mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Describe file capability versioning
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 924f766741
commit b684870410
@ -932,6 +932,40 @@ then the effective flag must also be specified as enabled
for all other capabilities for which the corresponding permitted or
inheritable flags is enabled.
.\"
.SS File capability version numbering
To allow extensibility,
the kernel supports a scheme to encode a version number inside the
.I security.capability
extended attribute that is used to implement file capabilities.
These version numbers are internal to the implementation,
and not directly visible to user-space applications.
To date, the following versions are supported:
.TP
.BR VFS_CAP_REVISION_1
This was the original file capability implementation,
which supported 32-bit masks for file capabilities.
.TP
.BR VFS_CAP_REVISION_2 " (since Linux 2.6.25)"
.\" commit e338d263a76af78fe8f38a72131188b58fceb591
This version allows for file capability masks that are 64 bits in size,
and was necessary as the number of supported capabilities grew beyond 32.
The kernel transparently continues to support the execution of files
that have 32-bit version 1 capability masks,
but when adding capabilities to files that did not previously
have capabilities, or modifying the capabilities of existing files,
it automatically uses the version 2 scheme.
.TP
.BR VFS_CAP_REVISION_3 " (since Linux 4.14)"
.\" commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340
Version 3 file capabilities are designed to coexist
with version 2 capabilities, but serve a different purpose:
to support namespaced file capabilities.
As with version 2 file capabilities,
the capability masks are 64 bits in size.
In addition, the namespace root user ID is encoded in the
.I security.capability
extended attribute.
.\"
.SS Transformation of capabilities during execve()
.PP
During an
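Review bot: The VFS_CAP_REVISION_2 entry states without qualification that when capabilities are added to a file or modified "it automatically uses the version 2 scheme", but the VFS_CAP_REVISION_3 entry added in the same hunk says version 3 exists precisely "to support namespaced file capabilities", so the two entries read as contradictory for writes made from a non-initial user namespace; suggest qualifying the version 2 sentence, for example "it automatically uses the version 2 scheme (or, since Linux 4.14, the version 3 scheme when the capabilities are set from a user namespace other than the initial one)". In the VFS_CAP_REVISION_3 entry, "the namespace root user ID is encoded" leaves it unclear which namespace is meant; spelling out that it is the root user ID of the user namespace in which the file capabilities were set (as mapped in the initial user namespace) would make the security-relevant point explicit, namely that version 3 capabilities are honoured only for processes in a namespace where that ID maps to root. Minor style point: ".BR VFS_CAP_REVISION_1" has a single argument, so ".B VFS_CAP_REVISION_1" is the conventional form; ".BR" is only needed on the two entries that carry the trailing "(since Linux ...)" text.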