com.github.dockerjava.api.model.Capability Maven / Gradle / Ivy
package com.github.dockerjava.api.model;
/**
* The Linux capabilities supported by Docker. The list of capabilities is defined in Docker's types.go, {@link #ALL} was added manually.
*
* @see http://man7.org/linux/man-pages/man7/capabilities.7.html
*/
public enum Capability {
/**
* This meta capability includes all Linux capabilities.
*/
ALL,
/**
*
* - Enable and disable kernel auditing.
*
- Change auditing filter rules.
*
- Retrieve auditing status and filtering rules.
*
*/
AUDIT_CONTROL,
/**
* Allow reading the audit log via multicast netlink socket.
*/
AUDIT_READ,
/**
* Write records to kernel auditing log.
*/
AUDIT_WRITE,
/**
* Employ features that can block system suspend.
*/
BLOCK_SUSPEND,
/**
* Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
*/
BPF,
/**
* Allow checkpoint/restore related operations. Introduced in kernel 5.9.
*/
CHECKPOINT_RESTORE,
/**
* Make arbitrary changes to file UIDs and GIDs (see chown(2)).
*/
CHOWN,
/**
* Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
*/
DAC_OVERRIDE,
/**
* Bypass file read permission checks and directory read and execute permission checks.
*/
DAC_READ_SEARCH,
/**
*
* - Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file
* (e.g., chmod(2), utime(2)), excluding those operations covered by the {@link #DAC_OVERRIDE} and {@link #DAC_READ_SEARCH}.
*
- Set extended file attributes (see chattr(1)) on arbitrary files.
*
- Set Access Control Lists (ACLs) on arbitrary files.
*
- Ignore directory sticky bit on file deletion.
*
- Specify O_NOATIME for arbitrary files in open(2)and fcntl(2).
*
*/
FOWNER,
/**
*
* - Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
*
- Set the set-group-ID bit for a file whose GID does not match the file system or any of the supplementary GIDs of the calling
* process.
*
*/
FSETID,
/**
* Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)).
*/
IPC_LOCK,
/**
* Bypass permission checks for operations on System V IPC objects.
*/
IPC_OWNER,
/**
* Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.
*/
KILL,
/**
* Establish leases on arbitrary files (see fcntl(2)).
*/
LEASE,
/**
* Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)).
*/
LINUX_IMMUTABLE,
/**
* Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
*/
MAC_ADMIN,
/**
* Allow MAC configuration or state changes. Implemented for the Smack LSM.
*/
MAC_OVERRIDE,
/**
* Create special files using mknod(2).
*/
MKNOD,
/**
* Perform various network-related operations:
*
* - Interface configuration.
*
- Administration of IP firewall, masquerading, and accounting.
*
- Modify routing tables.
*
- Bind to any address for transparent proxying.
*
- Set type-of-service (TOS).
*
- Clear driver statistics.
*
- Set promiscuous mode.
*
- Enabling multicasting.
*
- Use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6),
* SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
*
*/
NET_ADMIN,
/**
* Bind a socket to Internet domain privileged ports (port numbers less than 1024).
*/
NET_BIND_SERVICE,
/**
* (Unused) Make socket broadcasts, and listen to multicasts.
*/
NET_BROADCAST,
/**
*
* - Use RAW and PACKET sockets.
*
- Bind to any address for transparent proxying.
*
*/
NET_RAW,
/**
* Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems
*/
PERFMON,
/**
* Set file capabilities.
*/
SETFCAP,
/**
*
* - Make arbitrary manipulations of process GIDs and supplementary GID list.
*
- Forge GID when passing socket credentials via UNIX domain sockets.
*
*/
SETGID,
/**
* If file capabilities are not supported:
*
* - grant or remove any capability in the caller's permitted capability set to or from any other process. (This property of
* CAP_SETPCAP is not available when the kernel is configured to support file capabilities, since CAP_SETPCAP has entirely different
* semantics for such kernels.)
*
*
* If file capabilities are supported:
*
* - Add any capability from the calling thread's bounding set to its inheritable set.
*
- Drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP).
*
- Make changes to the securebits flags.
*
*/
SETPCAP,
/**
*
* - Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)).
*
- Make forged UID when passing socket credentials via UNIX domain sockets.
*
*/
SETUID,
/**
*
* - Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2),
* sethostname(2), and setdomainname(2).
*
- Perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations).
*
- Perform VM86_REQUEST_IRQ vm86(2) command.
*
- Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects.
*
- Perform operations on trusted and security Extended Attributes (see attr(5)).
*
- Use lookup_dcookie(2)
*
- Use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes.
*
- Forge UID when passing socket credentials.
*
- Exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g.,
* accept(2), execve(2), open(2), pipe(2)).
*
- Employ CLONE_* flags that create new namespaces with clone(2) and unshare(2).
*
- Call perf_event_open(2).
*
- Access privileged perf event information.
*
- Call setns(2).
*
- Call fanotify_init(2).
*
- Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations.
*
- Perform madvise(2) MADV_HWPOISON operation.
*
- Employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal.
*
- Employ the obsolete nfsservctl(2) system call.
*
- Employ the obsolete bdflush(2) system call.
*
- Perform various privileged block-device ioctl(2) operations.
*
- Perform various privileged file-system ioctl(2) operations.
*
- Perform administrative operations on many device drivers.
*
*/
SYS_ADMIN,
/**
* Use reboot(2) and kexec_load(2).
*/
SYS_BOOT,
/**
* Use chroot(2).
*/
SYS_CHROOT,
/**
*
* - Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege.
*
- View kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1. (See the
* discussion of the kptr_restrict in proc(5).)
*
*/
SYSLOG,
/**
*
* - Load and unload kernel modules (see init_module(2) and delete_module(2))
*
- In kernels before 2.6.25: drop capabilities from the system-wide capability bounding set.
*
*/
SYS_MODULE,
/**
*
* - Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
*
- Set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes
* (sched_setscheduler(2), sched_setparam(2)).
*
- Set CPU affinity for arbitrary processes (sched_setaffinity(2)).
*
- Set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)).
*
- Apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes.
*
- Apply move_pages(2) to arbitrary processes.
*
- Use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).
*
*/
SYS_NICE,
/**
* Use acct(2).
*/
SYS_PACCT,
/**
*
* - Trace arbitrary processes using ptrace(2).
*
- Apply get_robust_list(2) to arbitrary processes.
*
- Inspect processes using kcmp(2).
*
*/
SYS_PTRACE,
/**
*
* - Perform I/O port operations (iopl(2) and ioperm(2)).
*
- Access /proc/kcore.
*
- Employ the FIBMAP ioctl(2) operation.
*
- Open devices for accessing x86 model-specific registers (MSRs, see msr(4)).
*
- Update /proc/sys/vm/mmap_min_addr.
*
- Create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr.
*
- Map files in /proc/pci/bus.
*
- Open /dev/mem and /dev/kmem.
*
- Perform various SCSI device commands.
*
- Perform certain operations on hpsa(4) and cciss(4) devices.
*
- Perform a range of device-specific operations on other devices.
*
*/
SYS_RAWIO,
/**
*
* - Use reserved space on ext2 file systems.
*
- Make ioctl(2) calls controlling ext3 journaling.
*
- Override disk quota limits.
*
- Increase resource limits (see setrlimit(2)).
*
- Override RLIMIT_NPROC resource limit.
*
- Override maximum number of consoles on console allocation.
*
- Override maximum number of keymaps.
*
- Allow more than 64hz interrupts from the real-time clock.
*
- Raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2)).
*
- Override the /proc/sys/fs/pipe-size-max limit when setting the capacity of a pipe using the F_SETPIPE_SZ fcntl(2) command.
*
- Use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size.
*
- Override /proc/sys/fs/mqueue/queues_max limit when creating POSIX message queues (see mq_overview(7)).
*
- Employ prctl(2) PR_SET_MM operation.
*
- Set /proc/PID/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE.
*
*/
SYS_RESOURCE,
/**
*
* - Set system clock (settimeofday(2), stime(2), adjtimex(2)).
*
- Set real-time (hardware) clock.
*
*/
SYS_TIME,
/**
*
* - Use vhangup(2).
*
- Employ various privileged ioctl(2) operations on virtual terminals.
*
*/
SYS_TTY_CONFIG,
/**
* Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
*/
WAKE_ALARM
}