diff --git a/compat/posix/src/map_error.c b/compat/posix/src/map_error.c index 791fc7874253644721f5adfef709bced903ed8d9..d63c80db34dc8f48c081866be3091434790ac094 100644 --- a/compat/posix/src/map_error.c +++ b/compat/posix/src/map_error.c @@ -34,7 +34,7 @@ #include "los_sem.h" #include "los_task.h" - +//错误适配 int map_errno(UINT32 err) { if (err == LOS_OK) { diff --git a/compat/posix/src/semaphore.c b/compat/posix/src/semaphore.c index 71b8f32befe32ccff2db4c37d9ce6aa896446d59..c46eebdd9549cb428d8746f514daf8d7df5ff91a 100644 --- a/compat/posix/src/semaphore.c +++ b/compat/posix/src/semaphore.c @@ -36,7 +36,7 @@ /* Initialize semaphore to value, shared is not supported in Huawei LiteOS. */ -int sem_init(sem_t *sem, int shared, unsigned int value) +int sem_init(sem_t *sem, int shared, unsigned int value)//初始化信号量,Huawei LiteOS 不支持共享 { UINT32 semHandle = 0; UINT32 ret; diff --git a/platform/main.c b/platform/main.c index ba5d4d910bb69b1a2cd6341038e85be0afe0ce54..b6904c2040a627fbac32d38204161e2efe0cdab0 100644 --- a/platform/main.c +++ b/platform/main.c @@ -154,7 +154,7 @@ LITE_OS_SEC_TEXT_INIT INT32 main(VOID)//由主CPU执行,默认0号CPU 为主CPU CPU_MAP_SET(0, OsHwIDGet());//设置CPU映射,参数0 代表0号CPU - OsSchedStart(); + OsSchedStart();//调度开始 while (1) { __asm volatile("wfi");//WFI: wait for Interrupt 等待中断,即下一次中断发生前都在此hold住不干活 diff --git a/security/cap/capability.c b/security/cap/capability.c index 00eb4a42b397f49426ab0d5d04253b01efbab30b..de41058af98f37bc6eadd11b72210ff047b78880 100644 --- a/security/cap/capability.c +++ b/security/cap/capability.c @@ -39,7 +39,7 @@ #define CAPABILITY_GET_CAP_MASK(x) (1 << ((x) & 31)) #define CAPABILITY_MAX 31 #define VALID_CAPS(a, b) (((a) & (~(b))) != 0) - +//是否允许访问 BOOL IsCapPermit(UINT32 capIndex) { UINT32 capability = OsCurrProcessGet()->capability; 
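Review bot: In security/cap/capability.c the new comment `//是否允许访问` sits directly under `#define CAPABILITY_GET_CAP_MASK(x) (1 << ((x) & 31))`, and neither the comment nor the macro covers the edge cases. With `CAPABILITY_MAX` at 31, index 31 shifts a signed `1` into the sign bit, which is undefined behaviour in C; `#define CAPABILITY_GET_CAP_MASK(x) (1U << ((x) & 31))` avoids it. The `& 31` also folds any out-of-range index onto a valid bit, so the permission decision relies on a range test inside IsCapPermit, whose body runs past the end of this hunk and is not visible here. A more useful comment would be `// TRUE when the current process holds capability bit capIndex`.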
@@ -50,12 +50,12 @@ BOOL IsCapPermit(UINT32 capIndex) return (capability & (CAPABILITY_GET_CAP_MASK(capIndex))); } - +//初始化进程安全能力 VOID OsInitCapability(LosProcessCB *processCB) { processCB->capability = CAPABILITY_INIT_STAT; } - +//进程间安全能力的拷贝 VOID OsCopyCapability(LosProcessCB *from, LosProcessCB *to) { UINT32 intSave; @@ -64,27 +64,27 @@ VOID OsCopyCapability(LosProcessCB *from, LosProcessCB *to) to->capability = from->capability; SCHEDULER_UNLOCK(intSave); } - +//为进程设置权限项 UINT32 SysCapSet(UINT32 caps) { UINT32 intSave; SCHEDULER_LOCK(intSave); - if (!IsCapPermit(CAP_CAPSET)) { + if (!IsCapPermit(CAP_CAPSET)) {//先检查进程是否有权限 SCHEDULER_UNLOCK(intSave); return -EPERM; } - if (VALID_CAPS(caps, OsCurrProcessGet()->capability)) { + if (VALID_CAPS(caps, OsCurrProcessGet()->capability)) {//验证参数有效性 SCHEDULER_UNLOCK(intSave); return -EPERM; } - OsCurrProcessGet()->capability = caps; + OsCurrProcessGet()->capability = caps;//改变当前进程的权限集,相当于自己给自己加减权限 SCHEDULER_UNLOCK(intSave); return LOS_OK; } - +//获取参数进程的权限集 UINT32 SysCapGet(pid_t pid, UINT32 *caps) { UINT32 intSave; @@ -109,8 +109,8 @@ UINT32 SysCapGet(pid_t pid, UINT32 *caps) kCaps = processCB->capability; SCHEDULER_UNLOCK(intSave); - - if (LOS_ArchCopyToUser(caps, &kCaps, sizeof(UINT32)) != LOS_OK) { + //@note_thinking 感觉这里可以不用 LOS_ArchCopyToUser 直接返回kCaps + if (LOS_ArchCopyToUser(caps, &kCaps, sizeof(UINT32)) != LOS_OK) {//内核空间向用户空间拷贝 return -EFAULT; } diff --git a/security/cap/capability_type.h b/security/cap/capability_type.h index b5163325740ca2f7980464fb361d626049280457..1af2778f0b819cda340035adaec8dd26476736a0 100644 --- a/security/cap/capability_type.h +++ b/security/cap/capability_type.h 
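Review bot: `return (capability & (CAPABILITY_GET_CAP_MASK(capIndex)));` at the top of this hunk hands back the raw masked word as a `BOOL`, so a granted capability comes back as a bit value rather than TRUE. If `BOOL` is narrower than `UINT32` (its typedef is not on this page), the high capability bits would truncate to 0 and the check would deny wrongly, and any caller comparing against `TRUE` would misread the result. `return (capability & CAPABILITY_GET_CAP_MASK(capIndex)) != 0;` makes the result independent of the typedef. IsCapPermit begins before this hunk.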
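Review bot: The comment added on `OsCurrProcessGet()->capability = caps;` says the process can add or remove its own permissions (`加减权限`), but the test just above it rejects any `caps` carrying a bit the process does not already hold, because `VALID_CAPS(a, b)` is `(((a) & (~(b))) != 0)`. SysCapSet can therefore only narrow the set, and that restriction is what stops a process from escalating itself; the comment should say so, for example `// replace the set with caps; only a subset of the current set is accepted, so capabilities can be dropped but never gained`. `//验证参数有效性` on the `VALID_CAPS` line would read better as `// reject caps that asks for any bit not currently held`, since the macro is true for the invalid case despite its name. The function comment could also note that the return type is `UINT32` while the failure paths return `-EPERM`, so callers see a large unsigned value.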
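Review bot: The added `@note_thinking` line proposes dropping `LOS_ArchCopyToUser` and returning `kCaps` directly, and that advice should not stay in the source. `caps` is a pointer supplied by the calling process, and the `-EFAULT` branch shows the copy routine is where a bad address gets rejected instead of the kernel storing through it. The return value is also already used for status codes, so a capability mask returned in-band could not be told apart from an error. I would replace the note with `// caps is a user-space pointer: write it only through LOS_ArchCopyToUser, never with a direct store`. SysCapGet starts and ends outside this hunk.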
@@ -28,42 +28,51 @@ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +/* +capabilities 翻译为 权限(集) +Capabilities 机制是在 Linux 内核 2.2 之后引入的,原理很简单,就是将之前与超级用户 root(UID=0) +关联的特权细分为不同的功能组,Capabilites 作为线程(Linux 并不真正区分进程和线程)的属性存在, +每个功能组都可以独立启用和禁用。其本质上就是将内核调用分门别类,具有相似功能的内核调用被分到同一组中。 +这样一来,权限检查的过程就变成了:在执行特权操作时,如果线程的有效身份不是 root, +就去检查其是否具有该特权操作所对应的 capabilities,并以此为依据,决定是否可以执行特权操作。 +capability 作用在进程上,让用户态进程具有内核态进程的某些权限. +https://blog.csdn.net/alex_yangchuansheng/article/details/102796001 +*/ #ifndef CAPABILITY_TYPE_H #define CAPABILITY_TYPE_H // posix capabilities -#define CAP_CHOWN 0 -#define CAP_DAC_EXECUTE 1 -#define CAP_DAC_WRITE 2 -#define CAP_DAC_READ_SEARCH 3 -#define CAP_FOWNER 4 -#define CAP_KILL 5 -#define CAP_SETGID 6 -#define CAP_SETUID 7 +#define CAP_CHOWN 0 //修改文件所有者的权限 +#define CAP_DAC_EXECUTE 1 //具有执行权限 +#define CAP_DAC_WRITE 2 //具有写权限 +#define CAP_DAC_READ_SEARCH 3 //忽略文件读及目录搜索的 DAC 访问限制 +#define CAP_FOWNER 4 //忽略文件属主 ID 必须和进程用户 ID 相匹配的限制 +#define CAP_KILL 5 //允许向其他进程发生信号 +#define CAP_SETGID 6 //允许设置其他进程组ID +#define CAP_SETUID 7 //允许设置其他进程用户ID // socket capabilities -#define CAP_NET_BIND_SERVICE 8 -#define CAP_NET_BROADCAST 9 +#define CAP_NET_BIND_SERVICE 8 //允许绑定端口权限 +#define CAP_NET_BROADCAST 9 //允许广播 #define CAP_NET_ADMIN 10 #define CAP_NET_RAW 11 // fs capabilities -#define CAP_FS_MOUNT 12 -#define CAP_FS_FORMAT 13 +#define CAP_FS_MOUNT 12 //允许挂载 +#define CAP_FS_FORMAT 13 //允许格式化 // process capabilities -#define CAP_SCHED_SETPRIORITY 14 +#define CAP_SCHED_SETPRIORITY 14 //允许设置调度优先级 // time capabilities -#define CAP_SET_TIMEOFDAY 15 +#define CAP_SET_TIMEOFDAY 15 #define CAP_CLOCK_SETTIME 16 // process capabilities -#define CAP_CAPSET 17 +#define CAP_CAPSET 17 //允许改变进程自身的权限集 // reboot capability -#define CAP_REBOOT 18 +#define CAP_REBOOT 18 //允许重新启动系统 // self deined privileged syscalls -#define CAP_SHELL_EXEC 19 +#define CAP_SHELL_EXEC 19 //自我定义的特权系统调用 #endif \ No newline at end of 
file diff --git a/syscall/misc_syscall.c b/syscall/misc_syscall.c index 29b571d94806959240c0abc144c64dafc341013b..771e8f0c73be04e7f8cac35ea96010668884be0c 100644 --- a/syscall/misc_syscall.c +++ b/syscall/misc_syscall.c @@ -84,7 +84,7 @@ int SysInfo(struct sysinfo *info) } return 0; } - +//重启系统 int SysReboot(int magic, int magic2, int type) { (void)magic; diff --git a/zzz/git/push.sh b/zzz/git/push.sh index ebc71de557710f8eed6795aeea029b9135c0be9f..c03b53d7d72d1264c5496e79321d9825ef1f9b55 100644 --- a/zzz/git/push.sh +++ b/zzz/git/push.sh @@ -1,5 +1,5 @@ git add -A -git commit -m 'posix 接口注解. +git commit -m '进程权限注解. 百万汉字注解 + 百篇博客分析 => 挖透鸿蒙内核源码 国内:https://weharmony.21cloudbox.com 国外:https://weharmony.github.io
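Review bot: Several of the new per-constant comments in capability_type.h are imprecise enough to mislead someone auditing permission checks. `CAP_DAC_EXECUTE` and `CAP_DAC_WRITE` are described as "has execute/write permission", whereas the neighbouring `CAP_DAC_READ_SEARCH` line suggests they mean bypassing the DAC check; `CAP_KILL` has a typo (`发生` for `发送`); `CAP_SHELL_EXEC` only repeats the section heading; and `CAP_NET_ADMIN`, `CAP_NET_RAW`, `CAP_SET_TIMEOFDAY` and `CAP_CLOCK_SETTIME` get no comment at all. The new header block describes the Linux per-thread model, while capability.c in this same commit keeps a single `UINT32` mask per process and tests it with `IsCapPermit`. I would add one sentence stating that each value here is a bit index (0..`CAPABILITY_MAX`) into that per-process mask and that Linux semantics should not be assumed.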
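Review bot: `//重启系统` on SysReboot omits the access-control facts a reader needs for a privileged syscall. The one visible body line, `(void)magic;`, discards the argument, so the magic value is not acting as a guard. This commit documents `CAP_REBOOT` as `允许重新启动系统`, but whether SysReboot actually tests it lies outside the hunk. Once confirmed against the rest of the body, a comment such as `// reboot syscall: magic/magic2 are ignored; the caller must hold CAP_REBOOT` would record what gates the call.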