summaryrefslogtreecommitdiff
path: root/ANDROID_3.4.5/include/linux/capability.h
diff options
context:
space:
mode:
Diffstat (limited to 'ANDROID_3.4.5/include/linux/capability.h')
-rw-r--r--ANDROID_3.4.5/include/linux/capability.h560
1 files changed, 0 insertions, 560 deletions
diff --git a/ANDROID_3.4.5/include/linux/capability.h b/ANDROID_3.4.5/include/linux/capability.h
deleted file mode 100644
index c398cff3..00000000
--- a/ANDROID_3.4.5/include/linux/capability.h
+++ /dev/null
@@ -1,560 +0,0 @@
-/*
- * This is <linux/capability.h>
- *
- * Andrew G. Morgan <morgan@kernel.org>
- * Alexander Kjeldaas <astor@guardian.no>
- * with help from Aleph1, Roland Buresund and Andrew Main.
- *
- * See here for the libcap library ("POSIX draft" compliance):
- *
- * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
- */
-
-#ifndef _LINUX_CAPABILITY_H
-#define _LINUX_CAPABILITY_H
-
-#include <linux/types.h>
-
-struct task_struct;
-
-/* User-level do most of the mapping between kernel and user
- capabilities based on the version tag given by the kernel. The
- kernel might be somewhat backwards compatible, but don't bet on
- it. */
-
-/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
- a set of three capability sets. The transposition of 3*the
- following structure to such a composite is better handled in a user
- library since the draft standard requires the use of malloc/free
- etc.. */
-
-#define _LINUX_CAPABILITY_VERSION_1 0x19980330
-#define _LINUX_CAPABILITY_U32S_1 1
-
-#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
-#define _LINUX_CAPABILITY_U32S_2 2
-
-#define _LINUX_CAPABILITY_VERSION_3 0x20080522
-#define _LINUX_CAPABILITY_U32S_3 2
-
-typedef struct __user_cap_header_struct {
- __u32 version;
- int pid;
-} __user *cap_user_header_t;
-
-typedef struct __user_cap_data_struct {
- __u32 effective;
- __u32 permitted;
- __u32 inheritable;
-} __user *cap_user_data_t;
-
-
-#define VFS_CAP_REVISION_MASK 0xFF000000
-#define VFS_CAP_REVISION_SHIFT 24
-#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
-#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
-
-#define VFS_CAP_REVISION_1 0x01000000
-#define VFS_CAP_U32_1 1
-#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
-
-#define VFS_CAP_REVISION_2 0x02000000
-#define VFS_CAP_U32_2 2
-#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
-
-#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
-#define VFS_CAP_U32 VFS_CAP_U32_2
-#define VFS_CAP_REVISION VFS_CAP_REVISION_2
-
-struct vfs_cap_data {
- __le32 magic_etc; /* Little endian */
- struct {
- __le32 permitted; /* Little endian */
- __le32 inheritable; /* Little endian */
- } data[VFS_CAP_U32];
-};
-
-#ifndef __KERNEL__
-
-/*
- * Backwardly compatible definition for source code - trapped in a
- * 32-bit world. If you find you need this, please consider using
- * libcap to untrap yourself...
- */
-#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1
-
-#else
-
-#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
-#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
-
-extern int file_caps_enabled;
-
-typedef struct kernel_cap_struct {
- __u32 cap[_KERNEL_CAPABILITY_U32S];
-} kernel_cap_t;
-
-/* exact same as vfs_cap_data but in cpu endian and always filled completely */
-struct cpu_vfs_cap_data {
- __u32 magic_etc;
- kernel_cap_t permitted;
- kernel_cap_t inheritable;
-};
-
-#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
-#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
-
-#endif
-
-
-/**
- ** POSIX-draft defined capabilities.
- **/
-
-/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
- overrides the restriction of changing file ownership and group
- ownership. */
-
-#define CAP_CHOWN 0
-
-/* Override all DAC access, including ACL execute access if
- [_POSIX_ACL] is defined. Excluding DAC access covered by
- CAP_LINUX_IMMUTABLE. */
-
-#define CAP_DAC_OVERRIDE 1
-
-/* Overrides all DAC restrictions regarding read and search on files
- and directories, including ACL restrictions if [_POSIX_ACL] is
- defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
-
-#define CAP_DAC_READ_SEARCH 2
-
-/* Overrides all restrictions about allowed operations on files, where
- file owner ID must be equal to the user ID, except where CAP_FSETID
- is applicable. It doesn't override MAC and DAC restrictions. */
-
-#define CAP_FOWNER 3
-
-/* Overrides the following restrictions that the effective user ID
- shall match the file owner ID when setting the S_ISUID and S_ISGID
- bits on that file; that the effective group ID (or one of the
- supplementary group IDs) shall match the file owner ID when setting
- the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
- cleared on successful return from chown(2) (not implemented). */
-
-#define CAP_FSETID 4
-
-/* Overrides the restriction that the real or effective user ID of a
- process sending a signal must match the real or effective user ID
- of the process receiving the signal. */
-
-#define CAP_KILL 5
-
-/* Allows setgid(2) manipulation */
-/* Allows setgroups(2) */
-/* Allows forged gids on socket credentials passing. */
-
-#define CAP_SETGID 6
-
-/* Allows set*uid(2) manipulation (including fsuid). */
-/* Allows forged pids on socket credentials passing. */
-
-#define CAP_SETUID 7
-
-
-/**
- ** Linux-specific capabilities
- **/
-
-/* Without VFS support for capabilities:
- * Transfer any capability in your permitted set to any pid,
- * remove any capability in your permitted set from any pid
- * With VFS support for capabilities (neither of above, but)
- * Add any capability from current's capability bounding set
- * to the current process' inheritable set
- * Allow taking bits out of capability bounding set
- * Allow modification of the securebits for a process
- */
-
-#define CAP_SETPCAP 8
-
-/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
-
-#define CAP_LINUX_IMMUTABLE 9
-
-/* Allows binding to TCP/UDP sockets below 1024 */
-/* Allows binding to ATM VCIs below 32 */
-
-#define CAP_NET_BIND_SERVICE 10
-
-/* Allow broadcasting, listen to multicast */
-
-#define CAP_NET_BROADCAST 11
-
-/* Allow interface configuration */
-/* Allow administration of IP firewall, masquerading and accounting */
-/* Allow setting debug option on sockets */
-/* Allow modification of routing tables */
-/* Allow setting arbitrary process / process group ownership on
- sockets */
-/* Allow binding to any address for transparent proxying (also via NET_RAW) */
-/* Allow setting TOS (type of service) */
-/* Allow setting promiscuous mode */
-/* Allow clearing driver statistics */
-/* Allow multicasting */
-/* Allow read/write of device-specific registers */
-/* Allow activation of ATM control sockets */
-
-#define CAP_NET_ADMIN 12
-
-/* Allow use of RAW sockets */
-/* Allow use of PACKET sockets */
-/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
-
-#define CAP_NET_RAW 13
-
-/* Allow locking of shared memory segments */
-/* Allow mlock and mlockall (which doesn't really have anything to do
- with IPC) */
-
-#define CAP_IPC_LOCK 14
-
-/* Override IPC ownership checks */
-
-#define CAP_IPC_OWNER 15
-
-/* Insert and remove kernel modules - modify kernel without limit */
-#define CAP_SYS_MODULE 16
-
-/* Allow ioperm/iopl access */
-/* Allow sending USB messages to any device via /proc/bus/usb */
-
-#define CAP_SYS_RAWIO 17
-
-/* Allow use of chroot() */
-
-#define CAP_SYS_CHROOT 18
-
-/* Allow ptrace() of any process */
-
-#define CAP_SYS_PTRACE 19
-
-/* Allow configuration of process accounting */
-
-#define CAP_SYS_PACCT 20
-
-/* Allow configuration of the secure attention key */
-/* Allow administration of the random device */
-/* Allow examination and configuration of disk quotas */
-/* Allow setting the domainname */
-/* Allow setting the hostname */
-/* Allow calling bdflush() */
-/* Allow mount() and umount(), setting up new smb connection */
-/* Allow some autofs root ioctls */
-/* Allow nfsservctl */
-/* Allow VM86_REQUEST_IRQ */
-/* Allow to read/write pci config on alpha */
-/* Allow irix_prctl on mips (setstacksize) */
-/* Allow flushing all cache on m68k (sys_cacheflush) */
-/* Allow removing semaphores */
-/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- and shared memory */
-/* Allow locking/unlocking of shared memory segment */
-/* Allow turning swap on/off */
-/* Allow forged pids on socket credentials passing */
-/* Allow setting readahead and flushing buffers on block devices */
-/* Allow setting geometry in floppy driver */
-/* Allow turning DMA on/off in xd driver */
-/* Allow administration of md devices (mostly the above, but some
- extra ioctls) */
-/* Allow tuning the ide driver */
-/* Allow access to the nvram device */
-/* Allow administration of apm_bios, serial and bttv (TV) device */
-/* Allow manufacturer commands in isdn CAPI support driver */
-/* Allow reading non-standardized portions of pci configuration space */
-/* Allow DDI debug ioctl on sbpcd driver */
-/* Allow setting up serial ports */
-/* Allow sending raw qic-117 commands */
-/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
- arbitrary SCSI commands */
-/* Allow setting encryption key on loopback filesystem */
-/* Allow setting zone reclaim policy */
-
-#define CAP_SYS_ADMIN 21
-
-/* Allow use of reboot() */
-
-#define CAP_SYS_BOOT 22
-
-/* Allow raising priority and setting priority on other (different
- UID) processes */
-/* Allow use of FIFO and round-robin (realtime) scheduling on own
- processes and setting the scheduling algorithm used by another
- process. */
-/* Allow setting cpu affinity on other processes */
-
-#define CAP_SYS_NICE 23
-
-/* Override resource limits. Set resource limits. */
-/* Override quota limits. */
-/* Override reserved space on ext2 filesystem */
-/* Modify data journaling mode on ext3 filesystem (uses journaling
- resources) */
-/* NOTE: ext2 honors fsuid when checking for resource overrides, so
- you can override using fsuid too */
-/* Override size restrictions on IPC message queues */
-/* Allow more than 64hz interrupts from the real-time clock */
-/* Override max number of consoles on console allocation */
-/* Override max number of keymaps */
-
-#define CAP_SYS_RESOURCE 24
-
-/* Allow manipulation of system clock */
-/* Allow irix_stime on mips */
-/* Allow setting the real-time clock */
-
-#define CAP_SYS_TIME 25
-
-/* Allow configuration of tty devices */
-/* Allow vhangup() of tty */
-
-#define CAP_SYS_TTY_CONFIG 26
-
-/* Allow the privileged aspects of mknod() */
-
-#define CAP_MKNOD 27
-
-/* Allow taking of leases on files */
-
-#define CAP_LEASE 28
-
-#define CAP_AUDIT_WRITE 29
-
-#define CAP_AUDIT_CONTROL 30
-
-#define CAP_SETFCAP 31
-
-/* Override MAC access.
- The base kernel enforces no MAC policy.
- An LSM may enforce a MAC policy, and if it does and it chooses
- to implement capability based overrides of that policy, this is
- the capability it should use to do so. */
-
-#define CAP_MAC_OVERRIDE 32
-
-/* Allow MAC configuration or state changes.
- The base kernel requires no MAC configuration.
- An LSM may enforce a MAC policy, and if it does and it chooses
- to implement capability based checks on modifications to that
- policy or the data required to maintain it, this is the
- capability it should use to do so. */
-
-#define CAP_MAC_ADMIN 33
-
-/* Allow configuring the kernel's syslog (printk behaviour) */
-
-#define CAP_SYSLOG 34
-
-/* Allow triggering something that will wake the system */
-
-#define CAP_WAKE_ALARM 35
-
-/* Allow preventing system suspends while epoll events are pending */
-
-#define CAP_EPOLLWAKEUP 36
-
-#define CAP_LAST_CAP CAP_EPOLLWAKEUP
-
-#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
-
-/*
- * Bit location of each capability (used by user-space library and kernel)
- */
-
-#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
-#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
-
-#ifdef __KERNEL__
-
-struct dentry;
-struct user_namespace;
-
-struct user_namespace *current_user_ns(void);
-
-extern const kernel_cap_t __cap_empty_set;
-extern const kernel_cap_t __cap_init_eff_set;
-
-/*
- * Internal kernel functions only
- */
-
-#define CAP_FOR_EACH_U32(__capi) \
- for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
-
-/*
- * CAP_FS_MASK and CAP_NFSD_MASKS:
- *
- * The fs mask is all the privileges that fsuid==0 historically meant.
- * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
- *
- * It has never meant setting security.* and trusted.* xattrs.
- *
- * We could also define fsmask as follows:
- * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
- * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
- */
-
-# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
- | CAP_TO_MASK(CAP_MKNOD) \
- | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
- | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
- | CAP_TO_MASK(CAP_FOWNER) \
- | CAP_TO_MASK(CAP_FSETID))
-
-# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
-
-#if _KERNEL_CAPABILITY_U32S != 2
-# error Fix up hand-coded capability macro initializers
-#else /* HAND-CODED capability initializers */
-
-# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
-# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
-# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
- | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
- CAP_FS_MASK_B1 } })
-# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
- | CAP_TO_MASK(CAP_SYS_RESOURCE), \
- CAP_FS_MASK_B1 } })
-
-#endif /* _KERNEL_CAPABILITY_U32S != 2 */
-
-# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
-
-#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
-#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
-#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
-
-#define CAP_BOP_ALL(c, a, b, OP) \
-do { \
- unsigned __capi; \
- CAP_FOR_EACH_U32(__capi) { \
- c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
- } \
-} while (0)
-
-#define CAP_UOP_ALL(c, a, OP) \
-do { \
- unsigned __capi; \
- CAP_FOR_EACH_U32(__capi) { \
- c.cap[__capi] = OP a.cap[__capi]; \
- } \
-} while (0)
-
-static inline kernel_cap_t cap_combine(const kernel_cap_t a,
- const kernel_cap_t b)
-{
- kernel_cap_t dest;
- CAP_BOP_ALL(dest, a, b, |);
- return dest;
-}
-
-static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
- const kernel_cap_t b)
-{
- kernel_cap_t dest;
- CAP_BOP_ALL(dest, a, b, &);
- return dest;
-}
-
-static inline kernel_cap_t cap_drop(const kernel_cap_t a,
- const kernel_cap_t drop)
-{
- kernel_cap_t dest;
- CAP_BOP_ALL(dest, a, drop, &~);
- return dest;
-}
-
-static inline kernel_cap_t cap_invert(const kernel_cap_t c)
-{
- kernel_cap_t dest;
- CAP_UOP_ALL(dest, c, ~);
- return dest;
-}
-
-static inline int cap_isclear(const kernel_cap_t a)
-{
- unsigned __capi;
- CAP_FOR_EACH_U32(__capi) {
- if (a.cap[__capi] != 0)
- return 0;
- }
- return 1;
-}
-
-/*
- * Check if "a" is a subset of "set".
- * return 1 if ALL of the capabilities in "a" are also in "set"
- * cap_issubset(0101, 1111) will return 1
- * return 0 if ANY of the capabilities in "a" are not in "set"
- * cap_issubset(1111, 0101) will return 0
- */
-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
-{
- kernel_cap_t dest;
- dest = cap_drop(a, set);
- return cap_isclear(dest);
-}
-
-/* Used to decide between falling back on the old suser() or fsuser(). */
-
-static inline int cap_is_fs_cap(int cap)
-{
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
- return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
-}
-
-static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
-{
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
- return cap_drop(a, __cap_fs_set);
-}
-
-static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
- const kernel_cap_t permitted)
-{
- const kernel_cap_t __cap_fs_set = CAP_FS_SET;
- return cap_combine(a,
- cap_intersect(permitted, __cap_fs_set));
-}
-
-static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
-{
- const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
- return cap_drop(a, __cap_fs_set);
-}
-
-static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
- const kernel_cap_t permitted)
-{
- const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
- return cap_combine(a,
- cap_intersect(permitted, __cap_nfsd_set));
-}
-
-extern bool has_capability(struct task_struct *t, int cap);
-extern bool has_ns_capability(struct task_struct *t,
- struct user_namespace *ns, int cap);
-extern bool has_capability_noaudit(struct task_struct *t, int cap);
-extern bool has_ns_capability_noaudit(struct task_struct *t,
- struct user_namespace *ns, int cap);
-extern bool capable(int cap);
-extern bool ns_capable(struct user_namespace *ns, int cap);
-extern bool nsown_capable(int cap);
-
-/* audit system wants to get cap info from files as well */
-extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
-
-#endif /* __KERNEL__ */
-
-#endif /* !_LINUX_CAPABILITY_H */
generated by cgit (git 2.34.1) at 2025-01-11 17:39:03 +0000