Current: %s
failed to get IAB for process
failed to obtain text for IAB
Current IAB: %s
Capabilities not available
clear
raise
all
failed to allocate names
failed to %s ambient [%s=%u]
%s (%d)
%s
/bin/bash
unlocked
yes
no
???
--quiet
--drop=
failed to drop [%s=%u]
--dropped=
--has-ambient
ambient set not supported
--addamb=
--delamb=
--noamb
failed to reset ambient set
--noenv
--inh=
Out of memory for inh set
none
%s %s+i
--strict
--caps=
unable to interpret [%s]
--modes
Supported modes:
UNKNOWN
%s
--mode
unsupported mode: %s
failed to set mode [%s]: %s
unrecognized command [%s]
Mode: %s
--inmode=
--keep=
invalid --keep value
--chroot=
/
--secbits=
invalid --secbits value
--forkfor=
already forked
invalid --forkfor value
unable to fork()
--killit=
invalid --killit signo value
no forked process to kill
Unable to kill child process
--uid=
invalid --uid value
Failed to set uid=%u: %s
--cap-uid=
invalid --cap-uid value
Failed to cap_setuid(%u): %s
--gid=
invalid --gid value
Failed to set gid=%u: %s
--groups=
No memory for [%s] operation
No memory for gid list
Failed to setgroups.
--user=
User [%s] not known
unable to set HOME
unable to set USER
--decode=
0x%016llx=
--supports=
--print
Bounding
Ambient
secure-noroot: %s (%s)
secure-keep-caps: %s (%s)
uid=%u(%s) euid=%u(%s)
gid=%u(%s)
%s%u(%s)
Guessed mode: %s (%d)
--
==
-+
=+
PATH
%s/%s
failed to create launcher
child failed to start
execve '%s' failed!
--shell=
--has-p=
cap[%s] not permitted
--has-i=
cap[%s] not inheritable
--has-a=
--has-b=
--is-uid=
invalid --is-uid value
uid: got=%d, want=%d
--is-gid=
invalid --is-gid value
gid: got=%d, want=%d
--iab=
iab: '%s' malformed
unable to set IAB tuple
--no-new-privs
unable to set no-new-privs
--has-no-new-privs
no-new-privs not set
--license
--explain=
unrecognised value '%s'
(%d) (%d)
--suggest=
invalid named cap
--current
--help
-h
also writing to ns_last_pid.
- bounded loops
- dead code elimination
conversions bypassed permitted memory descriptors.
programs.
subsystems.
system up.
(printk) behavior.
overriding them.
creation.
unicast netlink socket.
the mknod() system call.
- configure tty devices
- alter the system clock
- enable irix_stime on MIPS
- set the real-time clock
of processes and the system:
- override quota limits
real-time clock allocation
of arbitrary processes:
- setting the domainname
- setting the hostname
- calling bdflush()
- some autofs root ioctls
- nfsservctl
- VM86_REQUEST_IRQ
- removing semaphores
- turning swap on/off
devices some extra ioctls)
- tuning the ide driver
device configuration space
- setting up serial ports
process.
- permit ioper/iopl access
/dev/bus/usb
modify kernel without limit.
calls.
- RAW sockets
- PACKET sockets
operations:
- interface configuration
accounting ownership on sockets
- setting promiscuous mode
- multicasing
listen to multicast.
- ATM VCIs below 32
S_APPEND file attributes.
capabilities.
vector. values socket
CAP_LINUX_IMMUTABLE.
group ownership of a file.
failed to get process capabilities
Unable to check CAP_EFFECTIVE CAP_SETPCAP value
Unable to %s ambient capability [%s]
capability [%s] is unknown to libcap
sysconf(%d) returned a non-positive number: %ld
[/proc/self/status:CapXXX: 0x%016llx]
%s: want non-negative integer, got "%s"
obtaining highest capability name
WARNING: libcap needs an update (cap=%d should have a name).
unable to raise CAP_SETPCAP for BSET changes
unable to lower CAP_SETPCAP post BSET change
Unable to drop bounding capability [%s]
cap[%s] not recognized by library
cap[%s] raised in bounding vector
libcap:cap_clear_flag() internal error
Fatal error concerning process capabilities
Fatal error internalizing capabilities
Unable to set inheritable capabilities
Unable to set capabilities [%s]
mismatched mode got=%s want=%s
prctl(PR_SET_KEEPCAPS, %u) failed: %s
Unable to duplicate capabilities
unable to select CAP_SET_SYS_CHROOT
unable to raise CAP_SYS_CHROOT
unable to lower CAP_SYS_CHROOT
Unable to chroot/chdir to [%s]
failed to set securebits to 0%o/0x%x
require non-zero --forkfor value
waitpid didn't match child: %u != %u
child terminated with odd signal (%d != %d)
Too many groups specified (%d)
Failed to identify gid for group [%s]
Unable to get group list for user
Unable to set group list for user
Failed to set uid=%u(user=%s): %s
cap[%s=%d] not supported by kernel
Securebits: 0%lo/0x%lx/%u'b%s (no-new-privs=%d)
secure-no-suid-fixup: %s (%s)
secure-no-ambient-raise: %s (%s)
no PATH environment variable found for re-execing
insufficient memory for parts of path
insufficient memory for path building
failed to wait for PID=%d, result=%x:
child PID=%d terminated by signo=%d
child PID=%d generated result=%0x
cap[%s] not in ambient vector
cap[%s] not in bounding vector
%s see License file for details.
Copyright (c) 2008-11,16,19-21 Andrew G. Morgan
negative capability (%d) invalid
[/proc/self/status:CapXXX: 0x%016llx]

usage: %s [args ...]
  --addamb=xxx        add xxx,... capabilities to ambient set
  --cap-uid=          use libcap cap_setuid() to change uid
  --caps=xxx          set caps as per cap_from_text()
  --chroot=path       chroot(2) to this path
  --current           show current caps and IAB vectors
  --decode=xxx        decode a hex string to a list of caps
  --delamb=xxx        remove xxx,... capabilities from ambient
  --drop=xxx          drop xxx,... caps from bounding set
  --explain=xxx       explain what capability xxx permits
  --forkfor=          fork and make child sleep for sec
  --gid=              set gid to (hint: id )
  --groups=g,...      set the supplemental groups
  --has-a=xxx         exit 1 if capability xxx not ambient
  --has-b=xxx         exit 1 if capability xxx not dropped
  --has-ambient       exit 1 unless ambient vector supported
  --has-i=xxx         exit 1 if capability xxx not inheritable
  --has-p=xxx         exit 1 if capability xxx not permitted
  --has-no-new-privs  exit 1 if privs not limited
  --help, -h          this message (or try 'man capsh')
  --iab=...           use cap_iab_from_text() to set iab
  --inh=xxx           set xxx,.. inheritable set
  --inmode=           exit 1 if current mode is not
  --is-uid=           exit 1 if uid !=
  --is-gid=           exit 1 if gid !=
  --keep=             set keep-capability bit to
  --killit=           send signal(n) to child
  --license           display license info
  --mode              display current libcap mode
  --mode=             set libcap mode to
  --modes             list libcap named modes
  --no-new-privs      set sticky process privilege limiter
  --noamb             reset (drop) all ambient capabilities
  --noenv             no fixup of env vars (for --user)
  --print             display capability relevant state
  --quiet             if first argument skip max cap check
  --secbits=          write a new value for securebits
  --shell=/xx/yy      use /xx/yy instead of /bin/bash for --
  --strict            toggle --caps, --drop and --inh fixups
  --suggest=text      search cap descriptions for text
  --supports=xxx      exit 1 if capability xxx unsupported
  --uid=              set uid to (hint: id )
  --user=             set uid,gid and groups to that of user
  ==                  re-exec(capsh) with args as for --
  =+                  cap_launch capsh with args as for -+
  --                  remaining arguments are for /bin/bash
  -+                  cap_launch /bin/bash with remaining args
                      (without -- [%s] will simply exit(0))
unable to find executable '%s' in PATH

Allows a process to perform checkpoint and restore operations. Also permits explicit PID control via clone3() and

Allows a process to manipulate aspects of the kernel enhanced Berkeley Packet Filter (BPF) system. This is an execution subsystem of the kernel, that manages BPF programs.
CAP_BPF permits a process to:
- create all types of BPF maps
- advanced verifier features:
- indirect variable access
- BPF to BPF function calls
- scalar precision tracking
- larger complexity limits
- potentially other features

Other capabilities can be used together with CAP_BFP to further manipulate the BPF system:
- CAP_PERFMON relaxes the verifier checks as follows:
- BPF programs can use pointer-to-integer
- speculation attack hardening measures can be
- bpf_probe_read to read arbitrary kernel memory is
- bpf_trace_printk to print the content of kernel
- CAP_SYS_ADMIN permits the following:
- use of bpf_probe_write_user
- iteration over the system-wide loaded programs, maps, links BTFs and convert their IDs to file
- CAP_PERFMON is required to load tracing programs.
- CAP_NET_ADMIN is required to load networking

Allows a process to enable observability of privileged operations related to performance. The mechanisms include perf_events, i915_perf and other kernel

Allows a process to read the audit log via a multicast

Allows a process to block system suspends - prevent the system from entering a lower power state.

Allows a process to trigger something that can wake the

Allows a process to configure the kernel's syslog

Allows a process to configure the Mandatory Access Control (MAC) policy. Not all kernels are configured with a MAC enabled, but if they are this capability is reserved for code to perform administration tasks.

Allows a process to override Manditory Access Control (MAC) access. Not all kernels are configured with a MAC mechanism, but this is the capability reserved for

Allows a process to set capabilities on files.

Permits a process to uid_map the uid=0 of the parent user namespace into that of the child namespace. Also, permits a process to override securebits locks through user namespace

Allows a process to configure audit logging via a

Allows a process to write to the audit log via a

Allows a process to take leases on files.

Allows a process to perform privileged operations with

Allows a process to manipulate tty devices:
- perform vhangup() of a tty

Allows a process to perform time manipulation of clocks:

Allows a process to adjust resource related parameters
- set and override resource limits
- override the reserved space on ext2 filesystem (this can also be achieved via CAP_FSETID)
- modify the data journaling mode on ext3 filesystem, which uses journaling resources
- override size restrictions on IPC message queues
- configure more than 64Hz interrupts from the
- override the maximum number of consoles for console
- override the maximum number of keymaps

Allows a process to maipulate the execution priorities
- those involving different UIDs
- setting their CPU affinity
- alter the FIFO vs. round-robin (realtime) scheduling for itself and other processes.

Allows a process to initiate a reboot of the system.

Allows a process to perform a somewhat arbitrary grab-bag of privileged operations. Over time, this capability should weaken as specific capabilities are created for subsets of CAP_SYS_ADMINs functionality:
- configuration of the secure attention key
- administration of the random device
- examination and configuration of disk quotas
- mount() and umount(), setting up new SMB connection
- to read/write pci config on alpha
- irix_prctl on mips (setstacksize)
- flushing all cache on m68k (sys_cacheflush)
- Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory
- locking/unlocking of shared memory segment
- forged pids on socket credentials passing
- setting readahead and flushing buffers on block
- setting geometry in floppy driver
- turning DMA on/off in xd driver
- administration of md devices (mostly the above, but
- access to the nvram device
- administration of apm_bios, serial and bttv (TV)
- manufacturer commands in isdn CAPI support driver
- reading non-standardized portions of PCI
- DDI debug ioctl on sbpcd driver
- sending raw qic-117 commands
- enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands
- setting encryption key on loopback filesystem
- setting zone reclaim policy

Allows a process to configure process accounting.

Allows a process to perform a ptrace() of any other

Allows a process to perform a chroot syscall to change the effective root of the process' file system: redirect to directory "/" to some other location.

Allows a process to perform raw IO:
- permit sending USB messages to any device via

Allows a process to initiate the loading and unloading of kernel modules. This capability can effectively

Allows a process to override IPC ownership checks.

Allows a process to lock shared memory segments for IPC purposes. Also enables mlock and mlockall system

Allows a process to use raw networking:
- binding to any address for transparent proxying (also permitted via CAP_NET_ADMIN)

Allows a process to perform network configuration
- administration of IP firewall, masquerading and
- setting debug options on sockets
- modification of routing tables
- setting arbitrary process, and process group (this is also allowed via CAP_NET_RAW)
- setting TOS (Type of service)
- clearing driver statistics
- read/write of device-specific registers
- activation of ATM control sockets

Allows a process to broadcast to the network and to

Allows a process to bind to privileged ports:
- TCP/UDP sockets below 1024

Allows a process to modify the S_IMMUTABLE and

Allows a process to freely manipulate its inheritable

Linux supports the POSIX.1e Inheritable set, the POXIX.1e (X vector) known in Linux as the Bounding vector, as well as the Linux extension Ambient vector.

This capability permits dropping bits from the Bounding vector (ie. raising B bits in the libcap IAB representation). It also permits the process to raise Ambient vector bits that are both raised in the Permitted and Inheritable sets of the process. This capability cannot be used to raise Permitted bits, Effective bits beyond those already present in the process' permitted set, or Inheritable bits beyond those present in the Bounding

[Historical note: prior to the advent of file capabilities (2008), this capability was suppressed by default, as its unsuppressed behavior was not auditable: it could asynchronously grant its own Permitted capabilities to and remove capabilities from other processes arbitrarily. The former leads to undefined behavior, and the latter is better served by the kill system call.]

Allows a process to freely manipulate its own UIDs:
- arbitrarily set the UID, EUID, REUID and RESUID
- allows the forging of UID credentials passed over a

Allows a process to freely manipulate its own GIDs:
- arbitrarily set the GID, EGID, REGID, RESGID values
- arbitrarily set the supplementary GIDs
- allows the forging of GID credentials passed over a

Allows a process to send a kill(2) signal to any other process - overriding the limitation that there be a [E]UID match between source and target process.

Allows a process to set the S_ISUID and S_ISUID bits of the file permissions, even when the process' effective UID or GID/supplementary GIDs do not match that of the

Allows a process to perform operations on files, even where file owner ID should otherwise need be equal to the UID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions.

Allows a process to override all DAC restrictions limiting the read and search of files and directories. This excludes DAC access covered by

Allows a process to override of all Discretionary Access Control (DAC) access, including ACL execute access. That is read, write or execute files that the process would otherwise not have access to. This excludes DAC access covered by CAP_LINUX_IMMUTABLE.

Allows a process to arbitrarily change the user and