linux内核capable源代码分析【转】
转自:https://blog.csdn.net/sanwenyublog/article/details/50856849
capable函数定义在kernel/capability.c,作用是检验当前进程有没有相应的权限,定义如下
- int capable(int cap)
- {
- return __capable(current, cap);
- }
继续看__capable函数,这个函数也定义在kernel/capability.c,定义如下
- int __capable(struct task_struct *t, int cap)
- {
- /*首先执行security_capable函数检查,如果成功就给进程的flags置位,标志获得超级权限,PF_SUPERPRIV定义如下
- #define PF_SUPERPRIV 0x00000100 /* used super-user privileges */就是超级用户的意思
- */
- if (security_capable(t, cap) == 0) {
- t->flags |= PF_SUPERPRIV;
- return 1;
- }
- return 0;
- }
我们继续看security_capable函数,定义在linux/security.h
- static inline int security_capable(struct task_struct *tsk, int cap)
- {
- return cap_capable(tsk, cap);
- }
继续看cap_capable函数,定义在security/commonncap.c
- int cap_capable (struct task_struct *tsk, int cap)
- {
- /* 权限检查的主要工作函数 */
- if (cap_raised(tsk->cap_effective, cap))
- return 0;
- return -EPERM;
- }
我们继续看cap_raised,这是一个宏,定义如下
#define CAP_TO_MASK(x) (1 << (x))
#define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag))
#define cap_lower(c, flag) (cap_t(c) &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
所以可以看出cap_capable函数就是查看task_struct的cap_effective变量,然后与(1<<cap)执行按位与操作。
cap_effective变量就是进程结构体里的一个32位的int变量,每一个位代表一个权限,定义如下
- /**
- ** POSIX-标准定义的权限能力
- **/
- #define CAP_CHOWN 0
- /* Override all DAC access, including ACL execute access if
- [_POSIX_ACL] is defined. Excluding DAC access covered by
- CAP_LINUX_IMMUTABLE. */
- #define CAP_DAC_OVERRIDE 1
- /* Overrides all DAC restrictions regarding read and search on files
- and directories, including ACL restrictions if [_POSIX_ACL] is
- defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
- #define CAP_DAC_READ_SEARCH 2
- /* Overrides all restrictions about allowed operations on files, where
- file owner ID must be equal to the user ID, except where CAP_FSETID
- is applicable. It doesn't override MAC and DAC restrictions. */
- #define CAP_FOWNER 3
- /* Overrides the following restrictions that the effective user ID
- shall match the file owner ID when setting the S_ISUID and S_ISGID
- bits on that file; that the effective group ID (or one of the
- supplementary group IDs) shall match the file owner ID when setting
- the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
- cleared on successful return from chown(2) (not implemented). */
- #define CAP_FSETID 4
- /* Used to decide between falling back on the old suser() or fsuser(). */
- #define CAP_FS_MASK 0x1f
- /* Overrides the restriction that the real or effective user ID of a
- process sending a signal must match the real or effective user ID
- of the process receiving the signal. */
- #define CAP_KILL 5
- /* Allows setgid(2) manipulation */
- /* Allows setgroups(2) */
- /* Allows forged gids on socket credentials passing. */
- #define CAP_SETGID 6
- /* Allows set*uid(2) manipulation (including fsuid). */
- /* Allows forged pids on socket credentials passing. */
- #define CAP_SETUID 7
- /**
- ** Linux-specific capabilities
- **/
- /* Transfer any capability in your permitted set to any pid,
- remove any capability in your permitted set from any pid */
- #define CAP_SETPCAP 8
- /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
- #define CAP_LINUX_IMMUTABLE 9
- /* Allows binding to TCP/UDP sockets below 1024 */
- /* Allows binding to ATM VCIs below 32 */
- #define CAP_NET_BIND_SERVICE 10
- /* Allow broadcasting, listen to multicast */
- #define CAP_NET_BROADCAST 11
- /* Allow interface configuration */
- /* Allow administration of IP firewall, masquerading and accounting */
- /* Allow setting debug option on sockets */
- /* Allow modification of routing tables */
- /* Allow setting arbitrary process / process group ownership on
- sockets */
- /* Allow binding to any address for transparent proxying */
- /* Allow setting TOS (type of service) */
- /* Allow setting promiscuous mode */
- /* Allow clearing driver statistics */
- /* Allow multicasting */
- /* Allow read/write of device-specific registers */
- /* Allow activation of ATM control sockets */
- #define CAP_NET_ADMIN 12
- /* Allow use of RAW sockets */
- /* Allow use of PACKET sockets */
- #define CAP_NET_RAW 13
- /* Allow locking of shared memory segments */
- /* Allow mlock and mlockall (which doesn't really have anything to do
- with IPC) */
- #define CAP_IPC_LOCK 14
- /* Override IPC ownership checks */
- #define CAP_IPC_OWNER 15
- /* Insert and remove kernel modules - modify kernel without limit */
- /* Modify cap_bset */
- #define CAP_SYS_MODULE 16
- /* Allow ioperm/iopl access */
- /* Allow sending USB messages to any device via /proc/bus/usb */
- #define CAP_SYS_RAWIO 17
- /* Allow use of chroot() */
- #define CAP_SYS_CHROOT 18
- /* Allow ptrace() of any process */
- #define CAP_SYS_PTRACE 19
- /* Allow configuration of process accounting */
- #define CAP_SYS_PACCT 20
- /* Allow configuration of the secure attention key */
- /* Allow administration of the random device */
- /* Allow examination and configuration of disk quotas */
- /* Allow configuring the kernel's syslog (printk behaviour) */
- /* Allow setting the domainname */
- /* Allow setting the hostname */
- /* Allow calling bdflush() */
- /* Allow mount() and umount(), setting up new smb connection */
- /* Allow some autofs root ioctls */
- /* Allow nfsservctl */
- /* Allow VM86_REQUEST_IRQ */
- /* Allow to read/write pci config on alpha */
- /* Allow irix_prctl on mips (setstacksize) */
- /* Allow flushing all cache on m68k (sys_cacheflush) */
- /* Allow removing semaphores */
- /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- and shared memory */
- /* Allow locking/unlocking of shared memory segment */
- /* Allow turning swap on/off */
- /* Allow forged pids on socket credentials passing */
- /* Allow setting readahead and flushing buffers on block devices */
- /* Allow setting geometry in floppy driver */
- /* Allow turning DMA on/off in xd driver */
- /* Allow administration of md devices (mostly the above, but some
- extra ioctls) */
- /* Allow tuning the ide driver */
- /* Allow access to the nvram device */
- /* Allow administration of apm_bios, serial and bttv (TV) device */
- /* Allow manufacturer commands in isdn CAPI support driver */
- /* Allow reading non-standardized portions of pci configuration space */
- /* Allow DDI debug ioctl on sbpcd driver */
- /* Allow setting up serial ports */
- /* Allow sending raw qic-117 commands */
- /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
- arbitrary SCSI commands */
- /* Allow setting encryption key on loopback filesystem */
- /* Allow setting zone reclaim policy */
- #define CAP_SYS_ADMIN 21
- /* Allow use of reboot() */
- #define CAP_SYS_BOOT 22
- /* Allow raising priority and setting priority on other (different
- UID) processes */
- /* Allow use of FIFO and round-robin (realtime) scheduling on own
- processes and setting the scheduling algorithm used by another
- process. */
- /* Allow setting cpu affinity on other processes */
- #define CAP_SYS_NICE 23
- /* Override resource limits. Set resource limits. */
- /* Override quota limits. */
- /* Override reserved space on ext2 filesystem */
- /* Modify data journaling mode on ext3 filesystem (uses journaling
- resources) */
- /* NOTE: ext2 honors fsuid when checking for resource overrides, so
- you can override using fsuid too */
- /* Override size restrictions on IPC message queues */
- /* Allow more than 64hz interrupts from the real-time clock */
- /* Override max number of consoles on console allocation */
- /* Override max number of keymaps */
- #define CAP_SYS_RESOURCE 24
- /* Allow manipulation of system clock */
- /* Allow irix_stime on mips */
- /* Allow setting the real-time clock */
- #define CAP_SYS_TIME 25
- /* Allow configuration of tty devices */
- /* Allow vhangup() of tty */
- #define CAP_SYS_TTY_CONFIG 26
- /* Allow the privileged aspects of mknod() */
- #define CAP_MKNOD 27
- /* Allow taking of leases on files */
- #define CAP_LEASE 28
- #define CAP_AUDIT_WRITE 29
- #define CAP_AUDIT_CONTROL 30
检验权限的时候,就检查进程结构体task_struct对应的位是不是1就ok了。
linux内核capable源代码分析【转】的更多相关文章
- 20169212《Linux内核原理与分析》第二周作业
<Linux内核原理与分析>第二周作业 这一周学习了MOOCLinux内核分析的第一讲,计算机是如何工作的?由于本科对相关知识的不熟悉,所以感觉有的知识理解起来了有一定的难度,不过多查查资 ...
- 2018-2019-1 20189221《Linux内核原理与分析》第四周作业
2018-2019-1 20189221<Linux内核原理与分析>第四周作业 教材学习:<庖丁解牛Linux内核分析> 第 3 章 MenuOS的构造 计算机三大法宝:存储程 ...
- Linux内核源码分析方法_转
Linux内核源码分析方法 转自:http://www.cnblogs.com/fanzhidongyzby/archive/2013/03/20/2970624.html 一.内核源码之我见 Lin ...
- 2019-2020-1 20199308《Linux内核原理与分析》第三周作业
<Linux内核分析> 第二章 操作系统是如何工作的 2.1 函数调用堆栈 3个关键性的方法机制(3个法宝) 存储程序计算机 函数调用堆栈机制 中断 堆栈相关的寄存器 ESP:堆栈指针(s ...
- 2019-2020-1 20199310《Linux内核原理与分析》第三周作业
1.问题描述 计算机的3大法宝是存储程序计算机,函数调用堆栈和中断机制,存储程序计算机已经在上一个博客中进行具体描述,本文将在剩下两方面出发对操作系统是如何工作的进行学习和探讨. 2.解决过程 2.1 ...
- 2019-2020-1 20199329《Linux内核原理与分析》第十一周作业
<Linux内核原理与分析>第十一周作业 一.本周内容概述: 学习linux安全防护方面的知识 完成实验楼上的<ShellShock 攻击实验> 二.本周学习内容: 1.学习& ...
- 2019-2020-1 20199329《Linux内核原理与分析》第九周作业
<Linux内核原理与分析>第九周作业 一.本周内容概述: 阐释linux操作系统的整体构架 理解linux系统的一般执行过程和进程调度的时机 理解linux系统的中断和进程上下文切换 二 ...
- 2019-2020-1 20199329《Linux内核原理与分析》第四周作业
<Linux内核原理与分析>第四周作业 一.上周问题总结: 虚拟机环境缺少部分库文件 书本知识使用不够熟练 二.本周学习内容: 1.实验楼环境使用gdb跟踪调试内核 1.1 在该环境下输入 ...
- 20169212《Linux内核原理与分析》课程总结
20169212<Linux内核原理与分析>课程总结 每周作业链接汇总 第一周作业:完成linux基础入门实验,了解一些基础的命令操作. 第二周作业:学习MOOC课程--计算机是如何工作的 ...
随机推荐
- 【翻译】go memory model
https://studygolang.com/articles/819 原文链接 Introduction The Go memory model specifies the conditions ...
- ReactNative系列组件用法(一)
首先我们来认识view 改变一些特性,再来看看项目的变化 我们新增flex布局的一些属性,再来看看项目的变化 接下来我们来看看如果获取屏幕的分辨率 关于图片的用法,reactNative这里也是很神奇 ...
- (stripTrailingZeros)A == B hdu2054
A == B ? Time Limit: 1000/1000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Others) Total S ...
- memcache、redis原理对比
一.问题: 数据库表数据量极大(千万条),要求让服务器更加快速地响应用户的需求. 二.解决方案: 1.通过高速服务器Cache缓存数据库数据 2.内存数据库 ( ...
- Nvivo
sklearn实战-乳腺癌细胞数据挖掘(博客主亲自录制视频教程) https://study.163.com/course/introduction.htm?courseId=1005269003&a ...
- pandas使用
一.pd.cut()与pd.qcut()的区别 假设有一组人员数据,而你希望将它们划分为不同的年龄组 ages = [18,20,22,25,27,21,23,37,31,61,45,32] bins ...
- my phone blackberry classic / passport / priv / keyone
smy blackberry classic PIN: 2BF66A72 / 查看手机位置https://protect.blackberry.com/protect/mydevice#BlackBe ...
- 网络编程基础【day09】:解决socket粘包之大数据(七)
本节内容 概述 linux下运行效果 sleep解决粘包 服务端插入交互解决粘包问题 一.概述 刚刚我们在window的操作系统上,很完美的解决了,大数据量的数据传输出现的问题,但是在Linux环境下 ...
- ACPI:Memory错误解决办法
Linux系统装在vmware12中,打开虚拟机时报错,报错内容大概如下: ACPI:memory_hp:Memory online failed for 0x100000000 - 0x400000 ...
- 6、Python-元组
定义 # Python的元组与列表类似,不同之处在于元组的元素不能修改.元组使用小括号,列表使用方括号. aTuple = ('et',77,99.9) print(aTuple) 元组的操作 aTu ...