capng_c 0.1.5 → 0.2.1
- checksums.yaml +4 -4
- data/.clang-format +5 -0
- data/.github/workflows/apt.yml +35 -0
- data/.github/workflows/linux.yml +1 -1
- data/.github/workflows/yum.yml +39 -0
- data/Gemfile +3 -1
- data/README.md +14 -2
- data/capng_c.gemspec +2 -1
- data/ci/apt-test.sh +15 -0
- data/ci/yum-test.sh +64 -0
- data/example/file_capability.rb +2 -1
- data/ext/capng/capability.c +375 -25
- data/ext/capng/capability_info.c +82 -0
- data/ext/capng/capng.c +299 -149
- data/ext/capng/capng.h +33 -17
- data/ext/capng/enum-action.c +35 -0
- data/ext/capng/enum-flags.c +44 -0
- data/ext/capng/enum-result.c +38 -0
- data/ext/capng/enum-select.c +39 -0
- data/ext/capng/enum-type.c +42 -0
- data/ext/capng/enum.c +7 -45
- data/ext/capng/extconf.rb +4 -0
- data/ext/capng/print.c +127 -76
- data/ext/capng/state.c +55 -21
- data/ext/capng/utils.c +7 -7
- data/lib/capng.rb +7 -13
- data/lib/capng/version.rb +1 -1
- metadata +30 -5
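--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a26ab3bf7c3169172ec3e2c162630f0079b161533ec473984e4d52737d522b91
+data.tar.gz: 9f378edbfb74593fc731acb2f4ead7b591207b0f358f9ce4e1caf28e747188d3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 92d50ae4dc1c276709d38a2bbac7421ac0ec68d8dee70d8f5d28c4b2aa3e33ef81ae179dafd7f214703d68a8eeda5b4f2220eca786f50fdd77838a88fec754fd
+data.tar.gz: 2f2f6cff1a51adeb4fe038871b3e3a5e5ec7b9075b18f31653000a5aea785e610bce39570cc4a2252c4dc4518ecd9f0be20436a28473d3769a4329fa98a912ae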
data/.clang-format
ADDED
@@ -0,0 +1,35 @@
|
|
1
|
+
name: Apt based Linux
|
2
|
+
on:
|
3
|
+
push:
|
4
|
+
pull_request:
|
5
|
+
jobs:
|
6
|
+
build:
|
7
|
+
name: Build
|
8
|
+
strategy:
|
9
|
+
fail-fast: false
|
10
|
+
matrix:
|
11
|
+
label:
|
12
|
+
- Debian GNU/Linux Buster amd64
|
13
|
+
- Ubuntu Bionic amd64
|
14
|
+
- Ubuntu Focal amd64
|
15
|
+
include:
|
16
|
+
- label: Debian GNU/Linux Buster amd64
|
17
|
+
test-docker-image: debian:buster
|
18
|
+
test-script: ci/apt-test.sh
|
19
|
+
- label: Ubuntu Bionic amd64
|
20
|
+
test-docker-image: ubuntu:bionic
|
21
|
+
test-script: ci/apt-test.sh
|
22
|
+
- label: Ubuntu Focal amd64
|
23
|
+
test-docker-image: ubuntu:focal
|
24
|
+
test-script: ci/apt-test.sh
|
25
|
+
runs-on: ubuntu-latest
|
26
|
+
steps:
|
27
|
+
- uses: actions/checkout@master
|
28
|
+
- name: rake compile & rake test
|
29
|
+
run: |
|
30
|
+
docker run \
|
31
|
+
--rm \
|
32
|
+
--tty \
|
33
|
+
--volume ${PWD}:/capng \
|
34
|
+
${{ matrix.test-docker-image }} \
|
35
|
+
/capng/${{ matrix.test-script }}
|
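Review bot: `- uses: actions/checkout@master` (new line 27 of this workflow) resolves a mutable branch on every run, so the checkout step executes whatever the upstream branch holds at that moment rather than a reviewed revision; pinning to a release tag or, better, a full commit SHA (`- uses: actions/checkout@<pinned-commit-sha> # vN`) makes the dependency reproducible and auditable. The same unpinned reference appears in the second workflow section on this page (new line 31 there). Judging by the diffstat, the file headers on this page appear to be shifted relative to their hunks — the 35-line hunk under `data/.clang-format` reads as the apt workflow and the 39-line hunk under `linux.yml` as the yum workflow — so the paths should be read with that in mind.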
data/.github/workflows/linux.yml
CHANGED
@@ -0,0 +1,39 @@
|
|
1
|
+
name: Yum based Linux
|
2
|
+
on:
|
3
|
+
push:
|
4
|
+
pull_request:
|
5
|
+
jobs:
|
6
|
+
build:
|
7
|
+
name: Build
|
8
|
+
strategy:
|
9
|
+
fail-fast: false
|
10
|
+
matrix:
|
11
|
+
label:
|
12
|
+
- CentOS 7 x86_64
|
13
|
+
- CentOS 8 x86_64
|
14
|
+
- Fedora 33 x86_64
|
15
|
+
- AmazonLinux 2 x86_64
|
16
|
+
include:
|
17
|
+
- label: CentOS 7 x86_64
|
18
|
+
test-docker-image: centos:7
|
19
|
+
test-script: ci/yum-test.sh
|
20
|
+
- label: CentOS 8 x86_64
|
21
|
+
test-docker-image: centos:8
|
22
|
+
test-script: ci/yum-test.sh
|
23
|
+
- label: Fedora 33 x86_64
|
24
|
+
test-docker-image: fedora:33
|
25
|
+
test-script: ci/yum-test.sh
|
26
|
+
- label: AmazonLinux 2 x86_64
|
27
|
+
test-docker-image: amazonlinux:2
|
28
|
+
test-script: ci/yum-test.sh
|
29
|
+
runs-on: ubuntu-latest
|
30
|
+
steps:
|
31
|
+
- uses: actions/checkout@master
|
32
|
+
- name: rake compile & rake test
|
33
|
+
run: |
|
34
|
+
docker run \
|
35
|
+
--rm \
|
36
|
+
--tty \
|
37
|
+
--volume ${PWD}:/capng \
|
38
|
+
${{ matrix.test-docker-image }} \
|
39
|
+
/capng/${{ matrix.test-script }}
|
data/Gemfile
CHANGED
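--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,21 @@
 # Capng_c
 
-
+
+
 
 libcap-ng bindings for Ruby.
 
+## Prerequisites
+
+* pkg-config package for linking libcap-ng library
+* libcap-ng and its development packages
+* libcap-ng-dev on Debian GNU/Linux and Ubuntu
+* libcap-ng-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+* Ruby and its development packages
+* ruby-dev on Debian GNU/Linux and Ubuntu
+* ruby-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -32,4 +44,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/
+Bug reports and pull requests are welcome on GitHub at https://github.com/fluent-plugins-nursery/capng_c.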
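--- a/data/capng_c.gemspec
+++ b/data/capng_c.gemspec
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
 
 spec.summary = %q{libcap-ng bindings for Ruby.}
 spec.description = spec.summary
-spec.homepage = "https://github.com/
+spec.homepage = "https://github.com/fluent-plugins-nursery/capng_c"
 spec.license = "Apache-2.0"
 spec.metadata["allowed_push_host"] = "https://rubygems.org"
 
@@ -32,4 +32,5 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency "rake", "~> 12.0"
 spec.add_development_dependency "rake-compiler", "~> 1.0"
 spec.add_development_dependency "test-unit", "~> 3.3.3"
+spec.add_development_dependency "yard", "~> 0.9"
 end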
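--- a/data/ci/apt-test.sh
+++ b/data/ci/apt-test.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -exu
+
+export DEBIAN_FRONTEND=noninteractive
+
+apt update
+apt install -V -y lsb-release
+
+apt install -V -y ruby-dev git build-essential pkg-config
+apt install -V -y libcap-ng-dev
+cd /capng && \
+gem install bundler --no-document && \
+bundle install && \
+bundle exec rake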
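Review bot: Lines 7–11 drive `apt` from a non-interactive script; `apt` is the end-user front end and warns that its CLI is not stable for scripting, so these calls should use `apt-get`, with `--no-install-recommends` to keep the throwaway container minimal, e.g. `apt-get install -y --no-install-recommends ruby-dev git build-essential pkg-config libcap-ng-dev`. Line 13 installs whichever bundler is newest at run time, so two runs of the same commit can build with different bundlers; pinning it (`gem install bundler -v '<bundler-version>' --no-document`) keeps CI reproducible alongside the versioned dev dependencies in the gemspec.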
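--- a/data/ci/yum-test.sh
+++ b/data/ci/yum-test.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+set -exu
+
+distribution=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f2)
+version=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f4)
+USE_SCL=0
+USE_AMZN_EXT=0
+
+case ${distribution} in
+amazon)
+case ${version} in
+2)
+DNF=yum
+USE_AMZN_EXT=1
+;;
+esac
+;;
+centos)
+case ${version} in
+7)
+DNF=yum
+USE_SCL=1
+;;
+*)
+DNF="dnf --enablerepo=PowerTools"
+;;
+esac
+;;
+fedoraproject)
+case ${version} in
+33)
+DNF=yum
+;;
+esac
+;;
+esac
+
+${DNF} groupinstall -y "Development Tools"
+
+if [ $USE_SCL -eq 1 ]; then
+${DNF} install -y centos-release-scl && \
+${DNF} install -y \
+rh-ruby26-ruby-devel \
+rh-ruby26-rubygems \
+rh-ruby26-rubygem-rake \
+rpm-build
+elif [ $USE_AMZN_EXT -eq 1 ]; then
+amazon-linux-extras install -y ruby2.6 && \
+${DNF} install -y ruby-devel
+else
+${DNF} install -y ruby-devel \
+rubygems \
+rpm-build
+fi
+${DNF} install -y libcap-ng-devel
+
+if [ $USE_SCL -eq 1 ]; then
+# For unbound variable error
+export MANPATH=
+cd /capng && source /opt/rh/rh-ruby26/enable && gem install bundler --no-document && bundle install && bundle exec rake
+else
+cd /capng && gem install bundler --no-document && bundle install && bundle exec rake
+fi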
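Review bot: `DNF` is assigned only inside the matched `case` arms (lines 14, 22, 26, 33), so any distribution or version outside the matrix — including the inner `amazon`/`fedoraproject` cases with an unexpected version, or an empty `distribution` when the `cat | awk | cut` pipelines on lines 5–6 fail, which `set -e` does not catch because the pipeline's status is `cut`'s — reaches line 39 and dies with bash's opaque `DNF: unbound variable`. A default arm on the outer `case` makes the failure explicit, `*) echo "unsupported distribution: ${distribution} ${version}" >&2; exit 1 ;;`, and `set -exuo pipefail` on line 3 makes the detection pipelines fail loudly. The `cat` on lines 5–6 is unnecessary: `awk '{print substr($0, index($1, "o"))}' /etc/system-release-cpe | cut -d: -f2` reads the file directly.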
data/example/file_capability.rb
CHANGED
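--- a/data/ext/capng/capability.c
+++ b/data/ext/capng/capability.c
@@ -13,21 +13,37 @@
 
 #include <capng.h>
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+/* clang-format off */
+/*
+* Document-class: CapNG::Capability
+*
+* Check Linux capabilities and define its constants.
+*
+* @example
+* require 'capng'
+*
+* @cap = CapNG::Capability.new
+*
+* @cap.from_name(:dac_read_search) #=> 2
+* @cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"
+*/
+/* clang-format on */
+
+struct CapNGCapability
+{};
+
+static void
+capng_capability_free(void* capng);
+
+static const rb_data_type_t rb_capng_capability_type = { "capng_capability/c_runtime",
+{
+0,
+capng_capability_free,
+0,
+},
+NULL,
+NULL,
+RUBY_TYPED_FREE_IMMEDIATELY };
 
 static void
 capng_capability_free(void* ptr)
@@ -45,16 +61,29 @@ rb_capng_capability_alloc(VALUE klass)
 return obj;
 }
 
+/*
+* Initalize Capability class.
+*
+* @return [nil]
+*
+*/
 static VALUE
 rb_capng_capability_initialize(VALUE self)
 {
 return Qnil;
 }
 
+/*
+* Obtain capability name from capability value.
+*
+* @param rb_capability [Integer] Capability constant value.
+* @return [String]
+*
+*/
 static VALUE
 rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
 {
-const char
+const char* name = capng_capability_to_name(NUM2UINT(rb_capability));
 
 if (name)
 return rb_str_new2(name);
@@ -62,77 +91,360 @@ rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
 return rb_str_new2("unknown");
 }
 
+/*
+* Obtain capability value from capability name.
+*
+* @param rb_capability_name_or_symbol [String or Symbol] Capability constant value.
+* @return [Integer]
+*
+*/
 static VALUE
 rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
 {
 unsigned int capability;
 
 switch (TYPE(rb_capability_name_or_symbol)) {
-
-
-
-
-
-
-
-
+case T_SYMBOL:
+capability =
+capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
+break;
+case T_STRING:
+capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
+break;
+default:
+rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
 }
 return INT2NUM(capability);
 }
 
+/*
+* Obtain capability code and name pairs with enumerable.
+*
+* @yield [Integer, String]
+* @return [nil]
+*
+*/
+static VALUE
+rb_capng_capability_each(VALUE self)
+{
+RETURN_ENUMERATOR(self, 0, 0);
+
+for (int i = 0; capabilityInfoTable[i].name != NULL; i++) {
+rb_yield_values(2,
+INT2NUM(capabilityInfoTable[i].code),
+rb_str_new2(capabilityInfoTable[i].name));
+}
+
+return Qnil;
+}
+
 void
 Init_capng_capability(VALUE rb_cCapNG)
 {
-rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
+VALUE rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
 
 rb_define_alloc_func(rb_cCapability, rb_capng_capability_alloc);
 
 rb_define_method(rb_cCapability, "initialize", rb_capng_capability_initialize, 0);
 rb_define_method(rb_cCapability, "to_name", rb_capng_capability_to_name, 1);
 rb_define_method(rb_cCapability, "from_name", rb_capng_capability_from_name, 1);
+rb_define_method(rb_cCapability, "each", rb_capng_capability_each, 0);
 
 // Capability constants.
+
+/* Make arbitrary changes to file UIDs and GIDs (see chown(2)). */
 rb_define_const(rb_cCapability, "CHOWN", INT2NUM(CAP_CHOWN));
+/*
+* Bypass file read, write, and execute permission checks. (DAC
+* is an abbreviation of "discretionary access control".) */
 rb_define_const(rb_cCapability, "DAC_OVERRIDE", INT2NUM(CAP_DAC_OVERRIDE));
+/*
+* * Bypass file read permission checks and directory read and execute permission
+* checks;
+* * invoke open_by_handle_at(2);
+* * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a
+* file descriptor.
+*/
 rb_define_const(rb_cCapability, "DAC_READ_SEARCH", INT2NUM(CAP_DAC_READ_SEARCH));
+/*
+* * Bypass permission checks on operations that normally require
+* the filesystem UID of the process to match the UID of the
+* file (e.g., chmod(2), utime(2)), excluding those operations
+* covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
+* * set inode flags (see ioctl_iflags(2)) on arbitrary files;
+* * set Access Control Lists (ACLs) on arbitrary files;
+* * ignore directory sticky bit on file deletion;
+* * modify user extended attributes on sticky directory owned by
+* any user;
+* * specify O_NOATIME for arbitrary files in open(2) and
+* fcntl(2).
+*/
 rb_define_const(rb_cCapability, "FOWNER", INT2NUM(CAP_FOWNER));
+/*
+* * Don't clear set-user-ID and set-group-ID mode bits when a
+* file is modified;
+* * set the set-group-ID bit for a file whose GID does not match
+* the filesystem or any of the supplementary GIDs of the
+* calling process.
+*/
 rb_define_const(rb_cCapability, "FSETID", INT2NUM(CAP_FSETID));
+/* Bypass permission checks for sending signals (see kill(2)).
+* This includes use of the ioctl(2) KDSIGACCEPT operation. */
 rb_define_const(rb_cCapability, "KILL", INT2NUM(CAP_KILL));
+/*
+* * Make arbitrary manipulations of process GIDs and
+* supplementary GID list;
+* * forge GID when passing socket credentials via UNIX domain
+* sockets;
+* * write a group ID mapping in a user namespace (see
+* user_namespaces(7)).
+*/
 rb_define_const(rb_cCapability, "SETGID", INT2NUM(CAP_SETGID));
+/*
+* * Make arbitrary manipulations of process UIDs (setuid(2),
+* setreuid(2), setresuid(2), setfsuid(2));
+* * forge UID when passing socket credentials via UNIX domain
+* sockets;
+* * write a user ID mapping in a user namespace (see
+* user_namespaces(7)).
+*/
 rb_define_const(rb_cCapability, "SETUID", INT2NUM(CAP_SETUID));
+/*
+* If file capabilities are supported (i.e., since Linux 2.6.24):
+* add any capability from the calling thread's bounding set to
+* its inheritable set; drop capabilities from the bounding set
+* (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits
+* flags.
+*
+* If file capabilities are not supported (i.e., kernels before
+* Linux 2.6.24): grant or remove any capability in the caller's
+* permitted capability set to or from any other process. (This
+* property of CAP_SETPCAP is not available when the kernel is
+* configured to support file capabilities, since CAP_SETPCAP has
+* entirely different semantics for such kernels.)
+*/
 rb_define_const(rb_cCapability, "SETPCAP", INT2NUM(CAP_SETPCAP));
+/* Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)). */
 rb_define_const(rb_cCapability, "LINUX_IMMUTABLE", INT2NUM(CAP_LINUX_IMMUTABLE));
+/* Bind a socket to Internet domain privileged ports (port numbers less than 1024).*/
 rb_define_const(rb_cCapability, "NET_BIND_SERIVCE", INT2NUM(CAP_NET_BIND_SERVICE));
+/* (Unused) Make socket broadcasts, and listen to multicasts. */
 rb_define_const(rb_cCapability, "NET_BROATCAST", INT2NUM(CAP_NET_BROADCAST));
+/* Perform various network-related operations:
+*
+* * interface configuration;
+* * administration of IP firewall, masquerading, and accounting;
+* * modify routing tables;
+* * bind to any address for transparent proxying;
+* * set type-of-service (TOS);
+* * clear driver statistics;
+* * set promiscuous mode;
+* * enabling multicasting;
+* * use setsockopt(2) to set the following socket options:
+* * SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
+* * range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
+*/
 rb_define_const(rb_cCapability, "NET_ADMIN", INT2NUM(CAP_NET_ADMIN));
+/*
+* * Use RAW and PACKET sockets;
+* * bind to any address for transparent proxying.
+*/
 rb_define_const(rb_cCapability, "NET_RAW", INT2NUM(CAP_NET_RAW));
+/* Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). */
 rb_define_const(rb_cCapability, "IPC_LOCK", INT2NUM(CAP_IPC_LOCK));
+/* Bypass permission checks for operations on System V IPC
+* objects.
+*/
 rb_define_const(rb_cCapability, "IPC_OWNER", INT2NUM(CAP_IPC_OWNER));
+/*
+* * Load and unload kernel modules (see init_module(2) and
+* delete_module(2)) in kernels before 2.6.25
+* * drop capabilities from the system-wide capability bounding set.
+*/
 rb_define_const(rb_cCapability, "SYS_MODULE", INT2NUM(CAP_SYS_MODULE));
+/*
+* * Perform I/O port operations (iopl(2) and ioperm(2));
+* * access /proc/kcore;
+* * employ the FIBMAP ioctl(2) operation;
+* * open devices for accessing x86 model-specific registers
+* (MSRs, see msr(4));
+* * update /proc/sys/vm/mmap_min_addr;
+* * create memory mappings at addresses below the value
+* specified by /proc/sys/vm/mmap_min_addr;
+* * map files in /proc/bus/pci;
+* * open /dev/mem and /dev/kmem;
+* * perform various SCSI device commands;
+* * perform certain operations on hpsa(4) and cciss(4) devices;
+* * perform a range of device-specific operations on other
+* devices.
+*/
 rb_define_const(rb_cCapability, "SYS_RAWIO", INT2NUM(CAP_SYS_RAWIO));
+/*
+* * Use chroot(2);
+* * change mount namespaces using setns(2).
+*/
 rb_define_const(rb_cCapability, "SYS_CHROOT", INT2NUM(CAP_SYS_CHROOT));
+/*
+* * Trace arbitrary processes using ptrace(2);
+* * apply get_robust_list(2) to arbitrary processes;
+* * transfer data to or from the memory of arbitrary processes
+* using process_vm_readv(2) and process_vm_writev(2);
+* * inspect processes using kcmp(2).
+*/
 rb_define_const(rb_cCapability, "SYS_PTRACE", INT2NUM(CAP_SYS_PTRACE));
+/* Use acct(2). */
 rb_define_const(rb_cCapability, "SYS_PACCT", INT2NUM(CAP_SYS_PACCT));
+/*
+* Note:
+* this capability is overloaded; see Notes to kernel developers, below.
+*
+* * Perform a range of system administration operations
+* including: quotactl(2), mount(2), umount(2), pivot_root(2),
+* swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
+* * perform privileged syslog(2) operations (since Linux 2.6.37,
+* CAP_SYSLOG should be used to permit such operations);
+* * perform VM86_REQUEST_IRQ vm86(2) command;
+* * access the same checkpoint/restore functionality that is
+* governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker
+* capability is preferred for accessing that functionality).
+* * perform the same BPF operations as are governed by CAP_BPF
+* (but the latter, weaker capability is preferred for
+* accessing that functionality).
+* * employ the same performance monitoring mechanisms as are
+* governed by CAP_PERFMON (but the latter, weaker capability
+* is preferred for accessing that functionality).
+* * perform IPC_SET and IPC_RMID operations on arbitrary System
+* V IPC objects;
+* * override RLIMIT_NPROC resource limit;
+* * perform operations on trusted and security extended
+* attributes (see xattr(7));
+* * use lookup_dcookie(2);
+* * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
+* Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
+* * forge PID when passing socket credentials via UNIX domain
+* sockets;
+* * exceed /proc/sys/fs/file-max, the system-wide limit on the
+* number of open files, in system calls that open files (e.g.,
+* accept(2), execve(2), open(2), pipe(2));
+* * employ CLONE_* flags that create new namespaces with
+* clone(2) and unshare(2) (but, since Linux 3.8, creating user
+* namespaces does not require any capability);
+* * access privileged perf event information;
+* * call setns(2) (requires CAP_SYS_ADMIN in the target
+* namespace);
+* * call fanotify_init(2);
+* * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
+* operations;
+* * perform madvise(2) MADV_HWPOISON operation;
+* * employ the TIOCSTI ioctl(2) to insert characters into the
+* input queue of a terminal other than the caller's
+* controlling terminal;
+* * employ the obsolete nfsservctl(2) system call;
+* * employ the obsolete bdflush(2) system call;
+* * perform various privileged block-device ioctl(2) operations;
+* * perform various privileged filesystem ioctl(2) operations;
+* * perform privileged ioctl(2) operations on the /dev/random
+* device (see random(4));
+* * install a seccomp(2) filter without first having to set the
+* no_new_privs thread attribute;
+* * modify allow/deny rules for device control groups;
+* * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
+* dump tracee's seccomp filters;
+* * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
+* the tracee's seccomp protections (i.e., the
+* PTRACE_O_SUSPEND_SECCOMP flag);
+* * perform administrative operations on many device drivers;
+* * modify autogroup nice values by writing to
+* /proc/[pid]/autogroup (see sched(7)).
+*/
 rb_define_const(rb_cCapability, "SYS_ADMIN", INT2NUM(CAP_SYS_ADMIN));
+/* Use reboot(2) and kexec_load(2). */
 rb_define_const(rb_cCapability, "SYS_BOOT", INT2NUM(CAP_SYS_BOOT));
+/*
+* * Lower the process nice value (nice(2), setpriority(2)) and
+* change the nice value for arbitrary processes;
+* * set real-time scheduling policies for calling process, and
+* set scheduling policies and priorities for arbitrary
+* processes (sched_setscheduler(2), sched_setparam(2),
+* sched_setattr(2));
+* * set CPU affinity for arbitrary processes
+* (sched_setaffinity(2));
+* * set I/O scheduling class and priority for arbitrary
+* processes (ioprio_set(2));
+* * apply migrate_pages(2) to arbitrary processes and allow
+* processes to be migrated to arbitrary nodes;
+* * apply move_pages(2) to arbitrary processes;
+* * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
+* move_pages(2).
+*/
 rb_define_const(rb_cCapability, "SYS_NICE", INT2NUM(CAP_SYS_NICE));
+/*
+* * Use reserved space on ext2 filesystems;
+* * make ioctl(2) calls controlling ext3 journaling;
+* * override disk quota limits;
+* * increase resource limits (see setrlimit(2));
+* * override RLIMIT_NPROC resource limit;
+* * override maximum number of consoles on console allocation;
+* * override maximum number of keymaps;
+* * allow more than 64hz interrupts from the real-time clock;
+* * raise msg_qbytes limit for a System V message queue above
+* the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
+* msgctl(2));
+* * allow the RLIMIT_NOFILE resource limit on the number of "in-
+* flight" file descriptors to be bypassed when passing file
+* descriptors to another process via a UNIX domain socket (see
+* unix(7));
+* * override the /proc/sys/fs/pipe-size-max limit when setting
+* the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
+* command;
+* * use F_SETPIPE_SZ to increase the capacity of a pipe above
+* the limit specified by /proc/sys/fs/pipe-max-size;
+* * override /proc/sys/fs/mqueue/queues_max,
+* /proc/sys/fs/mqueue/msg_max, and
+* /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX
+* message queues (see mq_overview(7));
+* * employ the prctl(2) PR_SET_MM operation;
+* * set /proc/[pid]/oom_score_adj to a value lower than the
+* value last set by a process with CAP_SYS_RESOURCE.
+*/
 rb_define_const(rb_cCapability, "SYS_RESOURCE", INT2NUM(CAP_SYS_RESOURCE));
+/* Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
+* real-time (hardware) clock.*/
 rb_define_const(rb_cCapability, "SYS_TIME", INT2NUM(CAP_SYS_TIME));
+/* Use vhangup(2); employ various privileged ioctl(2) operations
+* on virtual terminals.
+*/
 rb_define_const(rb_cCapability, "TTY_CONFIG", INT2NUM(CAP_SYS_TTY_CONFIG));
+/* Create special files using mknod(2). (since Linux 2.4) */
 rb_define_const(rb_cCapability, "MKNOD", INT2NUM(CAP_MKNOD));
+/* Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4) */
 rb_define_const(rb_cCapability, "LEASE", INT2NUM(CAP_LEASE));
+/* Write records to kernel auditing log. (since Linux 2.6.11) */
 rb_define_const(rb_cCapability, "AUDIT_WRITE", INT2NUM(CAP_AUDIT_WRITE));
+/* Enable and disable kernel auditing; change auditing filter
+* rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)*/
 rb_define_const(rb_cCapability, "AUDIT_CONTROL", INT2NUM(CAP_AUDIT_CONTROL));
 #ifdef CAP_SETFCAP
+/* Set arbitrary capabilities on a file. since Linux 2.6.24) */
 rb_define_const(rb_cCapability, "SETFCAP", INT2NUM(CAP_SETFCAP));
 #endif
 #ifdef CAP_MAC_OVERRIDE
 rb_define_const(rb_cCapability, "MAC_OVERRIDE", INT2NUM(CAP_MAC_OVERRIDE));
 #endif
 #ifdef CAP_MAC_ADMIN
+/* Allow MAC configuration or state changes. Implemented for the
+* Smack Linux Security Module (LSM). (since Linux 2.6.25)
+*/
 rb_define_const(rb_cCapability, "MAC_ADMIN", INT2NUM(CAP_MAC_ADMIN));
 #endif
 #ifdef CAP_SYSLOG
+/*
+* * Perform privileged syslog(2) operations. See syslog(2) for
+* information on which operations require privilege.
+* * View kernel addresses exposed via /proc and other interfaces
+* when /proc/sys/kernel/kptr_restrict has the value 1. (See
+* the discussion of the kptr_restrict in proc(5).)
+*/
 rb_define_const(rb_cCapability, "SYSLOG", INT2NUM(CAP_SYSLOG));
 #endif
 #if defined(CAP_EPOLLWAKEUP) && defined(CAP_BLOCK_SUSPEND)
@@ -142,21 +454,59 @@ Init_capng_capability(VALUE rb_cCapNG)
 rb_define_const(rb_cCapability, "EPOLLWAKEUP", INT2NUM(CAP_EPOLLWAKEUP));
 #endif
 #ifdef CAP_WAKE_ALARM
+/* Trigger something that will wake up the system (set
+* CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
+*/
 rb_define_const(rb_cCapability, "WAKE_ALARM", INT2NUM(CAP_WAKE_ALARM));
 #endif
 #ifdef CAP_BLOCK_SUSPEND
+/*
+Employ features that can block system suspend (epoll(7)
+EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)
+*/
 rb_define_const(rb_cCapability, "BLOCK_SUSPEND", INT2NUM(CAP_BLOCK_SUSPEND));
 #endif
 #ifdef CAP_AUDIT_READ
+/* Allow reading the audit log via a multicast netlink socket. (since Linux 3.16) */
 rb_define_const(rb_cCapability, "AUDIT_READ", INT2NUM(CAP_AUDIT_READ));
 #endif
 #ifdef CAP_PERFMON
+/*
+* Employ various performance-monitoring mechanisms, including:
+*
+* * call perf_event_open(2)
+* * employ various BPF operations that have performance
+* implications.
+*
+* This capability was added in Linux 5.8 to separate out
+* performance monitoring functionality from the overloaded
+* CAP_SYS_ADMIN capability. See also the kernel source file
+* Documentation/admin-guide/perf-security.rst.
+*/
 rb_define_const(rb_cCapability, "PERFMON", INT2NUM(CAP_PERFMON));
 #endif
 #ifdef CAP_BPF
+/*
+* Employ privileged BPF operations; see bpf(2) and
+* bpf-helpers(7).
+*
+* This capability was added in Linux 5.8 to separate out BPF
+* functionality from the overloaded CAP_SYS_ADMIN capability.
+* (since Linux 5.8)
+*/
 rb_define_const(rb_cCapability, "BPF", INT2NUM(CAP_BPF));
 #endif
 #ifdef CAP_CHECKPOINT_RESTORE
+/*
+* * employ the set_tid feature of clone3(2);
+* * read the contents of the symbolic links in
+* /proc/[pid]/map_files for other processes.
+*
+* This capability was added in Linux 5.9 to separate out
+* checkpoint/restore functionality from the overloaded
+* CAP_SYS_ADMIN capability.
+* (since Linux 5.9)
+*/
 rb_define_const(rb_cCapability, "CHECKPOINT_RESTORE", INT2NUM(CAP_CHECKPOINT_RESTORE));
 #endif
 }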
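Review bot: In `rb_capng_capability_from_name` (new lines 107–115) both branches pass libcap-ng a pointer with no NUL-termination guarantee — `RSTRING_PTR(rb_sym2str(...))` and `StringValuePtr(...)` expose the raw buffer, whereas `StringValueCStr` is the macro that guarantees termination and rejects embedded NUL bytes, which is what a C-string lookup like `capng_name_to_capability` needs. The result is stored in `unsigned int capability` and returned via `INT2NUM`, so the -1 that libcap-ng returns for an unrecognised name per its man page comes back to Ruby as `-1` instead of an error; declare `int capability;` and add `if (capability < 0) rb_raise(rb_eArgError, "unknown capability name");` before the return. Separately from this commit's additions, the context lines at new 230 and 232 still export the misspelled constants `NET_BIND_SERIVCE` and `NET_BROATCAST`; correctly spelled aliases could be added beside them without breaking existing callers.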