Linux 如何知道是否允许进程发出系统调用？

Question

一般来说，内核会查看进程的能力，看看它是否具有所需的能力。您将在相关系统调用的手册页中找到此信息，其中会注明“进程需要能力 CAP_XYZ”才能执行该操作。例如，查看手册页kill(2)，我们看：

   For  a process to have permission to send a signal, it must either
   be privileged (under Linux: have the CAP_KILL  capability  in  the
   user  namespace  of  the target process), or the real or effective
   user ID of the sending process must equal the real or  saved  set-
   user-ID  of  the  target process.

同样在create_module(2)页面，我们看到：

DESCRIPTION
   create_module()  attempts  to  create  a loadable module entry and
   reserve the kernel memory that will be needed to hold the  module.
   This system call requires privilege.
...
ERRORS
...
   EPERM  The   caller   was   not   privileged  (did  not  have  the
          CAP_SYS_MODULE capability).

内核能够进行这些检查，因为功能是内核在其内部数据结构中记录的每个进程的属性。

Answer 1

一般来说，内核会查看进程的能力，看看它是否具有所需的能力。您将在相关系统调用的手册页中找到此信息，其中会注明“进程需要能力 CAP_XYZ”才能执行该操作。例如，查看手册页kill(2)，我们看：

   For  a process to have permission to send a signal, it must either
   be privileged (under Linux: have the CAP_KILL  capability  in  the
   user  namespace  of  the target process), or the real or effective
   user ID of the sending process must equal the real or  saved  set-
   user-ID  of  the  target process.

同样在create_module(2)页面，我们看到：

DESCRIPTION
   create_module()  attempts  to  create  a loadable module entry and
   reserve the kernel memory that will be needed to hold the  module.
   This system call requires privilege.
...
ERRORS
...
   EPERM  The   caller   was   not   privileged  (did  not  have  the
          CAP_SYS_MODULE capability).

内核能够进行这些检查，因为功能是内核在其内部数据结构中记录的每个进程的属性。

Linux 如何知道是否允许进程发出系统调用？

答案1

相关内容