(7) Miscellaneous Information Manual - : ( 0 root) ( ). (: ). 2.2 . (thread). : CAP_AUDIT_CONTROL ( 2.6.11) . CAP_AUDIT_READ ( 3.16) netlink . CAP_AUDIT_WRITE ( 2.6.11) . CAP_BLOCK_SUSPEND ( 3.5) (epoll(7) EPOLLWAKEUP /proc/sys/wake_lock). CAP_BPF ( 5.8) BPF bpf(2) bpf-helpers(7). 5.8 BPF CAP_SYS_ADMIN . CAP_CHECKPOINT_RESTORE ( 5.9) o /proc/sys/kernel/ns_last_pid ( pid_namespaces(7)) o set_tid clone3(2) o /proc/pid/map_files . 5.9 / CAP_SYS_ADMIN . CAP_CHOWN ( chown(2)). CAP_DAC_OVERRIDE . (DAC "discretionary access control" .) CAP_DAC_READ_SEARCH o o open_by_handle_at(2) o AT_EMPTY_PATH linkat(2) (file descriptor). CAP_FOWNER o ( chmod(2) utime(2)) CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH o (inode) ( FS_IOC_SETFLAGS(2const)) o (ACLs) o (sticky bit) o o O_NOATIME open(2) fcntl(2). CAP_FSETID o (set-user-ID) (set-group-ID) o (set-group-ID) (GID) . CAP_IPC_LOCK o (mlock(2) mlockall(2) mmap(2) shmctl(2)) o (memfd_create(2) mmap(2) shmctl(2)). CAP_IPC_OWNER System V IPC. CAP_KILL ( kill(2)). KDSIGACCEPT ioctl(2). CAP_LEASE ( 2.4) (leases) ( fcntl(2)). CAP_LINUX_IMMUTABLE FS_APPEND_FL FS_IMMUTABLE_FL ( FS_IOC_SETFLAGS(2const)). CAP_MAC_ADMIN ( 2.6.25) MAC . Smack (LSM). CAP_MAC_OVERRIDE ( 2.6.25) (MAC). Smack LSM. CAP_MKNOD ( 2.4) mknod(2). CAP_NET_ADMIN : o o IP (masquerading) o o o (TOS) o o (promiscuous mode) o o setsockopt(2) : SO_DEBUG SO_MARK SO_PRIORITY ( 0 6) SO_RCVBUFFORCE SO_SNDBUFFORCE. CAP_NET_BIND_SERVICE ( 1024). CAP_NET_BROADCAST ( ) . CAP_NET_RAW o RAW PACKET o . CAP_PERFMON ( 5.8) : o perf_event_open(2) o BPF . 5.8 CAP_SYS_ADMIN . Documentation/admin-guide/perf-security.rst. CAP_SETGID o o o ( user_namespaces(7)). CAP_SETFCAP ( 2.6.24) . 5.12 0 user_namespaces(7) . CAP_SETPCAP ( 2.6.24): ( prctl(2) PR_CAPBSET_DROP) securebits. ( 2.6.24): . ( CAP_SETPCAP CAP_SETPCAP .) CAP_SETUID o (setuid(2) setreuid(2) setresuid(2) setfsuid(2)) o o ( user_namespaces(7)). CAP_SYS_ADMIN : . 
o : quotactl(2) mount(2) umount(2) pivot_root(2) swapon(2) swapoff(2) sethostname(2) setdomainname(2) o syslog(2) ( 2.6.37 CAP_SYSLOG ) o VM86_REQUEST_IRQ vm86(2) o / CAP_CHECKPOINT_RESTORE ( ). o BPF CAP_BPF ( ). o CAP_PERFMON ( ). o IPC_SET IPC_RMID System V IPC o RLIMIT_NPROC o trusted security ( xattr(7)) o lookup_dcookie(2) o ioprio_set(2) / IOPRIO_CLASS_RT ( 2.6.25) IOPRIO_CLASS_IDLE o (PID) o /proc/sys/fs/file-max (: accept(2) execve(2) open(2) pipe(2)) o CLONE_* clone(2) unshare(2) ( 3.8 ) o perf o setns(2) ( CAP_SYS_ADMIN ) o fanotify_init(2) o KEYCTL_CHOWN KEYCTL_SETPERM keyctl(2) o MADV_HWPOISON madvise(2) o TIOCSTI ioctl(2) o nfsservctl(2) o bdflush(2) o ioctl(2) o ioctl(2) o ioctl(2) /dev/random ( random(4)) o seccomp(2) no_new_privs o / o PTRACE_SECCOMP_GET_FILTER ptrace(2) seccomp o PTRACE_SETOPTIONS ptrace(2) seccomp ( PTRACE_O_SUSPEND_SECCOMP) o o (nice) /proc/pid/autogroup ( sched(7)). CAP_SYS_BOOT reboot(2) kexec_load(2). CAP_SYS_CHROOT o chroot(2) o setns(2). CAP_SYS_MODULE o ( init_module(2) delete_module(2)) o 2.6.25: . CAP_SYS_NICE o (nice) (nice(2) setpriority(2)) o (sched_setscheduler(2) sched_setparam(2) sched_setattr(2)) o (CPU affinity) (sched_setaffinity(2)) o / (ioprio_set(2)) o migrate_pages(2) o move_pages(2) o MPOL_MF_MOVE_ALL mbind(2) move_pages(2). CAP_SYS_PACCT acct(2). CAP_SYS_PTRACE o ptrace(2) o /proc ( /proc/pid/maps /proc/pid/mem /proc/pid/exe /proc/pid/fd/*) o get_robust_list(2) o process_vm_readv(2) process_vm_writev(2) o kcmp(2) o . ( ptrace_may_access().) CAP_SYS_RAWIO o / (iopl(2) ioperm(2)) o /proc/kcore o FIBMAP ioctl(2) o x86 (MSRs msr(4)) o /proc/sys/vm/mmap_min_addr o /proc/sys/vm/mmap_min_addr o /proc/bus/pci o /dev/mem /dev/kmem o SCSI o hpsa(4) cciss(4) o . 
CAP_SYS_RESOURCE o ext2 o ioctl(2) ext3 o o ( setrlimit(2)) o RLIMIT_NPROC o o o 64 o msg_qbytes System V /proc/sys/kernel/msgmnb ( msgop(2) msgctl(2)) o RLIMIT_NOFILE " " ( unix(7)) o /proc/sys/fs/pipe-size-max F_SETPIPE_SZ fcntl(2) o F_SETPIPE_SZ /proc/sys/fs/pipe-max-size o /proc/sys/fs/mqueue/queues_max /proc/sys/fs/mqueue/msg_max /proc/sys/fs/mqueue/msgsize_max POSIX ( mq_overview(7)) o PR_SET_MM prctl(2) o /proc/pid/oom_score_adj CAP_SYS_RESOURCE. CAP_SYS_TIME (settimeofday(2) stime(2) adjtimex(2)) (). CAP_SYS_TTY_CONFIG vhangup(2) ioctl(2) . CAP_SYSLOG ( 2.6.37) o syslog(2) . syslog(2) . o /proc /proc/sys/kernel/kptr_restrict 1. ( kptr_restrict proc(5).) CAP_WAKE_ALARM ( 3.0) ( CLOCK_REALTIME_ALARM CLOCK_BOOTTIME_ALARM). : o . o . o . 2.6.24 2.6.24 . (capability) . o (root). o . . ( : 64 ). o <<>> (silo) . . . o CAP_SYS_ADMIN ! ( ). << >> . . CAP_SYS_ADMIN . o << >>. CAP_SYS_PACCT . . (Thread) : (Permitted) . CAP_SETPCAP . ( execve(2) set-user-ID-root ). (Inheritable) execve(2). . execve(2) (ambient) . (Effective) . (Bounding) ( 2.6.25) execve(2). 2.6.25 . . . (Ambient) ( 4.3) execve(2) . . prctl(2). . (UID) (GID) set-user-ID set-group-ID . execve(2). execve(2) ld.so(8). fork(2) . execve(2) execve() . capset(2) . 3.2 /proc/sys/kernel/cap_last_cap . 2.6.24 setcap(8). ( setxattr(2) xattr(7)) security.capability. CAP_SETFCAP. execve(2). : ( ): . ( ): AND execve(2). : . execve(2) . execve(2). execve(2) ( execve() ) . (setcap(8) cap_set_file(3) cap_set_fd(3)) (effective flag) . security.capability . . : VFS_CAP_REVISION_1 32 . VFS_CAP_REVISION_2 ( 2.6.25) 64 32. 1 32 2 ( 3 ). VFS_CAP_REVISION_3 ( 4.14) 3 (namespaced) ( ). 2 3 64 . security.capability. ( 0 ). 3 2 2 3. 4.14 VFS_CAP_REVISION_2. 4.14 security.capability . 4.14 security.capability 3 (VFS_CAP_REVISION_3) ( ) : o . ( : ). o CAP_SETFCAP (inode) () CAP_SETFCAP () (UID) (GID) . security.capability VFS_CAP_REVISION_3 . security.capability (CAP_SETFCAP) ( ) 2 (VFS_CAP_REVISION_2). security.capability 3 . 
(setxattr(2)) security.capability 2 3 . (getxattr(2)) ( ) security.capability 3 () 2 ( 2 ). ( setcap(1) getcap(1)) security.capability 3. security.capability 2 3 : security.capability . execve() execve(2) :

    P'(ambient)     = ( ) ? 0 : P(ambient)
    P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
    P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
    P'(inheritable) = P(inheritable) [ ]
    P'(bounding)    = P(bounding) [ ]

: P() execve(2) P'() execve(2) F() : o 4.3. execve(2) set-user-ID set-group-ID . o 2.6.25 . execve(2) P(bounding). : ( ) set-user-ID set-group-ID execve(2). no_file_caps. : execve(2) . execve(2) . (capability-dumb) libcap(3) . ( set-user-ID-root ). . . . ( ). execve(2) EPERM. . libcap(3). 0 () set-user-ID-root. set-user-ID - 0 () set-user-ID-root- : (1) 0 () ( ). ( set-user-ID-root ). (2) 0 () (). execve(2). execve(2) set-user-ID-root execve(2) :

    P'(permitted) = P(inheritable) | P(bounding)
    P'(effective) = P'(permitted)

. ( P'(permitted) P'(ambient) P(inheritable)). 0 () (securebits) . set-user-ID-root . () () 0 () () 0 () ( ). set-UID-root . ( set-user-ID-root ). set-user-ID-root 0 . execve(2). : o execve(2) AND . . o ( 2.6.25) capset(2). execve(2) . . . . 2.6.25 2.6.25 . ( ). fork(2) execve(2). PR_CAPBSET_DROP prctl(2) CAP_SETPCAP. . PR_CAPBSET_READ prctl(2). (compiled) . 2.6.33 CONFIG_SECURITY_FILE_CAPABILITIES. 2.6.33 . init ( ) . init CAP_SETPCAP . (bounding set) . . 2.6.25 2.6.25 . /proc/sys/kernel/cap-bound. ( /proc/sys/kernel/cap-bound.) init ( : CAP_SYS_MODULE) . CAP_SETPCAP. ( !) CAP_INIT_EFF_SET include/linux/capability.h . 2.2.11. 0 ( setuid(2) setresuid(2) ): o 0 . o 0 . o 0 . o 0 ( setfsuid(2)) : CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_LINUX_IMMUTABLE ( 2.6.30) CAP_MAC_OVERRIDE CAP_MKNOD ( 2.6.30). 0 . 0 securebits SECBIT_KEEP_CAPS . capget(2) capset(2). cap_get_proc(3) cap_set_proc(3) libcap . : o CAP_SETPCAP . o ( 2.6.25) . o ( ). o .
securebits: 2.6.26 securebits 0 (root). : SECBIT_KEEP_CAPS 0 . . execve(2). SECBIT_KEEP_CAPS . . SECBIT_KEEP_CAPS SECBIT_NO_SETUID_FIXUP . ( .) prctl(2) PR_SET_KEEPCAPS . SECBIT_NO_SETUID_FIXUP . . SECBIT_NOROOT set-user-ID-root 0 execve(2). ( root .) SECBIT_NO_CAP_AMBIENT_RAISE prctl(2) PR_CAP_AMBIENT_RAISE. "" "" (locked) . "" "" . : SECBIT_KEEP_CAPS_LOCKED SECBIT_NO_SETUID_FIXUP_LOCKED SECBIT_NOROOT_LOCKED SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED. securebits prctl(2) PR_SET_SECUREBITS PR_GET_SECUREBITS. CAP_SETPCAP . SECBIT_* . securebits . execve(2) SECBIT_KEEP_CAPS . :

    prctl(PR_SET_SECUREBITS,
            /* SECBIT_KEEP_CAPS */
            SECBIT_KEEP_CAPS_LOCKED |
            SECBIT_NO_SETUID_FIXUP |
            SECBIT_NO_SETUID_FIXUP_LOCKED |
            SECBIT_NOROOT |
            SECBIT_NOROOT_LOCKED);
            /* / SECBIT_NO_CAP_AMBIENT_RAISE */

"set-user-ID-root" set-user-ID . execve(2) execve() root "root" . ( 2) . ( ) execve() . 2 . " " CAP_SETFCAP ( ). . . 4.14 . security.capability 3 ( VFS_CAP_REVISION_3). . security.capability 3 . VFS_CAP_REVISION_2 VFS_CAP_REVISION_3 execve(). 0 . user_namespaces(7). POSIX.1e . strace(1) ( set-user-ID-root) -u . :

    $ sudo strace -o trace.log -u ceci ./myprivprog

2.5.27 2.6.26 / CONFIG_SECURITY_CAPABILITIES. /proc/pid/task/TID/status . /proc/pid/status . 3.8 (1) . 3.8 ( CAP_LAST_CAP) (0). libcap capset(2) capget(2). setcap(8) getcap(8). . 2.6.24 2.6.24 2.6.32 CAP_SETPCAP . CAP_SETPCAP : o 2.6.25 /proc/sys/kernel/cap-bound CAP_SETPCAP . o ( CONFIG_SECURITY_FILE_CAPABILITIES ) init CAP_SETPCAP . capsh(1) setpriv(1) prctl(2) setfsuid(2) cap_clear(3) cap_copy_ext(3) cap_from_text(3) cap_get_file(3) cap_get_proc(3) cap_init(3) capgetp(3) capsetp(3) libcap(3) proc(5) credentials(7) pthreads(7) user_namespaces(7) captest(8) filecap(8) getcap(8) getpcaps(8) netcap(8) pscap(8) setcap(8) include/linux/capability.h 3 . . : . 6.18 8 2026 (7)