linux Capability.h 如何对 34 个元素使用 32 位掩码？

发布于 2024-12-23 02:32:25 字数 525 浏览 3 评论 0原文

/usr/include/linux/capability.h 中的文件#定义了 34 种可能的功能。它是这样的：

#define CAP_CHOWN            0

#define CAP_DAC_OVERRIDE     1

.....

#define CAP_MAC_ADMIN        33

#define CAP_LAST_CAP         CAP_MAC_ADMIN

每个进程都有这样定义的功能

typedef struct __user_cap_data_struct {

        __u32 effective;
        __u32 permitted;
        __u32 inheritable;
} * cap_user_data_t;

我很困惑 - 一个进程可以有 32 位的有效功能，但在 Capability.h 中定义的功能总数是 34。如何在一个进程中编码 34 个位置32 位掩码？

原文

The file in /usr/include/linux/capability.h #defines 34 possible capabilities.
It goes like:

#define CAP_CHOWN            0

#define CAP_DAC_OVERRIDE     1

.....

#define CAP_MAC_ADMIN        33

#define CAP_LAST_CAP         CAP_MAC_ADMIN

each process has capabilities defined thusly

typedef struct __user_cap_data_struct {

        __u32 effective;
        __u32 permitted;
        __u32 inheritable;
} * cap_user_data_t;

I'm confused - a process can have 32-bits of effective capabilities, yet the total amount of capabilities defined in capability.h is 34. How is it possible to encode 34 positions in a 32-bit mask?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

流年已逝 2024-12-30 02:32:25

因为你还没有读完说明书。

capget 手册首先说服您不要使用它：

These two functions are the raw kernel interface for getting  and  set‐
ting  thread capabilities.  Not only are these system calls specific to
Linux, but the kernel API is likely to change and use  of  these  func‐
tions  (in  particular the format of the cap_user_*_t types) is subject
to extension with each kernel revision,  but  old  programs  will  keep
working.

The  portable  interfaces  are  cap_set_proc(3) and cap_get_proc(3); if
possible you should use those interfaces in applications.  If you  wish
to use the Linux extensions in applications, you should use the easier-
to-use interfaces capsetp(3) and capgetp(3).

当前详细信息

Now that you have been warned, some current kernel details.  The struc‐
tures are defined as follows.

#define _LINUX_CAPABILITY_VERSION_1  0x19980330
#define _LINUX_CAPABILITY_U32S_1     1

#define _LINUX_CAPABILITY_VERSION_2  0x20071026
#define _LINUX_CAPABILITY_U32S_2     2

[...]
effective,  permitted,  inheritable  are  bitmasks  of the capabilities
defined in capability(7).  Note the CAP_* values are  bit  indexes  and
need to be bit-shifted before ORing into the bit fields.
[...]
Kernels  prior  to  2.6.25  prefer  32-bit  capabilities  with  version
_LINUX_CAPABILITY_VERSION_1, and kernels 2.6.25+ prefer 64-bit capabil‐
ities with version _LINUX_CAPABILITY_VERSION_2.  Note, 64-bit capabili‐
ties  use  datap[0]  and datap[1], whereas 32-bit capabilities only use
datap[0].

，其中 datap 之前被定义为指向 __user_cap_data_struct 的指针。因此，您只需在两个 __user_cap_data_struct 数组中用两个 __u32 表示 64 位值。

仅这一点就告诉我永远不要使用这个 API，所以我没有阅读手册的其余部分。

Because you haven't read all of the manual.

The capget manual starts by convincing you to not use it :

These two functions are the raw kernel interface for getting  and  set‐
ting  thread capabilities.  Not only are these system calls specific to
Linux, but the kernel API is likely to change and use  of  these  func‐
tions  (in  particular the format of the cap_user_*_t types) is subject
to extension with each kernel revision,  but  old  programs  will  keep
working.

The  portable  interfaces  are  cap_set_proc(3) and cap_get_proc(3); if
possible you should use those interfaces in applications.  If you  wish
to use the Linux extensions in applications, you should use the easier-
to-use interfaces capsetp(3) and capgetp(3).

Current details

Now that you have been warned, some current kernel details.  The struc‐
tures are defined as follows.

#define _LINUX_CAPABILITY_VERSION_1  0x19980330
#define _LINUX_CAPABILITY_U32S_1     1

#define _LINUX_CAPABILITY_VERSION_2  0x20071026
#define _LINUX_CAPABILITY_U32S_2     2

[...]
effective,  permitted,  inheritable  are  bitmasks  of the capabilities
defined in capability(7).  Note the CAP_* values are  bit  indexes  and
need to be bit-shifted before ORing into the bit fields.
[...]
Kernels  prior  to  2.6.25  prefer  32-bit  capabilities  with  version
_LINUX_CAPABILITY_VERSION_1, and kernels 2.6.25+ prefer 64-bit capabil‐
ities with version _LINUX_CAPABILITY_VERSION_2.  Note, 64-bit capabili‐
ties  use  datap[0]  and datap[1], whereas 32-bit capabilities only use
datap[0].

where datap is defined earlier as a pointer to a __user_cap_data_struct. So you just represent a 64bit values with two __u32 in an array of two __user_cap_data_struct.

This, alone, tells me to not ever use this API, so i didn't read the rest of the manual.

回复收藏 0 原文