hc
2024-02-20 e636c8d336489bf3eed5878299e6cc045bbad077
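--- a/kernel/include/uapi/linux/capability.h
+++ b/kernel/include/uapi/linux/capability.h
@@ -274,6 +274,7 @@
 arbitrary SCSI commands */
 /* Allow setting encryption key on loopback filesystem */
 /* Allow setting zone reclaim policy */
+/* Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility */
 
 #define CAP_SYS_ADMIN 21
 
@@ -301,6 +302,7 @@
 /* Allow more than 64hz interrupts from the real-time clock */
 /* Override max number of consoles on console allocation */
 /* Override max number of keymaps */
+/* Control memory reclaim behavior */
 
 #define CAP_SYS_RESOURCE 24
 
@@ -330,6 +332,9 @@
 /* Allow configuration of audit via unicast netlink socket */
 
 #define CAP_AUDIT_CONTROL 30
+
+/* Set or remove capabilities on files.
+ Map uid=0 into a child user namespace. */
 
 #define CAP_SETFCAP 31
 
@@ -366,8 +371,52 @@
 
 #define CAP_AUDIT_READ 37
 
+/*
+ * Allow system performance and observability privileged operations
+ * using perf_events, i915_perf and other kernel subsystems
+ */
 
-#define CAP_LAST_CAP CAP_AUDIT_READ
+#define CAP_PERFMON 38
+
+/*
+ * CAP_BPF allows the following BPF operations:
+ * - Creating all types of BPF maps
+ * - Advanced verifier features
+ * - Indirect variable access
+ * - Bounded loops
+ * - BPF to BPF function calls
+ * - Scalar precision tracking
+ * - Larger complexity limits
+ * - Dead code elimination
+ * - And potentially other features
+ * - Loading BPF Type Format (BTF) data
+ * - Retrieve xlated and JITed code of BPF programs
+ * - Use bpf_spin_lock() helper
+ *
+ * CAP_PERFMON relaxes the verifier checks further:
+ * - BPF progs can use of pointer-to-integer conversions
+ * - speculation attack hardening measures are bypassed
+ * - bpf_probe_read to read arbitrary kernel memory is allowed
+ * - bpf_trace_printk to print kernel memory is allowed
+ *
+ * CAP_SYS_ADMIN is required to use bpf_probe_write_user.
+ *
+ * CAP_SYS_ADMIN is required to iterate system wide loaded
+ * programs, maps, links, BTFs and convert their IDs to file descriptors.
+ *
+ * CAP_PERFMON and CAP_BPF are required to load tracing programs.
+ * CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
+ */
+#define CAP_BPF 39
+
+
+/* Allow checkpoint/restore related operations */
+/* Allow PID selection during clone3() */
+/* Allow writing to ns_last_pid */
+
+#define CAP_CHECKPOINT_RESTORE 40
+
+#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
@@ -376,7 +425,7 @@
 */
 
 #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
-#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
+#define CAP_TO_MASK(x) (1U << ((x) & 31)) /* mask for indexed __u32 */
 
 
 #endif /* _UAPI_LINUX_CAPABILITY_H */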
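Review bot: The new `#define CAP_LAST_CAP CAP_CHECKPOINT_RESTORE` (new line 419) makes `cap_valid()` accept 38–40, but this header only assigns the numbers; whether the permission checks and the tables indexed by capability number were updated in the same commit is not visible in this file section. The comment added above `CAP_SYS_ADMIN` says it still covers everything under `CAP_BPF` and `CAP_PERFMON`, which holds only if each check is written as "new capability or `CAP_SYS_ADMIN`" (upstream uses helpers such as `perfmon_capable()` and `bpf_capable()` for this). Without them the new bits could be granted and appear in a task's capability sets while authorising nothing, which misleads anyone auditing or trimming privileges. I would add `/* When raising CAP_LAST_CAP, update the capable() call sites and the LSM capability tables too */` above the define. The `CAP_BPF` comment block also states that `CAP_PERFMON` permits reading arbitrary kernel memory, so container and service profiles should treat it as a high-privilege grant.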