suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
gh-pages
man-pages/man2/capget.2.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

379 lines
9.0 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of CAPGET</TITLE>
</HEAD><BODY>
<H1>CAPGET</H1>
Section: Linux Programmer's Manual (2)<BR>Updated: 2020-02-09<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
capget, capset - set/get capabilities of thread(s)
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>#include &lt;<A HREF="file:///usr/include/sys/capability.h">sys/capability.h</A>&gt;</B>
<P>
<B>int capget(cap_user_header_t </B><I>hdrp</I><B>, cap_user_data_t </B><I>datap</I><B>);</B>
<P>
<B>int capset(cap_user_header_t </B><I>hdrp</I><B>, const cap_user_data_t </B><I>datap</I><B>);</B>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
These two system calls are the raw kernel interface for getting and
setting thread capabilities.
Not only are these system calls specific to Linux,
but the kernel API is likely to change and use of
these system calls (in particular the format of the
<I>cap_user_*_t</I>
types) is subject to extension with each kernel revision,
but old programs will keep working.
<P>
The portable interfaces are
<B><A HREF="/cgi-bin/man/man2html?3+cap_set_proc">cap_set_proc</A></B>(3)
and
<B><A HREF="/cgi-bin/man/man2html?3+cap_get_proc">cap_get_proc</A></B>(3);
if possible, you should use those interfaces in applications.
<A NAME="lbAE">&nbsp;</A>
<H3>Current details</H3>
Now that you have been warned, some current kernel details.
The structures are defined as follows.
<P>
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
#define _LINUX_CAPABILITY_U32S_1 1
<P>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/*&nbsp;V2&nbsp;added&nbsp;in&nbsp;Linux&nbsp;2.6.25;&nbsp;deprecated&nbsp;*/
#define _LINUX_CAPABILITY_VERSION_2 0x20071026
#define _LINUX_CAPABILITY_U32S_2 2
<P>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/*&nbsp;V3&nbsp;added&nbsp;in&nbsp;Linux&nbsp;2.6.26&nbsp;*/
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
#define _LINUX_CAPABILITY_U32S_3 2
<P>
typedef struct __user_cap_header_struct {
<BR>&nbsp;&nbsp;&nbsp;__u32&nbsp;version;
<BR>&nbsp;&nbsp;&nbsp;int&nbsp;pid;
} *cap_user_header_t;
<P>
typedef struct __user_cap_data_struct {
<BR>&nbsp;&nbsp;&nbsp;__u32&nbsp;effective;
<BR>&nbsp;&nbsp;&nbsp;__u32&nbsp;permitted;
<BR>&nbsp;&nbsp;&nbsp;__u32&nbsp;inheritable;
} *cap_user_data_t;
<P>
The
<I>effective</I>,
<I>permitted</I>,
and
<I>inheritable</I>
fields are bit masks of the capabilities defined in
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7).
Note that the
<B>CAP_*</B>
values are bit indexes and need to be bit-shifted before ORing into
the bit fields.
To define the structures for passing to the system call, you have to use the
<I>struct __user_cap_header_struct</I>
and
<I>struct __user_cap_data_struct</I>
names because the typedefs are only pointers.
<P>
Kernels prior to 2.6.25 prefer
32-bit capabilities with version
<B>_LINUX_CAPABILITY_VERSION_1</B>.
Linux 2.6.25 added 64-bit capability sets, with version
<B>_LINUX_CAPABILITY_VERSION_2</B>.
There was, however, an API glitch, and Linux 2.6.26 added
<B>_LINUX_CAPABILITY_VERSION_3</B>
to fix the problem.
<P>
Note that 64-bit capabilities use
<I>datap</I>[0]
and
<I>datap</I>[1],
whereas 32-bit capabilities use only
<I>datap</I>[0].
<P>
On kernels that support file capabilities (VFS capabilities support),
these system calls behave slightly differently.
This support was added as an option in Linux 2.6.24,
and became fixed (nonoptional) in Linux 2.6.33.
<P>
For
<B>capget</B>()
calls, one can probe the capabilities of any process by specifying its
process ID with the
<I>hdrp-&gt;pid</I>
field value.
<P>
For details on the data, see
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7).
<A NAME="lbAF">&nbsp;</A>
<H3>With VFS capabilities support</H3>
VFS capabilities employ a file extended attribute (see
<B><A HREF="/cgi-bin/man/man2html?7+xattr">xattr</A></B>(7))
to allow capabilities to be attached to executables.
This privilege model obsoletes kernel support for one process
asynchronously setting the capabilities of another.
That is, on kernels that have VFS capabilities support, when calling
<B>capset</B>(),
the only permitted values for
<I>hdrp-&gt;pid</I>
are 0 or, equivalently, the value returned by
<B><A HREF="/cgi-bin/man/man2html?2+gettid">gettid</A></B>(2).
<A NAME="lbAG">&nbsp;</A>
<H3>Without VFS capabilities support</H3>
On older kernels that do not provide VFS capabilities support
<B>capset</B>()
can, if the caller has the
<B>CAP_SETPCAP</B>
capability, be used to change not only the caller's own capabilities,
but also the capabilities of other threads.
The call operates on the capabilities of the thread specified by the
<I>pid</I>
field of
<I>hdrp</I>
when that is nonzero, or on the capabilities of the calling thread if
<I>pid</I>
is 0.
If
<I>pid</I>
refers to a single-threaded process, then
<I>pid</I>
can be specified as a traditional process ID;
operating on a thread of a multithreaded process requires a thread ID
of the type returned by
<B><A HREF="/cgi-bin/man/man2html?2+gettid">gettid</A></B>(2).
For
<B>capset</B>(),
<I>pid</I>
can also be: -1, meaning perform the change on all threads except the
caller and
<B><A HREF="/cgi-bin/man/man2html?1+init">init</A></B>(1);
or a value less than -1, in which case the change is applied
to all members of the process group whose ID is -<I>pid</I>.
<A NAME="lbAH">&nbsp;</A>
<H2>RETURN VALUE</H2>
On success, zero is returned.
On error, -1 is returned, and
<I>errno</I>
is set appropriately.
<P>
The calls fail with the error
<B>EINVAL</B>,
and set the
<I>version</I>
field of
<I>hdrp</I>
to the kernel preferred value of
<B>_LINUX_CAPABILITY_VERSION_?</B>
when an unsupported
<I>version</I>
value is specified.
In this way, one can probe what the current
preferred capability revision is.
<A NAME="lbAI">&nbsp;</A>
<H2>ERRORS</H2>
<DL COMPACT>
<DT id="1"><B>EFAULT</B>
<DD>
Bad memory address.
<I>hdrp</I>
must not be NULL.
<I>datap</I>
may be NULL only when the user is trying to determine the preferred
capability version format supported by the kernel.
<DT id="2"><B>EINVAL</B>
<DD>
One of the arguments was invalid.
<DT id="3"><B>EPERM</B>
<DD>
An attempt was made to add a capability to the permitted set, or to set
a capability in the effective set that is not in the
permitted set.
<DT id="4"><B>EPERM</B>
<DD>
An attempt was made to add a capability to the inheritable set, and either:
<DL COMPACT><DT id="5"><DD>
<DL COMPACT>
<DT id="6">*<DD>
that capability was not in the caller's bounding set; or
<DT id="7">*<DD>
the capability was not in the caller's permitted set
and the caller lacked the
<B>CAP_SETPCAP</B>
capability in its effective set.
</DL>
</DL>
<DT id="8"><B>EPERM</B>
<DD>
The caller attempted to use
<B>capset</B>()
to modify the capabilities of a thread other than itself,
but lacked sufficient privilege.
For kernels supporting VFS
capabilities, this is never permitted.
For kernels lacking VFS
support, the
<B>CAP_SETPCAP</B>
capability is required.
(A bug in kernels before 2.6.11 meant that this error could also
occur if a thread without this capability tried to change its
own capabilities by specifying the
<I>pid</I>
field as a nonzero value (i.e., the value returned by
<B><A HREF="/cgi-bin/man/man2html?2+getpid">getpid</A></B>(2))
instead of 0.)
<DT id="9"><B>ESRCH</B>
<DD>
No such thread.
</DL>
<A NAME="lbAJ">&nbsp;</A>
<H2>CONFORMING TO</H2>
These system calls are Linux-specific.
<A NAME="lbAK">&nbsp;</A>
<H2>NOTES</H2>
The portable interface to the capability querying and setting
functions is provided by the
<I>libcap</I>
library and is available here:
<BR>
<A NAME="lbAL">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?2+clone">clone</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?2+gettid">gettid</A></B>(2),
<B><A HREF="/cgi-bin/man/man2html?7+capabilities">capabilities</A></B>(7)
<A NAME="lbAM">&nbsp;</A>
<H2>COLOPHON</H2>
This page is part of release 5.05 of the Linux
<I>man-pages</I>
project.
A description of the project,
information about reporting bugs,
and the latest version of this page,
can be found at
<A HREF="https://www.kernel.org/doc/man-pages/.">https://www.kernel.org/doc/man-pages/.</A>
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="10"><A HREF="#lbAB">NAME</A><DD>
<DT id="11"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="12"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT id="13"><A HREF="#lbAE">Current details</A><DD>
<DT id="14"><A HREF="#lbAF">With VFS capabilities support</A><DD>
<DT id="15"><A HREF="#lbAG">Without VFS capabilities support</A><DD>
</DL>
<DT id="16"><A HREF="#lbAH">RETURN VALUE</A><DD>
<DT id="17"><A HREF="#lbAI">ERRORS</A><DD>
<DT id="18"><A HREF="#lbAJ">CONFORMING TO</A><DD>
<DT id="19"><A HREF="#lbAK">NOTES</A><DD>
<DT id="20"><A HREF="#lbAL">SEE ALSO</A><DD>
<DT id="21"><A HREF="#lbAM">COLOPHON</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:32 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink