Merge pull request #2726 from thaJeztah/add_new_caps

Add docs and bash-completion for new Linux capabilities

contrib/completion/bash/docker

@@ -837,6 +837,8 @@ __docker_complete_capabilities_addable() {
 		CAP_AUDIT_CONTROL
 		CAP_AUDIT_READ
 		CAP_BLOCK_SUSPEND
+		CAP_BPF
+		CAP_CHECKPOINT_RESTORE
 		CAP_DAC_READ_SEARCH
 		CAP_IPC_LOCK
 		CAP_IPC_OWNER
@@ -846,6 +848,7 @@ __docker_complete_capabilities_addable() {
 		CAP_MAC_OVERRIDE
 		CAP_NET_ADMIN
 		CAP_NET_BROADCAST
+		CAP_PERFMON
 		CAP_SYS_ADMIN
 		CAP_SYS_BOOT
 		CAP_SYSLOG

docs/reference/run.md

@@ -1286,7 +1286,7 @@ list of capabilities that are kept. The following table lists the Linux capabili
 options which are allowed by default and can be dropped.
 
 | Capability Key        | Capability Description                                                                                                         |
-|:-----------------|:------------------------------------------------------------------------------------------------------------------------------|
+|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
 | AUDIT_WRITE           | Write records to kernel auditing log.                                                                                          |
 | CHOWN                 | Make arbitrary changes to file UIDs and GIDs (see chown(2)).                                                                   |
 | DAC_OVERRIDE          | Bypass file read, write, and execute permission checks.                                                                        |
@@ -1305,10 +1305,12 @@ options which are allowed by default and can be dropped.
 The next table shows the capabilities which are not granted by default and may be added.
 
 | Capability Key        | Capability Description                                                                                                         |
-|:----------------|:----------------------------------------------------------------------------------------------------------------|
+|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
 | AUDIT_CONTROL         | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.                |
-| AUDIT_READ      | Allow reading audit messages from the kernel.                                                                   |
-| BLOCK_SUSPEND   | Employ features that can block system suspend.                                                                  |
+| AUDIT_READ            | Allow reading the audit log via multicast netlink socket.                                                                      |
+| BLOCK_SUSPEND         | Allow preventing system suspends.                                                                                              |
+| BPF                   | Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.                    |
+| CHECKPOINT_RESTORE    | Allow checkpoint/restore related operations.  Introduced in kernel 5.9.                                                        |
 | DAC_READ_SEARCH       | Bypass file read permission checks and directory read and execute permission checks.                                           |
 | IPC_LOCK              | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).                                                                       |
 | IPC_OWNER             | Bypass permission checks for operations on System V IPC objects.                                                               |
@@ -1318,6 +1320,7 @@ The next table shows the capabilities which are not granted by default and may b
 | MAC_OVERRIDE          | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).                                |
 | NET_ADMIN             | Perform various network-related operations.                                                                                    |
 | NET_BROADCAST         | Make socket broadcasts, and listen to multicasts.                                                                              |
+| PERFMON               | Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems      |
 | SYS_ADMIN             | Perform a range of system administration operations.                                                                           |
 | SYS_BOOT              | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.                                             |
 | SYS_MODULE            | Load and unload kernel modules.                                                                                                |
@@ -1331,7 +1334,8 @@ The next table shows the capabilities which are not granted by default and may b
 | SYSLOG                | Perform privileged syslog(2) operations.                                                                                       |
 | WAKE_ALARM            | Trigger something that will wake up the system.                                                                                |
 
-Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
+Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html),
+and in the [Linux kernel source code](https://github.com/torvalds/linux/blob/124ea650d3072b005457faed69909221c2905a1f/include/uapi/linux/capability.h).
 
 Both flags support the value `ALL`, so to allow a container to use all capabilities
 except for `MKNOD`: