€•¶H      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒEnglish”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ./translations/zh_TW/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ./translations/it_IT/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ./translations/ja_JP/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ./translations/ko_KR/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ./translations/sp_SP/userspace-api/no_new_privs”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒChinese (Simplified)”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒ[/var/lib/git/docbuild/linux/Documentation/translations/zh_CN/userspace-api/no_new_privs.rst”h KubhŒnote”“”)”}”(hX{  æ­¤æ–‡ä»¶çš„ç›®çš„æ˜¯ä¸ºè®©ä¸­æ–‡è¯»è€…æ›´å®¹æ˜“é˜…è¯»å’Œç†è§£ï¼Œè€Œä¸æ˜¯ä½œä¸ºä¸€ä¸ªåˆ†æ”¯ã€‚ å› æ­¤ï¼Œ
å¦‚æžœæ‚¨å¯¹æ­¤æ–‡ä»¶æœ‰ä»»ä½•æ„è§æˆ–æ›´æ–°ï¼Œè¯·å…ˆå°è¯•æ›´æ–°åŽŸå§‹è‹±æ–‡æ–‡ä»¶ã€‚
å¦‚æžœæ‚¨å‘çŽ°æœ¬æ–‡æ¡£ä¸ŽåŽŸå§‹æ–‡ä»¶æœ‰ä»»ä½•ä¸åŒæˆ–è€…æœ‰ç¿»è¯‘é—®é¢˜ï¼Œè¯·å‘å»ºè®®æˆ–è€…è¡¥ä¸ç»™
è¯¥æ–‡ä»¶çš„è¯‘è€…ï¼Œæˆ–è€…è¯·æ±‚ä¸­æ–‡æ–‡æ¡£ç»´æŠ¤è€…å’Œå®¡é˜…è€…çš„å¸®åŠ©ã€‚”h]”hŒ	paragraph”“”)”}”(hX{  æ­¤æ–‡ä»¶çš„ç›®çš„æ˜¯ä¸ºè®©ä¸­æ–‡è¯»è€…æ›´å®¹æ˜“é˜…è¯»å’Œç†è§£ï¼Œè€Œä¸æ˜¯ä½œä¸ºä¸€ä¸ªåˆ†æ”¯ã€‚ å› æ­¤ï¼Œ
å¦‚æžœæ‚¨å¯¹æ­¤æ–‡ä»¶æœ‰ä»»ä½•æ„è§æˆ–æ›´æ–°ï¼Œè¯·å…ˆå°è¯•æ›´æ–°åŽŸå§‹è‹±æ–‡æ–‡ä»¶ã€‚
å¦‚æžœæ‚¨å‘çŽ°æœ¬æ–‡æ¡£ä¸ŽåŽŸå§‹æ–‡ä»¶æœ‰ä»»ä½•ä¸åŒæˆ–è€…æœ‰ç¿»è¯‘é—®é¢˜ï¼Œè¯·å‘å»ºè®®æˆ–è€…è¡¥ä¸ç»™
è¯¥æ–‡ä»¶çš„è¯‘è€…ï¼Œæˆ–è€…è¯·æ±‚ä¸­æ–‡æ–‡æ¡£ç»´æŠ¤è€…å’Œå®¡é˜…è€…çš„å¸®åŠ©ã€‚”h]”hX{  æ­¤æ–‡ä»¶çš„ç›®çš„æ˜¯ä¸ºè®©ä¸­æ–‡è¯»è€…æ›´å®¹æ˜“é˜…è¯»å’Œç†è§£ï¼Œè€Œä¸æ˜¯ä½œä¸ºä¸€ä¸ªåˆ†æ”¯ã€‚ å› æ­¤ï¼Œ
å¦‚æžœæ‚¨å¯¹æ­¤æ–‡ä»¶æœ‰ä»»ä½•æ„è§æˆ–æ›´æ–°ï¼Œè¯·å…ˆå°è¯•æ›´æ–°åŽŸå§‹è‹±æ–‡æ–‡ä»¶ã€‚
å¦‚æžœæ‚¨å‘çŽ°æœ¬æ–‡æ¡£ä¸ŽåŽŸå§‹æ–‡ä»¶æœ‰ä»»ä½•ä¸åŒæˆ–è€…æœ‰ç¿»è¯‘é—®é¢˜ï¼Œè¯·å‘å»ºè®®æˆ–è€…è¡¥ä¸ç»™
è¯¥æ–‡ä»¶çš„è¯‘è€…ï¼Œæˆ–è€…è¯·æ±‚ä¸­æ–‡æ–‡æ¡£ç»´æŠ¤è€…å’Œå®¡é˜…è€…çš„å¸®åŠ©ã€‚”…””}”(hh¼hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸŒ5Documentation/translations/zh_CN/disclaimer-zh_CN.rst”h Khh¶ubah}”(h]”h ]”h"]”h$]”h&]”uh1h´hhhžhhŸhÊh NubhŒ
field_list”“”)”}”(hhh]”(hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒOriginal”h]”hŒOriginal”…””}”(hhÝhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÛhhØhŸh³h K ubhŒ
field_body”“”)”}”(hŒ-Documentation/userspace-api/no_new_privs.rst
”h]”h»)”}”(hŒ,Documentation/userspace-api/no_new_privs.rst”h]”hŒ,Documentation/userspace-api/no_new_privs.rst”…””}”(hhñhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h Khhíubah}”(h]”h ]”h"]”h$]”h&]”uh1hëhhØubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÖhŸh³h KhhÓhžhubh×)”}”(hhh]”(hÜ)”}”(hŒç¿»è¯‘”h]”hŒç¿»è¯‘”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÛhj  hŸh³h K ubhì)”}”(hŒæŽç¿ Rui Li <me@lirui.org>
”h]”h»)”}”(hŒæŽç¿ Rui Li <me@lirui.org>”h]”(hŒæŽç¿ Rui Li <”…””}”(hj   hžhhŸNh NubhŒ	reference”“”)”}”(hŒme@lirui.org”h]”hŒme@lirui.org”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:me@lirui.org”uh1j(  hj   ubhŒ>”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h Khj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hëhj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÖhŸh³h KhhÓhžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÑhhhžhhŸh³h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒæ— æ–°æƒé™æ ‡å¿—”h]”hŒæ— æ–°æƒé™æ ‡å¿—”…””}”(hj]  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j[  hjX  hžhhŸh³h Kubh»)”}”(hX8  execveç³»ç»Ÿè°ƒç”¨å¯ä»¥ç»™ä¸€ä¸ªæ–°å¯åŠ¨çš„ç¨‹åºæŽˆäºˆå®ƒçš„çˆ¶ç¨‹åºæœ¬æ²¡æœ‰çš„æƒé™ã€‚æœ€æ˜Žæ˜¾çš„ä¸¤ä¸ª
ä¾‹å­å°±æ˜¯setuid/setgidæŽ§åˆ¶ç¨‹åºå’Œæ–‡ä»¶çš„èƒ½åŠ›ã€‚ä¸ºäº†é¿å…çˆ¶ç¨‹åºä¹ŸèŽ·å¾—è¿™äº›æƒé™ï¼Œå†…
æ ¸å’Œç”¨æˆ·ä»£ç å¿…é¡»å°å¿ƒé¿å…ä»»ä½•çˆ¶ç¨‹åºå¯ä»¥é¢ è¦†å­ç¨‹åºçš„æƒ…å†µã€‚æ¯”å¦‚ï¼š”h]”hX8  execveç³»ç»Ÿè°ƒç”¨å¯ä»¥ç»™ä¸€ä¸ªæ–°å¯åŠ¨çš„ç¨‹åºæŽˆäºˆå®ƒçš„çˆ¶ç¨‹åºæœ¬æ²¡æœ‰çš„æƒé™ã€‚æœ€æ˜Žæ˜¾çš„ä¸¤ä¸ª
ä¾‹å­å°±æ˜¯setuid/setgidæŽ§åˆ¶ç¨‹åºå’Œæ–‡ä»¶çš„èƒ½åŠ›ã€‚ä¸ºäº†é¿å…çˆ¶ç¨‹åºä¹ŸèŽ·å¾—è¿™äº›æƒé™ï¼Œå†…
æ ¸å’Œç”¨æˆ·ä»£ç å¿…é¡»å°å¿ƒé¿å…ä»»ä½•çˆ¶ç¨‹åºå¯ä»¥é¢ è¦†å­ç¨‹åºçš„æƒ…å†µã€‚æ¯”å¦‚ï¼š”…””}”(hjk  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h KhjX  hžhubhŒblock_quote”“”)”}”(hX  - ç¨‹åºåœ¨setuidåŽï¼ŒåŠ¨æ€è£…è½½å™¨å¤„ç† ``LD_*`` çŽ¯å¢ƒå˜é‡çš„ä¸åŒæ–¹å¼ã€‚

- å¯¹äºŽéžç‰¹æƒç¨‹åºï¼Œchrootæ˜¯ä¸å…è®¸çš„ï¼Œå› ä¸ºè¿™ä¼šå…è®¸ ``/etc/passwd`` åœ¨ç»§æ‰¿
  chrootçš„ç¨‹åºçœ¼ä¸­è¢«æ›¿æ¢ã€‚

- æ‰§è¡Œä»£ç å¯¹ptraceæœ‰ç‰¹æ®Šå¤„ç†ã€‚
”h]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒSç¨‹åºåœ¨setuidåŽï¼ŒåŠ¨æ€è£…è½½å™¨å¤„ç† ``LD_*`` çŽ¯å¢ƒå˜é‡çš„ä¸åŒæ–¹å¼ã€‚
”h]”h»)”}”(hŒRç¨‹åºåœ¨setuidåŽï¼ŒåŠ¨æ€è£…è½½å™¨å¤„ç† ``LD_*`` çŽ¯å¢ƒå˜é‡çš„ä¸åŒæ–¹å¼ã€‚”h]”(hŒ+ç¨‹åºåœ¨setuidåŽï¼ŒåŠ¨æ€è£…è½½å™¨å¤„ç† ”…””}”(hjŠ  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``LD_*``”h]”hŒLD_*”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjŠ  ubhŒ çŽ¯å¢ƒå˜é‡çš„ä¸åŒæ–¹å¼ã€‚”…””}”(hjŠ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h Khj†  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  ubj…  )”}”(hŒå¯¹äºŽéžç‰¹æƒç¨‹åºï¼Œchrootæ˜¯ä¸å…è®¸çš„ï¼Œå› ä¸ºè¿™ä¼šå…è®¸ ``/etc/passwd`` åœ¨ç»§æ‰¿
chrootçš„ç¨‹åºçœ¼ä¸­è¢«æ›¿æ¢ã€‚
”h]”h»)”}”(hŒ~å¯¹äºŽéžç‰¹æƒç¨‹åºï¼Œchrootæ˜¯ä¸å…è®¸çš„ï¼Œå› ä¸ºè¿™ä¼šå…è®¸ ``/etc/passwd`` åœ¨ç»§æ‰¿
chrootçš„ç¨‹åºçœ¼ä¸­è¢«æ›¿æ¢ã€‚”h]”(hŒCå¯¹äºŽéžç‰¹æƒç¨‹åºï¼Œchrootæ˜¯ä¸å…è®¸çš„ï¼Œå› ä¸ºè¿™ä¼šå…è®¸ ”…””}”(hj¶  hžhhŸNh Nubj“  )”}”(hŒ``/etc/passwd``”h]”hŒ/etc/passwd”…””}”(hj¾  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¶  ubhŒ, åœ¨ç»§æ‰¿
chrootçš„ç¨‹åºçœ¼ä¸­è¢«æ›¿æ¢ã€‚”…””}”(hj¶  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h Khj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  ubj…  )”}”(hŒ(æ‰§è¡Œä»£ç å¯¹ptraceæœ‰ç‰¹æ®Šå¤„ç†ã€‚
”h]”h»)”}”(hŒ'æ‰§è¡Œä»£ç å¯¹ptraceæœ‰ç‰¹æ®Šå¤„ç†ã€‚”h]”hŒ'æ‰§è¡Œä»£ç å¯¹ptraceæœ‰ç‰¹æ®Šå¤„ç†ã€‚”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h KhjÜ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j  hŸh³h Khj{  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hŸh³h KhjX  hžhubh»)”}”(hX‹  è¿™äº›éƒ½æ˜¯ä¸´æ—¶æ€§çš„ä¿®å¤ã€‚ ``no_new_privs`` ä½ï¼ˆä»Ž Linux 3.5 èµ·ï¼‰æ˜¯ä¸€ä¸ªæ–°çš„é€š
ç”¨çš„æœºåˆ¶æ¥ä¿è¯ä¸€ä¸ªè¿›ç¨‹å®‰å…¨åœ°ä¿®æ”¹å…¶æ‰§è¡ŒçŽ¯å¢ƒå¹¶è·¨execveæŒä¹…åŒ–ã€‚ä»»ä½•ä»»åŠ¡éƒ½å¯ä»¥è®¾
ç½® ``no_new_privs`` ã€‚ä¸€æ—¦è¯¥ä½è¢«è®¾ç½®ï¼Œå®ƒä¼šåœ¨forkã€cloneå’Œexecveä¸­ç»§æ‰¿ä¸‹åŽ»
ï¼Œå¹¶ä¸”ä¸èƒ½è¢«æ’¤é”€ã€‚åœ¨ ``no_new_privs`` è¢«è®¾ç½®çš„æƒ…å†µä¸‹ï¼Œ ``execve()`` å°†ä¿è¯
ä¸ä¼šæŽˆäºˆæƒé™åŽ»åšä»»ä½•æ²¡æœ‰execveè°ƒç”¨å°±ä¸èƒ½åšçš„äº‹æƒ…ã€‚æ¯”å¦‚ï¼Œ setuid å’Œ setgid
ä½ä¸ä¼šå†æ”¹å˜ uid æˆ– gidï¼›æ–‡ä»¶èƒ½åŠ›ä¸ä¼šè¢«æ·»åŠ åˆ°æŽˆæƒé›†åˆä¸­ï¼Œå¹¶ä¸”Linuxå®‰å…¨æ¨¡å—ï¼ˆ
LSMï¼‰ä¸ä¼šåœ¨execveè°ƒç”¨åŽæ”¾æ¾é™åˆ¶ã€‚”h]”(hŒ"è¿™äº›éƒ½æ˜¯ä¸´æ—¶æ€§çš„ä¿®å¤ã€‚ ”…””}”(hj  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj  ubhŒ¢ ä½ï¼ˆä»Ž Linux 3.5 èµ·ï¼‰æ˜¯ä¸€ä¸ªæ–°çš„é€š
ç”¨çš„æœºåˆ¶æ¥ä¿è¯ä¸€ä¸ªè¿›ç¨‹å®‰å…¨åœ°ä¿®æ”¹å…¶æ‰§è¡ŒçŽ¯å¢ƒå¹¶è·¨execveæŒä¹…åŒ–ã€‚ä»»ä½•ä»»åŠ¡éƒ½å¯ä»¥è®¾
ç½® ”…””}”(hj  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj  ubhŒi ã€‚ä¸€æ—¦è¯¥ä½è¢«è®¾ç½®ï¼Œå®ƒä¼šåœ¨forkã€cloneå’Œexecveä¸­ç»§æ‰¿ä¸‹åŽ»
ï¼Œå¹¶ä¸”ä¸èƒ½è¢«æ’¤é”€ã€‚åœ¨ ”…””}”(hj  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj.  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj  ubhŒ è¢«è®¾ç½®çš„æƒ…å†µä¸‹ï¼Œ ”…””}”(hj  hžhhŸNh Nubj“  )”}”(hŒ``execve()``”h]”hŒexecve()”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj  ubhX   å°†ä¿è¯
ä¸ä¼šæŽˆäºˆæƒé™åŽ»åšä»»ä½•æ²¡æœ‰execveè°ƒç”¨å°±ä¸èƒ½åšçš„äº‹æƒ…ã€‚æ¯”å¦‚ï¼Œ setuid å’Œ setgid
ä½ä¸ä¼šå†æ”¹å˜ uid æˆ– gidï¼›æ–‡ä»¶èƒ½åŠ›ä¸ä¼šè¢«æ·»åŠ åˆ°æŽˆæƒé›†åˆä¸­ï¼Œå¹¶ä¸”Linuxå®‰å…¨æ¨¡å—ï¼ˆ
LSMï¼‰ä¸ä¼šåœ¨execveè°ƒç”¨åŽæ”¾æ¾é™åˆ¶ã€‚”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h KhjX  hžhubh»)”}”(hŒ è®¾ç½® ``no_new_privs`` ä½¿ç”¨::”h]”(hŒè®¾ç½® ”…””}”(hjX  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjX  ubhŒ ä½¿ç”¨:”…””}”(hjX  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K!hjX  hžhubhŒliteral_block”“”)”}”(hŒ'prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);”h]”hŒ'prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);”…””}”hjz  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1jx  hŸh³h K#hjX  hžhubh»)”}”(hŒôä¸è¿‡è¦å°å¿ƒï¼ŒLinuxå®‰å…¨æ¨¡å—ï¼ˆLSMï¼‰ä¹Ÿå¯èƒ½ä¸ä¼šåœ¨ ``no_new_privs`` æ¨¡å¼ä¸‹æ”¶ç´§çº¦æŸã€‚
ï¼ˆè¿™æ„å‘³ç€ä¸€ä¸ªä¸€èˆ¬çš„æœåŠ¡å¯åŠ¨å™¨åœ¨æ‰§è¡Œå®ˆæŠ¤è¿›ç¨‹å‰å°±åŽ»è®¾ç½® ``no_new_privs`` å¯èƒ½
ä¼šå¹²æ‰°åŸºäºŽLSMçš„æ²™ç®±ã€‚ï¼‰”h]”(hŒ?ä¸è¿‡è¦å°å¿ƒï¼ŒLinuxå®‰å…¨æ¨¡å—ï¼ˆLSMï¼‰ä¹Ÿå¯èƒ½ä¸ä¼šåœ¨ ”…””}”(hjˆ  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjˆ  ubhŒl æ¨¡å¼ä¸‹æ”¶ç´§çº¦æŸã€‚
ï¼ˆè¿™æ„å‘³ç€ä¸€ä¸ªä¸€èˆ¬çš„æœåŠ¡å¯åŠ¨å™¨åœ¨æ‰§è¡Œå®ˆæŠ¤è¿›ç¨‹å‰å°±åŽ»è®¾ç½® ”…””}”(hjˆ  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj¢  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjˆ  ubhŒ) å¯èƒ½
ä¼šå¹²æ‰°åŸºäºŽLSMçš„æ²™ç®±ã€‚ï¼‰”…””}”(hjˆ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K%hjX  hžhubh»)”}”(hŒºè¯·æ³¨æ„ï¼Œ ``no_new_privs`` å¹¶ä¸èƒ½é˜»æ­¢ä¸æ¶‰åŠ ``execve()`` çš„æƒé™å˜åŒ–ã€‚ä¸€ä¸ªæ‹¥æœ‰
é€‚å½“æƒé™çš„ä»»åŠ¡ä»ç„¶å¯ä»¥è°ƒç”¨ ``setuid(2)`` å¹¶æŽ¥æ”¶ SCM_RIGHTS æ•°æ®æŠ¥ã€‚”h]”(hŒè¯·æ³¨æ„ï¼Œ ”…””}”(hjº  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjº  ubhŒ å¹¶ä¸èƒ½é˜»æ­¢ä¸æ¶‰åŠ ”…””}”(hjº  hžhhŸNh Nubj“  )”}”(hŒ``execve()``”h]”hŒexecve()”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjº  ubhŒH çš„æƒé™å˜åŒ–ã€‚ä¸€ä¸ªæ‹¥æœ‰
é€‚å½“æƒé™çš„ä»»åŠ¡ä»ç„¶å¯ä»¥è°ƒç”¨ ”…””}”(hjº  hžhhŸNh Nubj“  )”}”(hŒ``setuid(2)``”h]”hŒ	setuid(2)”…””}”(hjæ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjº  ubhŒ" å¹¶æŽ¥æ”¶ SCM_RIGHTS æ•°æ®æŠ¥ã€‚”…””}”(hjº  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K)hjX  hžhubh»)”}”(hŒ9ç›®å‰æ¥è¯´ï¼Œ ``no_new_privs`` æœ‰ä¸¤å¤§ä½¿ç”¨åœºæ™¯ï¼š”h]”(hŒç›®å‰æ¥è¯´ï¼Œ ”…””}”(hjþ  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjþ  ubhŒ æœ‰ä¸¤å¤§ä½¿ç”¨åœºæ™¯ï¼š”…””}”(hjþ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K,hjX  hžhubjz  )”}”(hX  - ä¸ºseccompæ¨¡å¼2æ²™ç®±å®‰è£…çš„è¿‡æ»¤å™¨ä¼šè·¨execveæŒä¹…åŒ–ï¼Œå¹¶èƒ½å¤Ÿæ”¹å˜æ–°æ‰§è¡Œç¨‹åºçš„è¡Œä¸ºã€‚
  éžç‰¹æƒç”¨æˆ·å› æ­¤åœ¨ ``no_new_privs`` è¢«è®¾ç½®çš„æƒ…å†µä¸‹åªå…è®¸å®‰è£…è¿™æ ·çš„è¿‡æ»¤å™¨ã€‚

- ``no_new_privs`` æœ¬èº«å°±èƒ½è¢«ç”¨äºŽå‡å°‘éžç‰¹æƒç”¨æˆ·çš„æ”»å‡»é¢ã€‚å¦‚æžœæ‰€æœ‰ä»¥æŸä¸ª uid
  è¿è¡Œçš„ç¨‹åºéƒ½è®¾ç½®äº† ``no_new_privs`` ï¼Œé‚£ä¹ˆé‚£ä¸ª uid å°†æ— æ³•é€šè¿‡æ”»å‡» setuidï¼Œ
  setgid å’Œä½¿ç”¨æ–‡ä»¶èƒ½åŠ›çš„äºŒè¿›åˆ¶æ¥ææƒï¼›å®ƒéœ€è¦å…ˆæ”»å‡»ä¸€äº›æ²¡æœ‰è¢«è®¾ç½® ``no_new_privs``
  ä½çš„ä¸œè¥¿ã€‚
”h]”j€  )”}”(hhh]”(j…  )”}”(hŒÐä¸ºseccompæ¨¡å¼2æ²™ç®±å®‰è£…çš„è¿‡æ»¤å™¨ä¼šè·¨execveæŒä¹…åŒ–ï¼Œå¹¶èƒ½å¤Ÿæ”¹å˜æ–°æ‰§è¡Œç¨‹åºçš„è¡Œä¸ºã€‚
éžç‰¹æƒç”¨æˆ·å› æ­¤åœ¨ ``no_new_privs`` è¢«è®¾ç½®çš„æƒ…å†µä¸‹åªå…è®¸å®‰è£…è¿™æ ·çš„è¿‡æ»¤å™¨ã€‚
”h]”h»)”}”(hŒÏä¸ºseccompæ¨¡å¼2æ²™ç®±å®‰è£…çš„è¿‡æ»¤å™¨ä¼šè·¨execveæŒä¹…åŒ–ï¼Œå¹¶èƒ½å¤Ÿæ”¹å˜æ–°æ‰§è¡Œç¨‹åºçš„è¡Œä¸ºã€‚
éžç‰¹æƒç”¨æˆ·å› æ­¤åœ¨ ``no_new_privs`` è¢«è®¾ç½®çš„æƒ…å†µä¸‹åªå…è®¸å®‰è£…è¿™æ ·çš„è¿‡æ»¤å™¨ã€‚”h]”(hŒ…ä¸ºseccompæ¨¡å¼2æ²™ç®±å®‰è£…çš„è¿‡æ»¤å™¨ä¼šè·¨execveæŒä¹…åŒ–ï¼Œå¹¶èƒ½å¤Ÿæ”¹å˜æ–°æ‰§è¡Œç¨‹åºçš„è¡Œä¸ºã€‚
éžç‰¹æƒç”¨æˆ·å› æ­¤åœ¨ ”…””}”(hj)  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj)  ubhŒ: è¢«è®¾ç½®çš„æƒ…å†µä¸‹åªå…è®¸å®‰è£…è¿™æ ·çš„è¿‡æ»¤å™¨ã€‚”…””}”(hj)  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K.hj%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj"  ubj…  )”}”(hXB  ``no_new_privs`` æœ¬èº«å°±èƒ½è¢«ç”¨äºŽå‡å°‘éžç‰¹æƒç”¨æˆ·çš„æ”»å‡»é¢ã€‚å¦‚æžœæ‰€æœ‰ä»¥æŸä¸ª uid
è¿è¡Œçš„ç¨‹åºéƒ½è®¾ç½®äº† ``no_new_privs`` ï¼Œé‚£ä¹ˆé‚£ä¸ª uid å°†æ— æ³•é€šè¿‡æ”»å‡» setuidï¼Œ
setgid å’Œä½¿ç”¨æ–‡ä»¶èƒ½åŠ›çš„äºŒè¿›åˆ¶æ¥ææƒï¼›å®ƒéœ€è¦å…ˆæ”»å‡»ä¸€äº›æ²¡æœ‰è¢«è®¾ç½® ``no_new_privs``
ä½çš„ä¸œè¥¿ã€‚
”h]”h»)”}”(hXA  ``no_new_privs`` æœ¬èº«å°±èƒ½è¢«ç”¨äºŽå‡å°‘éžç‰¹æƒç”¨æˆ·çš„æ”»å‡»é¢ã€‚å¦‚æžœæ‰€æœ‰ä»¥æŸä¸ª uid
è¿è¡Œçš„ç¨‹åºéƒ½è®¾ç½®äº† ``no_new_privs`` ï¼Œé‚£ä¹ˆé‚£ä¸ª uid å°†æ— æ³•é€šè¿‡æ”»å‡» setuidï¼Œ
setgid å’Œä½¿ç”¨æ–‡ä»¶èƒ½åŠ›çš„äºŒè¿›åˆ¶æ¥ææƒï¼›å®ƒéœ€è¦å…ˆæ”»å‡»ä¸€äº›æ²¡æœ‰è¢«è®¾ç½® ``no_new_privs``
ä½çš„ä¸œè¥¿ã€‚”h]”(j“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjS  ubhŒp æœ¬èº«å°±èƒ½è¢«ç”¨äºŽå‡å°‘éžç‰¹æƒç”¨æˆ·çš„æ”»å‡»é¢ã€‚å¦‚æžœæ‰€æœ‰ä»¥æŸä¸ª uid
è¿è¡Œçš„ç¨‹åºéƒ½è®¾ç½®äº† ”…””}”(hjS  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjS  ubhŒ‘ ï¼Œé‚£ä¹ˆé‚£ä¸ª uid å°†æ— æ³•é€šè¿‡æ”»å‡» setuidï¼Œ
setgid å’Œä½¿ç”¨æ–‡ä»¶èƒ½åŠ›çš„äºŒè¿›åˆ¶æ¥ææƒï¼›å®ƒéœ€è¦å…ˆæ”»å‡»ä¸€äº›æ²¡æœ‰è¢«è®¾ç½® ”…””}”(hjS  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj{  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hjS  ubhŒ
ä½çš„ä¸œè¥¿ã€‚”…””}”(hjS  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K1hjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j„  hj"  ubeh}”(h]”h ]”h"]”h$]”h&]”jú  jû  uh1j  hŸh³h K.hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jy  hŸh³h K.hjX  hžhubh»)”}”(hXK  å°†æ¥ï¼Œå…¶ä»–æ½œåœ¨çš„å±é™©çš„å†…æ ¸ç‰¹æ€§å¯èƒ½è¢«éžç‰¹æƒä»»åŠ¡åˆ©ç”¨ï¼Œå³ä½¿ ``no_new_privs`` è¢«ç½®ä½ã€‚
åŽŸåˆ™ä¸Šï¼Œå½“ ``no_new_privs`` è¢«ç½®ä½æ—¶ï¼Œ ``unshare(2)`` å’Œ ``clone(2)`` çš„å‡ ä¸ªé€‰
é¡¹å°†æ˜¯å®‰å…¨çš„ï¼Œå¹¶ä¸” ``no_new_privs`` åŠ ä¸Š ``chroot`` æ˜¯å¯ä»¥è¢«è®¤ä¸ºæ¯” chrootæœ¬èº«å±
é™©æ€§å°å¾—å¤šçš„ã€‚”h]”(hŒUå°†æ¥ï¼Œå…¶ä»–æ½œåœ¨çš„å±é™©çš„å†…æ ¸ç‰¹æ€§å¯èƒ½è¢«éžç‰¹æƒä»»åŠ¡åˆ©ç”¨ï¼Œå³ä½¿ ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ è¢«ç½®ä½ã€‚
åŽŸåˆ™ä¸Šï¼Œå½“ ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ è¢«ç½®ä½æ—¶ï¼Œ ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ``unshare(2)``”h]”hŒ
unshare(2)”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ å’Œ ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ``clone(2)``”h]”hŒclone(2)”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ* çš„å‡ ä¸ªé€‰
é¡¹å°†æ˜¯å®‰å…¨çš„ï¼Œå¹¶ä¸” ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ``no_new_privs``”h]”hŒno_new_privs”…””}”(hjõ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ åŠ ä¸Š ”…””}”(hj¥  hžhhŸNh Nubj“  )”}”(hŒ
``chroot``”h]”hŒchroot”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j’  hj¥  ubhŒ< æ˜¯å¯ä»¥è¢«è®¤ä¸ºæ¯” chrootæœ¬èº«å±
é™©æ€§å°å¾—å¤šçš„ã€‚”…””}”(hj¥  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hºhŸh³h K6hjX  hžhubeh}”(h]”Œid1”ah ]”h"]”Œæ— æ–°æƒé™æ ‡å¿—”ah$]”h&]”uh1jV  hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(j[  NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jJ  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”j$  j!  sŒ	nametypes”}”j$  ‰sh}”j!  jX  sŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”jX  Ks…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ?Documentation/translations/zh_CN/userspace-api/no_new_privs.rst”(NNNNt”†”aŒ
decoration”Nhžhub.