Replacing cap-bound

One of our systems uses an old Linux kernel that relies on the old cap-bound mechanism (writing to /proc/sys/kernel/cap-bound) to restrict the capabilities available on the system. This is done at boot time through the rc.linux file.

http://man7.org/linux/man-pages/man7/capability.7.html

We are updating the kernel, and this feature no longer exists; so far we have not been able to find out how to emulate it under the new kernel.

What is the replacement for the cap-bound mechanism, if one exists?

Answer 1

From the manual:

       P'(ambient)     = (file is privileged) ? 0 : P(ambient)

A process can obtain privileges from its parent process.

       P'(permitted)   = (P(inheritable) & F(inheritable)) |
                         (F(permitted) & cap_bset) | P'(ambient)

A process can obtain privileges from a file if the process's inheritable set has them, or if its cap_bset has them.

       P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)

       P'(inheritable) = P(inheritable)    [i.e., unchanged]

It gets its inheritable set from its parent.

   where:

       P         denotes the value of a thread capability set before the
                 execve(2)

       P'        denotes the value of a thread capability set after the
                 execve(2)

       F         denotes a file capability set

       cap_bset  is the value of the capability bounding set (described
                 below).


   Note that the bounding set masks the file permitted capabilities, but
   not the inheritable capabilities.  If a thread maintains a capability
   in its inheritable set that is not in its bounding set, then it can
   still gain that capability in its permitted set by executing a file
   that has the capability in its inheritable set.

You also need to remove them from the inheritable set.

So, to remove privileges from the root process (init): remove them from cap_bset, inheritable, permitted and effective.
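As an added illustration (not part of the original answer), here is a small Python model of the execve(2) rules quoted above, using constructed sample sets. It reproduces the manual's caveat that the bounding set masks the file's permitted capabilities but not the inheritable ones, which is why clearing cap_bset alone is not enough; the CAP_* bit numbers are the real ones from <linux/capability.h>.

```python
"""Model of the capability transformation on execve(2) for a non-root process.

Capability sets are bitmasks. The sample sets below are constructed for this
example; the bit positions match <linux/capability.h>.
"""
from dataclasses import dataclass
from typing import Optional

CAP_NET_BIND_SERVICE = 1 << 10
CAP_NET_RAW = 1 << 13
CAP_SYS_ADMIN = 1 << 21


@dataclass(frozen=True)
class ThreadCaps:
    permitted: int
    effective: int
    inheritable: int
    ambient: int = 0


@dataclass(frozen=True)
class FileCaps:
    permitted: int
    inheritable: int
    effective: bool  # the single "effective" bit of a file capability set


def transform_on_execve(p: ThreadCaps, f: Optional[FileCaps], cap_bset: int) -> ThreadCaps:
    """Apply the capability(7) rules quoted above.

    f=None models a file without a capability xattr (all F sets empty).
    Simplification for this example: a file is "privileged" when it carries
    any capability at all (set-UID/GID handling is omitted).
    """
    f_permitted = f.permitted if f else 0
    f_inheritable = f.inheritable if f else 0
    f_effective = f.effective if f else False
    privileged = (f_permitted | f_inheritable) != 0

    ambient = 0 if privileged else p.ambient                       # P'(ambient)
    permitted = ((p.inheritable & f_inheritable)                   # P'(permitted)
                 | (f_permitted & cap_bset)
                 | ambient)
    effective = permitted if f_effective else ambient              # P'(effective)
    return ThreadCaps(permitted=permitted, effective=effective,
                      inheritable=p.inheritable, ambient=ambient)  # P'(inheritable) unchanged


def gain_despite_bounding_set(p_inheritable: int) -> int:
    """Return P'(permitted) after executing a CAP_SYS_ADMIN-capable file while
    CAP_SYS_ADMIN is absent from cap_bset; depends only on P(inheritable)."""
    cap_bset = CAP_NET_BIND_SERVICE | CAP_NET_RAW                   # CAP_SYS_ADMIN removed
    f = FileCaps(permitted=CAP_SYS_ADMIN | CAP_NET_RAW,
                 inheritable=CAP_SYS_ADMIN, effective=True)
    p = ThreadCaps(permitted=0, effective=0, inheritable=p_inheritable)
    return transform_on_execve(p, f, cap_bset).permitted
```

With CAP_SYS_ADMIN left in the inheritable set the executed file still gains it; with the inheritable set cleared, only the bounding-set-masked CAP_NET_RAW survives.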
