1 // SPDX-License-Identifier: GPL-2.0-or-later
31 * If a non-root user executes a setuid-root binary in
34 * the file capabilities to be applied, and the setuid-root
36 * to get full privilege on a kernel without file capabilities
45 printk(KERN_INFO "warning: `%s' has both setuid-root and" in warn_setuid_and_fcaps_mixed()
53 * cap_capable - Determine whether a task has a particular effective capability
56 * @cap: The capability to check for
60 * its effective set, returning 0 if it does, -ve if it does not.
68 int cap, unsigned int opts) in cap_capable()
78 if (ns == cred->user_ns) in cap_capable()
79 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; in cap_capable()
85 if (ns->level <= cred->user_ns->level) in cap_capable()
86 return -EPERM; in cap_capable()
92 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) in cap_capable()
99 ns = ns->parent; in cap_capable()
102 /* We never get here */ in cap_capable()
106 * cap_settime - Determine whether the current process may set the system clock
111 * information, returning 0 if permission granted, -ve if denied.
116 return -EPERM; in cap_settime()
121 * cap_ptrace_access_check - Determine whether the current process may access
133 * granted, -ve if denied.
145 caller_caps = &cred->cap_effective; in cap_ptrace_access_check()
147 caller_caps = &cred->cap_permitted; in cap_ptrace_access_check()
148 if (cred->user_ns == child_cred->user_ns && in cap_ptrace_access_check()
149 cap_issubset(child_cred->cap_permitted, *caller_caps)) in cap_ptrace_access_check()
151 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) in cap_ptrace_access_check()
153 ret = -EPERM; in cap_ptrace_access_check()
160 * cap_ptrace_traceme - Determine whether another process may trace the current
170 * process, returning 0 if permission is granted, -ve if denied.
180 if (cred->user_ns == child_cred->user_ns && in cap_ptrace_traceme()
181 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) in cap_ptrace_traceme()
183 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) in cap_ptrace_traceme()
185 ret = -EPERM; in cap_ptrace_traceme()
192 * cap_capget - Retrieve a task's capability sets
209 *effective = cred->cap_effective; in cap_capget()
210 *inheritable = cred->cap_inheritable; in cap_capget()
211 *permitted = cred->cap_permitted; in cap_capget()
225 if (cap_capable(current_cred(), current_cred()->user_ns, in cap_inh_is_capped()
232 * cap_capset - Validate and apply proposed changes to current's capabilities
251 cap_combine(old->cap_inheritable, in cap_capset()
252 old->cap_permitted))) in cap_capset()
254 return -EPERM; in cap_capset()
257 cap_combine(old->cap_inheritable, in cap_capset()
258 old->cap_bset))) in cap_capset()
260 return -EPERM; in cap_capset()
263 if (!cap_issubset(*permitted, old->cap_permitted)) in cap_capset()
264 return -EPERM; in cap_capset()
268 return -EPERM; in cap_capset()
270 new->cap_effective = *effective; in cap_capset()
271 new->cap_inheritable = *inheritable; in cap_capset()
272 new->cap_permitted = *permitted; in cap_capset()
278 new->cap_ambient = cap_intersect(new->cap_ambient, in cap_capset()
282 return -EINVAL; in cap_capset()
287 * cap_inode_need_killpriv - Determine if inode change affects privileges
307 * cap_inode_killpriv - Erase the security markings on an inode
312 * Erase the privilege-enhancing security markings on an inode.
317 * permissions. On non-idmapped mounts or if permission checking is to be
320 * Return: 0 if successful, -ve on error.
327 if (error == -EOPNOTSUPP) in cap_inode_killpriv()
341 for (ns = current_user_ns();; ns = ns->parent) { in rootid_owns_currentns()
356 static bool is_v2header(int size, const struct vfs_cap_data *cap) in is_v2header() argument
360 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2; in is_v2header()
363 static bool is_v3header(int size, const struct vfs_cap_data *cap) in is_v3header() argument
367 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3; in is_v3header()
374 * This gives us a chance to read the on-disk value and convert it. If we
375 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
378 * by the integrity subsystem, which really wants the unconverted values -
391 struct vfs_cap_data *cap; in cap_inode_getsecurity() local
397 return -EOPNOTSUPP; in cap_inode_getsecurity()
401 return -EINVAL; in cap_inode_getsecurity()
409 fs_ns = inode->i_sb->s_user_ns; in cap_inode_getsecurity()
410 cap = (struct vfs_cap_data *) tmpbuf; in cap_inode_getsecurity()
411 if (is_v2header(size, cap)) { in cap_inode_getsecurity()
413 } else if (is_v3header(size, cap)) { in cap_inode_getsecurity()
415 root = le32_to_cpu(nscap->rootid); in cap_inode_getsecurity()
417 size = -EINVAL; in cap_inode_getsecurity()
429 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) { in cap_inode_getsecurity()
433 /* v2 -> v3 conversion */ in cap_inode_getsecurity()
436 size = -ENOMEM; in cap_inode_getsecurity()
440 magic = le32_to_cpu(cap->magic_etc); in cap_inode_getsecurity()
443 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_inode_getsecurity()
444 nscap->magic_etc = cpu_to_le32(nsmagic); in cap_inode_getsecurity()
449 nscap->rootid = cpu_to_le32(mappedroot); in cap_inode_getsecurity()
456 size = -EOVERFLOW; in cap_inode_getsecurity()
464 /* v3 -> v2 conversion */ in cap_inode_getsecurity()
465 cap = kzalloc(size, GFP_ATOMIC); in cap_inode_getsecurity()
466 if (!cap) { in cap_inode_getsecurity()
467 size = -ENOMEM; in cap_inode_getsecurity()
471 nsmagic = le32_to_cpu(nscap->magic_etc); in cap_inode_getsecurity()
474 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_inode_getsecurity()
475 cap->magic_etc = cpu_to_le32(magic); in cap_inode_getsecurity()
480 *buffer = cap; in cap_inode_getsecurity()
488 * rootid_from_xattr - translate root uid of vfs caps
501 rootid = le32_to_cpu(nscap->rootid); in rootid_from_xattr()
506 static bool validheader(size_t size, const struct vfs_cap_data *cap) in validheader() argument
508 return is_v2header(size, cap) || is_v3header(size, cap); in validheader()
512 * cap_convert_nscap - check vfs caps
525 * permissions. On non-idmapped mounts or if permission checking is to be
535 const struct vfs_cap_data *cap = *ivalue; in cap_convert_nscap() local
539 *fs_ns = inode->i_sb->s_user_ns; in cap_convert_nscap()
545 return -EINVAL; in cap_convert_nscap()
546 if (!validheader(size, cap)) in cap_convert_nscap()
547 return -EINVAL; in cap_convert_nscap()
549 return -EPERM; in cap_convert_nscap()
551 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP)) in cap_convert_nscap()
557 return -EINVAL; in cap_convert_nscap()
561 return -EINVAL; in cap_convert_nscap()
564 if (nsrootid == -1) in cap_convert_nscap()
565 return -EINVAL; in cap_convert_nscap()
570 return -ENOMEM; in cap_convert_nscap()
571 nscap->rootid = cpu_to_le32(nsrootid); in cap_convert_nscap()
573 magic = le32_to_cpu(cap->magic_etc); in cap_convert_nscap()
576 nscap->magic_etc = cpu_to_le32(nsmagic); in cap_convert_nscap()
577 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_convert_nscap()
592 struct cred *new = bprm->cred; in bprm_caps_from_vfs_caps()
595 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) in bprm_caps_from_vfs_caps()
598 if (caps->magic_etc & VFS_CAP_REVISION_MASK) in bprm_caps_from_vfs_caps()
605 new->cap_permitted.val = in bprm_caps_from_vfs_caps()
606 (new->cap_bset.val & caps->permitted.val) | in bprm_caps_from_vfs_caps()
607 (new->cap_inheritable.val & caps->inheritable.val); in bprm_caps_from_vfs_caps()
609 if (caps->permitted.val & ~new->cap_permitted.val) in bprm_caps_from_vfs_caps()
611 ret = -EPERM; in bprm_caps_from_vfs_caps()
616 * missing some "forced" (aka file-permitted) capabilities. in bprm_caps_from_vfs_caps()
622 * get_vfs_caps_from_disk - retrieve vfs caps from disk
628 * Extract the on-exec-apply capability sets for an executable file.
633 * permissions. On non-idmapped mounts or if permission checking is to be
652 return -ENODATA; in get_vfs_caps_from_disk()
654 fs_ns = inode->i_sb->s_user_ns; in get_vfs_caps_from_disk()
657 if (size == -ENODATA || size == -EOPNOTSUPP) in get_vfs_caps_from_disk()
659 return -ENODATA; in get_vfs_caps_from_disk()
665 return -EINVAL; in get_vfs_caps_from_disk()
667 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc); in get_vfs_caps_from_disk()
673 return -EINVAL; in get_vfs_caps_from_disk()
677 return -EINVAL; in get_vfs_caps_from_disk()
681 return -EINVAL; in get_vfs_caps_from_disk()
682 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid)); in get_vfs_caps_from_disk()
686 return -EINVAL; in get_vfs_caps_from_disk()
691 return -ENODATA; in get_vfs_caps_from_disk()
697 return -ENODATA; in get_vfs_caps_from_disk()
699 cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted); in get_vfs_caps_from_disk()
700 cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable); in get_vfs_caps_from_disk()
703 * Rev1 had just a single 32-bit word, later expanded in get_vfs_caps_from_disk()
707 cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32; in get_vfs_caps_from_disk()
708 cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32; in get_vfs_caps_from_disk()
711 cpu_caps->permitted.val &= CAP_VALID_MASK; in get_vfs_caps_from_disk()
712 cpu_caps->inheritable.val &= CAP_VALID_MASK; in get_vfs_caps_from_disk()
714 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid); in get_vfs_caps_from_disk()
720 * Attempt to get the on-exec apply capability sets for an executable file from
730 cap_clear(bprm->cred->cap_permitted); in get_file_caps()
735 if (!mnt_may_suid(file->f_path.mnt)) in get_file_caps()
743 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns)) in get_file_caps()
747 file->f_path.dentry, &vcaps); in get_file_caps()
749 if (rc == -EINVAL) in get_file_caps()
751 bprm->filename); in get_file_caps()
752 else if (rc == -ENODATA) in get_file_caps()
761 cap_clear(bprm->cred->cap_permitted); in get_file_caps()
769 { return uid_eq(cred->uid, uid); } in __is_real()
772 { return uid_eq(cred->euid, uid); } in __is_eff()
778 * handle_privileged_root - Handle case of privileged root
793 struct cred *new = bprm->cred; in handle_privileged_root()
799 * for a setuid root binary run by a non-root user. Do set it in handle_privileged_root()
803 warn_setuid_and_fcaps_mixed(bprm->filename); in handle_privileged_root()
807 * To support inheritance of root-permissions and suid-root in handle_privileged_root()
813 new->cap_permitted = cap_combine(old->cap_bset, in handle_privileged_root()
814 old->cap_inheritable); in handle_privileged_root()
824 !cap_issubset(target->cap_##field, source->cap_##field)
826 !cap_issubset(cred->cap_##target, cred->cap_##source)
828 cap_issubset(CAP_FULL_SET, cred->cap_##field)
831 { return !uid_eq(new->euid, old->uid); } in __is_setuid()
834 { return !gid_eq(new->egid, old->gid); } in __is_setgid()
837 * 1) Audit candidate if current->cap_effective is set
850 * 3) non-setuid root gets fcaps
851 * 4) non-setuid root gets ambient
876 * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
881 * constructed by execve(). The proposed creds in @bprm->cred is altered,
884 * Return: 0 if successful, -ve on error.
890 struct cred *new = bprm->cred; in cap_bprm_creds_from_file()
896 return -EPERM; in cap_bprm_creds_from_file()
902 root_uid = make_kuid(new->user_ns, 0); in cap_bprm_creds_from_file()
908 bprm->per_clear |= PER_CLEAR_ON_SETID; in cap_bprm_creds_from_file()
913 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. in cap_bprm_creds_from_file()
918 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) || in cap_bprm_creds_from_file()
919 !ptracer_capable(current, new->user_ns))) { in cap_bprm_creds_from_file()
920 /* downgrade; they get no more than they had, and maybe less */ in cap_bprm_creds_from_file()
921 if (!ns_capable(new->user_ns, CAP_SETUID) || in cap_bprm_creds_from_file()
922 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { in cap_bprm_creds_from_file()
923 new->euid = new->uid; in cap_bprm_creds_from_file()
924 new->egid = new->gid; in cap_bprm_creds_from_file()
926 new->cap_permitted = cap_intersect(new->cap_permitted, in cap_bprm_creds_from_file()
927 old->cap_permitted); in cap_bprm_creds_from_file()
930 new->suid = new->fsuid = new->euid; in cap_bprm_creds_from_file()
931 new->sgid = new->fsgid = new->egid; in cap_bprm_creds_from_file()
935 cap_clear(new->cap_ambient); in cap_bprm_creds_from_file()
941 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); in cap_bprm_creds_from_file()
948 new->cap_effective = new->cap_permitted; in cap_bprm_creds_from_file()
950 new->cap_effective = new->cap_ambient; in cap_bprm_creds_from_file()
953 return -EPERM; in cap_bprm_creds_from_file()
961 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_bprm_creds_from_file()
964 return -EPERM; in cap_bprm_creds_from_file()
966 /* Check for privilege-elevated exec. */ in cap_bprm_creds_from_file()
971 bprm->secureexec = 1; in cap_bprm_creds_from_file()
977 * cap_inode_setxattr - Determine whether an xattr may be altered
985 * permission is granted, -ve if denied.
987 * This is used to make sure security xattrs don't get updated or set by those
993 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; in cap_inode_setxattr()
995 /* Ignore non-security xattrs */ in cap_inode_setxattr()
1008 return -EPERM; in cap_inode_setxattr()
1013 * cap_inode_removexattr - Determine whether an xattr may be removed
1020 * permission is granted, -ve if denied.
1025 * permissions. On non-idmapped mounts or if permission checking is to be
1028 * This is used to make sure security xattrs don't get removed by those who
1034 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; in cap_inode_removexattr()
1036 /* Ignore non-security xattrs */ in cap_inode_removexattr()
1045 return -EINVAL; in cap_inode_removexattr()
1047 return -EPERM; in cap_inode_removexattr()
1052 return -EPERM; in cap_inode_removexattr()
1073 * -astor
1075 * cevans - New behaviour, Oct '99
1087 kuid_t root_uid = make_kuid(old->user_ns, 0); in cap_emulate_setxuid()
1089 if ((uid_eq(old->uid, root_uid) || in cap_emulate_setxuid()
1090 uid_eq(old->euid, root_uid) || in cap_emulate_setxuid()
1091 uid_eq(old->suid, root_uid)) && in cap_emulate_setxuid()
1092 (!uid_eq(new->uid, root_uid) && in cap_emulate_setxuid()
1093 !uid_eq(new->euid, root_uid) && in cap_emulate_setxuid()
1094 !uid_eq(new->suid, root_uid))) { in cap_emulate_setxuid()
1096 cap_clear(new->cap_permitted); in cap_emulate_setxuid()
1097 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1101 * Pre-ambient programs expect setresuid to nonroot followed in cap_emulate_setxuid()
1105 cap_clear(new->cap_ambient); in cap_emulate_setxuid()
1107 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1108 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1109 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1110 new->cap_effective = new->cap_permitted; in cap_emulate_setxuid()
1114 * cap_task_fix_setuid - Fix up the results of setuid() call
1122 * Return: 0 to grant the changes, -ve to deny them.
1140 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? in cap_task_fix_setuid()
1144 kuid_t root_uid = make_kuid(old->user_ns, 0); in cap_task_fix_setuid()
1145 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1146 new->cap_effective = in cap_task_fix_setuid()
1147 cap_drop_fs_set(new->cap_effective); in cap_task_fix_setuid()
1149 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1150 new->cap_effective = in cap_task_fix_setuid()
1151 cap_raise_fs_set(new->cap_effective, in cap_task_fix_setuid()
1152 new->cap_permitted); in cap_task_fix_setuid()
1157 return -EINVAL; in cap_task_fix_setuid()
1178 is_subset = cap_issubset(__task_cred(p)->cap_permitted, in cap_safe_nice()
1179 current_cred()->cap_permitted); in cap_safe_nice()
1180 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) in cap_safe_nice()
1181 ret = -EPERM; in cap_safe_nice()
1188 * cap_task_setscheduler - Determine if scheduler policy change is permitted
1194 * Return: 0 if permission is granted, -ve if denied.
1202 * cap_task_setioprio - Determine if I/O priority change is permitted
1209 * Return: 0 if permission is granted, -ve if denied.
1217 * cap_task_setnice - Determine if task priority change is permitted
1224 * Return: 0 if permission is granted, -ve if denied.
1233 * the current task's bounding set. Returns 0 on success, -ve on error.
1235 static int cap_prctl_drop(unsigned long cap) in cap_prctl_drop() argument
1240 return -EPERM; in cap_prctl_drop()
1241 if (!cap_valid(cap)) in cap_prctl_drop()
1242 return -EINVAL; in cap_prctl_drop()
1246 return -ENOMEM; in cap_prctl_drop()
1247 cap_lower(new->cap_bset, cap); in cap_prctl_drop()
1252 * cap_task_prctl - Implement process control functions for this security module
1262 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
1263 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
1275 return -EINVAL; in cap_task_prctl()
1276 return !!cap_raised(old->cap_bset, arg2); in cap_task_prctl()
1285 * capabilities only - as the POSIX.1e draft intended. in cap_task_prctl()
1298 * capability-based-privilege environment. in cap_task_prctl()
1301 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1) in cap_task_prctl()
1302 & (old->securebits ^ arg2)) /*[1]*/ in cap_task_prctl()
1303 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ in cap_task_prctl()
1306 current_cred()->user_ns, in cap_task_prctl()
1318 return -EPERM; in cap_task_prctl()
1322 return -ENOMEM; in cap_task_prctl()
1323 new->securebits = arg2; in cap_task_prctl()
1327 return old->securebits; in cap_task_prctl()
1334 return -EINVAL; in cap_task_prctl()
1336 return -EPERM; in cap_task_prctl()
1340 return -ENOMEM; in cap_task_prctl()
1342 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1344 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1350 return -EINVAL; in cap_task_prctl()
1354 return -ENOMEM; in cap_task_prctl()
1355 cap_clear(new->cap_ambient); in cap_task_prctl()
1360 return -EINVAL; in cap_task_prctl()
1363 return !!cap_raised(current_cred()->cap_ambient, arg3); in cap_task_prctl()
1366 return -EINVAL; in cap_task_prctl()
1369 (!cap_raised(current_cred()->cap_permitted, arg3) || in cap_task_prctl()
1370 !cap_raised(current_cred()->cap_inheritable, in cap_task_prctl()
1373 return -EPERM; in cap_task_prctl()
1377 return -ENOMEM; in cap_task_prctl()
1379 cap_raise(new->cap_ambient, arg3); in cap_task_prctl()
1381 cap_lower(new->cap_ambient, arg3); in cap_task_prctl()
1386 /* No functionality available - continue with default */ in cap_task_prctl()
1387 return -ENOSYS; in cap_task_prctl()
1392 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1408 * cap_mmap_addr - check if able to map given addr
1415 * Return: 0 if this mapping should be allowed or -EPERM if not.
1426 current->flags |= PF_SUPERPRIV; in cap_mmap_addr()