LCOV - code coverage report
Current view: top level - include/linux - capability.h (source / functions) Hit Total Coverage
Test: coverage.info Lines: 2 2 100.0 %
Date: 2017-01-25 Functions: 0 0 -

          Line data    Source code
       1             : /*
       2             :  * This is <linux/capability.h>
       3             :  *
       4             :  * Andrew G. Morgan <morgan@kernel.org>
       5             :  * Alexander Kjeldaas <astor@guardian.no>
       6             :  * with help from Aleph1, Roland Buresund and Andrew Main.
       7             :  *
       8             :  * See here for the libcap library ("POSIX draft" compliance):
       9             :  *
      10             :  * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
      11             :  */
      12             : 
      13             : #ifndef _LINUX_CAPABILITY_H
      14             : #define _LINUX_CAPABILITY_H
      15             : 
      16             : #include <linux/types.h>
      17             : 
      18             : struct task_struct;
      19             : 
      20             : /* User-level do most of the mapping between kernel and user
      21             :    capabilities based on the version tag given by the kernel. The
      22             :    kernel might be somewhat backwards compatible, but don't bet on
      23             :    it. */
      24             : 
      25             : /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
      26             :    a set of three capability sets.  The transposition of 3*the
      27             :    following structure to such a composite is better handled in a user
      28             :    library since the draft standard requires the use of malloc/free
      29             :    etc.. */
      30             : 
      31             : #define _LINUX_CAPABILITY_VERSION_1  0x19980330
      32             : #define _LINUX_CAPABILITY_U32S_1     1
      33             : 
      34             : #define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
      35             : #define _LINUX_CAPABILITY_U32S_2     2
      36             : 
      37             : #define _LINUX_CAPABILITY_VERSION_3  0x20080522
      38             : #define _LINUX_CAPABILITY_U32S_3     2
      39             : 
      40             : typedef struct __user_cap_header_struct {
      41             :         __u32 version;
      42             :         int pid;
      43             : } __user *cap_user_header_t;
      44             : 
      45             : typedef struct __user_cap_data_struct {
      46             :         __u32 effective;
      47             :         __u32 permitted;
      48             :         __u32 inheritable;
      49             : } __user *cap_user_data_t;
      50             : 
      51             : 
      52             : #define XATTR_CAPS_SUFFIX "capability"
      53             : #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
      54             : 
      55             : #define VFS_CAP_REVISION_MASK   0xFF000000
      56             : #define VFS_CAP_REVISION_SHIFT  24
      57             : #define VFS_CAP_FLAGS_MASK      ~VFS_CAP_REVISION_MASK
      58             : #define VFS_CAP_FLAGS_EFFECTIVE 0x000001
      59             : 
      60             : #define VFS_CAP_REVISION_1      0x01000000
      61             : #define VFS_CAP_U32_1           1
      62             : #define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
      63             : 
      64             : #define VFS_CAP_REVISION_2      0x02000000
      65             : #define VFS_CAP_U32_2           2
      66             : #define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
      67             : 
      68             : #define XATTR_CAPS_SZ           XATTR_CAPS_SZ_2
      69             : #define VFS_CAP_U32             VFS_CAP_U32_2
      70             : #define VFS_CAP_REVISION        VFS_CAP_REVISION_2
      71             : 
      72             : struct vfs_cap_data {
      73             :         __le32 magic_etc;            /* Little endian */
      74             :         struct {
      75             :                 __le32 permitted;    /* Little endian */
      76             :                 __le32 inheritable;  /* Little endian */
      77             :         } data[VFS_CAP_U32];
      78             : };
      79             : 
      80             : #ifndef __KERNEL__
      81             : 
      82             : /*
      83             :  * Backwardly compatible definition for source code - trapped in a
      84             :  * 32-bit world. If you find you need this, please consider using
      85             :  * libcap to untrap yourself...
      86             :  */
      87             : #define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
      88             : #define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
      89             : 
      90             : #else
      91             : 
      92             : #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
      93             : #define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3
      94             : 
      95             : extern int file_caps_enabled;
      96           1 : 
      97             : typedef struct kernel_cap_struct {
      98             :         __u32 cap[_KERNEL_CAPABILITY_U32S];
      99           1 : } kernel_cap_t;
     100             : 
     101             : /* exact same as vfs_cap_data but in cpu endian and always filled completely */
     102             : struct cpu_vfs_cap_data {
     103             :         __u32 magic_etc;
     104             :         kernel_cap_t permitted;
     105             :         kernel_cap_t inheritable;
     106             : };
     107             : 
     108             : #define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))
     109             : #define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))
     110             : 
     111             : #endif
     112             : 
     113             : 
     114             : /**
     115             :  ** POSIX-draft defined capabilities.
     116             :  **/
     117             : 
     118             : /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
     119             :    overrides the restriction of changing file ownership and group
     120             :    ownership. */
     121             : 
     122             : #define CAP_CHOWN            0
     123             : 
     124             : /* Override all DAC access, including ACL execute access if
     125             :    [_POSIX_ACL] is defined. Excluding DAC access covered by
     126             :    CAP_LINUX_IMMUTABLE. */
     127             : 
     128             : #define CAP_DAC_OVERRIDE     1
     129             : 
     130             : /* Overrides all DAC restrictions regarding read and search on files
     131             :    and directories, including ACL restrictions if [_POSIX_ACL] is
     132             :    defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
     133             : 
     134             : #define CAP_DAC_READ_SEARCH  2
     135             : 
     136             : /* Overrides all restrictions about allowed operations on files, where
     137             :    file owner ID must be equal to the user ID, except where CAP_FSETID
     138             :    is applicable. It doesn't override MAC and DAC restrictions. */
     139             : 
     140             : #define CAP_FOWNER           3
     141             : 
     142             : /* Overrides the following restrictions that the effective user ID
     143             :    shall match the file owner ID when setting the S_ISUID and S_ISGID
     144             :    bits on that file; that the effective group ID (or one of the
     145             :    supplementary group IDs) shall match the file owner ID when setting
     146             :    the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
     147             :    cleared on successful return from chown(2) (not implemented). */
     148             : 
     149             : #define CAP_FSETID           4
     150             : 
     151             : /* Overrides the restriction that the real or effective user ID of a
     152             :    process sending a signal must match the real or effective user ID
     153             :    of the process receiving the signal. */
     154             : 
     155             : #define CAP_KILL             5
     156             : 
     157             : /* Allows setgid(2) manipulation */
     158             : /* Allows setgroups(2) */
     159             : /* Allows forged gids on socket credentials passing. */
     160             : 
     161             : #define CAP_SETGID           6
     162             : 
     163             : /* Allows set*uid(2) manipulation (including fsuid). */
     164             : /* Allows forged pids on socket credentials passing. */
     165             : 
     166             : #define CAP_SETUID           7
     167             : 
     168             : 
     169             : /**
     170             :  ** Linux-specific capabilities
     171             :  **/
     172             : 
     173             : /* Without VFS support for capabilities:
     174             :  *   Transfer any capability in your permitted set to any pid,
     175             :  *   remove any capability in your permitted set from any pid
     176             :  * With VFS support for capabilities (neither of above, but)
     177             :  *   Add any capability from current's capability bounding set
     178             :  *       to the current process' inheritable set
     179             :  *   Allow taking bits out of capability bounding set
     180             :  *   Allow modification of the securebits for a process
     181             :  */
     182             : 
     183             : #define CAP_SETPCAP          8
     184             : 
     185             : /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
     186             : 
     187             : #define CAP_LINUX_IMMUTABLE  9
     188             : 
     189             : /* Allows binding to TCP/UDP sockets below 1024 */
     190             : /* Allows binding to ATM VCIs below 32 */
     191             : 
     192             : #define CAP_NET_BIND_SERVICE 10
     193             : 
     194             : /* Allow broadcasting, listen to multicast */
     195             : 
     196             : #define CAP_NET_BROADCAST    11
     197             : 
     198             : /* Allow interface configuration */
     199             : /* Allow administration of IP firewall, masquerading and accounting */
     200             : /* Allow setting debug option on sockets */
     201             : /* Allow modification of routing tables */
     202             : /* Allow setting arbitrary process / process group ownership on
     203             :    sockets */
     204             : /* Allow binding to any address for transparent proxying */
     205             : /* Allow setting TOS (type of service) */
     206             : /* Allow setting promiscuous mode */
     207             : /* Allow clearing driver statistics */
     208             : /* Allow multicasting */
     209             : /* Allow read/write of device-specific registers */
     210             : /* Allow activation of ATM control sockets */
     211             : 
     212             : #define CAP_NET_ADMIN        12
     213             : 
     214             : /* Allow use of RAW sockets */
     215             : /* Allow use of PACKET sockets */
     216             : 
     217             : #define CAP_NET_RAW          13
     218             : 
     219             : /* Allow locking of shared memory segments */
     220             : /* Allow mlock and mlockall (which doesn't really have anything to do
     221             :    with IPC) */
     222             : 
     223             : #define CAP_IPC_LOCK         14
     224             : 
     225             : /* Override IPC ownership checks */
     226             : 
     227             : #define CAP_IPC_OWNER        15
     228             : 
     229             : /* Insert and remove kernel modules - modify kernel without limit */
     230             : #define CAP_SYS_MODULE       16
     231             : 
     232             : /* Allow ioperm/iopl access */
     233             : /* Allow sending USB messages to any device via /proc/bus/usb */
     234             : 
     235             : #define CAP_SYS_RAWIO        17
     236             : 
     237             : /* Allow use of chroot() */
     238             : 
     239             : #define CAP_SYS_CHROOT       18
     240             : 
     241             : /* Allow ptrace() of any process */
     242             : 
     243             : #define CAP_SYS_PTRACE       19
     244             : 
     245             : /* Allow configuration of process accounting */
     246             : 
     247             : #define CAP_SYS_PACCT        20
     248             : 
     249             : /* Allow configuration of the secure attention key */
     250             : /* Allow administration of the random device */
     251             : /* Allow examination and configuration of disk quotas */
     252             : /* Allow configuring the kernel's syslog (printk behaviour) */
     253             : /* Allow setting the domainname */
     254             : /* Allow setting the hostname */
     255             : /* Allow calling bdflush() */
     256             : /* Allow mount() and umount(), setting up new smb connection */
     257             : /* Allow some autofs root ioctls */
     258             : /* Allow nfsservctl */
     259             : /* Allow VM86_REQUEST_IRQ */
     260             : /* Allow to read/write pci config on alpha */
     261             : /* Allow irix_prctl on mips (setstacksize) */
     262             : /* Allow flushing all cache on m68k (sys_cacheflush) */
     263             : /* Allow removing semaphores */
     264             : /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
     265             :    and shared memory */
     266             : /* Allow locking/unlocking of shared memory segment */
     267             : /* Allow turning swap on/off */
     268             : /* Allow forged pids on socket credentials passing */
     269             : /* Allow setting readahead and flushing buffers on block devices */
     270             : /* Allow setting geometry in floppy driver */
     271             : /* Allow turning DMA on/off in xd driver */
     272             : /* Allow administration of md devices (mostly the above, but some
     273             :    extra ioctls) */
     274             : /* Allow tuning the ide driver */
     275             : /* Allow access to the nvram device */
     276             : /* Allow administration of apm_bios, serial and bttv (TV) device */
     277             : /* Allow manufacturer commands in isdn CAPI support driver */
     278             : /* Allow reading non-standardized portions of pci configuration space */
     279             : /* Allow DDI debug ioctl on sbpcd driver */
     280             : /* Allow setting up serial ports */
     281             : /* Allow sending raw qic-117 commands */
     282             : /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
     283             :    arbitrary SCSI commands */
     284             : /* Allow setting encryption key on loopback filesystem */
     285             : /* Allow setting zone reclaim policy */
     286             : 
     287             : #define CAP_SYS_ADMIN        21
     288             : 
     289             : /* Allow use of reboot() */
     290             : 
     291             : #define CAP_SYS_BOOT         22
     292             : 
     293             : /* Allow raising priority and setting priority on other (different
     294             :    UID) processes */
     295             : /* Allow use of FIFO and round-robin (realtime) scheduling on own
     296             :    processes and setting the scheduling algorithm used by another
     297             :    process. */
     298             : /* Allow setting cpu affinity on other processes */
     299             : 
     300             : #define CAP_SYS_NICE         23
     301             : 
     302             : /* Override resource limits. Set resource limits. */
     303             : /* Override quota limits. */
     304             : /* Override reserved space on ext2 filesystem */
     305             : /* Modify data journaling mode on ext3 filesystem (uses journaling
     306             :    resources) */
     307             : /* NOTE: ext2 honors fsuid when checking for resource overrides, so
     308             :    you can override using fsuid too */
     309             : /* Override size restrictions on IPC message queues */
     310             : /* Allow more than 64hz interrupts from the real-time clock */
     311             : /* Override max number of consoles on console allocation */
     312             : /* Override max number of keymaps */
     313             : 
     314             : #define CAP_SYS_RESOURCE     24
     315             : 
     316             : /* Allow manipulation of system clock */
     317             : /* Allow irix_stime on mips */
     318             : /* Allow setting the real-time clock */
     319             : 
     320             : #define CAP_SYS_TIME         25
     321             : 
     322             : /* Allow configuration of tty devices */
     323             : /* Allow vhangup() of tty */
     324             : 
     325             : #define CAP_SYS_TTY_CONFIG   26
     326             : 
     327             : /* Allow the privileged aspects of mknod() */
     328             : 
     329             : #define CAP_MKNOD            27
     330             : 
     331             : /* Allow taking of leases on files */
     332             : 
     333             : #define CAP_LEASE            28
     334             : 
     335             : #define CAP_AUDIT_WRITE      29
     336             : 
     337             : #define CAP_AUDIT_CONTROL    30
     338             : 
     339             : #define CAP_SETFCAP          31
     340             : 
     341             : /* Override MAC access.
     342             :    The base kernel enforces no MAC policy.
     343             :    An LSM may enforce a MAC policy, and if it does and it chooses
     344             :    to implement capability based overrides of that policy, this is
     345             :    the capability it should use to do so. */
     346             : 
     347             : #define CAP_MAC_OVERRIDE     32
     348             : 
     349             : /* Allow MAC configuration or state changes.
     350             :    The base kernel requires no MAC configuration.
     351             :    An LSM may enforce a MAC policy, and if it does and it chooses
     352             :    to implement capability based checks on modifications to that
     353             :    policy or the data required to maintain it, this is the
     354             :    capability it should use to do so. */
     355             : 
     356             : #define CAP_MAC_ADMIN        33
     357             : 
     358             : #define CAP_LAST_CAP         CAP_MAC_ADMIN
     359             : 
     360             : #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
     361             : 
     362             : /*
     363             :  * Bit location of each capability (used by user-space library and kernel)
     364             :  */
     365             : 
     366             : #define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
     367             : #define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
     368             : 
     369             : #ifdef __KERNEL__
     370             : 
     371             : /*
     372             :  * Internal kernel functions only
     373             :  */
     374             : 
     375             : #define CAP_FOR_EACH_U32(__capi)  \
     376             :         for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
     377             : 
     378             : /*
     379             :  * CAP_FS_MASK and CAP_NFSD_MASKS:
     380             :  *
     381             :  * The fs mask is all the privileges that fsuid==0 historically meant.
     382             :  * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
     383             :  *
     384             :  * It has never meant setting security.* and trusted.* xattrs.
     385             :  *
     386             :  * We could also define fsmask as follows:
     387             :  *   1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
     388             :  *   2. The security.* and trusted.* xattrs are fs-related MAC permissions
     389             :  */
     390             : 
     391             : # define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)             \
     392             :                             | CAP_TO_MASK(CAP_MKNOD)            \
     393             :                             | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
     394             :                             | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
     395             :                             | CAP_TO_MASK(CAP_FOWNER)           \
     396             :                             | CAP_TO_MASK(CAP_FSETID))
     397             : 
     398             : # define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))
     399             : 
     400             : #if _KERNEL_CAPABILITY_U32S != 2
     401             : # error Fix up hand-coded capability macro initializers
     402             : #else /* HAND-CODED capability initializers */
     403             : 
     404             : # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
     405             : # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
     406             : # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
     407             : # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
     408             :                                     | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
     409             :                                     CAP_FS_MASK_B1 } })
     410             : # define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
     411             :                                     | CAP_TO_MASK(CAP_SYS_RESOURCE), \
     412             :                                     CAP_FS_MASK_B1 } })
     413             : 
     414             : #endif /* _KERNEL_CAPABILITY_U32S != 2 */
     415             : 
     416             : #define CAP_INIT_INH_SET    CAP_EMPTY_SET
     417             : 
     418             : # define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)
     419             : # define cap_set_full(c)      do { (c) = __cap_full_set; } while (0)
     420             : # define cap_set_init_eff(c)  do { (c) = __cap_init_eff_set; } while (0)
     421             : 
     422             : #define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
     423             : #define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
     424             : #define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
     425             : 
     426             : #define CAP_BOP_ALL(c, a, b, OP)                                    \
     427             : do {                                                                \
     428             :         unsigned __capi;                                            \
     429             :         CAP_FOR_EACH_U32(__capi) {                                  \
     430             :                 c.cap[__capi] = a.cap[__capi] OP b.cap[__capi];     \
     431             :         }                                                           \
     432             : } while (0)
     433             : 
     434             : #define CAP_UOP_ALL(c, a, OP)                                       \
     435             : do {                                                                \
     436             :         unsigned __capi;                                            \
     437             :         CAP_FOR_EACH_U32(__capi) {                                  \
     438             :                 c.cap[__capi] = OP a.cap[__capi];                   \
     439             :         }                                                           \
     440             : } while (0)
     441             : 
     442             : static inline kernel_cap_t cap_combine(const kernel_cap_t a,
     443             :                                        const kernel_cap_t b)
     444             : {
     445             :         kernel_cap_t dest;
     446             :         CAP_BOP_ALL(dest, a, b, |);
     447             :         return dest;
     448             : }
     449             : 
     450             : static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
     451             :                                          const kernel_cap_t b)
     452             : {
     453             :         kernel_cap_t dest;
     454             :         CAP_BOP_ALL(dest, a, b, &);
     455             :         return dest;
     456             : }
     457             : 
     458             : static inline kernel_cap_t cap_drop(const kernel_cap_t a,
     459             :                                     const kernel_cap_t drop)
     460             : {
     461             :         kernel_cap_t dest;
     462             :         CAP_BOP_ALL(dest, a, drop, &~);
     463             :         return dest;
     464             : }
     465             : 
     466             : static inline kernel_cap_t cap_invert(const kernel_cap_t c)
     467             : {
     468             :         kernel_cap_t dest;
     469             :         CAP_UOP_ALL(dest, c, ~);
     470             :         return dest;
     471             : }
     472             : 
     473             : static inline int cap_isclear(const kernel_cap_t a)
     474             : {
     475             :         unsigned __capi;
     476             :         CAP_FOR_EACH_U32(__capi) {
     477             :                 if (a.cap[__capi] != 0)
     478             :                         return 0;
     479             :         }
     480             :         return 1;
     481             : }
     482             : 
     483             : /*
     484             :  * Check if "a" is a subset of "set".
     485             :  * return 1 if ALL of the capabilities in "a" are also in "set"
     486             :  *      cap_issubset(0101, 1111) will return 1
     487             :  * return 0 if ANY of the capabilities in "a" are not in "set"
     488             :  *      cap_issubset(1111, 0101) will return 0
     489             :  */
     490             : static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
     491             : {
     492             :         kernel_cap_t dest;
     493             :         dest = cap_drop(a, set);
     494             :         return cap_isclear(dest);
     495             : }
     496             : 
     497             : /* Used to decide between falling back on the old suser() or fsuser(). */
     498             : 
     499             : static inline int cap_is_fs_cap(int cap)
     500             : {
     501             :         const kernel_cap_t __cap_fs_set = CAP_FS_SET;
     502             :         return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
     503             : }
     504             : 
     505             : static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
     506             : {
     507             :         const kernel_cap_t __cap_fs_set = CAP_FS_SET;
     508             :         return cap_drop(a, __cap_fs_set);
     509             : }
     510             : 
     511             : static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
     512             :                                             const kernel_cap_t permitted)
     513             : {
     514             :         const kernel_cap_t __cap_fs_set = CAP_FS_SET;
     515             :         return cap_combine(a,
     516             :                            cap_intersect(permitted, __cap_fs_set));
     517             : }
     518             : 
     519             : static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
     520             : {
     521             :         const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
     522             :         return cap_drop(a, __cap_fs_set);
     523             : }
     524             : 
     525             : static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
     526             :                                               const kernel_cap_t permitted)
     527             : {
     528             :         const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
     529             :         return cap_combine(a,
     530             :                            cap_intersect(permitted, __cap_nfsd_set));
     531             : }
     532             : 
     533             : extern const kernel_cap_t __cap_empty_set;
     534             : extern const kernel_cap_t __cap_full_set;
     535             : extern const kernel_cap_t __cap_init_eff_set;
     536             : 
     537             : /**
     538             :  * has_capability - Determine if a task has a superior capability available
     539             :  * @t: The task in question
     540             :  * @cap: The capability to be tested for
     541             :  *
     542             :  * Return true if the specified task has the given superior capability
     543             :  * currently in effect, false if not.
     544             :  *
     545             :  * Note that this does not set PF_SUPERPRIV on the task.
     546             :  */
     547             : #define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
     548             : 
     549             : /**
     550             :  * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
     551             :  * @t: The task in question
     552             :  * @cap: The capability to be tested for
     553             :  *
     554             :  * Return true if the specified task has the given superior capability
     555             :  * currently in effect, false if not, but don't write an audit message for the
     556             :  * check.
     557             :  *
     558             :  * Note that this does not set PF_SUPERPRIV on the task.
     559             :  */
     560             : #define has_capability_noaudit(t, cap) \
     561             :         (security_real_capable_noaudit((t), (cap)) == 0)
     562             : 
     563             : extern int capable(int cap);
     564             : 
     565             : /* audit system wants to get cap info from files as well */
     566             : struct dentry;
     567             : extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
     568             : 
     569             : #endif /* __KERNEL__ */
     570             : 
     571             : #endif /* !_LINUX_CAPABILITY_H */

Generated by: LCOV version 1.10