From: Rui Li <me@lirui.org>
Date: Sat, 22 Oct 2022 12:05:57 +0000 (+0800)
Subject: docs/zh_CN: Add userspace-api/no_new_privs Chinese translation
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=72b0ec3543f15ff672ebada5d3f81e3065d17e47;p=linux.git
docs/zh_CN: Add userspace-api/no_new_privs Chinese translation
Translate the following documents into Chinese:
- userspace-api/no_new_privs.rst
Signed-off-by: Rui Li <me@lirui.org>
Reviewed-by: Yanteng Si <siyanteng@loongson.cn>
Link: https://lore.kernel.org/r/20221022120557.381115-1-me@lirui.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
---
diff --git a/Documentation/translations/zh_CN/userspace-api/index.rst b/Documentation/translations/zh_CN/userspace-api/index.rst
index 12c63d81c6638..6a7e82ac16b9e 100644
--- a/Documentation/translations/zh_CN/userspace-api/index.rst
+++ b/Documentation/translations/zh_CN/userspace-api/index.rst
@@ -25,10 +25,10 @@ Linux å
æ ¸ç¨æ·ç©ºé´APIæå
:maxdepth: 2
ebpf/index
+ no_new_privs
TODOList:
-* no_new_privs
* seccomp_filter
* landlock
* unshare
diff --git a/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst b/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst
new file mode 100644
index 0000000000000..81bd16ce3ad21
--- /dev/null
+++ b/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst
@@ -0,0 +1,57 @@
+.. SPDX-License-Identifier: GPL-2.0
+.. include:: ../disclaimer-zh_CN.rst
+
+:Original: Documentation/userspace-api/no_new_privs.rst
+
+:ç¿»è¯:
+
+ æç¿ Rui Li <me@lirui.org>
+
+============
+æ æ°æéæ å¿
+============
+
+execveç³»ç»è°ç¨å¯ä»¥ç»ä¸ä¸ªæ°å¯å¨çç¨åºæäºå®çç¶ç¨åºæ¬æ²¡æçæéãæææ¾ç两个
+ä¾åå°±æ¯setuid/setgidæ§å¶ç¨åºåæ件çè½åã为äºé¿å
ç¶ç¨åºä¹è·å¾è¿äºæéï¼å
+æ ¸åç¨æ·ä»£ç å¿
é¡»å°å¿é¿å
ä»»ä½ç¶ç¨åºå¯ä»¥é¢ è¦åç¨åºçæ
åµãæ¯å¦ï¼
+
+ - ç¨åºå¨setuidåï¼å¨æè£
è½½å¨å¤ç ``LD_*`` ç¯å¢åéçä¸åæ¹å¼ã
+
+ - 对äºéç¹æç¨åºï¼chrootæ¯ä¸å
许çï¼å 为è¿ä¼å
许 ``/etc/passwd`` å¨ç»§æ¿
+ chrootçç¨åºç¼ä¸è¢«æ¿æ¢ã
+
+ - æ§è¡ä»£ç 对ptraceæç¹æ®å¤çã
+
+è¿äºé½æ¯ä¸´æ¶æ§çä¿®å¤ã ``no_new_privs`` ä½ï¼ä» Linux 3.5 èµ·ï¼æ¯ä¸ä¸ªæ°çé
+ç¨çæºå¶æ¥ä¿è¯ä¸ä¸ªè¿ç¨å®å
¨å°ä¿®æ¹å
¶æ§è¡ç¯å¢å¹¶è·¨execveæä¹
åãä»»ä½ä»»å¡é½å¯ä»¥è®¾
+ç½® ``no_new_privs`` ãä¸æ¦è¯¥ä½è¢«è®¾ç½®ï¼å®ä¼å¨forkãcloneåexecveä¸ç»§æ¿ä¸å»
+ï¼å¹¶ä¸ä¸è½è¢«æ¤éãå¨ ``no_new_privs`` 被设置çæ
åµä¸ï¼ ``execve()`` å°ä¿è¯
+ä¸ä¼æäºæéå»åä»»ä½æ²¡æexecveè°ç¨å°±ä¸è½åçäºæ
ãæ¯å¦ï¼ setuid å setgid
+ä½ä¸ä¼åæ¹å uid æ gidï¼æ件è½åä¸ä¼è¢«æ·»å å°ææéåä¸ï¼å¹¶ä¸Linuxå®å
¨æ¨¡åï¼
+LSMï¼ä¸ä¼å¨execveè°ç¨åæ¾æ¾éå¶ã
+
+设置 ``no_new_privs`` 使ç¨::
+
+ prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+
+ä¸è¿è¦å°å¿ï¼Linuxå®å
¨æ¨¡åï¼LSMï¼ä¹å¯è½ä¸ä¼å¨ ``no_new_privs`` 模å¼ä¸æ¶ç´§çº¦æã
+ï¼è¿æå³çä¸ä¸ªä¸è¬çæå¡å¯å¨å¨å¨æ§è¡å®æ¤è¿ç¨åå°±å»è®¾ç½® ``no_new_privs`` å¯è½
+ä¼å¹²æ°åºäºLSMçæ²ç®±ãï¼
+
+请注æï¼ ``no_new_privs`` 并ä¸è½é»æ¢ä¸æ¶å ``execve()`` çæéååãä¸ä¸ªæ¥æ
+éå½æéçä»»å¡ä»ç¶å¯ä»¥è°ç¨ ``setuid(2)`` 并æ¥æ¶ SCM_RIGHTS æ°æ®æ¥ã
+
+ç®åæ¥è¯´ï¼ ``no_new_privs`` æ两大使ç¨åºæ¯ï¼
+
+ - 为seccomp模å¼2æ²ç®±å®è£
çè¿æ»¤å¨ä¼è·¨execveæä¹
åï¼å¹¶è½å¤æ¹åæ°æ§è¡ç¨åºçè¡ä¸ºã
+ éç¹æç¨æ·å æ¤å¨ ``no_new_privs`` 被设置çæ
åµä¸åªå
许å®è£
è¿æ ·çè¿æ»¤å¨ã
+
+ - ``no_new_privs`` æ¬èº«å°±è½è¢«ç¨äºåå°éç¹æç¨æ·çæ»å»é¢ãå¦æææ以æ个 uid
+ è¿è¡çç¨åºé½è®¾ç½®äº ``no_new_privs`` ï¼é£ä¹é£ä¸ª uid å°æ æ³éè¿æ»å» setuidï¼
+ setgid å使ç¨æ件è½åçäºè¿å¶æ¥ææï¼å®éè¦å
æ»å»ä¸äºæ²¡æ被设置 ``no_new_privs``
+ ä½çä¸è¥¿ã
+
+å°æ¥ï¼å
¶ä»æ½å¨çå±é©çå
æ ¸ç¹æ§å¯è½è¢«éç¹æä»»å¡å©ç¨ï¼å³ä½¿ ``no_new_privs`` 被置ä½ã
+ååä¸ï¼å½ ``no_new_privs`` 被置ä½æ¶ï¼ ``unshare(2)`` å ``clone(2)`` çå 个é
+项å°æ¯å®å
¨çï¼å¹¶ä¸ ``no_new_privs`` å ä¸ ``chroot`` æ¯å¯ä»¥è¢«è®¤ä¸ºæ¯ chrootæ¬èº«å±
+é©æ§å°å¾å¤çã