ByeongYoon So

Reputation: 11

Is there any limitation of capN for setcap?

I am trying to use setcap to give an app some capabilities on linux.

It is working well with less than or equal to 18 caps.

$ setcap "0,1,2,3,4,5,6,7,8,10,12,13,14,16,17,18,19,21"+eip test_app
$ getcap test_app
test_app cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=eip
$ 

But when I give more than 18 caps, it is not working. It looks like I gave the caps 9,11,15,20,22,24,25,26,27,28,29,30,31,32,33,34,35,36 to setcap, but I actually gave 0,1,2,3,4,5,6,7,8,10,12,13,14,16,17,18,19,21,23.

$ setcap "0,1,2,3,4,5,6,7,8,10,12,13,14,16,17,18,19,21,23"+eip test_app
$ getcap test_app
test_app =eip cap_linux_immutable,cap_net_broadcast,cap_ipc_owner,cap_sys_pacct,cap_sys_boot,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend-eip
$

The linux kernel version is 3.10.0.

Thanks

I can't find any clue as to why this issue happens.

Upvotes: 1

Views: 150

Answers (1)

Tinkerer

Reputation: 1068

The Linux kernel has space for 64 capabilities. At present, only 41 of them are defined; see capability.h.

On your system, you can do this to list them all (cap_chown=0, cap_dac_override=1, etc.):

$ grep CapBnd /proc/1/status
CapBnd: 000001ffffffffff
$ capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore

Update 2023-10-06:

The string output syntax of getcap might be confusing you:

=eip cap_linux_immutable,...,cap_block_suspend-eip

means "=eip" (all capabilities known to the system) followed by "cap_linux_immutable,...-eip" (minus these ones). Specifically, once you have explicitly listed enough capabilities, it is more efficient to summarize what you have as "everything minus a list" instead of "here is the full list". As you add more and more capabilities to your list, you eventually pass the point where listing what you don't have is less complicated.

The cap_from_text man page has some explanation of this text output format. I found some more examples of the same format behavior in the Go package function cap.FromText().

Upvotes: 1
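The text format the answer describes, worked through as a small decoder and encoder (an added example, not code from the question, the answer or libcap). It takes the 41-name list that capsh printed above as its name table; the n_known parameter (how many caps the decoding host knows, 37 for the kernel 3.10 in the question) and the "majority state becomes the default" rule in encode() are this example's assumptions about how getcap chooses a spelling.

```python
# Added example (not the question's or answer's code): decode and re-encode
# the text form getcap prints.  CAP_NAMES is the list `capsh --decode` gave
# above (index == cap number); n_known (caps the host knows) is assumed, and
# encode()'s majority rule is a simplification of libcap's choice.
import re

CAP_NAMES = (
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid "
    "cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable "
    "cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw "
    "cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot "
    "cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice "
    "cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease "
    "cap_audit_write cap_audit_control cap_setfcap cap_mac_override "
    "cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend "
    "cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore").split()

def decode(text, n_known=len(CAP_NAMES)):
    """{flag: set of cap numbers} for a getcap string.  Each clause is a
    name list plus op/flag pairs (op in "=+-"); an empty name list means
    every known cap, so "=eip cap_x-eip" is all caps minus cap_x."""
    have = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        names, ops = re.match(r"([a-z_,]*)((?:[=+-][eip]*)+)$", clause).groups()
        caps = (set(range(n_known)) if not names
                else {CAP_NAMES.index(n) for n in names.split(",")})
        for op, flags in re.findall(r"([=+-])([eip]*)", ops):
            if op == "=":                 # '=' resets every flag first
                for f in have:
                    have[f] -= caps
            for f in flags:
                if op == "-":
                    have[f] -= caps
                else:
                    have[f] |= caps
    return have

def encode(caps, n_known=len(CAP_NAMES)):
    """Explicit list while eip caps are a minority of n_known; otherwise
    the "=eip <missing>-eip" complement form, as getcap printed above."""
    missing = sorted(set(range(n_known)) - set(caps))
    if len(caps) > len(missing):
        return "=eip " + ",".join(CAP_NAMES[c] for c in missing) + "-eip"
    return ",".join(CAP_NAMES[c] for c in sorted(caps)) + "=eip"

if __name__ == "__main__":
    asked = set(range(9)) | {10, 12, 13, 14, 16, 17, 18, 19, 21}  # question's 18
    for req in (asked, asked | {23}):        # then the 19 that looked wrong
        text = encode(req, n_known=37)       # kernel 3.10 knows caps 0..36
        print(text, decode(text, 37)["e"] == req)
```

Because the "=eip" prefix means "every cap this host knows", the same string decodes to more caps on a host whose libcap knows 41 of them, so compare against the CapBnd count the answer shows rather than against the name list alone.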
