CAP_TEXT_FORMATS
Section: Linux Programmer's Manual (7)
Updated: 202-0-19
Index
Return to Main Contents
CAPABILITY TEXT FORMATS
The capability library
libcap(3)
employs two string formats for representing capabilities: the original
text format for the standard capability `Set' and supported by the
getcap(8),
setcap(8)
and
capsh(8)
command line tools; and the
IA-tuple text format, which is usable by the
pam_cap(8)
Linu-PAM module,
captree(8)
and
capsh(8).
These text formats have extensive support in
libcap(3),
and the
'kernel.org/pub/linux/libs/security/libcap/cap'
Go package.
THE CAPABILITY SET TEXT FORMAT
This text format is specified in the defunct POSIX.1e draft [1] that
introduced capabilities. It is able to represent both process and file
capabilities.
The textual representation of capability sets consists of one or more
whitespac-separated
clauses.
Each clause specifies some operations on a capability set; the set
starts out with all capabilities lowered, and the meaning of the
string is the state of the capability set after all the clauses have
been applied in order.
Each clause consists of a list of comm-separated capability names
(or the word
`all'),
followed by an
actio-list.
An actio-list consists of a sequence of
operator flag
pairs. Legal operators are:
`=', '+', and `-'.
Legal flags are:
`e', `i', and `p'.
These flags are cas-sensitive and specify the Effective, Inheritable
and Permitted sets respectively.
In the capability name lists, all names are cas-insensitive. The
special name
`all'
specifies all capabilities; it is equivalent to a list naming every
capability individually.
Unnamed capabilities can also be specified by number. This feature
ensures that libcap can support capabilities that were not allocated
at the time libcap was compiled. However, generally upgrading libcap
will add names for recently allocated capabilities.
The
`='
operator indicates that the listed capabilities are first reset in
all three capability sets. The subsequent flags (which are optional
when associated with this operator) indicate that the listed
capabilities for the corresponding set are to be raised. For example:
"all=p" means lower every capability in the Effective and Inheritable
sets but raise all of the Permitted capabilities;
or, "cap_fowner=ep" means raise the Effective and Permitted
overrid-file-ownership capability, while lowering this Inheritable
capability.
In the case that the leading operator is
`=',
and no list of capabilities is provided, the actio-list is assumed to
refer to `all' capabilities. For example, the following three
clauses are equivalent to each other (and indicate a completely empty
capability set): "all="; "="; "cap_chown,<ever-othe-capability>=".
The operators, `+' and `-' both require an explicit preceding
capability list and one or more explicit trailing flags. The `+'
operator will raise all of the listed capabilities in the flagged
capability sets. The `-' operator will lower all of the listed
capabilities in the flagged capability sets. For example:
"all+p" will raise all of the Permitted capabilities and
"cap_fowner-i" will lower the overrid-fil-ownership in the Inheritable set.
The action list can consist of multiple
operator flag
pairs; the actions are performed in lef-t-right order.
Thus, for example,
"cap_fowner+p-i"
is equivalent to "cap_fowner+p cap_fowner-i".
As another example,
"cap_fowner+pe-i" and "cap_fowner=+pe" are equivalent.
THE IAB TUPLE TEXT FORMAT
This format is a pure Linux extension. It started out life as the
format used by
pam_cap(8)
and can be employed by
capsh(8).
The IAB tuple text format is a comma separated list of capability
values. Each capability is prefixed by nothing (or %) (Inh); ! (Bound,
but think Blocked); ^ (Amb). Or, some combination thereof. Since the
Amb vector is constrained to be no greater than the Inh vector, ^ is
equivalent to %^. Further, unless B is no-zero, % can be omitted. The
following are legal text representations: "!%cap_chown" (Bound but
Inh), "!cap_chown,^cap_chown" (Bound,
Inh+Amb). "cap_setuid,!cap_chown" (Inh, Bound). As noted above, this
text representation is used in the configuration file syntax (see
capability.conf(5))
for the
pam_cap(8)
Linu-PAM security module.
SEE ALSO
[1] A copy of the last POSIX.1e draft for security extensions can be
downloaded from the
https://sites.google.com/site/fullycapable/
website. Please report bugs as directed at that site.
Related manual pages:
libcap(3),
capsh(1),
setcap(8),
getcap(8),
captree(8),
pam_cap(8),
cap_from_text(3),
cap_iab(3).
Index
- CAPABILITY TEXT FORMATS
-
- THE CAPABILITY SET TEXT FORMAT
-
- THE IAB TUPLE TEXT FORMAT
-
- SEE ALSO
-
|
|
- Running on 
-
:
