package
0.0.0-20241102221056-eb2fa4d51d96
Repository: https://github.com/g0rbe/gmod.git
Documentation: pkg.go.dev

# Functions

CapabilityCheck checks whether the process with the given pid holds the given capability.
See linux/capability.h for the capability definitions the constants below reproduce.
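The check itself, as an added example that is not the package's own code: it reads the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks the kernel exposes in /proc/<pid>/status, decodes them with the bit numbers from linux/capability.h, and tests the effective set, which is the set the kernel consults when the process attempts a privileged operation. The function names (ParseStatus, HasCap, Decode, Lookup, CheckPID) and the sample status text are this example's own; the sample is constructed, not captured from a live system, and carries the mask a default Docker container is commonly started with.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Kernel capability names indexed by bit number, as in linux/capability.h
// (CAP_CHOWN = 0 through CAP_CHECKPOINT_RESTORE = CAP_LAST_CAP = 40).
var capNames = [...]string{
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
	"setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
	"net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
	"sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
	"sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
	"sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
	"setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
	"block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

// CapSets holds the five capability masks that /proc/<pid>/status reports.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// Lookup maps "sys_admin" or "CAP_SYS_ADMIN" to its kernel bit number.
func Lookup(name string) (uint, bool) {
	n := strings.ToLower(strings.TrimPrefix(strings.ToUpper(name), "CAP_"))
	for i, s := range capNames {
		if s == n {
			return uint(i), true
		}
	}
	return 0, false
}

// HasCap reports whether bit c is set in mask. Bits above CAP_LAST_CAP are
// never "held": a bit the kernel does not define must not pass a check.
func HasCap(mask uint64, c uint) bool {
	return c < uint(len(capNames)) && mask&(1<<c) != 0
}

// Decode lists the names of every capability set in mask, lowest bit first.
func Decode(mask uint64) []string {
	var out []string
	for i := range capNames {
		if mask&(1<<uint(i)) != 0 {
			out = append(out, capNames[i])
		}
	}
	return out
}

// ParseStatus extracts the Cap* lines from the text of /proc/<pid>/status.
// Each value is a 64-bit hex mask; anything else in the file is ignored.
func ParseStatus(status string) (CapSets, error) {
	var cs CapSets
	fields := map[string]*uint64{"CapInh": &cs.Inh, "CapPrm": &cs.Prm,
		"CapEff": &cs.Eff, "CapBnd": &cs.Bnd, "CapAmb": &cs.Amb}
	seen := 0
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		dst := fields[key]
		if !ok || dst == nil {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", key, err)
		}
		*dst = v
		seen++
	}
	if seen == 0 {
		return cs, fmt.Errorf("no Cap* lines in status text")
	}
	return cs, nil
}

// CheckPID tests the effective set of a running process via /proc (Linux only).
func CheckPID(pid int, c uint) (bool, error) {
	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid))
	if err != nil {
		return false, err
	}
	cs, err := ParseStatus(string(b))
	if err != nil {
		return false, err
	}
	return HasCap(cs.Eff, c), nil
}

// SampleStatus is a constructed /proc/<pid>/status excerpt, not captured from a
// real system; 0xa80425fb is the mask a default Docker container is given.
const SampleStatus = "Name:\tsh\nState:\tS (sleeping)\nCapInh:\t0000000000000000\n" +
	"CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n" +
	"CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

func main() {
	cs, err := ParseStatus(SampleStatus)
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	fmt.Println("effective:", strings.Join(Decode(cs.Eff), " "))
	for _, name := range []string{"CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE"} {
		c, _ := Lookup(name)
		fmt.Printf("%-15s effective=%-5v bounding=%v\n", name, HasCap(cs.Eff, c), HasCap(cs.Bnd, c))
	}
	if c, ok := Lookup("sys_admin"); ok { // live check of this process, Linux only
		if held, err := CheckPID(os.Getpid(), c); err == nil {
			fmt.Println("this process holds CAP_SYS_ADMIN:", held)
		}
	}
}
```

Checking the bounding set alongside the effective set matters when auditing a sandbox: a capability absent from CapBnd cannot be regained by any execve of a setcap or setuid binary, whereas one merely absent from CapEff can be.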

# Constants

Each constant is named after the kernel capability in linux/capability.h whose header comment it reproduces; the bit number in parentheses is the kernel's.

CAP_AUDIT_CONTROL (30): Allow configuration of audit via unicast netlink socket.

CAP_AUDIT_READ (37): Allow reading the audit log via multicast netlink socket.

CAP_AUDIT_WRITE (29): Allow writing the audit log via unicast netlink socket.

CAP_BLOCK_SUSPEND (36): Allow preventing system suspends.

CAP_BPF (39): Allows the following BPF operations:
- Creating all types of BPF maps
- Advanced verifier features
  - Indirect variable access
  - Bounded loops
  - BPF to BPF function calls
  - Scalar precision tracking
  - Larger complexity limits
  - Dead code elimination
  - And potentially other features
- Loading BPF Type Format (BTF) data
- Retrieving xlated and JITed code of BPF programs
- Using the bpf_spin_lock() helper

CAP_PERFMON relaxes the verifier checks further:
- BPF programs can use pointer-to-integer conversions
- speculation attack hardening measures are bypassed
- bpf_probe_read to read arbitrary kernel memory is allowed
- bpf_trace_printk to print kernel memory is allowed

CAP_SYS_ADMIN is required to use bpf_probe_write_user.

CAP_CHECKPOINT_RESTORE (40): Allow checkpoint/restore related operations; allow PID selection during clone3(); allow writing to ns_last_pid.

CAP_CHOWN (0): In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership.

CAP_DAC_OVERRIDE (1): Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined.

CAP_DAC_READ_SEARCH (2): Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined.

CAP_FOWNER (3): Overrides all restrictions about allowed operations on files where the file owner ID must be equal to the user ID, except where CAP_FSETID is applicable.

CAP_FSETID (4): Overrides the following restrictions: that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).

CAP_IPC_LOCK (14): Allow locking of shared memory segments; allow mlock and mlockall (which doesn't really have anything to do with IPC).

CAP_IPC_OWNER (15): Override IPC ownership checks.

CAP_KILL (5): Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.

CAP_LEASE (28): Allow taking of leases on files.

CAP_LINUX_IMMUTABLE (9): Allow modification of the S_IMMUTABLE and S_APPEND file attributes.

CAP_MAC_ADMIN (33): Allow MAC configuration or state changes.

CAP_MAC_OVERRIDE (32): Override MAC access.

CAP_MKNOD (27): Allow the privileged aspects of mknod().

CAP_NET_ADMIN (12): Allow interface configuration; allow administration of IP firewall, masquerading and accounting; allow setting the debug option on sockets; allow modification of routing tables; allow setting arbitrary process / process group ownership on sockets; allow binding to any address for transparent proxying (also via CAP_NET_RAW); allow setting TOS (type of service); allow setting promiscuous mode; allow clearing driver statistics; allow multicasting; allow read/write of device-specific registers; allow activation of ATM control sockets.

CAP_NET_BIND_SERVICE (10): Allows binding to TCP/UDP sockets below 1024; allows binding to ATM VCIs below 32.

CAP_NET_BROADCAST (11): Allow broadcasting and listening to multicast.

CAP_NET_RAW (13): Allow use of RAW sockets; allow use of PACKET sockets; allow binding to any address for transparent proxying (also via CAP_NET_ADMIN).

CAP_PERFMON (38): Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems.

CAP_SETFCAP (31): Set or remove capabilities on files.

CAP_SETGID (6): Allows setgid(2) manipulation; allows setgroups(2); allows forged gids on socket credentials passing.

CAP_SETPCAP (8): Without VFS support for capabilities: transfer any capability in your permitted set to any pid, and remove any capability in your permitted set from any pid. With VFS support for capabilities (neither of the above, but): add any capability from the current process's capability bounding set to its inheritable set; allow taking bits out of the capability bounding set; allow modification of the securebits for a process.

CAP_SETUID (7): Allows set*uid(2) manipulation (including fsuid).

CAP_SYS_ADMIN (21): Allow configuration of the secure attention key; allow administration of the random device; allow examination and configuration of disk quotas; allow setting the domainname; allow setting the hostname; allow calling bdflush(); allow mount() and umount(), and setting up a new smb connection; allow some autofs root ioctls; allow nfsservctl; allow VM86_REQUEST_IRQ; allow reading/writing pci config on alpha; allow irix_prctl on mips (setstacksize); allow flushing all cache on m68k (sys_cacheflush); allow removing semaphores; used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory; allow locking/unlocking of shared memory segments; allow turning swap on/off; allow forged pids on socket credentials passing; allow setting readahead and flushing buffers on block devices; allow setting geometry in the floppy driver; allow turning DMA on/off in the xd driver; allow administration of md devices (mostly the above, but some extra ioctls); allow tuning the ide driver; allow access to the nvram device; allow administration of apm_bios, serial and bttv (TV) devices; allow manufacturer commands in the isdn CAPI support driver; allow reading non-standardized portions of pci configuration space; allow the DDI debug ioctl on the sbpcd driver; allow setting up serial ports; allow sending raw qic-117 commands; allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; allow setting the encryption key on the loopback filesystem; allow setting the zone reclaim policy; allow everything under CAP_BPF and CAP_PERFMON for backward compatibility.

CAP_SYS_BOOT (22): Allow use of reboot().

CAP_SYS_CHROOT (18): Allow use of chroot().

CAP_SYS_MODULE (16): Insert and remove kernel modules - modify the kernel without limit.

CAP_SYS_NICE (23): Allow raising priority and setting priority on other (different UID) processes; allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.

CAP_SYS_PACCT (20): Allow configuration of process accounting.

CAP_SYS_PTRACE (19): Allow ptrace() of any process.

CAP_SYS_RAWIO (17): Allow ioperm/iopl access; allow sending USB messages to any device via /dev/bus/usb.

CAP_SYS_RESOURCE (24): Override resource limits.

CAP_SYS_TIME (25): Allow manipulation of the system clock; allow irix_stime on mips; allow setting the real-time clock.

CAP_SYS_TTY_CONFIG (26): Allow configuration of tty devices; allow vhangup() of a tty.

CAP_SYSLOG (34): Allow configuring the kernel's syslog (printk behaviour).

CAP_WAKE_ALARM (35): Allow triggering something that will wake the system.