Explicitly disable Linux capabilities

libc/sysv/consts/cap.h

@@ -0,0 +1,47 @@
+#ifndef COSMOPOLITAN_LIBC_SYSV_CONSTS_CAP_H_
+#define COSMOPOLITAN_LIBC_SYSV_CONSTS_CAP_H_
+
+#define CAP_CHOWN              0
+#define CAP_DAC_OVERRIDE       1
+#define CAP_DAC_READ_SEARCH    2
+#define CAP_FOWNER             3
+#define CAP_FSETID             4
+#define CAP_KILL               5
+#define CAP_SETGID             6
+#define CAP_SETUID             7
+#define CAP_SETPCAP            8
+#define CAP_LINUX_IMMUTABLE    9
+#define CAP_NET_BIND_SERVICE   10
+#define CAP_NET_BROADCAST      11
+#define CAP_NET_ADMIN          12
+#define CAP_NET_RAW            13
+#define CAP_IPC_LOCK           14
+#define CAP_IPC_OWNER          15
+#define CAP_SYS_MODULE         16
+#define CAP_SYS_RAWIO          17
+#define CAP_SYS_CHROOT         18
+#define CAP_SYS_PTRACE         19
+#define CAP_SYS_PACCT          20
+#define CAP_SYS_ADMIN          21
+#define CAP_SYS_BOOT           22
+#define CAP_SYS_NICE           23
+#define CAP_SYS_RESOURCE       24
+#define CAP_SYS_TIME           25
+#define CAP_SYS_TTY_CONFIG     26
+#define CAP_MKNOD              27
+#define CAP_LEASE              28
+#define CAP_AUDIT_WRITE        29
+#define CAP_AUDIT_CONTROL      30
+#define CAP_SETFCAP            31
+#define CAP_MAC_OVERRIDE       32
+#define CAP_MAC_ADMIN          33
+#define CAP_SYSLOG             34
+#define CAP_WAKE_ALARM         35
+#define CAP_BLOCK_SUSPEND      36
+#define CAP_AUDIT_READ         37
+#define CAP_PERFMON            38
+#define CAP_BPF                39
+#define CAP_CHECKPOINT_RESTORE 40
+#define CAP_LAST_CAP           CAP_CHECKPOINT_RESTORE
+
+#endif /* COSMOPOLITAN_LIBC_SYSV_CONSTS_CAP_H_ */

libc/sysv/consts/fs.h

@@ -0,0 +1,38 @@
+#ifndef COSMOPOLITAN_LIBC_SYSV_CONSTS_FS_H_
+#define COSMOPOLITAN_LIBC_SYSV_CONSTS_FS_H_
+
+#define FS_IOC_GETFLAGS   0x80086601
+#define FS_IOC_SETFLAGS   0x40086602
+#define FS_IOC_GETVERSION 0x80087601
+#define FS_IOC_SETVERSION 0x40087602
+#define FS_IOC_FIEMAP     0xc020660b
+#define FS_IOC_FSGETXATTR 0x801c581f
+#define FS_IOC_FSSETXATTR 0x401c5820
+#define FS_IOC_GETFSLABEL 0x81009431
+#define FS_IOC_SETFSLABEL 0x41009432
+
+#define FS_FL_USER_VISIBLE    0x0003DFFF /* user visible flags */
+#define FS_FL_USER_MODIFIABLE 0x000380FF /* user modifiable flags */
+#define FS_SECRM_FL           0x00000001 /* secure deletion */
+#define FS_UNRM_FL            0x00000002 /* undelete */
+#define FS_COMPR_FL           0x00000004 /* compress */
+#define FS_SYNC_FL            0x00000008 /* synchronous */
+#define FS_IMMUTABLE_FL       0x00000010
+#define FS_APPEND_FL          0x00000020 /* append-only */
+#define FS_NODUMP_FL          0x00000040
+#define FS_NOATIME_FL         0x00000080
+#define FS_DIRTY_FL           0x00000100
+#define FS_COMPRBLK_FL        0x00000200
+#define FS_NOCOMP_FL          0x00000400
+#define FS_ENCRYPT_FL         0x00000800 /* encrypted file */
+#define FS_BTREE_FL           0x00001000
+#define FS_INDEX_FL           0x00001000 /* hash-indexed directory */
+#define FS_IMAGIC_FL          0x00002000
+#define FS_JOURNAL_DATA_FL    0x00004000
+#define FS_NOTAIL_FL          0x00008000
+#define FS_DIRSYNC_FL         0x00010000
+#define FS_TOPDIR_FL          0x00020000
+#define FS_HUGE_FILE_FL       0x00040000
+#define FS_EXTENT_FL          0x00080000
+
+#endif /* COSMOPOLITAN_LIBC_SYSV_CONSTS_FS_H_ */

libc/sysv/consts/pr.h

@@ -7,6 +7,9 @@
 #define SECCOMP_MODE_STRICT   1
 #define SECCOMP_MODE_FILTER   2
 
+#define PR_CAPBSET_READ 23
+#define PR_CAPBSET_DROP 24
+
 #define PR_SET_NO_NEW_PRIVS 38
 #define PR_GET_NO_NEW_PRIVS 39
 
@@ -73,8 +76,6 @@
 #define PR_SET_MM_EXE_FILE          13
 #define PR_SET_MM_MAP               14
 #define PR_SET_MM_MAP_SIZE          15
-#define PR_CAPBSET_READ             23
-#define PR_CAPBSET_DROP             24
 #define PR_GET_TSC                  25
 #define PR_SET_TSC                  26
 #define PR_GET_SECUREBITS           27