This repository was archived by the owner on Oct 13, 2023. It is now read-only.

Commit a240747

docs: sort list of capabilities alphabetically
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5bbdcd1c9d28fecdd54bad6da12c5b3990e7905c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 0a207d5095e43d9afe14ee4365b5e30a60e6b696
Component: cli
1 parent c9133e2 commit a240747

1 file changed

Lines changed: 21 additions & 21 deletions

components/cli/docs/reference/run.md

@@ -1287,48 +1287,48 @@ options which are allowed by default and can be dropped.
12871287
12881288
| Capability Key | Capability Description |
12891289
|:-----------------|:------------------------------------------------------------------------------------------------------------------------------|
1290-
| SETPCAP | Modify process capabilities. |
1291-
| MKNOD | Create special files using mknod(2). |
12921290
| AUDIT_WRITE | Write records to kernel auditing log. |
12931291
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
1294-
| NET_RAW | Use RAW and PACKET sockets. |
12951292
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
12961293
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
12971294
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
12981295
| KILL | Bypass permission checks for sending signals. |
1296+
| MKNOD | Create special files using mknod(2). |
1297+
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
1298+
| NET_RAW | Use RAW and PACKET sockets. |
1299+
| SETFCAP | Set file capabilities. |
12991300
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
1301+
| SETPCAP | Modify process capabilities. |
13001302
| SETUID | Make arbitrary manipulations of process UIDs. |
1301-
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
13021303
| SYS_CHROOT | Use chroot(2), change root directory. |
1303-
| SETFCAP | Set file capabilities. |
13041304
13051305
The next table shows the capabilities which are not granted by default and may be added.
13061306
13071307
| Capability Key | Capability Description |
13081308
|:----------------|:----------------------------------------------------------------------------------------------------------------|
1309-
| SYS_MODULE | Load and unload kernel modules. |
1310-
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
1311-
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
1312-
| SYS_ADMIN | Perform a range of system administration operations. |
1313-
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
1314-
| SYS_RESOURCE | Override resource Limits. |
1315-
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
1316-
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
13171309
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
1310+
| BLOCK_SUSPEND | Employ features that can block system suspend. |
1311+
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
1312+
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
1313+
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
1314+
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
1315+
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
13181316
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
13191317
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
13201318
| NET_ADMIN | Perform various network-related operations. |
1321-
| SYSLOG | Perform privileged syslog(2) operations. |
1322-
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
1323-
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
13241319
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
1325-
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
1326-
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
1327-
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
1320+
| SYS_ADMIN | Perform a range of system administration operations. |
13281321
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
1329-
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
1322+
| SYS_MODULE | Load and unload kernel modules. |
1323+
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
1324+
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
1325+
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
1326+
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
1327+
| SYS_RESOURCE | Override resource Limits. |
1328+
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
1329+
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
1330+
| SYSLOG | Perform privileged syslog(2) operations. |
13301331
| WAKE_ALARM | Trigger something that will wake up the system. |
1331-
| BLOCK_SUSPEND | Employ features that can block system suspend. |
13321332
13331333
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
13341334
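
Review bot: The sort order in the second table is ambiguous at new line 1330, where SYSLOG is placed after SYS_TTY_CONFIG. That is alphabetical only if the underscore collates before letters; a plain byte-order sort puts SYSLOG ahead of SYS_ADMIN, and a sort that ignores punctuation puts it between SYS_BOOT and SYS_MODULE. Since the commit message promises alphabetical order, name the collation rule (in the commit message or a comment above the tables) so a later re-sort does not reshuffle these rows. Separately, the SYS_RESOURCE row re-added at new line 1327 still reads "Override resource Limits."; lowercasing "Limits" while the row is being moved would match the other descriptions. The 21 moved rows otherwise carry their descriptions over unchanged, which is what a pure reorder of the default-granted and add-only capability lists should do.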
