Diffstat (limited to 'doc/values')
41 files changed, 247 insertions, 0 deletions
diff --git a/doc/values/0.txt b/doc/values/0.txt
new file mode 100644
index 0000000..dd2f360
--- /dev/null
+++ b/doc/values/0.txt
@@ -0,0 +1,2 @@
+Allows a process to arbitrarily change the user and
+group ownership of a file.
diff --git a/doc/values/1.txt b/doc/values/1.txt
new file mode 100644
index 0000000..a0e7f72
--- /dev/null
+++ b/doc/values/1.txt
@@ -0,0 +1,5 @@
+Allows a process to override of all Discretionary
+Access Control (DAC) access, including ACL execute
+access. That is read, write or execute files that the
+process would otherwise not have access to. This
+excludes DAC access covered by CAP_LINUX_IMMUTABLE.
diff --git a/doc/values/10.txt b/doc/values/10.txt
new file mode 100644
index 0000000..8335a6b
--- /dev/null
+++ b/doc/values/10.txt
@@ -0,0 +1,3 @@
+Allows a process to bind to privileged ports:
+ - TCP/UDP sockets below 1024
+ - ATM VCIs below 32
diff --git a/doc/values/11.txt b/doc/values/11.txt
new file mode 100644
index 0000000..6f63994
--- /dev/null
+++ b/doc/values/11.txt
@@ -0,0 +1,2 @@
+Allows a process to broadcast to the network and to
+listen to multicast.
diff --git a/doc/values/12.txt b/doc/values/12.txt
new file mode 100644
index 0000000..f4dc172
--- /dev/null
+++ b/doc/values/12.txt
@@ -0,0 +1,17 @@
+Allows a process to perform network configuration
+operations:
+ - interface configuration
+ - administration of IP firewall, masquerading and
+ accounting
+ - setting debug options on sockets
+ - modification of routing tables
+ - setting arbitrary process, and process group
+ ownership on sockets
+ - binding to any address for transparent proxying
+ (this is also allowed via CAP_NET_RAW)
+ - setting TOS (Type of service)
+ - setting promiscuous mode
+ - clearing driver statistics
+ - multicasing
+ - read/write of device-specific registers
+ - activation of ATM control sockets
diff --git a/doc/values/13.txt b/doc/values/13.txt
new file mode 100644
index 0000000..7a1faf7
--- /dev/null
+++ b/doc/values/13.txt
@@ -0,0 +1,5 @@
+Allows a process to use raw networking:
+ - RAW sockets
+ - PACKET sockets
+ - binding to any address for transparent proxying
+ (also permitted via CAP_NET_ADMIN)
diff --git a/doc/values/14.txt b/doc/values/14.txt
new file mode 100644
index 0000000..1f248d6
--- /dev/null
+++ b/doc/values/14.txt
@@ -0,0 +1,3 @@
+Allows a process to lock shared memory segments for IPC
+purposes. Also enables mlock and mlockall system
+calls.
diff --git a/doc/values/15.txt b/doc/values/15.txt
new file mode 100644
index 0000000..0f5e13c
--- /dev/null
+++ b/doc/values/15.txt
@@ -0,0 +1 @@
+Allows a process to override IPC ownership checks.
diff --git a/doc/values/16.txt b/doc/values/16.txt
new file mode 100644
index 0000000..03373b0
--- /dev/null
+++ b/doc/values/16.txt
@@ -0,0 +1,3 @@
+Allows a process to initiate the loading and unloading
+of kernel modules. This capability can effectively
+modify kernel without limit.
diff --git a/doc/values/17.txt b/doc/values/17.txt
new file mode 100644
index 0000000..79474af
--- /dev/null
+++ b/doc/values/17.txt
@@ -0,0 +1,4 @@
+Allows a process to perform raw IO:
+ - permit ioper/iopl access
+ - permit sending USB messages to any device via
+ /dev/bus/usb
diff --git a/doc/values/18.txt b/doc/values/18.txt
new file mode 100644
index 0000000..2ee0e2a
--- /dev/null
+++ b/doc/values/18.txt
@@ -0,0 +1,3 @@
+Allows a process to perform a chroot syscall to change
+the effective root of the process' file system:
+redirect to directory "/" to some other location.
diff --git a/doc/values/19.txt b/doc/values/19.txt
new file mode 100644
index 0000000..2861571
--- /dev/null
+++ b/doc/values/19.txt
@@ -0,0 +1,2 @@
+Allows a process to perform a ptrace() of any other
+process.
diff --git a/doc/values/2.txt b/doc/values/2.txt
new file mode 100644
index 0000000..99f0031
--- /dev/null
+++ b/doc/values/2.txt
@@ -0,0 +1,4 @@
+Allows a process to override all DAC restrictions
+limiting the read and search of files and
+directories. This excludes DAC access covered by
+CAP_LINUX_IMMUTABLE.
diff --git a/doc/values/20.txt b/doc/values/20.txt
new file mode 100644
index 0000000..3f5796f
--- /dev/null
+++ b/doc/values/20.txt
@@ -0,0 +1 @@
+Allows a process to configure process accounting.
diff --git a/doc/values/21.txt b/doc/values/21.txt
new file mode 100644
index 0000000..4cff57d
--- /dev/null
+++ b/doc/values/21.txt
@@ -0,0 +1,43 @@
+Allows a process to perform a somewhat arbitrary
+grab-bag of privileged operations. Over time, this
+capability should weaken as specific capabilities are
+created for subsets of CAP_SYS_ADMINs functionality:
+ - configuration of the secure attention key
+ - administration of the random device
+ - examination and configuration of disk quotas
+ - setting the domainname
+ - setting the hostname
+ - calling bdflush()
+ - mount() and umount(), setting up new SMB connection
+ - some autofs root ioctls
+ - nfsservctl
+ - VM86_REQUEST_IRQ
+ - to read/write pci config on alpha
+ - irix_prctl on mips (setstacksize)
+ - flushing all cache on m68k (sys_cacheflush)
+ - removing semaphores
+ - Used instead of CAP_CHOWN to "chown" IPC message
+ queues, semaphores and shared memory
+ - locking/unlocking of shared memory segment
+ - turning swap on/off
+ - forged pids on socket credentials passing
+ - setting readahead and flushing buffers on block
+ devices
+ - setting geometry in floppy driver
+ - turning DMA on/off in xd driver
+ - administration of md devices (mostly the above, but
+ some extra ioctls)
+ - tuning the ide driver
+ - access to the nvram device
+ - administration of apm_bios, serial and bttv (TV)
+ device
+ - manufacturer commands in isdn CAPI support driver
+ - reading non-standardized portions of PCI
+ configuration space
+ - DDI debug ioctl on sbpcd driver
+ - setting up serial ports
+ - sending raw qic-117 commands
+ - enabling/disabling tagged queuing on SCSI
+ controllers and sending arbitrary SCSI commands
+ - setting encryption key on loopback filesystem
+ - setting zone reclaim policy
diff --git a/doc/values/22.txt b/doc/values/22.txt
new file mode 100644
index 0000000..9380ceb
--- /dev/null
+++ b/doc/values/22.txt
@@ -0,0 +1 @@
+Allows a process to initiate a reboot of the system.
diff --git a/doc/values/23.txt b/doc/values/23.txt
new file mode 100644
index 0000000..c5a0360
--- /dev/null
+++ b/doc/values/23.txt
@@ -0,0 +1,6 @@
+Allows a process to maipulate the execution priorities
+of arbitrary processes:
+ - those involving different UIDs
+ - setting their CPU affinity
+ - alter the FIFO vs. round-robin (realtime)
+ scheduling for itself and other processes.
diff --git a/doc/values/24.txt b/doc/values/24.txt
new file mode 100644
index 0000000..4911e50
--- /dev/null
+++ b/doc/values/24.txt
@@ -0,0 +1,14 @@
+Allows a process to adjust resource related parameters
+of processes and the system:
+ - set and override resource limits
+ - override quota limits
+ - override the reserved space on ext2 filesystem
+ (this can also be achieved via CAP_FSETID)
+ - modify the data journaling mode on ext3 filesystem,
+ which uses journaling resources
+ - override size restrictions on IPC message queues
+ - configure more than 64Hz interrupts from the
+ real-time clock
+ - override the maximum number of consoles for console
+ allocation
+ - override the maximum number of keymaps
diff --git a/doc/values/25.txt b/doc/values/25.txt
new file mode 100644
index 0000000..95fd513
--- /dev/null
+++ b/doc/values/25.txt
@@ -0,0 +1,4 @@
+Allows a process to perform time manipulation of clocks:
+ - alter the system clock
+ - enable irix_stime on MIPS
+ - set the real-time clock
diff --git a/doc/values/26.txt b/doc/values/26.txt
new file mode 100644
index 0000000..ee446ba
--- /dev/null
+++ b/doc/values/26.txt
@@ -0,0 +1,3 @@
+Allows a process to manipulate tty devices:
+ - configure tty devices
+ - perform vhangup() of a tty
diff --git a/doc/values/27.txt b/doc/values/27.txt
new file mode 100644
index 0000000..0894164
--- /dev/null
+++ b/doc/values/27.txt
@@ -0,0 +1,2 @@
+Allows a process to perform privileged operations with
+the mknod() system call.
diff --git a/doc/values/28.txt b/doc/values/28.txt
new file mode 100644
index 0000000..fd0b6b9
--- /dev/null
+++ b/doc/values/28.txt
@@ -0,0 +1 @@
+Allows a process to take leases on files.
diff --git a/doc/values/29.txt b/doc/values/29.txt
new file mode 100644
index 0000000..ca1fdb8
--- /dev/null
+++ b/doc/values/29.txt
@@ -0,0 +1,2 @@
+Allows a process to write to the audit log via a
+unicast netlink socket.
diff --git a/doc/values/3.txt b/doc/values/3.txt
new file mode 100644
index 0000000..2d68efd
--- /dev/null
+++ b/doc/values/3.txt
@@ -0,0 +1,8 @@
+Allows a process to perform operations on files, even
+where file owner ID should otherwise need be equal to
+the UID, except where CAP_FSETID is applicable. It
+doesn't override MAC and DAC restrictions.
+
+This capability permits the deletion of a file owned
+by another UID in a directory protected by the sticky
+(t) bit.
diff --git a/doc/values/30.txt b/doc/values/30.txt
new file mode 100644
index 0000000..d1ef942
--- /dev/null
+++ b/doc/values/30.txt
@@ -0,0 +1,2 @@
+Allows a process to configure audit logging via a
+unicast netlink socket.
diff --git a/doc/values/31.txt b/doc/values/31.txt
new file mode 100644
index 0000000..ae97df2
--- /dev/null
+++ b/doc/values/31.txt
@@ -0,0 +1,6 @@
+Allows a process to set capabilities on files.
+Permits a process to uid_map the uid=0 of the
+parent user namespace into that of the child
+namespace. Also, permits a process to override
+securebits locks through user namespace
+creation.
diff --git a/doc/values/32.txt b/doc/values/32.txt
new file mode 100644
index 0000000..9c261d8
--- /dev/null
+++ b/doc/values/32.txt
@@ -0,0 +1,4 @@
+Allows a process to override Manditory Access Control
+(MAC) access. Not all kernels are configured with a MAC
+mechanism, but this is the capability reserved for
+overriding them.
diff --git a/doc/values/33.txt b/doc/values/33.txt
new file mode 100644
index 0000000..a4e441e
--- /dev/null
+++ b/doc/values/33.txt
@@ -0,0 +1,4 @@
+Allows a process to configure the Mandatory Access
+Control (MAC) policy. Not all kernels are configured
+with a MAC enabled, but if they are this capability is
+reserved for code to perform administration tasks.
diff --git a/doc/values/34.txt b/doc/values/34.txt
new file mode 100644
index 0000000..9728790
--- /dev/null
+++ b/doc/values/34.txt
@@ -0,0 +1,2 @@
+Allows a process to configure the kernel's syslog
+(printk) behavior.
diff --git a/doc/values/35.txt b/doc/values/35.txt
new file mode 100644
index 0000000..8ce5a17
--- /dev/null
+++ b/doc/values/35.txt
@@ -0,0 +1,2 @@
+Allows a process to trigger something that can wake the
+system up.
diff --git a/doc/values/36.txt b/doc/values/36.txt
new file mode 100644
index 0000000..7088ba6
--- /dev/null
+++ b/doc/values/36.txt
@@ -0,0 +1,2 @@
+Allows a process to block system suspends - prevent the
+system from entering a lower power state.
diff --git a/doc/values/37.txt b/doc/values/37.txt
new file mode 100644
index 0000000..fff9f60
--- /dev/null
+++ b/doc/values/37.txt
@@ -0,0 +1,2 @@
+Allows a process to read the audit log via a multicast
+netlink socket.
diff --git a/doc/values/38.txt b/doc/values/38.txt
new file mode 100644
index 0000000..f75db74
--- /dev/null
+++ b/doc/values/38.txt
@@ -0,0 +1,4 @@
+Allows a process to enable observability of privileged
+operations related to performance. The mechanisms
+include perf_events, i915_perf and other kernel
+subsystems.
diff --git a/doc/values/39.txt b/doc/values/39.txt
new file mode 100644
index 0000000..d05a5c6
--- /dev/null
+++ b/doc/values/39.txt
@@ -0,0 +1,33 @@
+Allows a process to manipulate aspects of the kernel
+enhanced Berkeley Packet Filter (BPF) system. This is
+an execution subsystem of the kernel, that manages BPF
+programs. CAP_BPF permits a process to:
+ - create all types of BPF maps
+ - advanced verifier features:
+ - indirect variable access
+ - bounded loops
+ - BPF to BPF function calls
+ - scalar precision tracking
+ - larger complexity limits
+ - dead code elimination
+ - potentially other features
+
+Other capabilities can be used together with CAP_BFP to
+further manipulate the BPF system:
+ - CAP_PERFMON relaxes the verifier checks as follows:
+ - BPF programs can use pointer-to-integer
+ conversions
+ - speculation attack hardening measures can be
+ bypassed
+ - bpf_probe_read to read arbitrary kernel memory is
+ permitted
+ - bpf_trace_printk to print the content of kernel
+ memory
+ - CAP_SYS_ADMIN permits the following:
+ - use of bpf_probe_write_user
+ - iteration over the system-wide loaded programs,
+ maps, links BTFs and convert their IDs to file
+ descriptors.
+ - CAP_PERFMON is required to load tracing programs.
+ - CAP_NET_ADMIN is required to load networking
+ programs.
diff --git a/doc/values/4.txt b/doc/values/4.txt
new file mode 100644
index 0000000..5797cf8
--- /dev/null
+++ b/doc/values/4.txt
@@ -0,0 +1,4 @@
+Allows a process to set the S_ISUID and S_ISUID bits of
+the file permissions, even when the process' effective
+UID or GID/supplementary GIDs do not match that of the
+file.
diff --git a/doc/values/40.txt b/doc/values/40.txt
new file mode 100644
index 0000000..c5993cf
--- /dev/null
+++ b/doc/values/40.txt
@@ -0,0 +1,4 @@
+Allows a process to perform checkpoint
+and restore operations. Also permits
+explicit PID control via clone3() and
+also writing to ns_last_pid.
diff --git a/doc/values/5.txt b/doc/values/5.txt
new file mode 100644
index 0000000..c4ded8e
--- /dev/null
+++ b/doc/values/5.txt
@@ -0,0 +1,3 @@
+Allows a process to send a kill(2) signal to any other
+process - overriding the limitation that there be a
+[E]UID match between source and target process.
diff --git a/doc/values/6.txt b/doc/values/6.txt
new file mode 100644
index 0000000..4ccc78b
--- /dev/null
+++ b/doc/values/6.txt
@@ -0,0 +1,5 @@
+Allows a process to freely manipulate its own GIDs:
+ - arbitrarily set the GID, EGID, REGID, RESGID values
+ - arbitrarily set the supplementary GIDs
+ - allows the forging of GID credentials passed over a
+ socket
diff --git a/doc/values/7.txt b/doc/values/7.txt
new file mode 100644
index 0000000..fbc1240
--- /dev/null
+++ b/doc/values/7.txt
@@ -0,0 +1,5 @@
+Allows a process to freely manipulate its own UIDs:
+ - arbitrarily set the UID, EUID, REUID and RESUID
+ values
+ - allows the forging of UID credentials passed over a
+ socket
diff --git a/doc/values/8.txt b/doc/values/8.txt
new file mode 100644
index 0000000..de0b47c
--- /dev/null
+++ b/doc/values/8.txt
@@ -0,0 +1,24 @@
+Allows a process to freely manipulate its inheritable
+capabilities.
+
+Linux supports the POSIX.1e Inheritable set, the POXIX.1e (X
+vector) known in Linux as the Bounding vector, as well as
+the Linux extension Ambient vector.
+
+This capability permits dropping bits from the Bounding
+vector (ie. raising B bits in the libcap IAB
+representation). It also permits the process to raise
+Ambient vector bits that are both raised in the Permitted
+and Inheritable sets of the process. This capability cannot
+be used to raise Permitted bits, Effective bits beyond those
+already present in the process' permitted set, or
+Inheritable bits beyond those present in the Bounding
+vector.
+
+[Historical note: prior to the advent of file capabilities
+(2008), this capability was suppressed by default, as its
+unsuppressed behavior was not auditable: it could
+asynchronously grant its own Permitted capabilities to and
+remove capabilities from other processes arbitrarily. The
+former leads to undefined behavior, and the latter is better
+served by the kill system call.]
diff --git a/doc/values/9.txt b/doc/values/9.txt
new file mode 100644
index 0000000..651e1a0
--- /dev/null
+++ b/doc/values/9.txt
@@ -0,0 +1,2 @@
+Allows a process to modify the S_IMMUTABLE and
+S_APPEND file attributes. |