@[TOC
https://man7.org/linux/man-pages/man2/prctl.2.html
#include
int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);
最终调用的是内核的
kernel/sys.c:SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
使用时需要注意的问题;
如果是非root用户执行的程序需要特殊的权限才能执行。kernel代码会从下面多个设置选项做检查。
如果碰到EPERM错误
if (arg2 == PR_CAP_AMBIENT_RAISE &&
(!cap_raised(current_cred()->cap_permitted, arg3) || //看允许集里是否有
!cap_raised(current_cred()->cap_inheritable, //看继承集里是否有
arg3) ||
issecure(SECURE_NO_CAP_AMBIENT_RAISE))) // 看对应的安全位是否被disable
return -EPERM;
commit 746bf6d64275be0c65b0631d8a72b16f1454cfa1
Author: Andy Lutomirski luto@kernel.org
Date: Fri Sep 4 15:42:51 2015 -0700
capabilities: add a securebit to disable PR_CAP_AMBIENT_RAISE
Per Andrew Morgan's request, add a securebit to allow admins to disable
PR_CAP_AMBIENT_RAISE. This securebit will prevent processes from adding
capabilities to their ambient set.
For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather than
just disabling setting previously cleared bits.
需要注意的是,如果需要设置多个能力,需要单个执行不能合并执行。
if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW,0, 0)!=0)
if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0)!=0)
if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW|CAP_NET_ADMIN,0, 0)!=0) ;; 这个执行会有问题。
tools/testing/selftests/syscall_user_dispatch/sud_test.c