Package: kernel.org/pub/linux/libs/security/libcap/cap
Version: 1.2.73
Repository: https://git.kernel.org/pub/scm/libs/libcap/libcap.git
Documentation: pkg.go.dev

# README

Package cap is the libcap API for Linux Capabilities written in Go. The official release announcement site for libcap is:

https://sites.google.com/site/fullycapable/

Like libcap, the cap package is distributed with a "you choose" License. Specifically: BSD three clause, or GPL2. See the License file.

Andrew G. Morgan

# Functions

Differs processes the result of Compare and determines if the Flag's components were different.
DropBound attempts to suppress bounding set Values.
FromName converts a named capability Value to its binary representation.
FromText converts the canonical text representation for a Set into a freshly allocated Set.
FuncLauncher returns a new launcher whose purpose is to only execute fn in a disposable security context.
GetAmbient determines if a specific capability is currently part of the local ambient set.
GetBound determines if a specific capability is currently part of the local bounding set.
GetFd returns the file capabilities of an open (*os.File).Fd().
GetFile returns the file capabilities of a named file.
GetMode assesses the current process state and summarizes it as a Mode.
GetPID returns the capability set associated with the target process id; pid=0 is an alias for current.
GetProc returns the capability Set of the current process.
GetSecbits returns the current setting of the process' Secbits.
IABFromText parses a string representing an IAB, as generated by IAB.String(), to generate an IAB.
IABGetPID returns the IAB tuple of a specified process.
IABGetProc summarizes the Inh, Amb and Bound capability vectors of the current process.
IABInit allocates a new IAB tuple.
Import imports a Set from a byte array where it has been stored in a portable (lossless) way.
MaxBits returns the number of kernel-named capabilities discovered at runtime in the current system.
NewIAB returns an empty IAB.
NewLauncher returns a new launcher for the specified program path and args with the specified environment.
NewSet returns an empty capability set.
Prctl is a convenience function that performs a syscall.Prctl() that either reads state using a single OS thread, or performs a Prctl that is treated as a process wide setting.
Prctlw is a convenience function for performing a syscall.Prctl() call that executes on all the threads of the process.
ProcRoot sets the local mount point for the Linux /proc filesystem.
ResetAmbient attempts to ensure the Ambient set is fully cleared.
SetAmbient attempts to set a specific Value bit to the state, enable.
SetGroups is a convenience function for robustly setting the GID and all other variants of GID (EGID etc) to the specified value, as well as setting all of the supplementary groups.
SetUID is a convenience function for robustly setting the UID and all other variants of UID (EUID etc) to the specified value without dropping the privilege of the current process.

# Constants

Inh, Amb, Bound enumerate the IAB vector components.
AUDIT_CONTROL allows a process to configure audit logging via a unicast netlink socket.
AUDIT_READ allows a process to read the audit log via a multicast netlink socket.
AUDIT_WRITE allows a process to write to the audit log via a unicast netlink socket.
BLOCK_SUSPEND allows a process to block system suspends - prevent the system from entering a lower power state.
BPF allows a process to manipulate aspects of the kernel enhanced Berkeley Packet Filter (BPF) system.
CHECKPOINT_RESTORE allows a process to perform checkpoint and restore operations.
CHOWN allows a process to arbitrarily change the user and group ownership of a file.
DAC_OVERRIDE allows a process to override all Discretionary Access Control (DAC) access, including ACL execute access.
DAC_READ_SEARCH allows a process to override all DAC restrictions limiting the read and search of files and directories.
Effective, Permitted, Inheritable are the three Flags of Values held in a Set.
ExtMagic is the 32-bit (little endian) magic for an external capability set.
FOWNER allows a process to perform operations on files, even where the file owner ID would otherwise need to be equal to the UID, except where cap.FSETID is applicable.
FSETID allows a process to set the S_ISUID and S_ISGID bits of the file permissions, even when the process' effective UID or GID/supplementary GIDs do not match that of the file.
IPC_LOCK allows a process to lock shared memory segments for IPC purposes.
IPC_OWNER allows a process to override IPC ownership checks.
KILL allows a process to send a kill(2) signal to any other process - overriding the limitation that there be a [E]UID match between source and target process.
LaunchSupported indicates that it is safe to return from a locked OS Thread and have that OS Thread be terminated by the runtime.
LEASE allows a process to take leases on files.
LINUX_IMMUTABLE allows a process to modify the S_IMMUTABLE and S_APPEND file attributes.
MAC_ADMIN allows a process to configure the Mandatory Access Control (MAC) policy.
MAC_OVERRIDE allows a process to override Mandatory Access Control (MAC) access.
MKNOD allows a process to perform privileged operations with the mknod() system call.
ModeUncertain etc are how libcap summarizes security modes involving capabilities and secure-bits.
NamedCount holds the number of capability values, with official names, known at the time this libcap/cap version was released.
NET_ADMIN allows a process to perform network configuration operations: - interface configuration - administration of IP firewall, masquerading and accounting - setting debug options on sockets - modification of routing tables - setting arbitrary process, and process group ownership on sockets - binding to any address for transparent proxying (this is also allowed via cap.NET_RAW) - setting TOS (Type of service) - setting promiscuous mode - clearing driver statistics - multicasting - read/write of device-specific registers - activation of ATM control sockets.
NET_BIND_SERVICE allows a process to bind to privileged ports: - TCP/UDP sockets below 1024 - ATM VCIs below 32.
NET_BROADCAST allows a process to broadcast to the network and to listen to multicast.
NET_RAW allows a process to use raw networking: - RAW sockets - PACKET sockets - binding to any address for transparent proxying (also permitted via cap.NET_ADMIN).
PERFMON allows a process to enable observability of privileged operations related to performance.
SecbitNoRoot etc are the bitmasks associated with the supported Secbit masks.
SETFCAP allows a process to set capabilities on files.
SETGID allows a process to freely manipulate its own GIDs: - arbitrarily set the GID, EGID, REGID, RESGID values - arbitrarily set the supplementary GIDs - allows the forging of GID credentials passed over a socket.
SETPCAP allows a process to freely manipulate its inheritable capabilities.
SETUID allows a process to freely manipulate its own UIDs: - arbitrarily set the UID, EUID, REUID and RESUID values - allows the forging of UID credentials passed over a socket.
SYS_ADMIN allows a process to perform a somewhat arbitrary grab-bag of privileged operations.
SYS_BOOT allows a process to initiate a reboot of the system.
SYS_CHROOT allows a process to perform a chroot syscall to change the effective root of the process' file system: redirect directory "/" to some other location.
SYS_MODULE allows a process to initiate the loading and unloading of kernel modules.
SYS_NICE allows a process to manipulate the execution priorities of arbitrary processes: - those involving different UIDs - setting their CPU affinity - alter the FIFO vs.
SYS_PACCT allows a process to configure process accounting.
SYS_PTRACE allows a process to perform a ptrace() of any other process.
SYS_RAWIO allows a process to perform raw IO: - permit ioperm/iopl access - permit sending USB messages to any device via /dev/bus/usb.
SYS_RESOURCE allows a process to adjust resource related parameters of processes and the system: - set and override resource limits - override quota limits - override the reserved space on ext2 filesystem (this can also be achieved via cap.FSETID) - modify the data journaling mode on ext3 filesystem, which uses journaling resources - override size restrictions on IPC message queues - configure more than 64Hz interrupts from the real-time clock - override the maximum number of consoles for console allocation - override the maximum number of keymaps.
SYS_TIME allows a process to perform time manipulation of clocks: - alter the system clock - enable irix_stime on MIPS - set the real-time clock.
SYS_TTY_CONFIG allows a process to manipulate tty devices: - configure tty devices - perform vhangup() of a tty.
SYSLOG allows a process to configure the kernel's syslog (printk) behavior.
WAKE_ALARM allows a process to trigger something that can wake the system up.

# Variables

ErrAmbiguousAmbient indicates that the Launcher is being used in addition to a callback supplied ambient set and the former should be used exclusively in a Launch call.
ErrAmbiguousChroot indicates that the Launcher is being used in addition to a callback supplied Chroot.
ErrAmbiguousIDs indicates that the Launcher is being used in addition to a callback supplied Credentials.
ErrBadMagic indicates that the kernel preferred magic number for capability Set values is not supported by this package.
ErrBadMode is the error returned when an attempt is made to set an unrecognized libcap security mode.
ErrBadPath indicates a failed attempt to set a file capability on an irregular (non-executable) file.
ErrBadSet indicates a nil pointer was used for a *Set, or the request of the Set is invalid in some way.
ErrBadSize indicates the loaded file capability has an invalid number of bytes in it.
ErrBadText is returned if the text for a capability set cannot be parsed.
ErrBadValue indicates a bad capability value was specified.
ErrLaunchFailed is returned if a launch was aborted with no more specific error.
ErrNoLaunch indicates the Go runtime available to this binary does not reliably support launching.
ErrOutOfRange indicates an erroneous value for MinExtFlagSize.
MinExtFlagSize defaults to 8 in order to be equivalent to libcap defaults.

# Structs

IAB holds a summary of all of the inheritable capability vectors: Inh, Amb and Bound.
Launcher holds a configuration for executing an optional callback function and/or launching a child process with capability state different from the parent.
Set is an opaque capabilities container for a set of system capabilities.

# Type aliases

Diff summarizes the result of the (*Set).Cf() function.
Flag is the type of one of the three Value dimensions held in a Set.
IABDiff holds the non-error result of an (*IAB).Cf() function call.
Mode summarizes a complicated secure-bits and capability mode in a libcap preferred way.
Secbits capture the prctl settable secure-bits of a process.
Value is the type of a single capability (or permission) bit.
Vector enumerates which of the inheritable IAB capability vectors is being manipulated.