本文整理汇总了C++中cap_clear函数的典型用法代码示例。如果您正苦于以下问题:C++ cap_clear函数的具体用法?C++ cap_clear怎么用?C++ cap_clear使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了cap_clear函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。
示例1: give_capabilities
static int give_capabilities (pid_t pid)
{
cap_t caps = cap_init();
const unsigned caps_size = 4;
cap_value_t cap_list[] =
{ CAP_SETPCAP, CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_IPC_LOCK} ;
if (caps == NULL) {
fprintf (stderr, "jackstart: could not allocate capability working storage\n");
return -1;
}
cap_clear(caps);
if (capgetp (pid, caps)) {
fprintf (stderr, "jackstart: could not get capabilities for process %d\n", pid);
cap_clear(caps);
}
cap_set_flag(caps, CAP_EFFECTIVE, caps_size, cap_list , CAP_SET);
cap_set_flag(caps, CAP_INHERITABLE, caps_size, cap_list , CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, caps_size, cap_list , CAP_SET);
if (capsetp (pid, caps)) {
fprintf (stderr, "jackstart: could not give capabilities: %s\n", strerror (errno));
cap_free (caps);
return -1;
}
cap_free (caps);
return 0;
}
开发者ID:Llefjord,项目名称:jack1,代码行数:27,代码来源:jackstart.c
示例2: cap_bprm_set_security
int cap_bprm_set_security (struct linux_binprm *bprm)
{
/* Copied from fs/exec.c:prepare_binprm. */
/* We don't have VFS support for capabilities yet */
cap_clear (bprm->cap_inheritable);
cap_clear (bprm->cap_permitted);
cap_clear (bprm->cap_effective);
/* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we raise all three
* capability sets for the file.
*
* If only the real uid is 0, we only raise the inheritable
* and permitted sets of the executable file.
*/
if (!issecure (SECURE_NOROOT)) {
if (bprm->e_uid == 0 || current->uid == 0) {
cap_set_full (bprm->cap_inheritable);
cap_set_full (bprm->cap_permitted);
}
if (bprm->e_uid == 0)
cap_set_full (bprm->cap_effective);
}
return 0;
}
开发者ID:BackupTheBerlios,项目名称:tuxap,代码行数:27,代码来源:commoncap.c
示例3: qCritical
void UnixMurmur::finalcap() {
#ifdef Q_OS_LINUX
cap_value_t caps[] = {CAP_SYS_RESOURCE};
struct rlimit r;
if (! bRoot)
return;
if (getrlimit(RLIMIT_RTPRIO, &r) != 0) {
qCritical("Failed to get priority limits.");
} else {
qWarning("Resource limits were %ld %ld", r.rlim_cur, r.rlim_max);
r.rlim_cur = r.rlim_max = 1;
if (setrlimit(RLIMIT_RTPRIO, &r) != 0) {
qCritical("Failed to set priority limits.");
}
}
int ncap = sizeof(caps)/sizeof(cap_value_t);
cap_t c = cap_init();
cap_clear(c);
cap_set_flag(c, CAP_EFFECTIVE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_PERMITTED, ncap, caps, CAP_SET);
if (cap_set_proc(c) != 0) {
qCritical("Failed to set final capabilities");
} else {
qWarning("Successfully dropped capabilities");
}
cap_free(c);
#endif
}
开发者ID:ashurta,项目名称:mumble,代码行数:32,代码来源:UnixMurmur.cpp
示例4: limit_capabilities
int limit_capabilities(void)
{
cap_t cap_p;
const cap_value_t caps[] = {
CAP_NET_ADMIN,
CAP_NET_RAW,
};
int i;
cap_p = cap_init();
if (!cap_p) {
perror("cap_get_proc");
return -1;
}
for (i = 0; i < ARRAY_SIZE(caps); i++) {
if (cap_clear(cap_p) < 0) {
perror("cap_clear");
return -1;
}
if (cap_set_flag(cap_p, CAP_PERMITTED, ARRAY_SIZE(caps) - i, caps + i, CAP_SET) < 0) {
perror("cap_set_flag");
return -1;
}
if (cap_set_proc(cap_p) < 0)
continue;
break;
}
if (i == ARRAY_SIZE(caps)) {
perror("cap_set_proc");
if (errno != EPERM)
return -1;
}
if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
perror("prctl");
return -1;
}
if (setuid(getuid()) < 0) {
perror("setuid");
return -1;
}
if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
perror("prctl");
return -1;
}
cap_free(cap_p);
uid = getuid();
euid = geteuid();
return 0;
}
开发者ID:DipSwitch,项目名称:RplIcmp,代码行数:60,代码来源:caplib.c
示例5: cap_emulate_setxuid
/*
* cap_emulate_setxuid() fixes the effective / permitted capabilities of
* a process after a call to setuid, setreuid, or setresuid.
*
* 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
* {r,e,s}uid != 0, the permitted and effective capabilities are
* cleared.
*
* 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
* capabilities of the process are cleared.
*
* 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
* capabilities are set to the permitted capabilities.
*
* fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
* never happen.
*
* -astor
*
* cevans - New behaviour, Oct '99
* A process may, via prctl(), elect to keep its capabilities when it
* calls setuid() and switches away from uid==0. Both permitted and
* effective sets will be retained.
* Without this change, it was impossible for a daemon to drop only some
* of its privilege. The call to setuid(!=0) would drop all privileges!
* Keeping uid 0 is not an option because uid 0 owns too many vital
* files..
* Thanks to Olaf Kirch and Peter Benie for spotting this.
*/
static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
int old_suid)
{
if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) &&
(current->uid != 0 && current->euid != 0 && current->suid != 0) &&
!current->keep_capabilities) {
cap_clear (current->cap_permitted);
cap_clear (current->cap_effective);
}
if (old_euid == 0 && current->euid != 0) {
cap_clear (current->cap_effective);
}
if (old_euid != 0 && current->euid == 0) {
current->cap_effective = current->cap_permitted;
}
}
开发者ID:BackupTheBerlios,项目名称:tuxap,代码行数:45,代码来源:commoncap.c
示例6: issueReinit
static int issueReinit() {
cap_t caps = cap_init();
(void)cap_clear(caps);
(void)cap_set_proc(caps);
(void)cap_free(caps);
int sock = TEMP_FAILURE_RETRY(socket_local_client(
"logd", ANDROID_SOCKET_NAMESPACE_RESERVED, SOCK_STREAM));
if (sock < 0) return -errno;
static const char reinitStr[] = "reinit";
ssize_t ret = TEMP_FAILURE_RETRY(write(sock, reinitStr, sizeof(reinitStr)));
if (ret < 0) return -errno;
struct pollfd p;
memset(&p, 0, sizeof(p));
p.fd = sock;
p.events = POLLIN;
ret = TEMP_FAILURE_RETRY(poll(&p, 1, 1000));
if (ret < 0) return -errno;
if ((ret == 0) || !(p.revents & POLLIN)) return -ETIME;
static const char success[] = "success";
char buffer[sizeof(success) - 1];
memset(buffer, 0, sizeof(buffer));
ret = TEMP_FAILURE_RETRY(read(sock, buffer, sizeof(buffer)));
if (ret < 0) return -errno;
return strncmp(buffer, success, sizeof(success) - 1) != 0;
}
开发者ID:BenzoRoms,项目名称:system_core,代码行数:30,代码来源:main.cpp
示例7: avahi_caps_reduce2
int avahi_caps_reduce2(void) {
int ret = 0;
cap_t caps;
static cap_value_t cap_values[] = { CAP_SYS_CHROOT };
/* Reduce our caps to the bare minimum and tell Linux not to keep
* them across setuid(). This is called after we drop
* privileges. */
/* No longer retain caps across setuid() */
if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
avahi_log_error("prctl(PR_SET_KEEPCAPS) failed: %s", strerror(errno));
ret = -1;
}
caps = cap_init();
assert(caps);
cap_clear(caps);
/* setuid() zeroed our effective caps, let's get them back */
cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_values, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 1, cap_values, CAP_SET);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
return ret;
}
开发者ID:sunilghai,项目名称:avahi-clone,代码行数:31,代码来源:caps.c
示例8: avahi_caps_reduce
int avahi_caps_reduce(void) {
int ret = 0;
cap_t caps;
static cap_value_t cap_values[] = { CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID };
/* Let's reduce our caps to the minimum set and tell Linux to keep
* them across setuid(). This is called before we drop
* privileges. */
caps = cap_init();
assert(caps);
cap_clear(caps);
cap_set_flag(caps, CAP_EFFECTIVE, 3, cap_values, CAP_SET);
cap_set_flag(caps, CAP_PERMITTED, 3, cap_values, CAP_SET);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
/* Retain capabilities across setuid() */
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
avahi_log_error("prctl(PR_SET_KEEPCAPS) failed: %s", strerror(errno));
ret = -1;
}
return ret;
}
开发者ID:sunilghai,项目名称:avahi-clone,代码行数:30,代码来源:caps.c
示例9: setCapabilities
// Setting linux capabilities (permitted, effective and inheritable) for the current process.
// Permitted set indicates the capabilities what could be set for the process.
// Effective set is a subset of permitted set, they are actually effective.
// Inheritable set indicates the capabilities what the children will inherit from the current process.
static bool setCapabilities(cap_value_t* capabilityList, int length)
{
// Capabilities should be initialized without flags.
cap_t capabilities = cap_init();
if (!capabilities) {
fprintf(stderr, "Failed to initialize process capabilities: %s.\n", strerror(errno));
return false;
}
if (cap_clear(capabilities) == -1) {
fprintf(stderr, "Failed to clear process capabilities: %s.\n", strerror(errno));
return false;
}
if (capabilityList && length) {
if (cap_set_flag(capabilities, CAP_EFFECTIVE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_INHERITABLE, length, capabilityList, CAP_SET) == -1
|| cap_set_flag(capabilities, CAP_PERMITTED, length, capabilityList, CAP_SET) == -1) {
fprintf(stderr, "Failed to set process capability flags: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
}
if (cap_set_proc(capabilities) == -1) {
fprintf(stderr, "Failed to set process capabilities: %s.\n", strerror(errno));
cap_free(capabilities);
return false;
}
cap_free(capabilities);
return true;
}
开发者ID:3163504123,项目名称:phantomjs,代码行数:37,代码来源:SandboxEnvironmentLinux.cpp
示例10: setMinimalCapabilities
static bool setMinimalCapabilities() {
cap_t cap_d = cap_init();
if (cap_d != nullptr) {
cap_value_t cap_list[] = {CAP_NET_BIND_SERVICE, CAP_SYS_RESOURCE,
CAP_SYS_NICE};
cap_clear(cap_d);
if (cap_set_flag(cap_d, CAP_PERMITTED, 3, cap_list, CAP_SET) < 0 ||
cap_set_flag(cap_d, CAP_EFFECTIVE, 3, cap_list, CAP_SET) < 0) {
Logger::Error("cap_set_flag failed");
return false;
}
if (cap_set_proc(cap_d) == -1) {
Logger::Error("cap_set_proc failed");
return false;
}
if (cap_free(cap_d) == -1) {
Logger::Error("cap_free failed");
return false;
}
prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
return true;
}
return false;
}
开发者ID:AlecChou,项目名称:hhvm,代码行数:30,代码来源:capability.cpp
示例11: sizeof
void UnixMurmur::initialcap() {
#ifdef Q_OS_LINUX
cap_value_t caps[] = {CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID, CAP_CHOWN, CAP_SYS_RESOURCE, CAP_DAC_OVERRIDE };
if (! bRoot)
return;
int ncap = sizeof(caps)/sizeof(cap_value_t);
if (geteuid() != 0)
ncap--;
cap_t c = cap_init();
cap_clear(c);
cap_set_flag(c, CAP_EFFECTIVE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_INHERITABLE, ncap, caps, CAP_SET);
cap_set_flag(c, CAP_PERMITTED, ncap, caps, CAP_SET);
if (cap_set_proc(c) != 0) {
qCritical("Failed to set initial capabilities");
} else {
prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
}
cap_free(c);
#endif
}
开发者ID:ashurta,项目名称:mumble,代码行数:25,代码来源:UnixMurmur.cpp
示例12: krg_cap_prepare_binprm
int krg_cap_prepare_binprm(struct linux_binprm *bprm)
{
/* The model needs changes with filesystem support ... */
#if 0
cap_clear(bprm->krg_cap_forced);
cap_set_full(bprm->krg_cap_permitted);
cap_set_full(bprm->krg_cap_effective);
#endif /* 0 */
return 0;
}
开发者ID:jeanparpaillon,项目名称:kerrighed-kernel,代码行数:10,代码来源:capability.c
示例13: dummy_capget
static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted)
{
if (target->euid == 0) {
cap_set_full(*permitted);
cap_set_init_eff(*effective);
} else {
cap_clear(*permitted);
cap_clear(*effective);
}
cap_clear(*inheritable);
if (target->fsuid != 0) {
*permitted = cap_drop_fs_set(*permitted);
*effective = cap_drop_fs_set(*effective);
}
return 0;
}
开发者ID:mobilipia,项目名称:iods,代码行数:19,代码来源:dummy.c
示例14: SYSCALL_DEFINE3
SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
{
const struct cred *old_cred;
struct cred *override_cred;
struct path path;
struct inode *inode;
int res;
if (mode & ~S_IRWXO)
return -EINVAL;
override_cred = prepare_creds();
if (!override_cred)
return -ENOMEM;
override_cred->fsuid = override_cred->uid;
override_cred->fsgid = override_cred->gid;
if (!issecure(SECURE_NO_SETUID_FIXUP)) {
if (override_cred->uid)
cap_clear(override_cred->cap_effective);
else
override_cred->cap_effective =
override_cred->cap_permitted;
}
old_cred = override_creds(override_cred);
res = user_path_at(dfd, filename, LOOKUP_FOLLOW, &path);
if (res)
goto out;
inode = path.dentry->d_inode;
if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
res = -EACCES;
if (path.mnt->mnt_flags & MNT_NOEXEC)
goto out_path_release;
}
res = inode_permission(inode, mode | MAY_ACCESS);
if (res || !(mode & S_IWOTH) || special_file(inode->i_mode))
goto out_path_release;
if (__mnt_is_readonly(path.mnt))
res = -EROFS;
out_path_release:
path_put(&path);
out:
revert_creds(old_cred);
put_cred(override_cred);
return res;
}
开发者ID:kuzetsa,项目名称:B1RB_htc_msm8974,代码行数:55,代码来源:open.c
示例15: avahi_caps_drop_all
int avahi_caps_drop_all(void) {
cap_t caps;
int ret = 0;
/* Drop all capabilities and turn ourselves into a normal user process */
caps = cap_init();
assert(caps);
cap_clear(caps);
if (cap_set_proc(caps) < 0) {
avahi_log_error("cap_set_proc() failed: %s", strerror(errno));
ret = -1;
}
cap_free(caps);
return ret;
}
开发者ID:sunilghai,项目名称:avahi-clone,代码行数:18,代码来源:caps.c
示例16: drop_cap
void drop_cap(void)
{
#ifdef HAVE_LIBCAP
/* don't harmstring root/sudo */
if (getuid() != 0 && geteuid() != 0) {
cap_t capabilities;
capabilities = cap_get_proc();
if (!capabilities)
exit(EXIT_FAILURE);
if (cap_clear(capabilities) != 0)
exit(EXIT_FAILURE);
if (cap_set_proc(capabilities) != 0)
exit(EXIT_FAILURE);
cap_free(capabilities);
}
#endif
}
开发者ID:dtaht,项目名称:tc-adv,代码行数:18,代码来源:utils.c
示例17: check_capabilities
static int check_capabilities (void)
{
cap_t caps = cap_init();
cap_flag_value_t cap;
pid_t pid;
int have_all_caps = 1;
if (caps == NULL) {
fprintf (stderr, "jackstart: could not allocate capability working storage\n");
return 0;
}
pid = getpid ();
cap_clear (caps);
if (capgetp (pid, caps)) {
fprintf (stderr, "jackstart: could not get capabilities for process %d\n", pid);
return 0;
}
/* check that we are able to give capabilites to other processes */
cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
/* check that we have the capabilities we want to transfer */
cap_get_flag(caps, CAP_SYS_NICE, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
cap_get_flag(caps, CAP_SYS_RESOURCE, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
cap_get_flag(caps, CAP_IPC_LOCK, CAP_EFFECTIVE, &cap);
if (cap == CAP_CLEAR) {
have_all_caps = 0;
goto done;
}
done:
cap_free (caps);
return have_all_caps;
}
开发者ID:Llefjord,项目名称:jack1,代码行数:43,代码来源:jackstart.c
示例18: sys_access
/*
* access() needs to use the real uid/gid, not the effective uid/gid.
* We do this by temporarily clearing all FS-related capabilities and
* switching the fsuid/fsgid around to the real ones.
*/
asmlinkage long sys_access(const char * filename, int mode)
{
struct nameidata nd;
int old_fsuid, old_fsgid;
kernel_cap_t old_cap;
int res;
if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
return -EINVAL;
old_fsuid = current->fsuid;
old_fsgid = current->fsgid;
old_cap = current->cap_effective;
current->fsuid = current->uid;
current->fsgid = current->gid;
/* Clear the capabilities if we switch to a non-root user */
if (current->uid)
cap_clear(current->cap_effective);
else
current->cap_effective = current->cap_permitted;
res = user_path_walk(filename, &nd);
if (!res) {
res = permission(nd.dentry->d_inode, mode);
/* SuS v2 requires we report a read only fs too */
if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
&& !special_file(nd.dentry->d_inode->i_mode))
res = -EROFS;
path_release(&nd);
}
current->fsuid = old_fsuid;
current->fsgid = old_fsgid;
current->cap_effective = old_cap;
return res;
}
开发者ID:EmbolismSoil,项目名称:Linux-2.4.0-,代码行数:44,代码来源:open.c
示例19: drop_elevated_permissions
/* Drop SUID privileges. To be used after accquiring raw sockets. */
static
int drop_elevated_permissions(
void)
{
#ifdef HAVE_LIBCAP
cap_t cap;
#endif
/* Drop any suid permissions granted */
if (setgid(getgid()) || setuid(getuid())) {
return -1;
}
if (geteuid() != getuid() || getegid() != getgid()) {
return -1;
}
/*
Drop all process capabilities.
This will revoke anything granted by a commandline 'setcap'
*/
#ifdef HAVE_LIBCAP
cap = cap_get_proc();
if (cap == NULL) {
return -1;
}
if (cap_clear(cap)) {
return -1;
}
if (cap_set_proc(cap)) {
return -1;
}
#endif
return 0;
}
开发者ID:russor,项目名称:mtr,代码行数:37,代码来源:packet.c
示例20: drop_capabilities
void drop_capabilities(void)
{
/* the capabilities that we *need* in order to operate */
static cap_value_t suidcaps[] = {
CAP_CHOWN,
CAP_KILL,
CAP_SYS_CHROOT,
CAP_SETUID,
CAP_SETGID,
CAP_NET_BIND_SERVICE,
/* we may want to open any config/log files */
CAP_DAC_OVERRIDE
};
cap_t caps;
caps = cap_init();
cap_clear(caps);
cap_set_flag(caps, CAP_PERMITTED,
N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
cap_set_flag(caps, CAP_EFFECTIVE,
N_ELEMENTS(suidcaps), suidcaps, CAP_SET);
cap_set_proc(caps);
cap_free(caps);
}
开发者ID:dhultin,项目名称:dovecot-pop-uidl-proxy,代码行数:24,代码来源:capabilities-posix.c
注:本文中的cap_clear函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |
请发表评论