capng_c 0.1.5 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 46ab5a21fef03d5b25db0124526add7f625acc865ae10da0f8614b6290b5aec0
4
- data.tar.gz: cae7565475f00217336124b3c1d0bad6fd3772470e3c8e2605ebac09bac87829
3
+ metadata.gz: a26ab3bf7c3169172ec3e2c162630f0079b161533ec473984e4d52737d522b91
4
+ data.tar.gz: 9f378edbfb74593fc731acb2f4ead7b591207b0f358f9ce4e1caf28e747188d3
5
5
  SHA512:
6
- metadata.gz: 90fab6a90550512222604afee7896c75b766559d39f3288cad6191fb5b1192f080efc4bec6deef2c00377da4f7e8d129ec928191d67fa9277aac505652064b59
7
- data.tar.gz: eee3466a6e594b8b5d4fa1835c7650a6d7669cb20be1410c32c8e0b2d878d197263848ec2f1ea7923088428611a78400569f9be55ea16a4c0115ee3b6cd8547d
6
+ metadata.gz: 92d50ae4dc1c276709d38a2bbac7421ac0ec68d8dee70d8f5d28c4b2aa3e33ef81ae179dafd7f214703d68a8eeda5b4f2220eca786f50fdd77838a88fec754fd
7
+ data.tar.gz: 2f2f6cff1a51adeb4fe038871b3e3a5e5ec7b9075b18f31653000a5aea785e610bce39570cc4a2252c4dc4518ecd9f0be20436a28473d3769a4329fa98a912ae
@@ -0,0 +1,5 @@
1
+ BasedOnStyle: Mozilla
2
+ ColumnLimit: 90
3
+ BinPackParameters: true
4
+ BinPackArguments: false
5
+ AllowShortCaseLabelsOnASingleLine: false
@@ -0,0 +1,35 @@
1
+ name: Apt based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - Debian GNU/Linux Buster amd64
13
+ - Ubuntu Bionic amd64
14
+ - Ubuntu Focal amd64
15
+ include:
16
+ - label: Debian GNU/Linux Buster amd64
17
+ test-docker-image: debian:buster
18
+ test-script: ci/apt-test.sh
19
+ - label: Ubuntu Bionic amd64
20
+ test-docker-image: ubuntu:bionic
21
+ test-script: ci/apt-test.sh
22
+ - label: Ubuntu Focal amd64
23
+ test-docker-image: ubuntu:focal
24
+ test-script: ci/apt-test.sh
25
+ runs-on: ubuntu-latest
26
+ steps:
27
+ - uses: actions/checkout@master
28
+ - name: rake compile & rake test
29
+ run: |
30
+ docker run \
31
+ --rm \
32
+ --tty \
33
+ --volume ${PWD}:/capng \
34
+ ${{ matrix.test-docker-image }} \
35
+ /capng/${{ matrix.test-script }}
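Review bot: `- uses: actions/checkout@master` on the checkout step pins the action to a moving branch, so every run executes whatever that branch contains at that moment rather than a reviewed version; pin it to a release tag or, preferably, a full commit SHA, e.g. `- uses: actions/checkout@v2` (or `actions/checkout@<commit-sha>` with the SHA taken from the actions/checkout repository). The Yum based Linux workflow further down has the same `actions/checkout@master` line and should be pinned the same way. The rest of the job looks reasonable; `fail-fast: false` is a sensible choice for an OS matrix.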
@@ -1,4 +1,4 @@
1
- name: Linux testing
1
+ name: Multiple Ruby version tests
2
2
  on:
3
3
  - push
4
4
  - pull_request
@@ -0,0 +1,39 @@
1
+ name: Yum based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - CentOS 7 x86_64
13
+ - CentOS 8 x86_64
14
+ - Fedora 33 x86_64
15
+ - AmazonLinux 2 x86_64
16
+ include:
17
+ - label: CentOS 7 x86_64
18
+ test-docker-image: centos:7
19
+ test-script: ci/yum-test.sh
20
+ - label: CentOS 8 x86_64
21
+ test-docker-image: centos:8
22
+ test-script: ci/yum-test.sh
23
+ - label: Fedora 33 x86_64
24
+ test-docker-image: fedora:33
25
+ test-script: ci/yum-test.sh
26
+ - label: AmazonLinux 2 x86_64
27
+ test-docker-image: amazonlinux:2
28
+ test-script: ci/yum-test.sh
29
+ runs-on: ubuntu-latest
30
+ steps:
31
+ - uses: actions/checkout@master
32
+ - name: rake compile & rake test
33
+ run: |
34
+ docker run \
35
+ --rm \
36
+ --tty \
37
+ --volume ${PWD}:/capng \
38
+ ${{ matrix.test-docker-image }} \
39
+ /capng/${{ matrix.test-script }}
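--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,4 +1,6 @@
 source "https://rubygems.org"
 
-# Specify your gem's dependencies in ioext.gemspec
+# Specify your gem's dependencies in capng_c.gemspec
 gemspec
+
+gem "irb"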
data/README.md CHANGED
@@ -1,9 +1,21 @@
1
1
  # Capng_c
2
2
 
3
- ![Linux testing](https://github.com/cosmo0920/capng_c/workflows/Linux%20testing/badge.svg?branch=main)
3
+ ![Multiple Ruby version tests](https://github.com/fluent-plugins-nursery/capng_c/workflows/Multiple%20Ruby%20version%20tests/badge.svg?branch=main)
4
+ ![Apt based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Apt%20based%20Linux/badge.svg?branch=main)
5
+ ![Yum based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Yum%20based%20Linux/badge.svg?branch=main)
4
6
 
5
7
  libcap-ng bindings for Ruby.
6
8
 
9
+ ## Prerequisites
10
+
11
+ * pkg-config package for linking libcap-ng library
12
+ * libcap-ng and its development packages
13
+ * libcap-ng-dev on Debian GNU/Linux and Ubuntu
14
+ * libcap-ng-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
15
+ * Ruby and its development packages
16
+ * ruby-dev on Debian GNU/Linux and Ubuntu
17
+ * ruby-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
18
+
7
19
  ## Installation
8
20
 
9
21
  Add this line to your application's Gemfile:
@@ -32,4 +44,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
32
44
 
33
45
  ## Contributing
34
46
 
35
- Bug reports and pull requests are welcome on GitHub at https://github.com/cosmo0920/capng_c.
47
+ Bug reports and pull requests are welcome on GitHub at https://github.com/fluent-plugins-nursery/capng_c.
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
10
10
 
11
11
  spec.summary = %q{libcap-ng bindings for Ruby.}
12
12
  spec.description = spec.summary
13
- spec.homepage = "https://github.com/cosmo0920/cap-ng_c"
13
+ spec.homepage = "https://github.com/fluent-plugins-nursery/capng_c"
14
14
  spec.license = "Apache-2.0"
15
15
  spec.metadata["allowed_push_host"] = "https://rubygems.org"
16
16
 
@@ -32,4 +32,5 @@ Gem::Specification.new do |spec|
32
32
  spec.add_development_dependency "rake", "~> 12.0"
33
33
  spec.add_development_dependency "rake-compiler", "~> 1.0"
34
34
  spec.add_development_dependency "test-unit", "~> 3.3.3"
35
+ spec.add_development_dependency "yard", "~> 0.9"
35
36
  end
@@ -0,0 +1,15 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ export DEBIAN_FRONTEND=noninteractive
6
+
7
+ apt update
8
+ apt install -V -y lsb-release
9
+
10
+ apt install -V -y ruby-dev git build-essential pkg-config
11
+ apt install -V -y libcap-ng-dev
12
+ cd /capng && \
13
+ gem install bundler --no-document && \
14
+ bundle install && \
15
+ bundle exec rake
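Review bot: The script drives `apt` rather than `apt-get`; `apt` prints a warning that its command-line interface is not stable for use in scripts, and `apt-get` is the conventional choice in CI, e.g. `apt-get update` and `apt-get install -V -y ...`. `lsb-release` is installed on its own line but nothing in the script uses it, so that step can be dropped or folded into the main install line. The trailing `&& \` chain under `set -e` is harmless but redundant, since `set -e` already stops the script at the first failing command.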
@@ -0,0 +1,64 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ distribution=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f2)
6
+ version=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f4)
7
+ USE_SCL=0
8
+ USE_AMZN_EXT=0
9
+
10
+ case ${distribution} in
11
+ amazon)
12
+ case ${version} in
13
+ 2)
14
+ DNF=yum
15
+ USE_AMZN_EXT=1
16
+ ;;
17
+ esac
18
+ ;;
19
+ centos)
20
+ case ${version} in
21
+ 7)
22
+ DNF=yum
23
+ USE_SCL=1
24
+ ;;
25
+ *)
26
+ DNF="dnf --enablerepo=PowerTools"
27
+ ;;
28
+ esac
29
+ ;;
30
+ fedoraproject)
31
+ case ${version} in
32
+ 33)
33
+ DNF=yum
34
+ ;;
35
+ esac
36
+ ;;
37
+ esac
38
+
39
+ ${DNF} groupinstall -y "Development Tools"
40
+
41
+ if [ $USE_SCL -eq 1 ]; then
42
+ ${DNF} install -y centos-release-scl && \
43
+ ${DNF} install -y \
44
+ rh-ruby26-ruby-devel \
45
+ rh-ruby26-rubygems \
46
+ rh-ruby26-rubygem-rake \
47
+ rpm-build
48
+ elif [ $USE_AMZN_EXT -eq 1 ]; then
49
+ amazon-linux-extras install -y ruby2.6 && \
50
+ ${DNF} install -y ruby-devel
51
+ else
52
+ ${DNF} install -y ruby-devel \
53
+ rubygems \
54
+ rpm-build
55
+ fi
56
+ ${DNF} install -y libcap-ng-devel
57
+
58
+ if [ $USE_SCL -eq 1 ]; then
59
+ # For unbound variable error
60
+ export MANPATH=
61
+ cd /capng && source /opt/rh/rh-ruby26/enable && gem install bundler --no-document && bundle install && bundle exec rake
62
+ else
63
+ cd /capng && gem install bundler --no-document && bundle install && bundle exec rake
64
+ fi
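Review bot: `DNF` is only assigned inside the recognised `case` branches, so on any other distribution or version (for example a Fedora release other than 33) the `${DNF} groupinstall` line fails with `set -u`'s unbound-variable error instead of a readable diagnostic; add a catch-all to the outer `case` and to each inner one, e.g. `*) echo "unsupported distribution: ${distribution} ${version}" >&2; exit 1 ;;`. The two `cat /etc/system-release-cpe | awk ...` pipelines can read the file directly, `awk '...' /etc/system-release-cpe`. The CentOS `*)` branch assumes a `PowerTools` repository exists on every non-7 release; that presumably holds for the centos:8 image the workflow uses, but a one-line comment recording the assumption would help whoever adds the next version.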
@@ -25,7 +25,8 @@ if Process.uid != 0
25
25
  end
26
26
 
27
27
  path = ARGV[0]
28
- capng = CapNG.new(:file, path)
28
+ capng = CapNG.new
29
+ capng.caps_file(path)
29
30
  print = CapNG::Print.new
30
31
  puts "capability: #{print.caps_text(:buffer, :effective)}"
31
32
  capng.clear(:caps)
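Review bot: The result of `capng.caps_file(path)` on the new line is discarded, so if the file cannot be read the script goes on to print and clear capabilities on whatever state the object holds. If `caps_file` reports failure through its return value (not visible in this hunk), guarding it, e.g. `abort "cannot read capabilities of #{path}" unless capng.caps_file(path)`, would make the example fail loudly; `path` itself comes straight from `ARGV[0]` and is never checked for presence. The surrounding script continues outside the hunk.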
@@ -13,21 +13,37 @@
13
13
 
14
14
  #include <capng.h>
15
15
 
16
- struct CapNGCapability {};
17
-
18
- static void capng_capability_free(void* capng);
19
-
20
- static const rb_data_type_t rb_capng_capability_type = {
21
- "capng_capability/c_runtime",
22
- {
23
- 0,
24
- capng_capability_free,
25
- 0,
26
- },
27
- NULL,
28
- NULL,
29
- RUBY_TYPED_FREE_IMMEDIATELY
30
- };
16
+ /* clang-format off */
17
+ /*
18
+ * Document-class: CapNG::Capability
19
+ *
20
+ * Check Linux capabilities and define its constants.
21
+ *
22
+ * @example
23
+ * require 'capng'
24
+ *
25
+ * @cap = CapNG::Capability.new
26
+ *
27
+ * @cap.from_name(:dac_read_search) #=> 2
28
+ * @cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"
29
+ */
30
+ /* clang-format on */
31
+
32
+ struct CapNGCapability
33
+ {};
34
+
35
+ static void
36
+ capng_capability_free(void* capng);
37
+
38
+ static const rb_data_type_t rb_capng_capability_type = { "capng_capability/c_runtime",
39
+ {
40
+ 0,
41
+ capng_capability_free,
42
+ 0,
43
+ },
44
+ NULL,
45
+ NULL,
46
+ RUBY_TYPED_FREE_IMMEDIATELY };
31
47
 
32
48
  static void
33
49
  capng_capability_free(void* ptr)
@@ -45,16 +61,29 @@ rb_capng_capability_alloc(VALUE klass)
45
61
  return obj;
46
62
  }
47
63
 
64
+ /*
65
+ * Initalize Capability class.
66
+ *
67
+ * @return [nil]
68
+ *
69
+ */
48
70
  static VALUE
49
71
  rb_capng_capability_initialize(VALUE self)
50
72
  {
51
73
  return Qnil;
52
74
  }
53
75
 
76
+ /*
77
+ * Obtain capability name from capability value.
78
+ *
79
+ * @param rb_capability [Integer] Capability constant value.
80
+ * @return [String]
81
+ *
82
+ */
54
83
  static VALUE
55
84
  rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
56
85
  {
57
- const char *name = capng_capability_to_name(NUM2UINT(rb_capability));
86
+ const char* name = capng_capability_to_name(NUM2UINT(rb_capability));
58
87
 
59
88
  if (name)
60
89
  return rb_str_new2(name);
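Review bot: The new doc comment on `rb_capng_capability_initialize` misspells its first line; change `* Initalize Capability class.` to `* Initialize Capability class.`. `@return [nil]` is accurate for the C function, but `CapNG::Capability.new` still hands back the instance, so a reader of the generated YARD may find it confusing; a sentence such as `Takes no arguments; the object holds no per-instance state.` would say more than the return type does, and is grounded in the empty `struct CapNGCapability` above. `rb_capng_capability_to_name` continues below the hunk.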
@@ -62,77 +91,360 @@ rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
62
91
  return rb_str_new2("unknown");
63
92
  }
64
93
 
94
+ /*
95
+ * Obtain capability value from capability name.
96
+ *
97
+ * @param rb_capability_name_or_symbol [String or Symbol] Capability constant value.
98
+ * @return [Integer]
99
+ *
100
+ */
65
101
  static VALUE
66
102
  rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
67
103
  {
68
104
  unsigned int capability;
69
105
 
70
106
  switch (TYPE(rb_capability_name_or_symbol)) {
71
- case T_SYMBOL:
72
- capability = capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
73
- break;
74
- case T_STRING:
75
- capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
76
- break;
77
- default:
78
- rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
107
+ case T_SYMBOL:
108
+ capability =
109
+ capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
110
+ break;
111
+ case T_STRING:
112
+ capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
113
+ break;
114
+ default:
115
+ rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
79
116
  }
80
117
  return INT2NUM(capability);
81
118
  }
82
119
 
120
+ /*
121
+ * Obtain capability code and name pairs with enumerable.
122
+ *
123
+ * @yield [Integer, String]
124
+ * @return [nil]
125
+ *
126
+ */
127
+ static VALUE
128
+ rb_capng_capability_each(VALUE self)
129
+ {
130
+ RETURN_ENUMERATOR(self, 0, 0);
131
+
132
+ for (int i = 0; capabilityInfoTable[i].name != NULL; i++) {
133
+ rb_yield_values(2,
134
+ INT2NUM(capabilityInfoTable[i].code),
135
+ rb_str_new2(capabilityInfoTable[i].name));
136
+ }
137
+
138
+ return Qnil;
139
+ }
140
+
83
141
  void
84
142
  Init_capng_capability(VALUE rb_cCapNG)
85
143
  {
86
- rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
144
+ VALUE rb_cCapability = rb_define_class_under(rb_cCapNG, "Capability", rb_cObject);
87
145
 
88
146
  rb_define_alloc_func(rb_cCapability, rb_capng_capability_alloc);
89
147
 
90
148
  rb_define_method(rb_cCapability, "initialize", rb_capng_capability_initialize, 0);
91
149
  rb_define_method(rb_cCapability, "to_name", rb_capng_capability_to_name, 1);
92
150
  rb_define_method(rb_cCapability, "from_name", rb_capng_capability_from_name, 1);
151
+ rb_define_method(rb_cCapability, "each", rb_capng_capability_each, 0);
93
152
 
94
153
  // Capability constants.
154
+
155
+ /* Make arbitrary changes to file UIDs and GIDs (see chown(2)). */
95
156
  rb_define_const(rb_cCapability, "CHOWN", INT2NUM(CAP_CHOWN));
157
+ /*
158
+ * Bypass file read, write, and execute permission checks. (DAC
159
+ * is an abbreviation of "discretionary access control".) */
96
160
  rb_define_const(rb_cCapability, "DAC_OVERRIDE", INT2NUM(CAP_DAC_OVERRIDE));
161
+ /*
162
+ * * Bypass file read permission checks and directory read and execute permission
163
+ * checks;
164
+ * * invoke open_by_handle_at(2);
165
+ * * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a
166
+ * file descriptor.
167
+ */
97
168
  rb_define_const(rb_cCapability, "DAC_READ_SEARCH", INT2NUM(CAP_DAC_READ_SEARCH));
169
+ /*
170
+ * * Bypass permission checks on operations that normally require
171
+ * the filesystem UID of the process to match the UID of the
172
+ * file (e.g., chmod(2), utime(2)), excluding those operations
173
+ * covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
174
+ * * set inode flags (see ioctl_iflags(2)) on arbitrary files;
175
+ * * set Access Control Lists (ACLs) on arbitrary files;
176
+ * * ignore directory sticky bit on file deletion;
177
+ * * modify user extended attributes on sticky directory owned by
178
+ * any user;
179
+ * * specify O_NOATIME for arbitrary files in open(2) and
180
+ * fcntl(2).
181
+ */
98
182
  rb_define_const(rb_cCapability, "FOWNER", INT2NUM(CAP_FOWNER));
183
+ /*
184
+ * * Don't clear set-user-ID and set-group-ID mode bits when a
185
+ * file is modified;
186
+ * * set the set-group-ID bit for a file whose GID does not match
187
+ * the filesystem or any of the supplementary GIDs of the
188
+ * calling process.
189
+ */
99
190
  rb_define_const(rb_cCapability, "FSETID", INT2NUM(CAP_FSETID));
191
+ /* Bypass permission checks for sending signals (see kill(2)).
192
+ * This includes use of the ioctl(2) KDSIGACCEPT operation. */
100
193
  rb_define_const(rb_cCapability, "KILL", INT2NUM(CAP_KILL));
194
+ /*
195
+ * * Make arbitrary manipulations of process GIDs and
196
+ * supplementary GID list;
197
+ * * forge GID when passing socket credentials via UNIX domain
198
+ * sockets;
199
+ * * write a group ID mapping in a user namespace (see
200
+ * user_namespaces(7)).
201
+ */
101
202
  rb_define_const(rb_cCapability, "SETGID", INT2NUM(CAP_SETGID));
203
+ /*
204
+ * * Make arbitrary manipulations of process UIDs (setuid(2),
205
+ * setreuid(2), setresuid(2), setfsuid(2));
206
+ * * forge UID when passing socket credentials via UNIX domain
207
+ * sockets;
208
+ * * write a user ID mapping in a user namespace (see
209
+ * user_namespaces(7)).
210
+ */
102
211
  rb_define_const(rb_cCapability, "SETUID", INT2NUM(CAP_SETUID));
212
+ /*
213
+ * If file capabilities are supported (i.e., since Linux 2.6.24):
214
+ * add any capability from the calling thread's bounding set to
215
+ * its inheritable set; drop capabilities from the bounding set
216
+ * (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits
217
+ * flags.
218
+ *
219
+ * If file capabilities are not supported (i.e., kernels before
220
+ * Linux 2.6.24): grant or remove any capability in the caller's
221
+ * permitted capability set to or from any other process. (This
222
+ * property of CAP_SETPCAP is not available when the kernel is
223
+ * configured to support file capabilities, since CAP_SETPCAP has
224
+ * entirely different semantics for such kernels.)
225
+ */
103
226
  rb_define_const(rb_cCapability, "SETPCAP", INT2NUM(CAP_SETPCAP));
227
+ /* Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)). */
104
228
  rb_define_const(rb_cCapability, "LINUX_IMMUTABLE", INT2NUM(CAP_LINUX_IMMUTABLE));
229
+ /* Bind a socket to Internet domain privileged ports (port numbers less than 1024).*/
105
230
  rb_define_const(rb_cCapability, "NET_BIND_SERIVCE", INT2NUM(CAP_NET_BIND_SERVICE));
231
+ /* (Unused) Make socket broadcasts, and listen to multicasts. */
106
232
  rb_define_const(rb_cCapability, "NET_BROATCAST", INT2NUM(CAP_NET_BROADCAST));
233
+ /* Perform various network-related operations:
234
+ *
235
+ * * interface configuration;
236
+ * * administration of IP firewall, masquerading, and accounting;
237
+ * * modify routing tables;
238
+ * * bind to any address for transparent proxying;
239
+ * * set type-of-service (TOS);
240
+ * * clear driver statistics;
241
+ * * set promiscuous mode;
242
+ * * enabling multicasting;
243
+ * * use setsockopt(2) to set the following socket options:
244
+ * * SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
245
+ * * range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
246
+ */
107
247
  rb_define_const(rb_cCapability, "NET_ADMIN", INT2NUM(CAP_NET_ADMIN));
248
+ /*
249
+ * * Use RAW and PACKET sockets;
250
+ * * bind to any address for transparent proxying.
251
+ */
108
252
  rb_define_const(rb_cCapability, "NET_RAW", INT2NUM(CAP_NET_RAW));
253
+ /* Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). */
109
254
  rb_define_const(rb_cCapability, "IPC_LOCK", INT2NUM(CAP_IPC_LOCK));
255
+ /* Bypass permission checks for operations on System V IPC
256
+ * objects.
257
+ */
110
258
  rb_define_const(rb_cCapability, "IPC_OWNER", INT2NUM(CAP_IPC_OWNER));
259
+ /*
260
+ * * Load and unload kernel modules (see init_module(2) and
261
+ * delete_module(2)) in kernels before 2.6.25
262
+ * * drop capabilities from the system-wide capability bounding set.
263
+ */
111
264
  rb_define_const(rb_cCapability, "SYS_MODULE", INT2NUM(CAP_SYS_MODULE));
265
+ /*
266
+ * * Perform I/O port operations (iopl(2) and ioperm(2));
267
+ * * access /proc/kcore;
268
+ * * employ the FIBMAP ioctl(2) operation;
269
+ * * open devices for accessing x86 model-specific registers
270
+ * (MSRs, see msr(4));
271
+ * * update /proc/sys/vm/mmap_min_addr;
272
+ * * create memory mappings at addresses below the value
273
+ * specified by /proc/sys/vm/mmap_min_addr;
274
+ * * map files in /proc/bus/pci;
275
+ * * open /dev/mem and /dev/kmem;
276
+ * * perform various SCSI device commands;
277
+ * * perform certain operations on hpsa(4) and cciss(4) devices;
278
+ * * perform a range of device-specific operations on other
279
+ * devices.
280
+ */
112
281
  rb_define_const(rb_cCapability, "SYS_RAWIO", INT2NUM(CAP_SYS_RAWIO));
282
+ /*
283
+ * * Use chroot(2);
284
+ * * change mount namespaces using setns(2).
285
+ */
113
286
  rb_define_const(rb_cCapability, "SYS_CHROOT", INT2NUM(CAP_SYS_CHROOT));
287
+ /*
288
+ * * Trace arbitrary processes using ptrace(2);
289
+ * * apply get_robust_list(2) to arbitrary processes;
290
+ * * transfer data to or from the memory of arbitrary processes
291
+ * using process_vm_readv(2) and process_vm_writev(2);
292
+ * * inspect processes using kcmp(2).
293
+ */
114
294
  rb_define_const(rb_cCapability, "SYS_PTRACE", INT2NUM(CAP_SYS_PTRACE));
295
+ /* Use acct(2). */
115
296
  rb_define_const(rb_cCapability, "SYS_PACCT", INT2NUM(CAP_SYS_PACCT));
297
+ /*
298
+ * Note:
299
+ * this capability is overloaded; see Notes to kernel developers, below.
300
+ *
301
+ * * Perform a range of system administration operations
302
+ * including: quotactl(2), mount(2), umount(2), pivot_root(2),
303
+ * swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
304
+ * * perform privileged syslog(2) operations (since Linux 2.6.37,
305
+ * CAP_SYSLOG should be used to permit such operations);
306
+ * * perform VM86_REQUEST_IRQ vm86(2) command;
307
+ * * access the same checkpoint/restore functionality that is
308
+ * governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker
309
+ * capability is preferred for accessing that functionality).
310
+ * * perform the same BPF operations as are governed by CAP_BPF
311
+ * (but the latter, weaker capability is preferred for
312
+ * accessing that functionality).
313
+ * * employ the same performance monitoring mechanisms as are
314
+ * governed by CAP_PERFMON (but the latter, weaker capability
315
+ * is preferred for accessing that functionality).
316
+ * * perform IPC_SET and IPC_RMID operations on arbitrary System
317
+ * V IPC objects;
318
+ * * override RLIMIT_NPROC resource limit;
319
+ * * perform operations on trusted and security extended
320
+ * attributes (see xattr(7));
321
+ * * use lookup_dcookie(2);
322
+ * * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
323
+ * Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
324
+ * * forge PID when passing socket credentials via UNIX domain
325
+ * sockets;
326
+ * * exceed /proc/sys/fs/file-max, the system-wide limit on the
327
+ * number of open files, in system calls that open files (e.g.,
328
+ * accept(2), execve(2), open(2), pipe(2));
329
+ * * employ CLONE_* flags that create new namespaces with
330
+ * clone(2) and unshare(2) (but, since Linux 3.8, creating user
331
+ * namespaces does not require any capability);
332
+ * * access privileged perf event information;
333
+ * * call setns(2) (requires CAP_SYS_ADMIN in the target
334
+ * namespace);
335
+ * * call fanotify_init(2);
336
+ * * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
337
+ * operations;
338
+ * * perform madvise(2) MADV_HWPOISON operation;
339
+ * * employ the TIOCSTI ioctl(2) to insert characters into the
340
+ * input queue of a terminal other than the caller's
341
+ * controlling terminal;
342
+ * * employ the obsolete nfsservctl(2) system call;
343
+ * * employ the obsolete bdflush(2) system call;
344
+ * * perform various privileged block-device ioctl(2) operations;
345
+ * * perform various privileged filesystem ioctl(2) operations;
346
+ * * perform privileged ioctl(2) operations on the /dev/random
347
+ * device (see random(4));
348
+ * * install a seccomp(2) filter without first having to set the
349
+ * no_new_privs thread attribute;
350
+ * * modify allow/deny rules for device control groups;
351
+ * * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
352
+ * dump tracee's seccomp filters;
353
+ * * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
354
+ * the tracee's seccomp protections (i.e., the
355
+ * PTRACE_O_SUSPEND_SECCOMP flag);
356
+ * * perform administrative operations on many device drivers;
357
+ * * modify autogroup nice values by writing to
358
+ * /proc/[pid]/autogroup (see sched(7)).
359
+ */
116
360
  rb_define_const(rb_cCapability, "SYS_ADMIN", INT2NUM(CAP_SYS_ADMIN));
361
+ /* Use reboot(2) and kexec_load(2). */
117
362
  rb_define_const(rb_cCapability, "SYS_BOOT", INT2NUM(CAP_SYS_BOOT));
363
+ /*
364
+ * * Lower the process nice value (nice(2), setpriority(2)) and
365
+ * change the nice value for arbitrary processes;
366
+ * * set real-time scheduling policies for calling process, and
367
+ * set scheduling policies and priorities for arbitrary
368
+ * processes (sched_setscheduler(2), sched_setparam(2),
369
+ * sched_setattr(2));
370
+ * * set CPU affinity for arbitrary processes
371
+ * (sched_setaffinity(2));
372
+ * * set I/O scheduling class and priority for arbitrary
373
+ * processes (ioprio_set(2));
374
+ * * apply migrate_pages(2) to arbitrary processes and allow
375
+ * processes to be migrated to arbitrary nodes;
376
+ * * apply move_pages(2) to arbitrary processes;
377
+ * * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
378
+ * move_pages(2).
379
+ */
118
380
  rb_define_const(rb_cCapability, "SYS_NICE", INT2NUM(CAP_SYS_NICE));
381
+ /*
382
+ * * Use reserved space on ext2 filesystems;
383
+ * * make ioctl(2) calls controlling ext3 journaling;
384
+ * * override disk quota limits;
385
+ * * increase resource limits (see setrlimit(2));
386
+ * * override RLIMIT_NPROC resource limit;
387
+ * * override maximum number of consoles on console allocation;
388
+ * * override maximum number of keymaps;
389
+ * * allow more than 64hz interrupts from the real-time clock;
390
+ * * raise msg_qbytes limit for a System V message queue above
391
+ * the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
392
+ * msgctl(2));
393
+ * * allow the RLIMIT_NOFILE resource limit on the number of "in-
394
+ * flight" file descriptors to be bypassed when passing file
395
+ * descriptors to another process via a UNIX domain socket (see
396
+ * unix(7));
397
+ * * override the /proc/sys/fs/pipe-size-max limit when setting
398
+ * the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
399
+ * command;
400
+ * * use F_SETPIPE_SZ to increase the capacity of a pipe above
401
+ * the limit specified by /proc/sys/fs/pipe-max-size;
402
+ * * override /proc/sys/fs/mqueue/queues_max,
403
+ * /proc/sys/fs/mqueue/msg_max, and
404
+ * /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX
405
+ * message queues (see mq_overview(7));
406
+ * * employ the prctl(2) PR_SET_MM operation;
407
+ * * set /proc/[pid]/oom_score_adj to a value lower than the
408
+ * value last set by a process with CAP_SYS_RESOURCE.
409
+ */
119
410
  rb_define_const(rb_cCapability, "SYS_RESOURCE", INT2NUM(CAP_SYS_RESOURCE));
411
+ /* Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
412
+ * real-time (hardware) clock.*/
120
413
  rb_define_const(rb_cCapability, "SYS_TIME", INT2NUM(CAP_SYS_TIME));
414
+ /* Use vhangup(2); employ various privileged ioctl(2) operations
415
+ * on virtual terminals.
416
+ */
121
417
  rb_define_const(rb_cCapability, "TTY_CONFIG", INT2NUM(CAP_SYS_TTY_CONFIG));
418
+ /* Create special files using mknod(2). (since Linux 2.4) */
122
419
  rb_define_const(rb_cCapability, "MKNOD", INT2NUM(CAP_MKNOD));
420
+ /* Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4) */
123
421
  rb_define_const(rb_cCapability, "LEASE", INT2NUM(CAP_LEASE));
422
+ /* Write records to kernel auditing log. (since Linux 2.6.11) */
124
423
  rb_define_const(rb_cCapability, "AUDIT_WRITE", INT2NUM(CAP_AUDIT_WRITE));
424
+ /* Enable and disable kernel auditing; change auditing filter
425
+ * rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)*/
125
426
  rb_define_const(rb_cCapability, "AUDIT_CONTROL", INT2NUM(CAP_AUDIT_CONTROL));
126
427
  #ifdef CAP_SETFCAP
428
+ /* Set arbitrary capabilities on a file. since Linux 2.6.24) */
127
429
  rb_define_const(rb_cCapability, "SETFCAP", INT2NUM(CAP_SETFCAP));
128
430
  #endif
129
431
  #ifdef CAP_MAC_OVERRIDE
130
432
  rb_define_const(rb_cCapability, "MAC_OVERRIDE", INT2NUM(CAP_MAC_OVERRIDE));
131
433
  #endif
132
434
  #ifdef CAP_MAC_ADMIN
435
+ /* Allow MAC configuration or state changes. Implemented for the
436
+ * Smack Linux Security Module (LSM). (since Linux 2.6.25)
437
+ */
133
438
  rb_define_const(rb_cCapability, "MAC_ADMIN", INT2NUM(CAP_MAC_ADMIN));
134
439
  #endif
135
440
  #ifdef CAP_SYSLOG
441
+ /*
442
+ * * Perform privileged syslog(2) operations. See syslog(2) for
443
+ * information on which operations require privilege.
444
+ * * View kernel addresses exposed via /proc and other interfaces
445
+ * when /proc/sys/kernel/kptr_restrict has the value 1. (See
446
+ * the discussion of the kptr_restrict in proc(5).)
447
+ */
136
448
  rb_define_const(rb_cCapability, "SYSLOG", INT2NUM(CAP_SYSLOG));
137
449
  #endif
138
450
  #if defined(CAP_EPOLLWAKEUP) && defined(CAP_BLOCK_SUSPEND)
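Review bot: `rb_define_method(rb_cCapability, "each", rb_capng_capability_each, 0)` adds an `each` that yields code/name pairs, and the doc comment above it says the pairs are obtained "with enumerable", but nothing in the hunk includes `Enumerable` in the class, so `map`, `select`, `to_h` and friends will not be available on a `CapNG::Capability` unless that happens elsewhere; if it does not, add `rb_include_module(rb_cCapability, rb_mEnumerable);` next to `rb_define_alloc_func`. The `@param` line on `rb_capng_capability_from_name` reads `Capability constant value.`, copied from `to_name`; it should describe the name, e.g. `@param rb_capability_name_or_symbol [String, Symbol] Capability name, such as "dac_read_search" or :dac_read_search.`. `capabilityInfoTable`, used by the loop in `rb_capng_capability_each`, is not declared in this hunk; presumably it comes from `capng.h`. `Init_capng_capability` continues past the end of the hunk.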
@@ -142,21 +454,59 @@ Init_capng_capability(VALUE rb_cCapNG)
142
454
  rb_define_const(rb_cCapability, "EPOLLWAKEUP", INT2NUM(CAP_EPOLLWAKEUP));
143
455
  #endif
144
456
  #ifdef CAP_WAKE_ALARM
457
+ /* Trigger something that will wake up the system (set
458
+ * CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
459
+ */
145
460
  rb_define_const(rb_cCapability, "WAKE_ALARM", INT2NUM(CAP_WAKE_ALARM));
146
461
  #endif
147
462
  #ifdef CAP_BLOCK_SUSPEND
463
+ /*
464
+ Employ features that can block system suspend (epoll(7)
465
+ EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)
466
+ */
148
467
  rb_define_const(rb_cCapability, "BLOCK_SUSPEND", INT2NUM(CAP_BLOCK_SUSPEND));
149
468
  #endif
150
469
  #ifdef CAP_AUDIT_READ
470
+ /* Allow reading the audit log via a multicast netlink socket. (since Linux 3.16) */
151
471
  rb_define_const(rb_cCapability, "AUDIT_READ", INT2NUM(CAP_AUDIT_READ));
152
472
  #endif
153
473
  #ifdef CAP_PERFMON
474
+ /*
475
+ * Employ various performance-monitoring mechanisms, including:
476
+ *
477
+ * * call perf_event_open(2)
478
+ * * employ various BPF operations that have performance
479
+ * implications.
480
+ *
481
+ * This capability was added in Linux 5.8 to separate out
482
+ * performance monitoring functionality from the overloaded
483
+ * CAP_SYS_ADMIN capability. See also the kernel source file
484
+ * Documentation/admin-guide/perf-security.rst.
485
+ */
154
486
  rb_define_const(rb_cCapability, "PERFMON", INT2NUM(CAP_PERFMON));
155
487
  #endif
156
488
  #ifdef CAP_BPF
489
+ /*
490
+ * Employ privileged BPF operations; see bpf(2) and
491
+ * bpf-helpers(7).
492
+ *
493
+ * This capability was added in Linux 5.8 to separate out BPF
494
+ * functionality from the overloaded CAP_SYS_ADMIN capability.
495
+ * (since Linux 5.8)
496
+ */
157
497
  rb_define_const(rb_cCapability, "BPF", INT2NUM(CAP_BPF));
158
498
  #endif
159
499
  #ifdef CAP_CHECKPOINT_RESTORE
500
+ /*
501
+ * * employ the set_tid feature of clone3(2);
502
+ * * read the contents of the symbolic links in
503
+ * /proc/[pid]/map_files for other processes.
504
+ *
505
+ * This capability was added in Linux 5.9 to separate out
506
+ * checkpoint/restore functionality from the overloaded
507
+ * CAP_SYS_ADMIN capability.
508
+ * (since Linux 5.9)
509
+ */
160
510
  rb_define_const(rb_cCapability, "CHECKPOINT_RESTORE", INT2NUM(CAP_CHECKPOINT_RESTORE));
161
511
  #endif
162
512
  }
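Review bot: The `CAP_BLOCK_SUSPEND` comment is the only one in this block whose body lines carry no leading `*` (`Employ features that can block system suspend ...`), which reads inconsistently next to the `WAKE_ALARM` and `AUDIT_READ` comments around it; prefix those two lines with ` * ` like the rest. The `CAP_BPF` comment states the version twice, once as `This capability was added in Linux 5.8` and again as `(since Linux 5.8)`, and the `CAP_CHECKPOINT_RESTORE` comment does the same with 5.9; one of each pair can go. This hunk closes `Init_capng_capability`, which begins in the previous hunk.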