All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.github.dockerjava.api.model.Capability Maven / Gradle / Ivy

There is a newer version: 3.4.0
Show newest version
package com.github.dockerjava.api.model;

/**
 * The Linux capabilities supported by Docker. The list of capabilities is defined in Docker's types.go, {@link #ALL} was added manually.
 *
 * @see http://man7.org/linux/man-pages/man7/capabilities.7.html
 */
public enum Capability {
    /**
     * This meta capability includes all Linux capabilities.
     */
    ALL,
    /**
     * 
    *
  • Enable and disable kernel auditing. *
  • Change auditing filter rules. *
  • Retrieve auditing status and filtering rules. *
*/ AUDIT_CONTROL, /** * Allow reading the audit log via multicast netlink socket. */ AUDIT_READ, /** * Write records to kernel auditing log. */ AUDIT_WRITE, /** * Employ features that can block system suspend. */ BLOCK_SUSPEND, /** * Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. */ BPF, /** * Allow checkpoint/restore related operations. Introduced in kernel 5.9. */ CHECKPOINT_RESTORE, /** * Make arbitrary changes to file UIDs and GIDs (see chown(2)). */ CHOWN, /** * Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".) */ DAC_OVERRIDE, /** * Bypass file read permission checks and directory read and execute permission checks. */ DAC_READ_SEARCH, /** *
    *
  • Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file * (e.g., chmod(2), utime(2)), excluding those operations covered by the {@link #DAC_OVERRIDE} and {@link #DAC_READ_SEARCH}. *
  • Set extended file attributes (see chattr(1)) on arbitrary files. *
  • Set Access Control Lists (ACLs) on arbitrary files. *
  • Ignore directory sticky bit on file deletion. *
  • Specify O_NOATIME for arbitrary files in open(2)and fcntl(2). *
*/ FOWNER, /** *
    *
  • Don't clear set-user-ID and set-group-ID permission bits when a file is modified. *
  • Set the set-group-ID bit for a file whose GID does not match the file system or any of the supplementary GIDs of the calling * process. *
*/ FSETID, /** * Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)). */ IPC_LOCK, /** * Bypass permission checks for operations on System V IPC objects. */ IPC_OWNER, /** * Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation. */ KILL, /** * Establish leases on arbitrary files (see fcntl(2)). */ LEASE, /** * Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)). */ LINUX_IMMUTABLE, /** * Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). */ MAC_ADMIN, /** * Allow MAC configuration or state changes. Implemented for the Smack LSM. */ MAC_OVERRIDE, /** * Create special files using mknod(2). */ MKNOD, /** * Perform various network-related operations: *
    *
  • Interface configuration. *
  • Administration of IP firewall, masquerading, and accounting. *
  • Modify routing tables. *
  • Bind to any address for transparent proxying. *
  • Set type-of-service (TOS). *
  • Clear driver statistics. *
  • Set promiscuous mode. *
  • Enabling multicasting. *
  • Use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), * SO_RCVBUFFORCE, and SO_SNDBUFFORCE. *
*/ NET_ADMIN, /** * Bind a socket to Internet domain privileged ports (port numbers less than 1024). */ NET_BIND_SERVICE, /** * (Unused) Make socket broadcasts, and listen to multicasts. */ NET_BROADCAST, /** *
    *
  • Use RAW and PACKET sockets. *
  • Bind to any address for transparent proxying. *
*/ NET_RAW, /** * Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems */ PERFMON, /** * Set file capabilities. */ SETFCAP, /** *
    *
  • Make arbitrary manipulations of process GIDs and supplementary GID list. *
  • Forge GID when passing socket credentials via UNIX domain sockets. *
*/ SETGID, /** * If file capabilities are not supported: *
    *
  • grant or remove any capability in the caller's permitted capability set to or from any other process. (This property of * CAP_SETPCAP is not available when the kernel is configured to support file capabilities, since CAP_SETPCAP has entirely different * semantics for such kernels.) *
*

* If file capabilities are supported: *

    *
  • Add any capability from the calling thread's bounding set to its inheritable set. *
  • Drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP). *
  • Make changes to the securebits flags. *
*/ SETPCAP, /** *
    *
  • Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)). *
  • Make forged UID when passing socket credentials via UNIX domain sockets. *
*/ SETUID, /** *
    *
  • Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), * sethostname(2), and setdomainname(2). *
  • Perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations). *
  • Perform VM86_REQUEST_IRQ vm86(2) command. *
  • Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects. *
  • Perform operations on trusted and security Extended Attributes (see attr(5)). *
  • Use lookup_dcookie(2) *
  • Use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes. *
  • Forge UID when passing socket credentials. *
  • Exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., * accept(2), execve(2), open(2), pipe(2)). *
  • Employ CLONE_* flags that create new namespaces with clone(2) and unshare(2). *
  • Call perf_event_open(2). *
  • Access privileged perf event information. *
  • Call setns(2). *
  • Call fanotify_init(2). *
  • Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations. *
  • Perform madvise(2) MADV_HWPOISON operation. *
  • Employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal. *
  • Employ the obsolete nfsservctl(2) system call. *
  • Employ the obsolete bdflush(2) system call. *
  • Perform various privileged block-device ioctl(2) operations. *
  • Perform various privileged file-system ioctl(2) operations. *
  • Perform administrative operations on many device drivers. *
*/ SYS_ADMIN, /** * Use reboot(2) and kexec_load(2). */ SYS_BOOT, /** * Use chroot(2). */ SYS_CHROOT, /** *
    *
  • Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege. *
  • View kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1. (See the * discussion of the kptr_restrict in proc(5).) *
*/ SYSLOG, /** *
    *
  • Load and unload kernel modules (see init_module(2) and delete_module(2)) *
  • In kernels before 2.6.25: drop capabilities from the system-wide capability bounding set. *
*/ SYS_MODULE, /** *
    *
  • Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. *
  • Set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes * (sched_setscheduler(2), sched_setparam(2)). *
  • Set CPU affinity for arbitrary processes (sched_setaffinity(2)). *
  • Set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)). *
  • Apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes. *
  • Apply move_pages(2) to arbitrary processes. *
  • Use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2). *
*/ SYS_NICE, /** * Use acct(2). */ SYS_PACCT, /** *
    *
  • Trace arbitrary processes using ptrace(2). *
  • Apply get_robust_list(2) to arbitrary processes. *
  • Inspect processes using kcmp(2). *
*/ SYS_PTRACE, /** *
    *
  • Perform I/O port operations (iopl(2) and ioperm(2)). *
  • Access /proc/kcore. *
  • Employ the FIBMAP ioctl(2) operation. *
  • Open devices for accessing x86 model-specific registers (MSRs, see msr(4)). *
  • Update /proc/sys/vm/mmap_min_addr. *
  • Create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr. *
  • Map files in /proc/pci/bus. *
  • Open /dev/mem and /dev/kmem. *
  • Perform various SCSI device commands. *
  • Perform certain operations on hpsa(4) and cciss(4) devices. *
  • Perform a range of device-specific operations on other devices. *
*/ SYS_RAWIO, /** *
    *
  • Use reserved space on ext2 file systems. *
  • Make ioctl(2) calls controlling ext3 journaling. *
  • Override disk quota limits. *
  • Increase resource limits (see setrlimit(2)). *
  • Override RLIMIT_NPROC resource limit. *
  • Override maximum number of consoles on console allocation. *
  • Override maximum number of keymaps. *
  • Allow more than 64hz interrupts from the real-time clock. *
  • Raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2)). *
  • Override the /proc/sys/fs/pipe-size-max limit when setting the capacity of a pipe using the F_SETPIPE_SZ fcntl(2) command. *
  • Use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size. *
  • Override /proc/sys/fs/mqueue/queues_max limit when creating POSIX message queues (see mq_overview(7)). *
  • Employ prctl(2) PR_SET_MM operation. *
  • Set /proc/PID/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE. *
*/ SYS_RESOURCE, /** *
    *
  • Set system clock (settimeofday(2), stime(2), adjtimex(2)). *
  • Set real-time (hardware) clock. *
*/ SYS_TIME, /** *
    *
  • Use vhangup(2). *
  • Employ various privileged ioctl(2) operations on virtual terminals. *
*/ SYS_TTY_CONFIG, /** * Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers). */ WAKE_ALARM }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy