From b68487041016e9ea32dd2fab2a6d52f09079e6f4 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Sat, 13 Jan 2018 20:55:53 +0100 Subject: [PATCH] capabilities.7: Describe file capability versioning Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index caf46eea9..693c57f02 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 
@@ -932,6 +932,40 @@ then the effective flag must also be specified as enabled for all other capabilities for which the corresponding permitted or inheritable flags is enabled. .\" +.SS File capability version numbering +To allow extensibility, +the kernel supports a scheme to encode a version number inside the +.I security.capability +extended attribute that is used to implement file capabilities. +These version numbers are internal to the implementation, +and not directly visible to user-space applications. +To date, the following versions are supported: +.TP +.BR VFS_CAP_REVISION_1 +This was the original file capability implementation, +which supported 32-bit masks for file capabilities. +.TP +.BR VFS_CAP_REVISION_2 " (since Linux 2.6.25)" +.\" commit e338d263a76af78fe8f38a72131188b58fceb591 +This version allows for file capability masks that are 64 bits in size, +and was necessary as the number of supported capabilities grew beyond 32. +The kernel transparently continues to support the execution of files +that have 32-bit version 1 capability masks, +but when adding capabilities to files that did not previously +have capabilities, or modifying the capabilities of existing files, +it automatically uses the version 2 scheme. +.TP +.BR VFS_CAP_REVISION_3 " (since Linux 4.14)" +.\" commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 +Version 3 file capabilities are designed to coexist +with version 2 capabilities, but serve a different purpose: +to support namespaced file capabilities. +As with version 2 file capabilities, +the capability masks are 64 bits in size. +In addition, the namespace root user ID is encoded in the +.I security.capability +extended attribute. +.\" .SS Transformation of capabilities during execve() .PP During an
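Review bot: the VFS_CAP_REVISION_3 entry says that "the namespace root user ID is encoded in the security.capability extended attribute" but never says what the kernel does with that ID, so a reader cannot tell when a version 3 capability set actually takes effect; add a sentence after "extended attribute." stating the condition, for example that the kernel applies the file capabilities only when the file is executed from a user namespace in which the encoded ID is the root user ID (or an ancestor namespace thereof), and that writing capabilities from such a namespace is what produces a version 3 attribute rather than version 2. The same hunk also states that the version numbers are "not directly visible to user-space applications" and then documents the constants VFS_CAP_REVISION_1, _2 and _3 by name, which is confusing: since those constants are exported in linux/capability.h and the version field is part of the raw attribute value readable with getxattr(2), qualify the sentence (e.g. "not normally of concern to user-space applications"). Minor, in the unchanged context line before the hunk: "flags is enabled" should read "flag is enabled"; worth fixing in a follow-up.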