capng_c 0.1.6 → 0.2.2

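--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: eea2ca339ebb678c88b6c3ee7726878a46c2bdef9a8756daca982bb22bc009a5
- data.tar.gz: 6b792b28771206844c5daac503ad2003c443799ebbf64b27f2f4cc616694a5e7
+ metadata.gz: 2282b438c73cafe667183986b8beef357b3d397eff60249658f94d71326cafc8
+ data.tar.gz: 8bb3439b3e3934efe4e83bda4e256780f4c7bb718a7f4883bc33d530483b5813
  SHA512:
- metadata.gz: 3071407d369065ac165ed2e1c4c8c9962205f9e67601152c884dc0d76bed6720e8c95ebd28b951029ed752f74a82b734876fbfed102e66325dd548b7a23a85b2
- data.tar.gz: f1d1728a2b9de22433383cfeae38d7682f43af05995ef4c26fb4dcf89df58398525a3c8f10cc688ce11e847a55109811add8398c02a6b976d70b2210440c659c
+ metadata.gz: d24ec898c4b40f26cee597a369f10c4ada7973fdba6c4cb51e85812702f2d6684b83e69946e4f019d94ff595380663150d4af1833b99e0f84cba99599a579110
+ data.tar.gz: d077c6cbbc46950174bbd6e0c2cbf296ac679b69a2231f560de846203718d562c920b53343db7d2dde48bd484cbcf3b50904c763f37ae99d330616bac0c015b1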
@@ -0,0 +1,5 @@
1
+ BasedOnStyle: Mozilla
2
+ ColumnLimit: 90
3
+ BinPackParameters: true
4
+ BinPackArguments: false
5
+ AllowShortCaseLabelsOnASingleLine: false
@@ -0,0 +1,35 @@
1
+ name: Apt based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - Debian GNU/Linux Buster amd64
13
+ - Ubuntu Bionic amd64
14
+ - Ubuntu Focal amd64
15
+ include:
16
+ - label: Debian GNU/Linux Buster amd64
17
+ test-docker-image: debian:buster
18
+ test-script: ci/apt-test.sh
19
+ - label: Ubuntu Bionic amd64
20
+ test-docker-image: ubuntu:bionic
21
+ test-script: ci/apt-test.sh
22
+ - label: Ubuntu Focal amd64
23
+ test-docker-image: ubuntu:focal
24
+ test-script: ci/apt-test.sh
25
+ runs-on: ubuntu-latest
26
+ steps:
27
+ - uses: actions/checkout@master
28
+ - name: rake compile & rake test
29
+ run: |
30
+ docker run \
31
+ --rm \
32
+ --tty \
33
+ --volume ${PWD}:/capng \
34
+ ${{ matrix.test-docker-image }} \
35
+ /capng/${{ matrix.test-script }}
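Review bot: `uses: actions/checkout@master` in the steps list tracks a mutable branch, so each run executes whatever that branch points at on the day; pinning to a release tag or a full commit SHA (`uses: actions/checkout@<full-commit-sha>`, placeholder) makes the CI input reproducible and reviewable. The test images (`debian:buster`, `ubuntu:bionic`, `ubuntu:focal`) are likewise pulled by floating tag and could be pinned by digest. The workflow declares no `permissions:` block; the job only checks out and runs tests, so a top-level `permissions:` entry with `contents: read` would restrict the token to what it needs. The "Yum based Linux" workflow added later in this diff has the same three points.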
@@ -1,4 +1,4 @@
1
- name: Linux testing
1
+ name: Multiple Ruby version tests
2
2
  on:
3
3
  - push
4
4
  - pull_request
@@ -0,0 +1,39 @@
1
+ name: Yum based Linux
2
+ on:
3
+ push:
4
+ pull_request:
5
+ jobs:
6
+ build:
7
+ name: Build
8
+ strategy:
9
+ fail-fast: false
10
+ matrix:
11
+ label:
12
+ - CentOS 7 x86_64
13
+ - CentOS 8 x86_64
14
+ - Fedora 33 x86_64
15
+ - AmazonLinux 2 x86_64
16
+ include:
17
+ - label: CentOS 7 x86_64
18
+ test-docker-image: centos:7
19
+ test-script: ci/yum-test.sh
20
+ - label: CentOS 8 x86_64
21
+ test-docker-image: centos:8
22
+ test-script: ci/yum-test.sh
23
+ - label: Fedora 33 x86_64
24
+ test-docker-image: fedora:33
25
+ test-script: ci/yum-test.sh
26
+ - label: AmazonLinux 2 x86_64
27
+ test-docker-image: amazonlinux:2
28
+ test-script: ci/yum-test.sh
29
+ runs-on: ubuntu-latest
30
+ steps:
31
+ - uses: actions/checkout@master
32
+ - name: rake compile & rake test
33
+ run: |
34
+ docker run \
35
+ --rm \
36
+ --tty \
37
+ --volume ${PWD}:/capng \
38
+ ${{ matrix.test-docker-image }} \
39
+ /capng/${{ matrix.test-script }}
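--- a/data/Gemfile
+++ b/data/Gemfile
@@ -2,3 +2,5 @@ source "https://rubygems.org"
 
  # Specify your gem's dependencies in capng_c.gemspec
  gemspec
+
+ gem "irb"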
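--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,24 @@
  # Capng_c
 
- ![Linux testing](https://github.com/cosmo0920/capng_c/workflows/Linux%20testing/badge.svg?branch=main)
+ ![Multiple Ruby version tests](https://github.com/fluent-plugins-nursery/capng_c/workflows/Multiple%20Ruby%20version%20tests/badge.svg?branch=main)
+ ![Apt based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Apt%20based%20Linux/badge.svg?branch=main)
+ ![Yum based Linux](https://github.com/fluent-plugins-nursery/capng_c/workflows/Yum%20based%20Linux/badge.svg?branch=main)
 
  libcap-ng bindings for Ruby.
 
+ ## Prerequisites
+
+ * Building C environment
+ * build-essential on Debian GNU/Linux and Ubuntu
+ * "Development Tools" package group on CentOS 7/8, Fedora 33, AmazonLinux 2
+ * pkg-config package for linking libcap-ng library
+ * libcap-ng and its development packages
+ * libcap-ng-dev on Debian GNU/Linux and Ubuntu
+ * libcap-ng-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+ * Ruby and its development packages
+ * ruby-dev on Debian GNU/Linux and Ubuntu
+ * ruby-devel on CentOS 7/8, Fedora 33, AmazonLinux 2
+
  ## Installation
 
  Add this line to your application's Gemfile:
@@ -32,4 +47,4 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
  ## Contributing
 
- Bug reports and pull requests are welcome on GitHub at https://github.com/cosmo0920/capng_c.
+ Bug reports and pull requests are welcome on GitHub at https://github.com/fluent-plugins-nursery/capng_c.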
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
10
10
 
11
11
  spec.summary = %q{libcap-ng bindings for Ruby.}
12
12
  spec.description = spec.summary
13
- spec.homepage = "https://github.com/cosmo0920/cap-ng_c"
13
+ spec.homepage = "https://github.com/fluent-plugins-nursery/capng_c"
14
14
  spec.license = "Apache-2.0"
15
15
  spec.metadata["allowed_push_host"] = "https://rubygems.org"
16
16
 
@@ -29,7 +29,8 @@ Gem::Specification.new do |spec|
29
29
  spec.required_ruby_version = Gem::Requirement.new(">= 2.4".freeze)
30
30
 
31
31
  spec.add_development_dependency "bundler", [">= 1.16", "< 3"]
32
- spec.add_development_dependency "rake", "~> 12.0"
32
+ spec.add_development_dependency "rake", "~> 13.0"
33
33
  spec.add_development_dependency "rake-compiler", "~> 1.0"
34
34
  spec.add_development_dependency "test-unit", "~> 3.3.3"
35
+ spec.add_development_dependency "yard", "~> 0.9"
35
36
  end
@@ -0,0 +1,15 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ export DEBIAN_FRONTEND=noninteractive
6
+
7
+ apt update
8
+ apt install -V -y lsb-release
9
+
10
+ apt install -V -y ruby-dev git build-essential pkg-config
11
+ apt install -V -y libcap-ng-dev
12
+ cd /capng && \
13
+ gem install bundler --no-document && \
14
+ bundle install && \
15
+ bundle exec rake
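Review bot: The script installs packages through `apt`, whose command-line interface is documented as not stable for use in scripts; `apt-get update` and `apt-get install -V -y ...` are the script-safe equivalents and avoid the warning `apt` prints when its output is not a terminal. `gem install bundler --no-document` takes whichever Bundler release is current at run time, so a CI failure or behaviour change can come from outside the repository; passing an explicit version with `-v` keeps the toolchain fixed. With `set -exu` already in effect, the trailing `&& \` chain is redundant and the four commands can be written one per line.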
@@ -0,0 +1,64 @@
1
+ #!/bin/bash
2
+
3
+ set -exu
4
+
5
+ distribution=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f2)
6
+ version=$(cat /etc/system-release-cpe | awk '{print substr($0, index($1, "o"))}' | cut -d: -f4)
7
+ USE_SCL=0
8
+ USE_AMZN_EXT=0
9
+
10
+ case ${distribution} in
11
+ amazon)
12
+ case ${version} in
13
+ 2)
14
+ DNF=yum
15
+ USE_AMZN_EXT=1
16
+ ;;
17
+ esac
18
+ ;;
19
+ centos)
20
+ case ${version} in
21
+ 7)
22
+ DNF=yum
23
+ USE_SCL=1
24
+ ;;
25
+ *)
26
+ DNF="dnf --enablerepo=powertools"
27
+ ;;
28
+ esac
29
+ ;;
30
+ fedoraproject)
31
+ case ${version} in
32
+ 33)
33
+ DNF=yum
34
+ ;;
35
+ esac
36
+ ;;
37
+ esac
38
+
39
+ ${DNF} groupinstall -y "Development Tools"
40
+
41
+ if [ $USE_SCL -eq 1 ]; then
42
+ ${DNF} install -y centos-release-scl && \
43
+ ${DNF} install -y \
44
+ rh-ruby26-ruby-devel \
45
+ rh-ruby26-rubygems \
46
+ rh-ruby26-rubygem-rake \
47
+ rpm-build
48
+ elif [ $USE_AMZN_EXT -eq 1 ]; then
49
+ amazon-linux-extras install -y ruby2.6 && \
50
+ ${DNF} install -y ruby-devel
51
+ else
52
+ ${DNF} install -y ruby-devel \
53
+ rubygems \
54
+ rpm-build
55
+ fi
56
+ ${DNF} install -y libcap-ng-devel
57
+
58
+ if [ $USE_SCL -eq 1 ]; then
59
+ # For unbound variable error
60
+ export MANPATH=
61
+ cd /capng && source /opt/rh/rh-ruby26/enable && gem install bundler --no-document && bundle install && bundle exec rake
62
+ else
63
+ cd /capng && gem install bundler --no-document && bundle install && bundle exec rake
64
+ fi
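Review bot: `DNF` is assigned only inside the matched `case` arms, and neither the outer `case` nor the `amazon` and `fedoraproject` arms have a `*)` fallback, so any distribution or version not listed reaches `${DNF} groupinstall` with the variable unset and dies under `set -u` with an unbound-variable message rather than a clear one. A fallback arm such as `*) echo "unsupported: ${distribution} ${version}" >&2; exit 1 ;;` in the outer and inner cases makes the failure explicit. The two detection pipelines also run without `pipefail`, so a missing `/etc/system-release-cpe` produces an empty `distribution` instead of an error; `set -o pipefail` next to `set -exu` would catch that. `DNF="dnf --enablerepo=powertools"` depends on word splitting of the unquoted `${DNF}`, which deserves a short comment or a bash array.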
@@ -25,7 +25,8 @@ if Process.uid != 0
25
25
  end
26
26
 
27
27
  path = ARGV[0]
28
- capng = CapNG.new(:file, path)
28
+ capng = CapNG.new
29
+ capng.caps_file(path)
29
30
  print = CapNG::Print.new
30
31
  puts "capability: #{print.caps_text(:buffer, :effective)}"
31
32
  capng.clear(:caps)
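Review bot: The result of `capng.caps_file(path)` is discarded, and `path = ARGV[0]` is nil when the script is started without an argument. If `caps_file` reports failure through its return value rather than by raising (not visible in this hunk), the script goes on to print and then clear capability state that was never loaded from the file, which matters for a root-only tool that people will copy. A guard such as `abort "usage: #{$0} FILE" unless path` before the call, plus a check of the `caps_file` result, would close both gaps. The script continues past the end of the hunk.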
@@ -13,21 +13,37 @@
13
13
 
14
14
  #include <capng.h>
15
15
 
16
- struct CapNGCapability {};
17
-
18
- static void capng_capability_free(void* capng);
19
-
20
- static const rb_data_type_t rb_capng_capability_type = {
21
- "capng_capability/c_runtime",
22
- {
23
- 0,
24
- capng_capability_free,
25
- 0,
26
- },
27
- NULL,
28
- NULL,
29
- RUBY_TYPED_FREE_IMMEDIATELY
30
- };
16
+ /* clang-format off */
17
+ /*
18
+ * Document-class: CapNG::Capability
19
+ *
20
+ * Check Linux capabilities and define its constants.
21
+ *
22
+ * @example
23
+ * require 'capng'
24
+ *
25
+ * @cap = CapNG::Capability.new
26
+ *
27
+ * @cap.from_name(:dac_read_search) #=> 2
28
+ * @cap.to_name(CapNG::Capability::DAC_READ_SEARCH) #=> "dac_read_search"
29
+ */
30
+ /* clang-format on */
31
+
32
+ struct CapNGCapability
33
+ {};
34
+
35
+ static void
36
+ capng_capability_free(void* capng);
37
+
38
+ static const rb_data_type_t rb_capng_capability_type = { "capng_capability/c_runtime",
39
+ {
40
+ 0,
41
+ capng_capability_free,
42
+ 0,
43
+ },
44
+ NULL,
45
+ NULL,
46
+ RUBY_TYPED_FREE_IMMEDIATELY };
31
47
 
32
48
  static void
33
49
  capng_capability_free(void* ptr)
@@ -45,16 +61,29 @@ rb_capng_capability_alloc(VALUE klass)
45
61
  return obj;
46
62
  }
47
63
 
64
+ /*
65
+ * Initalize Capability class.
66
+ *
67
+ * @return [nil]
68
+ *
69
+ */
48
70
  static VALUE
49
71
  rb_capng_capability_initialize(VALUE self)
50
72
  {
51
73
  return Qnil;
52
74
  }
53
75
 
76
+ /*
77
+ * Obtain capability name from capability value.
78
+ *
79
+ * @param rb_capability [Integer] Capability constant value.
80
+ * @return [String]
81
+ *
82
+ */
54
83
  static VALUE
55
84
  rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
56
85
  {
57
- const char *name = capng_capability_to_name(NUM2UINT(rb_capability));
86
+ const char* name = capng_capability_to_name(NUM2UINT(rb_capability));
58
87
 
59
88
  if (name)
60
89
  return rb_str_new2(name);
@@ -62,24 +91,53 @@ rb_capng_capability_to_name(VALUE self, VALUE rb_capability)
62
91
  return rb_str_new2("unknown");
63
92
  }
64
93
 
94
+ /*
95
+ * Obtain capability value from capability name.
96
+ *
97
+ * @param rb_capability_name_or_symbol [String or Symbol] Capability constant value.
98
+ * @return [Integer]
99
+ *
100
+ */
65
101
  static VALUE
66
102
  rb_capng_capability_from_name(VALUE self, VALUE rb_capability_name_or_symbol)
67
103
  {
68
104
  unsigned int capability;
69
105
 
70
106
  switch (TYPE(rb_capability_name_or_symbol)) {
71
- case T_SYMBOL:
72
- capability = capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
73
- break;
74
- case T_STRING:
75
- capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
76
- break;
77
- default:
78
- rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
107
+ case T_SYMBOL:
108
+ capability =
109
+ capng_name_to_capability(RSTRING_PTR(rb_sym2str(rb_capability_name_or_symbol)));
110
+ break;
111
+ case T_STRING:
112
+ capability = capng_name_to_capability(StringValuePtr(rb_capability_name_or_symbol));
113
+ break;
114
+ default:
115
+ rb_raise(rb_eArgError, "Expected a String or a Symbol instance");
79
116
  }
80
117
  return INT2NUM(capability);
81
118
  }
82
119
 
120
+ /*
121
+ * Obtain capability code and name pairs with enumerable.
122
+ *
123
+ * @yield [Integer, String]
124
+ * @return [nil]
125
+ *
126
+ */
127
+ static VALUE
128
+ rb_capng_capability_each(VALUE self)
129
+ {
130
+ RETURN_ENUMERATOR(self, 0, 0);
131
+
132
+ for (int i = 0; capabilityInfoTable[i].name != NULL; i++) {
133
+ rb_yield_values(2,
134
+ INT2NUM(capabilityInfoTable[i].code),
135
+ rb_str_new2(capabilityInfoTable[i].name));
136
+ }
137
+
138
+ return Qnil;
139
+ }
140
+
83
141
  void
84
142
  Init_capng_capability(VALUE rb_cCapNG)
85
143
  {
@@ -90,49 +148,303 @@ Init_capng_capability(VALUE rb_cCapNG)
90
148
  rb_define_method(rb_cCapability, "initialize", rb_capng_capability_initialize, 0);
91
149
  rb_define_method(rb_cCapability, "to_name", rb_capng_capability_to_name, 1);
92
150
  rb_define_method(rb_cCapability, "from_name", rb_capng_capability_from_name, 1);
151
+ rb_define_method(rb_cCapability, "each", rb_capng_capability_each, 0);
93
152
 
94
153
  // Capability constants.
154
+
155
+ /* Make arbitrary changes to file UIDs and GIDs (see chown(2)). */
95
156
  rb_define_const(rb_cCapability, "CHOWN", INT2NUM(CAP_CHOWN));
157
+ /*
158
+ * Bypass file read, write, and execute permission checks. (DAC
159
+ * is an abbreviation of "discretionary access control".) */
96
160
  rb_define_const(rb_cCapability, "DAC_OVERRIDE", INT2NUM(CAP_DAC_OVERRIDE));
161
+ /*
162
+ * * Bypass file read permission checks and directory read and execute permission
163
+ * checks;
164
+ * * invoke open_by_handle_at(2);
165
+ * * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a
166
+ * file descriptor.
167
+ */
97
168
  rb_define_const(rb_cCapability, "DAC_READ_SEARCH", INT2NUM(CAP_DAC_READ_SEARCH));
169
+ /*
170
+ * * Bypass permission checks on operations that normally require
171
+ * the filesystem UID of the process to match the UID of the
172
+ * file (e.g., chmod(2), utime(2)), excluding those operations
173
+ * covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
174
+ * * set inode flags (see ioctl_iflags(2)) on arbitrary files;
175
+ * * set Access Control Lists (ACLs) on arbitrary files;
176
+ * * ignore directory sticky bit on file deletion;
177
+ * * modify user extended attributes on sticky directory owned by
178
+ * any user;
179
+ * * specify O_NOATIME for arbitrary files in open(2) and
180
+ * fcntl(2).
181
+ */
98
182
  rb_define_const(rb_cCapability, "FOWNER", INT2NUM(CAP_FOWNER));
183
+ /*
184
+ * * Don't clear set-user-ID and set-group-ID mode bits when a
185
+ * file is modified;
186
+ * * set the set-group-ID bit for a file whose GID does not match
187
+ * the filesystem or any of the supplementary GIDs of the
188
+ * calling process.
189
+ */
99
190
  rb_define_const(rb_cCapability, "FSETID", INT2NUM(CAP_FSETID));
191
+ /* Bypass permission checks for sending signals (see kill(2)).
192
+ * This includes use of the ioctl(2) KDSIGACCEPT operation. */
100
193
  rb_define_const(rb_cCapability, "KILL", INT2NUM(CAP_KILL));
194
+ /*
195
+ * * Make arbitrary manipulations of process GIDs and
196
+ * supplementary GID list;
197
+ * * forge GID when passing socket credentials via UNIX domain
198
+ * sockets;
199
+ * * write a group ID mapping in a user namespace (see
200
+ * user_namespaces(7)).
201
+ */
101
202
  rb_define_const(rb_cCapability, "SETGID", INT2NUM(CAP_SETGID));
203
+ /*
204
+ * * Make arbitrary manipulations of process UIDs (setuid(2),
205
+ * setreuid(2), setresuid(2), setfsuid(2));
206
+ * * forge UID when passing socket credentials via UNIX domain
207
+ * sockets;
208
+ * * write a user ID mapping in a user namespace (see
209
+ * user_namespaces(7)).
210
+ */
102
211
  rb_define_const(rb_cCapability, "SETUID", INT2NUM(CAP_SETUID));
212
+ /*
213
+ * If file capabilities are supported (i.e., since Linux 2.6.24):
214
+ * add any capability from the calling thread's bounding set to
215
+ * its inheritable set; drop capabilities from the bounding set
216
+ * (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits
217
+ * flags.
218
+ *
219
+ * If file capabilities are not supported (i.e., kernels before
220
+ * Linux 2.6.24): grant or remove any capability in the caller's
221
+ * permitted capability set to or from any other process. (This
222
+ * property of CAP_SETPCAP is not available when the kernel is
223
+ * configured to support file capabilities, since CAP_SETPCAP has
224
+ * entirely different semantics for such kernels.)
225
+ */
103
226
  rb_define_const(rb_cCapability, "SETPCAP", INT2NUM(CAP_SETPCAP));
227
+ /* Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see ioctl_iflags(2)). */
104
228
  rb_define_const(rb_cCapability, "LINUX_IMMUTABLE", INT2NUM(CAP_LINUX_IMMUTABLE));
229
+ /* Bind a socket to Internet domain privileged ports (port numbers less than 1024).*/
105
230
  rb_define_const(rb_cCapability, "NET_BIND_SERIVCE", INT2NUM(CAP_NET_BIND_SERVICE));
231
+ /* (Unused) Make socket broadcasts, and listen to multicasts. */
106
232
  rb_define_const(rb_cCapability, "NET_BROATCAST", INT2NUM(CAP_NET_BROADCAST));
233
+ /* Perform various network-related operations:
234
+ *
235
+ * * interface configuration;
236
+ * * administration of IP firewall, masquerading, and accounting;
237
+ * * modify routing tables;
238
+ * * bind to any address for transparent proxying;
239
+ * * set type-of-service (TOS);
240
+ * * clear driver statistics;
241
+ * * set promiscuous mode;
242
+ * * enabling multicasting;
243
+ * * use setsockopt(2) to set the following socket options:
244
+ * * SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
245
+ * * range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
246
+ */
107
247
  rb_define_const(rb_cCapability, "NET_ADMIN", INT2NUM(CAP_NET_ADMIN));
248
+ /*
249
+ * * Use RAW and PACKET sockets;
250
+ * * bind to any address for transparent proxying.
251
+ */
108
252
  rb_define_const(rb_cCapability, "NET_RAW", INT2NUM(CAP_NET_RAW));
253
+ /* Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). */
109
254
  rb_define_const(rb_cCapability, "IPC_LOCK", INT2NUM(CAP_IPC_LOCK));
255
+ /* Bypass permission checks for operations on System V IPC
256
+ * objects.
257
+ */
110
258
  rb_define_const(rb_cCapability, "IPC_OWNER", INT2NUM(CAP_IPC_OWNER));
259
+ /*
260
+ * * Load and unload kernel modules (see init_module(2) and
261
+ * delete_module(2)) in kernels before 2.6.25
262
+ * * drop capabilities from the system-wide capability bounding set.
263
+ */
111
264
  rb_define_const(rb_cCapability, "SYS_MODULE", INT2NUM(CAP_SYS_MODULE));
265
+ /*
266
+ * * Perform I/O port operations (iopl(2) and ioperm(2));
267
+ * * access /proc/kcore;
268
+ * * employ the FIBMAP ioctl(2) operation;
269
+ * * open devices for accessing x86 model-specific registers
270
+ * (MSRs, see msr(4));
271
+ * * update /proc/sys/vm/mmap_min_addr;
272
+ * * create memory mappings at addresses below the value
273
+ * specified by /proc/sys/vm/mmap_min_addr;
274
+ * * map files in /proc/bus/pci;
275
+ * * open /dev/mem and /dev/kmem;
276
+ * * perform various SCSI device commands;
277
+ * * perform certain operations on hpsa(4) and cciss(4) devices;
278
+ * * perform a range of device-specific operations on other
279
+ * devices.
280
+ */
112
281
  rb_define_const(rb_cCapability, "SYS_RAWIO", INT2NUM(CAP_SYS_RAWIO));
282
+ /*
283
+ * * Use chroot(2);
284
+ * * change mount namespaces using setns(2).
285
+ */
113
286
  rb_define_const(rb_cCapability, "SYS_CHROOT", INT2NUM(CAP_SYS_CHROOT));
287
+ /*
288
+ * * Trace arbitrary processes using ptrace(2);
289
+ * * apply get_robust_list(2) to arbitrary processes;
290
+ * * transfer data to or from the memory of arbitrary processes
291
+ * using process_vm_readv(2) and process_vm_writev(2);
292
+ * * inspect processes using kcmp(2).
293
+ */
114
294
  rb_define_const(rb_cCapability, "SYS_PTRACE", INT2NUM(CAP_SYS_PTRACE));
295
+ /* Use acct(2). */
115
296
  rb_define_const(rb_cCapability, "SYS_PACCT", INT2NUM(CAP_SYS_PACCT));
297
+ /*
298
+ * Note:
299
+ * this capability is overloaded; see Notes to kernel developers, below.
300
+ *
301
+ * * Perform a range of system administration operations
302
+ * including: quotactl(2), mount(2), umount(2), pivot_root(2),
303
+ * swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
304
+ * * perform privileged syslog(2) operations (since Linux 2.6.37,
305
+ * CAP_SYSLOG should be used to permit such operations);
306
+ * * perform VM86_REQUEST_IRQ vm86(2) command;
307
+ * * access the same checkpoint/restore functionality that is
308
+ * governed by CAP_CHECKPOINT_RESTORE (but the latter, weaker
309
+ * capability is preferred for accessing that functionality).
310
+ * * perform the same BPF operations as are governed by CAP_BPF
311
+ * (but the latter, weaker capability is preferred for
312
+ * accessing that functionality).
313
+ * * employ the same performance monitoring mechanisms as are
314
+ * governed by CAP_PERFMON (but the latter, weaker capability
315
+ * is preferred for accessing that functionality).
316
+ * * perform IPC_SET and IPC_RMID operations on arbitrary System
317
+ * V IPC objects;
318
+ * * override RLIMIT_NPROC resource limit;
319
+ * * perform operations on trusted and security extended
320
+ * attributes (see xattr(7));
321
+ * * use lookup_dcookie(2);
322
+ * * use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
323
+ * Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
324
+ * * forge PID when passing socket credentials via UNIX domain
325
+ * sockets;
326
+ * * exceed /proc/sys/fs/file-max, the system-wide limit on the
327
+ * number of open files, in system calls that open files (e.g.,
328
+ * accept(2), execve(2), open(2), pipe(2));
329
+ * * employ CLONE_* flags that create new namespaces with
330
+ * clone(2) and unshare(2) (but, since Linux 3.8, creating user
331
+ * namespaces does not require any capability);
332
+ * * access privileged perf event information;
333
+ * * call setns(2) (requires CAP_SYS_ADMIN in the target
334
+ * namespace);
335
+ * * call fanotify_init(2);
336
+ * * perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
337
+ * operations;
338
+ * * perform madvise(2) MADV_HWPOISON operation;
339
+ * * employ the TIOCSTI ioctl(2) to insert characters into the
340
+ * input queue of a terminal other than the caller's
341
+ * controlling terminal;
342
+ * * employ the obsolete nfsservctl(2) system call;
343
+ * * employ the obsolete bdflush(2) system call;
344
+ * * perform various privileged block-device ioctl(2) operations;
345
+ * * perform various privileged filesystem ioctl(2) operations;
346
+ * * perform privileged ioctl(2) operations on the /dev/random
347
+ * device (see random(4));
348
+ * * install a seccomp(2) filter without first having to set the
349
+ * no_new_privs thread attribute;
350
+ * * modify allow/deny rules for device control groups;
351
+ * * employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
352
+ * dump tracee's seccomp filters;
353
+ * * employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
354
+ * the tracee's seccomp protections (i.e., the
355
+ * PTRACE_O_SUSPEND_SECCOMP flag);
356
+ * * perform administrative operations on many device drivers;
357
+ * * modify autogroup nice values by writing to
358
+ * /proc/[pid]/autogroup (see sched(7)).
359
+ */
116
360
  rb_define_const(rb_cCapability, "SYS_ADMIN", INT2NUM(CAP_SYS_ADMIN));
361
+ /* Use reboot(2) and kexec_load(2). */
117
362
  rb_define_const(rb_cCapability, "SYS_BOOT", INT2NUM(CAP_SYS_BOOT));
363
+ /*
364
+ * * Lower the process nice value (nice(2), setpriority(2)) and
365
+ * change the nice value for arbitrary processes;
366
+ * * set real-time scheduling policies for calling process, and
367
+ * set scheduling policies and priorities for arbitrary
368
+ * processes (sched_setscheduler(2), sched_setparam(2),
369
+ * sched_setattr(2));
370
+ * * set CPU affinity for arbitrary processes
371
+ * (sched_setaffinity(2));
372
+ * * set I/O scheduling class and priority for arbitrary
373
+ * processes (ioprio_set(2));
374
+ * * apply migrate_pages(2) to arbitrary processes and allow
375
+ * processes to be migrated to arbitrary nodes;
376
+ * * apply move_pages(2) to arbitrary processes;
377
+ * * use the MPOL_MF_MOVE_ALL flag with mbind(2) and
378
+ * move_pages(2).
379
+ */
118
380
  rb_define_const(rb_cCapability, "SYS_NICE", INT2NUM(CAP_SYS_NICE));
381
+ /*
382
+ * * Use reserved space on ext2 filesystems;
383
+ * * make ioctl(2) calls controlling ext3 journaling;
384
+ * * override disk quota limits;
385
+ * * increase resource limits (see setrlimit(2));
386
+ * * override RLIMIT_NPROC resource limit;
387
+ * * override maximum number of consoles on console allocation;
388
+ * * override maximum number of keymaps;
389
+ * * allow more than 64hz interrupts from the real-time clock;
390
+ * * raise msg_qbytes limit for a System V message queue above
391
+ * the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
392
+ * msgctl(2));
393
+ * * allow the RLIMIT_NOFILE resource limit on the number of "in-
394
+ * flight" file descriptors to be bypassed when passing file
395
+ * descriptors to another process via a UNIX domain socket (see
396
+ * unix(7));
397
+ * * override the /proc/sys/fs/pipe-size-max limit when setting
398
+ * the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
399
+ * command;
400
+ * * use F_SETPIPE_SZ to increase the capacity of a pipe above
401
+ * the limit specified by /proc/sys/fs/pipe-max-size;
402
+ * * override /proc/sys/fs/mqueue/queues_max,
403
+ * /proc/sys/fs/mqueue/msg_max, and
404
+ * /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX
405
+ * message queues (see mq_overview(7));
406
+ * * employ the prctl(2) PR_SET_MM operation;
407
+ * * set /proc/[pid]/oom_score_adj to a value lower than the
408
+ * value last set by a process with CAP_SYS_RESOURCE.
409
+ */
119
410
  rb_define_const(rb_cCapability, "SYS_RESOURCE", INT2NUM(CAP_SYS_RESOURCE));
411
+ /* Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
412
+ * real-time (hardware) clock.*/
120
413
  rb_define_const(rb_cCapability, "SYS_TIME", INT2NUM(CAP_SYS_TIME));
414
+ /* Use vhangup(2); employ various privileged ioctl(2) operations
415
+ * on virtual terminals.
416
+ */
121
417
  rb_define_const(rb_cCapability, "TTY_CONFIG", INT2NUM(CAP_SYS_TTY_CONFIG));
418
+ /* Create special files using mknod(2). (since Linux 2.4) */
122
419
  rb_define_const(rb_cCapability, "MKNOD", INT2NUM(CAP_MKNOD));
420
+ /* Establish leases on arbitrary files (see fcntl(2)). (since Linux 2.4) */
123
421
  rb_define_const(rb_cCapability, "LEASE", INT2NUM(CAP_LEASE));
422
+ /* Write records to kernel auditing log. (since Linux 2.6.11) */
124
423
  rb_define_const(rb_cCapability, "AUDIT_WRITE", INT2NUM(CAP_AUDIT_WRITE));
424
+ /* Enable and disable kernel auditing; change auditing filter
425
+ * rules; retrieve auditing status and filtering rules. (since Linux 2.6.11)*/
125
426
  rb_define_const(rb_cCapability, "AUDIT_CONTROL", INT2NUM(CAP_AUDIT_CONTROL));
126
427
  #ifdef CAP_SETFCAP
428
+ /* Set arbitrary capabilities on a file. since Linux 2.6.24) */
127
429
  rb_define_const(rb_cCapability, "SETFCAP", INT2NUM(CAP_SETFCAP));
128
430
  #endif
129
431
  #ifdef CAP_MAC_OVERRIDE
130
432
  rb_define_const(rb_cCapability, "MAC_OVERRIDE", INT2NUM(CAP_MAC_OVERRIDE));
131
433
  #endif
132
434
  #ifdef CAP_MAC_ADMIN
435
+ /* Allow MAC configuration or state changes. Implemented for the
436
+ * Smack Linux Security Module (LSM). (since Linux 2.6.25)
437
+ */
133
438
  rb_define_const(rb_cCapability, "MAC_ADMIN", INT2NUM(CAP_MAC_ADMIN));
134
439
  #endif
135
440
  #ifdef CAP_SYSLOG
441
+ /*
442
+ * * Perform privileged syslog(2) operations. See syslog(2) for
443
+ * information on which operations require privilege.
444
+ * * View kernel addresses exposed via /proc and other interfaces
445
+ * when /proc/sys/kernel/kptr_restrict has the value 1. (See
446
+ * the discussion of the kptr_restrict in proc(5).)
447
+ */
136
448
  rb_define_const(rb_cCapability, "SYSLOG", INT2NUM(CAP_SYSLOG));
137
449
  #endif
138
450
  #if defined(CAP_EPOLLWAKEUP) && defined(CAP_BLOCK_SUSPEND)
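Review bot: The constants documented here as `NET_BIND_SERIVCE` and `NET_BROATCAST` are misspelled, so `CapNG::Capability::NET_BIND_SERVICE` raises NameError for callers who use the kernel's spelling. Now that these names get published API docs, add correctly spelled constants beside them and keep the old ones for compatibility, e.g. `rb_define_const(rb_cCapability, "NET_BIND_SERVICE", INT2NUM(CAP_NET_BIND_SERVICE));`. The `SYS_MODULE` comment has lost the structure of capabilities(7): module loading is not limited to kernels before 2.6.25, only the bounding-set item is. `MAC_OVERRIDE` is the one constant in this hunk left without a comment, and the `SETFCAP` comment has an unbalanced parenthesis. `Init_capng_capability` starts before this hunk and continues after it.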
@@ -142,21 +454,59 @@ Init_capng_capability(VALUE rb_cCapNG)
142
454
  rb_define_const(rb_cCapability, "EPOLLWAKEUP", INT2NUM(CAP_EPOLLWAKEUP));
143
455
  #endif
144
456
  #ifdef CAP_WAKE_ALARM
457
+ /* Trigger something that will wake up the system (set
458
+ * CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
459
+ */
145
460
  rb_define_const(rb_cCapability, "WAKE_ALARM", INT2NUM(CAP_WAKE_ALARM));
146
461
  #endif
147
462
  #ifdef CAP_BLOCK_SUSPEND
463
+ /*
464
+ Employ features that can block system suspend (epoll(7)
465
+ EPOLLWAKEUP, /proc/sys/wake_lock). (since Linux 3.5)
466
+ */
148
467
  rb_define_const(rb_cCapability, "BLOCK_SUSPEND", INT2NUM(CAP_BLOCK_SUSPEND));
149
468
  #endif
150
469
  #ifdef CAP_AUDIT_READ
470
+ /* Allow reading the audit log via a multicast netlink socket. (since Linux 3.16) */
151
471
  rb_define_const(rb_cCapability, "AUDIT_READ", INT2NUM(CAP_AUDIT_READ));
152
472
  #endif
153
473
  #ifdef CAP_PERFMON
474
+ /*
475
+ * Employ various performance-monitoring mechanisms, including:
476
+ *
477
+ * * call perf_event_open(2)
478
+ * * employ various BPF operations that have performance
479
+ * implications.
480
+ *
481
+ * This capability was added in Linux 5.8 to separate out
482
+ * performance monitoring functionality from the overloaded
483
+ * CAP_SYS_ADMIN capability. See also the kernel source file
484
+ * Documentation/admin-guide/perf-security.rst.
485
+ */
154
486
  rb_define_const(rb_cCapability, "PERFMON", INT2NUM(CAP_PERFMON));
155
487
  #endif
156
488
  #ifdef CAP_BPF
489
+ /*
490
+ * Employ privileged BPF operations; see bpf(2) and
491
+ * bpf-helpers(7).
492
+ *
493
+ * This capability was added in Linux 5.8 to separate out BPF
494
+ * functionality from the overloaded CAP_SYS_ADMIN capability.
495
+ * (since Linux 5.8)
496
+ */
157
497
  rb_define_const(rb_cCapability, "BPF", INT2NUM(CAP_BPF));
158
498
  #endif
159
499
  #ifdef CAP_CHECKPOINT_RESTORE
500
+ /*
501
+ * * employ the set_tid feature of clone3(2);
502
+ * * read the contents of the symbolic links in
503
+ * /proc/[pid]/map_files for other processes.
504
+ *
505
+ * This capability was added in Linux 5.9 to separate out
506
+ * checkpoint/restore functionality from the overloaded
507
+ * CAP_SYS_ADMIN capability.
508
+ * (since Linux 5.9)
509
+ */
160
510
  rb_define_const(rb_cCapability, "CHECKPOINT_RESTORE", INT2NUM(CAP_CHECKPOINT_RESTORE));
161
511
  #endif
162
512
  }