github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/sentry/kernel/auth/capability_set.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package auth 16 17 import ( 18 "github.com/MerlinKodo/gvisor/pkg/abi/linux" 19 "github.com/MerlinKodo/gvisor/pkg/bits" 20 ) 21 22 // A CapabilitySet is a set of capabilities implemented as a bitset. The zero 23 // value of CapabilitySet is a set containing no capabilities. 24 type CapabilitySet uint64 25 26 // AllCapabilities is a CapabilitySet containing all valid capabilities. 27 var AllCapabilities = CapabilitySetOf(linux.CAP_LAST_CAP+1) - 1 28 29 // CapabilitySetOf returns a CapabilitySet containing only the given 30 // capability. 31 func CapabilitySetOf(cp linux.Capability) CapabilitySet { 32 return CapabilitySet(bits.MaskOf64(int(cp))) 33 } 34 35 // CapabilitySetOfMany returns a CapabilitySet containing the given capabilities. 36 func CapabilitySetOfMany(cps []linux.Capability) CapabilitySet { 37 var cs uint64 38 for _, cp := range cps { 39 cs |= bits.MaskOf64(int(cp)) 40 } 41 return CapabilitySet(cs) 42 } 43 44 // TaskCapabilities represents all the capability sets for a task. Each of these 45 // sets is explained in greater detail in capabilities(7). 46 type TaskCapabilities struct { 47 // Permitted is a limiting superset for the effective capabilities that 48 // the thread may assume. 49 PermittedCaps CapabilitySet 50 // Inheritable is a set of capabilities preserved across an execve(2). 51 InheritableCaps CapabilitySet 52 // Effective is the set of capabilities used by the kernel to perform 53 // permission checks for the thread. 54 EffectiveCaps CapabilitySet 55 // Bounding is a limiting superset for the capabilities that a thread 56 // can add to its inheritable set using capset(2). 57 BoundingCaps CapabilitySet 58 // Ambient is a set of capabilities that are preserved across an 59 // execve(2) of a program that is not privileged. 60 AmbientCaps CapabilitySet 61 }