rb_define_const(rb_cCapability, "SETFCAP", INT2NUM(CAP_SETFCAP));
128
408
  #endif
129
409
  #ifdef CAP_MAC_OVERRIDE
130
410
  rb_define_const(rb_cCapability, "MAC_OVERRIDE", INT2NUM(CAP_MAC_OVERRIDE));
131
411
  #endif
132
412
  #ifdef CAP_MAC_ADMIN
413
+ /* Allow MAC configuration or state changes. Implemented for the
414
+ * Smack Linux Security Module (LSM). (since Linux 2.6.25)
415
+ */
133
416
  rb_define_const(rb_cCapability, "MAC_ADMIN", INT2NUM(CAP_MAC_ADMIN));
134
417
  #endif
135
418
  #ifdef CAP_SYSLOG
419
+ /*
420
+ * * Perform privileged syslog(2) operations. See syslog(2) for
421
+ * information on which operations require privilege.
422
+ * * View kernel addresses exposed via /proc and other interfaces
423
+ * when /proc/sys/kernel/kptr_restrict has the value 1. (See
424
+ * the discussion of the kptr_restrict in proc(5).)
425
+ */
136
426
  rb_define_const(rb_cCapability, "SYSLOG", INT2NUM(CAP_SYSLOG));
137
427
  #endif
138
428
  #if defined(CAP_EPOLLWAKEUP) && defined(CAP_BLOCK_SUSPEND)
@@ -142,21 +432,59 @@ Init_capng_capability(VALUE rb_cCapNG)
142
432
  rb_define_const(rb_cCapability, "EPOLLWAKEUP", INT2NUM(CAP_EPOLLWAKEUP));
143
433
  #endif
144
434
  #ifdef CAP_WAKE_ALARM
435
+ /* Trigger something that will wake up the system (set
436
+ * CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
437
+ */
145
438
  rb_define_const(rb_cCapability, "WAKE_ALARM", INT2NUM(CAP_WAKE_ALARM));
146
439
  #endif
147
440
  #ifdef CAP_BLOCK_SUSPEND
441
+ /*
442
+ Employ features that can block system suspend (epoll(7)
443
+ EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)
444
+ */
148
445
  rb_define_const(rb_cCapability, "BLOCK_SUSPEND", INT2NUM(CAP_BLOCK_SUSPEND));
149
446
  #endif
150
447
  #ifdef CAP_AUDIT_READ
448
+ /* Allow reading the audit log via a multicast netlink socket. (since Linux 3.16) */
151
449
  rb_define_const(rb_cCapability, "AUDIT_READ", INT2NUM(CAP_AUDIT_READ));
152
450
  #endif
153
451
  #ifdef CAP_PERFMON
452
+ /*
453
+ * Employ various performance-monitoring mechanisms, including:
454
+ *
455
+ * * call perf_event_open(2)
456
+ * * employ various BPF operations that have performance
457
+ * implications.
458
+ *
459
+ * This capability was added in Linux 5.8 to separate out
460
+ * performance monitoring functionality from the overloaded
461
+ * CAP_SYS_ADMIN capability. See also the kernel source file
462
+ * Documentation/admin-guide/perf-security.rst.
463
+ */
154
464
  rb_define_const(rb_cCapability, "PERFMON", INT2NUM(CAP_PERFMON));
155
465
  #endif
156
466
  #ifdef CAP_BPF
467
+ /*
468
+ * Employ privileged BPF operations; see bpf(2) and
469
+ * bpf-helpers(7).
470
+ *
471
+ * This capability was added in Linux 5.8 to separate out BPF
472
+ * functionality from the overloaded CAP_SYS_ADMIN capability.
473
+ * (since Linux 5.8)
474
+ */
157
475
  rb_define_const(rb_cCapability, "BPF", INT2NUM(CAP_BPF));
158
476
  #endif
159
477
  #ifdef CAP_CHECKPOINT_RESTORE
478
+ /*
479
+ * * employ the set_tid feature of clone3(2);
480
+ * * read the contents of the symbolic links in
481
+ * /proc/[pid]/map_files for other processes.
482
+ *
483
+ * This capability was added in Linux 5.9 to separate out
484
+ * checkpoint/restore functionality from the overloaded
485
+ * CAP_SYS_ADMIN capability.
486
+ * (since Linux 5.9)
487
+ */
160
488
  rb_define_const(rb_cCapability, "CHECKPOINT_RESTORE", INT2NUM(CAP_CHECKPOINT_RESTORE));
161
489
  #endif
162
490
  }
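Review bot: In the new YARD block on `rb_capng_capability_from_name`, `@param rb_capability_name_or_symbol [String or Symbol] Capability constant value.` was copied from `to_name` and describes the wrong thing — the argument is a capability name; change it to `@param rb_capability_name_or_symbol [String, Symbol] Capability name, e.g. "dac_read_search" or :dac_read_search.` and fix `Initalize` in the `initialize` block to `Initialize`. Per libcap-ng's documentation `capng_name_to_capability` reports an unknown name with -1, which is stored in `unsigned int capability` and then passed back through `INT2NUM`; the `@return [Integer]` tag should say what callers get in that case, or the function should raise `ArgumentError` as the `default:` branch already does for a wrong type. The `Init_capng_capability` body with the constant comments continues across several hunks; the `SETFCAP` comment is missing its opening parenthesis, `(since Linux 2.6.24)`.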