今天看到一段关于capset()的代码,
struct __user_cap_header_struct header;
struct __user_cap_data_struct cap; header.version = _LINUX_CAPABILITY_VERSION;
header.pid = 0; cap.effective = cap.permitted = (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);
cap.inheritable = 0;
capset(&header, &cap);
找了下对capset()的描述,如下,
NAME
capget, capset - set/get capabilities
SYNOPSIS
#undef _POSIX_SOURCE #include <sys/capability.h> int capget(cap_user_header_t hdrp, cap_user_data_t datap); int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
DESCRIPTION
As of Linux 2.2, the power of the superuser (root) has been partitioned into a set of discrete capabilities. Every thread has a set of effective capabilities identifying which capabilities (if any) it may currently exercise. Every thread also has a set of inheritable capabilities that may be passed through an execve(2) call, and a set of permitted capabilities that it can make effective or inheritable. These two functions are the raw kernel interface for getting and setting capabilities. Not only are these system calls specific to Linux, but the kernel API is likely to change and use of these functions (in particular the format of the cap_user_*_t types) is subject to change with each kernel revision. The portable interfaces are cap_set_proc(3) and cap_get_proc(3); if possible you should use those interfaces in applications. If you wish to use the Linux extensions in applications, you should use the easier- to-use interfaces capsetp(3) and capgetp(3). Current details Now that you have been warned, some current kernel details. The structs are defined as follows. #define _LINUX_CAPABILITY_VERSION 0x19980330 typedef struct __user_cap_header_struct { int version; int pid; } *cap_user_header_t; typedef struct __user_cap_data_struct { int effective; int permitted; int inheritable; } *cap_user_data_t; The calls will return EINVAL, and set the version field of hdrp to _LINUX_CAPABILITY_VERSION when another version was specified. The calls operate on the capabilities of the thread specified by the pid field of hdrp when that is non-zero, or on the capabilities of the calling thread if pid is 0. If pid refers to a single-threaded process, then pid can be specified as a traditional process ID; operating on a thread of a multithreaded process requires a thread ID of the type returned by gettid(2). For capset(), pid can also be: -1, meaning perform the change on all threads except the caller and init(8); or a value less than -1, in which case the change is applied to all members of the process group whose ID is -pid. For details on the data, see capabilities(7).
RETURN VALUE
On success, zero is returned. On error, -1 is returned, and errno is
set appropriately.
ERRORS
EFAULT Bad memory address. Neither of hdrp and datap may be NULL. EINVAL One of the arguments was invalid. EPERM An attempt was made to add a capability to the Permitted set, or to set a capability in the Effective or Inheritable sets that is not in the Permitted set. EPERM The caller attempted to use capset() to modify the capabilities of a thread other than itself, but lacked sufficient privilege; the CAP_SETPCAP capability is required. (A bug in kernels before 2.6.11 meant that this error could also occur if a thread without this capability tried to change its own capabilities by specifying the pid field as a non-zero value (i.e., the value returned by getpid(2)) instead of 0.) ESRCH No such thread.
CONFORMING TO
These system calls are Linux-specific.
NOTES
The portable interface to the capability querying and setting functions is provided by the libcap library and is available here: ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
SEE ALSO
clone(2), gettid(2), capabilities(7)
那么来再看看上面碰到的linux的capabilities的这些属性:
CAP_NET_ADMIN Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables). CAP_NET_BIND_SERVICE Allow binding to Internet domain reserved socket ports (port numbers less than 1024). CAP_NET_BROADCAST (Unused) Allow socket broadcasting, and listening multicasts. CAP_NET_RAW Permit use of RAW and PACKET sockets.
可以man capabilities 查看关于capabilities有一些更多的属性,下面列出其中几个
CAP_SETPCAP Grant or remove any capability in the caller’s permitted capability set to or from any other process. CAP_SETUID Allow arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)); allow forged UID when passing socket credentials via Unix domain sockets. CAP_SYS_ADMIN Permit a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), setdomainname(2), IPC_SET and IPC_RMID operations on arbitrary System V IPC objects; perform operations on trusted and security Extended Attributes (see attr(5)); call lookup_dcookie(2); use ioprio_set(2) to assign IOPRIO_CLASS_RT and IOPRIO_CLASS_IDLE I/O scheduling classes; perform keyctl(2) KEYCTL_CHOWN and KEYCTL_SETPERM operations. allow forged UID when passing socket credentials; exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2); without this capability these system calls will fail with the error ENFILE if this limit is encountered); employ CLONE_NEWNS flag with clone(2) and unshare(2); perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations. CAP_SYS_BOOT Permit calls to reboot(2) and kexec_load(2). CAP_SYS_CHROOT Permit calls to chroot(2). CAP_SYS_MODULE Allow loading and unloading of kernel modules; allow modifications to capability bounding set (see init_module(2) and delete_module(2)). CAP_SYS_NICE Allow raising process nice value (nice(2), setpriority(2)) and changing of the nice value for arbitrary processes; allow setting of real-time scheduling policies for calling process, and setting scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2)); set CPU affinity for arbitrary processes (sched_setaffinity(2)); set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)); allow migrate_pages(2) to be applied to arbitrary processes and allow processes to be migrated to arbitrary nodes; allow move_pages(2) to be applied to arbitrary processes; use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).