18. Unix/LIDS Capabilities
This list is based on the declaration of lids_caps_desc[] from
lids_cap.c (LIDS v2.2.2-2.6.14) and on the man page for
capabilities(7), rather than on the LIDS man pages, lidsconf -H, or
other LIDS documentation, which is sometimes out of date.
- CAP_AUDIT_CONTROL: Enable and disable kernel auditing; change auditing
  filter rules; retrieve auditing status and filtering rules.
- CAP_AUDIT_WRITE: Allow records to be written to the kernel auditing log.
- CAP_CHOWN: Allow arbitrary changes to file UIDs and GIDs (see chown(2),
  chgrp(2)).
- CAP_DAC_OVERRIDE: Bypass file read, write, and execute permission checks
  (DAC = "discretionary access control").
- CAP_DAC_READ_SEARCH: Bypass file read permission checks and directory
  read and execute permission checks.
- CAP_FOWNER: Bypass permission checks on operations that normally require
  the file system UID of the process to match the UID of the file (e.g.,
  chmod(2), utime(2)), excluding those operations covered by
  CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH; set extended file attributes
  (see chattr(1)) on arbitrary files; set Access Control Lists (ACLs) on
  arbitrary files; ignore the directory sticky bit on file deletion;
  specify O_NOATIME for arbitrary files in open(2) and fcntl(2).
- CAP_FSETID: Don't clear set-user-ID and set-group-ID bits when a file is
  modified; permit setting of the set-group-ID bit for a file whose GID
  does not match the file system GID or any of the supplementary GIDs of
  the calling process.
- CAP_IPC_LOCK: Permit memory locking (cf. mlock(2), mlockall(2), mmap(2)
  and shmctl(2)).
- CAP_IPC_OWNER: Bypass permission checks for operations on System V IPC
  objects.
- CAP_KILL: Bypass permission checks for sending signals (see kill(2)).
  This includes use of the KDSIGACCEPT ioctl.
- CAP_LEASE: Allow file leases to be established on arbitrary files (see
  fcntl(2)).
- CAP_LINUX_IMMUTABLE: Allow setting of the EXT2_APPEND_FL and
  EXT2_IMMUTABLE_FL (and EXT3_) filesystem attributes (see chattr(1)).
- CAP_MKNOD: Allow creation of special files using mknod(2).
- CAP_NET_ADMIN: Allow various network-related operations (e.g., setting
  privileged socket options, enabling multicasting, interface
  configuration, modifying routing tables).
- CAP_NET_BIND_SERVICE: Allow binding to Internet domain reserved socket
  ports (port numbers less than 1024).
- CAP_NET_BROADCAST: Allow socket broadcasting and listening to multicasts.
- CAP_NET_RAW: Permit use of RAW and PACKET sockets.
- CAP_PROTECTED (specific to LIDS): Protect the process from signals.
  Question: CAP_KILL vs CAP_PROTECTED?
- CAP_SETGID: Allow arbitrary manipulations of process GIDs and the
  supplementary GID list; allow a forged GID when passing socket
  credentials via Unix domain sockets.
- CAP_SETPCAP: Grant or remove any capability in the caller's permitted
  capability set to or from any other process.
- CAP_SETUID: Allow arbitrary manipulations of process UIDs (setuid(2),
  setreuid(2), setresuid(2), setfsuid(2)); allow a forged UID when passing
  socket credentials via Unix domain sockets.
- CAP_SYS_ADMIN: Permit a range of system administration operations
  including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2),
  sethostname(2), setdomainname(2), IPC_SET and IPC_RMID operations on
  arbitrary System V IPC objects; perform operations on trusted and
  security Extended Attributes (see attr(5)); call lookup_dcookie(2);
  perform keyctl(2) KEYCTL_CHOWN and KEYCTL_SETPERM operations; allow a
  forged UID when passing socket credentials; exceed
  /proc/sys/fs/file-max, the system-wide limit on the number of open
  files, in system calls that open files (e.g., accept(2), execve(2),
  open(2), pipe(2); without this capability these system calls will fail
  with the error ENFILE if this limit is encountered).
- CAP_SYS_BOOT: Permit calls to reboot(2) and kexec_load(2).
- CAP_SYS_CHROOT: Permit calls to chroot(2).
- CAP_SYS_MODULE: Allow loading and unloading of kernel modules; allow
  modifications to the capability bounding set (see init_module(2) and
  delete_module(2)).
- CAP_SYS_NICE: Allow raising the process nice value (nice(2),
  setpriority(2)) and changing the nice value of arbitrary processes;
  allow setting real-time scheduling policies for the calling process, and
  setting scheduling policies and priorities for arbitrary processes
  (sched_setscheduler(2), sched_setparam(2)); set CPU affinity for
  arbitrary processes (sched_setaffinity()); use MPOL_MF_MOVE_ALL with
  mbind(2).
- CAP_SYS_PACCT: Permit calls to acct(2).
- CAP_SYS_PTRACE: Allow arbitrary processes to be traced using ptrace(2).
- CAP_SYS_RAWIO: Permit I/O port operations (ioperm(2) and iopl(2)).
- CAP_SYS_RESOURCE: Permit: use of reserved space on Ext2 file systems;
  ioctl(2) calls controlling Ext3 journaling; disk quota limits to be
  overridden; resource limits to be increased (see setrlimit(2)); the
  RLIMIT_NPROC resource limit to be overridden; the msg_qbytes limit for a
  message queue to be raised above the limit in /proc/sys/kernel/msgmnb
  (see msgop(2) and msgctl(2)).
- CAP_SYS_TIME: Allow modification of the system clock (settimeofday(2),
  adjtimex(2)); allow modification of the real-time (hardware) clock.
- CAP_SYS_TTY_CONFIG: Permit calls to vhangup(2).
Question:
lids_acl.c refers to CAP_KILL_PROTECTED but this is
certainly not available as a Capability (try it with lidsconf). Is
this dead code?
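As an added example (not from the original page or from LIDS), the following C program decodes a capability bitmask, such as the CapEff line of /proc/self/status, into the names listed above, which is a quick way to check what a confined process actually holds. It assumes the bit numbers of <linux/capability.h> for the 2.6 kernels this page covers; the LIDS-only CAP_PROTECTED has no kernel bit and is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Index == capability bit number in <linux/capability.h> (2.6-era kernels,
 * as on this page). The LIDS-only CAP_PROTECTED is not a kernel bit: absent. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Write the names of all set bits, space-separated, into out; bits beyond the
 * table (added by later kernels) appear as cap_<n>. Returns the set-bit count. */
size_t decode_caps(uint64_t mask, char *out, size_t outsz) {
    size_t n = 0;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 64; bit++) {
        if (!(mask & ((uint64_t)1 << bit))) continue;
        if (n++) strncat(out, " ", outsz - strlen(out) - 1);
        if (bit < NCAPS) strncat(out, cap_names[bit], outsz - strlen(out) - 1);
        else snprintf(out + strlen(out), outsz - strlen(out), "cap_%u", bit);
    }
    return n;
}

/* Hex mask from a "CapEff:\t<hex>" style line of /proc/<pid>/status. */
uint64_t parse_cap_line(const char *line) {
    const char *colon = strchr(line, ':');
    return strtoull(colon ? colon + 1 : line, NULL, 16);
}

int main(void) { /* stand-alone use: decode the calling process's own sets */
    char line[256], names[1024];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "Cap", 3) == 0) { /* CapInh, CapPrm, CapEff, ... */
            uint64_t m = parse_cap_line(line);
            decode_caps(m, names, sizeof names);
            printf("%.*s %016llx: %s\n", (int)strcspn(line, ":"), line, (unsigned long long)m, names);
        }
    fclose(f);
    return 0;
}
```

Running it under a LIDS-confined or otherwise restricted process shows which of the sets above survived, rather than relying on what the configuration claims.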
About this document:
Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple