1 .\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
3 .\" Permission is granted to make and distribute verbatim copies of this
4 .\" manual provided the copyright notice and this permission notice are
5 .\" preserved on all copies.
7 .\" Permission is granted to copy and distribute modified versions of this
8 .\" manual under the conditions for verbatim copying, provided that the
9 .\" entire resulting derived work is distributed under the terms of a
10 .\" permission notice identical to this one.
12 .\" Since the Linux kernel and libraries are constantly changing, this
13 .\" manual page may be incorrect or out-of-date. The author(s) assume no
14 .\" responsibility for errors or omissions, or for damages resulting from
15 .\" the use of the information contained herein. The author(s) may not
16 .\" have taken the same level of care in the production of this manual,
17 .\" which is licensed free of charge, as they might when working
20 .\" Formatted or processed versions of this manual, if unaccompanied by
21 .\" the source, must acknowledge the copyright and authors of this work.
23 .\" 6 Aug 2002 - Initial Creation
24 .\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
25 .\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com>
26 .\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER
27 .\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
28 .\" 2008-07-15, Serge Hallyn <serue@us.bbm.com>
29 .\" Document file capabilities, per-process capability
30 .\" bounding set, changed semantics for CAP_SETPCAP,
31 .\" and other changes in 2.6.2[45].
32 .\" Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP.
34 .\" Add text describing circumstances in which CAP_SETPCAP
35 .\" (theoretically) permits a thread to change the
36 .\" capability sets of another thread.
37 .\" Add section describing rules for programmatically
38 .\" adjusting thread capability sets.
39 .\" Describe rationale for capability bounding set.
40 .\" Document "securebits" flags.
41 .\" Add text noting that if we set the effective flag for one file
42 .\" capability, then we must also set the effective flag for all
43 .\" other capabilities where the permitted or inheritable bit is set.
45 .\" Japanese Version Copyright (c) 2005 Akihiro MOTOKI all rights reserved.
46 .\" Translated 2005-03-09, Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
47 .\" Updated 2005-11-04, Akihiro MOTOKI
48 .\" Updated 2006-04-16, Akihiro MOTOKI, LDP v2.29
49 .\" Updated 2006-07-20, Akihiro MOTOKI, LDP v2.34
50 .\" Updated 2007-01-05, Akihiro MOTOKI, LDP v2.43
51 .\" Updated 2008-12-24, Akihiro MOTOKI, LDP v3.15
52 .\" Updated 2009-02-27, Akihiro MOTOKI, LDP v3.19
53 .\" Updated 2010-04-11, Akihiro MOTOKI, LDP v3.24
55 .TH CAPABILITIES 7 2010-06-19 "Linux" "Linux Programmer's Manual"
58 .\"O capabilities \- overview of Linux capabilities
59 capabilities \- Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability) ¤Î³µÍ×
62 .\"O For the purpose of performing permission checks,
63 .\"O traditional UNIX implementations distinguish two categories of processes:
65 .\"O processes (whose effective user ID is 0, referred to as superuser or root),
68 .\"O processes (whose effective UID is nonzero).
69 ¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤¦´ÑÅÀ¤«¤é¸«¤ë¤È¡¢ÅÁÅýŪ¤Ê UNIX ¤Î¼ÂÁõ¤Ç¤Ï
70 ¥×¥í¥»¥¹¤ÏÆó¤Ä¤Î¥«¥Æ¥´¥ê¤ËʬÎà¤Ç¤¤ë:
72 ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 ¤Î¥×¥í¥»¥¹¡£¥æ¡¼¥¶ID 0 ¤Ï
73 ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤ä root ¤È¸Æ¤Ð¤ì¤ë) ¤È
75 ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹) ¤Ç¤¢¤ë¡£
76 .\"O Privileged processes bypass all kernel permission checks,
77 .\"O while unprivileged processes are subject to full permission
78 .\"O checking based on the process's credentials
79 .\"O (usually: effective UID, effective GID, and supplementary group list).
80 ÈóÆø¢¥×¥í¥»¥¹¤Ç¤Ï¡¢¥×¥í¥»¥¹¤Î»ñ³Ê¾ðÊó (Ä̾ï¤Ï¡¢¼Â¸úUID ¡¢¼Â¸úGID
81 ¤ÈÄɲäΥ°¥ë¡¼¥×¥ê¥¹¥È) ¤Ë´ð¤Å¤¯¸¢¸Â¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ë¤Î¤ËÂФ·¡¢
82 Æø¢¥×¥í¥»¥¹¤Ç¤ÏÁ´¤Æ¤Î¥«¡¼¥Í¥ë¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£
84 .\"O Starting with kernel 2.2, Linux divides the privileges traditionally
85 .\"O associated with superuser into distinct units, known as
86 .\"O .IR capabilities ,
87 .\"O which can be independently enabled and disabled.
88 .\"O Capabilities are a per-thread attribute.
89 ¥Ð¡¼¥¸¥ç¥ó 2.2 °Ê¹ß¤Î Linux ¤Ç¤Ï¡¢
90 ¤³¤ì¤Þ¤Ç¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤Ë·ë¤ÓÉÕ¤±¤é¤ì¤Æ¤¤¿¸¢¸Â¤ò¡¢
91 ¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ³ä¤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥°¥ë¡¼¥×¤Ï
92 .IR ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability)
93 ¤È¸Æ¤Ð¤ì¡¢¥°¥ë¡¼¥×Ëè¤ËÆÈΩ¤Ë͸ú¡¢Ìµ¸ú¤òÀßÄê¤Ç¤¤ë¡£
94 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À¤Ç¤¢¤ë¡£
96 .\"O .SS Capabilities List
97 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥ê¥¹¥È
98 .\"O The following list shows the capabilities implemented on Linux,
99 .\"O and the operations or behaviors that each capability permits:
101 Linux ¤Ç¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È
102 ³Æ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬µö²Ä¤¹¤ëÁàºî¤ÈÆ°ºî¤ò¤Þ¤È¤á¤¿¤â¤Î¤Ç¤¢¤ë¡£
104 .\"O .BR CAP_AUDIT_CONTROL " (since Linux 2.6.11)"
105 .\"O Enable and disable kernel auditing; change auditing filter rules;
106 .\"O retrieve auditing status and filtering rules.
107 .BR CAP_AUDIT_CONTROL " (Linux 2.6.11 °Ê¹ß)"
108 ¥«¡¼¥Í¥ë´Æºº (audit) ¤Î͸ú̵¸ú¤ÎÀÚ¤êÂؤ¨¡¢
109 ´Æºº¤Î¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤ÎÊѹ¹¡¢
110 ´Æºº¤Î¾õ¶·¤ä¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤Î¼èÆÀ¤¬¤Ç¤¤ë¡£
112 .\"O .BR CAP_AUDIT_WRITE " (since Linux 2.6.11)"
113 .BR CAP_AUDIT_WRITE " (Linux 2.6.11 °Ê¹ß)"
114 .\"O Write records to kernel auditing log.
115 ¥«¡¼¥Í¥ë´Æºº¤Î¥í¥°¤Ë¥ì¥³¡¼¥É¤ò½ñ¤¹þ¤à¡£
118 .\"O Make arbitrary changes to file UIDs and GIDs (see
120 ¥Õ¥¡¥¤¥ë¤Î UID ¤ÈGID ¤òǤ°Õ¤ËÊѹ¹¤¹¤ë
125 .\"O Bypass file read, write, and execute permission checks.
126 .\"O (DAC is an abbreviation of "discretionary access control".)
127 ¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¡¢½ñ¤¹þ¤ß¡¢¼Â¹Ô¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
128 (DAC ¤Ï "discretionary access control (Ǥ°Õ¤Î¥¢¥¯¥»¥¹À©¸æ)" ¤Îά¤Ç¤¢¤ë)¡£
130 .B CAP_DAC_READ_SEARCH
131 .\"O Bypass file read permission checks and
132 .\"O directory read and execute permission checks.
133 ¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤È¥Ç¥£¥ì¥¯¥È¥ê¤ÎÆɤ߽Ф·¤È¼Â¹Ô
134 ¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
140 .\"O Bypass permission checks on operations that normally
141 .\"O require the file system UID of the process to match the UID of
145 .\"O excluding those operations covered by
146 .\"O .B CAP_DAC_OVERRIDE
148 .\"O .BR CAP_DAC_READ_SEARCH ;
149 Ä̾¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬¥Õ¥¡¥¤¥ë¤Î UID ¤Ë°ìÃפ¹¤ë¤³¤È¤¬
150 Í׵ᤵ¤ì¤ëÁàºî (Î㤨¤Ð
153 ¤Ë¤ª¤±¤ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
157 .B CAP_DAC_READ_SEARCH
158 ¤Ë¤è¤ê¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ëÁàºî¤Ï½ü¤¯¡£
160 .\"O set extended file attributes (see
162 .\"O on arbitrary files;
163 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ³ÈÄ¥¥Õ¥¡¥¤¥ë°À¤òÀßÄꤹ¤ë
167 .\"O set Access Control Lists (ACLs) on arbitrary files;
168 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È (ACL) ¤òÀßÄꤹ¤ë¡£
170 .\"O ignore directory sticky bit on file deletion;
171 ¥Õ¥¡¥¤¥ë¤Îºï½ü¤ÎºÝ¤Ë¥Ç¥£¥ì¥¯¥È¥ê¤Î¥¹¥Æ¥£¥Ã¥¡¼¥Ó¥Ã¥È¤ò̵»ë¤¹¤ë¡£
175 .\"O for arbitrary files in
182 ¤ÇǤ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
189 .\"O Don't clear set-user-ID and set-group-ID permission
190 .\"O bits when a file is modified;
191 .\"O set the set-group-ID bit for a file whose GID does not match
192 .\"O the file system or any of the supplementary GIDs of the calling process.
193 ¥Õ¥¡¥¤¥ë¤¬Êѹ¹¤µ¤ì¤¿¤È¤¤Ë set-user-ID ¤Èset-group-ID ¤Îµö²Ä¥Ó¥Ã¥È¤ò¥¯¥ê¥¢
194 ¤·¤Ê¤¤¡£¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à GID ¤ÈÄɲäΠGID ¤Î¤¤¤º¤ì¤È¤â
195 GID ¤¬°ìÃפ·¤Ê¤¤¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ set-group-ID ¥Ó¥Ã¥È¤òÀßÄꤹ¤ë¡£
199 .\"O .RB ( mlock (2),
200 .\"O .BR mlockall (2),
202 .\"O .BR shmctl (2)).
211 .\"O Bypass permission checks for operations on System V IPC objects.
212 System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ëÁàºî¤Ë´Ø¤·¤Æ¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
215 .\"O Bypass permission checks for sending signals (see
217 .\"O This includes use of the
221 ¥·¥°¥Ê¥ë¤òÁ÷¿®¤¹¤ëºÝ¤Ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
227 Áàºî¤Î»ÈÍѤâ´Þ¤Þ¤ì¤ë¡£
228 .\" FIXME CAP_KILL also has an effect for threads + setting child
229 .\" termination signal to other than SIGCHLD: without this
230 .\" capability, the termination signal reverts to SIGCHLD
231 .\" if the child does an exec(). What is the rationale
234 .\"O .BR CAP_LEASE " (since Linux 2.4)"
235 .BR CAP_LEASE " (Linux 2.4 °Ê¹ß)"
236 .\"O Establish leases on arbitrary files (see
238 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
239 ¥Õ¥¡¥¤¥ë¥ê¡¼¥¹¤òÀßÄꤹ¤ë
243 .B CAP_LINUX_IMMUTABLE
247 .\"O .B FS_IMMUTABLE_FL
248 .\"O .\" These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS
249 .\"O i-node flags (see
250 .\"O .BR chattr (1)).
258 .\" ¤³¤ì¤é¤Î°À¤Ï ext2, ext3, Reiserfs, XFS, JFS ¤ÇÍøÍѲÄǽ¤Ç¤¢¤ë¡£
260 .\"O .BR CAP_MAC_ADMIN " (since Linux 2.6.25)"
261 .BR CAP_MAC_ADMIN " (Linux 2.6.25 °Ê¹ß)"
262 .\"O Override Mandatory Access Control (MAC).
263 .\"O Implemented for the Smack Linux Security Module (LSM).
264 ¶¯À©¥¢¥¯¥»¥¹À©¸æ (MAC) ¤ò¾å½ñ¤¤¹¤ë¡£
265 Smack Linux Security Module (LSM) ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
267 .\"O .BR CAP_MAC_OVERRIDE " (since Linux 2.6.25)"
268 .BR CAP_MAC_OVERRIDE " (Linux 2.6.25 °Ê¹ß)"
269 .\"O Allow MAC configuration or state changes.
270 .\"O Implemented for the Smack LSM.
271 MAC ¤ÎÀßÄê¤ä¾õÂÖ¤òÊѹ¹¤¹¤ë¡£
272 Smack LSM ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
274 .\"O .BR CAP_MKNOD " (since Linux 2.4)"
275 .BR CAP_MKNOD " (Linux 2.4 °Ê¹ß)"
276 .\"O Create special files using
280 ¤ò»ÈÍѤ·¤Æ¥¹¥Ú¥·¥ã¥ë¡¦¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¡£
283 .\"O Perform various network-related operations
284 .\"O (e.g., setting privileged socket options,
285 .\"O enabling multicasting, interface configuration,
286 .\"O modifying routing tables).
287 ³Æ¼ï¤Î¥Í¥Ã¥È¥ï¡¼¥¯´ØÏ¢¤ÎÁàºî¤ò¼Â¹Ô¤¹¤ë¡£
288 (Î㤨¤Ð¡¢Æø¢¤¬É¬Íפʥ½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤òÀßÄꤹ¤ë¡¢¥Þ¥ë¥Á¥¥ã¥¹¥È¤ò͸ú¤Ë¤¹¤ë¡¢
289 ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤òÀßÄꤹ¤ë¡¢¥ë¡¼¥Æ¥£¥ó¥°¥Æ¡¼¥Ö¥ë¤òÊѹ¹¤¹¤ë¤Ê¤É)
291 .B CAP_NET_BIND_SERVICE
292 .\"O Bind a socket to Internet domain privileged ports
293 .\"O (port numbers less than 1024).
294 ¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥É¥á¥¤¥ó¤ÎÆø¢¥Ý¡¼¥È (¥Ý¡¼¥ÈÈֹ椬 1024 ÈÖ̤Ëþ)
298 .\"O (Unused) Make socket broadcasts, and listen to multicasts.
299 (̤»ÈÍÑ) ¥½¥±¥Ã¥È¤Î¥Ö¥í¡¼¥É¥¥ã¥¹¥È¤È¡¢¥Þ¥ë¥Á¥¥ã¥¹¥È¤ÎÂÔ¤Á¼õ¤±¤ò¹Ô¤¦¡£
302 .\"O Use RAW and PACKET sockets.
303 .\"O .\" Also various IP options and setsockopt(SO_BINDTODEVICE)
304 RAW ¥½¥±¥Ã¥È¤È PACKET ¥½¥±¥Ã¥È¤ò»ÈÍѤ¹¤ë¡£
305 .\" ¤Þ¤¿¡¢³Æ¼ï¤Î IP ¥ª¥×¥·¥ç¥ó¤È SO_BINDTODEVICE ¥½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤ò»ÈÍѤǤ¤ë¡£
308 .\"O Make arbitrary manipulations of process GIDs and supplementary GID list;
309 .\"O forge GID when passing socket credentials via UNIX domain sockets.
310 ¥×¥í¥»¥¹¤Î GID ¤ÈÄɲäΠGID ¥ê¥¹¥È¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî¤ò¹Ô¤¦¡£
311 UNIX ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
312 µ¶¤Î GID ¤òÅϤ¹¤³¤È¤¬¤Ç¤¤ë¡£
314 .\"O .BR CAP_SETFCAP " (since Linux 2.6.24)"
315 .BR CAP_SETFCAP " (Linux 2.6.24 °Ê¹ß)"
316 .\"O Set file capabilities.
317 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꤹ¤ë¡£
320 .\"O If file capabilities are not supported:
321 .\"O grant or remove any capability in the
322 .\"O caller's permitted capability set to or from any other process.
323 .\"O (This property of
325 .\"O is not available when the kernel is configured to support
326 .\"O file capabilities, since
328 .\"O has entirely different semantics for such kernels.)
329 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç:
330 ¸Æ¤Ó½Ð¤·¸µ¤¬µö²Ä¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¡¢
331 ¾¤Î¥×¥í¥»¥¹¤ËÉÕÍ¿¤·¤¿¤ê¡¢ºï½ü¤·¤¿¤ê¤Ç¤¤ë¡£
332 (¥«¡¼¥Í¥ë¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¾ì¹ç¡¢
334 ¤Ï¤³¤ÎÌò³ä¤ò»ý¤¿¤Ê¤¤¡£
335 ¤Ê¤¼¤Ê¤é¡¢¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¥«¡¼¥Í¥ë¤Ç¤Ï
337 ¤ÏÁ´¤¯Ê̤ΰÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£)
339 .\"O If file capabilities are supported:
340 .\"O add any capability from the calling thread's bounding set
341 .\"O to its inheritable set;
342 .\"O drop capabilities from the bounding set (via
344 .\"O .BR PR_CAPBSET_DROP );
345 .\"O make changes to the
348 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç:
349 ¸Æ¤Ó½Ð¤·¸µ¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
350 ¼«¿È¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ËÄɲäǤ¤ë¡£
354 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤Ç¤¤ë¡£
359 .\"O Make arbitrary manipulations of process UIDs
360 .\"O .RB ( setuid (2),
361 .\"O .BR setreuid (2),
362 .\"O .BR setresuid (2),
363 .\"O .BR setfsuid (2));
364 .\"O make forged UID when passing socket credentials via UNIX domain sockets.
365 ¥×¥í¥»¥¹¤Î UID ¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî
371 UNIX ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
372 µ¶¤Î UID ¤òÅϤ¹¤³¤È¤¬¤Ç¤¤ë¡£
373 .\" FIXME CAP_SETUID also an effect in exec(); document this.
379 .\"O Perform a range of system administration operations including:
380 .\"O .BR quotactl (2),
384 .\"O .BR swapoff (2),
385 .\"O .BR sethostname (2),
387 .\"O .BR setdomainname (2);
388 °Ê²¼¤Î¥·¥¹¥Æ¥à´ÉÍýÍѤÎÁàºî¤ò¼Â¹Ô¤¹¤ë:
395 .BR setdomainname (2).
401 .\"O operations on arbitrary System V IPC objects;
402 Ǥ°Õ¤Î System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ë
408 .\"O perform operations on
412 .\"O Extended Attributes (see
418 ¤ËÂФ¹¤ëÁàºî¤ò¼Â¹Ô¤¹¤ë
423 .\"O .BR lookup_dcookie (2);
424 .BR lookup_dcookie (2)
428 .\"O .BR ioprio_set (2)
430 .\"O .B IOPRIO_CLASS_RT
431 .\"O and (before Linux 2.6.25)
432 .\"O .B IOPRIO_CLASS_IDLE
433 .\"O I/O scheduling classes;
435 ¤ò»È¤Ã¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹
436 .BR IOPRIO_CLASS_RT ,
439 .RB ( IOPRIO_CLASS_IDLE
440 ¤Ï Linux 2.6.25 ¤è¤êÁ°¤Î¥Ð¡¼¥¸¥ç¥ó¤Î¤ß)¡£
442 .\"O forge UID when passing socket credentials;
443 ¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ëµ¶¤Î UID ¤òÅϤ¹¡£
446 .\"O .IR /proc/sys/fs/file-max ,
447 .\"O the system-wide limit on the number of open files,
448 .\"O in system calls that open files (e.g.,
453 ¥Õ¥¡¥¤¥ë¤ò¥ª¡¼¥×¥ó¤¹¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë (Î㤨¤Ð
458 ¤Ç¥·¥¹¥Æ¥àÁ´ÂΤǥª¡¼¥×¥ó¤Ç¤¤ë¥Õ¥¡¥¤¥ë¿ô¤Î¾å¸Â
459 .I /proc/sys/fs/file-max
467 .\"O .BR unshare (2);
478 .\"O .B KEYCTL_SETPERM
490 .\"O .B MADV_HWPOISON
503 .\"O .BR kexec_load (2).
516 .\"O Load and unload kernel modules
518 .\"O .BR init_module (2)
520 .\"O .BR delete_module (2));
521 .\"O in kernels before 2.6.25:
522 .\"O drop capabilities from the system-wide capability bounding set.
523 ¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¡¢¥¢¥ó¥í¡¼¥É¤ò¹Ô¤¦
524 .RB ( init_module (2)
526 .BR delete_module (2)
528 ¥Ð¡¼¥¸¥ç¥ó 2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¡¢
529 ¥·¥¹¥Æ¥àÁ´ÂΤΥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set)
530 ¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³°¤¹¡£
536 .\"O Raise process nice value
538 .\"O .BR setpriority (2))
539 .\"O and change the nice value for arbitrary processes;
540 ¥×¥í¥»¥¹¤Î nice Ãͤΰú¤¾å¤²
543 ¤ä¡¢Ç¤°Õ¤Î¥×¥í¥»¥¹¤Î nice ÃͤÎÊѹ¹¤ò¹Ô¤¦¡£
545 .\"O set real-time scheduling policies for calling process,
546 .\"O and set scheduling policies and priorities for arbitrary processes
547 .\"O .RB ( sched_setscheduler (2),
548 .\"O .BR sched_setparam (2));
549 ¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤ËÂФ¹¤ë¥ê¥¢¥ë¥¿¥¤¥à¡¦¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤È¡¢
550 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤ÈÍ¥ÀèÅÙ¤òÀßÄꤹ¤ë
551 .RB ( sched_setscheduler (2),
552 .BR sched_setparam (2))¡£
554 .\"O set CPU affinity for arbitrary processes
555 .\"O .RB ( sched_setaffinity (2));
556 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë CPU affinity ¤òÀßÄê¤Ç¤¤ë
557 .RB ( sched_setaffinity (2))¡£
559 .\"O set I/O scheduling class and priority for arbitrary processes
560 .\"O .RB ( ioprio_set (2));
561 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹¤ÈÍ¥ÀèÅÙ¤òÀßÄê¤Ç¤¤ë
562 .RB ( ioprio_set (2))¡£
565 .\"O .BR migrate_pages (2)
566 .\"O to arbitrary processes and allow processes
567 .\"O to be migrated to arbitrary nodes;
568 .BR migrate_pages (2)
569 ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËŬÍѤ·¡¢¥×¥í¥»¥¹¤òǤ°Õ¤Î¥Î¡¼¥É¤Ë°ÜÆ°¤¹¤ë¡£
570 .\" FIXME CAP_SYS_NICE also has the following effect for
571 .\" migrate_pages(2):
572 .\" do_migrate_pages(mm, &old, &new,
573 .\" capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
576 .\"O .BR move_pages (2)
577 .\"O to arbitrary processes;
579 ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ¹Ô¤¦¡£
582 .\"O .B MPOL_MF_MOVE_ALL
586 .\"O .BR move_pages (2).
603 .\"O Trace arbitrary processes using
606 .\"O .BR get_robust_list (2)
607 .\"O to arbitrary processes.
609 ¤ò»È¤Ã¤ÆǤ°Õ¤Î¥×¥í¥»¥¹¤ò¥È¥ì¡¼¥¹¤¹¤ë¡£
611 .BR get_robust_list (2)
615 .\"O Perform I/O port operations
618 .\"O .BR ioperm (2));
620 .\"O .IR /proc/kcore .
621 I/O ¥Ý¡¼¥ÈÁàºî¤ò¼Â¹Ô¤¹¤ë
632 .\"O Use reserved space on ext2 file systems;
633 ext2 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¾å¤ÎͽÌ󤵤ì¤Æ¤¤¤ëÎΰè¤ò»ÈÍѤ¹¤ë¡£
637 .\"O calls controlling ext3 journaling;
638 ext3 ¤Î¥¸¥ã¡¼¥Ê¥ëµ¡Ç½¤òÀ©¸æ¤¹¤ë
642 .\"O override disk quota limits;
643 ¥Ç¥£¥¹¥¯ quota ¤Î¾å¸Â¤ò¾å½ñ¤¤¹¤ë¡£
645 .\"O increase resource limits (see
646 .\"O .BR setrlimit (2));
648 .RB ( setrlimit (2))¡£
654 ¥ê¥½¡¼¥¹À©¸Â¤ò¾å½ñ¤¤¹¤ë¡£
658 .\"O limit for a System V message queue above the limit in
659 .\"O .I /proc/sys/kernel/msgmnb
663 .\"O .BR msgctl (2)).
664 ¥á¥Ã¥»¡¼¥¸¥¥å¡¼¤Ë´Ø¤¹¤ë¾å¸Â
667 .I /proc/sys/kernel/msgmnb
668 ¤Ë»ØÄꤵ¤ì¤Æ¤¤¤ë¾å¸Â¤è¤ê¤âÂ礤¯ÀßÄꤹ¤ë
675 .\"O .BR F_SETPIPE_SZ
676 .\"O to increase the capacity of a pipe above the limit specified by
677 .\"O .IR /proc/sys/fs/pipe-max-size .
678 .I /proc/sys/fs/pipe-max-size
679 ¤Ë»ØÄꤵ¤ì¤Æ¤¤¤ë¾å¸Â¤òĶ¤¨¤Æ¥Ñ¥¤¥×¤ÎÍÆÎ̤òÁý¤ä¤¹¤Î¤Ë
686 .\"O Set system clock
687 .\"O .RB ( settimeofday (2),
689 .\"O .BR adjtimex (2));
690 .\"O set real-time (hardware) clock.
691 ¥·¥¹¥Æ¥à¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë
692 .RB ( settimeofday (2),
695 ¥ê¥¢¥ë¥¿¥¤¥à (¥Ï¡¼¥É¥¦¥§¥¢) ¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë¡£
697 .B CAP_SYS_TTY_CONFIG
699 .\"O .BR vhangup (2).
703 .\"O .SS Past and Current Implementation
705 .\"O A full implementation of capabilities requires that:
706 ´°Á´¤Ê·Á¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼ÂÁõ¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤ÎÍ×·ï¤òËþ¤¿¤¹É¬Íפ¬¤¢¤ë¡§
708 .\"O For all privileged operations,
709 .\"O the kernel must check whether the thread has the required
710 .\"O capability in its effective set.
711 Á´¤Æ¤ÎÆø¢Áàºî¤Ë¤Ä¤¤¤Æ¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
712 ɬÍפʥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¤¢¤ë¤«¤ò³Îǧ¤¹¤ë¡£
714 .\"O The kernel must provide system calls allowing a thread's capability sets to
715 .\"O be changed and retrieved.
716 ¥«¡¼¥Í¥ë¤Ç¡¢¤¢¤ë¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÊѹ¹¤·¤¿¤ê¡¢
717 ¼èÆÀ¤·¤¿¤ê¤Ç¤¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë¤¬Ä󶡤µ¤ì¤ë¡£
719 .\"O The file system must support attaching capabilities to an executable file,
720 .\"O so that a process gains those capabilities when the file is executed.
721 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤¬¡¢¼Â¹Ô²Äǽ¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÉÕÍ¿¤Ç¤¡¢¥Õ¥¡¥¤¥ë
722 ¼Â¹Ô»þ¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥×¥í¥»¥¹¤¬¼èÆÀ¤Ç¤¤ë¤è¤¦¤Êµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤¹¤ë¡£
724 .\"O Before kernel 2.6.24, only the first two of these requirements are met;
725 .\"O since kernel 2.6.24, all three requirements are met.
726 ¥«¡¼¥Í¥ë 2.6.24 ¤è¤êÁ°¤Ç¤Ï¡¢ºÇ½é¤Î 2¤Ä¤ÎÍ×·ï¤Î¤ß¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
727 ¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢3¤Ä¤ÎÍ׷魯¤Ù¤Æ¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
729 .\"O .SS Thread Capability Sets
730 .SS ¥¹¥ì¥Ã¥É¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
731 .\"O Each thread has three capability sets containing zero or more
732 .\"O of the above capabilities:
733 ³Æ¥¹¥ì¥Ã¥É¤Ï°Ê²¼¤Î 3¼ïÎà¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»ý¤Ä¡£³Æ¡¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
734 ¾åµ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÁȤ߹ç¤ï¤»¤Ç¤¢¤ë (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ç¤â¤è¤¤)¡£
737 .\"O This is a limiting superset for the effective
738 .\"O capabilities that the thread may assume.
739 .\"O It is also a limiting superset for the capabilities that
740 .\"O may be added to the inheritable set by a thread that does not have the
742 .\"O capability in its effective set.
743 .IR "µö²Ä (permitted)" :
744 ¤½¤Î¥¹¥ì¥Ã¥É¤¬»ý¤Ä¤³¤È¤Ë¤Ê¤Ã¤Æ¤¤¤ë¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î
745 ¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤¢¤ë¡£
746 ¤³¤ì¤Ï¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
748 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¥¹¥ì¥Ã¥É¤¬·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
749 ÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤â¤¢¤ë¡£
751 .\"O If a thread drops a capability from its permitted set,
752 .\"O it can never reacquire that capability (unless it
754 .\"O either a set-user-ID-root program, or
755 .\"O a program whose associated file capabilities grant that capability).
756 µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤Ã¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¡¢
757 (set-user-ID-root ¥×¥í¥°¥é¥à¤«¡¢
758 ¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Çµö²Ä¤·¤Æ¤¤¤ë¥×¥í¥°¥é¥à¤ò
760 ¤·¤Ê¤¤¸Â¤ê¤Ï) ¤â¤¦°ìÅÙ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
762 .\"O .IR Inheritable :
763 .\"O This is a set of capabilities preserved across an
765 .\"O It provides a mechanism for a process to assign capabilities
766 .\"O to the permitted set of the new program during an
768 .IR "·Ñ¾µ²Äǽ (inheritable)" :
770 ¤òÁ°¸å¤ÇÊÝ»ý¤µ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
771 ¤³¤Î»ÅÁȤߤò»È¤¦¤³¤È¤Ç¡¢¤¢¤ë¥×¥í¥»¥¹¤¬
773 ¤ò¹Ô¤¦ºÝ¤Ë¿·¤·¤¤¥×¥í¥°¥é¥à¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ
774 ³ä¤êÅö¤Æ¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
777 .\"O This is the set of capabilities used by the kernel to
778 .\"O perform permission checks for the thread.
779 .IR "¼Â¸ú (effective)" :
780 ¥«¡¼¥Í¥ë¤¬¥¹¥ì¥Ã¥É¤Î¸¢¸Â (permission) ¤ò¥Á¥§¥Ã¥¯¤¹¤ë¤È¤¤Ë
781 »ÈÍѤ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
783 .\"O A child created via
785 .\"O inherits copies of its parent's capability sets.
786 .\"O See below for a discussion of the treatment of capabilities during
789 ¤ÇºîÀ®¤µ¤ì¤ë»Ò¥×¥í¥»¥¹¤Ï¡¢¿Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¥³¥Ô¡¼¤ò·Ñ¾µ¤¹¤ë¡£
791 Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î°·¤¤¤Ë¤Ä¤¤¤Æ¤Ï²¼µ¤ò»²¾È¤Î¤³¤È¡£
795 .\"O a thread may manipulate its own capability sets (see below).
797 ¤ò»È¤¦¤È¡¢¥×¥í¥»¥¹¤Ï¼«Ê¬¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
798 ¤òÁàºî¤¹¤ë¤³¤È¤¬¤Ç¤¤ë (²¼µ»²¾È)¡£
800 .\"O .SS File Capabilities
801 .SS ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
802 .\"O Since kernel 2.6.24, the kernel supports
803 .\"O associating capability sets with an executable file using
805 .\"O The file capability sets are stored in an extended attribute (see
806 .\"O .BR setxattr (2))
808 .\"O .IR "security.capability" .
809 .\"O Writing to this extended attribute requires the
812 ¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢
814 ¤ò»È¤Ã¤Æ¼Â¹Ô¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÂбþÉÕ¤±¤ë¤³¤È¤¬¤Ç¤¤ë¡£
815 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
816 .I "security.capability"
817 ¤È¤¤¤¦Ì¾Á°¤Î³Èĥ°À¤ËÊݸ¤µ¤ì¤ë
819 »²¾È)¡£¤³¤Î³Èĥ°À¤Ø¤Î½ñ¤¹þ¤ß¤Ë¤Ï
821 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£
822 .\"O The file capability sets,
823 .\"O in conjunction with the capability sets of the thread,
824 .\"O determine the capabilities of a thread after an
826 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎξÊý¤¬
829 ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬·èÄꤵ¤ì¤ë¡£
831 .\"O The three file capability sets are:
832 3 ¤Ä¤Î¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤ë¡£
834 .\"O .IR Permitted " (formerly known as " forced ):
835 .\"O These capabilities are automatically permitted to the thread,
836 .\"O regardless of the thread's inheritable capabilities.
837 .IR "µö²Ä (Permitted)" " (°ÊÁ°¤Î" "¶¯À© (Forced)" "):"
838 ¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤ï¤é¤º¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ë¼«Æ°Åª¤Ë
839 ǧ¤á¤é¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡£
841 .\"O .IR Inheritable " (formerly known as " allowed ):
842 .\"O This set is ANDed with the thread's inheritable set to determine which
843 .\"O inheritable capabilities are enabled in the permitted set of
844 .\"O the thread after the
846 .IR "·Ñ¾µ²Äǽ (Inheritable)" " (°ÊÁ°¤Î " "µöÍÆ (Allowed)" "):"
847 ¤³¤Î¥»¥Ã¥È¤È¡¢¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤Î
848 ÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¡¢
850 ¤Î¸å¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤È¤Ê¤ë
851 ·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬·èÄꤵ¤ì¤ë¡£
854 .IR "¼Â¸ú (Effective)" :
855 .\"O This is not a set, but rather just a single bit.
856 .\"O If this bit is set, then during an
858 .\"O all of the new permitted capabilities for the thread are
859 .\"O also raised in the effective set.
860 .\"O If this bit is not set, then after an
862 .\"O none of the new permitted capabilities is in the new effective set.
863 ¤³¤ì¤Ï½¸¹ç¤Ç¤Ï¤Ê¤¯¡¢1 ¥Ó¥Ã¥È¤Î¾ðÊó¤Ç¤¢¤ë¡£
864 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤È¡¢
866 ¼Â¹ÔÃæ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Î¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Á´¤Æ
867 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç¤Ë¤ª¤¤¤Æ¤â¥»¥Ã¥È¤µ¤ì¤ë¡£
868 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
870 ¸å¤Ë¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤É¤ì¤â¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç
873 .\"O Enabling the file effective capability bit implies
874 .\"O that any file permitted or inheritable capability that causes a
875 .\"O thread to acquire the corresponding permitted capability during an
877 .\"O (see the transformation rules described below) will also acquire that
878 .\"O capability in its effective set.
879 ¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤ò͸ú¤Ë¤¹¤ë¤È¤¤¤¦¤Î¤Ï¡¢
881 ¼Â¹Ô»þ¤Ë¡¢¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È·Ñ¾µ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂбþ¤¹¤ë¤â¤Î¤¬
882 ¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ¥»¥Ã¥È¤µ¤ì¤ë¤¬¡¢
883 ¤³¤ì¤¬¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¤â¥»¥Ã¥È¤µ¤ì¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë
884 (¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹¥ë¡¼¥ë¤Ï²¼µ»²¾È)¡£
885 .\"O Therefore, when assigning capabilities to a file
886 .\"O .RB ( setcap (8),
887 .\"O .BR cap_set_file (3),
888 .\"O .BR cap_set_fd (3)),
889 .\"O if we specify the effective flag as being enabled for any capability,
890 .\"O then the effective flag must also be specified as enabled
891 .\"O for all other capabilities for which the corresponding permitted or
892 .\"O inheritable flags is enabled.
893 ¤·¤¿¤¬¤Ã¤Æ¡¢¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ä¤êÅö¤Æ¤ëºÝ
895 .BR cap_set_file (3),
896 .BR cap_set_fd (3))¡¢
897 ¤¤¤º¤ì¤«¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ¼Â¸ú¥Õ¥é¥°¤ò͸ú¤È»ØÄꤹ¤ë¾ì¹ç¡¢
898 µö²Ä¥Õ¥é¥°¤ä·Ñ¾µ²Äǽ¥Õ¥é¥°¤ò͸ú¤Ë¤·¤¿Â¾¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
899 ¤Ë¤Ä¤¤¤Æ¤â¼Â¸ú¥Õ¥é¥°¤ò͸ú¤È»ØÄꤷ¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
901 .\"O .SS Transformation of Capabilities During execve()
902 .SS "execve() Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹"
906 .\"O the kernel calculates the new capabilities of
907 .\"O the process using the following algorithm:
909 ¼Â¹Ô»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥×¥í¥»¥¹¤Î¿·¤·¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼¡¤Î
910 ¥¢¥ë¥´¥ê¥º¥à¤òÍѤ¤¤Æ·×»»¤¹¤ë¡§
914 P'(permitted) = (P(inheritable) & F(inheritable)) |
915 (F(permitted) & cap_bset)
917 P'(effective) = F(effective) ? P'(permitted) : 0
919 .\"O P'(inheritable) = P(inheritable) [i.e., unchanged]
920 P'(inheritable) = P(inheritable) [¤Ä¤Þ¤ê¡¢Êѹ¹¤µ¤ì¤Ê¤¤]
925 ³ÆÊÑ¿ô¤Î°ÕÌ£¤Ï°Ê²¼¤ÎÄ̤ê:
928 .\"O denotes the value of a thread capability set before the
931 Á°¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
933 .\"O denotes the value of a capability set after the
936 ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
938 .\"O denotes a file capability set
939 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
941 .\"O is the value of the capability bounding set (described below).
942 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÃÍ (²¼µ»²¾È)
945 .\"O .SS Capabilities and execution of programs by root
946 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô
947 .\"O In order to provide an all-powerful
949 .\"O using capability sets, during an
952 »þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»È¤Ã¤Æ¡¢Á´¤Æ¤Î¸¢¸Â¤ò»ý¤Ã¤¿
954 ¤ò¼Â¸½¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
956 .\"O If a set-user-ID-root program is being executed,
957 .\"O or the real user ID of the process is 0 (root)
958 .\"O then the file inheritable and permitted sets are defined to be all ones
959 .\"O (i.e., all capabilities enabled).
960 set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
961 ¤Þ¤¿¤Ï¥×¥í¥»¥¹¤Î¼Â¥æ¡¼¥¶ ID ¤¬ 0 (root) ¤Î¾ì¹ç¡¢
962 ¥Õ¥¡¥¤¥ë¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤òÁ´¤Æ 1
963 (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú) ¤ËÄêµÁ¤¹¤ë¡£
965 .\"O If a set-user-ID-root program is being executed,
966 .\"O then the file effective bit is defined to be one (enabled).
967 set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
968 ¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤ò 1 (enabled) ¤ËÄêµÁ¤¹¤ë¡£
970 .\"O The upshot of the above rules,
971 .\"O combined with the capabilities transformations described above,
972 .\"O is that when a process
974 .\"O a set-user-ID-root program, or when a process with an effective UID of 0
977 .\"O it gains all capabilities in its permitted and effective capability sets,
978 .\"O except those masked out by the capability bounding set.
979 .\"O .\" If a process with real UID 0, and nonzero effective UID does an
980 .\"O .\" exec(), then it gets all capabilities in its
981 .\"O .\" permitted set, and no effective capabilities
982 .\"O This provides semantics that are the same as those provided by
983 .\"O traditional UNIX systems.
984 ¾åµ¤Î¥ë¡¼¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ÊÑ´¹¤òŬÍѤ·¤¿·ë²Ì¤ò¤Þ¤È¤á¤ë¤È¡¢
985 ¥×¥í¥»¥¹¤¬ set-user-ID-root ¥×¥í¥°¥é¥à¤ò
987 ¤¹¤ë¾ì¹ç¡¢¤Þ¤¿¤Ï¼Â¸ú UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬¥×¥í¥°¥é¥à¤ò
989 ¤¹¤ë¾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
990 (Àµ³Î¤Ë¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë¤è¤ë¥Þ¥¹¥¯¤Ç½ü³°¤µ¤ì¤ë¤â¤Î
991 °Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£) ¤ò¼èÆÀ¤¹¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
992 .\" ¼Â UID ¤¬ 0 ¤Ç¼Â¸ú UID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹¤¬ exec () ¤ò¹Ô¤¦¤È¡¢
993 .\" µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
994 .\" ¤¬¼èÆÀ¤µ¤ì¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼èÆÀ¤µ¤ì¤Ê¤¤¡£
995 ¤³¤ì¤Ë¤è¤ê¡¢ÅÁÅýŪ¤Ê UNIX ¥·¥¹¥Æ¥à¤ÈƱ¤¸¿¶¤ëÉñ¤¤¤¬¤Ç¤¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
996 .\"O .SS Capability bounding set
997 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
998 .\"O The capability bounding set is a security mechanism that can be used
999 .\"O to limit the capabilities that can be gained during an
1000 .\"O .BR execve (2).
1001 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set) ¤Ï¡¢
1003 »þ¤Ë³ÍÆÀ¤Ç¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë
1004 ¥»¥¥å¥ê¥Æ¥£µ¡¹½¤Ç¤¢¤ë¡£
1005 .\"O The bounding set is used in the following ways:
1006 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï°Ê²¼¤Î¤è¤¦¤Ë»ÈÍѤµ¤ì¤ë¡£
1009 .\"O .BR execve (2),
1010 .\"O the capability bounding set is ANDed with the file permitted
1011 .\"O capability set, and the result of this operation is assigned to the
1012 .\"O thread's permitted capability set.
1013 .\"O The capability bounding set thus places a limit on the permitted
1014 .\"O capabilities that may be granted by an executable file.
1016 ¼Â¹Ô»þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤È
1017 ¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÏÀÍýÏ (AND) ¤ò¼è¤Ã¤¿¤â¤Î¤¬¡¢
1018 ¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë³ä¤êÅö¤Æ¤é¤ì¤ë¡£
1019 ¤Ä¤Þ¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
1020 ¼Â¹Ô¥Õ¥¡¥¤¥ë¤¬Ç§¤á¤Æ¤¤¤ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ
1021 À©¸Â¤ò²Ý¤¹Æ¯¤¤ò¤¹¤ë¡£
1023 .\"O (Since Linux 2.6.25)
1024 .\"O The capability bounding set acts as a limiting superset for
1025 .\"O the capabilities that a thread can add to its inheritable set using
1026 .\"O .BR capset (2).
1027 .\"O This means that if a capability is not in the bounding set,
1028 .\"O then a thread can't add this capability to its
1029 .\"O inheritable set, even if it was in its permitted capabilities,
1030 .\"O and thereby cannot have this capability preserved in its
1031 .\"O permitted set when it
1032 .\"O .BR execve (2)s
1033 .\"O a file that has the capability in its inheritable set.
1035 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢¥¹¥ì¥Ã¥É¤¬
1037 ¤Ë¤è¤ê¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊ콸ÃĤò
1038 À©¸Â¤¹¤ëÌò³ä¤ò»ý¤Ä¡£
1039 ¥¹¥ì¥Ã¥É¤Ëµö²Ä¤µ¤ì¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤¢¤Ã¤Æ¤â¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
1040 ´Þ¤Þ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë
1041 ÄɲäǤ¤º¡¢¤½¤Î·ë²Ì¡¢·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò´Þ¤à¥Õ¥¡¥¤¥ë¤ò
1043 ¤¹¤ë¾ì¹ç¡¢¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¥»¥Ã¥È¤Ë»ý¤Á³¤±¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¡¢
1046 .\"O Note that the bounding set masks the file permitted capabilities,
1047 .\"O but not the inherited capabilities.
1048 .\"O If a thread maintains a capability in its inherited set
1049 .\"O that is not in its bounding set,
1050 .\"O then it can still gain that capability in its permitted set
1051 .\"O by executing a file that has the capability in its inherited set.
1052 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬¥Þ¥¹¥¯¤ò¹Ô¤¦¤Î¤Ï¡¢·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤Ï¤Ê¤¯¡¢
1053 ¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥Þ¥¹¥¯¤ò¹Ô¤¦ÅÀ¤ËÃí°Õ¤¹¤ë¤³¤È¡£
1054 ¤¢¤ë¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
1055 ¸ºß¤·¤Ê¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬´Þ¤Þ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¡¢
1056 ·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¥Õ¥¡¥¤¥ë¤ò¼Â¹Ô¤¹¤ë¤³¤È¤Ë¤è¤ê¡¢
1057 µö²Ä¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤â³ÍÆÀ¤Ç¤¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
1059 .\"O Depending on the kernel version, the capability bounding set is either
1060 .\"O a system-wide attribute, or a per-process attribute.
1061 ¥«¡¼¥Í¥ë¤Î¥Ð¡¼¥¸¥ç¥ó¤Ë¤è¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1062 ¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ¤Î¾ì¹ç¤È¡¢¥×¥í¥»¥¹Ã±°Ì¤Î°À¤Î¾ì¹ç¤¬¤¢¤ë¡£
1064 .\"O .B "Capability bounding set prior to Linux 2.6.25"
1065 .B "Linux 2.6.25 ¤è¤êÁ°¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
1067 .\"O In kernels before 2.6.25, the capability bounding set is a system-wide
1068 .\"O attribute that affects all threads on the system.
1069 2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1070 ¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ¤Ç¡¢¥·¥¹¥Æ¥à¾å¤ÎÁ´¤Æ¤Î¥¹¥ì¥Ã¥É¤ËŬÍѤµ¤ì¤ë¡£
1071 .\"O The bounding set is accessible via the file
1072 .\"O .IR /proc/sys/kernel/cap-bound .
1073 .\"O motoki: accessible = ¡Ö»²¾È²Äǽ¡×¤Ç¤è¤¤¤«¡¢Ê¸Ì®¤òÍ׳Îǧ
1074 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1075 .I /proc/sys/kernel/cap-bound
1076 ¥Õ¥¡¥¤¥ë·Ðͳ¤Ç»²¾È¤Ç¤¤ë¡£
1077 .\"O (Confusingly, this bit mask parameter is expressed as a
1078 .\"O signed decimal number in
1079 .\"O .IR /proc/sys/kernel/cap-bound .)
1080 (´Ö°ã¤¨¤ä¤¹¤¤¤¬¡¢¤³¤Î¥Ó¥Ã¥È¥Þ¥¹¥¯·Á¼°¤Î¥Ñ¥é¥á¡¼¥¿¤Ï¡¢
1081 .I /proc/sys/kernel/cap-bound
1082 ¤Ç¤ÏÉä¹æÉÕ¤¤Î½½¿Ê¿ô¤Çɽ¸½¤µ¤ì¤ë¡£)
1086 .\"O process may set capabilities in the capability bounding set;
1087 .\"O other than that, the superuser (more precisely: programs with the
1088 .\"O .B CAP_SYS_MODULE
1089 .\"O capability) may only clear capabilities from this set.
1091 ¥×¥í¥»¥¹¤À¤±¤¬¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
1092 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥»¥Ã¥È¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1093 ¤½¤ì°Ê³°¤Ç¤Ï¡¢¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶ (¤è¤êÀµ³Î¤Ë¤Ï¡¢
1095 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à) ¤¬¡¢
1096 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥¯¥ê¥¢¤¬
1099 .\"O On a standard system the capability bounding set always masks out the
1102 .\"O To remove this restriction (dangerous!), modify the definition of
1103 .\"O .B CAP_INIT_EFF_SET
1105 .\"O .I include/linux/capability.h
1106 .\"O and rebuild the kernel.
1107 Ä̾ï¤Î¥·¥¹¥Æ¥à¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
1109 ¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
1110 ¤³¤ÎÀ©¸Â¤ò¼è¤êµî¤ë¤Ë¤Ï (¼è¤êµî¤ë¤Î¤Ï´í¸±!)¡¢
1111 .I include/linux/capability.h
1114 ¤ÎÄêµÁ¤ò½¤Àµ¤·¡¢¥«¡¼¥Í¥ë¤òºÆ¹½ÃÛ¤¹¤ëɬÍפ¬¤¢¤ë¡£
1116 .\"O The system-wide capability bounding set feature was added
1117 .\"O to Linux starting with kernel version 2.2.11.
1118 ¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥Èµ¡Ç½¤Ï¡¢
1119 ¥«¡¼¥Í¥ë 2.2.11 °Ê¹ß¤Ç Linux ¤ËÄɲ䵤줿¡£
1122 .\"O .B "Capability bounding set from Linux 2.6.25 onward"
1123 .B "Linux 2.6.25 °Ê¹ß¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
1125 .\"O From Linux 2.6.25, the
1126 .\"O .I "capability bounding set"
1127 .\"O is a per-thread attribute.
1128 .\"O (There is no longer a system-wide capability bounding set.)
1129 Linux 2.6.25 °Ê¹ß¤Ç¤Ï¡¢
1130 ¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¡×¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À¤Ç¤¢¤ë
1131 (¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¤â¤Ï¤ä¸ºß¤·¤Ê¤¤)¡£
1133 .\"O The bounding set is inherited at
1135 .\"O from the thread's parent, and is preserved across an
1136 .\"O .BR execve (2).
1137 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1139 »þ¤Ë¤Ï¥¹¥ì¥Ã¥É¤Î¿Æ¥×¥í¥»¥¹¤«¤é·Ñ¾µ¤µ¤ì¡¢
1141 ¤ÎÁ°¸å¤Ç¤ÏÊÝ»ý¤µ¤ì¤ë¡£
1143 .\"O A thread may remove capabilities from its capability bounding set using the
1145 .\"O .B PR_CAPBSET_DROP
1146 .\"O operation, provided it has the
1149 .\"O Once a capability has been dropped from the bounding set,
1150 .\"O it cannot be restored to that set.
1151 .\"O A thread can determine if a capability is in its bounding set using the
1153 .\"O .B PR_CAPBSET_READ
1157 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï
1161 Áàºî¤ò»È¤Ã¤Æ¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é
1162 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1163 ¤¤¤Ã¤¿¤ó¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤¦¤È¡¢
1164 ¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºÆÅÙ¥»¥Ã¥È¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
1168 Áàºî¤ò»È¤¦¤³¤È¤Ç¡¢¥¹¥ì¥Ã¥É¤¬¤¢¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¼«¿È¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
1169 ¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¤«¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
1171 .\"O Removing capabilities from the bounding set is only supported if file
1172 .\"O capabilities are compiled into the kernel
1173 .\"O (CONFIG_SECURITY_FILE_CAPABILITIES).
1174 .\"O In that case, the
1176 .\"O process (the ancestor of all processes) begins with a full bounding set.
1177 .\"O If file capabilities are not compiled into the kernel, then
1179 .\"O begins with a full bounding set minus
1180 .\"O .BR CAP_SETPCAP ,
1181 .\"O because this capability has a different meaning when there are
1182 .\"O no file capabilities.
1183 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Îºï½ü¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤ë¤Î¤Ï¡¢
1184 ¥«¡¼¥Í¥ë¤Î¥³¥ó¥Ñ¥¤¥ë»þ¤Ë¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç
1185 (CONFIG_SECURITY_FILE_CAPABILITIES) ¤À¤±¤Ç¤¢¤ë¡£
1186 ¤³¤Î¾ì¹ç¤Ë¤Ï¡¢ (Á´¤Æ¤Î¥×¥í¥»¥¹¤ÎÀèÁĤǤ¢¤ë)
1188 ¥×¥í¥»¥¹¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÇÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
1189 ¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
1190 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢
1192 ¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
1194 °Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
1195 ¤³¤Î¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤Î¤Ï¡¢
1197 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï
1198 °ã¤Ã¤¿°ÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£
1200 .\"O Removing a capability from the bounding set does not remove it
1201 .\"O from the thread's inherited set.
1202 .\"O However it does prevent the capability from being added
1203 .\"O back into the thread's inherited set in the future.
1204 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤·¤Æ¤â¡¢
1205 ¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤«¤é¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ïºï½ü¤µ¤ì¤Ê¤¤¡£
1206 ¤·¤«¤·¤Ê¤¬¤é¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Îºï½ü¤Ë¤è¤ê¡¢
1207 ¤³¤ÎÀ褽¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲ乤뤳¤È
1211 .\"O .SS Effect of User ID Changes on Capabilities
1212 .SS "¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á"
1213 .\"O To preserve the traditional semantics for transitions between
1214 .\"O 0 and nonzero user IDs,
1215 .\"O the kernel makes the following changes to a thread's capability
1216 .\"O sets on changes to the thread's real, effective, saved set,
1217 .\"O and file system user IDs (using
1218 .\"O .BR setuid (2),
1219 .\"O .BR setresuid (2),
1221 ¥æ¡¼¥¶ ID ¤¬ 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÊѲ½¤¹¤ëºÝ¤Î¿¶¤ëÉñ¤¤¤ò½¾Íè¤ÈƱ¤¸¤Ë¤¹¤ë¤¿¤á¡¢
1222 ¥¹¥ì¥Ã¥É¤Î¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID¡¢¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
1225 ¤Ê¤É¤ò»È¤Ã¤Æ) Êѹ¹¤µ¤ì¤¿ºÝ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
1228 .\"O If one or more of the real, effective or saved set user IDs
1229 .\"O was previously 0, and as a result of the UID changes all of these IDs
1230 .\"O have a nonzero value,
1231 .\"O then all capabilities are cleared from the permitted and effective
1232 .\"O capability sets.
1233 UID ¤ÎÊѹ¹Á°¤Ë¤Ï¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤Î¤¦¤Á
1234 ¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¡¢Êѹ¹¸å¤Ë¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤¬
1235 ¤¹¤Ù¤Æ 0 °Ê³°¤ÎÃͤˤʤ俾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
1236 Á´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
1238 .\"O If the effective user ID is changed from 0 to nonzero,
1239 .\"O then all capabilities are cleared from the effective set.
1240 ¼Â¸ú UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1241 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
1243 .\"O If the effective user ID is changed from nonzero to 0,
1244 .\"O then the permitted set is copied to the effective set.
1245 ¼Â¸ú UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1246 µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÆâÍƤò¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¥³¥Ô¡¼¤¹¤ë¡£
1248 .\"O If the file system user ID is changed from 0 to nonzero (see
1249 .\"O .BR setfsuid (2))
1250 .\"O then the following capabilities are cleared from the effective set:
1251 .\"O .BR CAP_CHOWN ,
1252 .\"O .BR CAP_DAC_OVERRIDE ,
1253 .\"O .BR CAP_DAC_READ_SEARCH ,
1254 .\"O .BR CAP_FOWNER ,
1255 .\"O .BR CAP_FSETID ,
1256 .\"O .B CAP_LINUX_IMMUTABLE
1257 .\"O (since Linux 2.2.30),
1258 .\"O .BR CAP_MAC_OVERRIDE ,
1261 .\"O (since Linux 2.2.30).
1262 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç
1264 »²¾È)¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î°Ê²¼¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥¯¥ê¥¢¤µ¤ì¤ë:
1266 .BR CAP_DAC_OVERRIDE ,
1267 .BR CAP_DAC_READ_SEARCH ,
1270 .B CAP_LINUX_IMMUTABLE
1271 (Linux 2.2.30 °Ê¹ß),
1272 .BR CAP_MAC_OVERRIDE ,
1274 (Linux 2.2.30 °Ê¹ß)¡£
1275 .\"O If the file system UID is changed from nonzero to 0,
1276 .\"O then any of these capabilities that are enabled in the permitted set
1277 .\"O are enabled in the effective set.
1278 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1279 ¾åµ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤¦¤Áµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤â¤Î¤¬
1280 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤Ë¤µ¤ì¤ë¡£
1282 .\"O If a thread that has a 0 value for one or more of its user IDs wants
1283 .\"O to prevent its permitted capability set being cleared when it resets
1284 .\"O all of its user IDs to nonzero values, it can do so using the
1286 .\"O .B PR_SET_KEEPCAPS
1288 ³Æ¼ï UID ¤Î¤¦¤Á¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¤¢¤ë¥¹¥ì¥Ã¥É¤¬¡¢
1289 ¤½¤Î UID ¤ÎÁ´¤Æ¤¬ 0 °Ê³°¤Ë¤Ê¤Ã¤¿¤È¤¤Ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬
1290 ¥¯¥ê¥¢¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤¿¤¤¾ì¹ç¤Ë¤Ï¡¢
1296 .\"O .SS Programmatically adjusting capability sets
1297 .SS ¥×¥í¥°¥é¥à¤Ç¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÄ´À°¤¹¤ë
1298 .\"O A thread can retrieve and change its capability sets using the
1303 .\"O However, the use of
1304 .\"O .BR cap_get_proc (3)
1306 .\"O .BR cap_set_proc (3),
1307 .\"O both provided in the
1310 .\"O is preferred for this purpose.
1315 ¤ò»È¤Ã¤Æ¡¢¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¼èÆÀ¤·¤¿¤êÊѹ¹¤·¤¿¤ê¤Ç¤¤ë¡£
1316 ¤¿¤À¤·¡¢¤³¤ì¤ò¹Ô¤¦¤Ë¤Ï¡¢
1318 ¥Ñ¥Ã¥±¡¼¥¸¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë
1319 .BR cap_get_proc (3)
1321 .BR cap_set_proc (3)
1322 ¤ò»È¤¦¤Î¤¬Ë¾¤Þ¤·¤¤¡£
1323 .\"O The following rules govern changes to the thread capability sets:
1324 ¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÊѹ¹¤Ë¤Ï°Ê²¼¤Î¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
1326 .\"O If the caller does not have the
1329 .\"O the new inheritable set must be a subset of the combination
1330 .\"O of the existing inheritable and permitted sets.
1331 .\"O [XXX] motoki: combination ¤Ã¤Æ AND ? OR ?
1334 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢
1335 ´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç
1338 .\"O (Since kernel 2.6.25)
1339 .\"O The new inheritable set must be a subset of the combination of the
1340 .\"O existing inheritable set and the capability bounding set.
1341 .\"O [XXX] motoki: combination ¤Ã¤Æ AND ? OR ?
1342 (¥«¡¼¥Í¥ë 2.6.25 °Ê¹ß)
1343 ¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤È¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦
1344 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
1346 .\"O The new permitted set must be a subset of the existing permitted set
1347 .\"O (i.e., it is not possible to acquire permitted capabilities
1348 .\"O that the thread does not currently have).
1349 ¿·¤·¤¤µö²Ä¥»¥Ã¥È¤Ï¡¢´û¸¤Îµö²Ä¥»¥Ã¥È¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤
1350 (¤Ä¤Þ¤ê¡¢¤½¤Î¥¹¥ì¥Ã¥É¤¬¸½ºß»ý¤Ã¤Æ¤¤¤Ê¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
1351 ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤)¡£
1353 .\"O The new effective set must be a subset of the new permitted set.
1354 ¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
1355 Éôʬ½¸¹ç¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
1356 .\"O .SS The """securebits"" flags: establishing a capabilities-only environment
1357 .SS securebits ¥Õ¥é¥°: ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤À¤±¤Î´Ä¶¤ò¹½ÃÛ¤¹¤ë
1358 .\" For some background:
1359 .\" see http://lwn.net/Articles/280279/ and
1360 .\" http://article.gmane.org/gmane.linux.kernel.lsm/5476/
1361 .\"O Starting with kernel 2.6.26,
1362 .\"O and with a kernel in which file capabilities are enabled,
1363 .\"O Linux implements a set of per-thread
1365 .\"O flags that can be used to disable special handling of capabilities for UID 0
1367 ¥«¡¼¥Í¥ë 2.6.26 °Ê¹ß¤Ç¡¢
1368 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤¿¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
1371 ¥Õ¥é¥°¤¬¼ÂÁõ¤µ¤ì¤Æ¤ª¤ê¡¢¤³¤Î¥Õ¥é¥°¤ò»È¤¦¤È UID 0
1373 ¤ËÂФ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÆÃÊÌ°·¤¤¤ò̵¸ú¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1374 .\"O These flags are as follows:
1375 °Ê²¼¤Î¤è¤¦¤Ê¥Õ¥é¥°¤¬¤¢¤ë¡£
1378 .\"O Setting this flag allows a thread that has one or more 0 UIDs to retain
1379 .\"O its capabilities when it switches all of its UIDs to a nonzero value.
1380 .\"O If this flag is not set,
1381 .\"O then such a UID switch causes the thread to lose all capabilities.
1382 .\"O This flag is always cleared on an
1383 .\"O .BR execve (2).
1384 .\"O (This flag provides the same functionality as the older
1386 .\"O .B PR_SET_KEEPCAPS
1388 ¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢UID ¤¬ 0 ¤Î¥¹¥ì¥Ã¥É¤Î UID ¤¬ 0 °Ê³°¤ÎÃͤË
1389 ÀÚ¤êÂؤï¤ëºÝ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò°Ý»ý¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1390 ¤³¤Î¥Õ¥é¥°¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ÎÃͤË
1391 ÀÚ¤êÂؤï¤ë¤È¡¢¤½¤Î¥¹¥ì¥Ã¥É¤ÏÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼º¤¦¡£
1394 »þ¤Ë¤ÏÁ´¤Æ¥¯¥ê¥¢¤µ¤ì¤ë
1395 (¤³¤Î¥Õ¥é¥°¤Ï¡¢°ÊÁ°¤Î
1399 Áàºî¤ÈƱ¤¸µ¡Ç½¤òÄ󶡤¹¤ë¤â¤Î¤Ç¤¢¤ë)¡£
1401 .B SECBIT_NO_SETUID_FIXUP
1402 .\"O Setting this flag stops the kernel from adjusting capability sets when
1403 .\"O the threads's effective and file system UIDs are switched between
1404 .\"O zero and nonzero values.
1405 .\"O (See the subsection
1406 .\"O .IR "Effect of User ID Changes on Capabilities" .)
1407 ¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤¹¤ë¤È¡¢¥¹¥ì¥Ã¥É¤Î¼Â¸ú UID ¤È¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
1408 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÀÚ¤êÂؤï¤Ã¤¿¾ì¹ç¤Ë¡¢
1409 ¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÄ´À°¤ò¹Ô¤ï¤Ê¤¯¤Ê¤ë
1410 (¡Ö¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á¡×¤ÎÀá¤ò»²¾È)¡£
1413 .\"O If this bit is set, then the kernel does not grant capabilities
1414 .\"O when a set-user-ID-root program is executed, or when a process with
1415 .\"O an effective or real UID of 0 calls
1416 .\"O .BR execve (2).
1417 .\"O (See the subsection
1418 .\"O .IR "Capabilities and execution of programs by root" .)
1419 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
1420 set-user-ID-root ¥×¥í¥°¥é¥à¤Î¼Â¹Ô»þ¤ä¡¢
1421 ¼Â¸ú UID ¤« ¼Â UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬
1423 ¤ò¸Æ¤Ó½Ð¤·¤¿»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¤·¤Ê¤¤
1424 (¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô¡×¤ÎÀá¤ò»²¾È)¡£
1426 .\"O Each of the above "base" flags has a companion "locked" flag.
1427 .\"O Setting any of the "locked" flags is irreversible,
1428 .\"O and has the effect of preventing further changes to the
1429 .\"O corresponding "base" flag.
1430 .\"O The locked flags are:
1431 .\"O .BR SECBIT_KEEP_CAPS_LOCKED ,
1432 .\"O .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
1434 .\"O .BR SECBIT_NOROOT_LOCKED .
1435 ¾åµ¤Î "base" ¥Õ¥é¥°¤Î³Æ¡¹¤Ë¤ÏÂбþ¤¹¤ë "locked" ¥Õ¥é¥°¤¬Â¸ºß¤¹¤ë¡£
1436 ¤¤¤º¤ì¤Î "locked" ¥Õ¥é¥°¤â°ìÅÙ¥»¥Ã¥È¤µ¤ì¤ë¤ÈÌ᤹¤³¤È¤Ï¤Ç¤¤º¡¢
1437 ¤½¤ì°Ê¹ß¤ÏÂбþ¤¹¤ë "base" ¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤³¤È¤¬¤Ç¤¤Ê¤¯¤Ê¤ë¡£
1439 .BR SECBIT_KEEP_CAPS_LOCKED ,
1440 .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
1441 .BR SECBIT_NOROOT_LOCKED
1446 .\"O flags can be modified and retrieved using the
1448 .\"O .B PR_SET_SECUREBITS
1450 .\"O .B PR_GET_SECUREBITS
1454 .\"O capability is required to modify the flags.
1459 .B PR_SET_SECUREBITS
1461 .B PR_GET_SECUREBITS
1462 ¤ò»È¤¦¤³¤È¤ÇÊѹ¹¤·¤¿¤ê¼èÆÀ¤·¤¿¤ê¤Ç¤¤ë¡£
1463 ¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤Ë¤Ï
1465 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£
1469 .\"O flags are inherited by child processes.
1471 .\"O .BR execve (2),
1472 .\"O all of the flags are preserved, except
1473 .\"O .B SECURE_KEEP_CAPS
1474 .\"O which is always cleared.
1476 ¥Õ¥é¥°¤Ï»Ò¥×¥í¥»¥¹¤Ë·Ñ¾µ¤µ¤ì¤ë¡£
1480 ¤¬¾ï¤Ë¥¯¥ê¥¢¤µ¤ì¤ë°Ê³°¤Ï¡¢Á´¤Æ¤Î¥Õ¥é¥°¤¬ÊÝ»ý¤µ¤ì¤ë¡£
1482 .\"O An application can use the following call to lock itself,
1483 .\"O and all of its descendants,
1484 .\"O into an environment where the only way of gaining capabilities
1485 .\"O is by executing a program with associated file capabilities:
1486 ¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ï¡¢°Ê²¼¤Î¸Æ¤Ó½Ð¤·¤ò¹Ô¤¦¤³¤È¤Ë¤è¤ê¡¢
1487 ¼«Ê¬¼«¿È¤ª¤è¤Ó»Ò¹¤È¤Ê¤ë¥×¥í¥»¥¹Á´¤Æ¤ËÂФ·¤Æ¡¢
1488 ɬÍפʥե¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à¤ò¼Â¹Ô¤·¤Ê¤¤¸Â¤ê¡¢
1489 Âбþ¤¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ÍÆÀ¤Ç¤¤Ê¤¤¤è¤¦¤Ê¾õ¶·¤ËÊĤ¸¤³¤á¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1493 prctl(PR_SET_SECUREBITS,
1494 SECBIT_KEEP_CAPS_LOCKED |
1495 SECBIT_NO_SETUID_FIXUP |
1496 SECBIT_NO_SETUID_FIXUP_LOCKED |
1498 SECBIT_NOROOT_LOCKED);
1501 .\"O .SH "CONFORMING TO"
1504 .\"O No standards govern capabilities, but the Linux capability implementation
1505 .\"O is based on the withdrawn POSIX.1e draft standard; see
1506 .\"O .IR http://wt.xpilot.org/publications/posix.1e/ .
1507 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤¹¤ëɸ½à¤Ï¤Ê¤¤¤¬¡¢ Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÇѰƤˤʤä¿
1508 POSIX.1e Áð°Æ¤Ë´ð¤Å¤¤¤Æ¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
1509 .I http://wt.xpilot.org/publications/posix.1e/
1513 .\"O Since kernel 2.5.27, capabilities are an optional kernel component,
1514 .\"O and can be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES
1515 .\"O kernel configuration option.
1516 ¥«¡¼¥Í¥ë 2.5.27 °Ê¹ß¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÁªÂò¼°¤Î¥«¡¼¥Í¥ë¥³¥ó¥Ý¡¼¥Í¥ó¥È
1517 ¤È¤Ê¤Ã¤Æ¤ª¤ê¡¢¥«¡¼¥Í¥ëÀßÄꥪ¥×¥·¥ç¥ó CONFIG_SECURITY_CAPABILITIES
1518 ¤Ë¤è¤ê͸ú/̵¸ú¤òÀÚ¤êÂؤ¨¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1521 .\"O .I /proc/PID/task/TID/status
1522 .\"O file can be used to view the capability sets of a thread.
1524 .\"O .I /proc/PID/status
1525 .\"O file shows the capability sets of a process's main thread.
1526 .I /proc/PID/task/TID/status
1527 ¥Õ¥¡¥¤¥ë¤ò»È¤¦¤È¡¢¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¸«¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1529 ¥Õ¥¡¥¤¥ë¤Ë¤Ï¡¢¥×¥í¥»¥¹¤Î¥á¥¤¥ó¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬É½¼¨¤µ¤ì¤ë¡£
1533 .\"O package provides a suite of routines for setting and
1534 .\"O getting capabilities that is more comfortable and less likely
1535 .\"O to change than the interface provided by
1538 .\"O .BR capget (2).
1540 ¥Ñ¥Ã¥±¡¼¥¸¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꡦ¼èÆÀ¤¹¤ë¤¿¤á¤Î
1541 ¥ë¡¼¥Á¥ó·²¤òÄ󶡤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ï¡¢
1545 ¤¬Ä󶡤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ÈÈæ¤Ù¤Æ¡¢¤è¤ê»È¤¤¤ä¤¹¤¯¡¢Êѹ¹¤µ¤ì¤ë²ÄǽÀ¤¬¾¯¤Ê¤¤¡£
1546 .\"O This package also provides the
1551 .\"O It can be found at
1553 .\"O .IR http://www.kernel.org/pub/linux/libs/security/linux-privs .
1554 ¤³¤Î¥Ñ¥Ã¥±¡¼¥¸¤Ç¤Ï¡¢
1557 ¤È¤¤¤¦¥×¥í¥°¥é¥à¤âÄ󶡤µ¤ì¤Æ¤¤¤ë¡£
1559 .I http://www.kernel.org/pub/linux/libs/security/linux-privs
1562 .\"O Before kernel 2.6.24, and since kernel 2.6.24 if
1563 .\"O file capabilities are not enabled, a thread with the
1565 .\"O capability can manipulate the capabilities of threads other than itself.
1566 .\"O However, this is only theoretically possible,
1567 .\"O since no thread ever has
1568 .\"O .BR CAP_SETPCAP
1569 .\"O in either of these cases:
1570 ¥Ð¡¼¥¸¥ç¥ó 2.6.24 ¤è¤êÁ°¡¢¤ª¤è¤Ó¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
1571 ͸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤2.6.24 °Ê¹ß¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
1573 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥¹¥ì¥Ã¥É¤Ï¼«Ê¬°Ê³°¤Î¥¹¥ì¥Ã¥É¤Î
1574 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÁàºî¤Ç¤¤ë¡£
1575 ¤·¤«¤·¤Ê¤¬¤é¡¢¤³¤ì¤ÏÍýÏÀŪ¤Ë²Äǽ¤È¤¤¤¦¤À¤±¤Ç¤¢¤ë¡£
1576 °Ê²¼¤Î¤¤¤º¤ì¤«¤Î¾ì¹ç¤Ë¤ª¤¤¤Æ¤â¡¢¤É¤Î¥¹¥ì¥Ã¥É¤â
1578 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¤³¤È¤Ï¤Ê¤¤¤«¤é¤Ç¤¢¤ë¡£
1580 .\"O In the pre-2.6.25 implementation the system-wide capability bounding set,
1581 .\"O .IR /proc/sys/kernel/cap-bound ,
1582 .\"O always masks out this capability, and this can not be changed
1583 .\"O without modifying the kernel source and rebuilding.
1584 2.6.25 ¤è¤êÁ°¤Î¼ÂÁõ¤Ç¤Ï¡¢¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
1585 .I /proc/sys/kernel/cap-bound
1586 ¤Ç¤Ï¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¾ï¤Ë̵¸ú¤Ë¤Ê¤Ã¤Æ¤ª¤ê¡¢
1587 ¥½¡¼¥¹¤òÊѹ¹¤·¤Æ¥«¡¼¥Í¥ë¤òºÆ¥³¥ó¥Ñ¥¤¥ë¤·¤Ê¤¤¸Â¤ê¡¢
1588 ¤³¤ì¤òÊѹ¹¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
1590 .\"O If file capabilities are disabled in the current implementation, then
1592 .\"O starts out with this capability removed from its per-process bounding
1593 .\"O set, and that bounding set is inherited by all other processes
1594 .\"O created on the system.
1595 ¸½ºß¤Î¼ÂÁõ¤Ç¤Ï¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
1596 ¥×¥í¥»¥¹Ëè¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÈ´¤¤¤Æ
1599 ¥·¥¹¥Æ¥à¾å¤ÇÀ¸À®¤µ¤ì¤ë¾¤ÎÁ´¤Æ¤Î¥×¥í¥»¥¹¤Ç¤³¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬
1607 .BR cap_copy_ext (3),
1608 .BR cap_from_text (3),
1609 .BR cap_get_file (3),
1610 .BR cap_get_proc (3),
1614 .BR credentials (7),
1619 .\"O .I include/linux/capability.h
1620 .\"O in the kernel source
1622 .I include/linux/capability.h