Get the library to compile again.

Signed-off-by: Andrew G Morgan <morgan@kernel.org>

4 files changed, 379 insertions, 380 deletions

diff --git a/libcap/Makefile b/libcap/Makefile
index 4762c60..5e92596 100644
--- a/libcap/Makefile
+++ b/libcap/Makefile
@@ -43,7 +43,7 @@ $(GPERF_OUTPUT): cap_names.list.h
 
 cap_names.list.h: Makefile $(KERNEL_HEADERS)/linux/capability.h
 	@echo "=> making $@ from $(KERNEL_HEADERS)/linux/capability.h"
-	perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/linux/capability.h | fgrep -v 0x > $@
+	perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A-Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$val=$$2; $$tok =~ tr/A-Z/a-z/; print "{\"$$tok\",$$val},\n"; } }' $(KERNEL_HEADERS)/uapi/linux/capability.h | fgrep -v 0x > $@
 
 $(STALIBNAME): $(OBJS)
 	$(AR) rcs $@ $^
diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h
index 4924f2a..a6ee1f9 100644
--- a/libcap/include/linux/capability.h
+++ b/libcap/include/linux/capability.h
@@ -9,85 +9,11 @@
  *
  * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
  */
-
 #ifndef _LINUX_CAPABILITY_H
 #define _LINUX_CAPABILITY_H
 
-#include <linux/types.h>
-
-struct task_struct;
-
-/* User-level do most of the mapping between kernel and user
-   capabilities based on the version tag given by the kernel. The
-   kernel might be somewhat backwards compatible, but don't bet on
-   it. */
-
-/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
-   a set of three capability sets.  The transposition of 3*the
-   following structure to such a composite is better handled in a user
-   library since the draft standard requires the use of malloc/free
-   etc.. */
-
-#define _LINUX_CAPABILITY_VERSION_1  0x19980330
-#define _LINUX_CAPABILITY_U32S_1     1
-
-#define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
-#define _LINUX_CAPABILITY_U32S_2     2
-
-#define _LINUX_CAPABILITY_VERSION_3  0x20080522
-#define _LINUX_CAPABILITY_U32S_3     2
-
-typedef struct __user_cap_header_struct {
-	__u32 version;
-	int pid;
-} __user *cap_user_header_t;
-
-typedef struct __user_cap_data_struct {
-        __u32 effective;
-        __u32 permitted;
-        __u32 inheritable;
-} __user *cap_user_data_t;
-
-
-#define XATTR_CAPS_SUFFIX "capability"
-#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
-
-#define VFS_CAP_REVISION_MASK	0xFF000000
-#define VFS_CAP_REVISION_SHIFT	24
-#define VFS_CAP_FLAGS_MASK	~VFS_CAP_REVISION_MASK
-#define VFS_CAP_FLAGS_EFFECTIVE	0x000001
-
-#define VFS_CAP_REVISION_1	0x01000000
-#define VFS_CAP_U32_1           1
-#define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
-
-#define VFS_CAP_REVISION_2	0x02000000
-#define VFS_CAP_U32_2           2
-#define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
+#include <uapi/linux/capability.h>
 
-#define XATTR_CAPS_SZ           XATTR_CAPS_SZ_2
-#define VFS_CAP_U32             VFS_CAP_U32_2
-#define VFS_CAP_REVISION	VFS_CAP_REVISION_2
-
-struct vfs_cap_data {
-	__le32 magic_etc;            /* Little endian */
-	struct {
-		__le32 permitted;    /* Little endian */
-		__le32 inheritable;  /* Little endian */
-	} data[VFS_CAP_U32];
-};
-
-#ifndef __KERNEL__
-
-/*
- * Backwardly compatible definition for source code - trapped in a
- * 32-bit world. If you find you need this, please consider using
- * libcap to untrap yourself...
- */
-#define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
-#define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
-
-#else
 
 #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
 #define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3
@@ -108,270 +34,16 @@ struct cpu_vfs_cap_data {
 #define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))
 #define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))
 
-#endif
-
-
-/**
- ** POSIX-draft defined capabilities.
- **/
-
-/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
-   overrides the restriction of changing file ownership and group
-   ownership. */
-
-#define CAP_CHOWN            0
-
-/* Override all DAC access, including ACL execute access if
-   [_POSIX_ACL] is defined. Excluding DAC access covered by
-   CAP_LINUX_IMMUTABLE. */
-
-#define CAP_DAC_OVERRIDE     1
-
-/* Overrides all DAC restrictions regarding read and search on files
-   and directories, including ACL restrictions if [_POSIX_ACL] is
-   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
-
-#define CAP_DAC_READ_SEARCH  2
-
-/* Overrides all restrictions about allowed operations on files, where
-   file owner ID must be equal to the user ID, except where CAP_FSETID
-   is applicable. It doesn't override MAC and DAC restrictions. */
-
-#define CAP_FOWNER           3
-
-/* Overrides the following restrictions that the effective user ID
-   shall match the file owner ID when setting the S_ISUID and S_ISGID
-   bits on that file; that the effective group ID (or one of the
-   supplementary group IDs) shall match the file owner ID when setting
-   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
-   cleared on successful return from chown(2) (not implemented). */
-
-#define CAP_FSETID           4
-
-/* Overrides the restriction that the real or effective user ID of a
-   process sending a signal must match the real or effective user ID
-   of the process receiving the signal. */
-
-#define CAP_KILL             5
-
-/* Allows setgid(2) manipulation */
-/* Allows setgroups(2) */
-/* Allows forged gids on socket credentials passing. */
-
-#define CAP_SETGID           6
-
-/* Allows set*uid(2) manipulation (including fsuid). */
-/* Allows forged pids on socket credentials passing. */
-
-#define CAP_SETUID           7
-
-
-/**
- ** Linux-specific capabilities
- **/
-
-/* Without VFS support for capabilities:
- *   Transfer any capability in your permitted set to any pid,
- *   remove any capability in your permitted set from any pid
- * With VFS support for capabilities (neither of above, but)
- *   Add any capability from current's capability bounding set
- *       to the current process' inheritable set
- *   Allow taking bits out of capability bounding set
- *   Allow modification of the securebits for a process
- */
-
-#define CAP_SETPCAP          8
-
-/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
-
-#define CAP_LINUX_IMMUTABLE  9
-
-/* Allows binding to TCP/UDP sockets below 1024 */
-/* Allows binding to ATM VCIs below 32 */
-
-#define CAP_NET_BIND_SERVICE 10
-
-/* Allow broadcasting, listen to multicast */
-
-#define CAP_NET_BROADCAST    11
-
-/* Allow interface configuration */
-/* Allow administration of IP firewall, masquerading and accounting */
-/* Allow setting debug option on sockets */
-/* Allow modification of routing tables */
-/* Allow setting arbitrary process / process group ownership on
-   sockets */
-/* Allow binding to any address for transparent proxying */
-/* Allow setting TOS (type of service) */
-/* Allow setting promiscuous mode */
-/* Allow clearing driver statistics */
-/* Allow multicasting */
-/* Allow read/write of device-specific registers */
-/* Allow activation of ATM control sockets */
-
-#define CAP_NET_ADMIN        12
-
-/* Allow use of RAW sockets */
-/* Allow use of PACKET sockets */
-
-#define CAP_NET_RAW          13
-
-/* Allow locking of shared memory segments */
-/* Allow mlock and mlockall (which doesn't really have anything to do
-   with IPC) */
-
-#define CAP_IPC_LOCK         14
-
-/* Override IPC ownership checks */
 
-#define CAP_IPC_OWNER        15
-
-/* Insert and remove kernel modules - modify kernel without limit */
-#define CAP_SYS_MODULE       16
-
-/* Allow ioperm/iopl access */
-/* Allow sending USB messages to any device via /proc/bus/usb */
-
-#define CAP_SYS_RAWIO        17
-
-/* Allow use of chroot() */
-
-#define CAP_SYS_CHROOT       18
-
-/* Allow ptrace() of any process */
-
-#define CAP_SYS_PTRACE       19
-
-/* Allow configuration of process accounting */
-
-#define CAP_SYS_PACCT        20
-
-/* Allow configuration of the secure attention key */
-/* Allow administration of the random device */
-/* Allow examination and configuration of disk quotas */
-/* Allow configuring the kernel's syslog (printk behaviour) */
-/* Allow setting the domainname */
-/* Allow setting the hostname */
-/* Allow calling bdflush() */
-/* Allow mount() and umount(), setting up new smb connection */
-/* Allow some autofs root ioctls */
-/* Allow nfsservctl */
-/* Allow VM86_REQUEST_IRQ */
-/* Allow to read/write pci config on alpha */
-/* Allow irix_prctl on mips (setstacksize) */
-/* Allow flushing all cache on m68k (sys_cacheflush) */
-/* Allow removing semaphores */
-/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
-   and shared memory */
-/* Allow locking/unlocking of shared memory segment */
-/* Allow turning swap on/off */
-/* Allow forged pids on socket credentials passing */
-/* Allow setting readahead and flushing buffers on block devices */
-/* Allow setting geometry in floppy driver */
-/* Allow turning DMA on/off in xd driver */
-/* Allow administration of md devices (mostly the above, but some
-   extra ioctls) */
-/* Allow tuning the ide driver */
-/* Allow access to the nvram device */
-/* Allow administration of apm_bios, serial and bttv (TV) device */
-/* Allow manufacturer commands in isdn CAPI support driver */
-/* Allow reading non-standardized portions of pci configuration space */
-/* Allow DDI debug ioctl on sbpcd driver */
-/* Allow setting up serial ports */
-/* Allow sending raw qic-117 commands */
-/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
-   arbitrary SCSI commands */
-/* Allow setting encryption key on loopback filesystem */
-/* Allow setting zone reclaim policy */
-
-#define CAP_SYS_ADMIN        21
-
-/* Allow use of reboot() */
-
-#define CAP_SYS_BOOT         22
-
-/* Allow raising priority and setting priority on other (different
-   UID) processes */
-/* Allow use of FIFO and round-robin (realtime) scheduling on own
-   processes and setting the scheduling algorithm used by another
-   process. */
-/* Allow setting cpu affinity on other processes */
-
-#define CAP_SYS_NICE         23
-
-/* Override resource limits. Set resource limits. */
-/* Override quota limits. */
-/* Override reserved space on ext2 filesystem */
-/* Modify data journaling mode on ext3 filesystem (uses journaling
-   resources) */
-/* NOTE: ext2 honors fsuid when checking for resource overrides, so
-   you can override using fsuid too */
-/* Override size restrictions on IPC message queues */
-/* Allow more than 64hz interrupts from the real-time clock */
-/* Override max number of consoles on console allocation */
-/* Override max number of keymaps */
-
-#define CAP_SYS_RESOURCE     24
-
-/* Allow manipulation of system clock */
-/* Allow irix_stime on mips */
-/* Allow setting the real-time clock */
-
-#define CAP_SYS_TIME         25
-
-/* Allow configuration of tty devices */
-/* Allow vhangup() of tty */
-
-#define CAP_SYS_TTY_CONFIG   26
-
-/* Allow the privileged aspects of mknod() */
-
-#define CAP_MKNOD            27
-
-/* Allow taking of leases on files */
-
-#define CAP_LEASE            28
-
-#define CAP_AUDIT_WRITE      29
-
-#define CAP_AUDIT_CONTROL    30
-
-#define CAP_SETFCAP	     31
-
-/* Override MAC access.
-   The base kernel enforces no MAC policy.
-   An LSM may enforce a MAC policy, and if it does and it chooses
-   to implement capability based overrides of that policy, this is
-   the capability it should use to do so. */
-
-#define CAP_MAC_OVERRIDE     32
-
-/* Allow MAC configuration or state changes.
-   The base kernel requires no MAC configuration.
-   An LSM may enforce a MAC policy, and if it does and it chooses
-   to implement capability based checks on modifications to that
-   policy or the data required to maintain it, this is the
-   capability it should use to do so. */
-
-#define CAP_MAC_ADMIN        33
-
-
-/* Privileged syslog operations currently require CAP_SYSLOG.
-   CAP_SYS_ADMIN is not acceptable anymore. */
-#define CAP_SYSLOG           34
-
-#define CAP_LAST_CAP         CAP_SYSLOG
-
-#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
-
-/*
- * Bit location of each capability (used by user-space library and kernel)
- */
+struct file;
+struct inode;
+struct dentry;
+struct user_namespace;
 
-#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
-#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
+struct user_namespace *current_user_ns(void);
 
-#ifdef __KERNEL__
+extern const kernel_cap_t __cap_empty_set;
+extern const kernel_cap_t __cap_init_eff_set;
 
 /*
  * Internal kernel functions only
@@ -408,7 +80,6 @@ struct cpu_vfs_cap_data {
 
 # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
 # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
-# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
 # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
 				    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
 				    CAP_FS_MASK_B1 } })
@@ -418,11 +89,7 @@ struct cpu_vfs_cap_data {
 
 #endif /* _KERNEL_CAPABILITY_U32S != 2 */
 
-#define CAP_INIT_INH_SET    CAP_EMPTY_SET
-
 # define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)
-# define cap_set_full(c)      do { (c) = __cap_full_set; } while (0)
-# define cap_set_init_eff(c)  do { (c) = __cap_init_eff_set; } while (0)
 
 #define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
 #define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
@@ -535,42 +202,18 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
 			   cap_intersect(permitted, __cap_nfsd_set));
 }
 
-extern const kernel_cap_t __cap_empty_set;
-extern const kernel_cap_t __cap_full_set;
-extern const kernel_cap_t __cap_init_eff_set;
-
-/**
- * has_capability - Determine if a task has a superior capability available
- * @t: The task in question
- * @cap: The capability to be tested for
- *
- * Return true if the specified task has the given superior capability
- * currently in effect, false if not.
- *
- * Note that this does not set PF_SUPERPRIV on the task.
- */
-#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
-
-/**
- * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
- * @t: The task in question
- * @cap: The capability to be tested for
- *
- * Return true if the specified task has the given superior capability
- * currently in effect, false if not, but don't write an audit message for the
- * check.
- *
- * Note that this does not set PF_SUPERPRIV on the task.
- */
-#define has_capability_noaudit(t, cap) \
-	(security_real_capable_noaudit((t), (cap)) == 0)
-
-extern int capable(int cap);
+extern bool has_capability(struct task_struct *t, int cap);
+extern bool has_ns_capability(struct task_struct *t,
+			      struct user_namespace *ns, int cap);
+extern bool has_capability_noaudit(struct task_struct *t, int cap);
+extern bool has_ns_capability_noaudit(struct task_struct *t,
+				      struct user_namespace *ns, int cap);
+extern bool capable(int cap);
+extern bool ns_capable(struct user_namespace *ns, int cap);
+extern bool inode_capable(const struct inode *inode, int cap);
+extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
 
 /* audit system wants to get cap info from files as well */
-struct dentry;
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
 
-#endif /* __KERNEL__ */
-
 #endif /* !_LINUX_CAPABILITY_H */
diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h
index 4b54acc..56fc7fd 100644
--- a/libcap/include/sys/capability.h
+++ b/libcap/include/sys/capability.h
@@ -23,13 +23,11 @@ extern "C" {
 #include <stdint.h>
 #include <linux/types.h>
 
-/*
- * Required to limit what gets defined in the kernel header file.
- */
 #ifndef __user
 #define __user
 #endif
-#include <linux/capability.h>
+#include <uapi/linux/capability.h>
+#include <linux/xattr.h>
 
 /*
  * POSIX capability types
diff --git a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h
new file mode 100644
index 0000000..ba478fa
--- /dev/null
+++ b/libcap/include/uapi/linux/capability.h
@@ -0,0 +1,358 @@
+/*
+ * This is <linux/capability.h>
+ *
+ * Andrew G. Morgan <morgan@kernel.org>
+ * Alexander Kjeldaas <astor@guardian.no>
+ * with help from Aleph1, Roland Buresund and Andrew Main.
+ *
+ * See here for the libcap library ("POSIX draft" compliance):
+ *
+ * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
+ */
+
+#ifndef _UAPI_LINUX_CAPABILITY_H
+#define _UAPI_LINUX_CAPABILITY_H
+
+#include <linux/types.h>
+
+struct task_struct;
+
+/* User-level do most of the mapping between kernel and user
+   capabilities based on the version tag given by the kernel. The
+   kernel might be somewhat backwards compatible, but don't bet on
+   it. */
+
+/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
+   a set of three capability sets.  The transposition of 3*the
+   following structure to such a composite is better handled in a user
+   library since the draft standard requires the use of malloc/free
+   etc.. */
+
+#define _LINUX_CAPABILITY_VERSION_1  0x19980330
+#define _LINUX_CAPABILITY_U32S_1     1
+
+#define _LINUX_CAPABILITY_VERSION_2  0x20071026  /* deprecated - use v3 */
+#define _LINUX_CAPABILITY_U32S_2     2
+
+#define _LINUX_CAPABILITY_VERSION_3  0x20080522
+#define _LINUX_CAPABILITY_U32S_3     2
+
+typedef struct __user_cap_header_struct {
+	__u32 version;
+	int pid;
+} __user *cap_user_header_t;
+
+typedef struct __user_cap_data_struct {
+        __u32 effective;
+        __u32 permitted;
+        __u32 inheritable;
+} __user *cap_user_data_t;
+
+
+#define VFS_CAP_REVISION_MASK	0xFF000000
+#define VFS_CAP_REVISION_SHIFT	24
+#define VFS_CAP_FLAGS_MASK	~VFS_CAP_REVISION_MASK
+#define VFS_CAP_FLAGS_EFFECTIVE	0x000001
+
+#define VFS_CAP_REVISION_1	0x01000000
+#define VFS_CAP_U32_1           1
+#define XATTR_CAPS_SZ_1         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
+
+#define VFS_CAP_REVISION_2	0x02000000
+#define VFS_CAP_U32_2           2
+#define XATTR_CAPS_SZ_2         (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
+
+#define XATTR_CAPS_SZ           XATTR_CAPS_SZ_2
+#define VFS_CAP_U32             VFS_CAP_U32_2
+#define VFS_CAP_REVISION	VFS_CAP_REVISION_2
+
+struct vfs_cap_data {
+	__le32 magic_etc;            /* Little endian */
+	struct {
+		__le32 permitted;    /* Little endian */
+		__le32 inheritable;  /* Little endian */
+	} data[VFS_CAP_U32];
+};
+
+#ifndef __KERNEL__
+
+/*
+ * Backwardly compatible definition for source code - trapped in a
+ * 32-bit world. If you find you need this, please consider using
+ * libcap to untrap yourself...
+ */
+#define _LINUX_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
+#define _LINUX_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
+
+#endif
+
+
+/**
+ ** POSIX-draft defined capabilities.
+ **/
+
+/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
+   overrides the restriction of changing file ownership and group
+   ownership. */
+
+#define CAP_CHOWN            0
+
+/* Override all DAC access, including ACL execute access if
+   [_POSIX_ACL] is defined. Excluding DAC access covered by
+   CAP_LINUX_IMMUTABLE. */
+
+#define CAP_DAC_OVERRIDE     1
+
+/* Overrides all DAC restrictions regarding read and search on files
+   and directories, including ACL restrictions if [_POSIX_ACL] is
+   defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
+
+#define CAP_DAC_READ_SEARCH  2
+
+/* Overrides all restrictions about allowed operations on files, where
+   file owner ID must be equal to the user ID, except where CAP_FSETID
+   is applicable. It doesn't override MAC and DAC restrictions. */
+
+#define CAP_FOWNER           3
+
+/* Overrides the following restrictions that the effective user ID
+   shall match the file owner ID when setting the S_ISUID and S_ISGID
+   bits on that file; that the effective group ID (or one of the
+   supplementary group IDs) shall match the file owner ID when setting
+   the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
+   cleared on successful return from chown(2) (not implemented). */
+
+#define CAP_FSETID           4
+
+/* Overrides the restriction that the real or effective user ID of a
+   process sending a signal must match the real or effective user ID
+   of the process receiving the signal. */
+
+#define CAP_KILL             5
+
+/* Allows setgid(2) manipulation */
+/* Allows setgroups(2) */
+/* Allows forged gids on socket credentials passing. */
+
+#define CAP_SETGID           6
+
+/* Allows set*uid(2) manipulation (including fsuid). */
+/* Allows forged pids on socket credentials passing. */
+
+#define CAP_SETUID           7
+
+
+/**
+ ** Linux-specific capabilities
+ **/
+
+/* Without VFS support for capabilities:
+ *   Transfer any capability in your permitted set to any pid,
+ *   remove any capability in your permitted set from any pid
+ * With VFS support for capabilities (neither of above, but)
+ *   Add any capability from current's capability bounding set
+ *       to the current process' inheritable set
+ *   Allow taking bits out of capability bounding set
+ *   Allow modification of the securebits for a process
+ */
+
+#define CAP_SETPCAP          8
+
+/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
+
+#define CAP_LINUX_IMMUTABLE  9
+
+/* Allows binding to TCP/UDP sockets below 1024 */
+/* Allows binding to ATM VCIs below 32 */
+
+#define CAP_NET_BIND_SERVICE 10
+
+/* Allow broadcasting, listen to multicast */
+
+#define CAP_NET_BROADCAST    11
+
+/* Allow interface configuration */
+/* Allow administration of IP firewall, masquerading and accounting */
+/* Allow setting debug option on sockets */
+/* Allow modification of routing tables */
+/* Allow setting arbitrary process / process group ownership on
+   sockets */
+/* Allow binding to any address for transparent proxying (also via NET_RAW) */
+/* Allow setting TOS (type of service) */
+/* Allow setting promiscuous mode */
+/* Allow clearing driver statistics */
+/* Allow multicasting */
+/* Allow read/write of device-specific registers */
+/* Allow activation of ATM control sockets */
+
+#define CAP_NET_ADMIN        12
+
+/* Allow use of RAW sockets */
+/* Allow use of PACKET sockets */
+/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
+
+#define CAP_NET_RAW          13
+
+/* Allow locking of shared memory segments */
+/* Allow mlock and mlockall (which doesn't really have anything to do
+   with IPC) */
+
+#define CAP_IPC_LOCK         14
+
+/* Override IPC ownership checks */
+
+#define CAP_IPC_OWNER        15
+
+/* Insert and remove kernel modules - modify kernel without limit */
+#define CAP_SYS_MODULE       16
+
+/* Allow ioperm/iopl access */
+/* Allow sending USB messages to any device via /proc/bus/usb */
+
+#define CAP_SYS_RAWIO        17
+
+/* Allow use of chroot() */
+
+#define CAP_SYS_CHROOT       18
+
+/* Allow ptrace() of any process */
+
+#define CAP_SYS_PTRACE       19
+
+/* Allow configuration of process accounting */
+
+#define CAP_SYS_PACCT        20
+
+/* Allow configuration of the secure attention key */
+/* Allow administration of the random device */
+/* Allow examination and configuration of disk quotas */
+/* Allow setting the domainname */
+/* Allow setting the hostname */
+/* Allow calling bdflush() */
+/* Allow mount() and umount(), setting up new smb connection */
+/* Allow some autofs root ioctls */
+/* Allow nfsservctl */
+/* Allow VM86_REQUEST_IRQ */
+/* Allow to read/write pci config on alpha */
+/* Allow irix_prctl on mips (setstacksize) */
+/* Allow flushing all cache on m68k (sys_cacheflush) */
+/* Allow removing semaphores */
+/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
+   and shared memory */
+/* Allow locking/unlocking of shared memory segment */
+/* Allow turning swap on/off */
+/* Allow forged pids on socket credentials passing */
+/* Allow setting readahead and flushing buffers on block devices */
+/* Allow setting geometry in floppy driver */
+/* Allow turning DMA on/off in xd driver */
+/* Allow administration of md devices (mostly the above, but some
+   extra ioctls) */
+/* Allow tuning the ide driver */
+/* Allow access to the nvram device */
+/* Allow administration of apm_bios, serial and bttv (TV) device */
+/* Allow manufacturer commands in isdn CAPI support driver */
+/* Allow reading non-standardized portions of pci configuration space */
+/* Allow DDI debug ioctl on sbpcd driver */
+/* Allow setting up serial ports */
+/* Allow sending raw qic-117 commands */
+/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
+   arbitrary SCSI commands */
+/* Allow setting encryption key on loopback filesystem */
+/* Allow setting zone reclaim policy */
+
+#define CAP_SYS_ADMIN        21
+
+/* Allow use of reboot() */
+
+#define CAP_SYS_BOOT         22
+
+/* Allow raising priority and setting priority on other (different
+   UID) processes */
+/* Allow use of FIFO and round-robin (realtime) scheduling on own
+   processes and setting the scheduling algorithm used by another
+   process. */
+/* Allow setting cpu affinity on other processes */
+
+#define CAP_SYS_NICE         23
+
+/* Override resource limits. Set resource limits. */
+/* Override quota limits. */
+/* Override reserved space on ext2 filesystem */
+/* Modify data journaling mode on ext3 filesystem (uses journaling
+   resources) */
+/* NOTE: ext2 honors fsuid when checking for resource overrides, so
+   you can override using fsuid too */
+/* Override size restrictions on IPC message queues */
+/* Allow more than 64hz interrupts from the real-time clock */
+/* Override max number of consoles on console allocation */
+/* Override max number of keymaps */
+
+#define CAP_SYS_RESOURCE     24
+
+/* Allow manipulation of system clock */
+/* Allow irix_stime on mips */
+/* Allow setting the real-time clock */
+
+#define CAP_SYS_TIME         25
+
+/* Allow configuration of tty devices */
+/* Allow vhangup() of tty */
+
+#define CAP_SYS_TTY_CONFIG   26
+
+/* Allow the privileged aspects of mknod() */
+
+#define CAP_MKNOD            27
+
+/* Allow taking of leases on files */
+
+#define CAP_LEASE            28
+
+#define CAP_AUDIT_WRITE      29
+
+#define CAP_AUDIT_CONTROL    30
+
+#define CAP_SETFCAP	     31
+
+/* Override MAC access.
+   The base kernel enforces no MAC policy.
+   An LSM may enforce a MAC policy, and if it does and it chooses
+   to implement capability based overrides of that policy, this is
+   the capability it should use to do so. */
+
+#define CAP_MAC_OVERRIDE     32
+
+/* Allow MAC configuration or state changes.
+   The base kernel requires no MAC configuration.
+   An LSM may enforce a MAC policy, and if it does and it chooses
+   to implement capability based checks on modifications to that
+   policy or the data required to maintain it, this is the
+   capability it should use to do so. */
+
+#define CAP_MAC_ADMIN        33
+
+/* Allow configuring the kernel's syslog (printk behaviour) */
+
+#define CAP_SYSLOG           34
+
+/* Allow triggering something that will wake the system */
+
+#define CAP_WAKE_ALARM            35
+
+/* Allow preventing system suspends */
+
+#define CAP_BLOCK_SUSPEND    36
+
+#define CAP_LAST_CAP         CAP_BLOCK_SUSPEND
+
+#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
+
+/*
+ * Bit location of each capability (used by user-space library and kernel)
+ */
+
+#define CAP_TO_INDEX(x)     ((x) >> 5)        /* 1 << 5 == bits in __u32 */
+#define CAP_TO_MASK(x)      (1 << ((x) & 31)) /* mask for indexed __u32 */
+
+
+#endif /* _UAPI_LINUX_CAPABILITY_H */