solti_exec/utils/capability.rs
1//! # Capability: Linux capability identifiers.
2//!
3//! [`LinuxCapability`] enumerates the most commonly used Linux capabilities with their kernel constant values from `<linux/capability.h>`.
4//!
5//! ## API
6//!
7//! | Method | Returns | Platform |
8//! |--------------------|--------------------------------|--------------------|
9//! | [`name()`] | `&'static str` (`"NET_ADMIN"`) | any |
10//! | [`to_cap_value()`] | `u32` (kernel number) | any (`pub(crate)`) |
11//!
//! ## Cap values (reference)
//! ```text
//!  0 CHOWN             10 NET_BIND_SERVICE   21 SYS_ADMIN
//!  1 DAC_OVERRIDE      12 NET_ADMIN          22 SYS_BOOT
//!  2 DAC_READ_SEARCH   13 NET_RAW            23 SYS_NICE
//!  3 FOWNER            18 SYS_CHROOT         24 SYS_RESOURCE
//!  4 FSETID            19 SYS_PTRACE         25 SYS_TIME
//!  5 KILL              27 MKNOD              29 AUDIT_WRITE
//!  6 SETGID            30 AUDIT_CONTROL      31 SETFCAP
//!  7 SETUID
//!  8 SETPCAP
//! ```
24//!
25//! ## Rules
26//! - Values match `<linux/capability.h>` from Linux 6.x
27//!
28//! ## Also
29//!
30//! - [`SecurityConfig`](super::SecurityConfig) uses `LinuxCapability` in the keep list.
31
/// Linux process capability.
///
/// Covers the most commonly used capabilities. Each variant maps to its
/// kernel number through `to_cap_value()` and to its kernel-style name
/// through `name()`; the numeric table in the module docs is the reference.
/// Capabilities without a variant here cannot be expressed at all (for example
/// the kernel numbers 9, 11, 14–17, 20, 26, 28 and anything above 31 have no
/// variant), so they cannot appear on a keep list built from this type.
///
/// The enum is `#[non_exhaustive]`: code outside this crate must keep a
/// wildcard arm, while matches inside the crate stay exhaustive, so adding a
/// variant is a compile error until `name()` and `to_cap_value()` are updated.
///
/// `Eq` + `Hash` are derived so values can be collected into sets/maps
/// (presumably the keep list in `SecurityConfig` mentioned in the module docs).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[non_exhaustive]
pub enum LinuxCapability {
    /// `CAP_CHOWN`: Make arbitrary changes to file UIDs and GIDs
    Chown,
    /// `CAP_DAC_OVERRIDE`: Bypass file read, write, and execute permission checks
    DacOverride,
    /// `CAP_DAC_READ_SEARCH`: Bypass file read permission checks and directory read/execute checks
    DacReadSearch,
    /// `CAP_FOWNER`: Bypass permission checks on operations that normally require the filesystem UID
    FOwner,
    /// `CAP_FSETID`: Don't clear set-user-ID and set-group-ID mode bits
    FSetId,
    /// `CAP_KILL`: Bypass permission checks for sending signals
    Kill,
    /// `CAP_SETGID`: Make arbitrary manipulations of process GIDs and supplementary GID list
    SetGid,
    /// `CAP_SETUID`: Make arbitrary manipulations of process UIDs
    SetUid,
    /// `CAP_SETPCAP`: Modify process capabilities
    SetPCap,
    /// `CAP_NET_BIND_SERVICE`: Bind a socket to privileged ports (port numbers less than 1024)
    NetBindService,
    /// `CAP_NET_RAW`: Use RAW and PACKET sockets; bind to any address for transparent proxying
    NetRaw,
    /// `CAP_NET_ADMIN`: Perform various network-related operations
    NetAdmin,
    /// `CAP_SYS_CHROOT`: Use chroot()
    SysChroot,
    /// `CAP_SYS_PTRACE`: Trace arbitrary processes using ptrace()
    SysPtrace,
    /// `CAP_SYS_ADMIN`: Perform a range of system administration operations
    /// (widely treated as near-root; worth keeping only deliberately)
    SysAdmin,
    /// `CAP_SYS_BOOT`: Use reboot() and kexec_load()
    SysBoot,
    /// `CAP_SYS_NICE`: Raise process nice value and change the nice value for arbitrary processes
    SysNice,
    /// `CAP_SYS_RESOURCE`: Override resource limits
    SysResource,
    /// `CAP_SYS_TIME`: Set system clock; set real-time (hardware) clock
    SysTime,
    /// `CAP_MKNOD`: Create special files using mknod()
    MkNod,
    /// `CAP_AUDIT_WRITE`: Write records to kernel auditing log
    AuditWrite,
    /// `CAP_AUDIT_CONTROL`: Enable and disable kernel auditing
    AuditControl,
    /// `CAP_SETFCAP`: Set file capabilities
    SetFCap,
}
85
impl LinuxCapability {
    /// Kernel-style name and `<linux/capability.h>` number of each variant.
    ///
    /// Kept in a single table so that `name()` and `to_cap_value()` cannot
    /// drift apart. The `match` is deliberately exhaustive (no `_` arm):
    /// the enum is `#[non_exhaustive]`, and a new variant must fail to
    /// compile here until its row is added. The number is what the
    /// `KeepMask` is built from, so a wrong row silently keeps or drops the
    /// wrong privilege — verify new rows against the kernel header.
    const fn kernel_entry(self) -> (&'static str, u32) {
        match self {
            Self::Chown => ("CHOWN", 0),
            Self::DacOverride => ("DAC_OVERRIDE", 1),
            Self::DacReadSearch => ("DAC_READ_SEARCH", 2),
            Self::FOwner => ("FOWNER", 3),
            Self::FSetId => ("FSETID", 4),
            Self::Kill => ("KILL", 5),
            Self::SetGid => ("SETGID", 6),
            Self::SetUid => ("SETUID", 7),
            Self::SetPCap => ("SETPCAP", 8),
            Self::NetBindService => ("NET_BIND_SERVICE", 10),
            Self::NetAdmin => ("NET_ADMIN", 12),
            Self::NetRaw => ("NET_RAW", 13),
            Self::SysChroot => ("SYS_CHROOT", 18),
            Self::SysPtrace => ("SYS_PTRACE", 19),
            Self::SysAdmin => ("SYS_ADMIN", 21),
            Self::SysBoot => ("SYS_BOOT", 22),
            Self::SysNice => ("SYS_NICE", 23),
            Self::SysResource => ("SYS_RESOURCE", 24),
            Self::SysTime => ("SYS_TIME", 25),
            Self::MkNod => ("MKNOD", 27),
            Self::AuditWrite => ("AUDIT_WRITE", 29),
            Self::AuditControl => ("AUDIT_CONTROL", 30),
            Self::SetFCap => ("SETFCAP", 31),
        }
    }

    /// Kernel-style capability name without the `CAP_` prefix
    /// (e.g. `"NET_ADMIN"`, `"SYS_PTRACE"`).
    pub fn name(self) -> &'static str {
        let (cap_name, _) = self.kernel_entry();
        cap_name
    }

    /// Numeric value as in `<linux/capability.h>`.
    ///
    /// Platform-independent so that `KeepMask` can be unit-tested on any OS.
    #[cfg_attr(not(target_os = "linux"), allow(dead_code))]
    pub(crate) fn to_cap_value(self) -> u32 {
        let (_, cap_number) = self.kernel_entry();
        cap_number
    }
}
147}