????1??Linux???????????
????????????UNIX????????????????????飬??????????????????(??Ч???ID??0)??????????(??Ч???ID???0)?????????????????????е?????飬????????????????????????????(??ЧID????Ч?鼰?????????)???С?
??????linux???2.2?????Linux???????????????????????????????????????????????(capability)????????????????????????????????root??????????????顣
???????????????????????????????????????y???????????????????????????????y?????????????иò??????????????統(tǒng)???????????????????y?????????????????(CAP_SYS_TIME)????????????????????ID????0??
???????Linux???й???37???????????/usr/include/linux/capability.h????в?
????2??Linux????????????
????????????????????????????????????????:
????1?????????????????????linux????????y???ò????????λ???????
????2??Linux?????????????????????????????????????
????3??????????????????????????????????????????????????????????????????????????С?
??????linux???汾2.6.24??????????????1??2??????????linux???2.6.24?????????3???????????????????
?????????????????????????????????£?
????Permitted: ????effective capabilities??Inheritable capability???????????????????Permitted?????ж???????????????????β?????λ????????(????????????θ?????)
????Inheritable: ????????y?????????execve??и?????????????
????Effecitive: Linux???????????????????
??????2.6.24?????Linux????????????????????????????????????????????????????£?
????Permitted:?????????????????????????????????У?????Inhertiable capability??
????Inheritable:????????Inheritable????????????????????execve????????Permitted?????
????Effective: ?????Effective?????????????????????????λ????????????????Effective?????
???????????????????Linux???е?????????????????????????????????????????????????Linux??????????????????е?Effective?????????????????????е???????????????????????С???????????????
????3??Linux???????????
??????linux????capabilities??man????????м?й?????????
????P'(permitted) = (P(inheritable) & F(inheritable)) |
????(F(permitted) & cap_bset)              //??????permitted???????????????inheritable???????????permitted??cap_bset??????.
????P'(effective) = F(effective) ? P'(permitted) : 0            //??????effective??????????????effectiveλ??????????????permitted????????????
????P'(inheritable) = P(inheritable)    [i.e., unchanged]       //??????inheritable???????????Inheritable
???????:
????P   ?????execve????????????????
????P'  ?????execve???????????????
????F   ??????????????
????cap_bset ??????????????????????1
?????в??????????:
father.c
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/capability.h>
#include <errno.h>
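/*
 * Print the calling process's capability sets (permitted, effective,
 * inheritable) as reported by the kernel through capget(2).
 *
 * Exits the process with a failure status if capget() fails.
 *
 * NOTE: _LINUX_CAPABILITY_VERSION_1 is the legacy 32-bit ABI, so only
 * capabilities 0..31 are reported; the full set needs
 * _LINUX_CAPABILITY_VERSION_3 and a two-element data array.
 */
void list_capability(void)
{
    struct __user_cap_header_struct cap_header_data = {0};
    cap_user_header_t cap_header = &cap_header_data;
    struct __user_cap_data_struct cap_data_data = {0};
    cap_user_data_t cap_data = &cap_data_data;

    cap_header->pid = getpid();
    cap_header->version = _LINUX_CAPABILITY_VERSION_1;

    if (capget(cap_header, cap_data) < 0) {
        perror("Failed capget");
        exit(EXIT_FAILURE);
    }

    /* The original format string had garbled separators and no newline;
     * the newline matters because the caller exec()s right afterwards and
     * a line-buffered stdout would otherwise drop this output. */
    printf("Cap data permitted: 0x%x,  effective: 0x%x,  inheritable:0x%x\n",
           cap_data->permitted, cap_data->effective, cap_data->inheritable);
}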
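/*
 * Demo parent: raise CAP_DAC_OVERRIDE and CAP_SYS_TIME in this process's
 * permitted and inheritable sets (the effective set is deliberately left
 * untouched), print the resulting sets, then exec the child so it can
 * print what survived the execve() transition.
 *
 * Usage: father [path-to-child]
 * With no argument the original hard-coded child path is used.
 *
 * Raising capability bits with cap_set_proc() generally requires the
 * process to already hold them in its permitted set (e.g. run as root);
 * otherwise the call fails with EPERM and the sets stay unchanged.
 */
int main(int argc, char **argv)
{
    const char *child_path = (argc > 1) ? argv[1]
                                        : "/home/xlzh/code/capability/child";
    cap_value_t cap_list[] = { CAP_DAC_OVERRIDE, CAP_SYS_TIME };
    int num_caps = (int)(sizeof cap_list / sizeof cap_list[0]);

    cap_t caps = cap_init();
    if (caps == NULL) {
        perror("cap_init");
        return EXIT_FAILURE;
    }

    /* CAP_EFFECTIVE is intentionally not set (see the commented-out line in
     * the original): the demo is about how inheritable/permitted combine
     * with the child's file capabilities on exec, not about the parent's
     * own effective set. */
    if (cap_set_flag(caps, CAP_INHERITABLE, num_caps, cap_list, CAP_SET) != 0 ||
        cap_set_flag(caps, CAP_PERMITTED, num_caps, cap_list, CAP_SET) != 0) {
        perror("cap_set_flag");
        cap_free(caps);
        return EXIT_FAILURE;
    }

    if (cap_set_proc(caps) != 0) {
        /* Best-effort, as in the original: still print what we have. */
        perror("cap_set_proc");
    }
    /* The sets are applied to the process; the handle itself is no longer needed. */
    cap_free(caps);

    list_capability();

    /* stdio buffers do not survive a successful execve(); flush so the
     * line printed above is not lost. */
    fflush(stdout);

    /* argv[0] is passed explicitly; the original passed NULL as argv[0]. */
    execl(child_path, child_path, (char *)NULL);

    /* Only reached if the exec failed; report it, then keep the process
     * around (as the original did) so its state can still be inspected. */
    perror("execl");
    sleep(1000);
    return EXIT_FAILURE;
}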
child.c
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
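/*
 * Print the child's capability sets (permitted, effective, inheritable)
 * as reported by the kernel through the capget system call.
 *
 * Exits the process with a failure status if the call fails.
 *
 * <linux/capability.h> provides the header/data struct types but does not
 * declare a capget() function (that wrapper comes from libcap, which this
 * file does not include), so the system call is issued directly through
 * syscall(2) and the file needs no libcap at compile or link time.
 *
 * NOTE: _LINUX_CAPABILITY_VERSION_1 is the legacy 32-bit ABI, so only
 * capabilities 0..31 are reported; the full set needs
 * _LINUX_CAPABILITY_VERSION_3 and a two-element data array.
 */
void list_capability(void)
{
    struct __user_cap_header_struct cap_header_data = {0};
    cap_user_header_t cap_header = &cap_header_data;
    struct __user_cap_data_struct cap_data_data = {0};
    cap_user_data_t cap_data = &cap_data_data;

    cap_header->pid = getpid();
    cap_header->version = _LINUX_CAPABILITY_VERSION_1;

    if (syscall(SYS_capget, cap_header, cap_data) < 0) {
        perror("Failed capget");
        exit(EXIT_FAILURE);
    }

    /* The original format string had garbled separators and no trailing
     * newline, so the line was not flushed until the process ended. */
    printf("child Cap data permitted: 0x%x, effective: 0x%x, inheritable:0x%x\n",
           cap_data->permitted, cap_data->effective, cap_data->inheritable);
}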
/*
 * Demo child: print the capability sets this process ended up with after
 * being exec()ed by the parent, then stay alive for a long while
 * (presumably so the process can be inspected from outside, e.g. via
 * /proc — TODO confirm intent).
 */
int main(void)
{
    list_capability();
    sleep(1000);
    return 0;
}