    #define MAC_CAP_SCHED     0b000000000000001
    #define MAC_CAP_SPAWN     0b000000000000010
    #define MAC_CAP_ENTROPY   0b000000000000100
    #define MAC_CAP_SYS_MEM   0b000000000001000
    #define MAC_CAP_USE_NET   0b000000000010000
    #define MAC_CAP_SYS_NET   0b000000000100000
    #define MAC_CAP_SYS_MNT   0b000000001000000
    #define MAC_CAP_SYS_PWR   0b000000010000000
    #define MAC_CAP_PTRACE    0b000000100000000
    #define MAC_CAP_SETUID    0b000001000000000
    #define MAC_CAP_SYS_MAC   0b000010000000000
    #define MAC_CAP_SIGNALALL 0b000100000000000
    #define MAC_CAP_SETGID    0b001000000000000
    #define MAC_CAP_IPC       0b010000000000000
    #define MAC_CAP_SYS_LOG   0b100000000000000

    unsigned long get_mac_capabilities(void);
    int set_mac_capabilities(unsigned long request);
These syscalls fetch and set MAC capabilities as described in Mandatory access control (MAC).

Neither syscall can fail: get_mac_capabilities always returns the capabilities of the calling process, and set_mac_capabilities always returns 0. If permission to change the capabilities is not granted, the requested settings are silently ignored.
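Because set_mac_capabilities returns 0 even when the request is ignored, a caller that drops capabilities before handling untrusted input has to confirm the change by reading the mask back. The following is an added example, not code from the project: drop_caps_checked, sim_caps and sim_permit are hypothetical names, and the two syscalls are replaced by a stand-in that only models "request applied" versus "request ignored", not the kernel's actual permission policy.

```c
#include <stdio.h>

/* Same values as the definitions above, written as shifts. */
#define MAC_CAP_SPAWN   (1UL << 1)
#define MAC_CAP_SYS_NET (1UL << 5)
#define MAC_CAP_PTRACE  (1UL << 8)

/* Stand-in for the kernel, constructed so the example runs anywhere.
 * sim_permit models "permission to change them is granted"; the real
 * policy is not modeled. On the target system, delete this section
 * and link against the real syscalls. */
static unsigned long sim_caps = 0x7fffUL; /* all 15 capability bits set */
static int sim_permit = 1;

unsigned long get_mac_capabilities(void) { return sim_caps; }

int set_mac_capabilities(unsigned long request) {
    if (sim_permit)
        sim_caps = request;
    return 0; /* always 0, as documented */
}

/* Drop the bits in `drop` and confirm the change by reading back.
 * Returns 0 if none of the bits remain set, -1 if they are still set
 * (the request was ignored). */
int drop_caps_checked(unsigned long drop) {
    unsigned long before = get_mac_capabilities();
    (void)set_mac_capabilities(before & ~drop); /* return value carries no information */
    unsigned long after = get_mac_capabilities();
    return (after & drop) == 0 ? 0 : -1;
}

int main(void) {
    unsigned long drop = MAC_CAP_PTRACE | MAC_CAP_SYS_NET;
    if (drop_caps_checked(drop) != 0) {
        fprintf(stderr, "capability drop was ignored, refusing to continue\n");
        return 1;
    }
    printf("capabilities now: 0x%lx\n", get_mac_capabilities());
    return 0;
}
```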