linux内核capable源代码分析

Posted 2020-12-29 sky

转自：https://blog.csdn.net/sanwenyublog/article/details/50856849

linux内核里对于进程的权限管理有一个很重要的函数capable，以前看了好多遍，今天下决心搞定他，也在此立下一个碑，以后有谁想搞明白他的话，我还可以提供一些帮助。
capable函数定义在kernel/capability.c，作用是检验当前进程有没有相应的权限，定义如下

1. int capable(int cap)
2. {
3. return __capable(current, cap);
4. }

继续看__capable函数，这个函数也定义在kernel/capability.c，定义如下

1. int __capable(struct task_struct *t, int cap)
2. {
3. /*首先执行security_capable函数检查，如果成功就给进程的flags置位，标志获得超级权限，PF_SUPERPRIV定义如下
4. #define PF_SUPERPRIV 0x00000100 /* used super-user privileges */就是超级用户的意思
5. */
6. if (security_capable(t, cap) == 0) {
7. t->flags |= PF_SUPERPRIV;
8. return 1;
9. }
10. return 0;
11. }

我们继续看security_capable函数，定义在linux/security.h

1. static inline int security_capable(struct task_struct *tsk, int cap)
2. {
3. return cap_capable(tsk, cap);
4. }

继续看cap_capable函数，定义在security/commonncap.c

1. int cap_capable (struct task_struct *tsk, int cap)
2. {
3. /* 权限检查的主要工作函数 */
4. if (cap_raised(tsk->cap_effective, cap))
5. return 0;
6. return -EPERM;
7. }

我们继续看cap_raised，这是一个宏，定义如下
#define CAP_TO_MASK(x) (1 << (x))
#define cap_raise(c, flag)   (cap_t(c) |=  CAP_TO_MASK(flag))
#define cap_lower(c, flag)   (cap_t(c) &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag)  (cap_t(c) & CAP_TO_MASK(flag))
所以可以看出cap_capable函数就是查看task_struct的cap_effective变量，然后与(1<<cap)执行按位与操作。
cap_effective变量就是进程结构体里的一个32位的int变量，每一个位代表一个权限，定义如下

1.  
2.  
3. /**
4. ** POSIX-标准定义的权限能力
5. **/
6.  
7.  
8. #define CAP_CHOWN 0
9.  
10.  
11. /* Override all DAC access, including ACL execute access if
12. [_POSIX_ACL] is defined. Excluding DAC access covered by
13. CAP_LINUX_IMMUTABLE. */
14.  
15.  
16. #define CAP_DAC_OVERRIDE 1
17.  
18.  
19. /* Overrides all DAC restrictions regarding read and search on files
20. and directories, including ACL restrictions if [_POSIX_ACL] is
21. defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
22.  
23.  
24. #define CAP_DAC_READ_SEARCH 2
25.  
26. /* Overrides all restrictions about allowed operations on files, where
27. file owner ID must be equal to the user ID, except where CAP_FSETID
28. is applicable. It doesn‘t override MAC and DAC restrictions. */
29.  
30.  
31. #define CAP_FOWNER 3
32.  
33.  
34. /* Overrides the following restrictions that the effective user ID
35. shall match the file owner ID when setting the S_ISUID and S_ISGID
36. bits on that file; that the effective group ID (or one of the
37. supplementary group IDs) shall match the file owner ID when setting
38. the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
39. cleared on successful return from chown(2) (not implemented). */
40.  
41.  
42. #define CAP_FSETID 4
43.  
44.  
45. /* Used to decide between falling back on the old suser() or fsuser(). */
46.  
47.  
48. #define CAP_FS_MASK 0x1f
49.  
50.  
51. /* Overrides the restriction that the real or effective user ID of a
52. process sending a signal must match the real or effective user ID
53. of the process receiving the signal. */
54.  
55.  
56. #define CAP_KILL 5
57.  
58.  
59. /* Allows setgid(2) manipulation */
60. /* Allows setgroups(2) */
61. /* Allows forged gids on socket credentials passing. */
62.  
63.  
64. #define CAP_SETGID 6
65.  
66.  
67. /* Allows set*uid(2) manipulation (including fsuid). */
68. /* Allows forged pids on socket credentials passing. */
69.  
70.  
71. #define CAP_SETUID 7
72.  
73.  
74.  
75.  
76. /**
77. ** Linux-specific capabilities
78. **/
79.  
80.  
81. /* Transfer any capability in your permitted set to any pid,
82. remove any capability in your permitted set from any pid */
83.  
84.  
85. #define CAP_SETPCAP 8
86.  
87.  
88. /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
89.  
90.  
91. #define CAP_LINUX_IMMUTABLE 9
92.  
93.  
94. /* Allows binding to TCP/UDP sockets below 1024 */
95. /* Allows binding to ATM VCIs below 32 */
96.  
97.  
98. #define CAP_NET_BIND_SERVICE 10
99.  
100.  
101. /* Allow broadcasting, listen to multicast */
102.  
103.  
104. #define CAP_NET_BROADCAST 11
105.  
106.  
107. /* Allow interface configuration */
108. /* Allow administration of IP firewall, masquerading and accounting */
109. /* Allow setting debug option on sockets */
110. /* Allow modification of routing tables */
111. /* Allow setting arbitrary process / process group ownership on
112. sockets */
113. /* Allow binding to any address for transparent proxying */
114. /* Allow setting TOS (type of service) */
115. /* Allow setting promiscuous mode */
116. /* Allow clearing driver statistics */
117. /* Allow multicasting */
118. /* Allow read/write of device-specific registers */
119. /* Allow activation of ATM control sockets */
120.  
121.  
122. #define CAP_NET_ADMIN 12
123.  
124.  
125. /* Allow use of RAW sockets */
126. /* Allow use of PACKET sockets */
127.  
128.  
129. #define CAP_NET_RAW 13
130.  
131.  
132. /* Allow locking of shared memory segments */
133. /* Allow mlock and mlockall (which doesn‘t really have anything to do
134. with IPC) */
135.  
136.  
137. #define CAP_IPC_LOCK 14
138.  
139.  
140. /* Override IPC ownership checks */
141.  
142.  
143. #define CAP_IPC_OWNER 15
144.  
145.  
146. /* Insert and remove kernel modules - modify kernel without limit */
147. /* Modify cap_bset */
148. #define CAP_SYS_MODULE 16
149.  
150.  
151. /* Allow ioperm/iopl access */
152. /* Allow sending USB messages to any device via /proc/bus/usb */
153.  
154.  
155. #define CAP_SYS_RAWIO 17
156.  
157.  
158. /* Allow use of chroot() */
159.  
160.  
161. #define CAP_SYS_CHROOT 18
162.  
163.  
164. /* Allow ptrace() of any process */
165.  
166.  
167. #define CAP_SYS_PTRACE 19
168.  
169.  
170. /* Allow configuration of process accounting */
171.  
172.  
173. #define CAP_SYS_PACCT 20
174.  
175.  
176. /* Allow configuration of the secure attention key */
177. /* Allow administration of the random device */
178. /* Allow examination and configuration of disk quotas */
179. /* Allow configuring the kernel‘s syslog (printk behaviour) */
180. /* Allow setting the domainname */
181. /* Allow setting the hostname */
182. /* Allow calling bdflush() */
183. /* Allow mount() and umount(), setting up new smb connection */
184. /* Allow some autofs root ioctls */
185. /* Allow nfsservctl */
186. /* Allow VM86_REQUEST_IRQ */
187. /* Allow to read/write pci config on alpha */
188. /* Allow irix_prctl on mips (setstacksize) */
189. /* Allow flushing all cache on m68k (sys_cacheflush) */
190. /* Allow removing semaphores */
191. /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
192. and shared memory */
193. /* Allow locking/unlocking of shared memory segment */
194. /* Allow turning swap on/off */
195. /* Allow forged pids on socket credentials passing */
196. /* Allow setting readahead and flushing buffers on block devices */
197. /* Allow setting geometry in floppy driver */
198. /* Allow turning DMA on/off in xd driver */
199. /* Allow administration of md devices (mostly the above, but some
200. extra ioctls) */
201. /* Allow tuning the ide driver */
202. /* Allow access to the nvram device */
203. /* Allow administration of apm_bios, serial and bttv (TV) device */
204. /* Allow manufacturer commands in isdn CAPI support driver */
205. /* Allow reading non-standardized portions of pci configuration space */
206. /* Allow DDI debug ioctl on sbpcd driver */
207. /* Allow setting up serial ports */
208. /* Allow sending raw qic-117 commands */
209. /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
210. arbitrary SCSI commands */
211. /* Allow setting encryption key on loopback filesystem */
212. /* Allow setting zone reclaim policy */
213.  
214.  
215. #define CAP_SYS_ADMIN 21
216.  
217.  
218. /* Allow use of reboot() */
219.  
220.  
221. #define CAP_SYS_BOOT 22
222.  
223.  
224. /* Allow raising priority and setting priority on other (different
225. UID) processes */
226. /* Allow use of FIFO and round-robin (realtime) scheduling on own
227. processes and setting the scheduling algorithm used by another
228. process. */
229. /* Allow setting cpu affinity on other processes */
230.  
231.  
232. #define CAP_SYS_NICE 23
233.  
234.  
235. /* Override resource limits. Set resource limits. */
236. /* Override quota limits. */
237. /* Override reserved space on ext2 filesystem */
238. /* Modify data journaling mode on ext3 filesystem (uses journaling
239. resources) */
240. /* NOTE: ext2 honors fsuid when checking for resource overrides, so
241. you can override using fsuid too */
242. /* Override size restrictions on IPC message queues */
243. /* Allow more than 64hz interrupts from the real-time clock */
244. /* Override max number of consoles on console allocation */
245. /* Override max number of keymaps */
246.  
247.  
248. #define CAP_SYS_RESOURCE 24
249.  
250.  
251. /* Allow manipulation of system clock */
252. /* Allow irix_stime on mips */
253. /* Allow setting the real-time clock */
254.  
255.  
256. #define CAP_SYS_TIME 25
257.  
258.  
259. /* Allow configuration of tty devices */
260. /* Allow vhangup() of tty */
261.  
262.  
263. #define CAP_SYS_TTY_CONFIG 26
264.  
265.  
266. /* Allow the privileged aspects of mknod() */
267.  
268.  
269. #define CAP_MKNOD 27
270.  
271.  
272. /* Allow taking of leases on files */
273.  
274.  
275. #define CAP_LEASE 28
276.  
277.  
278. #define CAP_AUDIT_WRITE 29
279.  
280.  
281. #define CAP_AUDIT_CONTROL 30

检验权限的时候，就检查进程结构体task_struct对应的位是不是1就ok了。

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/lwy313722871/article/details/50856849