// Copyright 2018 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package linux
// A Capability represents the ability to perform a privileged operation.
type Capability int
// Capabilities defined by Linux. Taken from the kernel's
// include/uapi/linux/capability.h. See capabilities(7) or that file for more
// detailed capability descriptions.
const (
CAP_CHOWN = Capability(0)
CAP_DAC_OVERRIDE = Capability(1)
CAP_DAC_READ_SEARCH = Capability(2)
CAP_FOWNER = Capability(3)
CAP_FSETID = Capability(4)
CAP_KILL = Capability(5)
CAP_SETGID = Capability(6)
CAP_SETUID = Capability(7)
CAP_SETPCAP = Capability(8)
CAP_LINUX_IMMUTABLE = Capability(9)
CAP_NET_BIND_SERVICE = Capability(10)
CAP_NET_BROADCAST = Capability(11)
CAP_NET_ADMIN = Capability(12)
CAP_NET_RAW = Capability(13)
CAP_IPC_LOCK = Capability(14)
CAP_IPC_OWNER = Capability(15)
CAP_SYS_MODULE = Capability(16)
CAP_SYS_RAWIO = Capability(17)
CAP_SYS_CHROOT = Capability(18)
CAP_SYS_PTRACE = Capability(19)
CAP_SYS_PACCT = Capability(20)
CAP_SYS_ADMIN = Capability(21)
CAP_SYS_BOOT = Capability(22)
CAP_SYS_NICE = Capability(23)
CAP_SYS_RESOURCE = Capability(24)
CAP_SYS_TIME = Capability(25)
CAP_SYS_TTY_CONFIG = Capability(26)
CAP_MKNOD = Capability(27)
CAP_LEASE = Capability(28)
CAP_AUDIT_WRITE = Capability(29)
CAP_AUDIT_CONTROL = Capability(30)
CAP_SETFCAP = Capability(31)
CAP_MAC_OVERRIDE = Capability(32)
CAP_MAC_ADMIN = Capability(33)
CAP_SYSLOG = Capability(34)
CAP_WAKE_ALARM = Capability(35)
CAP_BLOCK_SUSPEND = Capability(36)
CAP_AUDIT_READ = Capability(37)
// MaxCapability is the highest-numbered capability.
MaxCapability = CAP_AUDIT_READ
)
// Ok returns true if cp is a supported capability.
func (cp Capability) Ok() bool {
return cp >= 0 && cp <= MaxCapability
}
// Version numbers used by the capget/capset syscalls, defined in Linux's
// include/uapi/linux/capability.h. The version is carried in
// CapUserHeader.Version and determines how many cap_user_data_t entries the
// data pointer refers to.
const (
	// LINUX_CAPABILITY_VERSION_1 causes the data pointer to be
	// interpreted as a pointer to a single cap_user_data_t. Since capability
	// sets are 64 bits and the "capability sets" in cap_user_data_t are 32
	// bits only, this causes the upper 32 bits to be implicitly 0.
	LINUX_CAPABILITY_VERSION_1 = 0x19980330
	// LINUX_CAPABILITY_VERSION_2 and LINUX_CAPABILITY_VERSION_3 cause the
	// data pointer to be interpreted as a pointer to an array of 2
	// cap_user_data_t, using the second to store the 32 MSB of each capability
	// set. Versions 2 and 3 are identical, but Linux printk's a warning on use
	// of version 2 due to a userspace API defect.
	LINUX_CAPABILITY_VERSION_2 = 0x20071026
	LINUX_CAPABILITY_VERSION_3 = 0x20080522
	// HighestCapabilityVersion is the highest supported
	// LINUX_CAPABILITY_VERSION_* version.
	// NOTE(review): on Linux a capget caller that passes an unrecognized
	// version gets its header rewritten with this value and an error; confirm
	// the syscall implementation built on these constants matches that.
	HighestCapabilityVersion = LINUX_CAPABILITY_VERSION_3
)
// CapUserHeader is equivalent to Linux's cap_user_header_t, the header
// argument of the capget/capset syscalls. Field order and widths mirror the
// kernel struct and must not be changed.
type CapUserHeader struct {
	// Version is one of the LINUX_CAPABILITY_VERSION_* constants and selects
	// how many CapUserData entries the accompanying data pointer refers to.
	Version uint32
	// Pid identifies the process whose capabilities are read or written.
	// NOTE(review): presumably 0 selects the calling process, as for
	// capget(2) — confirm in the syscall implementation.
	Pid int32
}
// CapUserData is equivalent to Linux's cap_user_data_t. Each field holds 32
// bits of the corresponding capability set; with LINUX_CAPABILITY_VERSION_2
// or _3 two of these structs are used, the second carrying the upper 32 bits
// of each set. Field order and widths mirror the kernel struct and must not
// be changed.
type CapUserData struct {
	Effective   uint32
	Permitted   uint32
	Inheritable uint32
}