linux能力集机制,Linux能力(capability)机制的继承

xlzh@cmos:~/code/capability$ gcc child.c -o child

xlzh@cmos:~/code/capability$ gcc father.c -o father -lcap

xlzh@cmos:~/code/capability$ sudo setcap cap_dac_override,cap_sys_time+ei child

xlzh@cmos:~/code/capability$ sudo setcap cap_dac_override,cap_sys_time+ip father

/* 单独执行，child文件有E(effective)I(inheritable)的能力，执行child的终端没有任何能力, 套用公式(cap_bset默认全1)

* P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)  // P'(permitted) = (0x0 & 0x2000002) | (0x0 & 全1)，结果为0

* P'(effective) = F(effective) ? P'(permitted) : 0                               // P'(effective) = 1 ? P'(permitted) : 0， 结果为P'(permitted)，即0

* P'(inheritable) = P(inheritable)                                               // P'(inheritable) = 0

* 执行结果如下所示

*/

xlzh@cmos:~/code/capability$ ./child

child Cap data permitted: 0x0, effective: 0x0, inheritable 0x0

/* 单独执行，child文件有E(effective)I(inheritable)的能力，执行child的father文件有E(inheritable)和P(permitted)能力, 套用公式

* P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)  // P'(permitted) = (0x2000002 & 0x2000002) | (0x2000002 & 全1)，结果为0

* P'(effective) = F(effective) ? P'(permitted) : 0                               // P'(effective) = 1 ? P'(permitted) : 0, 结果为P'(permitted)，即0x2000002

* P'(inheritable) = P(inheritable)                                               // P'(inheritable) = 0x2000002

* 执行结果如下所示

*/

xlzh@cmos:~/code/capability$ ./father

father Cap data permitted: 0x2000002, effective: 0x0, inheritable: 0x2000002

child Cap data permitted: 0x2000002, effective: 0x2000002, inheritable 0x2000002