§6.2 Privilege Catalog
This is the complete set of Peios privileges. Each privilege is listed with a description and its enforcement category:
- Kernel standalone — enforced at a specific operation boundary, independent of AccessCheck.
- AccessCheck — evaluated inside the AccessCheck pipeline.
- Application-level — checked by a userspace service, not by the kernel.
- Reserved — allocated for format compatibility but not enforced in v0.20.
§6.2.1 Identity and token management
| Privilege | Description | Enforcement |
|---|---|---|
| SeCreateTokenPrivilege | Create tokens from scratch. Only TCB components (authd, peinit). | Kernel standalone |
| SeAssignPrimaryTokenPrivilege | Install a token as another process's primary identity. | Kernel standalone |
| SeImpersonatePrivilege | Impersonate another principal's identity on the current thread. Required by every service that handles requests on behalf of users. | Kernel standalone |
§6.2.2 Access control
| Privilege | Description | Enforcement |
|---|---|---|
| SeSecurityPrivilege | Read and write an object's SACL. | AccessCheck |
| SeTakeOwnershipPrivilege | Take ownership of any object regardless of current permissions. | AccessCheck |
| SeBackupPrivilege | Read any object regardless of DACL, for backup. Intent-gated: only evaluated when the caller passes BACKUP_INTENT. | AccessCheck |
| SeRestorePrivilege | Write any object, modify permissions, change ownership, access SACL -- everything needed to restore an object. Intent-gated: only evaluated when the caller passes RESTORE_INTENT. | AccessCheck |
| SeRelabelPrivilege | Change an object's integrity label. Punches WRITE_OWNER through MIC for non-dominant callers. Removes the "only at or below own level" restriction at label-write time. | AccessCheck + enforcement layer |
| SeChangeNotifyPrivilege | Bypass traverse checking. Without this privilege, accessing a file requires execute permission on every intermediate directory. Granted to all principals by default. | Kernel standalone |
| SeCreateSymbolicLinkPrivilege | Create symbolic links. Granted to all principals by default. | Kernel standalone |
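The intent gating on SeBackupPrivilege and SeRestorePrivilege means AccessCheck does not consult those privileges at all unless the caller also passed the matching intent flag, so merely holding the privilege does not turn every ordinary open into a DACL bypass. The following C block is an added illustration, not Peios kernel code; the bit positions, access-right constants and intent-flag values are constructed, and `intent_gated_privilege_grants` is a hypothetical name for the relevant step of the pipeline.

```c
#include <stdbool.h>
#include <stdint.h>

/* Privilege set held by the caller's token. Bit positions are constructed
 * for this example; the page does not give Peios's real assignments. */
typedef uint64_t priv_set_t;
#define PRIV_BACKUP   ((priv_set_t)1 << 0)
#define PRIV_RESTORE  ((priv_set_t)1 << 1)

/* Access rights, constructed. */
#define ACCESS_READ        0x01u
#define ACCESS_WRITE       0x02u
#define ACCESS_WRITE_DAC   0x04u   /* modify permissions */
#define ACCESS_WRITE_OWNER 0x08u   /* change ownership */
#define ACCESS_SYSTEM_SEC  0x10u   /* access the SACL */

/* Intent flags supplied by the caller on the open request (constructed values). */
#define BACKUP_INTENT  0x1u
#define RESTORE_INTENT 0x2u

/* What each intent-gated privilege is allowed to satisfy, per the catalog:
 * backup = read any object; restore = everything needed to put it back. */
#define BACKUP_GRANTS  (ACCESS_READ)
#define RESTORE_GRANTS (ACCESS_WRITE | ACCESS_WRITE_DAC | ACCESS_WRITE_OWNER | ACCESS_SYSTEM_SEC)

/* Returns true when the intent-gated privileges alone cover `requested`, so the
 * DACL need not be consulted. A privilege is examined only if the matching intent
 * flag is present: a token holding SeBackupPrivilege but opening without
 * BACKUP_INTENT falls through to ordinary DACL evaluation. */
bool intent_gated_privilege_grants(priv_set_t held, unsigned intent, unsigned requested)
{
    unsigned granted = 0;
    if ((intent & BACKUP_INTENT) && (held & PRIV_BACKUP))
        granted |= BACKUP_GRANTS;
    if ((intent & RESTORE_INTENT) && (held & PRIV_RESTORE))
        granted |= RESTORE_GRANTS;
    /* Every requested right must be covered; an empty request grants nothing. */
    return requested != 0 && (requested & ~granted) == 0;
}
```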
§6.2.3 System operations
| Privilege | Description | Enforcement |
|---|---|---|
| SeTcbPrivilege | Act as part of the trusted computing base. Catch-all for system operations that do not map to a more specific privilege. Only TCB services need this. | Kernel standalone |
| SeShutdownPrivilege | Shut down or reboot the local system. | Kernel standalone |
| SeRemoteShutdownPrivilege | Shut down the system from a remote connection. When a shutdown request comes from a remote logon type, both SeShutdownPrivilege and SeRemoteShutdownPrivilege are required. | Kernel standalone |
| SeLoadDriverPrivilege | Load or unload kernel modules. MUST be stripped from all non-peinit tokens via FilterToken. | Kernel standalone |
| SeDebugPrivilege | Attach to and inspect any process regardless of its SD. Does not bypass PIP. | Kernel standalone |
| SeSystemtimePrivilege | Change the system clock. | Kernel standalone |
| SeIncreaseBasePriorityPrivilege | Raise process scheduling priority and set CPU affinity for other processes. | Kernel standalone |
| SeIncreaseQuotaPrivilege | Override resource limits (ulimits) for a process. | Kernel standalone |
| SeLockMemoryPrivilege | Lock pages in physical memory (mlock/mlockall). | Kernel standalone |
| SeAuditPrivilege | Write events to the audit log. | Kernel standalone |
| SeProfileSingleProcessPrivilege | Use performance monitoring tools (perf_event_open). | Kernel standalone |
| SeCreateJobPrivilege | Submit supervised jobs via JFS. Custom Peios privilege. | Kernel standalone |
§6.2.4 Network
| Privilege | Description | Enforcement |
|---|---|---|
| SeBindPrivilegedPortPrivilege | Bind to TCP/UDP ports below 1024. Custom Peios privilege -- retains the Linux convention as defense-in-depth. | Kernel standalone |
§6.2.5 Directory and domain operations
| Privilege | Description | Enforcement |
|---|---|---|
| SeSyncAgentPrivilege | Read all objects in the directory regardless of per-object permissions. For AD replication agents. | Application-level |
| SeEnableDelegationPrivilege | Mark a principal account as trusted for delegation in the directory. | Application-level |
| SeMachineAccountPrivilege | Add computer accounts to the domain. | Application-level |
§6.2.6 Reserved
The following privileges are allocated for format compatibility. The positions exist so that tokens from Active Directory environments can carry these privileges without information loss. They have no enforcement point in v0.20.
| Privilege | Reservation rationale |
|---|---|
| SeCreateGlobalPrivilege | Peios has no per-session object namespaces. |
| SeCreatePagefilePrivilege | Absorbed into SeTcbPrivilege. |
| SeCreatePermanentPrivilege | No Linux equivalent. |
| SeIncreaseWorkingSetPrivilege | Linux does not gate memory residency hints. |
| SeManageVolumePrivilege | Absorbed into SeTcbPrivilege. |
| SeTrustedCredManAccessPrivilege | Reserved for future secrets infrastructure. |
| SeSystemEnvironmentPrivilege | Gated by SDs on efivar files under FACS. |
| SeSystemProfilePrivilege | Absorbed into SeProfileSingleProcessPrivilege. |
| SeTimeZonePrivilege | Linux does not gate timezone changes. |
| SeUndockPrivilege | Peios is a server operating system; undocking does not apply. |
§6.2.7 Custom privilege allocation
Custom Peios privileges are allocated from the high end of the privilege space, while format-compatible privileges occupy their standard positions. This avoids collision if new privileges are defined in future AD releases.
ⓘ Informative
An implementation MAY encode this as high bit positions growing downward in a bitmask while standard positions grow upward from the low end.
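One way to realise the informative note above, and the FilterToken requirement from §6.2.3 that SeLoadDriverPrivilege is stripped from every non-peinit token, in a single 64-bit mask. This is an added example, not Peios's implementation: the standard positions are assumed to be the Windows privilege LUID values, the custom positions and the `filter_token` and `positions_collide` helpers are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t priv_mask_t;
#define PRIV_BITS 64

/* Format-compatible privileges keep their standard positions, growing upward
 * from the low end. Assumption: the standard positions are the Windows LUIDs. */
enum {
    PRIV_CREATE_TOKEN = 2,
    PRIV_TCB          = 7,
    PRIV_LOAD_DRIVER  = 10,
    PRIV_BACKUP       = 17,
    PRIV_RESTORE      = 18,
};

/* Custom Peios privileges are allocated from the high end, growing downward.
 * Custom slot n sits at bit 63 - n, so future standard positions added from
 * the low end cannot collide until the two ranges meet. */
#define CUSTOM_PRIV(n) (PRIV_BITS - 1 - (n))
enum {
    PRIV_CREATE_JOB           = CUSTOM_PRIV(0),  /* bit 63, constructed */
    PRIV_BIND_PRIVILEGED_PORT = CUSTOM_PRIV(1),  /* bit 62, constructed */
};

static inline priv_mask_t priv_bit(unsigned pos) { return (priv_mask_t)1 << pos; }
static inline bool priv_has(priv_mask_t m, unsigned pos) { return (m & priv_bit(pos)) != 0; }

/* True if the highest standard position in use has reached the lowest custom
 * slot, i.e. the two ranges have met and a new privilege would collide. */
bool positions_collide(unsigned highest_standard, unsigned custom_count)
{
    if (custom_count == 0)
        return false;
    return highest_standard >= CUSTOM_PRIV(custom_count - 1);
}

/* FilterToken step for SeLoadDriverPrivilege: the catalog says it MUST be
 * stripped from all non-peinit tokens. Other privileges pass through unchanged. */
priv_mask_t filter_token(priv_mask_t privs, bool is_peinit)
{
    if (!is_peinit)
        privs &= ~priv_bit(PRIV_LOAD_DRIVER);
    return privs;
}
```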