commoncap.c 30 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060
  1. /* Common capabilities, needed by capability.o.
  2. *
  3. * This program is free software; you can redistribute it and/or modify
  4. * it under the terms of the GNU General Public License as published by
  5. * the Free Software Foundation; either version 2 of the License, or
  6. * (at your option) any later version.
  7. *
  8. */
  9. #include <linux/capability.h>
  10. #include <linux/audit.h>
  11. #include <linux/module.h>
  12. #include <linux/init.h>
  13. #include <linux/kernel.h>
  14. #include <linux/security.h>
  15. #include <linux/file.h>
  16. #include <linux/mm.h>
  17. #include <linux/mman.h>
  18. #include <linux/pagemap.h>
  19. #include <linux/swap.h>
  20. #include <linux/skbuff.h>
  21. #include <linux/netlink.h>
  22. #include <linux/ptrace.h>
  23. #include <linux/xattr.h>
  24. #include <linux/hugetlb.h>
  25. #include <linux/mount.h>
  26. #include <linux/sched.h>
  27. #include <linux/prctl.h>
  28. #include <linux/securebits.h>
  29. #include <linux/user_namespace.h>
  30. #include <linux/binfmts.h>
  31. #include <linux/personality.h>
  32. #ifdef CONFIG_ANDROID_PARANOID_NETWORK
  33. #include <linux/android_aid.h>
  34. #endif
  35. /*
  36. * If a non-root user executes a setuid-root binary in
  37. * !secure(SECURE_NOROOT) mode, then we raise capabilities.
  38. * However if fE is also set, then the intent is for only
  39. * the file capabilities to be applied, and the setuid-root
  40. * bit is left on either to change the uid (plausible) or
  41. * to get full privilege on a kernel without file capabilities
  42. * support. So in that case we do not raise capabilities.
  43. *
  44. * Warn if that happens, once per boot.
  45. */
  46. static void warn_setuid_and_fcaps_mixed(const char *fname)
  47. {
  48. static int warned;
  49. if (!warned) {
  50. printk(KERN_INFO "warning: `%s' has both setuid-root and"
  51. " effective capabilities. Therefore not raising all"
  52. " capabilities.\n", fname);
  53. warned = 1;
  54. }
  55. }
  56. int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
  57. {
  58. return 0;
  59. }
  60. /**
  61. * cap_capable - Determine whether a task has a particular effective capability
  62. * @cred: The credentials to use
  63. * @ns: The user namespace in which we need the capability
  64. * @cap: The capability to check for
  65. * @audit: Whether to write an audit message or not
  66. *
  67. * Determine whether the nominated task has the specified capability amongst
  68. * its effective set, returning 0 if it does, -ve if it does not.
  69. *
  70. * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
  71. * and has_capability() functions. That is, it has the reverse semantics:
  72. * cap_has_capability() returns 0 when a task has a capability, but the
  73. * kernel's capable() and has_capability() returns 1 for this case.
  74. */
  75. int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
  76. int cap, int audit)
  77. {
  78. #ifdef CONFIG_ANDROID_PARANOID_NETWORK
  79. if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
  80. return 0;
  81. if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
  82. return 0;
  83. #endif
  84. for (;;) {
  85. /* The owner of the user namespace has all caps. */
  86. if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner, cred->euid))
  87. return 0;
  88. /* Do we have the necessary capabilities? */
  89. if (targ_ns == cred->user_ns)
  90. return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
  91. /* Have we tried all of the parent namespaces? */
  92. if (targ_ns == &init_user_ns)
  93. return -EPERM;
  94. /*
  95. *If you have a capability in a parent user ns, then you have
  96. * it over all children user namespaces as well.
  97. */
  98. targ_ns = targ_ns->parent;
  99. }
  100. /* We never get here */
  101. }
  102. /**
  103. * cap_settime - Determine whether the current process may set the system clock
  104. * @ts: The time to set
  105. * @tz: The timezone to set
  106. *
  107. * Determine whether the current process may set the system clock and timezone
  108. * information, returning 0 if permission granted, -ve if denied.
  109. */
  110. int cap_settime(const struct timespec *ts, const struct timezone *tz)
  111. {
  112. if (!capable(CAP_SYS_TIME))
  113. return -EPERM;
  114. return 0;
  115. }
  116. /**
  117. * cap_ptrace_access_check - Determine whether the current process may access
  118. * another
  119. * @child: The process to be accessed
  120. * @mode: The mode of attachment.
  121. *
  122. * If we are in the same or an ancestor user_ns and have all the target
  123. * task's capabilities, then ptrace access is allowed.
  124. * If we have the ptrace capability to the target user_ns, then ptrace
  125. * access is allowed.
  126. * Else denied.
  127. *
  128. * Determine whether a process may access another, returning 0 if permission
  129. * granted, -ve if denied.
  130. */
  131. int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
  132. {
  133. int ret = 0;
  134. const struct cred *cred, *child_cred;
  135. rcu_read_lock();
  136. cred = current_cred();
  137. child_cred = __task_cred(child);
  138. if (cred->user_ns == child_cred->user_ns &&
  139. cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
  140. goto out;
  141. if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
  142. goto out;
  143. ret = -EPERM;
  144. out:
  145. rcu_read_unlock();
  146. return ret;
  147. }
  148. /**
  149. * cap_ptrace_traceme - Determine whether another process may trace the current
  150. * @parent: The task proposed to be the tracer
  151. *
  152. * If parent is in the same or an ancestor user_ns and has all current's
  153. * capabilities, then ptrace access is allowed.
  154. * If parent has the ptrace capability to current's user_ns, then ptrace
  155. * access is allowed.
  156. * Else denied.
  157. *
  158. * Determine whether the nominated task is permitted to trace the current
  159. * process, returning 0 if permission is granted, -ve if denied.
  160. */
  161. int cap_ptrace_traceme(struct task_struct *parent)
  162. {
  163. int ret = 0;
  164. const struct cred *cred, *child_cred;
  165. rcu_read_lock();
  166. cred = __task_cred(parent);
  167. child_cred = current_cred();
  168. if (cred->user_ns == child_cred->user_ns &&
  169. cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
  170. goto out;
  171. if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
  172. goto out;
  173. ret = -EPERM;
  174. out:
  175. rcu_read_unlock();
  176. return ret;
  177. }
  178. /**
  179. * cap_capget - Retrieve a task's capability sets
  180. * @target: The task from which to retrieve the capability sets
  181. * @effective: The place to record the effective set
  182. * @inheritable: The place to record the inheritable set
  183. * @permitted: The place to record the permitted set
  184. *
  185. * This function retrieves the capabilities of the nominated task and returns
  186. * them to the caller.
  187. */
  188. int cap_capget(struct task_struct *target, kernel_cap_t *effective,
  189. kernel_cap_t *inheritable, kernel_cap_t *permitted)
  190. {
  191. const struct cred *cred;
  192. /* Derived from kernel/capability.c:sys_capget. */
  193. rcu_read_lock();
  194. cred = __task_cred(target);
  195. *effective = cred->cap_effective;
  196. *inheritable = cred->cap_inheritable;
  197. *permitted = cred->cap_permitted;
  198. rcu_read_unlock();
  199. return 0;
  200. }
  201. /*
  202. * Determine whether the inheritable capabilities are limited to the old
  203. * permitted set. Returns 1 if they are limited, 0 if they are not.
  204. */
  205. static inline int cap_inh_is_capped(void)
  206. {
  207. /* they are so limited unless the current task has the CAP_SETPCAP
  208. * capability
  209. */
  210. if (cap_capable(current_cred(), current_cred()->user_ns,
  211. CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
  212. return 0;
  213. return 1;
  214. }
  215. /**
  216. * cap_capset - Validate and apply proposed changes to current's capabilities
  217. * @new: The proposed new credentials; alterations should be made here
  218. * @old: The current task's current credentials
  219. * @effective: A pointer to the proposed new effective capabilities set
  220. * @inheritable: A pointer to the proposed new inheritable capabilities set
  221. * @permitted: A pointer to the proposed new permitted capabilities set
  222. *
  223. * This function validates and applies a proposed mass change to the current
  224. * process's capability sets. The changes are made to the proposed new
  225. * credentials, and assuming no error, will be committed by the caller of LSM.
  226. */
  227. int cap_capset(struct cred *new,
  228. const struct cred *old,
  229. const kernel_cap_t *effective,
  230. const kernel_cap_t *inheritable,
  231. const kernel_cap_t *permitted)
  232. {
  233. if (cap_inh_is_capped() &&
  234. !cap_issubset(*inheritable,
  235. cap_combine(old->cap_inheritable,
  236. old->cap_permitted)))
  237. /* incapable of using this inheritable set */
  238. return -EPERM;
  239. if (!cap_issubset(*inheritable,
  240. cap_combine(old->cap_inheritable,
  241. old->cap_bset)))
  242. /* no new pI capabilities outside bounding set */
  243. return -EPERM;
  244. /* verify restrictions on target's new Permitted set */
  245. if (!cap_issubset(*permitted, old->cap_permitted))
  246. return -EPERM;
  247. /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
  248. if (!cap_issubset(*effective, *permitted))
  249. return -EPERM;
  250. new->cap_effective = *effective;
  251. new->cap_inheritable = *inheritable;
  252. new->cap_permitted = *permitted;
  253. /*
  254. * Mask off ambient bits that are no longer both permitted and
  255. * inheritable.
  256. */
  257. new->cap_ambient = cap_intersect(new->cap_ambient,
  258. cap_intersect(*permitted,
  259. *inheritable));
  260. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  261. return -EINVAL;
  262. return 0;
  263. }
  264. /*
  265. * Clear proposed capability sets for execve().
  266. */
  267. static inline void bprm_clear_caps(struct linux_binprm *bprm)
  268. {
  269. cap_clear(bprm->cred->cap_permitted);
  270. bprm->cap_effective = false;
  271. }
  272. /**
  273. * cap_inode_need_killpriv - Determine if inode change affects privileges
  274. * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
  275. *
  276. * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
  277. * affects the security markings on that inode, and if it is, should
  278. * inode_killpriv() be invoked or the change rejected?
  279. *
  280. * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
  281. * -ve to deny the change.
  282. */
  283. int cap_inode_need_killpriv(struct dentry *dentry)
  284. {
  285. struct inode *inode = dentry->d_inode;
  286. int error;
  287. if (!inode->i_op->getxattr)
  288. return 0;
  289. error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
  290. if (error <= 0)
  291. return 0;
  292. return 1;
  293. }
  294. /**
  295. * cap_inode_killpriv - Erase the security markings on an inode
  296. * @dentry: The inode/dentry to alter
  297. *
  298. * Erase the privilege-enhancing security markings on an inode.
  299. *
  300. * Returns 0 if successful, -ve on error.
  301. */
  302. int cap_inode_killpriv(struct dentry *dentry)
  303. {
  304. struct inode *inode = dentry->d_inode;
  305. if (!inode->i_op->removexattr)
  306. return 0;
  307. return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
  308. }
  309. /*
  310. * Calculate the new process capability sets from the capability sets attached
  311. * to a file.
  312. */
  313. static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
  314. struct linux_binprm *bprm,
  315. bool *effective,
  316. bool *has_cap)
  317. {
  318. struct cred *new = bprm->cred;
  319. unsigned i;
  320. int ret = 0;
  321. if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
  322. *effective = true;
  323. if (caps->magic_etc & VFS_CAP_REVISION_MASK)
  324. *has_cap = true;
  325. CAP_FOR_EACH_U32(i) {
  326. __u32 permitted = caps->permitted.cap[i];
  327. __u32 inheritable = caps->inheritable.cap[i];
  328. /*
  329. * pP' = (X & fP) | (pI & fI)
  330. * The addition of pA' is handled later.
  331. */
  332. new->cap_permitted.cap[i] =
  333. (new->cap_bset.cap[i] & permitted) |
  334. (new->cap_inheritable.cap[i] & inheritable);
  335. if (permitted & ~new->cap_permitted.cap[i])
  336. /* insufficient to execute correctly */
  337. ret = -EPERM;
  338. }
  339. /*
  340. * For legacy apps, with no internal support for recognizing they
  341. * do not have enough capabilities, we return an error if they are
  342. * missing some "forced" (aka file-permitted) capabilities.
  343. */
  344. return *effective ? ret : 0;
  345. }
  346. /*
  347. * Extract the on-exec-apply capability sets for an executable file.
  348. */
  349. int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
  350. {
  351. struct inode *inode = dentry->d_inode;
  352. __u32 magic_etc;
  353. unsigned tocopy, i;
  354. int size;
  355. struct vfs_cap_data caps;
  356. memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
  357. if (!inode || !inode->i_op->getxattr)
  358. return -ENODATA;
  359. size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
  360. XATTR_CAPS_SZ);
  361. if (size == -ENODATA || size == -EOPNOTSUPP)
  362. /* no data, that's ok */
  363. return -ENODATA;
  364. if (size < 0)
  365. return size;
  366. if (size < sizeof(magic_etc))
  367. return -EINVAL;
  368. cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
  369. switch (magic_etc & VFS_CAP_REVISION_MASK) {
  370. case VFS_CAP_REVISION_1:
  371. if (size != XATTR_CAPS_SZ_1)
  372. return -EINVAL;
  373. tocopy = VFS_CAP_U32_1;
  374. break;
  375. case VFS_CAP_REVISION_2:
  376. if (size != XATTR_CAPS_SZ_2)
  377. return -EINVAL;
  378. tocopy = VFS_CAP_U32_2;
  379. break;
  380. default:
  381. return -EINVAL;
  382. }
  383. CAP_FOR_EACH_U32(i) {
  384. if (i >= tocopy)
  385. break;
  386. cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
  387. cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
  388. }
  389. cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
  390. cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
  391. return 0;
  392. }
  393. /*
  394. * Attempt to get the on-exec apply capability sets for an executable file from
  395. * its xattrs and, if present, apply them to the proposed credentials being
  396. * constructed by execve().
  397. */
  398. static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
  399. {
  400. struct dentry *dentry;
  401. int rc = 0;
  402. struct cpu_vfs_cap_data vcaps;
  403. bprm_clear_caps(bprm);
  404. if (!file_caps_enabled)
  405. return 0;
  406. if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
  407. return 0;
  408. dentry = dget(bprm->file->f_dentry);
  409. rc = get_vfs_caps_from_disk(dentry, &vcaps);
  410. if (rc < 0) {
  411. if (rc == -EINVAL)
  412. printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
  413. __func__, rc, bprm->filename);
  414. else if (rc == -ENODATA)
  415. rc = 0;
  416. goto out;
  417. }
  418. rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
  419. if (rc == -EINVAL)
  420. printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
  421. __func__, rc, bprm->filename);
  422. out:
  423. dput(dentry);
  424. if (rc)
  425. bprm_clear_caps(bprm);
  426. return rc;
  427. }
  428. /**
  429. * cap_bprm_set_creds - Set up the proposed credentials for execve().
  430. * @bprm: The execution parameters, including the proposed creds
  431. *
  432. * Set up the proposed credentials for a new execution context being
  433. * constructed by execve(). The proposed creds in @bprm->cred is altered,
  434. * which won't take effect immediately. Returns 0 if successful, -ve on error.
  435. */
  436. int cap_bprm_set_creds(struct linux_binprm *bprm)
  437. {
  438. const struct cred *old = current_cred();
  439. struct cred *new = bprm->cred;
  440. bool effective, has_cap = false, is_setid;
  441. int ret;
  442. if (WARN_ON(!cap_ambient_invariant_ok(old)))
  443. return -EPERM;
  444. effective = false;
  445. ret = get_file_caps(bprm, &effective, &has_cap);
  446. if (ret < 0)
  447. return ret;
  448. if (!issecure(SECURE_NOROOT)) {
  449. /*
  450. * If the legacy file capability is set, then don't set privs
  451. * for a setuid root binary run by a non-root user. Do set it
  452. * for a root user just to cause least surprise to an admin.
  453. */
  454. if (has_cap && new->uid != 0 && new->euid == 0) {
  455. warn_setuid_and_fcaps_mixed(bprm->filename);
  456. goto skip;
  457. }
  458. /*
  459. * To support inheritance of root-permissions and suid-root
  460. * executables under compatibility mode, we override the
  461. * capability sets for the file.
  462. *
  463. * If only the real uid is 0, we do not set the effective bit.
  464. */
  465. if (new->euid == 0 || new->uid == 0) {
  466. /* pP' = (cap_bset & ~0) | (pI & ~0) */
  467. new->cap_permitted = cap_combine(old->cap_bset,
  468. old->cap_inheritable);
  469. }
  470. if (new->euid == 0)
  471. effective = true;
  472. }
  473. skip:
  474. /* if we have fs caps, clear dangerous personality flags */
  475. if (!cap_issubset(new->cap_permitted, old->cap_permitted))
  476. bprm->per_clear |= PER_CLEAR_ON_SETID;
  477. /* Don't let someone trace a set[ug]id/setpcap binary with the revised
  478. * credentials unless they have the appropriate permit.
  479. *
  480. * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
  481. */
  482. is_setid = new->euid != old->uid || new->egid != old->gid;
  483. if ((is_setid ||
  484. !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
  485. bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
  486. /* downgrade; they get no more than they had, and maybe less */
  487. if (!capable(CAP_SETUID) ||
  488. (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
  489. new->euid = new->uid;
  490. new->egid = new->gid;
  491. }
  492. new->cap_permitted = cap_intersect(new->cap_permitted,
  493. old->cap_permitted);
  494. }
  495. new->suid = new->fsuid = new->euid;
  496. new->sgid = new->fsgid = new->egid;
  497. /* File caps or setid cancels ambient. */
  498. if (has_cap || is_setid)
  499. cap_clear(new->cap_ambient);
  500. /*
  501. * Now that we've computed pA', update pP' to give:
  502. * pP' = (X & fP) | (pI & fI) | pA'
  503. */
  504. new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
  505. /*
  506. * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
  507. * this is the same as pE' = (fE ? pP' : 0) | pA'.
  508. */
  509. if (effective)
  510. new->cap_effective = new->cap_permitted;
  511. else
  512. new->cap_effective = new->cap_ambient;
  513. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  514. return -EPERM;
  515. bprm->cap_effective = effective;
  516. /*
  517. * Audit candidate if current->cap_effective is set
  518. *
  519. * We do not bother to audit if 3 things are true:
  520. * 1) cap_effective has all caps
  521. * 2) we are root
  522. * 3) root is supposed to have all caps (SECURE_NOROOT)
  523. * Since this is just a normal root execing a process.
  524. *
  525. * Number 1 above might fail if you don't have a full bset, but I think
  526. * that is interesting information to audit.
  527. */
  528. if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
  529. if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
  530. new->euid != 0 || new->uid != 0 ||
  531. issecure(SECURE_NOROOT)) {
  532. ret = audit_log_bprm_fcaps(bprm, new, old);
  533. if (ret < 0)
  534. return ret;
  535. }
  536. }
  537. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  538. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  539. return -EPERM;
  540. return 0;
  541. }
  542. /**
  543. * cap_bprm_secureexec - Determine whether a secure execution is required
  544. * @bprm: The execution parameters
  545. *
  546. * Determine whether a secure execution is required, return 1 if it is, and 0
  547. * if it is not.
  548. *
  549. * The credentials have been committed by this point, and so are no longer
  550. * available through @bprm->cred.
  551. */
  552. int cap_bprm_secureexec(struct linux_binprm *bprm)
  553. {
  554. const struct cred *cred = current_cred();
  555. if (cred->uid != 0) {
  556. if (bprm->cap_effective)
  557. return 1;
  558. if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
  559. return 1;
  560. }
  561. return (cred->euid != cred->uid ||
  562. cred->egid != cred->gid);
  563. }
  564. /**
  565. * cap_inode_setxattr - Determine whether an xattr may be altered
  566. * @dentry: The inode/dentry being altered
  567. * @name: The name of the xattr to be changed
  568. * @value: The value that the xattr will be changed to
  569. * @size: The size of value
  570. * @flags: The replacement flag
  571. *
  572. * Determine whether an xattr may be altered or set on an inode, returning 0 if
  573. * permission is granted, -ve if denied.
  574. *
  575. * This is used to make sure security xattrs don't get updated or set by those
  576. * who aren't privileged to do so.
  577. */
  578. int cap_inode_setxattr(struct dentry *dentry, const char *name,
  579. const void *value, size_t size, int flags)
  580. {
  581. if (!strcmp(name, XATTR_NAME_CAPS)) {
  582. if (!capable(CAP_SETFCAP))
  583. return -EPERM;
  584. return 0;
  585. }
  586. if (!strncmp(name, XATTR_SECURITY_PREFIX,
  587. sizeof(XATTR_SECURITY_PREFIX) - 1) &&
  588. !capable(CAP_SYS_ADMIN))
  589. return -EPERM;
  590. return 0;
  591. }
  592. /**
  593. * cap_inode_removexattr - Determine whether an xattr may be removed
  594. * @dentry: The inode/dentry being altered
  595. * @name: The name of the xattr to be changed
  596. *
  597. * Determine whether an xattr may be removed from an inode, returning 0 if
  598. * permission is granted, -ve if denied.
  599. *
  600. * This is used to make sure security xattrs don't get removed by those who
  601. * aren't privileged to remove them.
  602. */
  603. int cap_inode_removexattr(struct dentry *dentry, const char *name)
  604. {
  605. if (!strcmp(name, XATTR_NAME_CAPS)) {
  606. if (!capable(CAP_SETFCAP))
  607. return -EPERM;
  608. return 0;
  609. }
  610. if (!strncmp(name, XATTR_SECURITY_PREFIX,
  611. sizeof(XATTR_SECURITY_PREFIX) - 1) &&
  612. !capable(CAP_SYS_ADMIN))
  613. return -EPERM;
  614. return 0;
  615. }
  616. /*
  617. * cap_emulate_setxuid() fixes the effective / permitted capabilities of
  618. * a process after a call to setuid, setreuid, or setresuid.
  619. *
  620. * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
  621. * {r,e,s}uid != 0, the permitted and effective capabilities are
  622. * cleared.
  623. *
  624. * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
  625. * capabilities of the process are cleared.
  626. *
  627. * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
  628. * capabilities are set to the permitted capabilities.
  629. *
  630. * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
  631. * never happen.
  632. *
  633. * -astor
  634. *
  635. * cevans - New behaviour, Oct '99
  636. * A process may, via prctl(), elect to keep its capabilities when it
  637. * calls setuid() and switches away from uid==0. Both permitted and
  638. * effective sets will be retained.
  639. * Without this change, it was impossible for a daemon to drop only some
  640. * of its privilege. The call to setuid(!=0) would drop all privileges!
  641. * Keeping uid 0 is not an option because uid 0 owns too many vital
  642. * files..
  643. * Thanks to Olaf Kirch and Peter Benie for spotting this.
  644. */
  645. static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
  646. {
  647. if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
  648. (new->uid != 0 && new->euid != 0 && new->suid != 0)) {
  649. if (!issecure(SECURE_KEEP_CAPS)) {
  650. cap_clear(new->cap_permitted);
  651. cap_clear(new->cap_effective);
  652. }
  653. /*
  654. * Pre-ambient programs expect setresuid to nonroot followed
  655. * by exec to drop capabilities. We should make sure that
  656. * this remains the case.
  657. */
  658. cap_clear(new->cap_ambient);
  659. }
  660. if (old->euid == 0 && new->euid != 0)
  661. cap_clear(new->cap_effective);
  662. if (old->euid != 0 && new->euid == 0)
  663. new->cap_effective = new->cap_permitted;
  664. }
  665. /**
  666. * cap_task_fix_setuid - Fix up the results of setuid() call
  667. * @new: The proposed credentials
  668. * @old: The current task's current credentials
  669. * @flags: Indications of what has changed
  670. *
  671. * Fix up the results of setuid() call before the credential changes are
  672. * actually applied, returning 0 to grant the changes, -ve to deny them.
  673. */
  674. int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
  675. {
  676. switch (flags) {
  677. case LSM_SETID_RE:
  678. case LSM_SETID_ID:
  679. case LSM_SETID_RES:
  680. /* juggle the capabilities to follow [RES]UID changes unless
  681. * otherwise suppressed */
  682. if (!issecure(SECURE_NO_SETUID_FIXUP))
  683. cap_emulate_setxuid(new, old);
  684. break;
  685. case LSM_SETID_FS:
  686. /* juggle the capabilties to follow FSUID changes, unless
  687. * otherwise suppressed
  688. *
  689. * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
  690. * if not, we might be a bit too harsh here.
  691. */
  692. if (!issecure(SECURE_NO_SETUID_FIXUP)) {
  693. if (old->fsuid == 0 && new->fsuid != 0)
  694. new->cap_effective =
  695. cap_drop_fs_set(new->cap_effective);
  696. if (old->fsuid != 0 && new->fsuid == 0)
  697. new->cap_effective =
  698. cap_raise_fs_set(new->cap_effective,
  699. new->cap_permitted);
  700. }
  701. break;
  702. default:
  703. return -EINVAL;
  704. }
  705. return 0;
  706. }
  707. /*
  708. * Rationale: code calling task_setscheduler, task_setioprio, and
  709. * task_setnice, assumes that
  710. * . if capable(cap_sys_nice), then those actions should be allowed
  711. * . if not capable(cap_sys_nice), but acting on your own processes,
  712. * then those actions should be allowed
  713. * This is insufficient now since you can call code without suid, but
  714. * yet with increased caps.
  715. * So we check for increased caps on the target process.
  716. */
  717. static int cap_safe_nice(struct task_struct *p)
  718. {
  719. int is_subset;
  720. rcu_read_lock();
  721. is_subset = cap_issubset(__task_cred(p)->cap_permitted,
  722. current_cred()->cap_permitted);
  723. rcu_read_unlock();
  724. if (!is_subset && !capable(CAP_SYS_NICE))
  725. return -EPERM;
  726. return 0;
  727. }
  728. /**
  729. * cap_task_setscheduler - Detemine if scheduler policy change is permitted
  730. * @p: The task to affect
  731. *
  732. * Detemine if the requested scheduler policy change is permitted for the
  733. * specified task, returning 0 if permission is granted, -ve if denied.
  734. */
  735. int cap_task_setscheduler(struct task_struct *p)
  736. {
  737. return cap_safe_nice(p);
  738. }
  739. /**
  740. * cap_task_ioprio - Detemine if I/O priority change is permitted
  741. * @p: The task to affect
  742. * @ioprio: The I/O priority to set
  743. *
  744. * Detemine if the requested I/O priority change is permitted for the specified
  745. * task, returning 0 if permission is granted, -ve if denied.
  746. */
  747. int cap_task_setioprio(struct task_struct *p, int ioprio)
  748. {
  749. return cap_safe_nice(p);
  750. }
  751. /**
  752. * cap_task_ioprio - Detemine if task priority change is permitted
  753. * @p: The task to affect
  754. * @nice: The nice value to set
  755. *
  756. * Detemine if the requested task priority change is permitted for the
  757. * specified task, returning 0 if permission is granted, -ve if denied.
  758. */
  759. int cap_task_setnice(struct task_struct *p, int nice)
  760. {
  761. return cap_safe_nice(p);
  762. }
  763. /*
  764. * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
  765. * the current task's bounding set. Returns 0 on success, -ve on error.
  766. */
  767. static int cap_prctl_drop(unsigned long cap)
  768. {
  769. struct cred *new;
  770. if (!ns_capable(current_user_ns(), CAP_SETPCAP))
  771. return -EPERM;
  772. if (!cap_valid(cap))
  773. return -EINVAL;
  774. new = prepare_creds();
  775. if (!new)
  776. return -ENOMEM;
  777. cap_lower(new->cap_bset, cap);
  778. return commit_creds(new);
  779. }
  780. /**
  781. * cap_task_prctl - Implement process control functions for this security module
  782. * @option: The process control function requested
  783. * @arg2, @arg3, @arg4, @arg5: The argument data for this function
  784. *
  785. * Allow process control functions (sys_prctl()) to alter capabilities; may
  786. * also deny access to other functions not otherwise implemented here.
  787. *
  788. * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
  789. * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
  790. * modules will consider performing the function.
  791. */
  792. int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  793. unsigned long arg4, unsigned long arg5)
  794. {
  795. const struct cred *old = current_cred();
  796. struct cred *new;
  797. switch (option) {
  798. case PR_CAPBSET_READ:
  799. if (!cap_valid(arg2))
  800. return -EINVAL;
  801. return !!cap_raised(old->cap_bset, arg2);
  802. case PR_CAPBSET_DROP:
  803. return cap_prctl_drop(arg2);
  804. /*
  805. * The next four prctl's remain to assist with transitioning a
  806. * system from legacy UID=0 based privilege (when filesystem
  807. * capabilities are not in use) to a system using filesystem
  808. * capabilities only - as the POSIX.1e draft intended.
  809. *
  810. * Note:
  811. *
  812. * PR_SET_SECUREBITS =
  813. * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
  814. * | issecure_mask(SECURE_NOROOT)
  815. * | issecure_mask(SECURE_NOROOT_LOCKED)
  816. * | issecure_mask(SECURE_NO_SETUID_FIXUP)
  817. * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
  818. *
  819. * will ensure that the current process and all of its
  820. * children will be locked into a pure
  821. * capability-based-privilege environment.
  822. */
  823. case PR_SET_SECUREBITS:
  824. if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
  825. & (old->securebits ^ arg2)) /*[1]*/
  826. || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
  827. || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
  828. || (cap_capable(current_cred(),
  829. current_cred()->user_ns, CAP_SETPCAP,
  830. SECURITY_CAP_AUDIT) != 0) /*[4]*/
  831. /*
  832. * [1] no changing of bits that are locked
  833. * [2] no unlocking of locks
  834. * [3] no setting of unsupported bits
  835. * [4] doing anything requires privilege (go read about
  836. * the "sendmail capabilities bug")
  837. */
  838. )
  839. /* cannot change a locked bit */
  840. return -EPERM;
  841. new = prepare_creds();
  842. if (!new)
  843. return -ENOMEM;
  844. new->securebits = arg2;
  845. return commit_creds(new);
  846. case PR_GET_SECUREBITS:
  847. return old->securebits;
  848. case PR_GET_KEEPCAPS:
  849. return !!issecure(SECURE_KEEP_CAPS);
  850. case PR_SET_KEEPCAPS:
  851. if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
  852. return -EINVAL;
  853. if (issecure(SECURE_KEEP_CAPS_LOCKED))
  854. return -EPERM;
  855. new = prepare_creds();
  856. if (!new)
  857. return -ENOMEM;
  858. if (arg2)
  859. new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
  860. else
  861. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  862. return commit_creds(new);
  863. case PR_CAP_AMBIENT:
  864. if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
  865. if (arg3 | arg4 | arg5)
  866. return -EINVAL;
  867. new = prepare_creds();
  868. if (!new)
  869. return -ENOMEM;
  870. cap_clear(new->cap_ambient);
  871. return commit_creds(new);
  872. }
  873. if (((!cap_valid(arg3)) | arg4 | arg5))
  874. return -EINVAL;
  875. if (arg2 == PR_CAP_AMBIENT_IS_SET) {
  876. return !!cap_raised(current_cred()->cap_ambient, arg3);
  877. } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
  878. arg2 != PR_CAP_AMBIENT_LOWER) {
  879. return -EINVAL;
  880. } else {
  881. if (arg2 == PR_CAP_AMBIENT_RAISE &&
  882. (!cap_raised(current_cred()->cap_permitted, arg3) ||
  883. !cap_raised(current_cred()->cap_inheritable,
  884. arg3)))
  885. return -EPERM;
  886. new = prepare_creds();
  887. if (!new)
  888. return -ENOMEM;
  889. if (arg2 == PR_CAP_AMBIENT_RAISE)
  890. cap_raise(new->cap_ambient, arg3);
  891. else
  892. cap_lower(new->cap_ambient, arg3);
  893. return commit_creds(new);
  894. }
  895. default:
  896. /* No functionality available - continue with default */
  897. return -ENOSYS;
  898. }
  899. }
  900. /**
  901. * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
  902. * @mm: The VM space in which the new mapping is to be made
  903. * @pages: The size of the mapping
  904. *
  905. * Determine whether the allocation of a new virtual mapping by the current
  906. * task is permitted, returning 0 if permission is granted, -ve if not.
  907. */
  908. int cap_vm_enough_memory(struct mm_struct *mm, long pages)
  909. {
  910. int cap_sys_admin = 0;
  911. if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
  912. SECURITY_CAP_NOAUDIT) == 0)
  913. cap_sys_admin = 1;
  914. return __vm_enough_memory(mm, pages, cap_sys_admin);
  915. }
  916. /*
  917. * cap_mmap_addr - check if able to map given addr
  918. * @addr: address attempting to be mapped
  919. *
  920. * If the process is attempting to map memory below dac_mmap_min_addr they need
  921. * CAP_SYS_RAWIO. The other parameters to this function are unused by the
  922. * capability security module. Returns 0 if this mapping should be allowed
  923. * -EPERM if not.
  924. */
  925. int cap_mmap_addr(unsigned long addr)
  926. {
  927. int ret = 0;
  928. if (addr < dac_mmap_min_addr) {
  929. ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
  930. SECURITY_CAP_AUDIT);
  931. /* set PF_SUPERPRIV if it turns out we allow the low mmap */
  932. if (ret == 0)
  933. current->flags |= PF_SUPERPRIV;
  934. }
  935. return ret;
  936. }
  937. int cap_mmap_file(struct file *file, unsigned long reqprot,
  938. unsigned long prot, unsigned long flags)
  939. {
  940. return 0;
  941. }