capset() usage

今天看到一段关于capset()的代码,

struct __user_cap_header_struct header;

struct __user_cap_data_struct cap; header.version = _LINUX_CAPABILITY_VERSION;

header.pid = 0; cap.effective = cap.permitted = (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW);

cap.inheritable = 0;

capset(&header, &cap);

找了下对capset()的描述，如下，

NAME

       capget, capset - set/get capabilities

SYNOPSIS

       #undef _POSIX_SOURCE
       #include <sys/capability.h>

       int capget(cap_user_header_t hdrp, cap_user_data_t datap);

       int capset(cap_user_header_t hdrp, const cap_user_data_t datap);

DESCRIPTION

       As of Linux 2.2, the power of the superuser (root) has been partitioned
       into a set of  discrete  capabilities.   Every  thread  has  a  set  of
       effective  capabilities  identifying which capabilities (if any) it may
       currently exercise.   Every  thread  also  has  a  set  of  inheritable
       capabilities that may be passed through an execve(2) call, and a set of
       permitted capabilities that it can make effective or inheritable.

       These two functions are  the  raw  kernel  interface  for  getting  and
       setting  capabilities.   Not  only  are  these system calls specific to
       Linux, but the kernel  API  is  likely  to  change  and  use  of  these
       functions  (in  particular  the  format  of  the cap_user_*_t types) is
       subject to change with each kernel revision.

       The portable interfaces are  cap_set_proc(3)  and  cap_get_proc(3);  if
       possible  you should use those interfaces in applications.  If you wish
       to use the Linux extensions in applications, you should use the easier-
       to-use interfaces capsetp(3) and capgetp(3).

   Current details
       Now  that  you  have  been  warned,  some  current kernel details.  The
       structs are defined as follows.

           #define _LINUX_CAPABILITY_VERSION  0x19980330

           typedef struct __user_cap_header_struct {
               int version;
               int pid;
           } *cap_user_header_t;

           typedef struct __user_cap_data_struct {
               int effective;
               int permitted;
               int inheritable;
           } *cap_user_data_t;

       The calls will return EINVAL, and set the  version  field  of  hdrp  to
       _LINUX_CAPABILITY_VERSION when another version was specified.

       The  calls  operate  on the capabilities of the thread specified by the
       pid field of hdrp when that is non-zero, or on the capabilities of  the
       calling  thread  if  pid  is  0.   If  pid  refers to a single-threaded
       process, then pid  can  be  specified  as  a  traditional  process  ID;
       operating  on  a thread of a multithreaded process requires a thread ID
       of the type returned by gettid(2).  For capset(), pid can also be:  -1,
       meaning  perform  the  change  on  all  threads  except  the caller and
       init(8); or a value less than -1, in which case the change  is  applied
       to all members of the process group whose ID is -pid.

       For details on the data, see capabilities(7).

RETURN VALUE

       On  success,  zero is returned.  On error, -1 is returned, and errno is
       set appropriately.

ERRORS

       EFAULT Bad memory address.  Neither of hdrp and datap may be NULL.

       EINVAL One of the arguments was invalid.

       EPERM  An attempt was made to add a capability to the Permitted set, or
              to set a capability in the Effective or Inheritable sets that is
              not in the Permitted set.

       EPERM  The caller attempted to use capset() to modify the  capabilities
              of  a thread other than itself, but lacked sufficient privilege;
              the CAP_SETPCAP capability  is  required.   (A  bug  in  kernels
              before 2.6.11 meant that this error could also occur if a thread
              without this capability tried to change its own capabilities  by
              specifying  the  pid  field as a non-zero value (i.e., the value
              returned by getpid(2)) instead of 0.)

       ESRCH  No such thread.

CONFORMING TO

       These system calls are Linux-specific.

NOTES

       The portable interface to the capability querying and setting functions
       is provided by the libcap library and is available here:
       ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs

SEE ALSO

       clone(2), gettid(2), capabilities(7)

 

那么来再看看上面碰到的linux的capabilities的这些属性:

       CAP_NET_ADMIN
              Allow  various   network-related   operations   (e.g.,   setting
              privileged  socket  options,  enabling  multicasting,  interface
              configuration, modifying routing tables).

       CAP_NET_BIND_SERVICE
              Allow binding to Internet domain  reserved  socket  ports  (port
              numbers less than 1024).

       CAP_NET_BROADCAST
              (Unused)  Allow socket broadcasting, and listening multicasts.

       CAP_NET_RAW
              Permit use of RAW and PACKET sockets.


可以man capabilities 查看关于capabilities有一些更多的属性，下面列出其中几个

       CAP_SETPCAP
              Grant  or  remove  any  capability  in  the  caller’s  permitted
              capability set to or from any other process.

       CAP_SETUID
              Allow  arbitrary  manipulations  of  process  UIDs   (setuid(2),
              setreuid(2),  setresuid(2),  setfsuid(2)); allow forged UID when
              passing socket credentials via Unix domain sockets.

       CAP_SYS_ADMIN
              Permit a range of system  administration  operations  including:
              quotactl(2),   mount(2),   umount(2),   swapon(2),   swapoff(2),
              sethostname(2),   setdomainname(2),   IPC_SET    and    IPC_RMID
              operations on arbitrary System V IPC objects; perform operations
              on trusted and security Extended Attributes (see attr(5));  call
              lookup_dcookie(2);  use  ioprio_set(2) to assign IOPRIO_CLASS_RT
              and IOPRIO_CLASS_IDLE I/O scheduling classes; perform  keyctl(2)
              KEYCTL_CHOWN  and  KEYCTL_SETPERM  operations.  allow forged UID
              when passing socket credentials;  exceed  /proc/sys/fs/file-max,
              the  system-wide  limit  on  the number of open files, in system
              calls that open  files  (e.g.,  accept(2),  execve(2),  open(2),
              pipe(2);  without  this  capability these system calls will fail
              with the error ENFILE if  this  limit  is  encountered);  employ
              CLONE_NEWNS   flag   with   clone(2)   and  unshare(2);  perform
              KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations.

       CAP_SYS_BOOT
              Permit calls to reboot(2) and kexec_load(2).

       CAP_SYS_CHROOT
              Permit calls to chroot(2).

       CAP_SYS_MODULE
              Allow  loading  and   unloading   of   kernel   modules;   allow
              modifications to capability bounding set (see init_module(2) and
              delete_module(2)).

       CAP_SYS_NICE
              Allow raising process nice value (nice(2),  setpriority(2))  and
              changing  of  the  nice  value  for  arbitrary  processes; allow
              setting of real-time scheduling policies  for  calling  process,
              and  setting  scheduling  policies  and priorities for arbitrary
              processes (sched_setscheduler(2),  sched_setparam(2));  set  CPU
              affinity for arbitrary processes (sched_setaffinity(2)); set I/O
              scheduling  class   and   priority   for   arbitrary   processes
              (ioprio_set(2));   allow   migrate_pages(2)  to  be  applied  to
              arbitrary processes  and  allow  processes  to  be  migrated  to
              arbitrary  nodes; allow move_pages(2) to be applied to arbitrary
              processes; use  the  MPOL_MF_MOVE_ALL  flag  with  mbind(2)  and
              move_pages(2).