Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: security\commoncap.c
Create Date: 2022-07-28 18:37:24
Last Modify: 2020-03-12 14:18:49
Copyright © Brick

Name: cap_task_prctl - Implement process control functions for this security module. @option: The process control function requested. @arg2, @arg3, @arg4, @arg5: The argument data for this function. Allow process control functions (sys_prctl()) to alter

Proto:int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)

Type:int

Parameter:

Type            Parameter Name
int             option
unsigned long   arg2
unsigned long   arg3
unsigned long   arg4
unsigned long   arg5

1170  old = current_cred() - Access the current task's subjective credentials. RCU-safe, since nobody else can modify it.
1174  Case option == PR_CAPBSET_READ (get/set the capability bounding set, as per security/commoncap.c)
1175  If Not cap_valid(arg2) Then Return -EINVAL
1177  Return Not Not cap_raised(old->cap_bset (capability bounding set), arg2)
1179  Case option == PR_CAPBSET_DROP
1180  Return cap_prctl_drop(arg2) - Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from the current task's bounding set. Returns 0 on success, -ve on error.
1201  Case option == PR_SET_SECUREBITS
1202  If (((old->securebits & SECURE_ALL_LOCKS) >> 1) & (old->securebits ^ arg2)) || (old->securebits & SECURE_ALL_LOCKS & ~arg2) || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) || cap_capable() != 0 Then Return -EPERM
      securebits: SUID-less security management. cap_capable - Determine whether a task has a particular effective capability. @cred: The credentials to use. @ns: The user namespace in which we need the capability. @cap: The capability to check for. @opts: Bitmask of options defined in include/linux/security
1221  new = prepare_creds() - Prepare a new set of task credentials for modification
1222  If Not new Then Return -ENOMEM
1224  new->securebits = arg2
1225  Return commit_creds(new) - Install new credentials upon the current task. @new: The credentials to be assigned. Install a new set of credentials to the current task, using RCU to replace the old set. Both the objective and the subjective credentials pointers are
1227  Case option == PR_GET_SECUREBITS (get/set securebits, as per security/commoncap.c)
1228  Return old->securebits
1230  Case option == PR_GET_KEEPCAPS (get/set whether or not to drop capabilities on setuid() away from uid 0, as per security/commoncap.c)
1231  Return Not Not issecure(SECURE_KEEP_CAPS) - When set, a process can retain its capabilities even after transitioning to a non-root user (the set-uid fixup suppressed by bit 2). Bit-4 is cleared when a process calls exec(); setting both bit 4 and 5 will create a barrier through exec that no exec()'d
1233  Case option == PR_SET_KEEPCAPS
1234  If arg2 > 1 Then Return -EINVAL
1236  If issecure(SECURE_KEEP_CAPS_LOCKED) (make bit-4 immutable) Then Return -EPERM
1239  new = prepare_creds() - Prepare a new set of task credentials for modification
1240  If Not new Then Return -ENOMEM
1242  If arg2 Then new->securebits |= issecure_mask(SECURE_KEEP_CAPS) - Each securesetting is implemented using two bits. One bit specifies whether the setting is on or off. The other bit specifies whether the setting is locked or not. A setting which is locked cannot be changed from user-level.
1244  Else new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS)
1246  Return commit_creds(new)
1248  Case option == PR_CAP_AMBIENT (control the ambient capability set)
1249  If arg2 == PR_CAP_AMBIENT_CLEAR_ALL Then
1250  If arg3 | arg4 | arg5 Then Return -EINVAL
1254  If Not new Then Return -ENOMEM
1260  If Not cap_valid(arg3) | arg4 | arg5 Then Return -EINVAL
1263  If arg2 == PR_CAP_AMBIENT_IS_SET Then
1264  Return Not Not cap_raised(cap_ambient, arg3)
1265  Else if arg2 != PR_CAP_AMBIENT_RAISE && arg2 != PR_CAP_AMBIENT_LOWER Then
1267  Return -EINVAL
1268  Else
1277  If Not new Then Return -ENOMEM
1286  Default
1288  Return -ENOSYS
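
The PR_SET_SECUREBITS condition at line 1202 and the PR_SET_KEEPCAPS lock test at line 1236, modelled in userspace as an added example (not code from the kernel source or from this report). The function names and the has_setpcap flag, which stands in for the cap_capable() result, are assumptions; the bit values follow include/uapi/linux/securebits.h.

```c
#include <errno.h>
#include <stdio.h>

/* Each securebit is a pair: even bit = value, odd bit = lock. */
#define SECBIT_NOROOT           (1UL << 0)
#define SECBIT_KEEP_CAPS        (1UL << 4)
#define SECBIT_KEEP_CAPS_LOCKED (1UL << 5)
#define SECURE_ALL_BITS         0x55UL
#define SECURE_ALL_LOCKS        0xAAUL

/* Hypothetical model of the line-1202 check. Returns 0 if the new
 * securebits value arg2 would be accepted, -EPERM otherwise. */
static int check_set_securebits(unsigned long old, unsigned long arg2,
                                int has_setpcap)
{
    if (((old & SECURE_ALL_LOCKS) >> 1) & (old ^ arg2))
        return -EPERM;  /* [1] a value bit whose lock is set would change */
    if (old & SECURE_ALL_LOCKS & ~arg2)
        return -EPERM;  /* [2] a lock bit that is set would be cleared */
    if (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))
        return -EPERM;  /* [3] bits outside the defined pairs requested */
    if (!has_setpcap)
        return -EPERM;  /* [4] caller lacks CAP_SETPCAP */
    return 0;
}

/* Hypothetical model of PR_SET_KEEPCAPS (lines 1234-1244). */
static int set_keepcaps(unsigned long *securebits, unsigned long arg2)
{
    if (arg2 > 1)
        return -EINVAL;
    if (*securebits & SECBIT_KEEP_CAPS_LOCKED)
        return -EPERM;  /* bit 5 makes bit 4 immutable */
    if (arg2)
        *securebits |= SECBIT_KEEP_CAPS;
    else
        *securebits &= ~SECBIT_KEEP_CAPS;
    return 0;
}

int main(void)
{
    unsigned long locked = SECBIT_KEEP_CAPS | SECBIT_KEEP_CAPS_LOCKED;

    printf("set+lock from 0:       %d\n", check_set_securebits(0, locked, 1));
    printf("clear locked value:    %d\n", check_set_securebits(locked, SECBIT_KEEP_CAPS_LOCKED, 1));
    printf("drop the lock:         %d\n", check_set_securebits(locked, SECBIT_KEEP_CAPS, 1));
    printf("change unlocked pair:  %d\n", check_set_securebits(locked, locked | SECBIT_NOROOT, 1));
    return 0;
}
```

Once a lock bit is set, neither the lock nor its value bit can be changed through either prctl option, while unlocked pairs remain adjustable by a caller holding CAP_SETPCAP.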