cap_task_prctl

Name:ap_task_prctl - Implement process control functions for this security module*@option: The process control function requested*@arg2, @arg3, @arg4, @arg5: The argument data for this function* Allow process control functions (sys_prctl()) to alter

Proto:int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)

Type:int

Parameter:

Type	Parameter	Name
int	option
unsigned long	arg2
unsigned long	arg3
unsigned long	arg4
unsigned long	arg5

1170

old = current_cred - Access the current task's subjective credentials* Access the subjective credentials of the current task. RCU-safe,* since nobody else can modify it.()

1174

Case option == Get/set the capability bounding set (as per security/commoncap.c)

1175

If Not cap_valid(arg2) Then Return -EINVAL

1177

Return Not Not cap_raised( capability bounding set , arg2)

1179

Case option == PR_CAPBSET_DROP

1180

Return Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from* the current task's bounding set. Returns 0 on success, -ve on error.

1201

Case option == PR_SET_SECUREBITS

1202

If ( SUID-less security management & SECURE_ALL_LOCKS) >> 1 & ( SUID-less security management ^ arg2) || SUID-less security management & SECURE_ALL_LOCKS & ~arg2 || arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS) || ap_capable - Determine whether a task has a particular effective capability*@cred: The credentials to use*@ns: The user namespace in which we need the capability*@cap: The capability to check for*@opts: Bitmask of options defined in include/linux/security != 0 Then Return -EPERM

1221

new = prepare_creds - Prepare a new set of credentials for modification* Prepare a new set of task credentials for modification

1222

If Not new Then Return -ENOMEM

1224

SUID-less security management = arg2

1225

Return mmit_creds - Install new credentials upon the current task*@new: The credentials to be assigned* Install a new set of credentials to the current task, using RCU to replace* the old set. Both the objective and the subjective credentials pointers are

1227

Case option == Get/set securebits (as per security/commoncap.c)

1228

Return SUID-less security management

1230

Case option == Get/set whether or not to drop capabilities on setuid() away from* uid 0 (as per security/commoncap.c)

1231

Return Not Not issecure(When set, a process can retain its capabilities even aftertransitioning to a non-root user (the set-uid fixup suppressed bybit 2). Bit-4 is cleared when a process calls exec(); setting bothbit 4 and 5 will create a barrier through exec that no exec()'d)

1233

Case option == PR_SET_KEEPCAPS

1234

If arg2 > 1 Then Return -EINVAL

1236

If issecure(make bit-4 immutable ) Then Return -EPERM

1239

new = prepare_creds - Prepare a new set of credentials for modification* Prepare a new set of task credentials for modification

1240

If Not new Then Return -ENOMEM

1242

If arg2 Then SUID-less security management |= Each securesetting is implemented using two bits. One bit specifieswhether the setting is on or off. The other bit specify whether thesetting is locked or not. A setting which is locked cannot bechanged from user-level. (When set, a process can retain its capabilities even aftertransitioning to a non-root user (the set-uid fixup suppressed bybit 2). Bit-4 is cleared when a process calls exec(); setting bothbit 4 and 5 will create a barrier through exec that no exec()'d)

1244

Else SUID-less security management &= ~Each securesetting is implemented using two bits. One bit specifieswhether the setting is on or off. The other bit specify whether thesetting is locked or not. A setting which is locked cannot bechanged from user-level. (When set, a process can retain its capabilities even aftertransitioning to a non-root user (the set-uid fixup suppressed bybit 2). Bit-4 is cleared when a process calls exec(); setting bothbit 4 and 5 will create a barrier through exec that no exec()'d)

1246

Return mmit_creds - Install new credentials upon the current task*@new: The credentials to be assigned* Install a new set of credentials to the current task, using RCU to replace* the old set. Both the objective and the subjective credentials pointers are

1248

Case option == Control the ambient capability set

1249

If arg2 == PR_CAP_AMBIENT_CLEAR_ALL Then

1250

If arg3 | arg4 | arg5 Then Return -EINVAL

1253

new = prepare_creds - Prepare a new set of credentials for modification* Prepare a new set of task credentials for modification

1254

If Not new Then Return -ENOMEM

1256

cap_clear( Ambient capability set )

1257

Return mmit_creds - Install new credentials upon the current task*@new: The credentials to be assigned* Install a new set of credentials to the current task, using RCU to replace* the old set. Both the objective and the subjective credentials pointers are

1260

If Not cap_valid(arg3) | arg4 | arg5 Then Return -EINVAL

1263

If arg2 == PR_CAP_AMBIENT_IS_SET Then

1264

Return Not Not cap_raised(cap_ambient, arg3)

1265

Else if arg2 != PR_CAP_AMBIENT_RAISE && arg2 != PR_CAP_AMBIENT_LOWER Then

1267

Return -EINVAL

1268

Else

1269

If arg2 == PR_CAP_AMBIENT_RAISE && ( Not cap_raised(cap_permitted, arg3) || Not cap_raised(cap_inheritable, arg3) || issecure(When set, a process cannot add new capabilities to its ambient set. )) Then Return -EPERM

1276

new = prepare_creds - Prepare a new set of credentials for modification* Prepare a new set of task credentials for modification

1277

If Not new Then Return -ENOMEM

1279

If arg2 == PR_CAP_AMBIENT_RAISE Then cap_raise( Ambient capability set , arg3)

1281

Else cap_lower( Ambient capability set , arg3)

1283

Return mmit_creds - Install new credentials upon the current task*@new: The credentials to be assigned* Install a new set of credentials to the current task, using RCU to replace* the old set. Both the objective and the subjective credentials pointers are

1286

Default

1288

Return -ENOSYS

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion