From 7a03be035e7926e8750817b39a4a79d590f2a24e Mon Sep 17 00:00:00 2001
From: Lvwenxuan <1666510747@qq.com>
Date: Tue, 31 Dec 2024 18:25:42 +0800
Subject: [PATCH] =?UTF-8?q?/*=20=20*=20Copyright=20(c)=202013-2019=20Huawe?=
 =?UTF-8?q?i=20Technologies=20Co.,=20Ltd.=20All=20rights=20reserved.=20=20?=
 =?UTF-8?q?*=20Copyright=20(c)=202020-2021=20Huawei=20Device=20Co.,=20Ltd.?=
 =?UTF-8?q?=20All=20rights=20reserved.=20=20*=20=20*=20Redistribution=20an?=
 =?UTF-8?q?d=20use=20in=20source=20and=20binary=20forms,=20with=20or=20wit?=
 =?UTF-8?q?hout=20modification,=20=20*=20are=20permitted=20provided=20that?=
 =?UTF-8?q?=20the=20following=20conditions=20are=20met:=20=20*=20=20*=201.?=
 =?UTF-8?q?=20Redistributions=20of=20source=20code=20must=20retain=20the?=
 =?UTF-8?q?=20above=20copyright=20notice,=20this=20list=20of=20=20*=20=20?=
 =?UTF-8?q?=20=20conditions=20and=20the=20following=20disclaimer.=20=20*?=
 =?UTF-8?q?=20=20*=202.=20Redistributions=20in=20binary=20form=20must=20re?=
 =?UTF-8?q?produce=20the=20above=20copyright=20notice,=20this=20list=20=20?=
 =?UTF-8?q?*=20=20=20=20of=20conditions=20and=20the=20following=20disclaim?=
 =?UTF-8?q?er=20in=20the=20documentation=20and/or=20other=20materials=20?=
 =?UTF-8?q?=20*=20=20=20=20provided=20with=20the=20distribution.=20=20*=20?=
 =?UTF-8?q?=20*=203.=20Neither=20the=20name=20of=20the=20copyright=20holde?=
 =?UTF-8?q?r=20nor=20the=20names=20of=20its=20contributors=20may=20be=20us?=
 =?UTF-8?q?ed=20=20*=20=20=20=20to=20endorse=20or=20promote=20products=20d?=
 =?UTF-8?q?erived=20from=20this=20software=20without=20specific=20prior=20?=
 =?UTF-8?q?written=20=20*=20=20=20=20permission.=20=20*=20=20*=20THIS=20SO?=
 =?UTF-8?q?FTWARE=20IS=20PROVIDED=20BY=20THE=20COPYRIGHT=20HOLDERS=20AND?=
 =?UTF-8?q?=20CONTRIBUTORS=20=20*=20"AS=20IS"=20AND=20ANY=20EXPRESS=20OR?=
 =?UTF-8?q?=20IMPLIED=20WARRANTIES,=20INCLUDING,=20BUT=20NOT=20LIMITED=20T?=
 =?UTF-8?q?O,=20=20*=20THE=20IMPLIED=20WARRANTIES=20OF=20MERCHANTABILITY?=
 =?UTF-8?q?=20AND=20FITNESS=20FOR=20A=20PARTICULAR=20=20*=20PURPOSE=20ARE?=
 =?UTF-8?q?=20DISCLAIMED.=20IN=20NO=20EVENT=20SHALL=20THE=20COPYRIGHT=20HO?=
 =?UTF-8?q?LDER=20OR=20=20*=20CONTRIBUTORS=20BE=20LIABLE=20FOR=20ANY=20DIR?=
 =?UTF-8?q?ECT,=20INDIRECT,=20INCIDENTAL,=20SPECIAL,=20=20*=20EXEMPLARY,?=
 =?UTF-8?q?=20OR=20CONSEQUENTIAL=20DAMAGES=20(INCLUDING,=20BUT=20NOT=20LIM?=
 =?UTF-8?q?ITED=20TO,=20=20*=20PROCUREMENT=20OF=20SUBSTITUTE=20GOODS=20OR?=
 =?UTF-8?q?=20SERVICES;=20LOSS=20OF=20USE,=20DATA,=20OR=20PROFITS;=20=20*?=
 =?UTF-8?q?=20OR=20BUSINESS=20INTERRUPTION)=20HOWEVER=20CAUSED=20AND=20ON?=
 =?UTF-8?q?=20ANY=20THEORY=20OF=20LIABILITY,=20=20*=20WHETHER=20IN=20CONTR?=
 =?UTF-8?q?ACT,=20STRICT=20LIABILITY,=20OR=20TORT=20(INCLUDING=20NEGLIGENC?=
 =?UTF-8?q?E=20OR=20=20*=20OTHERWISE)=20ARISING=20IN=20ANY=20WAY=20OUT=20O?=
 =?UTF-8?q?F=20THE=20USE=20OF=20THIS=20SOFTWARE,=20EVEN=20IF=20=20*=20ADVI?=
 =?UTF-8?q?SED=20OF=20THE=20POSSIBILITY=20OF=20SUCH=20DAMAGE.=20=20*/=20#i?=
 =?UTF-8?q?nclude=20"pthread.h"=20//=20=E5=BC=95=E5=85=A5POSIX=E7=BA=BF?=
 =?UTF-8?q?=E7=A8=8B=E5=BA=93=EF=BC=8C=E7=94=A8=E4=BA=8E=E5=A4=9A=E7=BA=BF?=
 =?UTF-8?q?=E7=A8=8B=E7=BC=96=E7=A8=8B=20#include=20"linux/capability.h"?=
 =?UTF-8?q?=20//=20=E5=BC=95=E5=85=A5Linux=E8=83=BD=E5=8A=9B=EF=BC=88capab?=
 =?UTF-8?q?ilities=EF=BC=89=E5=AE=9A=E4=B9=89=EF=BC=8C=E7=94=A8=E4=BA=8E?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E6=8E=A7=E5=88=B6=20#include=20<sys/capabili?=
 =?UTF-8?q?ty.h>=20//=20=E5=BC=95=E5=85=A5=E7=B3=BB=E7=BB=9F=E8=83=BD?=
 =?UTF-8?q?=E5=8A=9B=E6=8E=A5=E5=8F=A3=20#include=20"it=5Ftest=5Fcapabilit?=
 =?UTF-8?q?y.h"=20//=20=E5=81=87=E8=AE=BE=E6=98=AF=E6=B5=8B=E8=AF=95?=
 =?UTF-8?q?=E6=A1=86=E6=9E=B6=E6=88=96=E6=B5=8B=E8=AF=95=E7=9B=B8=E5=85=B3?=
 =?UTF-8?q?=E7=9A=84=E5=A4=B4=E6=96=87=E4=BB=B6=20#include=20<signal.h>=20?=
 =?UTF-8?q?//=20=E5=BC=95=E5=85=A5=E4=BF=A1=E5=8F=B7=E5=A4=84=E7=90=86?=
 =?UTF-8?q?=E5=87=BD=E6=95=B0=20#include=20<sys/types.h>=20//=20=E5=BC=95?=
 =?UTF-8?q?=E5=85=A5=E5=9F=BA=E6=9C=AC=E6=95=B0=E6=8D=AE=E7=B1=BB=E5=9E=8B?=
 =?UTF-8?q?=20#include=20<time.h>=20//=20=E5=BC=95=E5=85=A5=E6=97=B6?=
 =?UTF-8?q?=E9=97=B4=E5=A4=84=E7=90=86=E5=87=BD=E6=95=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#define CAP_NUM 2 // å®šä¹‰èƒ½åŠ›æ•°ç»„çš„å¤§å°
#define INVAILD_PID 65535 // å®šä¹‰ä¸€ä¸ªæ— æ•ˆçš„è¿›ç¨‹ID
#define CHANGE_CHILD_UID 1000 // å®šä¹‰å­è¿›ç¨‹è¦æ›´æ”¹çš„ç”¨æˆ·ID

// ä¿¡å·å¤„ç†å‡½æ•°ï¼Œå½“å‰ä¸ºç©ºå®žçŽ°
static void Sigac(int param)
{
    return;
}

// å­è¿›ç¨‹å‡½æ•°
static void Child()
{
    int i = 10; // å¾ªçŽ¯è®¡æ•°å™¨
    signal(25, Sigac); // è®¾ç½®ä¿¡å·25çš„å¤„ç†å‡½æ•°ä¸ºSigac

    while (i--) { // å¾ªçŽ¯10æ¬¡ï¼Œæ¯æ¬¡ç¡çœ 1ç§’
        sleep(1);
    }
    // ç¡çœ 10ç§’åŽé€€å‡º
    exit(0);
}

// æµ‹è¯•å­è¿›ç¨‹çš„å‡½æ•°
static int TestChild(VOID)
{
    struct __user_cap_header_struct capheader; // å®šä¹‰èƒ½åŠ›å¤´éƒ¨ç»“æž„ä½“
    struct __user_cap_data_struct capdata[CAP_NUM]; // å®šä¹‰èƒ½åŠ›æ•°æ®ç»“æž„ä½“æ•°ç»„
    struct __user_cap_data_struct capdatac[CAP_NUM]; // å®šä¹‰å¦ä¸€ä¸ªèƒ½åŠ›æ•°æ®ç»“æž„ä½“æ•°ç»„ï¼Œç”¨äºŽèŽ·å–å½“å‰èƒ½åŠ›
    struct timespec tp; // å®šä¹‰æ—¶é—´ç»“æž„ä½“
    int ret; // å®šä¹‰è¿”å›žå€¼å˜é‡ï¼Œæ­¤å¤„æ¼å†™äº†åˆå§‹åŒ–
    // åˆå§‹åŒ–ç»“æž„ä½“
    (void)memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, sizeof(struct __user_cap_header_struct)); // æ¸…é›¶èƒ½åŠ›å¤´éƒ¨ç»“æž„ä½“
    (void)memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); // æ¸…é›¶èƒ½åŠ›æ•°æ®ç»“æž„ä½“æ•°ç»„
    capdata[0].permitted = 0xffffffff; // è®¾ç½®å…è®¸çš„æ‰€æœ‰èƒ½åŠ›ä¸ºå…¨å¼€
    capdata[1].permitted = 0xffffffff; // åŒä¸Šï¼Œç¬¬äºŒä¸ªæ•°æ®ç»“æž„ä½“ä¹Ÿå…¨å¼€ï¼ˆè™½ç„¶åªç”¨ä¸€ä¸ªï¼‰
    capheader.version = _LINUX_CAPABILITY_VERSION_3; // è®¾ç½®èƒ½åŠ›ç‰ˆæœ¬
    // è®¾ç½®èƒ½åŠ›çš„æœ‰æ•ˆä½
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETPCAP); // å…è®¸ä¿®æ”¹è¿›ç¨‹èƒ½åŠ›
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETUID); // å…è®¸æ”¹å˜ç”¨æˆ·ID
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_KILL); // å…è®¸å‘é€ä¿¡å·
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_TIME); // å…è®¸æ”¹å˜ç³»ç»Ÿæ—¶é—´
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_NICE); // å…è®¸æ”¹å˜è°ƒåº¦ä¼˜å…ˆçº§
    // ä½¿ç”¨capsetè®¾ç½®èƒ½åŠ›å¹¶æ£€æŸ¥è¿”å›žå€¼
	ret = capset(&capheader, &capdata[0]);
    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€capsetè¿”å›ž0ï¼Œè¡¨ç¤ºæˆåŠŸ
    ret = capget(&capheader, &capdatac[0]); // èŽ·å–å½“å‰èƒ½åŠ›
    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€capgetè¿”å›ž0ï¼Œè¡¨ç¤ºæˆåŠŸ
    capheader.pid = INVAILD_PID; // è®¾ç½®ä¸€ä¸ªæ— æ•ˆçš„PID
    ret = capget(&capheader, &capdatac[0]); // å°è¯•èŽ·å–æ— æ•ˆPIDçš„èƒ½åŠ›
    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // æ–­è¨€è¿”å›ž-1ï¼Œè¡¨ç¤ºå¤±è´¥
    errno = 0; // é‡ç½®errno
    capheader.pid = 3; // è®¾ç½®PIDä¸º3
    kill(capheader.pid, 0); // æ£€æŸ¥PIDæ˜¯å¦å­˜åœ¨
    if (errno != ESRCH) { // å¦‚æžœPIDå­˜åœ¨
        ret = capget(&capheader, &capdatac[0]); // èŽ·å–èƒ½åŠ›
        ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€æˆåŠŸ
        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted); // æ‰“å°æœ‰æ•ˆå’Œå…è®¸çš„èƒ½åŠ›
    }
    // ç±»ä¼¼åœ°ï¼Œæ£€æŸ¥PID 4, 5, 6
    errno = 0;
    capheader.pid = 4;
    kill(capheader.pid, 0);
    if (errno != ESRCH) {
        ret = capget(&capheader, &capdatac[0]);
        ICUNIT_ASSERT_EQUAL(ret, 0, ret);
        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted);
    }
    errno = 0;
    capheader.pid = 5;
    kill(capheader.pid, 0);
    if (errno != ESRCH) {
        ret = capget(&capheader, &capdatac[0]);
        ICUNIT_ASSERT_EQUAL(ret, 0, ret);
        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted);
    }
    errno = 0;
    capheader.pid = 6;
    kill(capheader.pid, 0);
    if (errno != ESRCH) {
        ret = capget(&capheader, &capdatac[0]);
        ICUNIT_ASSERT_EQUAL(ret, 0, ret);
        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted);
    }
    capheader.pid = 0; // é‡ç½®PIDä¸º0ï¼ˆå½“å‰è¿›ç¨‹ï¼‰
    // å°è¯•é‡ç½®å­è¿›ç¨‹çš„UID
    int pid = fork(); // åˆ›å»ºå­è¿›ç¨‹
    if (pid == 0) { // å¦‚æžœæ˜¯å­è¿›ç¨‹
        ret = setuid(CHANGE_CHILD_UID); // å°è¯•æ”¹å˜ç”¨æˆ·ID
        ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€æˆåŠŸ
        Child(); // æ‰§è¡Œå­è¿›ç¨‹å‡½æ•°
    }
    sleep(1); // çˆ¶è¿›ç¨‹ç­‰å¾…1ç§’
    ret = kill(pid, SIGXFSZ); // å°è¯•å‘é€SIGXFSZä¿¡å·ç»™å­è¿›ç¨‹
    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€æˆåŠŸ
    // ç§»é™¤KILLèƒ½åŠ›å¹¶å†æ¬¡å°è¯•å‘é€ä¿¡å·ï¼Œåº”è¯¥å¤±è´¥
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_KILL);
    ret = capset(&capheader, &capdata[0]); // æ›´æ–°èƒ½åŠ›
    ret = kill(pid, SIGXFSZ); // å†æ¬¡å°è¯•å‘é€ä¿¡å·
    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // æ–­è¨€å¤±è´¥

    // å°è¯•è®¾ç½®ç³»ç»Ÿæ—¶é—´ï¼Œåº”è¯¥æˆåŠŸç„¶åŽå¤±è´¥ï¼ˆç§»é™¤SYS_TIMEèƒ½åŠ›ï¼‰
    tp.tv_sec = 0; // è®¾ç½®æ—¶é—´ä¸º0
    tp.tv_nsec = 0; // çº³ç§’éƒ¨åˆ†ä¹Ÿè®¾ç½®ä¸º0
    ret = clock_settime(CLOCK_REALTIME, &tp); // å°è¯•è®¾ç½®æ—¶é—´
    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€æˆåŠŸ
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_TIME); // ç§»é™¤SYS_TIMEèƒ½åŠ›
    ret = capset(&capheader, &capdata[0]); // æ›´æ–°èƒ½åŠ›
    ret = clock_settime(CLOCK_REALTIME, &tp); // å†æ¬¡å°è¯•è®¾ç½®æ—¶é—´
    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // æ–­è¨€å¤±è´¥

    // å°è¯•æ”¹å˜å­è¿›ç¨‹çš„è°ƒåº¦ä¼˜å…ˆçº§ï¼Œåº”è¯¥æˆåŠŸç„¶åŽå¤±è´¥ï¼ˆç§»é™¤SYS_NICEèƒ½åŠ›ï¼‰
    struct sched_param param = { 0 }; // å®šä¹‰è°ƒåº¦å‚æ•°ç»“æž„ä½“
    ret = sched_getparam(pid, &param); // èŽ·å–å½“å‰è°ƒåº¦å‚æ•°
    param.sched_priority--; // é™ä½Žä¼˜å…ˆçº§
    ret = sched_setparam(pid, &param); // å°è¯•è®¾ç½®æ–°çš„è°ƒåº¦å‚æ•°
    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // æ–­è¨€æˆåŠŸ
    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_NICE); // ç§»é™¤SYS_NICEèƒ½åŠ›
    ret = capset(&capheader, &capdata[0]); // æ›´æ–°èƒ½åŠ›
    ret = sched_setparam(pid, &param); // å†æ¬¡å°è¯•è®¾ç½®è°ƒåº¦å‚æ•°
    ICUNIT_ASSERT_EQUAL(ret, -1, ret);
    wait(nullptr);
    exit(92);

    return 0;
}

static int TestCase(VOID)
{
    int ret;
    int status = 0;
    pid_t pid = fork();
    ICUNIT_GOTO_WITHIN_EQUAL(pid, 0, 100000, pid, EXIT);

    if (pid == 0) {
        ret = TestChild();
        exit(__LINE__);
    }

    ret = waitpid(pid, &status, 0);
    ICUNIT_GOTO_EQUAL(ret, pid, ret, EXIT);
    status = WEXITSTATUS(status);
    ICUNIT_GOTO_EQUAL(status, 92, status, EXIT);

    return 0;

EXIT:
    return 1;
}

void ItTestCap001(void)
{
    TEST_ADD_CASE("IT_SEC_CAP_001", TestCase, TEST_POSIX, TEST_SEC, TEST_LEVEL0, TEST_FUNCTION);
}
---
 .../capability/smoke/cap_test_001.cpp         | 170 +++++++++---------
 1 file changed, 88 insertions(+), 82 deletions(-)

diff --git a/kernel_liteos_a-master/testsuites/unittest/security/capability/smoke/cap_test_001.cpp b/kernel_liteos_a-master/testsuites/unittest/security/capability/smoke/cap_test_001.cpp
index 26a9303..f4ba2e2 100644
--- a/kernel_liteos_a-master/testsuites/unittest/security/capability/smoke/cap_test_001.cpp
+++ b/kernel_liteos_a-master/testsuites/unittest/security/capability/smoke/cap_test_001.cpp
@@ -28,71 +28,74 @@
  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#include "pthread.h"
-#include "linux/capability.h"
-#include <sys/capability.h>
-#include "it_test_capability.h"
-#include <signal.h>
-#include <sys/types.h>
-#include <time.h>
-
-#define CAP_NUM 2
-#define INVAILD_PID 65535
-#define CHANGE_CHILD_UID 1000
-
+#include "pthread.h" // ÒýÈëPOSIXÏß³Ì¿â£¬ÓÃÓÚ¶àÏß³Ì±à³Ì
+#include "linux/capability.h" // ÒýÈëLinuxÄÜÁ¦£¨capabilities£©¶¨Òå£¬ÓÃÓÚÈ¨ÏÞ¿ØÖÆ
+#include <sys/capability.h> // ÒýÈëÏµÍ³ÄÜÁ¦½Ó¿Ú
+#include "it_test_capability.h" // ¼ÙÉèÊÇ²âÊÔ¿ò¼Ü»ò²âÊÔÏà¹ØµÄÍ·ÎÄ¼þ
+#include <signal.h> // ÒýÈëÐÅºÅ´¦Àíº¯Êý
+#include <sys/types.h> // ÒýÈë»ù±¾Êý¾ÝÀàÐÍ
+#include <time.h> // ÒýÈëÊ±¼ä´¦Àíº¯Êý
+ 
+#define CAP_NUM 2 // ¶¨ÒåÄÜÁ¦Êý×éµÄ´óÐ¡
+#define INVAILD_PID 65535 // ¶¨ÒåÒ»¸öÎÞÐ§µÄ½ø³ÌID
+#define CHANGE_CHILD_UID 1000 // ¶¨Òå×Ó½ø³ÌÒª¸ü¸ÄµÄÓÃ»§ID
+ 
+// ÐÅºÅ´¦Àíº¯Êý£¬µ±Ç°Îª¿ÕÊµÏÖ
 static void Sigac(int param)
 {
     return;
 }
-
+ 
+// ×Ó½ø³Ìº¯Êý
 static void Child()
 {
-    int i = 10;
-    signal(25, Sigac);
-
-    while (i--) {
+    int i = 10; // Ñ­»·¼ÆÊýÆ÷
+    signal(25, Sigac); // ÉèÖÃÐÅºÅ25µÄ´¦Àíº¯ÊýÎªSigac
+ 
+    while (i--) { // Ñ­»·10´Î£¬Ã¿´ÎË¯Ãß1Ãë
         sleep(1);
     }
-    //sleep for 10 second and exit; 
+    // Ë¯Ãß10ÃëºóÍË³ö
     exit(0);
 }
-
+ 
+// ²âÊÔ×Ó½ø³ÌµÄº¯Êý
 static int TestChild(VOID)
 {
-    struct __user_cap_header_struct capheader;
-    struct __user_cap_data_struct capdata[CAP_NUM];
-    struct __user_cap_data_struct capdatac[CAP_NUM];
-    struct timespec tp;
-    int ret
-    //originalize struct
-    (void)memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, sizeof(struct __user_cap_header_struct));
-    (void)memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), 0,
-        CAP_NUM * sizeof(struct __user_cap_data_struct));
-    capdata[0].permitted = 0xffffffff;
-    capdata[1].permitted = 0xffffffff;
-    capheader.version = _LINUX_CAPABILITY_VERSION_3;
-    //set capbility to effective
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETPCAP);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETUID);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_KILL);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_TIME);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_NICE);
-    //use capset to check and get info
+    struct __user_cap_header_struct capheader; // ¶¨ÒåÄÜÁ¦Í·²¿½á¹¹Ìå
+    struct __user_cap_data_struct capdata[CAP_NUM]; // ¶¨ÒåÄÜÁ¦Êý¾Ý½á¹¹ÌåÊý×é
+    struct __user_cap_data_struct capdatac[CAP_NUM]; // ¶¨ÒåÁíÒ»¸öÄÜÁ¦Êý¾Ý½á¹¹ÌåÊý×é£¬ÓÃÓÚ»ñÈ¡µ±Ç°ÄÜÁ¦
+    struct timespec tp; // ¶¨ÒåÊ±¼ä½á¹¹Ìå
+    int ret; // ¶¨Òå·µ»ØÖµ±äÁ¿£¬´Ë´¦Â©Ð´ÁË³õÊ¼»¯
+    // ³õÊ¼»¯½á¹¹Ìå
+    (void)memset_s(&capheader, sizeof(struct __user_cap_header_struct), 0, sizeof(struct __user_cap_header_struct)); // ÇåÁãÄÜÁ¦Í·²¿½á¹¹Ìå
+    (void)memset_s(capdata, CAP_NUM * sizeof(struct __user_cap_data_struct), 0, CAP_NUM * sizeof(struct __user_cap_data_struct)); // ÇåÁãÄÜÁ¦Êý¾Ý½á¹¹ÌåÊý×é
+    capdata[0].permitted = 0xffffffff; // ÉèÖÃÔÊÐíµÄËùÓÐÄÜÁ¦ÎªÈ«¿ª
+    capdata[1].permitted = 0xffffffff; // Í¬ÉÏ£¬µÚ¶þ¸öÊý¾Ý½á¹¹ÌåÒ²È«¿ª£¨ËäÈ»Ö»ÓÃÒ»¸ö£©
+    capheader.version = _LINUX_CAPABILITY_VERSION_3; // ÉèÖÃÄÜÁ¦°æ±¾
+    // ÉèÖÃÄÜÁ¦µÄÓÐÐ§Î»
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETPCAP); // ÔÊÐíÐÞ¸Ä½ø³ÌÄÜÁ¦
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SETUID); // ÔÊÐí¸Ä±äÓÃ»§ID
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_KILL); // ÔÊÐí·¢ËÍÐÅºÅ
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_TIME); // ÔÊÐí¸Ä±äÏµÍ³Ê±¼ä
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective |= CAP_TO_MASK(CAP_SYS_NICE); // ÔÊÐí¸Ä±äµ÷¶ÈÓÅÏÈ¼¶
+    // Ê¹ÓÃcapsetÉèÖÃÄÜÁ¦²¢¼ì²é·µ»ØÖµ
 	ret = capset(&capheader, &capdata[0]);
-    ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-    ret = capget(&capheader, &capdatac[0]);
-    ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-    capheader.pid = INVAILD_PID;
-    ret = capget(&capheader, &capdatac[0]);
-    ICUNIT_ASSERT_EQUAL(ret, -1, ret);
-    errno = 0;
-    capheader.pid = 3;
-    kill(capheader.pid, 0);
-    if (errno != ESRCH) {
-        ret = capget(&capheader, &capdatac[0]);
-        ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted);
+    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔcapset·µ»Ø0£¬±íÊ¾³É¹¦
+    ret = capget(&capheader, &capdatac[0]); // »ñÈ¡µ±Ç°ÄÜÁ¦
+    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔcapget·µ»Ø0£¬±íÊ¾³É¹¦
+    capheader.pid = INVAILD_PID; // ÉèÖÃÒ»¸öÎÞÐ§µÄPID
+    ret = capget(&capheader, &capdatac[0]); // ³¢ÊÔ»ñÈ¡ÎÞÐ§PIDµÄÄÜÁ¦
+    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // ¶ÏÑÔ·µ»Ø-1£¬±íÊ¾Ê§°Ü
+    errno = 0; // ÖØÖÃerrno
+    capheader.pid = 3; // ÉèÖÃPIDÎª3
+    kill(capheader.pid, 0); // ¼ì²éPIDÊÇ·ñ´æÔÚ
+    if (errno != ESRCH) { // Èç¹ûPID´æÔÚ
+        ret = capget(&capheader, &capdatac[0]); // »ñÈ¡ÄÜÁ¦
+        ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔ³É¹¦
+        printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted); // ´òÓ¡ÓÐÐ§ºÍÔÊÐíµÄÄÜÁ¦
     }
+    // ÀàËÆµØ£¬¼ì²éPID 4, 5, 6
     errno = 0;
     capheader.pid = 4;
     kill(capheader.pid, 0);
@@ -117,39 +120,42 @@ static int TestChild(VOID)
         ICUNIT_ASSERT_EQUAL(ret, 0, ret);
         printf("e %d,p %d\n", capdatac[0].effective, capdatac[0].permitted);
     }
-    capheader.pid = 0;
-    //try reset UID
-    int pid = fork(); 
-    if (pid == 0) {
-        ret = setuid(CHANGE_CHILD_UID);
-        ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-        Child();
+    capheader.pid = 0; // ÖØÖÃPIDÎª0£¨µ±Ç°½ø³Ì£©
+    // ³¢ÊÔÖØÖÃ×Ó½ø³ÌµÄUID
+    int pid = fork(); // ´´½¨×Ó½ø³Ì
+    if (pid == 0) { // Èç¹ûÊÇ×Ó½ø³Ì
+        ret = setuid(CHANGE_CHILD_UID); // ³¢ÊÔ¸Ä±äÓÃ»§ID
+        ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔ³É¹¦
+        Child(); // Ö´ÐÐ×Ó½ø³Ìº¯Êý
     }
-    sleep(1);
-    ret = kill(pid, SIGXFSZ);
-    ICUNIT_ASSERT_EQUAL(ret, 0, ret);
+    sleep(1); // ¸¸½ø³ÌµÈ´ý1Ãë
+    ret = kill(pid, SIGXFSZ); // ³¢ÊÔ·¢ËÍSIGXFSZÐÅºÅ¸ø×Ó½ø³Ì
+    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔ³É¹¦
+    // ÒÆ³ýKILLÄÜÁ¦²¢ÔÙ´Î³¢ÊÔ·¢ËÍÐÅºÅ£¬Ó¦¸ÃÊ§°Ü
     capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_KILL);
-    ret = capset(&capheader, &capdata[0]);
-    ret = kill(pid, SIGXFSZ);
-    ICUNIT_ASSERT_EQUAL(ret, -1, ret);
-
-    tp.tv_sec = 0;
-    tp.tv_nsec = 0;
-    ret = clock_settime(CLOCK_REALTIME, &tp);
-    ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_TIME);
-    ret = capset(&capheader, &capdata[0]);
-    ret = clock_settime(CLOCK_REALTIME, &tp);
-    ICUNIT_ASSERT_EQUAL(ret, -1, ret);
-
-    struct sched_param param = { 0 };
-    ret = sched_getparam(pid, &param);
-    param.sched_priority--;
-    ret = sched_setparam(pid, &param);
-    ICUNIT_ASSERT_EQUAL(ret, 0, ret);
-    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_NICE);
-    ret = capset(&capheader, &capdata[0]);
-    ret = sched_setparam(pid, &param);
+    ret = capset(&capheader, &capdata[0]); // ¸üÐÂÄÜÁ¦
+    ret = kill(pid, SIGXFSZ); // ÔÙ´Î³¢ÊÔ·¢ËÍÐÅºÅ
+    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // ¶ÏÑÔÊ§°Ü
+ 
+    // ³¢ÊÔÉèÖÃÏµÍ³Ê±¼ä£¬Ó¦¸Ã³É¹¦È»ºóÊ§°Ü£¨ÒÆ³ýSYS_TIMEÄÜÁ¦£©
+    tp.tv_sec = 0; // ÉèÖÃÊ±¼äÎª0
+    tp.tv_nsec = 0; // ÄÉÃë²¿·ÖÒ²ÉèÖÃÎª0
+    ret = clock_settime(CLOCK_REALTIME, &tp); // ³¢ÊÔÉèÖÃÊ±¼ä
+    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔ³É¹¦
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_TIME); // ÒÆ³ýSYS_TIMEÄÜÁ¦
+    ret = capset(&capheader, &capdata[0]); // ¸üÐÂÄÜÁ¦
+    ret = clock_settime(CLOCK_REALTIME, &tp); // ÔÙ´Î³¢ÊÔÉèÖÃÊ±¼ä
+    ICUNIT_ASSERT_EQUAL(ret, -1, ret); // ¶ÏÑÔÊ§°Ü
+ 
+    // ³¢ÊÔ¸Ä±ä×Ó½ø³ÌµÄµ÷¶ÈÓÅÏÈ¼¶£¬Ó¦¸Ã³É¹¦È»ºóÊ§°Ü£¨ÒÆ³ýSYS_NICEÄÜÁ¦£©
+    struct sched_param param = { 0 }; // ¶¨Òåµ÷¶È²ÎÊý½á¹¹Ìå
+    ret = sched_getparam(pid, &param); // »ñÈ¡µ±Ç°µ÷¶È²ÎÊý
+    param.sched_priority--; // ½µµÍÓÅÏÈ¼¶
+    ret = sched_setparam(pid, &param); // ³¢ÊÔÉèÖÃÐÂµÄµ÷¶È²ÎÊý
+    ICUNIT_ASSERT_EQUAL(ret, 0, ret); // ¶ÏÑÔ³É¹¦
+    capdata[CAP_TO_INDEX(CAP_SYS_NICE)].effective &= ~CAP_TO_MASK(CAP_SYS_NICE); // ÒÆ³ýSYS_NICEÄÜÁ¦
+    ret = capset(&capheader, &capdata[0]); // ¸üÐÂÄÜÁ¦
+    ret = sched_setparam(pid, &param); // ÔÙ´Î³¢ÊÔÉèÖÃµ÷¶È²ÎÊý
     ICUNIT_ASSERT_EQUAL(ret, -1, ret);
     wait(nullptr);
     exit(92);