Lines Matching +full:allow +full:- +full:set +full:- +full:time

1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
11 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
19 /* User-level code does most of the mapping between kernel and user
25 a set of three capability sets. The transposition of 3*the
33 #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
95 * Backwardly compatible definition for source code - trapped in a
96 * 32-bit world. If you find you need this, please consider using
106 ** POSIX-draft defined capabilities.
154 /* Allows set*uid(2) manipulation (including fsuid). */
161 ** Linux-specific capabilities
165 * Transfer any capability in your permitted set to any pid,
166 * remove any capability in your permitted set from any pid
168 * Add any capability from current's capability bounding set
169 * to the current process' inheritable set
170 * Allow taking bits out of capability bounding set
171 * Allow modification of the securebits for a process
176 /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
185 /* Allow broadcasting, listen to multicast */
189 /* Allow interface configuration */
190 /* Allow administration of IP firewall, masquerading and accounting */
191 /* Allow setting debug option on sockets */
192 /* Allow modification of routing tables */
193 /* Allow setting arbitrary process / process group ownership on
195 /* Allow binding to any address for transparent proxying (also via NET_RAW) */
196 /* Allow setting TOS (type of service) */
197 /* Allow setting promiscuous mode */
198 /* Allow clearing driver statistics */
199 /* Allow multicasting */
200 /* Allow read/write of device-specific registers */
201 /* Allow activation of ATM control sockets */
205 /* Allow use of RAW sockets */
206 /* Allow use of PACKET sockets */
207 /* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
211 /* Allow locking of shared memory segments */
212 /* Allow mlock and mlockall (which doesn't really have anything to do
221 /* Insert and remove kernel modules - modify kernel without limit */
224 /* Allow ioperm/iopl access */
225 /* Allow sending USB messages to any device via /dev/bus/usb */
229 /* Allow use of chroot() */
233 /* Allow ptrace() of any process */
237 /* Allow configuration of process accounting */
241 /* Allow configuration of the secure attention key */
242 /* Allow administration of the random device */
243 /* Allow examination and configuration of disk quotas */
244 /* Allow setting the domainname */
245 /* Allow setting the hostname */
246 /* Allow mount() and umount(), setting up new smb connection */
247 /* Allow some autofs root ioctls */
248 /* Allow nfsservctl */
249 /* Allow VM86_REQUEST_IRQ */
250 /* Allow reading/writing pci config on alpha */
251 /* Allow irix_prctl on mips (setstacksize) */
252 /* Allow flushing all cache on m68k (sys_cacheflush) */
253 /* Allow removing semaphores */
256 /* Allow locking/unlocking of shared memory segment */
257 /* Allow turning swap on/off */
258 /* Allow forged pids on socket credentials passing */
259 /* Allow setting readahead and flushing buffers on block devices */
260 /* Allow setting geometry in floppy driver */
261 /* Allow turning DMA on/off in xd driver */
262 /* Allow administration of md devices (mostly the above, but some
264 /* Allow tuning the ide driver */
265 /* Allow access to the nvram device */
266 /* Allow administration of apm_bios, serial and bttv (TV) device */
267 /* Allow manufacturer commands in isdn CAPI support driver */
268 /* Allow reading non-standardized portions of pci configuration space */
269 /* Allow DDI debug ioctl on sbpcd driver */
270 /* Allow setting up serial ports */
271 /* Allow sending raw qic-117 commands */
272 /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
274 /* Allow setting encryption key on loopback filesystem */
275 /* Allow setting zone reclaim policy */
276 /* Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility */
280 /* Allow use of reboot() */
284 /* Allow raising priority and setting priority on other (different
286 /* Allow use of FIFO and round-robin (realtime) scheduling on own
289 /* Allow setting cpu affinity on other processes */
290 /* Allow setting realtime ioprio class */
291 /* Allow setting ioprio class on other processes */
295 /* Override resource limits. Set resource limits. */
303 /* Allow more than 64hz interrupts from the real-time clock */
310 /* Allow manipulation of system clock */
311 /* Allow irix_stime on mips */
312 /* Allow setting the real-time clock */
316 /* Allow configuration of tty devices */
317 /* Allow vhangup() of tty */
321 /* Allow the privileged aspects of mknod() */
325 /* Allow taking of leases on files */
329 /* Allow writing the audit log via unicast netlink socket */
333 /* Allow configuration of audit via unicast netlink socket */
337 /* Set or remove capabilities on files.
350 /* Allow MAC configuration or state changes.
359 /* Allow configuring the kernel's syslog (printk behaviour) */
363 /* Allow triggering something that will wake the system */
367 /* Allow preventing system suspends */
371 /* Allow reading the audit log via multicast netlink socket */
376 * Allow system performance and observability privileged operations
384 * - Creating all types of BPF maps
385 * - Advanced verifier features
386 * - Indirect variable access
387 * - Bounded loops
388 * - BPF to BPF function calls
389 * - Scalar precision tracking
390 * - Larger complexity limits
391 * - Dead code elimination
392 * - And potentially other features
393 * - Loading BPF Type Format (BTF) data
394 * - Retrieve xlated and JITed code of BPF programs
395 * - Use bpf_spin_lock() helper
398 * - BPF progs can use pointer-to-integer conversions
399 * - speculation attack hardening measures are bypassed
400 * - bpf_probe_read to read arbitrary kernel memory is allowed
401 * - bpf_trace_printk to print kernel memory is allowed
414 /* Allow checkpoint/restore related operations */
415 /* Allow PID selection during clone3() */
416 /* Allow writing to ns_last_pid */
425 * Bit location of each capability (used by user-space library and kernel)