函数逻辑报告

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:security\commoncap.c Create Date:2022-07-27 20:10:42
Last Modify:2020-03-12 14:18:49 Copyright©Brick
首页 函数Tree
注解内核,赢得工具下载SCCTEnglish

函数名称:ap_bprm_set_creds - Set up the proposed credentials for execve().*@bprm: The execution parameters, including the proposed creds* Set up the proposed credentials for a new execution context being* constructed by execve()

函数原型:int cap_bprm_set_creds(struct linux_binprm *bprm)

返回类型:int

参数:

类型参数名称
struct linux_binprm *bprm
809  old等于current_cred - Access the current task's subjective credentials* Access the subjective credentials of the current task. RCU-safe,* since nobody else can modify it.()
810  new等于w credentials
811  effective等于TSC's on different sockets may be reset asynchronously.* This may cause the TSC ADJUST value on socket 0 to be NOT 0., has_fcap等于TSC's on different sockets may be reset asynchronously.* This may cause the TSC ADJUST value on socket 0 to be NOT 0.
815  如果WARN_ON(!cap_ambient_invariant_ok(old))则返回:负EPERM
818  ret等于Attempt to get the on-exec apply capability sets for an executable file from* its xattrs and, if present, apply them to the proposed credentials being* constructed by execve().
819  如果ret小于0则返回:ret
822  root_uid等于make_kuid - Map a user-namespace uid pair into a kuid
824  handle_privileged_root - Handle case of privileged root*@bprm: The execution parameters, including the proposed creds*@has_fcap: Are any file capabilities set?*@effective: Do we have effective root privilege?*@root_uid: This namespace' root UID WRT
827  如果__cap_gained(permitted, new, old)则s to clear in current->personality 或等于Security-relevant compatibility flags that must be* cleared upon setuid or setgid exec:
835  is_setid等于__is_setuid(new, old)或__is_setgid(new, old)
837  如果is_setid__cap_gained(permitted, new, old)的值且how unsafe this exec is (mask of LSM_UNSAFE_*) 按位与LSM_UNSAFE_PTRACE的反或非ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace*@tsk: The task that may be ptraced*@ns: The user namespace to search for CAP_SYS_PTRACE in* Return true if the task that is ptracing the current task had CAP_SYS_PTRACE的值则
841  如果非ns_capable( user_ns the caps and keyrings are relative to. , Allows forged pids on socket credentials passing. )或how unsafe this exec is (mask of LSM_UNSAFE_*) 按位与LSM_UNSAFE_NO_NEW_PRIVS
843  有效uid等于进程uid
844  有效gid等于进程gid
846  caps we're permitted 等于cap_intersect( caps we're permitted , caps we're permitted )
850  保留uid等于 UID for VFS ops 等于有效uid
851  保留gid等于 GID for VFS ops 等于有效gid
854  如果has_fcapis_setidcap_clear( Ambient capability set )
861  caps we're permitted 等于cap_combine( caps we're permitted , Ambient capability set )
867  如果effective caps we can actually use 等于 caps we're permitted
869  否则 caps we can actually use 等于 Ambient capability set
872  如果WARN_ON(!cap_ambient_invariant_ok(new))则返回:负EPERM
875  如果1) Audit candidate if current->cap_effective is set* We do not bother to audit if 3 things are true:* 1) cap_effective has all caps* 2) we became root *OR* are were already root* 3) root is supposed to have all caps (SECURE_NOROOT)
876  ret等于audit_log_bprm_fcaps(bprm, new, old)
877  如果ret小于0则返回:ret
881  安全管理与等于Each securesetting is implemented using two bits. One bit specifieswhether the setting is on or off. The other bit specify whether thesetting is locked or not. A setting which is locked cannot bechanged from user-level. (When set, a process can retain its capabilities even aftertransitioning to a non-root user (the set-uid fixup suppressed bybit 2). Bit-4 is cleared when a process calls exec(); setting bothbit 4 and 5 will create a barrier through exec that no exec()'d)的反
883  如果WARN_ON(!cap_ambient_invariant_ok(new))则返回:负EPERM
887  cap_elevated等于0
888  如果is_setid或非__is_real(root_uid, new)且effective__cap_grew(permitted, ambient, new)的值则cap_elevated等于1
894  返回:0