9.31 mac_capabilities

#define MAC_CAP_SCHED     0b00000000000001
#define MAC_CAP_SPAWN     0b00000000000010
#define MAC_CAP_ENTROPY   0b00000000000100
#define MAC_CAP_SYS_MEM   0b00000000001000
#define MAC_CAP_USE_NET   0b00000000010000
#define MAC_CAP_SYS_NET   0b00000000100000
#define MAC_CAP_SYS_MNT   0b00000001000000
#define MAC_CAP_SYS_PWR   0b00000010000000
#define MAC_CAP_PTRACE    0b00000100000000
#define MAC_CAP_SETUID    0b00001000000000
#define MAC_CAP_SYS_MAC   0b00010000000000
#define MAC_CAP_SIGNALALL 0b00100000000000
#define MAC_CAP_SETGID    0b01000000000000
#define MAC_CAP_IPC       0b10000000000000
unsigned long get_mac_capabilities(void);
int set_mac_capabilities(unsigned long request);

These syscalls fetch and set MAC capabilities in the way described in Mandatory access control (MAC).

Neither syscall can fail: get_mac_capabilities always returns the capabilities of the calling process, and set_mac_capabilities always returns 0. If permission to change the capabilities is not granted, the requested settings are simply ignored.
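
Because set_mac_capabilities returns 0 even when the request is ignored, a caller that restricts itself has to read the mask back to know the restriction took effect. The following is an added example, not code from the original manual: restrict_mac_capabilities is a hypothetical helper, and the two syscalls are replaced by a constructed in-process stand-in (with a hypothetical sim_honour_requests switch) so it runs anywhere. It assumes that request is the complete new capability mask.

```c
#include <stdio.h>

/* Values copied from the page (hex form of its binary literals). */
#define MAC_CAP_SPAWN   0x0002UL
#define MAC_CAP_USE_NET 0x0010UL
#define MAC_CAP_SYS_MAC 0x0400UL

/* Constructed stand-in for the two syscalls so the example runs anywhere.
 * Assumption: `request` is the complete new mask. sim_honour_requests is a
 * hypothetical switch modelling "permission granted / not granted"; it is
 * not the kernel's real permission logic. */
static unsigned long sim_caps = MAC_CAP_SPAWN | MAC_CAP_USE_NET | MAC_CAP_SYS_MAC;
static int sim_honour_requests = 1;

unsigned long get_mac_capabilities(void) { return sim_caps; }

int set_mac_capabilities(unsigned long request)
{
    if (sim_honour_requests)
        sim_caps = request;
    return 0; /* always 0, as the page states */
}

/* Restrict the caller to the bits in `keep`, then read the mask back.
 * Returns 0 if no capability outside `keep` remains, -1 if the request
 * was ignored and the process is still over-privileged. */
int restrict_mac_capabilities(unsigned long keep)
{
    unsigned long before = get_mac_capabilities();

    (void)set_mac_capabilities(before & keep); /* return value carries no information */

    unsigned long after = get_mac_capabilities();
    return (after & ~keep) == 0 ? 0 : -1;
}

int main(void)
{
    if (restrict_mac_capabilities(MAC_CAP_USE_NET) != 0) {
        fprintf(stderr, "capability drop was ignored, refusing to continue\n");
        return 1;
    }
    printf("running with capabilities 0x%lx\n", get_mac_capabilities());
    return 0;
}
```

On a real system the stand-in definitions would be dropped in favour of the kernel's own syscall wrappers; the read-back check in restrict_mac_capabilities stays the same.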