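capget(2) System Calls Manual capget(2)

NAME
capget, capset - set/get capabilities of thread(s)

LIBRARY
Standard C library (libc, -lc)

SYNOPSIS
#include <linux/capability.h> /* Definition of CAP_* and _LINUX_CAPABILITY_* constants */
#include <sys/syscall.h> /* Definition of SYS_* constants */
#include <unistd.h>

int syscall(SYS_capget, cap_user_header_t hdrp, cap_user_data_t datap);
int syscall(SYS_capset, cap_user_header_t hdrp, const cap_user_data_t datap);

Note: glibc provides no wrappers for these system calls, necessitating the use of syscall(2).

DESCRIPTION
These two system calls are the raw kernel interface for getting and setting thread capabilities. Not only are these system calls specific to Linux, but the kernel API is likely to change, and use of these system calls (in particular the format of the cap_user_*_t types) is subject to extension with each kernel revision; old programs will keep working, however.

The portable interfaces are cap_set_proc(3) and cap_get_proc(3); if possible, you should use those interfaces in applications; see NOTES.

Current details
Now that you have been warned, some current kernel details. The structures are defined as follows:

#define _LINUX_CAPABILITY_VERSION_1 0x19980330
#define _LINUX_CAPABILITY_U32S_1 1

/* V2 added in Linux 2.6.25; deprecated */
#define _LINUX_CAPABILITY_VERSION_2 0x20071026
#define _LINUX_CAPABILITY_U32S_2 2

/* V3 added in Linux 2.6.26 */
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
#define _LINUX_CAPABILITY_U32S_3 2

typedef struct __user_cap_header_struct {
    __u32 version;
    int pid;
} *cap_user_header_t;

typedef struct __user_cap_data_struct {
    __u32 effective;
    __u32 permitted;
    __u32 inheritable;
} *cap_user_data_t;

The effective, permitted, and inheritable fields are bit masks of the capabilities defined in capabilities(7). Note that the CAP_* values are bit indexes and need to be bit-shifted before ORing into the bit fields. To define the structures for passing to the system call, you have to use the struct __user_cap_header_struct and struct __user_cap_data_struct names, because the typedefs are only pointers.

Kernels prior to Linux 2.6.25 prefer 32-bit capabilities with version _LINUX_CAPABILITY_VERSION_1. Linux 2.6.25 added 64-bit capability sets, with version _LINUX_CAPABILITY_VERSION_2. There was, however, an API glitch, and Linux 2.6.26 added _LINUX_CAPABILITY_VERSION_3 to fix the problem.

Note that 64-bit capabilities use datap[0] and datap[1], whereas 32-bit capabilities use only datap[0].

On kernels that support file capabilities (VFS capabilities support), these system calls behave slightly differently. This support was added as an option in Linux 2.6.24, and became fixed (nonoptional) in Linux 2.6.33.

For capget() calls, one can probe the capabilities of any process by specifying its process ID with the hdrp->pid field value.

For details on the data, see capabilities(7).

With VFS capabilities support
VFS capabilities employ a file extended attribute (see xattr(7)) to allow capabilities to be attached to executables. This privilege model obsoletes kernel support for one process asynchronously setting the capabilities of another. That is, on kernels that have VFS capabilities support, when calling capset(), the only permitted values for hdrp->pid are 0 or, equivalently, the value returned by gettid(2).

Without VFS capabilities support
On older kernels that do not provide VFS capabilities support, capset() can, if the caller has the CAP_SETPCAP capability, be used to change not only the caller's own capabilities, but also the capabilities of other threads. The call operates on the capabilities of the thread specified by the pid field of hdrp when that is nonzero, or on the capabilities of the calling thread if pid is 0. If pid refers to a single-threaded process, then pid can be specified as a traditional process ID; operating on a thread of a multithreaded process requires a thread ID of the type returned by gettid(2). For capset(), pid can also be: -1, meaning perform the change on all threads except the caller and init(1); or a value less than -1, in which case the change is applied to all members of the process group whose ID is -pid.

RETURN VALUE
On success, zero is returned. On error, -1 is returned, and errno is set to indicate the error.

The calls fail with the error EINVAL, and set the version field of hdrp to the kernel-preferred value of _LINUX_CAPABILITY_VERSION_?, when an unsupported version value is specified. In this way, one can probe what the current preferred capability revision is.

ERRORS
EFAULT Bad memory address. hdrp must not be NULL. datap may be NULL only when the user is trying to determine the preferred capability version format supported by the kernel.

EINVAL One of the arguments was invalid.

EPERM An attempt was made to add a capability to the permitted set, or to set a capability in the effective set that is not in the permitted set.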
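EPERM An attempt was made to add a capability to the inheritable set, and either:
  o that capability was not in the caller's bounding set; or
  o the capability was not in the caller's permitted set, and the caller lacked the CAP_SETPCAP capability in its effective set.

EPERM The caller attempted to use capset() to modify the capabilities of a thread other than itself, but lacked sufficient privilege. For kernels supporting VFS capabilities, this is never permitted. For kernels lacking VFS support, the CAP_SETPCAP capability is required. (A bug in kernels before Linux 2.6.11 meant that this error could also occur if a thread without this capability tried to change its own capabilities by specifying the pid field as a nonzero value (i.e., the value returned by getpid(2)) instead of 0.)

ESRCH No such thread.

STANDARDS
Linux.

NOTES
The portable interface to the capability querying and setting functions is provided by the libcap library.

SEE ALSO
clone(2), gettid(2), capabilities(7)

TRANSLATION
The Russian translation of this manual page was prepared by Azamat Hackimov, Dmitriy S. Seregin, Dmitry Bolkhovskikh, Katrin Kutepova, Yuri Kozlov and Kirill Rekhov.

This translation is free documentation; see the GNU General Public License (GPL), version 3 or later, for the copyright conditions. It comes with NO WARRANTY.

If you find errors in the translation of this manual page, please report them to the translator(s) or to the Russian translators' mailing list.

Linux man-pages 6.9.1 2 May 2024 capget(2)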