[Linux] Process (11)--Process capabilities

Source: Internet
Author: User

Introduction to process capabilities
An example of process capabilities

The corresponding user-space system call is the prctl() function.

1, Basic concept
The access control model of traditional UNIX is very simple: the "superuser versus ordinary user" model. In this model, a process or account either has full system permissions and can do everything, or has only minimal permissions and can do almost nothing, depending on the UID of the process. For example, if a process needs to perform operations such as loading/unloading kernel modules or managing file systems, it requires full root privileges. Clearly, this is a serious threat to system security.
2, Process capabilities
How does Linux use POSIX capabilities in place of the traditional trust model? Each process has three capability bitmaps: inheritable (I), permitted (P), and effective (E), stored in the process descriptor task_struct (include/linux/sched.h) as cap_inheritable, cap_permitted, and cap_effective respectively. Each capability is represented by one bit: 1 means the process has the capability, 0 means it does not.
• cap_effective: when a process attempts a privileged operation, the operating system checks whether the corresponding bit of cap_effective is set, and no longer checks whether the effective UID of the process is 0. For example, if a process tries to set the system clock, the Linux kernel checks whether the CAP_SYS_TIME bit (bit 25) of cap_effective is set.
• cap_permitted: the capabilities the process is allowed to use. cap_permitted may include capabilities that are not in cap_effective because the process has temporarily dropped them; in other words, cap_effective is a subset of cap_permitted. Dropping capabilities a process does not need is a great help in improving security. For example, ping only needs CAP_NET_RAW; if it gives up every capability other than this one, it cannot cause much damage to the system even if it has a security flaw.
• cap_inheritable: the capabilities that can be inherited by a program executed by the current process.
Capability            Number  Description
CAP_CHOWN             0       allows changing the ownership of a file
CAP_DAC_OVERRIDE      1       ignores all DAC access restrictions on a file
CAP_DAC_READ_SEARCH   2       ignores all restrictions on read and search operations
CAP_FOWNER            3       if the file belongs to the UID of the process, the file restrictions are lifted
CAP_FSETID            4       allows setting the setuid bit
CAP_KILL              5       allows sending signals to processes that do not belong to the caller
CAP_SETGID            6       allows changing the group ID
CAP_SETUID            7       allows changing the user ID
CAP_SETPCAP           8       allows transferring capabilities to other processes and removing capabilities from any other process
CAP_LINUX_IMMUTABLE   9       allows modifying the immutable and append-only attributes of a file
CAP_NET_BIND_SERVICE  10      allows binding to ports below 1024
CAP_NET_BROADCAST     11      allows network broadcast and multicast access
CAP_NET_ADMIN         12      allows network management tasks: interfaces, firewalls, and routes; see /usr/src/linux/include/linux/capability.h for details
CAP_NET_RAW           13      allows the use of raw sockets
CAP_IPC_LOCK          14      allows locking of shared memory segments
CAP_IPC_OWNER         15      ignores IPC ownership checks
CAP_SYS_MODULE        16      allows inserting and removing kernel modules
CAP_SYS_RAWIO         17      allows access to ioperm/iopl
CAP_SYS_CHROOT        18      allows the use of the chroot() system call
CAP_SYS_PTRACE        19      allows tracing of any process
CAP_SYS_PACCT         20      allows configuring process accounting
CAP_SYS_ADMIN         21      allows system administration tasks: loading/unloading file systems, setting disk quotas, switching devices and files on/off, and so on; see /usr/src/linux/include/linux/capability.h for details
CAP_SYS_BOOT          22      allows rebooting the system
CAP_SYS_NICE          23      allows raising priority and setting the priority of other processes
CAP_SYS_RESOURCE      24      ignores resource limits
CAP_SYS_TIME          25      allows changing the system clock
CAP_SYS_TTY_CONFIG    26      allows configuring TTY devices
CAP_MKNOD             27      allows the use of the mknod() system call
CAP_LEASE                     allows taking leases on files
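
As an added example (not code from the original article), the C program below decodes the permitted and effective bitmaps using the bit numbers from the table above, and checks that the effective set stays within the permitted set. It assumes the input format of the CapInh/CapPrm/CapEff lines in /proc/<pid>/status, which the article does not mention; the sample text and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit number -> name, taken from the table above (bits 0..27 only). */
static const char *const CAP_NAMES[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD" };
/* Constructed sample: CAP_NET_RAW and CAP_SYS_TIME permitted, only CAP_NET_RAW effective. */
static const char SAMPLE_STATUS[] = "Name:\tdemo\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000002002000\nCapEff:\t0000000000002000\n";
/* Parse the hex bitmap of a "<field>:" line; returns -1 if the field is absent. */
int read_cap_field(const char *status, const char *field, unsigned long long *mask) {
    size_t n = strlen(field);
    for (const char *p = status; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            *mask = strtoull(p + n + 1, NULL, 16);
            return 0;
        }
    return -1;
}
/* The bit test described for cap_effective, and the "E is a subset of P" invariant. */
int cap_is_set(unsigned long long mask, unsigned cap) { return (int)((mask >> cap) & 1ULL); }
int eff_subset_of_prm(unsigned long long eff, unsigned long long prm) { return (eff & ~prm) == 0; }
/* Write the names of the set bits into buf, space separated; returns how many were set. */
int describe(unsigned long long mask, char *buf, size_t len) {
    int count = 0;
    buf[0] = '\0';
    for (unsigned i = 0; i < sizeof CAP_NAMES / sizeof CAP_NAMES[0]; i++)
        if (cap_is_set(mask, i)) {
            size_t used = strlen(buf);
            snprintf(buf + used, len - used, "%s%s", count++ ? " " : "", CAP_NAMES[i]);
        }
    return count;
}
int main(void) {
    unsigned long long eff = 0, prm = 0;
    char on[512], off[512];
    if (read_cap_field(SAMPLE_STATUS, "CapEff", &eff) != 0) return 1;
    if (read_cap_field(SAMPLE_STATUS, "CapPrm", &prm) != 0) return 1;
    describe(eff, on, sizeof on);          /* capabilities the kernel will honour now */
    describe(prm & ~eff, off, sizeof off); /* permitted but temporarily dropped */
    printf("effective: %s\npermitted only: %s\nsubset ok: %d\n", on, off, eff_subset_of_prm(eff, prm));
    return 0;
}
```

Bits above 27 are ignored by describe() because the table above does not number them.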
