github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/sentry/kernel/auth/capability_set.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package auth
    16  
    17  import (
    18  	"github.com/MerlinKodo/gvisor/pkg/abi/linux"
    19  	"github.com/MerlinKodo/gvisor/pkg/bits"
    20  )
    21  
    // A CapabilitySet is a set of capabilities implemented as a bitset. The zero
    // value of CapabilitySet is a set containing no capabilities.
    //
    // The constructors in this file build a set from bits.MaskOf64(int(cp)), so
    // each capability occupies the bit selected by its numeric value (presumably
    // bit n for capability n; MaskOf64 is defined outside this file). The
    // underlying uint64 can therefore distinguish at most 64 capabilities.
    type CapabilitySet uint64
    25  
    // AllCapabilities is a CapabilitySet containing all valid capabilities.
    //
    // It is the single-capability mask for linux.CAP_LAST_CAP+1 minus one, which
    // (assuming that mask is exactly one set bit) sets every lower bit, i.e. the
    // bits for capability numbers 0 through CAP_LAST_CAP.
    //
    // NOTE(review): the initializer passes CAP_LAST_CAP+1 to CapabilitySetOf, so
    // CapabilitySetOf has to keep accepting a value above CAP_LAST_CAP for this
    // mask to stay correct. This is also an exported variable, not a constant,
    // so the language does not stop other packages from reassigning it.
    var AllCapabilities = CapabilitySetOf(linux.CAP_LAST_CAP+1) - 1
    28  
    // CapabilitySetOf builds a CapabilitySet whose only member is cp.
    //
    // cp is not range-checked here: it is converted to int and handed directly
    // to bits.MaskOf64, so the result for an invalid capability number is
    // whatever MaskOf64 (defined outside this file) yields for it. AllCapabilities
    // in this file depends on that, since it calls this function with
    // linux.CAP_LAST_CAP+1. Callers that take cp from untrusted input should
    // validate it before building a set from it.
    func CapabilitySetOf(cp linux.Capability) CapabilitySet {
    	mask := bits.MaskOf64(int(cp))
    	return CapabilitySet(mask)
    }
    34  
    // CapabilitySetOfMany builds a CapabilitySet holding every capability in cps.
    //
    // A nil or empty slice yields the empty set, and duplicates are harmless
    // because the per-capability masks are OR-ed together. As with
    // CapabilitySetOf, no element is range-checked before it reaches
    // bits.MaskOf64, so validation of untrusted capability numbers is left to
    // the caller.
    func CapabilitySetOfMany(cps []linux.Capability) CapabilitySet {
    	var set CapabilitySet
    	for i := range cps {
    		set |= CapabilitySet(bits.MaskOf64(int(cps[i])))
    	}
    	return set
    }
    43  
    // TaskCapabilities represents all the capability sets for a task. Each of these
    // sets is explained in greater detail in capabilities(7).
    //
    // This type is plain data: nothing here enforces the relations that
    // capabilities(7) describes between the sets (for example, effective being
    // limited by permitted, or ambient being limited by both permitted and
    // inheritable). Code that fills in a TaskCapabilities is presumably expected
    // to uphold them; that enforcement is not visible in this file.
    type TaskCapabilities struct {
    	// PermittedCaps is a limiting superset for the effective capabilities
    	// that the thread may assume.
    	PermittedCaps CapabilitySet
    	// InheritableCaps is a set of capabilities preserved across an
    	// execve(2).
    	InheritableCaps CapabilitySet
    	// EffectiveCaps is the set of capabilities used by the kernel to
    	// perform permission checks for the thread.
    	EffectiveCaps CapabilitySet
    	// BoundingCaps is a limiting superset for the capabilities that a
    	// thread can add to its inheritable set using capset(2).
    	BoundingCaps CapabilitySet
    	// AmbientCaps is a set of capabilities that are preserved across an
    	// execve(2) of a program that is not privileged.
    	AmbientCaps CapabilitySet
    }