linux内核capable源代码分析【转】
转自:https://blog.csdn.net/sanwenyublog/article/details/50856849
capable函数定义在kernel/capability.c,作用是检验当前进程有没有相应的权限,定义如下
- int capable(int cap)
- {
- return __capable(current, cap);
- }
继续看__capable函数,这个函数也定义在kernel/capability.c,定义如下
- int __capable(struct task_struct *t, int cap)
- {
- /*首先执行security_capable函数检查,如果成功就给进程的flags置位,标志获得超级权限,PF_SUPERPRIV定义如下
- #define PF_SUPERPRIV 0x00000100 /* used super-user privileges */就是超级用户的意思
- */
- if (security_capable(t, cap) == 0) {
- t->flags |= PF_SUPERPRIV;
- return 1;
- }
- return 0;
- }
我们继续看security_capable函数,定义在linux/security.h
- static inline int security_capable(struct task_struct *tsk, int cap)
- {
- return cap_capable(tsk, cap);
- }
继续看cap_capable函数,定义在security/commonncap.c
- int cap_capable (struct task_struct *tsk, int cap)
- {
- /* 权限检查的主要工作函数 */
- if (cap_raised(tsk->cap_effective, cap))
- return 0;
- return -EPERM;
- }
我们继续看cap_raised,这是一个宏,定义如下
#define CAP_TO_MASK(x) (1 << (x))
#define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag))
#define cap_lower(c, flag) (cap_t(c) &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
所以可以看出cap_capable函数就是查看task_struct的cap_effective变量,然后与(1<<cap)执行按位与操作。
cap_effective变量就是进程结构体里的一个32位的int变量,每一个位代表一个权限,定义如下
- /**
- ** POSIX-标准定义的权限能力
- **/
- #define CAP_CHOWN 0
- /* Override all DAC access, including ACL execute access if
- [_POSIX_ACL] is defined. Excluding DAC access covered by
- CAP_LINUX_IMMUTABLE. */
- #define CAP_DAC_OVERRIDE 1
- /* Overrides all DAC restrictions regarding read and search on files
- and directories, including ACL restrictions if [_POSIX_ACL] is
- defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
- #define CAP_DAC_READ_SEARCH 2
- /* Overrides all restrictions about allowed operations on files, where
- file owner ID must be equal to the user ID, except where CAP_FSETID
- is applicable. It doesn't override MAC and DAC restrictions. */
- #define CAP_FOWNER 3
- /* Overrides the following restrictions that the effective user ID
- shall match the file owner ID when setting the S_ISUID and S_ISGID
- bits on that file; that the effective group ID (or one of the
- supplementary group IDs) shall match the file owner ID when setting
- the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
- cleared on successful return from chown(2) (not implemented). */
- #define CAP_FSETID 4
- /* Used to decide between falling back on the old suser() or fsuser(). */
- #define CAP_FS_MASK 0x1f
- /* Overrides the restriction that the real or effective user ID of a
- process sending a signal must match the real or effective user ID
- of the process receiving the signal. */
- #define CAP_KILL 5
- /* Allows setgid(2) manipulation */
- /* Allows setgroups(2) */
- /* Allows forged gids on socket credentials passing. */
- #define CAP_SETGID 6
- /* Allows set*uid(2) manipulation (including fsuid). */
- /* Allows forged pids on socket credentials passing. */
- #define CAP_SETUID 7
- /**
- ** Linux-specific capabilities
- **/
- /* Transfer any capability in your permitted set to any pid,
- remove any capability in your permitted set from any pid */
- #define CAP_SETPCAP 8
- /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
- #define CAP_LINUX_IMMUTABLE 9
- /* Allows binding to TCP/UDP sockets below 1024 */
- /* Allows binding to ATM VCIs below 32 */
- #define CAP_NET_BIND_SERVICE 10
- /* Allow broadcasting, listen to multicast */
- #define CAP_NET_BROADCAST 11
- /* Allow interface configuration */
- /* Allow administration of IP firewall, masquerading and accounting */
- /* Allow setting debug option on sockets */
- /* Allow modification of routing tables */
- /* Allow setting arbitrary process / process group ownership on
- sockets */
- /* Allow binding to any address for transparent proxying */
- /* Allow setting TOS (type of service) */
- /* Allow setting promiscuous mode */
- /* Allow clearing driver statistics */
- /* Allow multicasting */
- /* Allow read/write of device-specific registers */
- /* Allow activation of ATM control sockets */
- #define CAP_NET_ADMIN 12
- /* Allow use of RAW sockets */
- /* Allow use of PACKET sockets */
- #define CAP_NET_RAW 13
- /* Allow locking of shared memory segments */
- /* Allow mlock and mlockall (which doesn't really have anything to do
- with IPC) */
- #define CAP_IPC_LOCK 14
- /* Override IPC ownership checks */
- #define CAP_IPC_OWNER 15
- /* Insert and remove kernel modules - modify kernel without limit */
- /* Modify cap_bset */
- #define CAP_SYS_MODULE 16
- /* Allow ioperm/iopl access */
- /* Allow sending USB messages to any device via /proc/bus/usb */
- #define CAP_SYS_RAWIO 17
- /* Allow use of chroot() */
- #define CAP_SYS_CHROOT 18
- /* Allow ptrace() of any process */
- #define CAP_SYS_PTRACE 19
- /* Allow configuration of process accounting */
- #define CAP_SYS_PACCT 20
- /* Allow configuration of the secure attention key */
- /* Allow administration of the random device */
- /* Allow examination and configuration of disk quotas */
- /* Allow configuring the kernel's syslog (printk behaviour) */
- /* Allow setting the domainname */
- /* Allow setting the hostname */
- /* Allow calling bdflush() */
- /* Allow mount() and umount(), setting up new smb connection */
- /* Allow some autofs root ioctls */
- /* Allow nfsservctl */
- /* Allow VM86_REQUEST_IRQ */
- /* Allow to read/write pci config on alpha */
- /* Allow irix_prctl on mips (setstacksize) */
- /* Allow flushing all cache on m68k (sys_cacheflush) */
- /* Allow removing semaphores */
- /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- and shared memory */
- /* Allow locking/unlocking of shared memory segment */
- /* Allow turning swap on/off */
- /* Allow forged pids on socket credentials passing */
- /* Allow setting readahead and flushing buffers on block devices */
- /* Allow setting geometry in floppy driver */
- /* Allow turning DMA on/off in xd driver */
- /* Allow administration of md devices (mostly the above, but some
- extra ioctls) */
- /* Allow tuning the ide driver */
- /* Allow access to the nvram device */
- /* Allow administration of apm_bios, serial and bttv (TV) device */
- /* Allow manufacturer commands in isdn CAPI support driver */
- /* Allow reading non-standardized portions of pci configuration space */
- /* Allow DDI debug ioctl on sbpcd driver */
- /* Allow setting up serial ports */
- /* Allow sending raw qic-117 commands */
- /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
- arbitrary SCSI commands */
- /* Allow setting encryption key on loopback filesystem */
- /* Allow setting zone reclaim policy */
- #define CAP_SYS_ADMIN 21
- /* Allow use of reboot() */
- #define CAP_SYS_BOOT 22
- /* Allow raising priority and setting priority on other (different
- UID) processes */
- /* Allow use of FIFO and round-robin (realtime) scheduling on own
- processes and setting the scheduling algorithm used by another
- process. */
- /* Allow setting cpu affinity on other processes */
- #define CAP_SYS_NICE 23
- /* Override resource limits. Set resource limits. */
- /* Override quota limits. */
- /* Override reserved space on ext2 filesystem */
- /* Modify data journaling mode on ext3 filesystem (uses journaling
- resources) */
- /* NOTE: ext2 honors fsuid when checking for resource overrides, so
- you can override using fsuid too */
- /* Override size restrictions on IPC message queues */
- /* Allow more than 64hz interrupts from the real-time clock */
- /* Override max number of consoles on console allocation */
- /* Override max number of keymaps */
- #define CAP_SYS_RESOURCE 24
- /* Allow manipulation of system clock */
- /* Allow irix_stime on mips */
- /* Allow setting the real-time clock */
- #define CAP_SYS_TIME 25
- /* Allow configuration of tty devices */
- /* Allow vhangup() of tty */
- #define CAP_SYS_TTY_CONFIG 26
- /* Allow the privileged aspects of mknod() */
- #define CAP_MKNOD 27
- /* Allow taking of leases on files */
- #define CAP_LEASE 28
- #define CAP_AUDIT_WRITE 29
- #define CAP_AUDIT_CONTROL 30
检验权限的时候,就检查进程结构体task_struct对应的位是不是1就ok了。
linux内核capable源代码分析【转】的更多相关文章
- 20169212《Linux内核原理与分析》第二周作业
<Linux内核原理与分析>第二周作业 这一周学习了MOOCLinux内核分析的第一讲,计算机是如何工作的?由于本科对相关知识的不熟悉,所以感觉有的知识理解起来了有一定的难度,不过多查查资 ...
- 2018-2019-1 20189221《Linux内核原理与分析》第四周作业
2018-2019-1 20189221<Linux内核原理与分析>第四周作业 教材学习:<庖丁解牛Linux内核分析> 第 3 章 MenuOS的构造 计算机三大法宝:存储程 ...
- Linux内核源码分析方法_转
Linux内核源码分析方法 转自:http://www.cnblogs.com/fanzhidongyzby/archive/2013/03/20/2970624.html 一.内核源码之我见 Lin ...
- 2019-2020-1 20199308《Linux内核原理与分析》第三周作业
<Linux内核分析> 第二章 操作系统是如何工作的 2.1 函数调用堆栈 3个关键性的方法机制(3个法宝) 存储程序计算机 函数调用堆栈机制 中断 堆栈相关的寄存器 ESP:堆栈指针(s ...
- 2019-2020-1 20199310《Linux内核原理与分析》第三周作业
1.问题描述 计算机的3大法宝是存储程序计算机,函数调用堆栈和中断机制,存储程序计算机已经在上一个博客中进行具体描述,本文将在剩下两方面出发对操作系统是如何工作的进行学习和探讨. 2.解决过程 2.1 ...
- 2019-2020-1 20199329《Linux内核原理与分析》第十一周作业
<Linux内核原理与分析>第十一周作业 一.本周内容概述: 学习linux安全防护方面的知识 完成实验楼上的<ShellShock 攻击实验> 二.本周学习内容: 1.学习& ...
- 2019-2020-1 20199329《Linux内核原理与分析》第九周作业
<Linux内核原理与分析>第九周作业 一.本周内容概述: 阐释linux操作系统的整体构架 理解linux系统的一般执行过程和进程调度的时机 理解linux系统的中断和进程上下文切换 二 ...
- 2019-2020-1 20199329《Linux内核原理与分析》第四周作业
<Linux内核原理与分析>第四周作业 一.上周问题总结: 虚拟机环境缺少部分库文件 书本知识使用不够熟练 二.本周学习内容: 1.实验楼环境使用gdb跟踪调试内核 1.1 在该环境下输入 ...
- 20169212《Linux内核原理与分析》课程总结
20169212<Linux内核原理与分析>课程总结 每周作业链接汇总 第一周作业:完成linux基础入门实验,了解一些基础的命令操作. 第二周作业:学习MOOC课程--计算机是如何工作的 ...
随机推荐
- Python基础之控制流
介绍一些Python的基本的东西,你会发现,Python真的很简单.我也尽可能说得简单一些,因为我理解的也很简单. 在到目前为止我们所见到的程序中,总是有一系列的语句,Python忠实地按照它们的顺序 ...
- # BZOJ5300 [CQOI2018]九连环 题解 | 高精度 FFT
今天做了传说中的CQOI六道板子题--有了一种自己很巨的错觉(雾 题面 求n连环的最少步数,n <= 1e5. 题解 首先--我不会玩九连环-- 通过找规律(其实是百度搜索)可知,\(n\)连环 ...
- 【loj3044】【zjoi2019】Minimax
题目 描述 给出一颗树,定义根节点1的深度为1,其他点深度为父亲深度+1: 如下定义一个点的点权: 1.叶子:为其编号:2.奇数深度:为其儿子编号最大值:3.偶数深度:为其儿子编号最小值: ...
- 【洛谷P1379】八数码难题 状压bfs
对于这道题来说,每个时刻的状态是整个棋盘所有棋子的位置,即:任何一个棋子位置发生了移动,都会使得状态转移. 因此,需要采取将整个状态作为广搜的搜索对象,进行状态压缩.采用哈希得到每个状态的对应的数值, ...
- javascript面向对象精要第四章构造函数和原型对象整理精要
- 支持向量机(SVM)的推导(线性SVM、软间隔SVM、Kernel Trick)
线性可分支持向量机 给定线性可分的训练数据集,通过间隔最大化或等价地求解相应的凸二次规划问题学习到的分离超平面为 \[w^{\ast }x+b^{\ast }=0\] 以及相应的决策函数 \[f\le ...
- QQ企业邮箱+Spring+Javamail+ActiveMQ(发送企业邮件)
原来有个教程是关于Javamail的,但是那个是自己写Javamail的发送过程,这次不同的是:使用Spring的Mail功能,使用了消息队列. 先看一下设想的场景 不过本文重点不是消息队列,而是使用 ...
- CalISBN.java
/****************************************************************************** * Compilation: javac ...
- Docker:搭建RabbitMQ集群
RabbitMQ原理介绍(一) RabbitMQ安装使用(二) RabbitMQ添加新用户并支持远程访问(三) RabbitMQ管理命令rabbitmqctl详解(四) RabbitMQ两种集群模式配 ...
- 搭建 zookeeper + dubbo-admin + dubbo-monitor 环境
一.单机安装 1.1.下载 下载地址:官网或其他镜像 https://zookeeper.apache.org/ http://archive.apache.org/dist/zookeeper/ 命 ...