[SOLVED] How does linux capability.h use 32-bit mask for 34 elements?

How does linux capability.h use 32-bit mask for 34 elements?

The file in /usr/include/linux/capability.h #defines 34 possible capabilities. It goes like:

#define CAP_CHOWN            0

#define CAP_DAC_OVERRIDE     1

.....

#define CAP_MAC_ADMIN        33

#define CAP_LAST_CAP         CAP_MAC_ADMIN

each process has capabilities defined thusly

typedef struct __user_cap_data_struct {

        __u32 effective;
        __u32 permitted;
        __u32 inheritable;
} * cap_user_data_t;

I'm confused - a process can have 32-bits of effective capabilities, yet the total amount of capabilities defined in capability.h is 34. How is it possible to encode 34 positions in a 32-bit mask?

Solution

Because you haven't read all of the manual.

The capget manual starts by convincing you to not use it :

These two functions are the raw kernel interface for getting  and  set‐
ting  thread capabilities.  Not only are these system calls specific to
Linux, but the kernel API is likely to change and use  of  these  func‐
tions  (in  particular the format of the cap_user_*_t types) is subject
to extension with each kernel revision,  but  old  programs  will  keep
working.

The  portable  interfaces  are  cap_set_proc(3) and cap_get_proc(3); if
possible you should use those interfaces in applications.  If you  wish
to use the Linux extensions in applications, you should use the easier-
to-use interfaces capsetp(3) and capgetp(3).

Current details

Now that you have been warned, some current kernel details.  The struc‐
tures are defined as follows.

#define _LINUX_CAPABILITY_VERSION_1  0x19980330
#define _LINUX_CAPABILITY_U32S_1     1

#define _LINUX_CAPABILITY_VERSION_2  0x20071026
#define _LINUX_CAPABILITY_U32S_2     2

[...]
effective,  permitted,  inheritable  are  bitmasks  of the capabilities
defined in capability(7).  Note the CAP_* values are  bit  indexes  and
need to be bit-shifted before ORing into the bit fields.
[...]
Kernels  prior  to  2.6.25  prefer  32-bit  capabilities  with  version
_LINUX_CAPABILITY_VERSION_1, and kernels 2.6.25+ prefer 64-bit capabil‐
ities with version _LINUX_CAPABILITY_VERSION_2.  Note, 64-bit capabili‐
ties  use  datap[0]  and datap[1], whereas 32-bit capabilities only use
datap[0].

where datap is defined earlier as a pointer to a __user_cap_data_struct. So you just represent a 64bit values with two __u32 in an array of two __user_cap_data_struct.

This, alone, tells me to not ever use this API, so i didn't read the rest of the manual.