commoncap.c 31 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096
  1. /* Common capabilities, needed by capability.o.
  2. *
  3. * This program is free software; you can redistribute it and/or modify
  4. * it under the terms of the GNU General Public License as published by
  5. * the Free Software Foundation; either version 2 of the License, or
  6. * (at your option) any later version.
  7. *
  8. */
  9. #include <linux/capability.h>
  10. #include <linux/audit.h>
  11. #include <linux/module.h>
  12. #include <linux/init.h>
  13. #include <linux/kernel.h>
  14. #include <linux/lsm_hooks.h>
  15. #include <linux/file.h>
  16. #include <linux/mm.h>
  17. #include <linux/mman.h>
  18. #include <linux/pagemap.h>
  19. #include <linux/swap.h>
  20. #include <linux/skbuff.h>
  21. #include <linux/netlink.h>
  22. #include <linux/ptrace.h>
  23. #include <linux/xattr.h>
  24. #include <linux/hugetlb.h>
  25. #include <linux/mount.h>
  26. #include <linux/sched.h>
  27. #include <linux/prctl.h>
  28. #include <linux/securebits.h>
  29. #include <linux/user_namespace.h>
  30. #include <linux/binfmts.h>
  31. #include <linux/personality.h>
  32. /*
  33. * If a non-root user executes a setuid-root binary in
  34. * !secure(SECURE_NOROOT) mode, then we raise capabilities.
  35. * However if fE is also set, then the intent is for only
  36. * the file capabilities to be applied, and the setuid-root
  37. * bit is left on either to change the uid (plausible) or
  38. * to get full privilege on a kernel without file capabilities
  39. * support. So in that case we do not raise capabilities.
  40. *
  41. * Warn if that happens, once per boot.
  42. */
  43. static void warn_setuid_and_fcaps_mixed(const char *fname)
  44. {
  45. static int warned;
  46. if (!warned) {
  47. printk(KERN_INFO "warning: `%s' has both setuid-root and"
  48. " effective capabilities. Therefore not raising all"
  49. " capabilities.\n", fname);
  50. warned = 1;
  51. }
  52. }
  53. /**
  54. * cap_capable - Determine whether a task has a particular effective capability
  55. * @cred: The credentials to use
  56. * @ns: The user namespace in which we need the capability
  57. * @cap: The capability to check for
  58. * @audit: Whether to write an audit message or not
  59. *
  60. * Determine whether the nominated task has the specified capability amongst
  61. * its effective set, returning 0 if it does, -ve if it does not.
  62. *
  63. * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
  64. * and has_capability() functions. That is, it has the reverse semantics:
  65. * cap_has_capability() returns 0 when a task has a capability, but the
  66. * kernel's capable() and has_capability() returns 1 for this case.
  67. */
  68. int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
  69. int cap, int audit)
  70. {
  71. struct user_namespace *ns = targ_ns;
  72. /* See if cred has the capability in the target user namespace
  73. * by examining the target user namespace and all of the target
  74. * user namespace's parents.
  75. */
  76. for (;;) {
  77. /* Do we have the necessary capabilities? */
  78. if (ns == cred->user_ns)
  79. return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
  80. /* Have we tried all of the parent namespaces? */
  81. if (ns == &init_user_ns)
  82. return -EPERM;
  83. /*
  84. * The owner of the user namespace in the parent of the
  85. * user namespace has all caps.
  86. */
  87. if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
  88. return 0;
  89. /*
  90. * If you have a capability in a parent user ns, then you have
  91. * it over all children user namespaces as well.
  92. */
  93. ns = ns->parent;
  94. }
  95. /* We never get here */
  96. }
  97. /**
  98. * cap_settime - Determine whether the current process may set the system clock
  99. * @ts: The time to set
  100. * @tz: The timezone to set
  101. *
  102. * Determine whether the current process may set the system clock and timezone
  103. * information, returning 0 if permission granted, -ve if denied.
  104. */
  105. int cap_settime(const struct timespec *ts, const struct timezone *tz)
  106. {
  107. if (!capable(CAP_SYS_TIME))
  108. return -EPERM;
  109. return 0;
  110. }
  111. /**
  112. * cap_ptrace_access_check - Determine whether the current process may access
  113. * another
  114. * @child: The process to be accessed
  115. * @mode: The mode of attachment.
  116. *
  117. * If we are in the same or an ancestor user_ns and have all the target
  118. * task's capabilities, then ptrace access is allowed.
  119. * If we have the ptrace capability to the target user_ns, then ptrace
  120. * access is allowed.
  121. * Else denied.
  122. *
  123. * Determine whether a process may access another, returning 0 if permission
  124. * granted, -ve if denied.
  125. */
  126. int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
  127. {
  128. int ret = 0;
  129. const struct cred *cred, *child_cred;
  130. const kernel_cap_t *caller_caps;
  131. rcu_read_lock();
  132. cred = current_cred();
  133. child_cred = __task_cred(child);
  134. if (mode & PTRACE_MODE_FSCREDS)
  135. caller_caps = &cred->cap_effective;
  136. else
  137. caller_caps = &cred->cap_permitted;
  138. if (cred->user_ns == child_cred->user_ns &&
  139. cap_issubset(child_cred->cap_permitted, *caller_caps))
  140. goto out;
  141. if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
  142. goto out;
  143. ret = -EPERM;
  144. out:
  145. rcu_read_unlock();
  146. return ret;
  147. }
  148. /**
  149. * cap_ptrace_traceme - Determine whether another process may trace the current
  150. * @parent: The task proposed to be the tracer
  151. *
  152. * If parent is in the same or an ancestor user_ns and has all current's
  153. * capabilities, then ptrace access is allowed.
  154. * If parent has the ptrace capability to current's user_ns, then ptrace
  155. * access is allowed.
  156. * Else denied.
  157. *
  158. * Determine whether the nominated task is permitted to trace the current
  159. * process, returning 0 if permission is granted, -ve if denied.
  160. */
  161. int cap_ptrace_traceme(struct task_struct *parent)
  162. {
  163. int ret = 0;
  164. const struct cred *cred, *child_cred;
  165. rcu_read_lock();
  166. cred = __task_cred(parent);
  167. child_cred = current_cred();
  168. if (cred->user_ns == child_cred->user_ns &&
  169. cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
  170. goto out;
  171. if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
  172. goto out;
  173. ret = -EPERM;
  174. out:
  175. rcu_read_unlock();
  176. return ret;
  177. }
  178. /**
  179. * cap_capget - Retrieve a task's capability sets
  180. * @target: The task from which to retrieve the capability sets
  181. * @effective: The place to record the effective set
  182. * @inheritable: The place to record the inheritable set
  183. * @permitted: The place to record the permitted set
  184. *
  185. * This function retrieves the capabilities of the nominated task and returns
  186. * them to the caller.
  187. */
  188. int cap_capget(struct task_struct *target, kernel_cap_t *effective,
  189. kernel_cap_t *inheritable, kernel_cap_t *permitted)
  190. {
  191. const struct cred *cred;
  192. /* Derived from kernel/capability.c:sys_capget. */
  193. rcu_read_lock();
  194. cred = __task_cred(target);
  195. *effective = cred->cap_effective;
  196. *inheritable = cred->cap_inheritable;
  197. *permitted = cred->cap_permitted;
  198. rcu_read_unlock();
  199. return 0;
  200. }
  201. /*
  202. * Determine whether the inheritable capabilities are limited to the old
  203. * permitted set. Returns 1 if they are limited, 0 if they are not.
  204. */
  205. static inline int cap_inh_is_capped(void)
  206. {
  207. /* they are so limited unless the current task has the CAP_SETPCAP
  208. * capability
  209. */
  210. if (cap_capable(current_cred(), current_cred()->user_ns,
  211. CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
  212. return 0;
  213. return 1;
  214. }
  215. /**
  216. * cap_capset - Validate and apply proposed changes to current's capabilities
  217. * @new: The proposed new credentials; alterations should be made here
  218. * @old: The current task's current credentials
  219. * @effective: A pointer to the proposed new effective capabilities set
  220. * @inheritable: A pointer to the proposed new inheritable capabilities set
  221. * @permitted: A pointer to the proposed new permitted capabilities set
  222. *
  223. * This function validates and applies a proposed mass change to the current
  224. * process's capability sets. The changes are made to the proposed new
  225. * credentials, and assuming no error, will be committed by the caller of LSM.
  226. */
  227. int cap_capset(struct cred *new,
  228. const struct cred *old,
  229. const kernel_cap_t *effective,
  230. const kernel_cap_t *inheritable,
  231. const kernel_cap_t *permitted)
  232. {
  233. if (cap_inh_is_capped() &&
  234. !cap_issubset(*inheritable,
  235. cap_combine(old->cap_inheritable,
  236. old->cap_permitted)))
  237. /* incapable of using this inheritable set */
  238. return -EPERM;
  239. if (!cap_issubset(*inheritable,
  240. cap_combine(old->cap_inheritable,
  241. old->cap_bset)))
  242. /* no new pI capabilities outside bounding set */
  243. return -EPERM;
  244. /* verify restrictions on target's new Permitted set */
  245. if (!cap_issubset(*permitted, old->cap_permitted))
  246. return -EPERM;
  247. /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
  248. if (!cap_issubset(*effective, *permitted))
  249. return -EPERM;
  250. new->cap_effective = *effective;
  251. new->cap_inheritable = *inheritable;
  252. new->cap_permitted = *permitted;
  253. /*
  254. * Mask off ambient bits that are no longer both permitted and
  255. * inheritable.
  256. */
  257. new->cap_ambient = cap_intersect(new->cap_ambient,
  258. cap_intersect(*permitted,
  259. *inheritable));
  260. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  261. return -EINVAL;
  262. return 0;
  263. }
  264. /*
  265. * Clear proposed capability sets for execve().
  266. */
  267. static inline void bprm_clear_caps(struct linux_binprm *bprm)
  268. {
  269. cap_clear(bprm->cred->cap_permitted);
  270. bprm->cap_effective = false;
  271. }
  272. /**
  273. * cap_inode_need_killpriv - Determine if inode change affects privileges
  274. * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
  275. *
  276. * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
  277. * affects the security markings on that inode, and if it is, should
  278. * inode_killpriv() be invoked or the change rejected?
  279. *
  280. * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
  281. * -ve to deny the change.
  282. */
  283. int cap_inode_need_killpriv(struct dentry *dentry)
  284. {
  285. struct inode *inode = d_backing_inode(dentry);
  286. int error;
  287. if (!inode->i_op->getxattr)
  288. return 0;
  289. error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
  290. if (error <= 0)
  291. return 0;
  292. return 1;
  293. }
  294. /**
  295. * cap_inode_killpriv - Erase the security markings on an inode
  296. * @dentry: The inode/dentry to alter
  297. *
  298. * Erase the privilege-enhancing security markings on an inode.
  299. *
  300. * Returns 0 if successful, -ve on error.
  301. */
  302. int cap_inode_killpriv(struct dentry *dentry)
  303. {
  304. struct inode *inode = d_backing_inode(dentry);
  305. if (!inode->i_op->removexattr)
  306. return 0;
  307. return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
  308. }
  309. /*
  310. * Calculate the new process capability sets from the capability sets attached
  311. * to a file.
  312. */
  313. static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
  314. struct linux_binprm *bprm,
  315. bool *effective,
  316. bool *has_cap)
  317. {
  318. struct cred *new = bprm->cred;
  319. unsigned i;
  320. int ret = 0;
  321. if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
  322. *effective = true;
  323. if (caps->magic_etc & VFS_CAP_REVISION_MASK)
  324. *has_cap = true;
  325. CAP_FOR_EACH_U32(i) {
  326. __u32 permitted = caps->permitted.cap[i];
  327. __u32 inheritable = caps->inheritable.cap[i];
  328. /*
  329. * pP' = (X & fP) | (pI & fI)
  330. * The addition of pA' is handled later.
  331. */
  332. new->cap_permitted.cap[i] =
  333. (new->cap_bset.cap[i] & permitted) |
  334. (new->cap_inheritable.cap[i] & inheritable);
  335. if (permitted & ~new->cap_permitted.cap[i])
  336. /* insufficient to execute correctly */
  337. ret = -EPERM;
  338. }
  339. /*
  340. * For legacy apps, with no internal support for recognizing they
  341. * do not have enough capabilities, we return an error if they are
  342. * missing some "forced" (aka file-permitted) capabilities.
  343. */
  344. return *effective ? ret : 0;
  345. }
  346. /*
  347. * Extract the on-exec-apply capability sets for an executable file.
  348. */
  349. int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
  350. {
  351. struct inode *inode = d_backing_inode(dentry);
  352. __u32 magic_etc;
  353. unsigned tocopy, i;
  354. int size;
  355. struct vfs_cap_data caps;
  356. memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
  357. if (!inode || !inode->i_op->getxattr)
  358. return -ENODATA;
  359. size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
  360. XATTR_CAPS_SZ);
  361. if (size == -ENODATA || size == -EOPNOTSUPP)
  362. /* no data, that's ok */
  363. return -ENODATA;
  364. if (size < 0)
  365. return size;
  366. if (size < sizeof(magic_etc))
  367. return -EINVAL;
  368. cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
  369. switch (magic_etc & VFS_CAP_REVISION_MASK) {
  370. case VFS_CAP_REVISION_1:
  371. if (size != XATTR_CAPS_SZ_1)
  372. return -EINVAL;
  373. tocopy = VFS_CAP_U32_1;
  374. break;
  375. case VFS_CAP_REVISION_2:
  376. if (size != XATTR_CAPS_SZ_2)
  377. return -EINVAL;
  378. tocopy = VFS_CAP_U32_2;
  379. break;
  380. default:
  381. return -EINVAL;
  382. }
  383. CAP_FOR_EACH_U32(i) {
  384. if (i >= tocopy)
  385. break;
  386. cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
  387. cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
  388. }
  389. cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
  390. cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
  391. return 0;
  392. }
  393. /*
  394. * Attempt to get the on-exec apply capability sets for an executable file from
  395. * its xattrs and, if present, apply them to the proposed credentials being
  396. * constructed by execve().
  397. */
  398. static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
  399. {
  400. int rc = 0;
  401. struct cpu_vfs_cap_data vcaps;
  402. bprm_clear_caps(bprm);
  403. if (!file_caps_enabled)
  404. return 0;
  405. if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
  406. return 0;
  407. rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
  408. if (rc < 0) {
  409. if (rc == -EINVAL)
  410. printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
  411. __func__, rc, bprm->filename);
  412. else if (rc == -ENODATA)
  413. rc = 0;
  414. goto out;
  415. }
  416. rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
  417. if (rc == -EINVAL)
  418. printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
  419. __func__, rc, bprm->filename);
  420. out:
  421. if (rc)
  422. bprm_clear_caps(bprm);
  423. return rc;
  424. }
  425. /**
  426. * cap_bprm_set_creds - Set up the proposed credentials for execve().
  427. * @bprm: The execution parameters, including the proposed creds
  428. *
  429. * Set up the proposed credentials for a new execution context being
  430. * constructed by execve(). The proposed creds in @bprm->cred is altered,
  431. * which won't take effect immediately. Returns 0 if successful, -ve on error.
  432. */
  433. int cap_bprm_set_creds(struct linux_binprm *bprm)
  434. {
  435. const struct cred *old = current_cred();
  436. struct cred *new = bprm->cred;
  437. bool effective, has_cap = false, is_setid;
  438. int ret;
  439. kuid_t root_uid;
  440. if (WARN_ON(!cap_ambient_invariant_ok(old)))
  441. return -EPERM;
  442. effective = false;
  443. ret = get_file_caps(bprm, &effective, &has_cap);
  444. if (ret < 0)
  445. return ret;
  446. root_uid = make_kuid(new->user_ns, 0);
  447. if (!issecure(SECURE_NOROOT)) {
  448. /*
  449. * If the legacy file capability is set, then don't set privs
  450. * for a setuid root binary run by a non-root user. Do set it
  451. * for a root user just to cause least surprise to an admin.
  452. */
  453. if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
  454. warn_setuid_and_fcaps_mixed(bprm->filename);
  455. goto skip;
  456. }
  457. /*
  458. * To support inheritance of root-permissions and suid-root
  459. * executables under compatibility mode, we override the
  460. * capability sets for the file.
  461. *
  462. * If only the real uid is 0, we do not set the effective bit.
  463. */
  464. if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
  465. /* pP' = (cap_bset & ~0) | (pI & ~0) */
  466. new->cap_permitted = cap_combine(old->cap_bset,
  467. old->cap_inheritable);
  468. }
  469. if (uid_eq(new->euid, root_uid))
  470. effective = true;
  471. }
  472. skip:
  473. /* if we have fs caps, clear dangerous personality flags */
  474. if (!cap_issubset(new->cap_permitted, old->cap_permitted))
  475. bprm->per_clear |= PER_CLEAR_ON_SETID;
  476. /* Don't let someone trace a set[ug]id/setpcap binary with the revised
  477. * credentials unless they have the appropriate permit.
  478. *
  479. * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
  480. */
  481. is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
  482. if ((is_setid ||
  483. !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
  484. bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
  485. /* downgrade; they get no more than they had, and maybe less */
  486. if (!capable(CAP_SETUID) ||
  487. (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
  488. new->euid = new->uid;
  489. new->egid = new->gid;
  490. }
  491. new->cap_permitted = cap_intersect(new->cap_permitted,
  492. old->cap_permitted);
  493. }
  494. new->suid = new->fsuid = new->euid;
  495. new->sgid = new->fsgid = new->egid;
  496. /* File caps or setid cancels ambient. */
  497. if (has_cap || is_setid)
  498. cap_clear(new->cap_ambient);
  499. /*
  500. * Now that we've computed pA', update pP' to give:
  501. * pP' = (X & fP) | (pI & fI) | pA'
  502. */
  503. new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
  504. /*
  505. * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
  506. * this is the same as pE' = (fE ? pP' : 0) | pA'.
  507. */
  508. if (effective)
  509. new->cap_effective = new->cap_permitted;
  510. else
  511. new->cap_effective = new->cap_ambient;
  512. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  513. return -EPERM;
  514. bprm->cap_effective = effective;
  515. /*
  516. * Audit candidate if current->cap_effective is set
  517. *
  518. * We do not bother to audit if 3 things are true:
  519. * 1) cap_effective has all caps
  520. * 2) we are root
  521. * 3) root is supposed to have all caps (SECURE_NOROOT)
  522. * Since this is just a normal root execing a process.
  523. *
  524. * Number 1 above might fail if you don't have a full bset, but I think
  525. * that is interesting information to audit.
  526. */
  527. if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
  528. if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
  529. !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
  530. issecure(SECURE_NOROOT)) {
  531. ret = audit_log_bprm_fcaps(bprm, new, old);
  532. if (ret < 0)
  533. return ret;
  534. }
  535. }
  536. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  537. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  538. return -EPERM;
  539. return 0;
  540. }
  541. /**
  542. * cap_bprm_secureexec - Determine whether a secure execution is required
  543. * @bprm: The execution parameters
  544. *
  545. * Determine whether a secure execution is required, return 1 if it is, and 0
  546. * if it is not.
  547. *
  548. * The credentials have been committed by this point, and so are no longer
  549. * available through @bprm->cred.
  550. */
  551. int cap_bprm_secureexec(struct linux_binprm *bprm)
  552. {
  553. const struct cred *cred = current_cred();
  554. kuid_t root_uid = make_kuid(cred->user_ns, 0);
  555. if (!uid_eq(cred->uid, root_uid)) {
  556. if (bprm->cap_effective)
  557. return 1;
  558. if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
  559. return 1;
  560. }
  561. return (!uid_eq(cred->euid, cred->uid) ||
  562. !gid_eq(cred->egid, cred->gid));
  563. }
  564. /**
  565. * cap_inode_setxattr - Determine whether an xattr may be altered
  566. * @dentry: The inode/dentry being altered
  567. * @name: The name of the xattr to be changed
  568. * @value: The value that the xattr will be changed to
  569. * @size: The size of value
  570. * @flags: The replacement flag
  571. *
  572. * Determine whether an xattr may be altered or set on an inode, returning 0 if
  573. * permission is granted, -ve if denied.
  574. *
  575. * This is used to make sure security xattrs don't get updated or set by those
  576. * who aren't privileged to do so.
  577. */
  578. int cap_inode_setxattr(struct dentry *dentry, const char *name,
  579. const void *value, size_t size, int flags)
  580. {
  581. if (!strcmp(name, XATTR_NAME_CAPS)) {
  582. if (!capable(CAP_SETFCAP))
  583. return -EPERM;
  584. return 0;
  585. }
  586. if (!strncmp(name, XATTR_SECURITY_PREFIX,
  587. sizeof(XATTR_SECURITY_PREFIX) - 1) &&
  588. !capable(CAP_SYS_ADMIN))
  589. return -EPERM;
  590. return 0;
  591. }
  592. /**
  593. * cap_inode_removexattr - Determine whether an xattr may be removed
  594. * @dentry: The inode/dentry being altered
  595. * @name: The name of the xattr to be changed
  596. *
  597. * Determine whether an xattr may be removed from an inode, returning 0 if
  598. * permission is granted, -ve if denied.
  599. *
  600. * This is used to make sure security xattrs don't get removed by those who
  601. * aren't privileged to remove them.
  602. */
  603. int cap_inode_removexattr(struct dentry *dentry, const char *name)
  604. {
  605. if (!strcmp(name, XATTR_NAME_CAPS)) {
  606. if (!capable(CAP_SETFCAP))
  607. return -EPERM;
  608. return 0;
  609. }
  610. if (!strncmp(name, XATTR_SECURITY_PREFIX,
  611. sizeof(XATTR_SECURITY_PREFIX) - 1) &&
  612. !capable(CAP_SYS_ADMIN))
  613. return -EPERM;
  614. return 0;
  615. }
  616. /*
  617. * cap_emulate_setxuid() fixes the effective / permitted capabilities of
  618. * a process after a call to setuid, setreuid, or setresuid.
  619. *
  620. * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
  621. * {r,e,s}uid != 0, the permitted and effective capabilities are
  622. * cleared.
  623. *
  624. * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
  625. * capabilities of the process are cleared.
  626. *
  627. * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
  628. * capabilities are set to the permitted capabilities.
  629. *
  630. * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
  631. * never happen.
  632. *
  633. * -astor
  634. *
  635. * cevans - New behaviour, Oct '99
  636. * A process may, via prctl(), elect to keep its capabilities when it
  637. * calls setuid() and switches away from uid==0. Both permitted and
  638. * effective sets will be retained.
  639. * Without this change, it was impossible for a daemon to drop only some
  640. * of its privilege. The call to setuid(!=0) would drop all privileges!
  641. * Keeping uid 0 is not an option because uid 0 owns too many vital
  642. * files..
  643. * Thanks to Olaf Kirch and Peter Benie for spotting this.
  644. */
  645. static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
  646. {
  647. kuid_t root_uid = make_kuid(old->user_ns, 0);
  648. if ((uid_eq(old->uid, root_uid) ||
  649. uid_eq(old->euid, root_uid) ||
  650. uid_eq(old->suid, root_uid)) &&
  651. (!uid_eq(new->uid, root_uid) &&
  652. !uid_eq(new->euid, root_uid) &&
  653. !uid_eq(new->suid, root_uid))) {
  654. if (!issecure(SECURE_KEEP_CAPS)) {
  655. cap_clear(new->cap_permitted);
  656. cap_clear(new->cap_effective);
  657. }
  658. /*
  659. * Pre-ambient programs expect setresuid to nonroot followed
  660. * by exec to drop capabilities. We should make sure that
  661. * this remains the case.
  662. */
  663. cap_clear(new->cap_ambient);
  664. }
  665. if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
  666. cap_clear(new->cap_effective);
  667. if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
  668. new->cap_effective = new->cap_permitted;
  669. }
  670. /**
  671. * cap_task_fix_setuid - Fix up the results of setuid() call
  672. * @new: The proposed credentials
  673. * @old: The current task's current credentials
  674. * @flags: Indications of what has changed
  675. *
  676. * Fix up the results of setuid() call before the credential changes are
  677. * actually applied, returning 0 to grant the changes, -ve to deny them.
  678. */
  679. int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
  680. {
  681. switch (flags) {
  682. case LSM_SETID_RE:
  683. case LSM_SETID_ID:
  684. case LSM_SETID_RES:
  685. /* juggle the capabilities to follow [RES]UID changes unless
  686. * otherwise suppressed */
  687. if (!issecure(SECURE_NO_SETUID_FIXUP))
  688. cap_emulate_setxuid(new, old);
  689. break;
  690. case LSM_SETID_FS:
  691. /* juggle the capabilties to follow FSUID changes, unless
  692. * otherwise suppressed
  693. *
  694. * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
  695. * if not, we might be a bit too harsh here.
  696. */
  697. if (!issecure(SECURE_NO_SETUID_FIXUP)) {
  698. kuid_t root_uid = make_kuid(old->user_ns, 0);
  699. if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
  700. new->cap_effective =
  701. cap_drop_fs_set(new->cap_effective);
  702. if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
  703. new->cap_effective =
  704. cap_raise_fs_set(new->cap_effective,
  705. new->cap_permitted);
  706. }
  707. break;
  708. default:
  709. return -EINVAL;
  710. }
  711. return 0;
  712. }
  713. /*
  714. * Rationale: code calling task_setscheduler, task_setioprio, and
  715. * task_setnice, assumes that
  716. * . if capable(cap_sys_nice), then those actions should be allowed
  717. * . if not capable(cap_sys_nice), but acting on your own processes,
  718. * then those actions should be allowed
  719. * This is insufficient now since you can call code without suid, but
  720. * yet with increased caps.
  721. * So we check for increased caps on the target process.
  722. */
  723. static int cap_safe_nice(struct task_struct *p)
  724. {
  725. int is_subset, ret = 0;
  726. rcu_read_lock();
  727. is_subset = cap_issubset(__task_cred(p)->cap_permitted,
  728. current_cred()->cap_permitted);
  729. if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
  730. ret = -EPERM;
  731. rcu_read_unlock();
  732. return ret;
  733. }
  734. /**
  735. * cap_task_setscheduler - Detemine if scheduler policy change is permitted
  736. * @p: The task to affect
  737. *
  738. * Detemine if the requested scheduler policy change is permitted for the
  739. * specified task, returning 0 if permission is granted, -ve if denied.
  740. */
  741. int cap_task_setscheduler(struct task_struct *p)
  742. {
  743. return cap_safe_nice(p);
  744. }
  745. /**
  746. * cap_task_ioprio - Detemine if I/O priority change is permitted
  747. * @p: The task to affect
  748. * @ioprio: The I/O priority to set
  749. *
  750. * Detemine if the requested I/O priority change is permitted for the specified
  751. * task, returning 0 if permission is granted, -ve if denied.
  752. */
  753. int cap_task_setioprio(struct task_struct *p, int ioprio)
  754. {
  755. return cap_safe_nice(p);
  756. }
  757. /**
  758. * cap_task_ioprio - Detemine if task priority change is permitted
  759. * @p: The task to affect
  760. * @nice: The nice value to set
  761. *
  762. * Detemine if the requested task priority change is permitted for the
  763. * specified task, returning 0 if permission is granted, -ve if denied.
  764. */
  765. int cap_task_setnice(struct task_struct *p, int nice)
  766. {
  767. return cap_safe_nice(p);
  768. }
  769. /*
  770. * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
  771. * the current task's bounding set. Returns 0 on success, -ve on error.
  772. */
  773. static int cap_prctl_drop(unsigned long cap)
  774. {
  775. struct cred *new;
  776. if (!ns_capable(current_user_ns(), CAP_SETPCAP))
  777. return -EPERM;
  778. if (!cap_valid(cap))
  779. return -EINVAL;
  780. new = prepare_creds();
  781. if (!new)
  782. return -ENOMEM;
  783. cap_lower(new->cap_bset, cap);
  784. return commit_creds(new);
  785. }
  786. /**
  787. * cap_task_prctl - Implement process control functions for this security module
  788. * @option: The process control function requested
  789. * @arg2, @arg3, @arg4, @arg5: The argument data for this function
  790. *
  791. * Allow process control functions (sys_prctl()) to alter capabilities; may
  792. * also deny access to other functions not otherwise implemented here.
  793. *
  794. * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
  795. * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
  796. * modules will consider performing the function.
  797. */
  798. int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  799. unsigned long arg4, unsigned long arg5)
  800. {
  801. const struct cred *old = current_cred();
  802. struct cred *new;
  803. switch (option) {
  804. case PR_CAPBSET_READ:
  805. if (!cap_valid(arg2))
  806. return -EINVAL;
  807. return !!cap_raised(old->cap_bset, arg2);
  808. case PR_CAPBSET_DROP:
  809. return cap_prctl_drop(arg2);
  810. /*
  811. * The next four prctl's remain to assist with transitioning a
  812. * system from legacy UID=0 based privilege (when filesystem
  813. * capabilities are not in use) to a system using filesystem
  814. * capabilities only - as the POSIX.1e draft intended.
  815. *
  816. * Note:
  817. *
  818. * PR_SET_SECUREBITS =
  819. * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
  820. * | issecure_mask(SECURE_NOROOT)
  821. * | issecure_mask(SECURE_NOROOT_LOCKED)
  822. * | issecure_mask(SECURE_NO_SETUID_FIXUP)
  823. * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
  824. *
  825. * will ensure that the current process and all of its
  826. * children will be locked into a pure
  827. * capability-based-privilege environment.
  828. */
  829. case PR_SET_SECUREBITS:
  830. if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
  831. & (old->securebits ^ arg2)) /*[1]*/
  832. || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
  833. || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
  834. || (cap_capable(current_cred(),
  835. current_cred()->user_ns, CAP_SETPCAP,
  836. SECURITY_CAP_AUDIT) != 0) /*[4]*/
  837. /*
  838. * [1] no changing of bits that are locked
  839. * [2] no unlocking of locks
  840. * [3] no setting of unsupported bits
  841. * [4] doing anything requires privilege (go read about
  842. * the "sendmail capabilities bug")
  843. */
  844. )
  845. /* cannot change a locked bit */
  846. return -EPERM;
  847. new = prepare_creds();
  848. if (!new)
  849. return -ENOMEM;
  850. new->securebits = arg2;
  851. return commit_creds(new);
  852. case PR_GET_SECUREBITS:
  853. return old->securebits;
  854. case PR_GET_KEEPCAPS:
  855. return !!issecure(SECURE_KEEP_CAPS);
  856. case PR_SET_KEEPCAPS:
  857. if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
  858. return -EINVAL;
  859. if (issecure(SECURE_KEEP_CAPS_LOCKED))
  860. return -EPERM;
  861. new = prepare_creds();
  862. if (!new)
  863. return -ENOMEM;
  864. if (arg2)
  865. new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
  866. else
  867. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  868. return commit_creds(new);
  869. case PR_CAP_AMBIENT:
  870. if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
  871. if (arg3 | arg4 | arg5)
  872. return -EINVAL;
  873. new = prepare_creds();
  874. if (!new)
  875. return -ENOMEM;
  876. cap_clear(new->cap_ambient);
  877. return commit_creds(new);
  878. }
  879. if (((!cap_valid(arg3)) | arg4 | arg5))
  880. return -EINVAL;
  881. if (arg2 == PR_CAP_AMBIENT_IS_SET) {
  882. return !!cap_raised(current_cred()->cap_ambient, arg3);
  883. } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
  884. arg2 != PR_CAP_AMBIENT_LOWER) {
  885. return -EINVAL;
  886. } else {
  887. if (arg2 == PR_CAP_AMBIENT_RAISE &&
  888. (!cap_raised(current_cred()->cap_permitted, arg3) ||
  889. !cap_raised(current_cred()->cap_inheritable,
  890. arg3) ||
  891. issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
  892. return -EPERM;
  893. new = prepare_creds();
  894. if (!new)
  895. return -ENOMEM;
  896. if (arg2 == PR_CAP_AMBIENT_RAISE)
  897. cap_raise(new->cap_ambient, arg3);
  898. else
  899. cap_lower(new->cap_ambient, arg3);
  900. return commit_creds(new);
  901. }
  902. default:
  903. /* No functionality available - continue with default */
  904. return -ENOSYS;
  905. }
  906. }
  907. /**
  908. * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
  909. * @mm: The VM space in which the new mapping is to be made
  910. * @pages: The size of the mapping
  911. *
  912. * Determine whether the allocation of a new virtual mapping by the current
  913. * task is permitted, returning 1 if permission is granted, 0 if not.
  914. */
  915. int cap_vm_enough_memory(struct mm_struct *mm, long pages)
  916. {
  917. int cap_sys_admin = 0;
  918. if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
  919. SECURITY_CAP_NOAUDIT) == 0)
  920. cap_sys_admin = 1;
  921. return cap_sys_admin;
  922. }
  923. /*
  924. * cap_mmap_addr - check if able to map given addr
  925. * @addr: address attempting to be mapped
  926. *
  927. * If the process is attempting to map memory below dac_mmap_min_addr they need
  928. * CAP_SYS_RAWIO. The other parameters to this function are unused by the
  929. * capability security module. Returns 0 if this mapping should be allowed
  930. * -EPERM if not.
  931. */
  932. int cap_mmap_addr(unsigned long addr)
  933. {
  934. int ret = 0;
  935. if (addr < dac_mmap_min_addr) {
  936. ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
  937. SECURITY_CAP_AUDIT);
  938. /* set PF_SUPERPRIV if it turns out we allow the low mmap */
  939. if (ret == 0)
  940. current->flags |= PF_SUPERPRIV;
  941. }
  942. return ret;
  943. }
  944. int cap_mmap_file(struct file *file, unsigned long reqprot,
  945. unsigned long prot, unsigned long flags)
  946. {
  947. return 0;
  948. }
  949. #ifdef CONFIG_SECURITY
  950. struct security_hook_list capability_hooks[] = {
  951. LSM_HOOK_INIT(capable, cap_capable),
  952. LSM_HOOK_INIT(settime, cap_settime),
  953. LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
  954. LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
  955. LSM_HOOK_INIT(capget, cap_capget),
  956. LSM_HOOK_INIT(capset, cap_capset),
  957. LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
  958. LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec),
  959. LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
  960. LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
  961. LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
  962. LSM_HOOK_INIT(mmap_file, cap_mmap_file),
  963. LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
  964. LSM_HOOK_INIT(task_prctl, cap_task_prctl),
  965. LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
  966. LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
  967. LSM_HOOK_INIT(task_setnice, cap_task_setnice),
  968. LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
  969. };
  970. void __init capability_add_hooks(void)
  971. {
  972. security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
  973. }
  974. #endif /* CONFIG_SECURITY */