From: Rui Li <me@lirui.org> Date: Sat, 22 Oct 2022 12:05:57 +0000 (+0800) Subject: docs/zh_CN: Add userspace-api/no_new_privs Chinese translation X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=72b0ec3543f15ff672ebada5d3f81e3065d17e47;p=linux.git docs/zh_CN: Add userspace-api/no_new_privs Chinese translation Translate the following documents into Chinese: - userspace-api/no_new_privs.rst Signed-off-by: Rui Li <me@lirui.org> Reviewed-by: Yanteng Si <siyanteng@loongson.cn> Link: https://lore.kernel.org/r/20221022120557.381115-1-me@lirui.org Signed-off-by: Jonathan Corbet <corbet@lwn.net> --- diff --git a/Documentation/translations/zh_CN/userspace-api/index.rst b/Documentation/translations/zh_CN/userspace-api/index.rst index 12c63d81c6638..6a7e82ac16b9e 100644 --- a/Documentation/translations/zh_CN/userspace-api/index.rst +++ b/Documentation/translations/zh_CN/userspace-api/index.rst @@ -25,10 +25,10 @@ Linux å æ ¸ç¨æ·ç©ºé´APIæå :maxdepth: 2 ebpf/index + no_new_privs TODOList: -* no_new_privs * seccomp_filter * landlock * unshare diff --git a/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst b/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst new file mode 100644 index 0000000000000..81bd16ce3ad21 --- /dev/null +++ b/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst 
@@ -0,0 +1,57 @@ +.. SPDX-License-Identifier: GPL-2.0 +.. include:: ../disclaimer-zh_CN.rst + +:Original: Documentation/userspace-api/no_new_privs.rst + +:ç¿»è¯: + + æç¿ Rui Li <me@lirui.org> + +============ +æ æ°æéæ å¿ +============ + +execveç³»ç»è°ç¨å¯ä»¥ç»ä¸ä¸ªæ°å¯å¨çç¨åºæäºå®çç¶ç¨åºæ¬æ²¡æçæéãæææ¾ç两个 +ä¾åå°±æ¯setuid/setgidæ§å¶ç¨åºåæä»¶çè½åã为äºé¿å ç¶ç¨åºä¹è·å¾è¿äºæéï¼å +æ ¸åç¨æ·ä»£ç å¿ é¡»å°å¿é¿å ä»»ä½ç¶ç¨åºå¯ä»¥é¢ è¦åç¨åºçæ åµãæ¯å¦ï¼ + + - ç¨åºå¨setuidåï¼å¨æè£ è½½å¨å¤ç ``LD_*`` ç¯å¢åéçä¸åæ¹å¼ã + + - 对äºéç¹æç¨åºï¼chrootæ¯ä¸å 许çï¼å 为è¿ä¼å 许 ``/etc/passwd`` å¨ç»§æ¿ + chrootçç¨åºç¼ä¸è¢«æ¿æ¢ã + + - æ§è¡ä»£ç 对ptraceæç¹æ®å¤çã + +è¿äºé½æ¯ä¸´æ¶æ§çä¿®å¤ã ``no_new_privs`` ä½ï¼ä» Linux 3.5 èµ·ï¼æ¯ä¸ä¸ªæ°çé +ç¨çæºå¶æ¥ä¿è¯ä¸ä¸ªè¿ç¨å®å ¨å°ä¿®æ¹å ¶æ§è¡ç¯å¢å¹¶è·¨execveæä¹ åãä»»ä½ä»»å¡é½å¯ä»¥è®¾ +ç½® ``no_new_privs`` ã䏿¦è¯¥ä½è¢«è®¾ç½®ï¼å®ä¼å¨forkãcloneåexecveä¸ç»§æ¿ä¸å» +ï¼å¹¶ä¸ä¸è½è¢«æ¤éãå¨ ``no_new_privs`` è¢«è®¾ç½®çæ åµä¸ï¼ ``execve()`` å°ä¿è¯ +ä¸ä¼æäºæéå»å任使²¡æexecveè°ç¨å°±ä¸è½åçäºæ ãæ¯å¦ï¼ setuid å setgid +ä½ä¸ä¼åæ¹å uid æ gidï¼æä»¶è½åä¸ä¼è¢«æ·»å å°ææéåä¸ï¼å¹¶ä¸Linuxå®å ¨æ¨¡åï¼ +LSMï¼ä¸ä¼å¨execveè°ç¨åæ¾æ¾éå¶ã + +设置 ``no_new_privs`` 使ç¨:: + + prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + +ä¸è¿è¦å°å¿ï¼Linuxå®å ¨æ¨¡åï¼LSMï¼ä¹å¯è½ä¸ä¼å¨ ``no_new_privs`` 模å¼ä¸æ¶ç´§çº¦æã +ï¼è¿æå³çä¸ä¸ªä¸è¬çæå¡å¯å¨å¨å¨æ§è¡å®æ¤è¿ç¨åå°±å»è®¾ç½® ``no_new_privs`` å¯è½ +ä¼å¹²æ°åºäºLSMçæ²ç®±ãï¼ + +请注æï¼ ``no_new_privs`` å¹¶ä¸è½é»æ¢ä¸æ¶å ``execve()`` çæéååãä¸ä¸ªæ¥æ +é彿éçä»»å¡ä»ç¶å¯ä»¥è°ç¨ ``setuid(2)`` å¹¶æ¥æ¶ SCM_RIGHTS æ°æ®æ¥ã + +ç®åæ¥è¯´ï¼ ``no_new_privs`` æä¸¤å¤§ä½¿ç¨åºæ¯ï¼ + + - 为seccomp模å¼2æ²ç®±å®è£ çè¿æ»¤å¨ä¼è·¨execveæä¹ åï¼å¹¶è½å¤æ¹åæ°æ§è¡ç¨åºçè¡ä¸ºã + éç¹æç¨æ·å æ¤å¨ ``no_new_privs`` è¢«è®¾ç½®çæ åµä¸åªå 许å®è£ è¿æ ·çè¿æ»¤å¨ã + + - ``no_new_privs`` æ¬èº«å°±è½è¢«ç¨äºåå°éç¹æç¨æ·çæ»å»é¢ã妿ææä»¥æä¸ª uid + è¿è¡çç¨åºé½è®¾ç½®äº ``no_new_privs`` ï¼é£ä¹é£ä¸ª uid å°æ æ³éè¿æ»å» setuidï¼ + setgid åä½¿ç¨æä»¶è½åçäºè¿å¶æ¥ææï¼å®éè¦å æ»å»ä¸äºæ²¡æè¢«è®¾ç½® ``no_new_privs`` + ä½çä¸è¥¿ã + +å°æ¥ï¼å ¶ä»æ½å¨çå±é©çå æ 
¸ç¹æ§å¯è½è¢«éç¹æä»»å¡å©ç¨ï¼å³ä½¿ ``no_new_privs`` 被置ä½ã +ååä¸ï¼å½ ``no_new_privs`` è¢«ç½®ä½æ¶ï¼ ``unshare(2)`` å ``clone(2)`` çå 个é +项尿¯å®å ¨çï¼å¹¶ä¸ ``no_new_privs`` å ä¸ ``chroot`` æ¯å¯ä»¥è¢«è®¤ä¸ºæ¯ chrootæ¬èº«å± +驿§å°å¾å¤çã
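Review bot: in the index.rst hunk, the new toctree entry `no_new_privs` is indented to match `ebpf/index` and the matching `* no_new_privs` line is dropped from the TODOList in the same hunk, so the toctree and the remaining TODO entries (seccomp_filter, landlock, unshare) stay consistent; the one thing to confirm is that the toctree name matches the new file `Documentation/translations/zh_CN/userspace-api/no_new_privs.rst` added by the second diff, which it does.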
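Review bot: the Chinese body of the new no_new_privs.rst hunk is shown here as mojibake (UTF-8 bytes rendered as Latin-1, e.g. `æ æ°æéæ å¿` where the title should be), so the translation itself cannot be checked for accuracy from this view; please confirm the file is committed as UTF-8 like the other zh_CN documents, and that the `============` adornment above and below the title is at least as wide as the rendered Chinese title, since a too-short title line is a common Sphinx warning in translated docs. The parts that are readable follow the zh_CN conventions and match the English original: `.. SPDX-License-Identifier: GPL-2.0`, `.. include:: ../disclaimer-zh_CN.rst`, `:Original: Documentation/userspace-api/no_new_privs.rst`, the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);` literal block, and the `setuid(2)`, `unshare(2)`, `clone(2)`, `SCM_RIGHTS`, `LD_*` and `/etc/passwd` references are all preserved untranslated.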