我们的一个系统中使用了一个旧的 Linux 内核,它使用旧的上限机制(修改/proc/sys/kernel/cap-bound
)来限制系统的功能。这是在引导时通过rc.linux
文件完成的。
看http://man7.org/linux/man-pages/man7/capability.7.html
我们正在更新内核,这个功能已经不存在了,到目前为止,我们还无法找到如何在新内核下模拟这个功能。
如果存在,上限机制的替代品是什么?
答案1
从手册中:
P'(ambient) = (file is privileged) ? 0 : P(ambient)
进程有可能从其父进程获得特权。
P'(permitted) = (P(inheritable) & F(inheritable)) |
(F(permitted) & cap_bset) | P'(ambient)
如果进程的可继承集具有这些权限,或者它的 cap_bset 具有这些权限,则进程有可能从文件获取权限。
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
P'(inheritable) = P(inheritable) [i.e., unchanged]
它从父母那里获得继承集
where:
P denotes the value of a thread capability set before the
execve(2)
P' denotes the value of a thread capability set after the
execve(2)
F denotes a file capability set
cap_bset is the value of the capability bounding set (described
below).
…
Note that the bounding set masks the file permitted capabilities, but
not the inheritable capabilities. If a thread maintains a capability
in its inheritable set that is not in its bounding set, then it can
still gain that capability in its permitted set by executing a file
that has the capability in its inheritable set.
您还需要从inheritable
集合中删除
因此,从根进程 ( ) 中删除权限:从、、和init
中删除权限。cap_bset
inheritable
permitted
effective