How does Linux know if a process is allowed to issue a system call?
Let's say that a process wants to issue a system call that can only be issued by a privileged process.
How does Linux know whether to allow the process to issue such a system call or not? Does Linux look at the process's fsuid (file system user ID) to see if it is a root process, or does Linux look at the process's capabilities to see if it has the required capability to issue the system call, or does Linux know in some other way?
linux system-calls
1
Any process can issue any syscall, but after you trap into kernel mode, the corresponding credentials of the current thread are checked (in kernel mode); if the privilege doesn't fit, then you get -EPERM or another error value returned. As for which credentials need to be checked, please check the manpage of that syscall.
– 炸鱼薯条德里克
Feb 26 at 14:12
asked Feb 26 at 13:09
user338923
1 Answer
Generally, the kernel looks at the process's capabilities to see if it has the required capability. You will find this information documented in the manual page of the relevant system call, which will note that "the process needs capability CAP_XYZ" in order to perform the operation. For example, looking at the manual page of kill(2), we see:

    For a process to have permission to send a signal, it must either
    be privileged (under Linux: have the CAP_KILL capability in the
    user namespace of the target process), or the real or effective
    user ID of the sending process must equal the real or saved set-
    user-ID of the target process.

Similarly in the create_module(2) page, we see:

    DESCRIPTION
           create_module() attempts to create a loadable module entry and
           reserve the kernel memory that will be needed to hold the module.
           This system call requires privilege.
    ...
    ERRORS
    ...
           EPERM  The caller was not privileged (did not have the
                  CAP_SYS_MODULE capability).

The kernel is able to make these checks because capabilities are per-process attributes that the kernel records in its internal data structures.
answered Feb 27 at 14:12
mtk
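
The per-process capability check described in the answer can be observed from user space. The following is an added example, not part of the original answer: it reads the caller's effective capability set from /proc/self/status and then calls kill(1, 0), which makes the kernel run the kill(2) permission check without delivering a signal. The EX_-prefixed constants, the function names and SAMPLE_STATUS are constructed for this example, and PID 1 as the probe target is an assumption.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define EX_CAP_KILL        5
#define EX_CAP_SYS_MODULE 16

/* Constructed sample: status text of a non-root process holding only CAP_KILL. */
const char SAMPLE_STATUS[] =
    "Name:\tdemo\nUid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000000020\nCapEff:\t0000000000000020\n";

/* Extract the effective capability mask; returns -1 if the field is absent. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return -1;
    *mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return 0;
}

/* 1 if capability number `cap` is set in the mask, else 0. */
int has_cap(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

int main(void)
{
    char buf[4096] = {0};
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL || fread(buf, 1, sizeof buf - 1, f) == 0 ||
        parse_cap_eff(buf, &eff) != 0) {
        fputs("cannot read CapEff from /proc/self/status\n", stderr);
        return 1;
    }
    fclose(f);
    printf("CapEff=%016llx CAP_KILL=%d CAP_SYS_MODULE=%d\n", eff,
           has_cap(eff, EX_CAP_KILL), has_cap(eff, EX_CAP_SYS_MODULE));
    /* Signal 0 delivers nothing; the kernel only runs kill(2)'s permission check. */
    if (kill(1, 0) == 0)
        puts("kill(1, 0): permitted (CAP_KILL or matching user ID)");
    else
        printf("kill(1, 0): %s\n", strerror(errno));
    return 0;
}
```

Run as an ordinary user on a typical system, the probe reports "Operation not permitted" (EPERM); the system call itself was issued either way, and the refusal came from the kernel's credential check.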