How does Linux knows if a process is allowed to issue a system call?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















Let's say that a process wants to issue a system call that can only be issued by a privileged process.



How does Linux knows whether to allow the process to issue such system call or not, does Linux looks at the process's fsuid (file system user ID) to see if it is a root process, or does Linux looks at the process's capabilities to see if it has the required capability to issue the system call, or does Linux knows in some other way?










share|improve this question

















  • 1





    Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

    – 炸鱼薯条德里克
    Feb 26 at 14:12















0















Let's say that a process wants to issue a system call that can only be issued by a privileged process.



How does Linux knows whether to allow the process to issue such system call or not, does Linux looks at the process's fsuid (file system user ID) to see if it is a root process, or does Linux looks at the process's capabilities to see if it has the required capability to issue the system call, or does Linux knows in some other way?










share|improve this question

















  • 1





    Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

    – 炸鱼薯条德里克
    Feb 26 at 14:12













0












0








0








Let's say that a process wants to issue a system call that can only be issued by a privileged process.



How does Linux knows whether to allow the process to issue such system call or not, does Linux looks at the process's fsuid (file system user ID) to see if it is a root process, or does Linux looks at the process's capabilities to see if it has the required capability to issue the system call, or does Linux knows in some other way?










share|improve this question














Let's say that a process wants to issue a system call that can only be issued by a privileged process.



How does Linux knows whether to allow the process to issue such system call or not, does Linux looks at the process's fsuid (file system user ID) to see if it is a root process, or does Linux looks at the process's capabilities to see if it has the required capability to issue the system call, or does Linux knows in some other way?







linux system-calls






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 26 at 13:09









user338923user338923

1




1







  • 1





    Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

    – 炸鱼薯条德里克
    Feb 26 at 14:12












  • 1





    Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

    – 炸鱼薯条德里克
    Feb 26 at 14:12







1




1





Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

– 炸鱼薯条德里克
Feb 26 at 14:12





Any process can issue any syscall, but after you trapped into kernel mode, the corresponding credentials of current thread is checked (in the kernel mode), if privilege doesn't fit, then you get -EPERM or other error value returned. As for what credentials needs to be checked, please check the manpage of that syscall.

– 炸鱼薯条德里克
Feb 26 at 14:12










1 Answer
1






active

oldest

votes


















1














Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:



 For a process to have permission to send a signal, it must either
be privileged (under Linux: have the CAP_KILL capability in the
user namespace of the target process), or the real or effective
user ID of the sending process must equal the real or saved set-
user-ID of the target process.


Similarly in the create_module(2) page, we see:



DESCRIPTION
create_module() attempts to create a loadable module entry and
reserve the kernel memory that will be needed to hold the module.
This system call requires privilege.
...
ERRORS
...
EPERM The caller was not privileged (did not have the
CAP_SYS_MODULE capability).


The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503130%2fhow-does-linux-knows-if-a-process-is-allowed-to-issue-a-system-call%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:



     For a process to have permission to send a signal, it must either
    be privileged (under Linux: have the CAP_KILL capability in the
    user namespace of the target process), or the real or effective
    user ID of the sending process must equal the real or saved set-
    user-ID of the target process.


    Similarly in the create_module(2) page, we see:



    DESCRIPTION
    create_module() attempts to create a loadable module entry and
    reserve the kernel memory that will be needed to hold the module.
    This system call requires privilege.
    ...
    ERRORS
    ...
    EPERM The caller was not privileged (did not have the
    CAP_SYS_MODULE capability).


    The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.






    share|improve this answer



























      1














      Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:



       For a process to have permission to send a signal, it must either
      be privileged (under Linux: have the CAP_KILL capability in the
      user namespace of the target process), or the real or effective
      user ID of the sending process must equal the real or saved set-
      user-ID of the target process.


      Similarly in the create_module(2) page, we see:



      DESCRIPTION
      create_module() attempts to create a loadable module entry and
      reserve the kernel memory that will be needed to hold the module.
      This system call requires privilege.
      ...
      ERRORS
      ...
      EPERM The caller was not privileged (did not have the
      CAP_SYS_MODULE capability).


      The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.






      share|improve this answer

























        1












        1








        1







        Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:



         For a process to have permission to send a signal, it must either
        be privileged (under Linux: have the CAP_KILL capability in the
        user namespace of the target process), or the real or effective
        user ID of the sending process must equal the real or saved set-
        user-ID of the target process.


        Similarly in the create_module(2) page, we see:



        DESCRIPTION
        create_module() attempts to create a loadable module entry and
        reserve the kernel memory that will be needed to hold the module.
        This system call requires privilege.
        ...
        ERRORS
        ...
        EPERM The caller was not privileged (did not have the
        CAP_SYS_MODULE capability).


        The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.






        share|improve this answer













        Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:



         For a process to have permission to send a signal, it must either
        be privileged (under Linux: have the CAP_KILL capability in the
        user namespace of the target process), or the real or effective
        user ID of the sending process must equal the real or saved set-
        user-ID of the target process.


        Similarly in the create_module(2) page, we see:



        DESCRIPTION
        create_module() attempts to create a loadable module entry and
        reserve the kernel memory that will be needed to hold the module.
        This system call requires privilege.
        ...
        ERRORS
        ...
        EPERM The caller was not privileged (did not have the
        CAP_SYS_MODULE capability).


        The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 27 at 14:12









        mtkmtk

        27025




        27025



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503130%2fhow-does-linux-knows-if-a-process-is-allowed-to-issue-a-system-call%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?