The Linux Programming Interface > Capabilities > Transformation of Process Capabilities During exec() - Pg. : Safari Books Online

Table of Contents

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

This Book

The Linux Programming Interface

The Linux Programming Interface

Search

Contents

Praise for The Linux Programming Interface

Ch. 1. History and Standards

Ch. 2. Fundamental Concepts

Ch. 3. System Programming Concepts

Ch. 4. File I/O: The Universal I/O Model

Ch. 5. File I/O: Further Details

Ch. 6. Processes

Ch. 7. Memory Allocation

Ch. 8. Users and Groups

Ch. 9. Process Credentials

Ch. 11. System Limits and Options

Ch. 12. System and Process Information

Ch. 13. File I/O Buffering

Ch. 14. File Systems

Ch. 15. File Attributes

Ch. 16. Extended Attributes

Ch. 17. Access Control Lists

Ch. 18. Directories and Links

Ch. 19. Monitoring File Events

Ch. 20. Signals: Fundamental Concepts

Ch. 21. Signals: Signal Handlers

Ch. 22. Signals: Advanced Features

Ch. 23. Timers and Sleeping

Ch. 24. Process Creation

Ch. 25. Process Termination

Ch. 26. Monitoring Child Processes

Ch. 27. Program Execution

Ch. 28. Process Creation and Program Execution in More Detail

Ch. 29. Threads: Introduction

Ch. 30. Threads: Thread Synchronization

Ch. 31. Threads: Thread Safety and Per-Thread Storage

Ch. 32. Threads: Thread Cancellation

Ch. 33. Threads: Further Details

Ch. 34. Process Groups, Sessions, and Job Control

Ch. 35. Process Priorities and Scheduling

Ch. 36. Process Resources

Ch. 37. Daemons

Ch. 38. Writing Secure Privileged Programs

Ch. 39. Capabilities

Rationale for Capabilities

The Linux Capabilities

Process and File Capabilities

The Modern Capabilities Implementation

Transformation of Process Capabilities During exec()

Effect on Process Capabilities of Changing User IDs

Changing Process Capabilities Programmatically

Creating Capabilities-Only Environments

Discovering the Capabilities Required by a Program

Older Kernels and Systems Without File Capabilities

Ch. 40. Login Accounting

Ch. 41. Fundamentals of Shared Libraries

Ch. 42. Advanced Features of Shared Libraries

Ch. 43. Interprocess Communication Overview

Ch. 44. Pipes and FIFOs

Ch. 45. Introduction to System V IPC

Ch. 46. System V Message Queues

Ch. 47. System V Semaphores

Ch. 48. System V Shared Memory

Ch. 49. Memory Mappings

Ch. 50. Virtual Memory Operations

Ch. 51. Introduction to POSIX IPC

Ch. 52. POSIX Message Queues

Ch. 53. POSIX Semaphores

Ch. 54. POSIX Shared Memory

Ch. 55. File Locking

Ch. 56. Sockets: Introduction

Ch. 57. Sockets: UNIX Domain

Ch. 58. Sockets: Fundamentals of TCP/IP Networks

Ch. 59. Sockets: Internet Domains

Ch. 60. Sockets: Server Design

Ch. 61. Sockets: Advanced Topics

Ch. 62. Terminals

Ch. 63. Alternative I/O Models

Ch. 64. Pseudoterminals

Appx. A. Tracing System Calls

Appx. B. Parsing Command-Line Options

Appx. C. Casting the NULL Pointer

Appx. D. Kernel Configuration

Appx. E. Further Sources of Information

Appx. F. Solutions to Selected Exercises

Appx. G. Updates

URL

Help

39.5. Transformation of Process Capabilities During exec()

During an exec(), the kernel sets new capabilities for the process based on the process’s current capabilities and the capability sets of the file being executed. The kernel calculates the new capabilities of the process using the following rules:

Code View: Scroll / Show All

P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)

P'(effective) = F(effective) ? P'(permitted) : 0

P'(inheritable) = P(inheritable)

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial