1 .\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
3 .\" Permission is granted to make and distribute verbatim copies of this
4 .\" manual provided the copyright notice and this permission notice are
5 .\" preserved on all copies.
7 .\" Permission is granted to copy and distribute modified versions of this
8 .\" manual under the conditions for verbatim copying, provided that the
9 .\" entire resulting derived work is distributed under the terms of a
10 .\" permission notice identical to this one.
12 .\" Since the Linux kernel and libraries are constantly changing, this
13 .\" manual page may be incorrect or out-of-date. The author(s) assume no
14 .\" responsibility for errors or omissions, or for damages resulting from
15 .\" the use of the information contained herein. The author(s) may not
16 .\" have taken the same level of care in the production of this manual,
17 .\" which is licensed free of charge, as they might when working
20 .\" Formatted or processed versions of this manual, if unaccompanied by
21 .\" the source, must acknowledge the copyright and authors of this work.
23 .\" 6 Aug 2002 - Initial Creation
24 .\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
25 .\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com>
26 .\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER
27 .\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
28 .\" 2008-07-15, Serge Hallyn <serue@us.bbm.com>
29 .\" Document file capabilities, per-process capability
30 .\" bounding set, changed semantics for CAP_SETPCAP,
31 .\" and other changes in 2.6.2[45].
32 .\" Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP.
34 .\" Add text describing circumstances in which CAP_SETPCAP
35 .\" (theoretically) permits a thread to change the
36 .\" capability sets of another thread.
37 .\" Add section describing rules for programmatically
38 .\" adjusting thread capability sets.
39 .\" Describe rationale for capability bounding set.
40 .\" Document "securebits" flags.
41 .\" Add text noting that if we set the effective flag for one file
42 .\" capability, then we must also set the effective flag for all
43 .\" other capabilities where the permitted or inheritable bit is set.
45 .\" Japanese Version Copyright (c) 2005 Akihiro MOTOKI all rights reserved.
46 .\" Translated 2005-03-09, Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
47 .\" Updated 2005-11-04, Akihiro MOTOKI
48 .\" Updated 2006-04-16, Akihiro MOTOKI, LDP v2.29
49 .\" Updated 2006-07-20, Akihiro MOTOKI, LDP v2.34
50 .\" Updated 2007-01-05, Akihiro MOTOKI, LDP v2.43
51 .\" Updated 2008-12-24, Akihiro MOTOKI, LDP v3.15
52 .\" Updated 2009-02-27, Akihiro MOTOKI, LDP v3.19
53 .\" Updated 2010-04-11, Akihiro MOTOKI, LDP v3.24
55 .TH CAPABILITIES 7 2010-01-31 "Linux" "Linux Programmer's Manual"
58 .\"O capabilities \- overview of Linux capabilities
59 capabilities \- Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability) ¤Î³µÍ×
62 .\"O For the purpose of performing permission checks,
63 .\"O traditional Unix implementations distinguish two categories of processes:
65 .\"O processes (whose effective user ID is 0, referred to as superuser or root),
68 .\"O processes (whose effective UID is nonzero).
69 ¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤¦´ÑÅÀ¤«¤é¸«¤ë¤È¡¢ÅÁÅýŪ¤Ê Unix ¤Î¼ÂÁõ¤Ç¤Ï
70 ¥×¥í¥»¥¹¤ÏÆó¤Ä¤Î¥«¥Æ¥´¥ê¤ËʬÎà¤Ç¤¤ë:
72 ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 ¤Î¥×¥í¥»¥¹¡£¥æ¡¼¥¶ID 0 ¤Ï
73 ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤ä root ¤È¸Æ¤Ð¤ì¤ë) ¤È
75 ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹) ¤Ç¤¢¤ë¡£
76 .\"O Privileged processes bypass all kernel permission checks,
77 .\"O while unprivileged processes are subject to full permission
78 .\"O checking based on the process's credentials
79 .\"O (usually: effective UID, effective GID, and supplementary group list).
80 ÈóÆø¢¥×¥í¥»¥¹¤Ç¤Ï¡¢¥×¥í¥»¥¹¤Î»ñ³Ê¾ðÊó (Ä̾ï¤Ï¡¢¼Â¸úUID ¡¢¼Â¸úGID
81 ¤ÈÄɲäΥ°¥ë¡¼¥×¥ê¥¹¥È) ¤Ë´ð¤Å¤¯¸¢¸Â¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ë¤Î¤ËÂФ·¡¢
82 Æø¢¥×¥í¥»¥¹¤Ç¤ÏÁ´¤Æ¤Î¥«¡¼¥Í¥ë¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£
84 .\"O Starting with kernel 2.2, Linux divides the privileges traditionally
85 .\"O associated with superuser into distinct units, known as
86 .\"O .IR capabilities ,
87 .\"O which can be independently enabled and disabled.
88 .\"O Capabilities are a per-thread attribute.
89 ¥Ð¡¼¥¸¥ç¥ó 2.2 °Ê¹ß¤Î Linux ¤Ç¤Ï¡¢
90 ¤³¤ì¤Þ¤Ç¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤Ë·ë¤ÓÉÕ¤±¤é¤ì¤Æ¤¤¿¸¢¸Â¤ò¡¢
91 ¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ³ä¤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥°¥ë¡¼¥×¤Ï
92 .IR ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability)
93 ¤È¸Æ¤Ð¤ì¡¢¥°¥ë¡¼¥×Ëè¤ËÆÈΩ¤Ë͸ú¡¢Ìµ¸ú¤òÀßÄê¤Ç¤¤ë¡£
94 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À¤Ç¤¢¤ë¡£
96 .\"O .SS Capabilities List
97 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥ê¥¹¥È
98 .\"O The following list shows the capabilities implemented on Linux,
99 .\"O and the operations or behaviors that each capability permits:
101 Linux ¤Ç¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È
102 ³Æ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬µö²Ä¤¹¤ëÁàºî¤ÈÆ°ºî¤ò¤Þ¤È¤á¤¿¤â¤Î¤Ç¤¢¤ë¡£
104 .\"O .BR CAP_AUDIT_CONTROL " (since Linux 2.6.11)"
105 .\"O Enable and disable kernel auditing; change auditing filter rules;
106 .\"O retrieve auditing status and filtering rules.
107 .BR CAP_AUDIT_CONTROL " (Linux 2.6.11 °Ê¹ß)"
108 ¥«¡¼¥Í¥ë´Æºº (audit) ¤Î͸ú̵¸ú¤ÎÀÚ¤êÂؤ¨¡¢
109 ´Æºº¤Î¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤ÎÊѹ¹¡¢
110 ´Æºº¤Î¾õ¶·¤ä¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤Î¼èÆÀ¤¬¤Ç¤¤ë¡£
112 .\"O .BR CAP_AUDIT_WRITE " (since Linux 2.6.11)"
113 .BR CAP_AUDIT_WRITE " (Linux 2.6.11 °Ê¹ß)"
114 .\"O Write records to kernel auditing log.
115 ¥«¡¼¥Í¥ë´Æºº¤Î¥í¥°¤Ë¥ì¥³¡¼¥É¤ò½ñ¤¹þ¤à¡£
118 .\"O Make arbitrary changes to file UIDs and GIDs (see
120 ¥Õ¥¡¥¤¥ë¤Î UID ¤ÈGID ¤òǤ°Õ¤ËÊѹ¹¤¹¤ë
125 .\"O Bypass file read, write, and execute permission checks.
126 .\"O (DAC is an abbreviation of "discretionary access control".)
127 ¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¡¢½ñ¤¹þ¤ß¡¢¼Â¹Ô¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
128 (DAC ¤Ï "discretionary access control (Ǥ°Õ¤Î¥¢¥¯¥»¥¹À©¸æ)" ¤Îά¤Ç¤¢¤ë)¡£
130 .B CAP_DAC_READ_SEARCH
131 .\"O Bypass file read permission checks and
132 .\"O directory read and execute permission checks.
133 ¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤È¥Ç¥£¥ì¥¯¥È¥ê¤ÎÆɤ߽Ф·¤È¼Â¹Ô
134 ¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
140 .\"O Bypass permission checks on operations that normally
141 .\"O require the file system UID of the process to match the UID of
145 .\"O excluding those operations covered by
146 .\"O .B CAP_DAC_OVERRIDE
148 .\"O .BR CAP_DAC_READ_SEARCH ;
149 Ä̾¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬¥Õ¥¡¥¤¥ë¤Î UID ¤Ë°ìÃפ¹¤ë¤³¤È¤¬
150 Í׵ᤵ¤ì¤ëÁàºî (Î㤨¤Ð
153 ¤Ë¤ª¤±¤ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
157 .B CAP_DAC_READ_SEARCH
158 ¤Ë¤è¤ê¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ëÁàºî¤Ï½ü¤¯¡£
160 .\"O set extended file attributes (see
162 .\"O on arbitrary files;
163 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ³ÈÄ¥¥Õ¥¡¥¤¥ë°À¤òÀßÄꤹ¤ë
167 .\"O set Access Control Lists (ACLs) on arbitrary files;
168 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È (ACL) ¤òÀßÄꤹ¤ë¡£
170 .\"O ignore directory sticky bit on file deletion;
171 ¥Õ¥¡¥¤¥ë¤Îºï½ü¤ÎºÝ¤Ë¥Ç¥£¥ì¥¯¥È¥ê¤Î¥¹¥Æ¥£¥Ã¥¡¼¥Ó¥Ã¥È¤ò̵»ë¤¹¤ë¡£
175 .\"O for arbitrary files in
182 ¤ÇǤ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
189 .\"O Don't clear set-user-ID and set-group-ID permission
190 .\"O bits when a file is modified;
191 .\"O set the set-group-ID bit for a file whose GID does not match
192 .\"O the file system or any of the supplementary GIDs of the calling process.
193 ¥Õ¥¡¥¤¥ë¤¬Êѹ¹¤µ¤ì¤¿¤È¤¤Ë set-user-ID ¤Èset-group-ID ¤Îµö²Ä¥Ó¥Ã¥È¤ò¥¯¥ê¥¢
194 ¤·¤Ê¤¤¡£¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à GID ¤ÈÄɲäΠGID ¤Î¤¤¤º¤ì¤È¤â
195 GID ¤¬°ìÃפ·¤Ê¤¤¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ set-group-ID ¥Ó¥Ã¥È¤òÀßÄꤹ¤ë¡£
199 .\"O .RB ( mlock (2),
200 .\"O .BR mlockall (2),
202 .\"O .BR shmctl (2)).
211 .\"O Bypass permission checks for operations on System V IPC objects.
212 System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ëÁàºî¤Ë´Ø¤·¤Æ¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
215 .\"O Bypass permission checks for sending signals (see
217 .\"O This includes use of the
221 ¥·¥°¥Ê¥ë¤òÁ÷¿®¤¹¤ëºÝ¤Ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
227 Áàºî¤Î»ÈÍѤâ´Þ¤Þ¤ì¤ë¡£
228 .\" FIXME CAP_KILL also has an effect for threads + setting child
229 .\" termination signal to other than SIGCHLD: without this
230 .\" capability, the termination signal reverts to SIGCHLD
231 .\" if the child does an exec(). What is the rationale
234 .\"O .BR CAP_LEASE " (since Linux 2.4)"
235 .BR CAP_LEASE " (Linux 2.4 °Ê¹ß)"
236 .\"O Establish leases on arbitrary files (see
238 Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
239 ¥Õ¥¡¥¤¥ë¥ê¡¼¥¹¤òÀßÄꤹ¤ë
243 .B CAP_LINUX_IMMUTABLE
247 .\"O .B FS_IMMUTABLE_FL
248 .\"O .\" These attributes are now available on ext2, ext3, Reiserfs, XFS, JFS
249 .\"O i-node flags (see
250 .\"O .BR chattr (1)).
258 .\" ¤³¤ì¤é¤Î°À¤Ï ext2, ext3, Reiserfs, XFS, JFS ¤ÇÍøÍѲÄǽ¤Ç¤¢¤ë¡£
260 .\"O .BR CAP_MAC_ADMIN " (since Linux 2.6.25)"
261 .BR CAP_MAC_ADMIN " (Linux 2.6.25 °Ê¹ß)"
262 .\"O Override Mandatory Access Control (MAC).
263 .\"O Implemented for the Smack Linux Security Module (LSM).
264 ¶¯À©¥¢¥¯¥»¥¹À©¸æ (MAC) ¤ò¾å½ñ¤¤¹¤ë¡£
265 Smack Linux Security Module (LSM) ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
267 .\"O .BR CAP_MAC_OVERRIDE " (since Linux 2.6.25)"
268 .BR CAP_MAC_OVERRIDE " (Linux 2.6.25 °Ê¹ß)"
269 .\"O Allow MAC configuration or state changes.
270 .\"O Implemented for the Smack LSM.
271 MAC ¤ÎÀßÄê¤ä¾õÂÖ¤òÊѹ¹¤¹¤ë¡£
272 Smack LSM ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
274 .\"O .BR CAP_MKNOD " (since Linux 2.4)"
275 .BR CAP_MKNOD " (Linux 2.4 °Ê¹ß)"
276 .\"O Create special files using
280 ¤ò»ÈÍѤ·¤Æ¥¹¥Ú¥·¥ã¥ë¡¦¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¡£
283 .\"O Perform various network-related operations
284 .\"O (e.g., setting privileged socket options,
285 .\"O enabling multicasting, interface configuration,
286 .\"O modifying routing tables).
287 ³Æ¼ï¤Î¥Í¥Ã¥È¥ï¡¼¥¯´ØÏ¢¤ÎÁàºî¤ò¼Â¹Ô¤¹¤ë¡£
288 (Î㤨¤Ð¡¢Æø¢¤¬É¬Íפʥ½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤òÀßÄꤹ¤ë¡¢¥Þ¥ë¥Á¥¥ã¥¹¥È¤ò͸ú¤Ë¤¹¤ë¡¢
289 ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤òÀßÄꤹ¤ë¡¢¥ë¡¼¥Æ¥£¥ó¥°¥Æ¡¼¥Ö¥ë¤òÊѹ¹¤¹¤ë¤Ê¤É)
291 .B CAP_NET_BIND_SERVICE
292 .\"O Bind a socket to Internet domain privileged ports
293 .\"O (port numbers less than 1024).
294 ¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥É¥á¥¤¥ó¤ÎÆø¢¥Ý¡¼¥È (¥Ý¡¼¥ÈÈֹ椬 1024 ÈÖ̤Ëþ)
298 .\"O (Unused) Make socket broadcasts, and listen to multicasts.
299 (̤»ÈÍÑ) ¥½¥±¥Ã¥È¤Î¥Ö¥í¡¼¥É¥¥ã¥¹¥È¤È¡¢¥Þ¥ë¥Á¥¥ã¥¹¥È¤ÎÂÔ¤Á¼õ¤±¤ò¹Ô¤¦¡£
302 .\"O Use RAW and PACKET sockets.
303 .\"O .\" Also various IP options and setsockopt(SO_BINDTODEVICE)
304 RAW ¥½¥±¥Ã¥È¤È PACKET ¥½¥±¥Ã¥È¤ò»ÈÍѤ¹¤ë¡£
305 .\" ¤Þ¤¿¡¢³Æ¼ï¤Î IP ¥ª¥×¥·¥ç¥ó¤È SO_BINDTODEVICE ¥½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤ò»ÈÍѤǤ¤ë¡£
308 .\"O Make arbitrary manipulations of process GIDs and supplementary GID list;
309 .\"O forge GID when passing socket credentials via Unix domain sockets.
310 ¥×¥í¥»¥¹¤Î GID ¤ÈÄɲäΠGID ¥ê¥¹¥È¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî¤ò¹Ô¤¦¡£
311 Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
312 µ¶¤Î GID ¤òÅϤ¹¤³¤È¤¬¤Ç¤¤ë¡£
314 .\"O .BR CAP_SETFCAP " (since Linux 2.6.24)"
315 .BR CAP_SETFCAP " (Linux 2.6.24 °Ê¹ß)"
316 .\"O Set file capabilities.
317 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꤹ¤ë¡£
320 .\"O If file capabilities are not supported:
321 .\"O grant or remove any capability in the
322 .\"O caller's permitted capability set to or from any other process.
323 .\"O (This property of
325 .\"O is not available when the kernel is configured to support
326 .\"O file capabilities, since
328 .\"O has entirely different semantics for such kernels.)
329 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç:
330 ¸Æ¤Ó½Ð¤·¸µ¤¬µö²Ä¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¡¢
331 ¾¤Î¥×¥í¥»¥¹¤ËÉÕÍ¿¤·¤¿¤ê¡¢ºï½ü¤·¤¿¤ê¤Ç¤¤ë¡£
332 (¥«¡¼¥Í¥ë¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¾ì¹ç¡¢
334 ¤Ï¤³¤ÎÌò³ä¤ò»ý¤¿¤Ê¤¤¡£
335 ¤Ê¤¼¤Ê¤é¡¢¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¥«¡¼¥Í¥ë¤Ç¤Ï
337 ¤ÏÁ´¤¯Ê̤ΰÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£)
339 .\"O If file capabilities are supported:
340 .\"O add any capability from the calling thread's bounding set
341 .\"O to its inheritable set;
342 .\"O drop capabilities from the bounding set (via
344 .\"O .BR PR_CAPBSET_DROP );
345 .\"O make changes to the
348 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç:
349 ¸Æ¤Ó½Ð¤·¸µ¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
350 ¼«¿È¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ËÄɲäǤ¤ë¡£
354 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤Ç¤¤ë¡£
359 .\"O Make arbitrary manipulations of process UIDs
360 .\"O .RB ( setuid (2),
361 .\"O .BR setreuid (2),
362 .\"O .BR setresuid (2),
363 .\"O .BR setfsuid (2));
364 .\"O make forged UID when passing socket credentials via Unix domain sockets.
365 ¥×¥í¥»¥¹¤Î UID ¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî
371 Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
372 µ¶¤Î UID ¤òÅϤ¹¤³¤È¤¬¤Ç¤¤ë¡£
373 .\" FIXME CAP_SETUID also an effect in exec(); document this.
379 .\"O Perform a range of system administration operations including:
380 .\"O .BR quotactl (2),
384 .\"O .BR swapoff (2),
385 .\"O .BR sethostname (2),
387 .\"O .BR setdomainname (2);
388 °Ê²¼¤Î¥·¥¹¥Æ¥à´ÉÍýÍѤÎÁàºî¤ò¼Â¹Ô¤¹¤ë:
395 .BR setdomainname (2).
401 .\"O operations on arbitrary System V IPC objects;
402 Ǥ°Õ¤Î System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ë
408 .\"O perform operations on
412 .\"O Extended Attributes (see
418 ¤ËÂФ¹¤ëÁàºî¤ò¼Â¹Ô¤¹¤ë
423 .\"O .BR lookup_dcookie (2);
424 .BR lookup_dcookie (2)
428 .\"O .BR ioprio_set (2)
430 .\"O .B IOPRIO_CLASS_RT
431 .\"O and (before Linux 2.6.25)
432 .\"O .B IOPRIO_CLASS_IDLE
433 .\"O I/O scheduling classes;
435 ¤ò»È¤Ã¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹
436 .BR IOPRIO_CLASS_RT ,
439 .RB ( IOPRIO_CLASS_IDLE
440 ¤Ï Linux 2.6.25 ¤è¤êÁ°¤Î¥Ð¡¼¥¸¥ç¥ó¤Î¤ß)¡£
442 .\"O forge UID when passing socket credentials;
443 ¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ëµ¶¤Î UID ¤òÅϤ¹¡£
446 .\"O .IR /proc/sys/fs/file-max ,
447 .\"O the system-wide limit on the number of open files,
448 .\"O in system calls that open files (e.g.,
453 ¥Õ¥¡¥¤¥ë¤ò¥ª¡¼¥×¥ó¤¹¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë (Î㤨¤Ð
458 ¤Ç¥·¥¹¥Æ¥àÁ´ÂΤǥª¡¼¥×¥ó¤Ç¤¤ë¥Õ¥¡¥¤¥ë¿ô¤Î¾å¸Â
459 .I /proc/sys/fs/file-max
467 .\"O .BR unshare (2);
478 .\"O .B KEYCTL_SETPERM
494 .\"O .BR kexec_load (2).
507 .\"O Load and unload kernel modules
509 .\"O .BR init_module (2)
511 .\"O .BR delete_module (2));
512 .\"O in kernels before 2.6.25:
513 .\"O drop capabilities from the system-wide capability bounding set.
514 ¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¡¢¥¢¥ó¥í¡¼¥É¤ò¹Ô¤¦
515 .RB ( init_module (2)
517 .BR delete_module (2)
519 ¥Ð¡¼¥¸¥ç¥ó 2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¡¢
520 ¥·¥¹¥Æ¥àÁ´ÂΤΥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set)
521 ¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³°¤¹¡£
527 .\"O Raise process nice value
529 .\"O .BR setpriority (2))
530 .\"O and change the nice value for arbitrary processes;
531 ¥×¥í¥»¥¹¤Î nice Ãͤΰú¤¾å¤²
534 ¤ä¡¢Ç¤°Õ¤Î¥×¥í¥»¥¹¤Î nice ÃͤÎÊѹ¹¤ò¹Ô¤¦¡£
536 .\"O set real-time scheduling policies for calling process,
537 .\"O and set scheduling policies and priorities for arbitrary processes
538 .\"O .RB ( sched_setscheduler (2),
539 .\"O .BR sched_setparam (2));
540 ¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤ËÂФ¹¤ë¥ê¥¢¥ë¥¿¥¤¥à¡¦¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤È¡¢
541 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤ÈÍ¥ÀèÅÙ¤òÀßÄꤹ¤ë
542 .RB ( sched_setscheduler (2),
543 .BR sched_setparam (2))¡£
545 .\"O set CPU affinity for arbitrary processes
546 .\"O .RB ( sched_setaffinity (2));
547 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë CPU affinity ¤òÀßÄê¤Ç¤¤ë
548 .RB ( sched_setaffinity (2))¡£
550 .\"O set I/O scheduling class and priority for arbitrary processes
551 .\"O .RB ( ioprio_set (2));
552 Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹¤ÈÍ¥ÀèÅÙ¤òÀßÄê¤Ç¤¤ë
553 .RB ( ioprio_set (2))¡£
556 .\"O .BR migrate_pages (2)
557 .\"O to arbitrary processes and allow processes
558 .\"O to be migrated to arbitrary nodes;
559 .BR migrate_pages (2)
560 ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËŬÍѤ·¡¢¥×¥í¥»¥¹¤òǤ°Õ¤Î¥Î¡¼¥É¤Ë°ÜÆ°¤¹¤ë¡£
561 .\" FIXME CAP_SYS_NICE also has the following effect for
562 .\" migrate_pages(2):
563 .\" do_migrate_pages(mm, &old, &new,
564 .\" capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
567 .\"O .BR move_pages (2)
568 .\"O to arbitrary processes;
570 ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ¹Ô¤¦¡£
573 .\"O .B MPOL_MF_MOVE_ALL
577 .\"O .BR move_pages (2).
594 .\"O Trace arbitrary processes using
597 ¤ò»È¤Ã¤ÆǤ°Õ¤Î¥×¥í¥»¥¹¤ò¥È¥ì¡¼¥¹¤¹¤ë¡£
600 .\"O Perform I/O port operations
603 .\"O .BR ioperm (2));
605 .\"O .IR /proc/kcore .
606 I/O ¥Ý¡¼¥ÈÁàºî¤ò¼Â¹Ô¤¹¤ë
617 .\"O Use reserved space on ext2 file systems;
618 ext2 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¾å¤ÎͽÌ󤵤ì¤Æ¤¤¤ëÎΰè¤ò»ÈÍѤ¹¤ë¡£
622 .\"O calls controlling ext3 journaling;
623 ext3 ¤Î¥¸¥ã¡¼¥Ê¥ëµ¡Ç½¤òÀ©¸æ¤¹¤ë
627 .\"O override disk quota limits;
628 ¥Ç¥£¥¹¥¯ quota ¤Î¾å¸Â¤ò¾å½ñ¤¤¹¤ë¡£
630 .\"O increase resource limits (see
631 .\"O .BR setrlimit (2));
633 .RB ( setrlimit (2))¡£
639 ¥ê¥½¡¼¥¹À©¸Â¤ò¾å½ñ¤¤¹¤ë¡£
643 .\"O limit for a System V message queue above the limit in
644 .\"O .I /proc/sys/kernel/msgmnb
648 .\"O .BR msgctl (2)).
649 ¥á¥Ã¥»¡¼¥¸¥¥å¡¼¤Ë´Ø¤¹¤ë¾å¸Â
652 .I /proc/sys/kernel/msgmnb
653 ¤Ë»ØÄꤵ¤ì¤Æ¤¤¤ë¾å¸Â¤è¤ê¤âÂ礤¯ÀßÄꤹ¤ë
662 .\"O Set system clock
663 .\"O .RB ( settimeofday (2),
665 .\"O .BR adjtimex (2));
666 .\"O set real-time (hardware) clock.
667 ¥·¥¹¥Æ¥à¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë
668 .RB ( settimeofday (2),
671 ¥ê¥¢¥ë¥¿¥¤¥à (¥Ï¡¼¥É¥¦¥§¥¢) ¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë¡£
673 .B CAP_SYS_TTY_CONFIG
675 .\"O .BR vhangup (2).
679 .\"O .SS Past and Current Implementation
681 .\"O A full implementation of capabilities requires that:
682 ´°Á´¤Ê·Á¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼ÂÁõ¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤ÎÍ×·ï¤òËþ¤¿¤¹É¬Íפ¬¤¢¤ë¡§
684 .\"O For all privileged operations,
685 .\"O the kernel must check whether the thread has the required
686 .\"O capability in its effective set.
687 Á´¤Æ¤ÎÆø¢Áàºî¤Ë¤Ä¤¤¤Æ¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
688 ɬÍפʥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¤¢¤ë¤«¤ò³Îǧ¤¹¤ë¡£
690 .\"O The kernel must provide system calls allowing a thread's capability sets to
691 .\"O be changed and retrieved.
692 ¥«¡¼¥Í¥ë¤Ç¡¢¤¢¤ë¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÊѹ¹¤·¤¿¤ê¡¢
693 ¼èÆÀ¤·¤¿¤ê¤Ç¤¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë¤¬Ä󶡤µ¤ì¤ë¡£
695 .\"O The file system must support attaching capabilities to an executable file,
696 .\"O so that a process gains those capabilities when the file is executed.
697 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤¬¡¢¼Â¹Ô²Äǽ¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÉÕÍ¿¤Ç¤¡¢¥Õ¥¡¥¤¥ë
698 ¼Â¹Ô»þ¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥×¥í¥»¥¹¤¬¼èÆÀ¤Ç¤¤ë¤è¤¦¤Êµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤¹¤ë¡£
700 .\"O Before kernel 2.6.24, only the first two of these requirements are met;
701 .\"O since kernel 2.6.24, all three requirements are met.
702 ¥«¡¼¥Í¥ë 2.6.24 ¤è¤êÁ°¤Ç¤Ï¡¢ºÇ½é¤Î 2¤Ä¤ÎÍ×·ï¤Î¤ß¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
703 ¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢3¤Ä¤ÎÍ׷魯¤Ù¤Æ¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
705 .\"O .SS Thread Capability Sets
706 .SS ¥¹¥ì¥Ã¥É¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
707 .\"O Each thread has three capability sets containing zero or more
708 .\"O of the above capabilities:
709 ³Æ¥¹¥ì¥Ã¥É¤Ï°Ê²¼¤Î 3¼ïÎà¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»ý¤Ä¡£³Æ¡¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
710 ¾åµ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÁȤ߹ç¤ï¤»¤Ç¤¢¤ë (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ç¤â¤è¤¤)¡£
713 .\"O This is a limiting superset for the effective
714 .\"O capabilities that the thread may assume.
715 .\"O It is also a limiting superset for the capabilities that
716 .\"O may be added to the inheritable set by a thread that does not have the
718 .\"O capability in its effective set.
719 .IR "µö²Ä (permitted)" :
720 ¤½¤Î¥¹¥ì¥Ã¥É¤¬»ý¤Ä¤³¤È¤Ë¤Ê¤Ã¤Æ¤¤¤ë¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î
721 ¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤¢¤ë¡£
722 ¤³¤ì¤Ï¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
724 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¥¹¥ì¥Ã¥É¤¬·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
725 ÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤â¤¢¤ë¡£
727 .\"O If a thread drops a capability from its permitted set,
728 .\"O it can never reacquire that capability (unless it
730 .\"O either a set-user-ID-root program, or
731 .\"O a program whose associated file capabilities grant that capability).
732 µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤Ã¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¡¢
733 (set-user-ID-root ¥×¥í¥°¥é¥à¤«¡¢
734 ¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Çµö²Ä¤·¤Æ¤¤¤ë¥×¥í¥°¥é¥à¤ò
736 ¤·¤Ê¤¤¸Â¤ê¤Ï) ¤â¤¦°ìÅÙ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
738 .\"O .IR Inheritable :
739 .\"O This is a set of capabilities preserved across an
741 .\"O It provides a mechanism for a process to assign capabilities
742 .\"O to the permitted set of the new program during an
744 .IR "·Ñ¾µ²Äǽ (inheritable)" :
746 ¤òÁ°¸å¤ÇÊÝ»ý¤µ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
747 ¤³¤Î»ÅÁȤߤò»È¤¦¤³¤È¤Ç¡¢¤¢¤ë¥×¥í¥»¥¹¤¬
749 ¤ò¹Ô¤¦ºÝ¤Ë¿·¤·¤¤¥×¥í¥°¥é¥à¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ
750 ³ä¤êÅö¤Æ¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤¤ë¡£
753 .\"O This is the set of capabilities used by the kernel to
754 .\"O perform permission checks for the thread.
755 .IR "¼Â¸ú (effective)" :
756 ¥«¡¼¥Í¥ë¤¬¥¹¥ì¥Ã¥É¤Î¸¢¸Â (permission) ¤ò¥Á¥§¥Ã¥¯¤¹¤ë¤È¤¤Ë
757 »ÈÍѤ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
759 .\"O A child created via
761 .\"O inherits copies of its parent's capability sets.
762 .\"O See below for a discussion of the treatment of capabilities during
765 ¤ÇºîÀ®¤µ¤ì¤ë»Ò¥×¥í¥»¥¹¤Ï¡¢¿Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¥³¥Ô¡¼¤ò·Ñ¾µ¤¹¤ë¡£
767 Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î°·¤¤¤Ë¤Ä¤¤¤Æ¤Ï²¼µ¤ò»²¾È¤Î¤³¤È¡£
771 .\"O a thread may manipulate its own capability sets (see below).
773 ¤ò»È¤¦¤È¡¢¥×¥í¥»¥¹¤Ï¼«Ê¬¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
774 ¤òÁàºî¤¹¤ë¤³¤È¤¬¤Ç¤¤ë (²¼µ»²¾È)¡£
776 .\"O .SS File Capabilities
777 .SS ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
778 .\"O Since kernel 2.6.24, the kernel supports
779 .\"O associating capability sets with an executable file using
781 .\"O The file capability sets are stored in an extended attribute (see
782 .\"O .BR setxattr (2))
784 .\"O .IR "security.capability" .
785 .\"O Writing to this extended attribute requires the
788 ¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢
790 ¤ò»È¤Ã¤Æ¼Â¹Ô¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÂбþÉÕ¤±¤ë¤³¤È¤¬¤Ç¤¤ë¡£
791 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
792 .I "security.capability"
793 ¤È¤¤¤¦Ì¾Á°¤Î³Èĥ°À¤ËÊݸ¤µ¤ì¤ë
795 »²¾È)¡£¤³¤Î³Èĥ°À¤Ø¤Î½ñ¤¹þ¤ß¤Ë¤Ï
797 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£
798 .\"O The file capability sets,
799 .\"O in conjunction with the capability sets of the thread,
800 .\"O determine the capabilities of a thread after an
802 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎξÊý¤¬
805 ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬·èÄꤵ¤ì¤ë¡£
807 .\"O The three file capability sets are:
808 3 ¤Ä¤Î¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤ë¡£
810 .\"O .IR Permitted " (formerly known as " forced ):
811 .\"O These capabilities are automatically permitted to the thread,
812 .\"O regardless of the thread's inheritable capabilities.
813 .IR "µö²Ä (Permitted)" " (°ÊÁ°¤Î" "¶¯À© (Forced)" "):"
814 ¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤ï¤é¤º¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ë¼«Æ°Åª¤Ë
815 ǧ¤á¤é¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡£
817 .\"O .IR Inheritable " (formerly known as " allowed ):
818 .\"O This set is ANDed with the thread's inheritable set to determine which
819 .\"O inheritable capabilities are enabled in the permitted set of
820 .\"O the thread after the
822 .IR "·Ñ¾µ²Äǽ (Inheritable)" " (°ÊÁ°¤Î " "µöÍÆ (Allowed)" "):"
823 ¤³¤Î¥»¥Ã¥È¤È¡¢¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤Î
824 ÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¡¢
826 ¤Î¸å¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤È¤Ê¤ë
827 ·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬·èÄꤵ¤ì¤ë¡£
830 .IR "¼Â¸ú (Effective)" :
831 .\"O This is not a set, but rather just a single bit.
832 .\"O If this bit is set, then during an
834 .\"O all of the new permitted capabilities for the thread are
835 .\"O also raised in the effective set.
836 .\"O If this bit is not set, then after an
838 .\"O none of the new permitted capabilities is in the new effective set.
839 ¤³¤ì¤Ï½¸¹ç¤Ç¤Ï¤Ê¤¯¡¢1 ¥Ó¥Ã¥È¤Î¾ðÊó¤Ç¤¢¤ë¡£
840 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤È¡¢
842 ¼Â¹ÔÃæ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Î¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Á´¤Æ
843 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç¤Ë¤ª¤¤¤Æ¤â¥»¥Ã¥È¤µ¤ì¤ë¡£
844 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
846 ¸å¤Ë¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤É¤ì¤â¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç
849 .\"O Enabling the file effective capability bit implies
850 .\"O that any file permitted or inheritable capability that causes a
851 .\"O thread to acquire the corresponding permitted capability during an
853 .\"O (see the transformation rules described below) will also acquire that
854 .\"O capability in its effective set.
855 ¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤ò͸ú¤Ë¤¹¤ë¤È¤¤¤¦¤Î¤Ï¡¢
857 ¼Â¹Ô»þ¤Ë¡¢¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È·Ñ¾µ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂбþ¤¹¤ë¤â¤Î¤¬
858 ¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ¥»¥Ã¥È¤µ¤ì¤ë¤¬¡¢
859 ¤³¤ì¤¬¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¤â¥»¥Ã¥È¤µ¤ì¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë
860 (¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹¥ë¡¼¥ë¤Ï²¼µ»²¾È)¡£
861 .\"O Therefore, when assigning capabilities to a file
862 .\"O .RB ( setcap (8),
863 .\"O .BR cap_set_file (3),
864 .\"O .BR cap_set_fd (3)),
865 .\"O if we specify the effective flag as being enabled for any capability,
866 .\"O then the effective flag must also be specified as enabled
867 .\"O for all other capabilities for which the corresponding permitted or
868 .\"O inheritable flags is enabled.
869 ¤·¤¿¤¬¤Ã¤Æ¡¢¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ä¤êÅö¤Æ¤ëºÝ
871 .BR cap_set_file (3),
872 .BR cap_set_fd (3))¡¢
873 ¤¤¤º¤ì¤«¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ¼Â¸ú¥Õ¥é¥°¤ò͸ú¤È»ØÄꤹ¤ë¾ì¹ç¡¢
874 µö²Ä¥Õ¥é¥°¤ä·Ñ¾µ²Äǽ¥Õ¥é¥°¤ò͸ú¤Ë¤·¤¿Â¾¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
875 ¤Ë¤Ä¤¤¤Æ¤â¼Â¸ú¥Õ¥é¥°¤ò͸ú¤È»ØÄꤷ¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
877 .\"O .SS Transformation of Capabilities During execve()
878 .SS "execve() Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹"
882 .\"O the kernel calculates the new capabilities of
883 .\"O the process using the following algorithm:
885 ¼Â¹Ô»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥×¥í¥»¥¹¤Î¿·¤·¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼¡¤Î
886 ¥¢¥ë¥´¥ê¥º¥à¤òÍѤ¤¤Æ·×»»¤¹¤ë¡§
890 P'(permitted) = (P(inheritable) & F(inheritable)) |
891 (F(permitted) & cap_bset)
893 P'(effective) = F(effective) ? P'(permitted) : 0
895 .\"O P'(inheritable) = P(inheritable) [i.e., unchanged]
896 P'(inheritable) = P(inheritable) [¤Ä¤Þ¤ê¡¢Êѹ¹¤µ¤ì¤Ê¤¤]
901 ³ÆÊÑ¿ô¤Î°ÕÌ£¤Ï°Ê²¼¤ÎÄ̤ê:
904 .\"O denotes the value of a thread capability set before the
907 Á°¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
909 .\"O denotes the value of a capability set after the
912 ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
914 .\"O denotes a file capability set
915 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
917 .\"O is the value of the capability bounding set (described below).
918 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÃÍ (²¼µ»²¾È)
921 .\"O .SS Capabilities and execution of programs by root
922 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô
923 .\"O In order to provide an all-powerful
925 .\"O using capability sets, during an
928 »þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»È¤Ã¤Æ¡¢Á´¤Æ¤Î¸¢¸Â¤ò»ý¤Ã¤¿
930 ¤ò¼Â¸½¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
932 .\"O If a set-user-ID-root program is being executed,
933 .\"O or the real user ID of the process is 0 (root)
934 .\"O then the file inheritable and permitted sets are defined to be all ones
935 .\"O (i.e., all capabilities enabled).
936 set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
937 ¤Þ¤¿¤Ï¥×¥í¥»¥¹¤Î¼Â¥æ¡¼¥¶ ID ¤¬ 0 (root) ¤Î¾ì¹ç¡¢
938 ¥Õ¥¡¥¤¥ë¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤òÁ´¤Æ 1
939 (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú) ¤ËÄêµÁ¤¹¤ë¡£
941 .\"O If a set-user-ID-root program is being executed,
942 .\"O then the file effective bit is defined to be one (enabled).
943 set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
944 ¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤ò 1 (enabled) ¤ËÄêµÁ¤¹¤ë¡£
946 .\"O The upshot of the above rules,
947 .\"O combined with the capabilities transformations described above,
948 .\"O is that when a process
950 .\"O a set-user-ID-root program, or when a process with an effective UID of 0
953 .\"O it gains all capabilities in its permitted and effective capability sets,
954 .\"O except those masked out by the capability bounding set.
955 .\"O .\" If a process with real UID 0, and nonzero effective UID does an
956 .\"O .\" exec(), then it gets all capabilities in its
957 .\"O .\" permitted set, and no effective capabilities
958 .\"O This provides semantics that are the same as those provided by
959 .\"O traditional Unix systems.
960 ¾åµ¤Î¥ë¡¼¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ÊÑ´¹¤òŬÍѤ·¤¿·ë²Ì¤ò¤Þ¤È¤á¤ë¤È¡¢
961 ¥×¥í¥»¥¹¤¬ set-user-ID-root ¥×¥í¥°¥é¥à¤ò
963 ¤¹¤ë¾ì¹ç¡¢¤Þ¤¿¤Ï¼Â¸ú UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬¥×¥í¥°¥é¥à¤ò
965 ¤¹¤ë¾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
966 (Àµ³Î¤Ë¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë¤è¤ë¥Þ¥¹¥¯¤Ç½ü³°¤µ¤ì¤ë¤â¤Î
967 °Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£) ¤ò¼èÆÀ¤¹¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
968 .\" ¼Â UID ¤¬ 0 ¤Ç¼Â¸ú UID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹¤¬ exec () ¤ò¹Ô¤¦¤È¡¢
969 .\" µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
970 .\" ¤¬¼èÆÀ¤µ¤ì¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼èÆÀ¤µ¤ì¤Ê¤¤¡£
971 ¤³¤ì¤Ë¤è¤ê¡¢ÅÁÅýŪ¤Ê Unix ¥·¥¹¥Æ¥à¤ÈƱ¤¸¿¶¤ëÉñ¤¤¤¬¤Ç¤¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
972 .\"O .SS Capability bounding set
973 .SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
974 .\"O The capability bounding set is a security mechanism that can be used
975 .\"O to limit the capabilities that can be gained during an
977 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set) ¤Ï¡¢
979 »þ¤Ë³ÍÆÀ¤Ç¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë
980 ¥»¥¥å¥ê¥Æ¥£µ¡¹½¤Ç¤¢¤ë¡£
981 .\"O The bounding set is used in the following ways:
982 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï°Ê²¼¤Î¤è¤¦¤Ë»ÈÍѤµ¤ì¤ë¡£
986 .\"O the capability bounding set is ANDed with the file permitted
987 .\"O capability set, and the result of this operation is assigned to the
988 .\"O thread's permitted capability set.
989 .\"O The capability bounding set thus places a limit on the permitted
990 .\"O capabilities that may be granted by an executable file.
992 ¼Â¹Ô»þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤È
993 ¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÏÀÍýÏ (AND) ¤ò¼è¤Ã¤¿¤â¤Î¤¬¡¢
994 ¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë³ä¤êÅö¤Æ¤é¤ì¤ë¡£
995 ¤Ä¤Þ¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
996 ¼Â¹Ô¥Õ¥¡¥¤¥ë¤¬Ç§¤á¤Æ¤¤¤ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ
997 À©¸Â¤ò²Ý¤¹Æ¯¤¤ò¤¹¤ë¡£
999 .\"O (Since Linux 2.6.25)
1000 .\"O The capability bounding set acts as a limiting superset for
1001 .\"O the capabilities that a thread can add to its inheritable set using
1002 .\"O .BR capset (2).
1003 .\"O This means that if a capability is not in the bounding set,
1004 .\"O then a thread can't add this capability to its
1005 .\"O inheritable set, even if it was in its permitted capabilities,
1006 .\"O and thereby cannot have this capability preserved in its
1007 .\"O permitted set when it
1008 .\"O .BR execve (2)s
1009 .\"O a file that has the capability in its inheritable set.
1011 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢¥¹¥ì¥Ã¥É¤¬
1013 ¤Ë¤è¤ê¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊ콸ÃĤò
1014 À©¸Â¤¹¤ëÌò³ä¤ò»ý¤Ä¡£
1015 ¥¹¥ì¥Ã¥É¤Ëµö²Ä¤µ¤ì¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤¢¤Ã¤Æ¤â¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
1016 ´Þ¤Þ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë
1017 ÄɲäǤ¤º¡¢¤½¤Î·ë²Ì¡¢·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò´Þ¤à¥Õ¥¡¥¤¥ë¤ò
1019 ¤¹¤ë¾ì¹ç¡¢¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¥»¥Ã¥È¤Ë»ý¤Á³¤±¤ë¤³¤È¤¬¤Ç¤¤Ê¤¤¡¢
1022 .\"O Note that the bounding set masks the file permitted capabilities,
1023 .\"O but not the inherited capabilities.
1024 .\"O If a thread maintains a capability in its inherited set
1025 .\"O that is not in its bounding set,
1026 .\"O then it can still gain that capability in its permitted set
1027 .\"O by executing a file that has the capability in its inherited set.
1028 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬¥Þ¥¹¥¯¤ò¹Ô¤¦¤Î¤Ï¡¢·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤Ï¤Ê¤¯¡¢
1029 ¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥Þ¥¹¥¯¤ò¹Ô¤¦ÅÀ¤ËÃí°Õ¤¹¤ë¤³¤È¡£
1030 ¤¢¤ë¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
1031 ¸ºß¤·¤Ê¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬´Þ¤Þ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¡¢
1032 ·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¥Õ¥¡¥¤¥ë¤ò¼Â¹Ô¤¹¤ë¤³¤È¤Ë¤è¤ê¡¢
1033 µö²Ä¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤â³ÍÆÀ¤Ç¤¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
1035 .\"O Depending on the kernel version, the capability bounding set is either
1036 .\"O a system-wide attribute, or a per-process attribute.
1037 ¥«¡¼¥Í¥ë¤Î¥Ð¡¼¥¸¥ç¥ó¤Ë¤è¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1038 ¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ¤Î¾ì¹ç¤È¡¢¥×¥í¥»¥¹Ã±°Ì¤Î°À¤Î¾ì¹ç¤¬¤¢¤ë¡£
1040 .\"O .B "Capability bounding set prior to Linux 2.6.25"
1041 .B "Linux 2.6.25 ¤è¤êÁ°¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
1043 .\"O In kernels before 2.6.25, the capability bounding set is a system-wide
1044 .\"O attribute that affects all threads on the system.
1045 2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1046 ¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ¤Ç¡¢¥·¥¹¥Æ¥à¾å¤ÎÁ´¤Æ¤Î¥¹¥ì¥Ã¥É¤ËŬÍѤµ¤ì¤ë¡£
1047 .\"O The bounding set is accessible via the file
1048 .\"O .IR /proc/sys/kernel/cap-bound .
1049 .\"O motoki: accessible = ¡Ö»²¾È²Äǽ¡×¤Ç¤è¤¤¤«¡¢Ê¸Ì®¤òÍ׳Îǧ
1050 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1051 .I /proc/sys/kernel/cap-bound
1052 ¥Õ¥¡¥¤¥ë·Ðͳ¤Ç»²¾È¤Ç¤¤ë¡£
1053 .\"O (Confusingly, this bit mask parameter is expressed as a
1054 .\"O signed decimal number in
1055 .\"O .IR /proc/sys/kernel/cap-bound .)
1056 (´Ö°ã¤¨¤ä¤¹¤¤¤¬¡¢¤³¤Î¥Ó¥Ã¥È¥Þ¥¹¥¯·Á¼°¤Î¥Ñ¥é¥á¡¼¥¿¤Ï¡¢
1057 .I /proc/sys/kernel/cap-bound
1058 ¤Ç¤ÏÉä¹æÉÕ¤¤Î½½¿Ê¿ô¤Çɽ¸½¤µ¤ì¤ë¡£)
1062 .\"O process may set capabilities in the capability bounding set;
1063 .\"O other than that, the superuser (more precisely: programs with the
1064 .\"O .B CAP_SYS_MODULE
1065 .\"O capability) may only clear capabilities from this set.
1067 ¥×¥í¥»¥¹¤À¤±¤¬¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
1068 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥»¥Ã¥È¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1069 ¤½¤ì°Ê³°¤Ç¤Ï¡¢¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶ (¤è¤êÀµ³Î¤Ë¤Ï¡¢
1071 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à) ¤¬¡¢
1072 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥¯¥ê¥¢¤¬
1075 .\"O On a standard system the capability bounding set always masks out the
1078 .\"O To remove this restriction (dangerous!), modify the definition of
1079 .\"O .B CAP_INIT_EFF_SET
1081 .\"O .I include/linux/capability.h
1082 .\"O and rebuild the kernel.
1083 Ä̾ï¤Î¥·¥¹¥Æ¥à¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
1085 ¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
1086 ¤³¤ÎÀ©¸Â¤ò¼è¤êµî¤ë¤Ë¤Ï (¼è¤êµî¤ë¤Î¤Ï´í¸±!)¡¢
1087 .I include/linux/capability.h
1090 ¤ÎÄêµÁ¤ò½¤Àµ¤·¡¢¥«¡¼¥Í¥ë¤òºÆ¹½ÃÛ¤¹¤ëɬÍפ¬¤¢¤ë¡£
1092 .\"O The system-wide capability bounding set feature was added
1093 .\"O to Linux starting with kernel version 2.2.11.
1094 ¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥Èµ¡Ç½¤Ï¡¢
1095 ¥«¡¼¥Í¥ë 2.2.11 °Ê¹ß¤Ç Linux ¤ËÄɲ䵤줿¡£
1098 .\"O .B "Capability bounding set from Linux 2.6.25 onwards"
1099 .B "Linux 2.6.25 °Ê¹ß¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
1101 .\"O From Linux 2.6.25, the
1102 .\"O .I "capability bounding set"
1103 .\"O is a per-thread attribute.
1104 .\"O (There is no longer a system-wide capability bounding set.)
1105 Linux 2.6.25 °Ê¹ß¤Ç¤Ï¡¢
1106 ¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¡×¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À¤Ç¤¢¤ë
1107 (¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¤â¤Ï¤ä¸ºß¤·¤Ê¤¤)¡£
1109 .\"O The bounding set is inherited at
1111 .\"O from the thread's parent, and is preserved across an
1112 .\"O .BR execve (2).
1113 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
1115 »þ¤Ë¤Ï¥¹¥ì¥Ã¥É¤Î¿Æ¥×¥í¥»¥¹¤«¤é·Ñ¾µ¤µ¤ì¡¢
1117 ¤ÎÁ°¸å¤Ç¤ÏÊÝ»ý¤µ¤ì¤ë¡£
1119 .\"O A thread may remove capabilities from its capability bounding set using the
1121 .\"O .B PR_CAPBSET_DROP
1122 .\"O operation, provided it has the
1125 .\"O Once a capability has been dropped from the bounding set,
1126 .\"O it cannot be restored to that set.
1127 .\"O A thread can determine if a capability is in its bounding set using the
1129 .\"O .B PR_CAPBSET_READ
1133 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï
1137 Áàºî¤ò»È¤Ã¤Æ¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é
1138 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1139 ¤¤¤Ã¤¿¤ó¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤¦¤È¡¢
1140 ¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºÆÅÙ¥»¥Ã¥È¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
1144 Áàºî¤ò»È¤¦¤³¤È¤Ç¡¢¥¹¥ì¥Ã¥É¤¬¤¢¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¼«¿È¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
1145 ¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¤«¤òÃΤ뤳¤È¤¬¤Ç¤¤ë¡£
1147 .\"O Removing capabilities from the bounding set is only supported if file
1148 .\"O capabilities are compiled into the kernel
1149 .\"O (CONFIG_SECURITY_FILE_CAPABILITIES).
1150 .\"O In that case, the
1152 .\"O process (the ancestor of all processes) begins with a full bounding set.
1153 .\"O If file capabilities are not compiled into the kernel, then
1155 .\"O begins with a full bounding set minus
1156 .\"O .BR CAP_SETPCAP ,
1157 .\"O because this capability has a different meaning when there are
1158 .\"O no file capabilities.
1159 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Îºï½ü¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤ë¤Î¤Ï¡¢
1160 ¥«¡¼¥Í¥ë¤Î¥³¥ó¥Ñ¥¤¥ë»þ¤Ë¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç
1161 (CONFIG_SECURITY_FILE_CAPABILITIES) ¤À¤±¤Ç¤¢¤ë¡£
1162 ¤³¤Î¾ì¹ç¤Ë¤Ï¡¢ (Á´¤Æ¤Î¥×¥í¥»¥¹¤ÎÀèÁĤǤ¢¤ë)
1164 ¥×¥í¥»¥¹¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÇÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
1165 ¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
1166 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢
1168 ¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
1170 °Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
1171 ¤³¤Î¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤Î¤Ï¡¢
1173 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï
1174 °ã¤Ã¤¿°ÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£
1176 .\"O Removing a capability from the bounding set does not remove it
1177 .\"O from the thread's inherited set.
1178 .\"O However it does prevent the capability from being added
1179 .\"O back into the thread's inherited set in the future.
1180 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤·¤Æ¤â¡¢
1181 ¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤«¤é¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ïºï½ü¤µ¤ì¤Ê¤¤¡£
1182 ¤·¤«¤·¤Ê¤¬¤é¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Îºï½ü¤Ë¤è¤ê¡¢
1183 ¤³¤ÎÀ褽¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲ乤뤳¤È
1187 .\"O .SS Effect of User ID Changes on Capabilities
1188 .SS "¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á"
1189 .\"O To preserve the traditional semantics for transitions between
1190 .\"O 0 and nonzero user IDs,
1191 .\"O the kernel makes the following changes to a thread's capability
1192 .\"O sets on changes to the thread's real, effective, saved set,
1193 .\"O and file system user IDs (using
1194 .\"O .BR setuid (2),
1195 .\"O .BR setresuid (2),
1197 ¥æ¡¼¥¶ ID ¤¬ 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÊѲ½¤¹¤ëºÝ¤Î¿¶¤ëÉñ¤¤¤ò½¾Íè¤ÈƱ¤¸¤Ë¤¹¤ë¤¿¤á¡¢
1198 ¥¹¥ì¥Ã¥É¤Î¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID¡¢¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
1201 ¤Ê¤É¤ò»È¤Ã¤Æ) Êѹ¹¤µ¤ì¤¿ºÝ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
1204 .\"O If one or more of the real, effective or saved set user IDs
1205 .\"O was previously 0, and as a result of the UID changes all of these IDs
1206 .\"O have a nonzero value,
1207 .\"O then all capabilities are cleared from the permitted and effective
1208 .\"O capability sets.
1209 UID ¤ÎÊѹ¹Á°¤Ë¤Ï¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤Î¤¦¤Á
1210 ¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¡¢Êѹ¹¸å¤Ë¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤¬
1211 ¤¹¤Ù¤Æ 0 °Ê³°¤ÎÃͤˤʤ俾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
1212 Á´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
1214 .\"O If the effective user ID is changed from 0 to nonzero,
1215 .\"O then all capabilities are cleared from the effective set.
1216 ¼Â¸ú UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1217 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
1219 .\"O If the effective user ID is changed from nonzero to 0,
1220 .\"O then the permitted set is copied to the effective set.
1221 ¼Â¸ú UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1222 µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÆâÍƤò¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¥³¥Ô¡¼¤¹¤ë¡£
1224 .\"O If the file system user ID is changed from 0 to nonzero (see
1225 .\"O .BR setfsuid (2))
1226 .\"O then the following capabilities are cleared from the effective set:
1227 .\"O .BR CAP_CHOWN ,
1228 .\"O .BR CAP_DAC_OVERRIDE ,
1229 .\"O .BR CAP_DAC_READ_SEARCH ,
1230 .\"O .BR CAP_FOWNER ,
1231 .\"O .BR CAP_FSETID ,
1232 .\"O .B CAP_LINUX_IMMUTABLE
1233 .\"O (since Linux 2.2.30),
1234 .\"O .BR CAP_MAC_OVERRIDE ,
1237 .\"O (since Linux 2.2.30).
1238 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç
1240 »²¾È)¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î°Ê²¼¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥¯¥ê¥¢¤µ¤ì¤ë:
1242 .BR CAP_DAC_OVERRIDE ,
1243 .BR CAP_DAC_READ_SEARCH ,
1246 .B CAP_LINUX_IMMUTABLE
1247 (Linux 2.2.30 °Ê¹ß),
1248 .BR CAP_MAC_OVERRIDE ,
1250 (Linux 2.2.30 °Ê¹ß)¡£
1251 .\"O If the file system UID is changed from nonzero to 0,
1252 .\"O then any of these capabilities that are enabled in the permitted set
1253 .\"O are enabled in the effective set.
1254 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
1255 ¾åµ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤¦¤Áµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤â¤Î¤¬
1256 ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç͸ú¤Ë¤µ¤ì¤ë¡£
1258 .\"O If a thread that has a 0 value for one or more of its user IDs wants
1259 .\"O to prevent its permitted capability set being cleared when it resets
1260 .\"O all of its user IDs to nonzero values, it can do so using the
1262 .\"O .B PR_SET_KEEPCAPS
1264 ³Æ¼ï UID ¤Î¤¦¤Á¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¤¢¤ë¥¹¥ì¥Ã¥É¤¬¡¢
1265 ¤½¤Î UID ¤ÎÁ´¤Æ¤¬ 0 °Ê³°¤Ë¤Ê¤Ã¤¿¤È¤¤Ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬
1266 ¥¯¥ê¥¢¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤¿¤¤¾ì¹ç¤Ë¤Ï¡¢
1272 .\"O .SS Programmatically adjusting capability sets
1273 .SS ¥×¥í¥°¥é¥à¤Ç¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÄ´À°¤¹¤ë
1274 .\"O A thread can retrieve and change its capability sets using the
1279 .\"O However, the use of
1280 .\"O .BR cap_get_proc (3)
1282 .\"O .BR cap_set_proc (3),
1283 .\"O both provided in the
1286 .\"O is preferred for this purpose.
1291 ¤ò»È¤Ã¤Æ¡¢¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¼èÆÀ¤·¤¿¤êÊѹ¹¤·¤¿¤ê¤Ç¤¤ë¡£
1292 ¤¿¤À¤·¡¢¤³¤ì¤ò¹Ô¤¦¤Ë¤Ï¡¢
1294 ¥Ñ¥Ã¥±¡¼¥¸¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë
1295 .BR cap_get_proc (3)
1297 .BR cap_set_proc (3)
1298 ¤ò»È¤¦¤Î¤¬Ë¾¤Þ¤·¤¤¡£
1299 .\"O The following rules govern changes to the thread capability sets:
1300 ¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÊѹ¹¤Ë¤Ï°Ê²¼¤Î¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
1302 .\"O If the caller does not have the
1305 .\"O the new inheritable set must be a subset of the combination
1306 .\"O of the existing inheritable and permitted sets.
1307 .\"O [XXX] motoki: combination ¤Ã¤Æ AND ? OR ?
1310 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢
1311 ´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç
1314 .\"O (Since kernel 2.6.25)
1315 .\"O The new inheritable set must be a subset of the combination of the
1316 .\"O existing inheritable set and the capability bounding set.
1317 .\"O [XXX] motoki: combination ¤Ã¤Æ AND ? OR ?
1318 (¥«¡¼¥Í¥ë 2.6.25 °Ê¹ß)
1319 ¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤È¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦
1320 ¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
1322 .\"O The new permitted set must be a subset of the existing permitted set
1323 .\"O (i.e., it is not possible to acquire permitted capabilities
1324 .\"O that the thread does not currently have).
1325 ¿·¤·¤¤µö²Ä¥»¥Ã¥È¤Ï¡¢´û¸¤Îµö²Ä¥»¥Ã¥È¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤
1326 (¤Ä¤Þ¤ê¡¢¤½¤Î¥¹¥ì¥Ã¥É¤¬¸½ºß»ý¤Ã¤Æ¤¤¤Ê¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
1327 ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤)¡£
1329 .\"O The new effective set must be a subset of the new permitted set.
1330 ¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
1331 Éôʬ½¸¹ç¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
1332 .\"O .SS The """securebits"" flags: establishing a capabilities-only environment
1333 .SS securebits ¥Õ¥é¥°: ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤À¤±¤Î´Ä¶¤ò¹½ÃÛ¤¹¤ë
1334 .\" For some background:
1335 .\" see http://lwn.net/Articles/280279/ and
1336 .\" http://article.gmane.org/gmane.linux.kernel.lsm/5476/
1337 .\"O Starting with kernel 2.6.26,
1338 .\"O and with a kernel in which file capabilities are enabled,
1339 .\"O Linux implements a set of per-thread
1341 .\"O flags that can be used to disable special handling of capabilities for UID 0
1343 ¥«¡¼¥Í¥ë 2.6.26 °Ê¹ß¤Ç¡¢
1344 ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í¸ú¤Ë¤Ê¤Ã¤¿¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
1347 ¥Õ¥é¥°¤¬¼ÂÁõ¤µ¤ì¤Æ¤ª¤ê¡¢¤³¤Î¥Õ¥é¥°¤ò»È¤¦¤È UID 0
1349 ¤ËÂФ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÆÃÊÌ°·¤¤¤ò̵¸ú¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1350 .\"O These flags are as follows:
1351 °Ê²¼¤Î¤è¤¦¤Ê¥Õ¥é¥°¤¬¤¢¤ë¡£
1354 .\"O Setting this flag allows a thread that has one or more 0 UIDs to retain
1355 .\"O its capabilities when it switches all of its UIDs to a nonzero value.
1356 .\"O If this flag is not set,
1357 .\"O then such a UID switch causes the thread to lose all capabilities.
1358 .\"O This flag is always cleared on an
1359 .\"O .BR execve (2).
1360 .\"O (This flag provides the same functionality as the older
1362 .\"O .B PR_SET_KEEPCAPS
1364 ¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢UID ¤¬ 0 ¤Î¥¹¥ì¥Ã¥É¤Î UID ¤¬ 0 °Ê³°¤ÎÃͤË
1365 ÀÚ¤êÂؤï¤ëºÝ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò°Ý»ý¤¹¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1366 ¤³¤Î¥Õ¥é¥°¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ÎÃͤË
1367 ÀÚ¤êÂؤï¤ë¤È¡¢¤½¤Î¥¹¥ì¥Ã¥É¤ÏÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼º¤¦¡£
1370 »þ¤Ë¤ÏÁ´¤Æ¥¯¥ê¥¢¤µ¤ì¤ë
1371 (¤³¤Î¥Õ¥é¥°¤Ï¡¢°ÊÁ°¤Î
1375 Áàºî¤ÈƱ¤¸µ¡Ç½¤òÄ󶡤¹¤ë¤â¤Î¤Ç¤¢¤ë)¡£
1377 .B SECBIT_NO_SETUID_FIXUP
1378 .\"O Setting this flag stops the kernel from adjusting capability sets when
1379 .\"O the threads's effective and file system UIDs are switched between
1380 .\"O zero and nonzero values.
1381 .\"O (See the subsection
1382 .\"O .IR "Effect of User ID Changes on Capabilities" .)
1383 ¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤¹¤ë¤È¡¢¥¹¥ì¥Ã¥É¤Î¼Â¸ú UID ¤È¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
1384 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÀÚ¤êÂؤï¤Ã¤¿¾ì¹ç¤Ë¡¢
1385 ¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÄ´À°¤ò¹Ô¤ï¤Ê¤¯¤Ê¤ë
1386 (¡Ö¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á¡×¤ÎÀá¤ò»²¾È)¡£
1389 .\"O If this bit is set, then the kernel does not grant capabilities
1390 .\"O when a set-user-ID-root program is executed, or when a process with
1391 .\"O an effective or real UID of 0 calls
1392 .\"O .BR execve (2).
1393 .\"O (See the subsection
1394 .\"O .IR "Capabilities and execution of programs by root" .)
1395 ¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
1396 set-user-ID-root ¥×¥í¥°¥é¥à¤Î¼Â¹Ô»þ¤ä¡¢
1397 ¼Â¸ú UID ¤« ¼Â UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬
1399 ¤ò¸Æ¤Ó½Ð¤·¤¿»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¤·¤Ê¤¤
1400 (¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô¡×¤ÎÀá¤ò»²¾È)¡£
1402 .\"O Each of the above "base" flags has a companion "locked" flag.
1403 .\"O Setting any of the "locked" flags is irreversible,
1404 .\"O and has the effect of preventing further changes to the
1405 .\"O corresponding "base" flag.
1406 .\"O The locked flags are:
1407 .\"O .BR SECBIT_KEEP_CAPS_LOCKED ,
1408 .\"O .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
1410 .\"O .BR SECBIT_NOROOT_LOCKED .
1411 ¾åµ¤Î "base" ¥Õ¥é¥°¤Î³Æ¡¹¤Ë¤ÏÂбþ¤¹¤ë "locked" ¥Õ¥é¥°¤¬Â¸ºß¤¹¤ë¡£
1412 ¤¤¤º¤ì¤Î "locked" ¥Õ¥é¥°¤â°ìÅÙ¥»¥Ã¥È¤µ¤ì¤ë¤ÈÌ᤹¤³¤È¤Ï¤Ç¤¤º¡¢
1413 ¤½¤ì°Ê¹ß¤ÏÂбþ¤¹¤ë "base" ¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤³¤È¤¬¤Ç¤¤Ê¤¯¤Ê¤ë¡£
1415 .BR SECBIT_KEEP_CAPS_LOCKED ,
1416 .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
1417 .BR SECBIT_NOROOT_LOCKED
1422 .\"O flags can be modified and retrieved using the
1424 .\"O .B PR_SET_SECUREBITS
1426 .\"O .B PR_GET_SECUREBITS
1430 .\"O capability is required to modify the flags.
1435 .B PR_SET_SECUREBITS
1437 .B PR_GET_SECUREBITS
1438 ¤ò»È¤¦¤³¤È¤ÇÊѹ¹¤·¤¿¤ê¼èÆÀ¤·¤¿¤ê¤Ç¤¤ë¡£
1439 ¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤Ë¤Ï
1441 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£
1445 .\"O flags are inherited by child processes.
1447 .\"O .BR execve (2),
1448 .\"O all of the flags are preserved, except
1449 .\"O .B SECURE_KEEP_CAPS
1450 .\"O which is always cleared.
1452 ¥Õ¥é¥°¤Ï»Ò¥×¥í¥»¥¹¤Ë·Ñ¾µ¤µ¤ì¤ë¡£
1456 ¤¬¾ï¤Ë¥¯¥ê¥¢¤µ¤ì¤ë°Ê³°¤Ï¡¢Á´¤Æ¤Î¥Õ¥é¥°¤¬ÊÝ»ý¤µ¤ì¤ë¡£
1458 .\"O An application can use the following call to lock itself,
1459 .\"O and all of its descendants,
1460 .\"O into an environment where the only way of gaining capabilities
1461 .\"O is by executing a program with associated file capabilities:
1462 ¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ï¡¢°Ê²¼¤Î¸Æ¤Ó½Ð¤·¤ò¹Ô¤¦¤³¤È¤Ë¤è¤ê¡¢
1463 ¼«Ê¬¼«¿È¤ª¤è¤Ó»Ò¹¤È¤Ê¤ë¥×¥í¥»¥¹Á´¤Æ¤ËÂФ·¤Æ¡¢
1464 ɬÍפʥե¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à¤ò¼Â¹Ô¤·¤Ê¤¤¸Â¤ê¡¢
1465 Âбþ¤¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ÍÆÀ¤Ç¤¤Ê¤¤¤è¤¦¤Ê¾õ¶·¤ËÊĤ¸¤³¤á¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1469 prctl(PR_SET_SECUREBITS,
1470 SECBIT_KEEP_CAPS_LOCKED |
1471 SECBIT_NO_SETUID_FIXUP |
1472 SECBIT_NO_SETUID_FIXUP_LOCKED |
1474 SECBIT_NOROOT_LOCKED);
1477 .\"O .SH "CONFORMING TO"
1480 .\"O No standards govern capabilities, but the Linux capability implementation
1481 .\"O is based on the withdrawn POSIX.1e draft standard; see
1482 .\"O .IR http://wt.xpilot.org/publications/posix.1e/ .
1483 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤¹¤ëɸ½à¤Ï¤Ê¤¤¤¬¡¢ Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÇѰƤˤʤä¿
1484 POSIX.1e Áð°Æ¤Ë´ð¤Å¤¤¤Æ¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
1485 .I http://wt.xpilot.org/publications/posix.1e/
1489 .\"O Since kernel 2.5.27, capabilities are an optional kernel component,
1490 .\"O and can be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES
1491 .\"O kernel configuration option.
1492 ¥«¡¼¥Í¥ë 2.5.27 °Ê¹ß¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÁªÂò¼°¤Î¥«¡¼¥Í¥ë¥³¥ó¥Ý¡¼¥Í¥ó¥È
1493 ¤È¤Ê¤Ã¤Æ¤ª¤ê¡¢¥«¡¼¥Í¥ëÀßÄꥪ¥×¥·¥ç¥ó CONFIG_SECURITY_CAPABILITIES
1494 ¤Ë¤è¤ê͸ú/̵¸ú¤òÀÚ¤êÂؤ¨¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1497 .\"O .I /proc/PID/task/TID/status
1498 .\"O file can be used to view the capability sets of a thread.
1500 .\"O .I /proc/PID/status
1501 .\"O file shows the capability sets of a process's main thread.
1502 .I /proc/PID/task/TID/status
1503 ¥Õ¥¡¥¤¥ë¤ò»È¤¦¤È¡¢¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¸«¤ë¤³¤È¤¬¤Ç¤¤ë¡£
1505 ¥Õ¥¡¥¤¥ë¤Ë¤Ï¡¢¥×¥í¥»¥¹¤Î¥á¥¤¥ó¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬É½¼¨¤µ¤ì¤ë¡£
1509 .\"O package provides a suite of routines for setting and
1510 .\"O getting capabilities that is more comfortable and less likely
1511 .\"O to change than the interface provided by
1514 .\"O .BR capget (2).
1516 ¥Ñ¥Ã¥±¡¼¥¸¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꡦ¼èÆÀ¤¹¤ë¤¿¤á¤Î
1517 ¥ë¡¼¥Á¥ó·²¤òÄ󶡤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ï¡¢
1521 ¤¬Ä󶡤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ÈÈæ¤Ù¤Æ¡¢¤è¤ê»È¤¤¤ä¤¹¤¯¡¢Êѹ¹¤µ¤ì¤ë²ÄǽÀ¤¬¾¯¤Ê¤¤¡£
1522 .\"O This package also provides the
1527 .\"O It can be found at
1529 .\"O .IR http://www.kernel.org/pub/linux/libs/security/linux-privs .
1530 ¤³¤Î¥Ñ¥Ã¥±¡¼¥¸¤Ç¤Ï¡¢
1533 ¤È¤¤¤¦¥×¥í¥°¥é¥à¤âÄ󶡤µ¤ì¤Æ¤¤¤ë¡£
1535 .I http://www.kernel.org/pub/linux/libs/security/linux-privs
1538 .\"O Before kernel 2.6.24, and since kernel 2.6.24 if
1539 .\"O file capabilities are not enabled, a thread with the
1541 .\"O capability can manipulate the capabilities of threads other than itself.
1542 .\"O However, this is only theoretically possible,
1543 .\"O since no thread ever has
1544 .\"O .BR CAP_SETPCAP
1545 .\"O in either of these cases:
1546 ¥Ð¡¼¥¸¥ç¥ó 2.6.24 ¤è¤êÁ°¡¢¤ª¤è¤Ó¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
1547 ͸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤2.6.24 °Ê¹ß¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
1549 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥¹¥ì¥Ã¥É¤Ï¼«Ê¬°Ê³°¤Î¥¹¥ì¥Ã¥É¤Î
1550 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÁàºî¤Ç¤¤ë¡£
1551 ¤·¤«¤·¤Ê¤¬¤é¡¢¤³¤ì¤ÏÍýÏÀŪ¤Ë²Äǽ¤È¤¤¤¦¤À¤±¤Ç¤¢¤ë¡£
1552 °Ê²¼¤Î¤¤¤º¤ì¤«¤Î¾ì¹ç¤Ë¤ª¤¤¤Æ¤â¡¢¤É¤Î¥¹¥ì¥Ã¥É¤â
1554 ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¤³¤È¤Ï¤Ê¤¤¤«¤é¤Ç¤¢¤ë¡£
1556 .\"O In the pre-2.6.25 implementation the system-wide capability bounding set,
1557 .\"O .IR /proc/sys/kernel/cap-bound ,
1558 .\"O always masks out this capability, and this can not be changed
1559 .\"O without modifying the kernel source and rebuilding.
1560 2.6.25 ¤è¤êÁ°¤Î¼ÂÁõ¤Ç¤Ï¡¢¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
1561 .I /proc/sys/kernel/cap-bound
1562 ¤Ç¤Ï¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¾ï¤Ë̵¸ú¤Ë¤Ê¤Ã¤Æ¤ª¤ê¡¢
1563 ¥½¡¼¥¹¤òÊѹ¹¤·¤Æ¥«¡¼¥Í¥ë¤òºÆ¥³¥ó¥Ñ¥¤¥ë¤·¤Ê¤¤¸Â¤ê¡¢
1564 ¤³¤ì¤òÊѹ¹¤¹¤ë¤³¤È¤Ï¤Ç¤¤Ê¤¤¡£
1566 .\"O If file capabilities are disabled in the current implementation, then
1568 .\"O starts out with this capability removed from its per-process bounding
1569 .\"O set, and that bounding set is inherited by all other processes
1570 .\"O created on the system.
1571 ¸½ºß¤Î¼ÂÁõ¤Ç¤Ï¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
1572 ¥×¥í¥»¥¹Ëè¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÈ´¤¤¤Æ
1575 ¥·¥¹¥Æ¥à¾å¤ÇÀ¸À®¤µ¤ì¤ë¾¤ÎÁ´¤Æ¤Î¥×¥í¥»¥¹¤Ç¤³¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬
1583 .BR cap_copy_ext (3),
1584 .BR cap_from_text (3),
1585 .BR cap_get_file (3),
1586 .BR cap_get_proc (3),
1590 .BR credentials (7),
1595 .\"O .I include/linux/capability.h
1596 .\"O in the kernel source
1598 .I include/linux/capability.h