As of Linux Kernel v5.17, 41 capabilities have been introduced. Our mapping includes 126 system calls, which depend on at least one of the 41 available capabilities to perform some privileged operation. Visual representation of this mapping is also available here.
The resulting mapping of our effort to identify the system calls that depend on each capability.
| Capability | System call(s) |
|---|---|
| CAP_AUDIT_CONTROL | sendto, recv, recvfrom, recvmsg |
| CAP_AUDIT_READ | bind |
| CAP_AUDIT_WRITE | sendto |
| CAP_BLOCK_SUSPEND | epoll_ctl |
| CAP_SYS_ADMIN | bpf, perf_event_open, syslog, mount, umount, pivot_root, swapon, swapoff, setdomainname, vm86, setns, fanotify_init, unshare, lookup_dcookie, io_submit, prctl, clone, quotactl, msgctl, setrlimit, shmctl, ioprio_set, keyctl, madvise, ioctl, seccomp, ptrace, sethostname |
| CAP_BPF | bpf |
| CAP_PERFMON | perf_event_open |
| CAP_SYSLOG | syslog |
| CAP_CHECKPOINT_RESTORE | clone |
| CAP_CHOWN | chown, fchown, lchown, fchownat |
| CAP_DAC_READ_SEARCH | open, openat, openat2, open_by_handle_at, linkat |
| CAP_DAC_OVERRIDE | utime, utimensat, utimes, open, openat, openat2 |
| CAP_FOWNER | chmod, fchmod, fchmodat, utime, utimes, utimensat, unlink, unlinkat, open, openat, openat2, fcntl, rename, renameat, renameat2, rmdir, ioctl |
| CAP_LEASE | fcntl |
| CAP_FSETID | chmod, fchmod, fchmodat |
| CAP_IPC_LOCK | mlock, mlock2, mlockall, mmap, memfd_create |
| CAP_IPC_OWNER | msgrcv, msgsnd, semop, semtimedop, shmat, shmdt, msgctl, msgget, shmctl |
| CAP_KILL | kill, ioctl |
| CAP_LINUX_IMMUTABLE | ioctl |
| CAP_MAC_ADMIN | setxattr, lsetxattr, fsetxattr |
| CAP_MAC_OVERRIDE | socket |
| CAP_MKNOD | mknod, mknodat, renameat2 |
| CAP_NET_ADMIN | setsockopt, ioctl |
| CAP_NET_BIND_SERVICE | bind |
| CAP_NET_BROADCAST | |
| CAP_NET_RAW | socket |
| CAP_SETGID | setgroups, setfsgid, setgid, setregid, setresgid |
| CAP_SETFCAP | clone |
| CAP_SETPCAP | capset, prctl |
| CAP_SETUID | setuid, setreuid, setresuid, setfsuid, keyctl |
| CAP_SYS_BOOT | reboot, kexec_file_load, kexec_load |
| CAP_SYS_CHROOT | chroot, setns |
| CAP_SYS_MODULE | finit_module, init_module, create_module, delete_module |
| CAP_SYS_NICE | sched_setscheduler, sched_setparam, sched_setattr, migrate_pages, setpriority, sched_setaffinity, nice, ioprio_set, move_pages, spu_create, mbind |
| CAP_SYS_PACCT | acct |
| CAP_SYS_PTRACE | ptrace, userfaultfd, kcmp, set_robust_list, process_vm_readv, process_vm_writev |
| CAP_SYS_RAWIO | iopl, ioperm |
| CAP_SYS_RESOURCE | send, sendto, sendmsg, prctl, msgctl, setrlimit, fcntl, prlimit, mq_open, ioctl |
| CAP_SYS_TIME | settimeofday, stime, adjtimex, clock_adjtime, ntp_adjtime |
| CAP_SYS_TTY_CONFIG | vhangup, ioctl |
| CAP_WAKE_ALARM | timer_create, timerfd_create |
System calls that conditionally depend on CAP_SYS_ADMIN according to certain values of the highlighted arguments.
| System calls |
|---|
| int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ... /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */); |
| int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); |
| int quotactl(int cmd, const char *special, int id, caddr_t addr); |
| int msgctl(int msqid, int cmd, struct msqid_ds *buf); |
| int setrlimit(int resource, const struct rlimit *rlim); |
| int shmctl(int shmid, int cmd, struct shmid_ds *buf); |
| int syscall(SYS_ioprio_set, int which, int who, int ioprio); |
| long syscall(SYS_keyctl, int operation, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); |
| int madvise(void *addr, size_t length, int advice); |
| int ioctl(int fd, unsigned long request, ...); |
| int syscall(SYS_seccomp, unsigned int operation, unsigned int flags, void *args); |
| long ptrace(enum __ptrace_request request, pid_t pid,void *addr, void *data); |