github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/pkg/abi/linux/capability.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package linux
    16  
    17  // A Capability represents the ability to perform a privileged operation.
    18  type Capability int
    19  
    20  // Capabilities defined by Linux. Taken from the kernel's
    21  // include/uapi/linux/capability.h. See capabilities(7) or that file for more
    22  // detailed capability descriptions.
    23  const (
    24  	CAP_CHOWN            = Capability(0)
    25  	CAP_DAC_OVERRIDE     = Capability(1)
    26  	CAP_DAC_READ_SEARCH  = Capability(2)
    27  	CAP_FOWNER           = Capability(3)
    28  	CAP_FSETID           = Capability(4)
    29  	CAP_KILL             = Capability(5)
    30  	CAP_SETGID           = Capability(6)
    31  	CAP_SETUID           = Capability(7)
    32  	CAP_SETPCAP          = Capability(8)
    33  	CAP_LINUX_IMMUTABLE  = Capability(9)
    34  	CAP_NET_BIND_SERVICE = Capability(10)
    35  	CAP_NET_BROADCAST    = Capability(11)
    36  	CAP_NET_ADMIN        = Capability(12)
    37  	CAP_NET_RAW          = Capability(13)
    38  	CAP_IPC_LOCK         = Capability(14)
    39  	CAP_IPC_OWNER        = Capability(15)
    40  	CAP_SYS_MODULE       = Capability(16)
    41  	CAP_SYS_RAWIO        = Capability(17)
    42  	CAP_SYS_CHROOT       = Capability(18)
    43  	CAP_SYS_PTRACE       = Capability(19)
    44  	CAP_SYS_PACCT        = Capability(20)
    45  	CAP_SYS_ADMIN        = Capability(21)
    46  	CAP_SYS_BOOT         = Capability(22)
    47  	CAP_SYS_NICE         = Capability(23)
    48  	CAP_SYS_RESOURCE     = Capability(24)
    49  	CAP_SYS_TIME         = Capability(25)
    50  	CAP_SYS_TTY_CONFIG   = Capability(26)
    51  	CAP_MKNOD            = Capability(27)
    52  	CAP_LEASE            = Capability(28)
    53  	CAP_AUDIT_WRITE      = Capability(29)
    54  	CAP_AUDIT_CONTROL    = Capability(30)
    55  	CAP_SETFCAP          = Capability(31)
    56  	CAP_MAC_OVERRIDE     = Capability(32)
    57  	CAP_MAC_ADMIN        = Capability(33)
    58  	CAP_SYSLOG           = Capability(34)
    59  	CAP_WAKE_ALARM       = Capability(35)
    60  	CAP_BLOCK_SUSPEND    = Capability(36)
    61  	CAP_AUDIT_READ       = Capability(37)
    62  
    63  	// CAP_LAST_CAP is the highest-numbered capability.
    64  	// Seach for "CAP_LAST_CAP" to find other places that need to change.
    65  	CAP_LAST_CAP = CAP_AUDIT_READ
    66  )
    67  
    68  // Ok returns true if cp is a supported capability.
    69  func (cp Capability) Ok() bool {
    70  	return cp >= 0 && cp <= CAP_LAST_CAP
    71  }
    72  
    73  // String returns the capability name.
    74  func (cp Capability) String() string {
    75  	switch cp {
    76  	case CAP_CHOWN:
    77  		return "CAP_CHOWN"
    78  	case CAP_DAC_OVERRIDE:
    79  		return "CAP_DAC_OVERRIDE"
    80  	case CAP_DAC_READ_SEARCH:
    81  		return "CAP_DAC_READ_SEARCH"
    82  	case CAP_FOWNER:
    83  		return "CAP_FOWNER"
    84  	case CAP_FSETID:
    85  		return "CAP_FSETID"
    86  	case CAP_KILL:
    87  		return "CAP_KILL"
    88  	case CAP_SETGID:
    89  		return "CAP_SETGID"
    90  	case CAP_SETUID:
    91  		return "CAP_SETUID"
    92  	case CAP_SETPCAP:
    93  		return "CAP_SETPCAP"
    94  	case CAP_LINUX_IMMUTABLE:
    95  		return "CAP_LINUX_IMMUTABLE"
    96  	case CAP_NET_BIND_SERVICE:
    97  		return "CAP_NET_BIND_SERVICE"
    98  	case CAP_NET_BROADCAST:
    99  		return "CAP_NET_BROADCAST"
   100  	case CAP_NET_ADMIN:
   101  		return "CAP_NET_ADMIN"
   102  	case CAP_NET_RAW:
   103  		return "CAP_NET_RAW"
   104  	case CAP_IPC_LOCK:
   105  		return "CAP_IPC_LOCK"
   106  	case CAP_IPC_OWNER:
   107  		return "CAP_IPC_OWNER"
   108  	case CAP_SYS_MODULE:
   109  		return "CAP_SYS_MODULE"
   110  	case CAP_SYS_RAWIO:
   111  		return "CAP_SYS_RAWIO"
   112  	case CAP_SYS_CHROOT:
   113  		return "CAP_SYS_CHROOT"
   114  	case CAP_SYS_PTRACE:
   115  		return "CAP_SYS_PTRACE"
   116  	case CAP_SYS_PACCT:
   117  		return "CAP_SYS_PACCT"
   118  	case CAP_SYS_ADMIN:
   119  		return "CAP_SYS_ADMIN"
   120  	case CAP_SYS_BOOT:
   121  		return "CAP_SYS_BOOT"
   122  	case CAP_SYS_NICE:
   123  		return "CAP_SYS_NICE"
   124  	case CAP_SYS_RESOURCE:
   125  		return "CAP_SYS_RESOURCE"
   126  	case CAP_SYS_TIME:
   127  		return "CAP_SYS_TIME"
   128  	case CAP_SYS_TTY_CONFIG:
   129  		return "CAP_SYS_TTY_CONFIG"
   130  	case CAP_MKNOD:
   131  		return "CAP_MKNOD"
   132  	case CAP_LEASE:
   133  		return "CAP_LEASE"
   134  	case CAP_AUDIT_WRITE:
   135  		return "CAP_AUDIT_WRITE"
   136  	case CAP_AUDIT_CONTROL:
   137  		return "CAP_AUDIT_CONTROL"
   138  	case CAP_SETFCAP:
   139  		return "CAP_SETFCAP"
   140  	case CAP_MAC_OVERRIDE:
   141  		return "CAP_MAC_OVERRIDE"
   142  	case CAP_MAC_ADMIN:
   143  		return "CAP_MAC_ADMIN"
   144  	case CAP_SYSLOG:
   145  		return "CAP_SYSLOG"
   146  	case CAP_WAKE_ALARM:
   147  		return "CAP_WAKE_ALARM"
   148  	case CAP_BLOCK_SUSPEND:
   149  		return "CAP_BLOCK_SUSPEND"
   150  	case CAP_AUDIT_READ:
   151  		return "CAP_AUDIT_READ"
   152  	default:
   153  		return "UNKNOWN"
   154  	}
   155  }
   156  
// Version numbers accepted in CapUserHeader.Version by the capget/capset
// syscalls, as defined in Linux's include/uapi/linux/capability.h. The
// version selects how the accompanying data pointer is interpreted.
const (
	// LINUX_CAPABILITY_VERSION_1: the data pointer refers to a single
	// cap_user_data_t. Capability sets are 64 bits wide but the fields of
	// cap_user_data_t are only 32 bits, so the upper 32 bits of every set are
	// implicitly zero under this version.
	LINUX_CAPABILITY_VERSION_1 = 0x19980330

	// LINUX_CAPABILITY_VERSION_2: the data pointer refers to an array of two
	// cap_user_data_t, the second holding the upper 32 bits of each set.
	// Linux printk's a warning when this version is used because of a
	// userspace API defect; version 3 is otherwise identical.
	LINUX_CAPABILITY_VERSION_2 = 0x20071026

	// LINUX_CAPABILITY_VERSION_3: the same two-entry layout as version 2,
	// without the warning.
	LINUX_CAPABILITY_VERSION_3 = 0x20080522
)

// HighestCapabilityVersion is the highest LINUX_CAPABILITY_VERSION_* value
// this package supports.
const HighestCapabilityVersion = LINUX_CAPABILITY_VERSION_3
   178  
// CapUserHeader is equivalent to Linux's cap_user_header_t, the header
// argument of the capget/capset syscalls. Field order and widths are ABI and
// must not change.
//
// +marshal
type CapUserHeader struct {
	// Version is one of the LINUX_CAPABILITY_VERSION_* constants and decides
	// whether one or two CapUserData entries follow the header.
	Version uint32
	// Pid names the target of the call. NOTE(review): the interpretation of
	// special values (such as 0) is decided by the syscall implementation,
	// not here — confirm against the caller.
	Pid     int32
}
   186  
// CapUserData is equivalent to Linux's cap_user_data_t: a 32-bit slice of
// each of the three capability sets. Under LINUX_CAPABILITY_VERSION_1 a
// single CapUserData carries the low 32 bits of each set and the upper bits
// are implicitly zero; under versions 2 and 3 two entries are used, the
// second carrying the upper 32 bits (see the LINUX_CAPABILITY_VERSION_*
// comments). Field order and widths are ABI and must not change.
//
// +marshal slice:CapUserDataSlice
type CapUserData struct {
	// Effective holds 32 bits of the effective set. NOTE(review): presumably
	// bit n corresponds to Capability(n) within this half — confirm against
	// the code that converts to and from the full 64-bit sets.
	Effective   uint32
	// Permitted holds the corresponding 32 bits of the permitted set.
	Permitted   uint32
	// Inheritable holds the corresponding 32 bits of the inheritable set.
	Inheritable uint32
}