From 89dfcbb5696b970cf070581ce4ae0b59fd017f58 Mon Sep 17 00:00:00 2001
From: Tao Su <st498824@antgroup.com>
Date: Thu, 28 Aug 2025 07:04:44 +0000
Subject: [PATCH] Add `prctl`, `capget` and `capset` syscall limitation to the
 book

---
 book/src/kernel/linux-compatibility/README.md |  6 +-
 .../namespaces-cgroups-and-security.md        | 90 ++++++++++++++++++-
 2 files changed, 92 insertions(+), 4 deletions(-)

diff --git a/book/src/kernel/linux-compatibility/README.md b/book/src/kernel/linux-compatibility/README.md
index 61a176f9e..32189dda3 100644
--- a/book/src/kernel/linux-compatibility/README.md
+++ b/book/src/kernel/linux-compatibility/README.md
@@ -145,8 +145,8 @@ provided by Linux on x86-64 architecture.
 | 122     | setfsuid               | ✅             |     |
 | 123     | setfsgid               | ✅             |     |
 | 124     | getsid                 | ✅             |     |
-| 125     | capget                 | ✅             |     |
-| 126     | capset                 | ✅             |     |
+| 125     | capget                 | ✅             | [⚠️](limitations-on-system-calls/namespaces-cgroups-and-security.md#capget-and-capset) |
+| 126     | capset                 | ✅             | [⚠️](limitations-on-system-calls/namespaces-cgroups-and-security.md#capget-and-capset) |
 | 127     | rt_sigpending          | ✅             |     |
 | 128     | rt_sigtimedwait        | ❌             |     |
 | 129     | rt_sigqueueinfo        | ❌             |     |
@@ -177,7 +177,7 @@ provided by Linux on x86-64 architecture.
 | 154     | modify_ldt             | ❌             |     |
 | 155     | pivot_root             | ❌             |     |
 | 156     | _sysctl                | ❌             |     |
-| 157     | prctl                  | ✅             |     |
+| 157     | prctl                  | ✅             | [⚠️](limitations-on-system-calls/namespaces-cgroups-and-security.md#prctl) |
 | 158     | arch_prctl             | ✅             | [⚠️](limitations-on-system-calls/system-information-and-misc.md#arch_prctl) |
 | 159     | adjtimex               | ❌             |     |
 | 160     | setrlimit              | ✅             |     |
diff --git a/book/src/kernel/linux-compatibility/limitations-on-system-calls/namespaces-cgroups-and-security.md b/book/src/kernel/linux-compatibility/limitations-on-system-calls/namespaces-cgroups-and-security.md
index e20eb6c1d..8c9e8c271 100644
--- a/book/src/kernel/linux-compatibility/limitations-on-system-calls/namespaces-cgroups-and-security.md
+++ b/book/src/kernel/linux-compatibility/limitations-on-system-calls/namespaces-cgroups-and-security.md
@@ -6,4 +6,92 @@ unshare, setns, clone (with namespace flags), chroot, pivot_root, prctl,
 capset, seccomp, landlock_create_ruleset, landlock_add_rule, 
 landlock_restrict_self, and bpf
 under this category.
--->
\ No newline at end of file
+-->
+
+## `prctl`
+
+Supported functionality in SCML:
+
+```c
+// Retrieve or set the parent-death signal
+prctl(op = PR_GET_PDEATHSIG ｜ PR_SET_PDEATHSIG, sig);
+
+// Get or set the name of calling thread
+prctl(op = PR_GET_NAME ｜ PR_SET_NAME, name);
+
+// Query whether process retains permitted capabilities after `UID` changes
+prctl(op = PR_GET_KEEPCAPS);
+
+// Configure permitted capabilities retention after `UID` changes
+prctl(op = PR_SET_KEEPCAPS, state);
+
+// Retrieve or set "child subreaper" attribute
+prctl(op = PR_GET_CHILD_SUBREAPER | PR_SET_CHILD_SUBREAPER, isset);
+```
+
+Partially-supported operations:
+* `PR_GET_DUMPABLE` and `PR_SET_DUMPABLE` because coredump is not supported
+
+Unsupported operations:
+* `PR_CAP_AMBIENT`, `PR_CAPBSET_READ` and `PR_CAPBSET_DROP`
+* `PR_GET_ENDIAN` and `PR_SET_ENDIAN`
+* `PR_GET_FP_MODE` and `PR_SET_FP_MODE`
+* `PR_GET_FPEMU` and `PR_SET_FPEMU`
+* `PR_GET_FPEXC` and `PR_SET_FPEXC`
+* `PR_GET_IO_FLUSHER` and `PR_SET_IO_FLUSHER`
+* `PR_MCE_KILL` and `PR_MCE_KILL_GET`
+* `PR_SET_MM` and `PR_SET_VMA`
+* `PR_MPX_ENABLE_MANAGEMENT` and `PR_MPX_DISABLE_MANAGEMENT`
+* `PR_GET_NO_NEW_PRIVS` and `PR_SET_NO_NEW_PRIVS`
+* `PR_PAC_RESET_KEYS`
+* `PR_SET_PTRACER`
+* `PR_GET_SECCOMP` and `PR_SET_SECCOMP`
+* `PR_GET_SECUREBITS` and `PR_SET_SECUREBITS`
+* `PR_GET_SPECULATION_CTRL` and `PR_SET_SPECULATION_CTRL`
+* `PR_SVE_GET_VL` and `PR_SVE_SET_VL`
+* `PR_SET_SYSCALL_USER_DISPATCH`
+* `PR_GET_TAGGED_ADDR_CTRL` and `PR_SET_TAGGED_ADDR_CTRL`
+* `PR_TASK_PERF_EVENTS_ENABLE` and `PR_TASK_PERF_EVENTS_DISABLE`
+* `PR_GET_THP_DISABLE` and `PR_SET_THP_DISABLE`
+* `PR_GET_TID_ADDRESS`
+* `PR_GET_TIMERSLACK` and `PR_SET_TIMERSLACK`
+* `PR_GET_TIMING` and `PR_SET_TIMING`
+* `PR_GET_TSC` and `PR_SET_TSC`
+* `PR_GET_UNALIGN` and `PR_SET_UNALIGN`
+* `PR_GET_AUXV`
+* `PR_GET_MDWE` and `PR_SET_MDWE`
+* `PR_RISCV_SET_ICACHE_FLUSH_CTX`
+
+For more information,
+see [the man page](https://man7.org/linux/man-pages/man2/prctl.2.html).
+
+## `capget` and `capset`
+
+Supported functionality in SCML:
+
+```c
+// Get capabilities of thread
+capget(
+    hdrp = {
+        version = _LINUX_CAPABILITY_VERSION_3,
+        ..
+    },
+    datap
+);
+
+// Set capabilities of thread
+capset(
+    hdrp = {
+        version = _LINUX_CAPABILITY_VERSION_3,
+        ..
+    },
+    datap
+);
+```
+
+Unsupported versions:
+* `_LINUX_CAPABILITY_VERSION_1`
+* `_LINUX_CAPABILITY_VERSION_2`
+
+For more information,
+see [the man page](https://man7.org/linux/man-pages/man2/capget.2.html).
\ No newline at end of file