capng_c 0.1.2 → 0.1.7
- checksums.yaml +4 -4
- data/.clang-format +5 -0
- data/.github/workflows/apt.yml +35 -0
- data/.github/workflows/linux.yml +1 -1
- data/.github/workflows/yum.yml +39 -0
- data/Gemfile +3 -1
- data/README.md +18 -2
- data/capng_c.gemspec +3 -2
- data/ci/apt-test.sh +15 -0
- data/ci/yum-test.sh +64 -0
- data/example/file_capability.rb +36 -0
- data/example/process_capability.rb +59 -0
- data/example/process_capability_without_root.rb +36 -0
- data/ext/capng/capability.c +353 -25
- data/ext/capng/capng.c +313 -122
- data/ext/capng/capng.h +25 -16
- data/ext/capng/enum-action.c +35 -0
- data/ext/capng/enum-flags.c +44 -0
- data/ext/capng/enum-result.c +38 -0
- data/ext/capng/enum-select.c +39 -0
- data/ext/capng/enum-type.c +42 -0
- data/ext/capng/enum.c +7 -42
- data/ext/capng/extconf.rb +4 -0
- data/ext/capng/print.c +127 -76
- data/ext/capng/state.c +55 -21
- data/ext/capng/utils.c +7 -7
- data/lib/capng.rb +14 -7
- data/lib/capng/version.rb +1 -1
- metadata +35 -7
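--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5bae1dd7527d09feef11b6252856439df68a03fd8dbd130fe0a9b7b2f97b4d49
+data.tar.gz: 7156e1d1d7394f54826b6057fef70f66a1a7df58d23cdfab9ee0c802660d2919
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b92e7b9a212dffbe73bef10990dd45108a9612583e863fa7737b75f9466aee9152806592ad476d9b839c7fa6ee9ebd308524388547db2a13117b29813d206554
+data.tar.gz: 92c5d50b1416162cc8a2ab609e42ac558e8cba462ef5f2a9bea5d81096ded50f72b68a6f640cfcd6f03660e669b269e75702a69e2e65510d7ac9b15e8f00397f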
data/.clang-format
ADDED
@@ -0,0 +1,35 @@
|
|
1
|
+
name: Apt based Linux
|
2
|
+
on:
|
3
|
+
push:
|
4
|
+
pull_request:
|
5
|
+
jobs:
|
6
|
+
build:
|
7
|
+
name: Build
|
8
|
+
strategy:
|
9
|
+
fail-fast: false
|
10
|
+
matrix:
|
11
|
+
label:
|
12
|
+
- Debian GNU/Linux Buster amd64
|
13
|
+
- Ubuntu Bionic amd64
|
14
|
+
- Ubuntu Focal amd64
|
15
|
+
include:
|
16
|
+
- label: Debian GNU/Linux Buster amd64
|
17
|
+
test-docker-image: debian:buster
|
18
|
+
test-script: ci/apt-test.sh
|
19
|
+
- label: Ubuntu Bionic amd64
|
20
|
+
test-docker-image: ubuntu:bionic
|
21
|
+
test-script: ci/apt-test.sh
|
22
|
+
- label: Ubuntu Focal amd64
|
23
|
+
test-docker-image: ubuntu:focal
|
24
|
+
test-script: ci/apt-test.sh
|
25
|
+
runs-on: ubuntu-latest
|
26
|
+
steps:
|
27
|
+
- uses: actions/checkout@master
|
28
|
+
- name: rake compile & rake test
|
29
|
+
run: |
|
30
|
+
docker run \
|
31
|
+
--rm \
|
32
|
+
--tty \
|
33
|
+
--volume ${PWD}:/capng \
|
34
|
+
${{ matrix.test-docker-image }} \
|
35
|
+
/capng/${{ matrix.test-script }}
|
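Review bot: `uses: actions/checkout@master` follows a mutable branch, so the action code this job executes can change without any commit to this repository; pin it to a release tag or, better, a full commit SHA, e.g. `- uses: actions/checkout@<commit-sha>  # <release tag>`. The workflow also declares no `permissions:` key, so the job token receives the repository default; a top-level `permissions:` with `contents: read` is enough for a build-and-test job. Both points apply equally to the "Yum based Linux" workflow in the next section. The header of this section reads data/.clang-format although the body is a workflow file, so the page appears to have shifted the file headers against their content.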
data/.github/workflows/linux.yml
CHANGED
@@ -0,0 +1,39 @@
|
|
1
|
+
name: Yum based Linux
|
2
|
+
on:
|
3
|
+
push:
|
4
|
+
pull_request:
|
5
|
+
jobs:
|
6
|
+
build:
|
7
|
+
name: Build
|
8
|
+
strategy:
|
9
|
+
fail-fast: false
|
10
|
+
matrix:
|
11
|
+
label:
|
12
|
+
- CentOS 7 x86_64
|
13
|
+
- CentOS 8 x86_64
|
14
|
+
- Fedora 33 x86_64
|
15
|
+
- AmazonLinux 2 x86_64
|
16
|
+
include:
|
17
|
+
- label: CentOS 7 x86_64
|
18
|
+
test-docker-image: centos:7
|
19
|
+
test-script: ci/yum-test.sh
|
20
|
+
- label: CentOS 8 x86_64
|
21
|
+
test-docker-image: centos:8
|
22
|
+
test-script: ci/yum-test.sh
|
23
|
+
- label: Fedora 33 x86_64
|
24
|
+
test-docker-image: fedora:33
|
25
|
+
test-script: ci/yum-test.sh
|
26
|
+
- label: AmazonLinux 2 x86_64
|
27
|
+
test-docker-image: amazonlinux:2
|
28
|
+
test-script: ci/yum-test.sh
|
29
|
+
runs-on: ubuntu-latest
|
30
|
+
steps:
|
31
|
+
- uses: actions/checkout@master
|
32
|
+
- name: rake compile & rake test
|
33
|
+
run: |
|
34
|
+
docker run \
|
35
|
+
--rm \
|
36
|
+
--tty \
|
37
|
+
--volume ${PWD}:/capng \
|
38
|
+
${{ matrix.test-docker-image }} \
|
39
|
+
/capng/${{ matrix.test-script }}
|
data/Gemfile
CHANGED
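--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,21 @@
 # Capng_c
 
-![
+![Multiple Ruby version tests](https://github.com/fluent-plugins-nursery/capng_c/workflows/Multiple%20Ruby%20version%20tests/badge.svg?branch=main)
+![Apt based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Apt%20based%20Linux/badge.svg?branch=main)
+![Yum based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Yum%20based%20Linux/badge.svg?branch=main)
 
 libcap-ng bindings for Ruby.
 
+## Prerequisites
+
+* pkg-config package for linking libcap-ng library
+* libcap-ng and its development packages
+* libcap-ng-dev on Debian GNU/Linux and Ubuntu
+* libcap-ng-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+* Ruby and its development packages
+* ruby-dev on Debian GNU/Linux and Ubuntu
+* ruby-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -20,6 +32,10 @@ Or install it yourself as:
 
 $ gem install capng_c
 
+## Usage
+
+The usage examples are put in [example directory](example).
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -28,4 +44,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/
+Bug reports and pull requests are welcome on GitHub at https://github.com/fluent-plugins-nursery/capng_c.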
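--- a/data/capng_c.gemspec
+++ b/data/capng_c.gemspec
@@ -10,8 +10,8 @@ Gem::Specification.new do |spec|
 
 spec.summary = %q{libcap-ng bindings for Ruby.}
 spec.description = spec.summary
-spec.homepage = "https://github.com/
-
+spec.homepage = "https://github.com/fluent-plugins-nursery/cap-ng_c"
+spec.license = "Apache-2.0"
 spec.metadata["allowed_push_host"] = "https://rubygems.org"
 
 spec.metadata["homepage_uri"] = spec.homepage
@@ -32,4 +32,5 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency "rake", "~> 12.0"
 spec.add_development_dependency "rake-compiler", "~> 1.0"
 spec.add_development_dependency "test-unit", "~> 3.3.3"
+spec.add_development_dependency "yard", "~> 0.9"
 end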
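Review bot: The new `spec.homepage` ends in `fluent-plugins-nursery/cap-ng_c`, while the README changed in the same release links to `fluent-plugins-nursery/capng_c`, and `spec.metadata["homepage_uri"]` is copied from it. Users who follow the published gem metadata to inspect the source would land on a different repository name than the one the README gives, which weakens the provenance check the link is there for. If the repository is the one the README names, the line should read `spec.homepage = "https://github.com/fluent-plugins-nursery/capng_c"`. The `Gem::Specification.new` block starts and ends outside the hunks shown.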
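--- a/data/ci/apt-test.sh
+++ b/data/ci/apt-test.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -exu
+
+export DEBIAN_FRONTEND=noninteractive
+
+apt update
+apt install -V -y lsb-release
+
+apt install -V -y ruby-dev git build-essential pkg-config
+apt install -V -y libcap-ng-dev
+cd /capng && \
+gem install bundler --no-document && \
+bundle install && \
+bundle exec rake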
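Review bot: The script drives package installation through `apt update` and `apt install`, and apt documents its command line as an interactive front end whose behaviour may change between releases. In a CI script the stable equivalents are `apt-get update` and `apt-get install -V -y ...`. `gem install bundler --no-document` also takes whatever bundler version is current at run time; adding an explicit `-v <bundler-version>` would make the three distribution jobs reproducible.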
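--- a/data/ci/yum-test.sh
+++ b/data/ci/yum-test.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+set -exu
+
+distribution=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f2)
+version=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f4)
+USE_SCL=0
+USE_AMZN_EXT=0
+
+case ${distribution} in
+amazon)
+case ${version} in
+2)
+DNF=yum
+USE_AMZN_EXT=1
+;;
+esac
+;;
+centos)
+case ${version} in
+7)
+DNF=yum
+USE_SCL=1
+;;
+*)
+DNF="dnf --enablerepo=PowerTools"
+;;
+esac
+;;
+fedoraproject)
+case ${version} in
+33)
+DNF=yum
+;;
+esac
+;;
+esac
+
+${DNF} groupinstall -y "Development Tools"
+
+if [ $USE_SCL -eq 1 ]; then
+${DNF} install -y centos-release-scl && \
+${DNF} install -y \
+rh-ruby26-ruby-devel \
+rh-ruby26-rubygems \
+rh-ruby26-rubygem-rake \
+rpm-build
+elif [ $USE_AMZN_EXT -eq 1 ]; then
+amazon-linux-extras install -y ruby2.6 && \
+${DNF} install -y ruby-devel
+else
+${DNF} install -y ruby-devel \
+rubygems \
+rpm-build
+fi
+${DNF} install -y libcap-ng-devel
+
+if [ $USE_SCL -eq 1 ]; then
+# For unbound variable error
+export MANPATH=
+cd /capng && source /opt/rh/rh-ruby26/enable && gem install bundler --no-document && bundle install && bundle exec rake
+else
+cd /capng && gem install bundler --no-document && bundle install && bundle exec rake
+fi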
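Review bot: Under `set -e` a failure on the left-hand side of `&&` does not stop the script, so if `${DNF} install -y centos-release-scl` or `amazon-linux-extras install -y ruby2.6` fails, the second install is skipped and execution carries on to the `libcap-ng-devel` install and the build step. Put each install on its own line without the trailing `&& \` so errexit covers it. Separately, `DNF` is assigned only for the listed distribution/version pairs, so any other image stops at `${DNF} groupinstall` with a bare unbound-variable error; a line such as `: "${DNF:?unsupported distribution or version}"` after the outer `esac` would make that failure explicit.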
@@ -0,0 +1,36 @@
|
|
1
|
+
# Copyright 2020- Hiroshi Hatake
|
2
|
+
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
6
|
+
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
15
|
+
require 'capng'
|
16
|
+
|
17
|
+
if ARGV.size != 1
|
18
|
+
puts "specify file path on ARGV."
|
19
|
+
exit 1
|
20
|
+
end
|
21
|
+
|
22
|
+
if Process.uid != 0
|
23
|
+
puts "Needed to run as root!"
|
24
|
+
exit 2
|
25
|
+
end
|
26
|
+
|
27
|
+
path = ARGV[0]
|
28
|
+
capng = CapNG.new(:file, path)
|
29
|
+
print = CapNG::Print.new
|
30
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
31
|
+
capng.clear(:caps)
|
32
|
+
ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED,
|
33
|
+
[:dac_read_search, :dac_override])
|
34
|
+
puts "updating capability: #{ret ? "success" : "fail"}"
|
35
|
+
capng.apply_caps_file(path)
|
36
|
+
puts "updated capability: #{print.caps_text(:buffer, :effective)}"
|
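Review bot: The return value of `capng.apply_caps_file(path)` is discarded, so the last line prints "updated capability" whether or not anything was written to the file, and that text comes from the in-memory buffer rather than from re-reading the file. The `update` result is likewise only printed and the script continues after a failure. Because this example clears and then overwrites the capability sets of whatever file is passed on ARGV with `dac_read_search` and `dac_override`, it should stop on failure, e.g. `abort "failed to apply capabilities to #{path}" unless capng.apply_caps_file(path)`, assuming the method returns a truthy value on success, which is not visible here. A comment above `capng.clear(:caps)` stating that the file's existing capabilities are replaced would also help readers. This section has no file header on the page; from the file list it is presumably data/example/file_capability.rb.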
@@ -0,0 +1,59 @@
|
|
1
|
+
# Copyright 2020- Hiroshi Hatake
|
2
|
+
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
6
|
+
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
15
|
+
require 'capng'
|
16
|
+
|
17
|
+
if Process.uid != 0
|
18
|
+
puts "Needed to run as root!"
|
19
|
+
exit 2
|
20
|
+
end
|
21
|
+
|
22
|
+
capng = CapNG.new(:current_process)
|
23
|
+
|
24
|
+
print = CapNG::Print.new
|
25
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
26
|
+
target_file = ARGV[0] || "/var/log/syslog"
|
27
|
+
capng.clear(:caps)
|
28
|
+
|
29
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
30
|
+
ret = capng.update(:add, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
|
31
|
+
puts "CapNG#update: #{ret ? 'success' : 'fail'}"
|
32
|
+
|
33
|
+
ret = capng.apply(:caps)
|
34
|
+
puts "CapNG#apply(add): #{ret ? 'success' : 'fail'}"
|
35
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
36
|
+
path = "/var/log/syslog"
|
37
|
+
unless File.readable?(path)
|
38
|
+
puts "-----unreadable!!!!-----\ntarget: #{target_file}"
|
39
|
+
end
|
40
|
+
contents = File.read(target_file)
|
41
|
+
if contents.length >= 0
|
42
|
+
puts "succeeded to read: #{target_file}"
|
43
|
+
end
|
44
|
+
|
45
|
+
ret = capng.update(:drop, CapNG::Type::EFFECTIVE | CapNG::Type::INHERITABLE | CapNG::Type::PERMITTED, :dac_read_search)
|
46
|
+
puts "CapNG#update(drop): #{ret ? 'success' : 'fail'}"
|
47
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
48
|
+
|
49
|
+
ret = capng.apply(:caps)
|
50
|
+
puts "CapNG#apply(drop): #{ret ? 'success' : 'fail'}"
|
51
|
+
|
52
|
+
unless File.readable?(path)
|
53
|
+
puts "-----unreadable!!!!-----\ntarget: #{target_file}"
|
54
|
+
end
|
55
|
+
begin
|
56
|
+
File.read(target_file)
|
57
|
+
rescue Errno::EACCES
|
58
|
+
puts "permission denied even if run as root"
|
59
|
+
end
|
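Review bot: Both `File.readable?(path)` checks test the hard-coded `path = "/var/log/syslog"`, while every read and every message uses `target_file`, so when a file is given on ARGV the "unreadable" report is about a different file than the one being read; use `unless File.readable?(target_file)` and drop `path`. `if contents.length >= 0` is always true, so "succeeded to read" carries no information beyond `File.read` not raising. After the drop, the result of `capng.apply(:caps)` is only printed; the example would show the loss of `dac_read_search` more reliably if it exited when that apply fails instead of going on to the final read. The same `path`/`target_file` mismatch and always-true length check appear in the 36-line example that follows (the one guarded by `have_capability?`).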
@@ -0,0 +1,36 @@
|
|
1
|
+
# Copyright 2020- Hiroshi Hatake
|
2
|
+
|
3
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
# you may not use this file except in compliance with the License.
|
5
|
+
# You may obtain a copy of the License at
|
6
|
+
|
7
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
# Unless required by applicable law or agreed to in writing, software
|
10
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
# See the License for the specific language governing permissions and
|
13
|
+
# limitations under the License.
|
14
|
+
|
15
|
+
require 'capng'
|
16
|
+
|
17
|
+
capng = CapNG.new(:current_process)
|
18
|
+
unless capng.have_capability?(:effective, :dac_read_search)
|
19
|
+
puts "This example needs to setup :dac_read_search capability on running Ruby executable."
|
20
|
+
exit 2
|
21
|
+
end
|
22
|
+
|
23
|
+
print = CapNG::Print.new
|
24
|
+
puts "capability: #{print.caps_text(:buffer, :effective)}"
|
25
|
+
target_file = ARGV[0] || "/var/log/syslog"
|
26
|
+
|
27
|
+
path = "/var/log/syslog"
|
28
|
+
unless File.readable?(path)
|
29
|
+
puts "-----unreadable!!!!-----\ntarget: #{target_file}"
|
30
|
+
end
|
31
|
+
if capng.have_capability?(:effective, :dac_read_search)
|
32
|
+
contents = File.read(target_file)
|
33
|
+
if contents.length >= 0
|
34
|
+
puts "succeeded to read: #{target_file} w/o root user"
|
35
|
+
end
|
36
|
+
end
|
data/ext/capng/capability.c
CHANGED
@@ -13,21 +13,37 @@
|
|
13
13
|
|
14
14
|
#include <capng.h>
|
15
15
|
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
16
|
+
/* clang-format off */
|
17
|
+
/*
|
18
|
+
* Document-class: CapNG::Capability
|
19
|
+
*
|
20
|
+
* Check Linux capabilities and define its constants.
|
21
|
+
*
|
22
|
+
* @example
|
23
|
+
* require 'capng'
|
24
|
+
*
|
25
|
+
* @cap = CapNG::Capability.new
|
26
|
+
*
|
27
|
+
* @cap.from_name(:dac_read_search) #=> 2
|
28
|
+
* @cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"
|
29
|
+
*/
|
30
|
+
/* clang-format on */
|
31
|
+
|
32
|
+
struct CapNGCapability
|
33
|
+
{};
|
34
|
+
|
35
|
+
static void
|
36
|
+
capng_capability_free(void* capng);
|
37
|
+
|
38
|
+
static const rb_data_type_t rb_capng_capability_type = { "capng_capability/c_runtime",
|
39
|
+
{
|
40
|
+
0,
|
41
|
+
capng_capability_free,
|
42
|
+
0,
|
43
|
+
},
|
44
|
+
NULL,
|
45
|
+
NULL,
|
46
|
+
RUBY_TYPED_FREE_IMMEDIATELY };
|
31
47
|
|
32
48
|
static void
|
33
49
|
capng_capability_free(void* ptr)
|
@@ -45,16 +61,29 @@ rb_capng_capability_alloc(VALUE klass)
|
|
45
61
|
return obj;
|
46
62
|
}
|
47
63
|
|
64
|
+
/*
|
65
|
+
* Initalize Capability class.
|
66
|
+
*
|
67
|
+
* @return [nil]
|
68
|
+
*
|
69
|
+
*/
|
48
70
|
static VALUE
|
49
71
|
rb_capng_capability_initialize(VALUE self)
|
50
72
|
{
|
51
73
|
return Qnil;
|
52
74
|
}
|
53
75
|
|
76
|
+
/*
|
77
|
+
* Obtain capability name from capability value.
|
78
|
+
*
|
79
|
+
* @param rb_capability [Integer] Capability constant value.
|
80
|
+
* @return [String]
|
81
|
+
*
|
82
|
+
*/
|
54
83
|
static VALUE
|
55
84
|
rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
|
56
85
|
{
|
57
|
-
const char
|
86
|
+
const char* name = capng_capability_to_name(NUM2UINT(rb_capability));
|
58
87
|
|
59
88
|
if (name)
|
60
89
|
return rb_str_new2(name);
|
@@ -62,20 +91,28 @@ rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
|
|
62
91
|
return rb_str_new2("unknown");
|
63
92
|
}
|
64
93
|
|
94
|
+
/*
|
95
|
+
* Obtain capability value from capability name.
|
96
|
+
*
|
97
|
+
* @param rb_capability_name_or_symbol [String or Symbol] Capability constant value.
|
98
|
+
* @return [Integer]
|
99
|
+
*
|
100
|
+
*/
|
65
101
|
static VALUE
|
66
102
|
rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
|
67
103
|
{
|
68
104
|
unsigned int capability;
|
69
105
|
|
70
106
|
switch (TYPE(rb_capability_name_or_symbol)) {
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
107
|
+
case T_SYMBOL:
|
108
|
+
capability =
|
109
|
+
capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
|
110
|
+
break;
|
111
|
+
case T_STRING:
|
112
|
+
capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
|
113
|
+
break;
|
114
|
+
default:
|
115
|
+
rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
|
79
116
|
}
|
80
117
|
return INT2NUM(capability);
|
81
118
|
}
|
@@ -83,7 +120,7 @@ rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
|
|
83
120
|
void
|
84
121
|
Init_capng_capability(VALUE rb_cCapNG)
|
85
122
|
{
|
86
|
-
rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
|
123
|
+
VALUE rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
|
87
124
|
|
88
125
|
rb_define_alloc_func(rb_cCapability, rb_capng_capability_alloc);
|
89
126
|
|
@@ -92,47 +129,300 @@ Init_capng_capability(VALUE rb_cCapNG)
|
|
92
129
|
rb_define_method(rb_cCapability, "from_name", rb_capng_capability_from_name, 1);
|
93
130
|
|
94
131
|
// Capability constants.
|
132
|
+
|
133
|
+
/* Make arbitrary changes to file UIDs and GIDs (see chown(2)). */
|
95
134
|
rb_define_const(rb_cCapability, "CHOWN", INT2NUM(CAP_CHOWN));
|
135
|
+
/*
|
136
|
+
* Bypass file read, write, and execute permission checks. (DAC
|
137
|
+
* is an abbreviation of "discretionary access control".) */
|
96
138
|
rb_define_const(rb_cCapability, "DAC_OVERRIDE", INT2NUM(CAP_DAC_OVERRIDE));
|
139
|
+
/*
|
140
|
+
* * Bypass file read permission checks and directory read and execute permission
|
141
|
+
* checks;
|
142
|
+
* * invoke open_by_handle_at(2);
|
143
|
+
* * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a
|
144
|
+
* file descriptor.
|
145
|
+
*/
|
97
146
|
rb_define_const(rb_cCapability, "DAC_READ_SEARCH", INT2NUM(CAP_DAC_READ_SEARCH));
|
147
|
+
/*
|
148
|
+
* * Bypass permission checks on operations that normally require
|
149
|
+
* the filesystem UID of the process to match the UID of the
|
150
|
+
* file (e.g., chmod(2), utime(2)), excluding those operations
|
151
|
+
* covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
|
152
|
+
* * set inode flags (see ioctl_iflags(2)) on arbitrary files;
|
153
|
+
* * set Access Control Lists (ACLs) on arbitrary files;
|
154
|
+
* * ignore directory sticky bit on file deletion;
|
155
|
+
* * modify user extended attributes on sticky directory owned by
|
156
|
+
* any user;
|
157
|
+
* * specify O_NOATIME for arbitrary files in open(2) and
|
158
|
+
* fcntl(2).
|
159
|
+
*/
|
98
160
|
rb_define_const(rb_cCapability, "FOWNER", INT2NUM(CAP_FOWNER));
|
161
|
+
/*
|
162
|
+
* * Don't clear set-user-ID and set-group-ID mode bits when a
|
163
|
+
* file is modified;
|
164
|
+
* * set the set-group-ID bit for a file whose GID does not match
|
165
|
+
* the filesystem or any of the supplementary GIDs of the
|
166
|
+
* calling process.
|
167
|
+
*/
|
99
168
|
rb_define_const(rb_cCapability, "FSETID", INT2NUM(CAP_FSETID));
|
169
|
+
/* Bypass permission checks for sending signals (see kill(2)).
|
170
|
+
* This includes use of the ioctl(2) KDSIGACCEPT operation. */
|
100
171
|
rb_define_const(rb_cCapability, "KILL", INT2NUM(CAP_KILL));
|
172
|
+
/*
|
173
|
+
* * Make arbitrary manipulations of process GIDs and
|
174
|
+
* supplementary GID list;
|
175
|
+
* * forge GID when passing socket credentials via UNIX domain
|
176
|
+
* sockets;
|
177
|
+
* * write a group ID mapping in a user namespace (see
|
178
|
+
* user_namespaces(7)).
|
179
|
+
*/
|
101
180
|
rb_define_const(rb_cCapability, "SETGID", INT2NUM(CAP_SETGID));
|
181
|
+
/*
|
182
|
+
* * Make arbitrary manipulations of process UIDs (setuid(2),
|
183
|
+
* setreuid(2), setresuid(2), setfsuid(2));
|
184
|
+
* * forge UID when passing socket credentials via UNIX domain
|
185
|
+
* sockets;
|
186
|
+
* * write a user ID mapping in a user namespace (see
|
187
|
+
* user_namespaces(7)).
|
188
|
+
*/
|
102
189
|
rb_define_const(rb_cCapability, "SETUID", INT2NUM(CAP_SETUID));
|
190
|
+
/*
|
191
|
+
* If file capabilities are supported (i.e., since Linux 2.6.24):
|
192
|
+
* add any capability from the calling thread's bounding set to
|
193
|
+
* its inheritable set; drop capabilities from the bounding set
|
194
|
+
* (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits
|
195
|
+
* flags.
|
196
|
+
*
|
197
|
+
* If file capabilities are not supported (i.e., kernels before
|
198
|
+
* Linux 2.6.24): grant or remove any capability in the caller's
|
199
|
+
* permitted capability set to or from any other process. (This
|
200
|
+
* property of CAP_SETPCAP is not available when the kernel is
|
201
|
+
* configured to support file capabilities, since CAP_SETPCAP has
|
202
|
+
* entirely different semantics for such kernels.)
|
203
|
+
*/
|
103
204
|
rb_define_const(rb_cCapability, "SETPCAP", INT2NUM(CAP_SETPCAP));
|
205
|
+
/* Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)). */
|
104
206
|
rb_define_const(rb_cCapability, "LINUX_IMMUTABLE", INT2NUM(CAP_LINUX_IMMUTABLE));
|
207
|
+
/* Bind a socket to Internet domain privileged ports (port numbers less than 1024).*/
|
105
208
|
rb_define_const(rb_cCapability, "NET_BIND_SERIVCE", INT2NUM(CAP_NET_BIND_SERVICE));
|
209
|
+
/* (Unused) Make socket broadcasts, and listen to multicasts. */
|
106
210
|
rb_define_const(rb_cCapability, "NET_BROATCAST", INT2NUM(CAP_NET_BROADCAST));
|
211
|
+
/* Perform various network-related operations:
|
212
|
+
*
|
213
|
+
* * interface configuration;
|
214
|
+
* * administration of IP firewall, masquerading, and accounting;
|
215
|
+
* * modify routing tables;
|
216
|
+
* * bind to any address for transparent proxying;
|
217
|
+
* * set type-of-service (TOS);
|
218
|
+
* * clear driver statistics;
|
219
|
+
* * set promiscuous mode;
|
220
|
+
* * enabling multicasting;
|
221
|
+
* * use setsockopt(2) to set the following socket options:
|
222
|
+
* * SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
|
223
|
+
* * range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
|
224
|
+
*/
|
107
225
|
rb_define_const(rb_cCapability, "NET_ADMIN", INT2NUM(CAP_NET_ADMIN));
|
226
|
+
/*
|
227
|
+
* * Use RAW and PACKET sockets;
|
228
|
+
* * bind to any address for transparent proxying.
|
229
|
+
*/
|
108
230
|
rb_define_const(rb_cCapability, "NET_RAW", INT2NUM(CAP_NET_RAW));
|
231
|
+
/* Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). */
|
109
232
|
rb_define_const(rb_cCapability, "IPC_LOCK", INT2NUM(CAP_IPC_LOCK));
|
233
|
+
/* Bypass permission checks for operations on System V IPC
|
234
|
+
* objects.
|
235
|
+
*/
|
110
236
|
rb_define_const(rb_cCapability, "IPC_OWNER", INT2NUM(CAP_IPC_OWNER));
|
237
|
+
/*
|
238
|
+
* * Load and unload kernel modules (see init_module(2) and
|
239
|
+
* delete_module(2)) in kernels before 2.6.25
|
240
|
+
* * drop capabilities from the system-wide capability bounding set.
|
241
|
+
*/
|
111
242
|
rb_define_const(rb_cCapability, "SYS_MODULE", INT2NUM(CAP_SYS_MODULE));
|
243
|
+
/*
|
244
|
+
* * Perform I/O port operations (iopl(2) and ioperm(2));
|
245
|
+
* * access /proc/kcore;
|
246
|
+
* * employ the FIBMAP ioctl(2) operation;
|
247
|
+
* * open devices for accessing x86 model-specific registers
|
248
|
+
* (MSRs, see msr(4));
|
249
|
+
* * update /proc/sys/vm/mmap_min_addr;
|
250
|
+
* * create memory mappings at addresses below the value
|
251
|
+
* specified by /proc/sys/vm/mmap_min_addr;
|
252
|
+
* * map files in /proc/bus/pci;
|
253
|
+
* * open /dev/mem and /dev/kmem;
|
254
|
+
* * perform various SCSI device commands;
|
255
|
+
* * perform certain operations on hpsa(4) and cciss(4) devices;
|
256
|
+
* * perform a range of device-specific operations on other
|
257
|
+
* devices.
|
258
|
+
*/
|
112
259
|
rb_define_const(rb_cCapability, "SYS_RAWIO", INT2NUM(CAP_SYS_RAWIO));
|
260
|
+
/*
|
261
|
+
* * Use chroot(2);
|
262
|
+
* * change mount namespaces using setns(2).
|
263
|
+
*/
|
113
264
|
rb_define_const(rb_cCapability, "SYS_CHROOT", INT2NUM(CAP_SYS_CHROOT));
|
265
|
+
/*
|
266
|
+
* * Trace arbitrary processes using ptrace(2);
|
267
|
+
* * apply get_robust_list(2) to arbitrary processes;
|
268
|
+
* * transfer data to or from the memory of arbitrary processes
|
269
|
+
* using process_vm_readv(2) and process_vm_writev(2);
|
270
|
+
* * inspect processes using kcmp(2).
|
271
|
+
*/
|
114
272
|
rb_define_const(rb_cCapability, "SYS_PTRACE", INT2NUM(CAP_SYS_PTRACE));
|
273
|
+
/* Use acct(2). */
|
115
274
|
rb_define_const(rb_cCapability, "SYS_PACCT", INT2NUM(CAP_SYS_PACCT));
|
275
|
+
/*
|
276
|
+
* Note:
|
277
|
+
* this capability is overloaded; see Notes to kernel developers, below.
|
278
|
+
*
|
279
|
+
* * Perform a range of system administration operations
|
280
|
+
* including: quotactl(2), mount(2), umount(2), pivot_root(2),
|
281
|
+
* swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
|
282
|
+
* * perform privileged syslog(2) operations (since Linux 2.6.37,
|
283
|
+
* CAP_SYSLOG should be used to permit such operations);
|
284
|
+
* * perform VM86_REQUEST_IRQ vm86(2) command;
|
285
|
+
* * access the same checkpoint/restore functionality that is
|
286
|
+
* governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker
|
287
|
+
* capability is preferred for accessing that functionality).
|
288
|
+
* * perform the same BPF operations as are governed by CAP_BPF
|
289
|
+
* (but the latter, weaker capability is preferred for
|
290
|
+
* accessing that functionality).
|
291
|
+
* * employ the same performance monitoring mechanisms as are
|
292
|
+
* governed by CAP_PERFMON (but the latter, weaker capability
|
293
|
+
* is preferred for accessing that functionality).
|
294
|
+
* * perform IPC_SET and IPC_RMID operations on arbitrary System
|
295
|
+
* V IPC objects;
|
296
|
+
* * override RLIMIT_NPROC resource limit;
|
297
|
+
* * perform operations on trusted and security extended
|
298
|
+
* attributes (see xattr(7));
|
299
|
+
* * use lookup_dcookie(2);
|
300
|
+
* * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
|
301
|
+
* Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
|
302
|
+
* * forge PID when passing socket credentials via UNIX domain
|
303
|
+
* sockets;
|
304
|
+
* * exceed /proc/sys/fs/file-max, the system-wide limit on the
|
305
|
+
* number of open files, in system calls that open files (e.g.,
|
306
|
+
* accept(2), execve(2), open(2), pipe(2));
|
307
|
+
* * employ CLONE_* flags that create new namespaces with
|
308
|
+
* clone(2) and unshare(2) (but, since Linux 3.8, creating user
|
309
|
+
* namespaces does not require any capability);
|
310
|
+
* * access privileged perf event information;
|
311
|
+
* * call setns(2) (requires CAP_SYS_ADMIN in the target
|
312
|
+
* namespace);
|
313
|
+
* * call fanotify_init(2);
|
314
|
+
* * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
|
315
|
+
* operations;
|
316
|
+
* * perform madvise(2) MADV_HWPOISON operation;
|
317
|
+
* * employ the TIOCSTI ioctl(2) to insert characters into the
|
318
|
+
* input queue of a terminal other than the caller's
|
319
|
+
* controlling terminal;
|
320
|
+
* * employ the obsolete nfsservctl(2) system call;
|
321
|
+
* * employ the obsolete bdflush(2) system call;
|
322
|
+
* * perform various privileged block-device ioctl(2) operations;
|
323
|
+
* * perform various privileged filesystem ioctl(2) operations;
|
324
|
+
* * perform privileged ioctl(2) operations on the /dev/random
|
325
|
+
* device (see random(4));
|
326
|
+
* * install a seccomp(2) filter without first having to set the
|
327
|
+
* no_new_privs thread attribute;
|
328
|
+
* * modify allow/deny rules for device control groups;
|
329
|
+
* * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
|
330
|
+
* dump tracee's seccomp filters;
|
331
|
+
* * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
|
332
|
+
* the tracee's seccomp protections (i.e., the
|
333
|
+
* PTRACE_O_SUSPEND_SECCOMP flag);
|
334
|
+
* * perform administrative operations on many device drivers;
|
335
|
+
* * modify autogroup nice values by writing to
|
336
|
+
* /proc/[pid]/autogroup (see sched(7)).
|
337
|
+
*/
|
116
338
|
rb_define_const(rb_cCapability, "SYS_ADMIN", INT2NUM(CAP_SYS_ADMIN));
|
339
|
+
/* Use reboot(2) and kexec_load(2). */
|
117
340
|
rb_define_const(rb_cCapability, "SYS_BOOT", INT2NUM(CAP_SYS_BOOT));
|
341
|
+
/*
|
342
|
+
* * Lower the process nice value (nice(2), setpriority(2)) and
|
343
|
+
* change the nice value for arbitrary processes;
|
344
|
+
* * set real-time scheduling policies for calling process, and
|
345
|
+
* set scheduling policies and priorities for arbitrary
|
346
|
+
* processes (sched_setscheduler(2), sched_setparam(2),
|
347
|
+
* sched_setattr(2));
|
348
|
+
* * set CPU affinity for arbitrary processes
|
349
|
+
* (sched_setaffinity(2));
|
350
|
+
* * set I/O scheduling class and priority for arbitrary
|
351
|
+
* processes (ioprio_set(2));
|
352
|
+
* * apply migrate_pages(2) to arbitrary processes and allow
|
353
|
+
* processes to be migrated to arbitrary nodes;
|
354
|
+
* * apply move_pages(2) to arbitrary processes;
|
355
|
+
* * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
|
356
|
+
* move_pages(2).
|
357
|
+
*/
|
118
358
|
rb_define_const(rb_cCapability, "SYS_NICE", INT2NUM(CAP_SYS_NICE));
|
359
|
+
/*
|
360
|
+
* * Use reserved space on ext2 filesystems;
|
361
|
+
* * make ioctl(2) calls controlling ext3 journaling;
|
362
|
+
* * override disk quota limits;
|
363
|
+
* * increase resource limits (see setrlimit(2));
|
364
|
+
* * override RLIMIT_NPROC resource limit;
|
365
|
+
* * override maximum number of consoles on console allocation;
|
366
|
+
* * override maximum number of keymaps;
|
367
|
+
* * allow more than 64hz interrupts from the real-time clock;
|
368
|
+
* * raise msg_qbytes limit for a System V message queue above
|
369
|
+
* the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
|
370
|
+
* msgctl(2));
|
371
|
+
* * allow the RLIMIT_NOFILE resource limit on the number of "in-
|
372
|
+
* flight" file descriptors to be bypassed when passing file
|
373
|
+
* descriptors to another process via a UNIX domain socket (see
|
374
|
+
* unix(7));
|
375
|
+
* * override the /proc/sys/fs/pipe-size-max limit when setting
|
376
|
+
* the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
|
377
|
+
* command;
|
378
|
+
* * use F_SETPIPE_SZ to increase the capacity of a pipe above
|
379
|
+
* the limit specified by /proc/sys/fs/pipe-max-size;
|
380
|
+
* * override /proc/sys/fs/mqueue/queues_max,
|
381
|
+
* /proc/sys/fs/mqueue/msg_max, and
|
382
|
+
* /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX
|
383
|
+
* message queues (see mq_overview(7));
|
384
|
+
* * employ the prctl(2) PR_SET_MM operation;
|
385
|
+
* * set /proc/[pid]/oom_score_adj to a value lower than the
|
386
|
+
* value last set by a process with CAP_SYS_RESOURCE.
|
387
|
+
*/
|
119
388
|
rb_define_const(rb_cCapability, "SYS_RESOURCE", INT2NUM(CAP_SYS_RESOURCE));
|
389
|
+
/* Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
|
390
|
+
* real-time (hardware) clock.*/
|
120
391
|
rb_define_const(rb_cCapability, "SYS_TIME", INT2NUM(CAP_SYS_TIME));
|
392
|
+
/* Use vhangup(2); employ various privileged ioctl(2) operations
|
393
|
+
* on virtual terminals.
|
394
|
+
*/
|
121
395
|
rb_define_const(rb_cCapability, "TTY_CONFIG", INT2NUM(CAP_SYS_TTY_CONFIG));
|
396
|
+
/* Create special files using mknod(2). (since Linux 2.4) */
|
122
397
|
rb_define_const(rb_cCapability, "MKNOD", INT2NUM(CAP_MKNOD));
|
398
|
+
/* Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4) */
|
123
399
|
rb_define_const(rb_cCapability, "LEASE", INT2NUM(CAP_LEASE));
|
400
|
+
/* Write records to kernel auditing log. (since Linux 2.6.11) */
|
124
401
|
rb_define_const(rb_cCapability, "AUDIT_WRITE", INT2NUM(CAP_AUDIT_WRITE));
|
402
|
+
/* Enable and disable kernel auditing; change auditing filter
|
403
|
+
* rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)*/
|
125
404
|
rb_define_const(rb_cCapability, "AUDIT_CONTROL", INT2NUM(CAP_AUDIT_CONTROL));
|
126
405
|
#ifdef CAP_SETFCAP
|
406
|
+
/* Set arbitrary capabilities on a file. since Linux 2.6.24) */
|
127
407
|
rb_define_const(rb_cCapability, "SETFCAP", INT2NUM(CAP_SETFCAP));
|
128
408
|
#endif
|
129
409
|
#ifdef CAP_MAC_OVERRIDE
|
130
410
|
rb_define_const(rb_cCapability, "MAC_OVERRIDE", INT2NUM(CAP_MAC_OVERRIDE));
|
131
411
|
#endif
|
132
412
|
#ifdef CAP_MAC_ADMIN
|
413
|
+
/* Allow MAC configuration or state changes. Implemented for the
|
414
|
+
* Smack Linux Security Module (LSM). (since Linux 2.6.25)
|
415
|
+
*/
|
133
416
|
rb_define_const(rb_cCapability, "MAC_ADMIN", INT2NUM(CAP_MAC_ADMIN));
|
134
417
|
#endif
|
135
418
|
#ifdef CAP_SYSLOG
|
419
|
+
/*
|
420
|
+
* * Perform privileged syslog(2) operations. See syslog(2) for
|
421
|
+
* information on which operations require privilege.
|
422
|
+
* * View kernel addresses exposed via /proc and other interfaces
|
423
|
+
* when /proc/sys/kernel/kptr_restrict has the value 1. (See
|
424
|
+
* the discussion of the kptr_restrict in proc(5).)
|
425
|
+
*/
|
136
426
|
rb_define_const(rb_cCapability, "SYSLOG", INT2NUM(CAP_SYSLOG));
|
137
427
|
#endif
|
138
428
|
#if defined(CAP_EPOLLWAKEUP) && defined(CAP_BLOCK_SUSPEND)
|
@@ -142,21 +432,59 @@ Init_capng_capability(VALUE rb_cCapNG)
|
|
142
432
|
rb_define_const(rb_cCapability, "EPOLLWAKEUP", INT2NUM(CAP_EPOLLWAKEUP));
|
143
433
|
#endif
|
144
434
|
#ifdef CAP_WAKE_ALARM
|
435
|
+
/* Trigger something that will wake up the system (set
|
436
|
+
* CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
|
437
|
+
*/
|
145
438
|
rb_define_const(rb_cCapability, "WAKE_ALARM", INT2NUM(CAP_WAKE_ALARM));
|
146
439
|
#endif
|
147
440
|
#ifdef CAP_BLOCK_SUSPEND
|
441
|
+
/*
|
442
|
+
Employ features that can block system suspend (epoll(7)
|
443
|
+
EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)
|
444
|
+
*/
|
148
445
|
rb_define_const(rb_cCapability, "BLOCK_SUSPEND", INT2NUM(CAP_BLOCK_SUSPEND));
|
149
446
|
#endif
|
150
447
|
#ifdef CAP_AUDIT_READ
|
448
|
+
/* Allow reading the audit log via a multicast netlink socket. (since Linux 3.16) */
|
151
449
|
rb_define_const(rb_cCapability, "AUDIT_READ", INT2NUM(CAP_AUDIT_READ));
|
152
450
|
#endif
|
153
451
|
#ifdef CAP_PERFMON
|
452
|
+
/*
|
453
|
+
* Employ various performance-monitoring mechanisms, including:
|
454
|
+
*
|
455
|
+
* * call perf_event_open(2)
|
456
|
+
* * employ various BPF operations that have performance
|
457
|
+
* implications.
|
458
|
+
*
|
459
|
+
* This capability was added in Linux 5.8 to separate out
|
460
|
+
* performance monitoring functionality from the overloaded
|
461
|
+
* CAP_SYS_ADMIN capability. See also the kernel source file
|
462
|
+
* Documentation/admin-guide/perf-security.rst.
|
463
|
+
*/
|
154
464
|
rb_define_const(rb_cCapability, "PERFMON", INT2NUM(CAP_PERFMON));
|
155
465
|
#endif
|
156
466
|
#ifdef CAP_BPF
|
467
|
+
/*
|
468
|
+
* Employ privileged BPF operations; see bpf(2) and
|
469
|
+
* bpf-helpers(7).
|
470
|
+
*
|
471
|
+
* This capability was added in Linux 5.8 to separate out BPF
|
472
|
+
* functionality from the overloaded CAP_SYS_ADMIN capability.
|
473
|
+
* (since Linux 5.8)
|
474
|
+
*/
|
157
475
|
rb_define_const(rb_cCapability, "BPF", INT2NUM(CAP_BPF));
|
158
476
|
#endif
|
159
477
|
#ifdef CAP_CHECKPOINT_RESTORE
|
478
|
+
/*
|
479
|
+
* * employ the set_tid feature of clone3(2);
|
480
|
+
* * read the contents of the symbolic links in
|
481
|
+
* /proc/[pid]/map_files for other processes.
|
482
|
+
*
|
483
|
+
* This capability was added in Linux 5.9 to separate out
|
484
|
+
* checkpoint/restore functionality from the overloaded
|
485
|
+
* CAP_SYS_ADMIN capability.
|
486
|
+
* (since Linux 5.9)
|
487
|
+
*/
|
160
488
|
rb_define_const(rb_cCapability, "CHECKPOINT_RESTORE", INT2NUM(CAP_CHECKPOINT_RESTORE));
|
161
489
|
#endif
|
162
490
|
}
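Review bot: The constants PERFMON, BPF and CHECKPOINT_RESTORE are each wrapped in `#ifdef CAP_PERFMON` / `#ifdef CAP_BPF` / `#ifdef CAP_CHECKPOINT_RESTORE`, so whether they exist in Ruby depends on the headers the extension was compiled against, and the new comments only state the kernel release that introduced each capability. A caller that wants to retain `BPF` or `PERFMON` instead of the broader `SYS_ADMIN` needs that distinction, so I would add a line such as `* Defined only when the build-time headers provide CAP_BPF; check const_defined?(:BPF) before relying on it.` to each of these comments. The same holds for the other `#ifdef`-guarded constants in this hunk (WAKE_ALARM, BLOCK_SUSPEND, AUDIT_READ). As a style point, the BLOCK_SUSPEND comment is the only one here whose body lines lack the leading ` * `, and the CHECKPOINT_RESTORE comment opens directly with a bullet list and no lead-in sentence. Init_capng_capability begins before this hunk, so the definition of rb_cCapability is not visible here.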
|