Capability (docker-java-api 3.5.0 API)

java.lang.Object
- java.lang.Enum<Capability>
- - com.github.dockerjava.api.model.Capability

All Implemented Interfaces:

Serializable, Comparable<Capability>
```
public enum Capability
extends Enum<Capability>
```
The Linux capabilities supported by Docker. The list of capabilities is defined in Docker's types.go, ALL was added manually.

See Also:

http://man7.org/linux/man-pages/man7/capabilities.7.html

Enum Constant Summary

Enum Constants
Enum Constant and Description
`ALL` This meta capability includes all Linux capabilities.
`AUDIT_CONTROL` Enable and disable kernel auditing.
`AUDIT_READ` Allow reading the audit log via multicast netlink socket.
`AUDIT_WRITE` Write records to kernel auditing log.
`BLOCK_SUSPEND` Employ features that can block system suspend.
`BPF` Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
`CHECKPOINT_RESTORE` Allow checkpoint/restore related operations.
`CHOWN` Make arbitrary changes to file UIDs and GIDs (see chown(2)).
`DAC_OVERRIDE` Bypass file read, write, and execute permission checks.
`DAC_READ_SEARCH` Bypass file read permission checks and directory read and execute permission checks.
`FOWNER` Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by the `DAC_OVERRIDE` and `DAC_READ_SEARCH`.
`FSETID` Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
`IPC_LOCK` Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)).
`IPC_OWNER` Bypass permission checks for operations on System V IPC objects.
`KILL` Bypass permission checks for sending signals (see kill(2)).
`LEASE` Establish leases on arbitrary files (see fcntl(2)).
`LINUX_IMMUTABLE` Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)).
`MAC_ADMIN` Override Mandatory Access Control (MAC).
`MAC_OVERRIDE` Allow MAC configuration or state changes.
`MKNOD` Create special files using mknod(2).
`NET_ADMIN` Perform various network-related operations: Interface configuration.
`NET_BIND_SERVICE` Bind a socket to Internet domain privileged ports (port numbers less than 1024).
`NET_BROADCAST` (Unused) Make socket broadcasts, and listen to multicasts.
`NET_RAW` Use RAW and PACKET sockets.
`PERFMON` Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems
`SETFCAP` Set file capabilities.
`SETGID` Make arbitrary manipulations of process GIDs and supplementary GID list.
`SETPCAP` If file capabilities are not supported: grant or remove any capability in the caller's permitted capability set to or from any other process.
`SETUID` Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)).
`SYS_ADMIN` Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2).
`SYS_BOOT` Use reboot(2) and kexec_load(2).
`SYS_CHROOT` Use chroot(2).
`SYS_MODULE` Load and unload kernel modules (see init_module(2) and delete_module(2)) In kernels before 2.6.25: drop capabilities from the system-wide capability bounding set.
`SYS_NICE` Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
`SYS_PACCT` Use acct(2).
`SYS_PTRACE` Trace arbitrary processes using ptrace(2).
`SYS_RAWIO` Perform I/O port operations (iopl(2) and ioperm(2)).
`SYS_RESOURCE` Use reserved space on ext2 file systems.
`SYS_TIME` Set system clock (settimeofday(2), stime(2), adjtimex(2)).
`SYS_TTY_CONFIG` Use vhangup(2).
`SYSLOG` Perform privileged syslog(2) operations.
`WAKE_ALARM` Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).

Method Summary

All Methods Static Methods Concrete Methods
Modifier and Type	Method and Description
`static Capability`	`valueOf(String name)` Returns the enum constant of this type with the specified name.
`static Capability[]`	`values()` Returns an array containing the constants of this enum type, in the order they are declared.

Methods inherited from class java.lang.Enum
clone, compareTo, equals, finalize, getDeclaringClass, hashCode, name, ordinal, toString, valueOf

Methods inherited from class java.lang.Object
getClass, notify, notifyAll, wait, wait, wait

- Enum Constant Detail
  - ALL
```
public static final Capability ALL
```
    This meta capability includes all Linux capabilities.
  - AUDIT_CONTROL
```
public static final Capability AUDIT_CONTROL
```
    - Enable and disable kernel auditing.
    - Change auditing filter rules.
    - Retrieve auditing status and filtering rules.
  - AUDIT_READ
```
public static final Capability AUDIT_READ
```
    Allow reading the audit log via multicast netlink socket.
  - AUDIT_WRITE
```
public static final Capability AUDIT_WRITE
```
    Write records to kernel auditing log.
  - BLOCK_SUSPEND
```
public static final Capability BLOCK_SUSPEND
```
    Employ features that can block system suspend.
  - BPF
```
public static final Capability BPF
```
    Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.
  - CHECKPOINT_RESTORE
```
public static final Capability CHECKPOINT_RESTORE
```
    Allow checkpoint/restore related operations. Introduced in kernel 5.9.
  - CHOWN
```
public static final Capability CHOWN
```
    Make arbitrary changes to file UIDs and GIDs (see chown(2)).
  - DAC_OVERRIDE
```
public static final Capability DAC_OVERRIDE
```
    Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
  - DAC_READ_SEARCH
```
public static final Capability DAC_READ_SEARCH
```
    Bypass file read permission checks and directory read and execute permission checks.
  - FOWNER
```
public static final Capability FOWNER
```
    - Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by the DAC_OVERRIDE and DAC_READ_SEARCH.
    - Set extended file attributes (see chattr(1)) on arbitrary files.
    - Set Access Control Lists (ACLs) on arbitrary files.
    - Ignore directory sticky bit on file deletion.
    - Specify O_NOATIME for arbitrary files in open(2)and fcntl(2).
  - FSETID
```
public static final Capability FSETID
```
    - Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
    - Set the set-group-ID bit for a file whose GID does not match the file system or any of the supplementary GIDs of the calling process.
  - IPC_LOCK
```
public static final Capability IPC_LOCK
```
    Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)).
  - IPC_OWNER
```
public static final Capability IPC_OWNER
```
    Bypass permission checks for operations on System V IPC objects.
  - KILL
```
public static final Capability KILL
```
    Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.
  - LEASE
```
public static final Capability LEASE
```
    Establish leases on arbitrary files (see fcntl(2)).
  - LINUX_IMMUTABLE
```
public static final Capability LINUX_IMMUTABLE
```
    Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)).
  - MAC_ADMIN
```
public static final Capability MAC_ADMIN
```
    Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
  - MAC_OVERRIDE
```
public static final Capability MAC_OVERRIDE
```
    Allow MAC configuration or state changes. Implemented for the Smack LSM.
  - MKNOD
```
public static final Capability MKNOD
```
    Create special files using mknod(2).
  - NET_ADMIN
```
public static final Capability NET_ADMIN
```
    Perform various network-related operations:
    - Interface configuration.
    - Administration of IP firewall, masquerading, and accounting.
    - Modify routing tables.
    - Bind to any address for transparent proxying.
    - Set type-of-service (TOS).
    - Clear driver statistics.
    - Set promiscuous mode.
    - Enabling multicasting.
    - Use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
  - NET_BIND_SERVICE
```
public static final Capability NET_BIND_SERVICE
```
    Bind a socket to Internet domain privileged ports (port numbers less than 1024).
  - NET_BROADCAST
```
public static final Capability NET_BROADCAST
```
    (Unused) Make socket broadcasts, and listen to multicasts.
  - NET_RAW
```
public static final Capability NET_RAW
```
    - Use RAW and PACKET sockets.
    - Bind to any address for transparent proxying.
  - PERFMON
```
public static final Capability PERFMON
```
    Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems
  - SETFCAP
```
public static final Capability SETFCAP
```
    Set file capabilities.
  - SETGID
```
public static final Capability SETGID
```
    - Make arbitrary manipulations of process GIDs and supplementary GID list.
    - Forge GID when passing socket credentials via UNIX domain sockets.
  - SETPCAP
```
public static final Capability SETPCAP
```
    If file capabilities are not supported:
    - grant or remove any capability in the caller's permitted capability set to or from any other process. (This property of CAP_SETPCAP is not available when the kernel is configured to support file capabilities, since CAP_SETPCAP has entirely different semantics for such kernels.)
    If file capabilities are supported:
    - Add any capability from the calling thread's bounding set to its inheritable set.
    - Drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP).
    - Make changes to the securebits flags.
  - SETUID
```
public static final Capability SETUID
```
    - Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)).
    - Make forged UID when passing socket credentials via UNIX domain sockets.
  - SYS_ADMIN
```
public static final Capability SYS_ADMIN
```
    - Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2).
    - Perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations).
    - Perform VM86_REQUEST_IRQ vm86(2) command.
    - Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects.
    - Perform operations on trusted and security Extended Attributes (see attr(5)).
    - Use lookup_dcookie(2)
    - Use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes.
    - Forge UID when passing socket credentials.
    - Exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2)).
    - Employ CLONE_* flags that create new namespaces with clone(2) and unshare(2).
    - Call perf_event_open(2).
    - Access privileged perf event information.
    - Call setns(2).
    - Call fanotify_init(2).
    - Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations.
    - Perform madvise(2) MADV_HWPOISON operation.
    - Employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal.
    - Employ the obsolete nfsservctl(2) system call.
    - Employ the obsolete bdflush(2) system call.
    - Perform various privileged block-device ioctl(2) operations.
    - Perform various privileged file-system ioctl(2) operations.
    - Perform administrative operations on many device drivers.
  - SYS_BOOT
```
public static final Capability SYS_BOOT
```
    Use reboot(2) and kexec_load(2).
  - SYS_CHROOT
```
public static final Capability SYS_CHROOT
```
    Use chroot(2).
  - SYSLOG
```
public static final Capability SYSLOG
```
    - Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege.
    - View kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1. (See the discussion of the kptr_restrict in proc(5).)
  - SYS_MODULE
```
public static final Capability SYS_MODULE
```
    - Load and unload kernel modules (see init_module(2) and delete_module(2))
    - In kernels before 2.6.25: drop capabilities from the system-wide capability bounding set.
  - SYS_NICE
```
public static final Capability SYS_NICE
```
    - Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
    - Set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2)).
    - Set CPU affinity for arbitrary processes (sched_setaffinity(2)).
    - Set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)).
    - Apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes.
    - Apply move_pages(2) to arbitrary processes.
    - Use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).
  - SYS_PACCT
```
public static final Capability SYS_PACCT
```
    Use acct(2).
  - SYS_PTRACE
```
public static final Capability SYS_PTRACE
```
    - Trace arbitrary processes using ptrace(2).
    - Apply get_robust_list(2) to arbitrary processes.
    - Inspect processes using kcmp(2).
  - SYS_RAWIO
```
public static final Capability SYS_RAWIO
```
    - Perform I/O port operations (iopl(2) and ioperm(2)).
    - Access /proc/kcore.
    - Employ the FIBMAP ioctl(2) operation.
    - Open devices for accessing x86 model-specific registers (MSRs, see msr(4)).
    - Update /proc/sys/vm/mmap_min_addr.
    - Create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr.
    - Map files in /proc/pci/bus.
    - Open /dev/mem and /dev/kmem.
    - Perform various SCSI device commands.
    - Perform certain operations on hpsa(4) and cciss(4) devices.
    - Perform a range of device-specific operations on other devices.
  - SYS_RESOURCE
```
public static final Capability SYS_RESOURCE
```
    - Use reserved space on ext2 file systems.
    - Make ioctl(2) calls controlling ext3 journaling.
    - Override disk quota limits.
    - Increase resource limits (see setrlimit(2)).
    - Override RLIMIT_NPROC resource limit.
    - Override maximum number of consoles on console allocation.
    - Override maximum number of keymaps.
    - Allow more than 64hz interrupts from the real-time clock.
    - Raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2)).
    - Override the /proc/sys/fs/pipe-size-max limit when setting the capacity of a pipe using the F_SETPIPE_SZ fcntl(2) command.
    - Use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size.
    - Override /proc/sys/fs/mqueue/queues_max limit when creating POSIX message queues (see mq_overview(7)).
    - Employ prctl(2) PR_SET_MM operation.
    - Set /proc/PID/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE.
  - SYS_TIME
```
public static final Capability SYS_TIME
```
    - Set system clock (settimeofday(2), stime(2), adjtimex(2)).
    - Set real-time (hardware) clock.
  - SYS_TTY_CONFIG
```
public static final Capability SYS_TTY_CONFIG
```
    - Use vhangup(2).
    - Employ various privileged ioctl(2) operations on virtual terminals.
  - WAKE_ALARM
```
public static final Capability WAKE_ALARM
```
    Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
- Method Detail
  - values
```
public static Capability[] values()
```
    Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:
```
for (Capability c : Capability.values())
    System.out.println(c);
```
    Returns:
    
    an array containing the constants of this enum type, in the order they are declared
  - valueOf
```
public static Capability valueOf(String name)
```
    Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)
    
    Parameters:
    
    name - the name of the enum constant to be returned.
    
    Returns:
    
    the enum constant with the specified name
    
    Throws:
    
    IllegalArgumentException - if this enum type has no constant with the specified name
    
    NullPointerException - if the argument is null

Enum Capability

Enum Constant Summary

Method Summary

Methods inherited from class java.lang.Enum

Methods inherited from class java.lang.Object

Enum Constant Detail

ALL

AUDIT_CONTROL

AUDIT_READ

AUDIT_WRITE

BLOCK_SUSPEND

BPF

CHECKPOINT_RESTORE

CHOWN

DAC_OVERRIDE

DAC_READ_SEARCH

FOWNER

FSETID

IPC_LOCK

IPC_OWNER

KILL

LEASE

LINUX_IMMUTABLE

MAC_ADMIN

MAC_OVERRIDE

MKNOD

NET_ADMIN

NET_BIND_SERVICE

NET_BROADCAST

NET_RAW

PERFMON

SETFCAP

SETGID

SETPCAP

SETUID

SYS_ADMIN

SYS_BOOT

SYS_CHROOT

SYSLOG

SYS_MODULE

SYS_NICE

SYS_PACCT

SYS_PTRACE

SYS_RAWIO

SYS_RESOURCE

SYS_TIME

SYS_TTY_CONFIG

WAKE_ALARM

Method Detail

values

valueOf