@[TOC

参考

https://man7.org/linux/man-pages/man2/prctl.2.html

简介

#include <sys/prctl.h>
int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);
最终调用的是内核的
kernel/sys.c:SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,

PR_CAP_AMBIENT_RAISE

使用时需要注意的问题；
如果是非root用户执行的程序需要特殊的权限才能执行。kernel代码会从下面多个设置选项做检查。

如果碰到EPERM错误
if (arg2 == PR_CAP_AMBIENT_RAISE &&
(!cap_raised(current_cred()->cap_permitted, arg3) || //看允许集里是否有
!cap_raised(current_cred()->cap_inheritable, //看继承集里是否有
arg3) ||
issecure(SECURE_NO_CAP_AMBIENT_RAISE))) // 看对应的安全位是否被disable
return -EPERM;

SECURE_NO_CAP_AMBIENT_RAISE

commit 746bf6d64275be0c65b0631d8a72b16f1454cfa1
Author: Andy Lutomirski luto@kernel.org
Date: Fri Sep 4 15:42:51 2015 -0700

capabilities: add a securebit to disable PR_CAP_AMBIENT_RAISE

Per Andrew Morgan's request, add a securebit to allow admins to disable
PR_CAP_AMBIENT_RAISE.  This securebit will prevent processes from adding
capabilities to their ambient set.

For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather than
just disabling setting previously cleared bits.

注意事项

需要注意的是，如果需要设置多个能力，需要单个执行不能合并执行。
if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW,0, 0)!=0)
if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0)!=0)

if(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW|CAP_NET_ADMIN,0, 0)!=0) ；； 这个执行会有问题。

prctl 相关的单元测试

tools/testing/selftests/syscall_user_dispatch/sud_test.c