author | Andrew G. Morgan <morgan@kernel.org> | 2021-09-07 10:47:45 -0700 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2021-09-07 10:47:45 -0700 |
commit | 8434c10a690f3352ff5d8cb011859502718a60b7 (patch) | |
tree | 0984bdf323e0d94e8a58b2611c90cf75569b202e /cap/names.go | |
parent | 8b3ffc23b6cbe42d2eac5a3c0d970fd26472a246 (diff) | |
download | libcap-8434c10a690f3352ff5d8cb011859502718a60b7.tar.gz |
Be more systematic about POSIX.1e value group names
cap.Set's have Flag component Values
cap.IAB's have Vector component Values
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'cap/names.go')
-rw-r--r-- | cap/names.go | 39 |
1 files changed, 22 insertions, 17 deletions
diff --git a/cap/names.go b/cap/names.go index 8ee96d1..356da9e 100644 --- a/cap/names.go +++ b/cap/names.go 
@@ -70,24 +70,29 @@ const ( SETUID // SETPCAP allows a process to freely manipulate its inheritable - // capabilities. Linux supports the POSIX.1e Inheritable - // set, as well as Bounding and Ambient Linux extension - // vectors. This capability permits dropping bits from the - // Bounding vector. It also permits the process to raise - // Ambient vector bits that are both raised in the - // Permitted and Inheritable sets of the process. This - // capability cannot be used to raise Permitted bits, or - // Effective bits beyond those already present in the - // process' permitted set. + // capabilities. // - // [Historical note: prior to the advent of file - // capabilities (2008), this capability was suppressed by - // default, as its unsuppressed behavior was not - // auditable: it could asynchronously grant its own - // Permitted capabilities to and remove capabilities from - // other processes arbitrarily. The former leads to - // undefined behavior, and the latter is better served by - // the kill system call.] + // Linux supports the POSIX.1e Inheritable set, the POXIX.1e (X + // vector) known in Linux as the Bounding vector, as well as + // the Linux extension Ambient vector. + // + // This capability permits dropping bits from the Bounding + // vector (ie. raising B bits in the libcap IAB + // representation). It also permits the process to raise + // Ambient vector bits that are both raised in the Permitted + // and Inheritable sets of the process. This capability cannot + // be used to raise Permitted bits, Effective bits beyond those + // already present in the process' permitted set, or + // Inheritable bits beyond those present in the Bounding + // vector. 
+ // + // [Historical note: prior to the advent of file capabilities + // (2008), this capability was suppressed by default, as its + // unsuppressed behavior was not auditable: it could + // asynchronously grant its own Permitted capabilities to and + // remove capabilities from other processes arbitrarily. The + // former leads to undefined behavior, and the latter is better + // served by the kill system call.] SETPCAP // LINUX_IMMUTABLE allows a process to modify the S_IMMUTABLE and |
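Review bot: The new SETPCAP comment misspells POSIX in "the POXIX.1e (X vector) known in Linux as the Bounding vector"; it should read "POSIX.1e", and the parenthetical would be clearer as "the POSIX.1e X vector (known in Linux as the Bounding vector)". In the same block, "ie." is conventionally written "i.e.". Separately, the retained opening sentence says the capability lets a process "freely manipulate its inheritable capabilities", but the added closing sentence says it cannot raise "Inheritable bits beyond those present in the Bounding vector". Consider qualifying "freely" in the first sentence so the summary matches the limit stated below it.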