.\" Copyright: written by Andrew Morgan <morgan@kernel.org>
.\" and Copyright 2006, 2008, Michael Kerrisk <tmk.manpages@gmail.com>
.\" SPDX-License-Identifier: GPL-1.0-or-later
.\" Modified by David A. Wheeler <dwheeler@ida.org>
.\" Modified 2004-05-27, mtk
.\" Modified 2004-06-21, aeb
.\" Modified 2008-04-28, morgan of kernel.org
.\" Update in line with addition of file capabilities and
.\" 64-bit capability sets in kernel 2.6.2[45].
.\" Modified 2009-01-26, andi kleen
.TH CAPGET 2 2021-03-22 "Linux man-pages (unreleased)"
capget, capset \- set/get capabilities of thread(s)
.RI ( libc ", " \-lc )
.BR "#include <linux/capability.h>" " /* Definition of " CAP_* " and"
.BR " _LINUX_CAPABILITY_*" " constants */"
.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
.B #include <unistd.h>
.BI "int syscall(SYS_capget, cap_user_header_t " hdrp ,
.BI " cap_user_data_t " datap );
.BI "int syscall(SYS_capset, cap_user_header_t " hdrp ,
.BI " const cap_user_data_t " datap );
glibc provides no wrappers for these system calls,
necessitating the use of
These two system calls are the raw kernel interface for getting and
setting thread capabilities.
Not only are these system calls specific to Linux,
but the kernel API is likely to change and use of
these system calls (in particular the format of the
types) is subject to extension with each kernel revision,
although old programs will keep working.
The portable interfaces are
if possible, you should use those interfaces in applications; see NOTES.
Now that you have been warned, some current kernel details.
The structures are defined as follows.
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
#define _LINUX_CAPABILITY_U32S_1 1
/* V2 added in Linux 2.6.25; deprecated */
#define _LINUX_CAPABILITY_VERSION_2 0x20071026
.\" commit e338d263a76af78fe8f38a72131188b58fceb591
.\" Added 64 bit capability support
#define _LINUX_CAPABILITY_U32S_2 2
/* V3 added in Linux 2.6.26 */
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
.\" commit ca05a99a54db1db5bca72eccb5866d2a86f8517f
#define _LINUX_CAPABILITY_U32S_3 2
typedef struct __user_cap_header_struct {
typedef struct __user_cap_data_struct {
fields are bit masks of the capabilities defined in
values are bit indexes and need to be bit-shifted before ORing into
To define the structures for passing to the system call, you have to use the
.I struct __user_cap_header_struct
.I struct __user_cap_data_struct
names because the typedefs are only pointers.
Kernels prior to 2.6.25 prefer
32-bit capabilities with version
.BR _LINUX_CAPABILITY_VERSION_1 .
Linux 2.6.25 added 64-bit capability sets, with version
.BR _LINUX_CAPABILITY_VERSION_2 .
There was, however, an API glitch, and Linux 2.6.26 added
.B _LINUX_CAPABILITY_VERSION_3
Note that 64-bit capabilities use
whereas 32-bit capabilities use only
On kernels that support file capabilities (VFS capabilities support),
these system calls behave slightly differently.
This support was added as an option in Linux 2.6.24,
and became fixed (nonoptional) in Linux 2.6.33.
calls, one can probe the capabilities of any process by specifying its
For details on the data, see
.BR capabilities (7).
.SS With VFS capabilities support
VFS capabilities employ a file extended attribute (see
to allow capabilities to be attached to executables.
This privilege model obsoletes kernel support for one process
asynchronously setting the capabilities of another.
That is, on kernels that have VFS capabilities support, when calling
the only permitted values for
are 0 or, equivalently, the value returned by
.SS Without VFS capabilities support
On older kernels that do not provide VFS capabilities support
can, if the caller has the
capability, be used to change not only the caller's own capabilities,
but also the capabilities of other threads.
The call operates on the capabilities of the thread specified by the
when that is nonzero, or on the capabilities of the calling thread if
refers to a single-threaded process, then
can be specified as a traditional process ID;
operating on a thread of a multithreaded process requires a thread ID
of the type returned by
can also be: \-1, meaning perform the change on all threads except the
or a value less than \-1, in which case the change is applied
to all members of the process group whose ID is \-\fIpid\fP.
On success, zero is returned.
On error, \-1 is returned, and
is set to indicate the error.
The calls fail with the error
to the kernel preferred value of
.B _LINUX_CAPABILITY_VERSION_?
In this way, one can probe what the current
preferred capability revision is.
may be NULL only when the user is trying to determine the preferred
capability version format supported by the kernel.
One of the arguments was invalid.
An attempt was made to add a capability to the permitted set, or to set
a capability in the effective set that is not in the
An attempt was made to add a capability to the inheritable set, and either:
that capability was not in the caller's bounding set; or
the capability was not in the caller's permitted set
and the caller lacked the
capability in its effective set.
The caller attempted to use
to modify the capabilities of a thread other than itself,
but lacked sufficient privilege.
For kernels supporting VFS
capabilities, this is never permitted.
For kernels lacking VFS
capability is required.
(A bug in kernels before 2.6.11 meant that this error could also
occur if a thread without this capability tried to change its
own capabilities by specifying the
field as a nonzero value (i.e., the value returned by
These system calls are Linux-specific.
The portable interface to the capability querying and setting
functions is provided by the
library and is available here:
.UR http://git.kernel.org/cgit\:/linux\:/kernel\:/git\:/morgan\:/libcap.git
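.SH EXAMPLES
The following program is an added example, not part of this page or of
libcap, illustrating two points made above: the version probe described
under ERRORS (an unsupported version in the header makes the kernel write
back its preferred _LINUX_CAPABILITY_VERSION_*, and datap may be NULL for
that probe), and the DESCRIPTION's note that CAP_* values are bit indexes
that must be shifted into the correct one of the two 32-bit words of the
version-3 data. The function names are the example's own; it assumes a
Linux host with <linux/capability.h> and is built with the raw syscall(2)
interface because glibc provides no wrappers.

```c
/* Added example, not from the man page: probe the kernel's preferred
 * capability version, then read the calling thread's sets in v3 format
 * and test a CAP_* bit index against them.  Linux only. */
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Version 0 is never valid, so the kernel writes its preferred
 * _LINUX_CAPABILITY_VERSION_* into hdr.version.  With datap NULL this is
 * a pure probe; accept either a 0 return or EINVAL, anything else is an
 * unexpected failure and 0 is returned. */
unsigned int probe_preferred_cap_version(void)
{
    struct __user_cap_header_struct hdr = { .version = 0, .pid = 0 };
    if (syscall(SYS_capget, &hdr, NULL) != 0 && errno != EINVAL)
        return 0;
    return hdr.version;
}

/* Read the calling thread's (pid 0) capability sets in the 64-bit v3
 * format, which needs _LINUX_CAPABILITY_U32S_3 (= 2) data structs.
 * Returns 0 on success, -1 with errno set on failure. */
int read_own_caps(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct hdr =
        { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    return (int) syscall(SYS_capget, &hdr, data);
}

/* CAP_* values are bit indexes, not masks: capability cap lives in
 * data[cap / 32] at bit cap % 32, so caps >= 32 sit in the second word. */
int cap_in_effective(const struct __user_cap_data_struct data[2], int cap)
{
    return (data[cap >> 5].effective >> (cap & 31)) & 1;
}

int main(void)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    printf("kernel preferred version: 0x%x\n", probe_preferred_cap_version());
    if (read_own_caps(data) != 0) {
        perror("capget");
        return 1;
    }
    printf("CAP_SETUID effective: %d\n", cap_in_effective(data, CAP_SETUID));
    return 0;
}
```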