1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Common capabilities, needed by capability.o.
3 */
4
5 #include <linux/capability.h>
6 #include <linux/audit.h>
7 #include <linux/init.h>
8 #include <linux/kernel.h>
9 #include <linux/lsm_hooks.h>
10 #include <linux/file.h>
11 #include <linux/mm.h>
12 #include <linux/mman.h>
13 #include <linux/pagemap.h>
14 #include <linux/swap.h>
15 #include <linux/skbuff.h>
16 #include <linux/netlink.h>
17 #include <linux/ptrace.h>
18 #include <linux/xattr.h>
19 #include <linux/hugetlb.h>
20 #include <linux/mount.h>
21 #include <linux/sched.h>
22 #include <linux/prctl.h>
23 #include <linux/securebits.h>
24 #include <linux/user_namespace.h>
25 #include <linux/binfmts.h>
26 #include <linux/personality.h>
27 #include <linux/mnt_idmapping.h>
28 #include <uapi/linux/lsm.h>
29
30 #define CREATE_TRACE_POINTS
31 #include <trace/events/capability.h>
32
33 /*
34 * If a non-root user executes a setuid-root binary in
35 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
36 * However if fE is also set, then the intent is for only
37 * the file capabilities to be applied, and the setuid-root
38 * bit is left on either to change the uid (plausible) or
39 * to get full privilege on a kernel without file capabilities
40 * support. So in that case we do not raise capabilities.
41 *
42 * Warn if that happens, once per boot.
43 */
warn_setuid_and_fcaps_mixed(const char * fname)44 static void warn_setuid_and_fcaps_mixed(const char *fname)
45 {
46 static int warned;
47 if (!warned) {
48 printk(KERN_INFO "warning: `%s' has both setuid-root and"
49 " effective capabilities. Therefore not raising all"
50 " capabilities.\n", fname);
51 warned = 1;
52 }
53 }
54
55 /**
56 * cap_capable_helper - Determine whether a task has a particular effective
57 * capability.
58 * @cred: The credentials to use
59 * @target_ns: The user namespace of the resource being accessed
60 * @cred_ns: The user namespace of the credentials
61 * @cap: The capability to check for
62 *
63 * Determine whether the nominated task has the specified capability amongst
64 * its effective set, returning 0 if it does, -ve if it does not.
65 *
66 * See cap_capable for more details.
67 */
cap_capable_helper(const struct cred * cred,struct user_namespace * target_ns,const struct user_namespace * cred_ns,int cap)68 static inline int cap_capable_helper(const struct cred *cred,
69 struct user_namespace *target_ns,
70 const struct user_namespace *cred_ns,
71 int cap)
72 {
73 struct user_namespace *ns = target_ns;
74
75 /* See if cred has the capability in the target user namespace
76 * by examining the target user namespace and all of the target
77 * user namespace's parents.
78 */
79 for (;;) {
80 /* Do we have the necessary capabilities? */
81 if (likely(ns == cred_ns))
82 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
83
84 /*
85 * If we're already at a lower level than we're looking for,
86 * we're done searching.
87 */
88 if (ns->level <= cred_ns->level)
89 return -EPERM;
90
91 /*
92 * The owner of the user namespace in the parent of the
93 * user namespace has all caps.
94 */
95 if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
96 return 0;
97
98 /*
99 * If you have a capability in a parent user ns, then you have
100 * it over all children user namespaces as well.
101 */
102 ns = ns->parent;
103 }
104
105 /* We never get here */
106 }
107
108 /**
109 * cap_capable - Determine whether a task has a particular effective capability
110 * @cred: The credentials to use
111 * @target_ns: The user namespace of the resource being accessed
112 * @cap: The capability to check for
113 * @opts: Bitmask of options defined in include/linux/security.h (unused)
114 *
115 * Determine whether the nominated task has the specified capability amongst
116 * its effective set, returning 0 if it does, -ve if it does not.
117 *
118 * NOTE WELL: cap_capable() has reverse semantics to the capable() call
119 * and friends. That is cap_capable() returns an int 0 when a task has
120 * a capability, while the kernel's capable(), has_ns_capability(),
121 * has_ns_capability_noaudit(), and has_capability_noaudit() return a
122 * bool true (1) for this case.
123 */
cap_capable(const struct cred * cred,struct user_namespace * target_ns,int cap,unsigned int opts)124 int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
125 int cap, unsigned int opts)
126 {
127 const struct user_namespace *cred_ns = cred->user_ns;
128 int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
129
130 trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
131 return ret;
132 }
133
134 /**
135 * cap_settime - Determine whether the current process may set the system clock
136 * @ts: The time to set
137 * @tz: The timezone to set
138 *
139 * Determine whether the current process may set the system clock and timezone
140 * information, returning 0 if permission granted, -ve if denied.
141 */
cap_settime(const struct timespec64 * ts,const struct timezone * tz)142 int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
143 {
144 if (!capable(CAP_SYS_TIME))
145 return -EPERM;
146 return 0;
147 }
148
149 /**
150 * cap_ptrace_access_check - Determine whether the current process may access
151 * another
152 * @child: The process to be accessed
153 * @mode: The mode of attachment.
154 *
155 * If we are in the same or an ancestor user_ns and have all the target
156 * task's capabilities, then ptrace access is allowed.
157 * If we have the ptrace capability to the target user_ns, then ptrace
158 * access is allowed.
159 * Else denied.
160 *
161 * Determine whether a process may access another, returning 0 if permission
162 * granted, -ve if denied.
163 */
cap_ptrace_access_check(struct task_struct * child,unsigned int mode)164 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
165 {
166 int ret = 0;
167 const struct cred *cred, *child_cred;
168 const kernel_cap_t *caller_caps;
169
170 rcu_read_lock();
171 cred = current_cred();
172 child_cred = __task_cred(child);
173 if (mode & PTRACE_MODE_FSCREDS)
174 caller_caps = &cred->cap_effective;
175 else
176 caller_caps = &cred->cap_permitted;
177 if (cred->user_ns == child_cred->user_ns &&
178 cap_issubset(child_cred->cap_permitted, *caller_caps))
179 goto out;
180 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
181 goto out;
182 ret = -EPERM;
183 out:
184 rcu_read_unlock();
185 return ret;
186 }
187
188 /**
189 * cap_ptrace_traceme - Determine whether another process may trace the current
190 * @parent: The task proposed to be the tracer
191 *
192 * If parent is in the same or an ancestor user_ns and has all current's
193 * capabilities, then ptrace access is allowed.
194 * If parent has the ptrace capability to current's user_ns, then ptrace
195 * access is allowed.
196 * Else denied.
197 *
198 * Determine whether the nominated task is permitted to trace the current
199 * process, returning 0 if permission is granted, -ve if denied.
200 */
cap_ptrace_traceme(struct task_struct * parent)201 int cap_ptrace_traceme(struct task_struct *parent)
202 {
203 int ret = 0;
204 const struct cred *cred, *child_cred;
205
206 rcu_read_lock();
207 cred = __task_cred(parent);
208 child_cred = current_cred();
209 if (cred->user_ns == child_cred->user_ns &&
210 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
211 goto out;
212 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
213 goto out;
214 ret = -EPERM;
215 out:
216 rcu_read_unlock();
217 return ret;
218 }
219
220 /**
221 * cap_capget - Retrieve a task's capability sets
222 * @target: The task from which to retrieve the capability sets
223 * @effective: The place to record the effective set
224 * @inheritable: The place to record the inheritable set
225 * @permitted: The place to record the permitted set
226 *
227 * This function retrieves the capabilities of the nominated task and returns
228 * them to the caller.
229 */
cap_capget(const struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)230 int cap_capget(const struct task_struct *target, kernel_cap_t *effective,
231 kernel_cap_t *inheritable, kernel_cap_t *permitted)
232 {
233 const struct cred *cred;
234
235 /* Derived from kernel/capability.c:sys_capget. */
236 rcu_read_lock();
237 cred = __task_cred(target);
238 *effective = cred->cap_effective;
239 *inheritable = cred->cap_inheritable;
240 *permitted = cred->cap_permitted;
241 rcu_read_unlock();
242 return 0;
243 }
244
245 /*
246 * Determine whether the inheritable capabilities are limited to the old
247 * permitted set. Returns 1 if they are limited, 0 if they are not.
248 */
cap_inh_is_capped(void)249 static inline int cap_inh_is_capped(void)
250 {
251 /* they are so limited unless the current task has the CAP_SETPCAP
252 * capability
253 */
254 if (cap_capable(current_cred(), current_cred()->user_ns,
255 CAP_SETPCAP, CAP_OPT_NONE) == 0)
256 return 0;
257 return 1;
258 }
259
260 /**
261 * cap_capset - Validate and apply proposed changes to current's capabilities
262 * @new: The proposed new credentials; alterations should be made here
263 * @old: The current task's current credentials
264 * @effective: A pointer to the proposed new effective capabilities set
265 * @inheritable: A pointer to the proposed new inheritable capabilities set
266 * @permitted: A pointer to the proposed new permitted capabilities set
267 *
268 * This function validates and applies a proposed mass change to the current
269 * process's capability sets. The changes are made to the proposed new
270 * credentials, and assuming no error, will be committed by the caller of LSM.
271 */
cap_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)272 int cap_capset(struct cred *new,
273 const struct cred *old,
274 const kernel_cap_t *effective,
275 const kernel_cap_t *inheritable,
276 const kernel_cap_t *permitted)
277 {
278 if (cap_inh_is_capped() &&
279 !cap_issubset(*inheritable,
280 cap_combine(old->cap_inheritable,
281 old->cap_permitted)))
282 /* incapable of using this inheritable set */
283 return -EPERM;
284
285 if (!cap_issubset(*inheritable,
286 cap_combine(old->cap_inheritable,
287 old->cap_bset)))
288 /* no new pI capabilities outside bounding set */
289 return -EPERM;
290
291 /* verify restrictions on target's new Permitted set */
292 if (!cap_issubset(*permitted, old->cap_permitted))
293 return -EPERM;
294
295 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
296 if (!cap_issubset(*effective, *permitted))
297 return -EPERM;
298
299 new->cap_effective = *effective;
300 new->cap_inheritable = *inheritable;
301 new->cap_permitted = *permitted;
302
303 /*
304 * Mask off ambient bits that are no longer both permitted and
305 * inheritable.
306 */
307 new->cap_ambient = cap_intersect(new->cap_ambient,
308 cap_intersect(*permitted,
309 *inheritable));
310 if (WARN_ON(!cap_ambient_invariant_ok(new)))
311 return -EINVAL;
312 return 0;
313 }
314
315 /**
316 * cap_inode_need_killpriv - Determine if inode change affects privileges
317 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
318 *
319 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
320 * affects the security markings on that inode, and if it is, should
321 * inode_killpriv() be invoked or the change rejected.
322 *
323 * Return: 1 if security.capability has a value, meaning inode_killpriv()
324 * is required, 0 otherwise, meaning inode_killpriv() is not required.
325 */
cap_inode_need_killpriv(struct dentry * dentry)326 int cap_inode_need_killpriv(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329 int error;
330
331 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
332 return error > 0;
333 }
334
335 /**
336 * cap_inode_killpriv - Erase the security markings on an inode
337 *
338 * @idmap: idmap of the mount the inode was found from
339 * @dentry: The inode/dentry to alter
340 *
341 * Erase the privilege-enhancing security markings on an inode.
342 *
343 * If the inode has been found through an idmapped mount the idmap of
344 * the vfsmount must be passed through @idmap. This function will then
345 * take care to map the inode according to @idmap before checking
346 * permissions. On non-idmapped mounts or if permission checking is to be
347 * performed on the raw inode simply pass @nop_mnt_idmap.
348 *
349 * Return: 0 if successful, -ve on error.
350 */
cap_inode_killpriv(struct mnt_idmap * idmap,struct dentry * dentry)351 int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry)
352 {
353 int error;
354
355 error = __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS);
356 if (error == -EOPNOTSUPP)
357 error = 0;
358 return error;
359 }
360
361 /**
362 * kuid_root_in_ns - check whether the given kuid is root in the given ns
363 * @kuid: the kuid to be tested
364 * @ns: the user namespace to test against
365 *
366 * Returns true if @kuid represents the root user in @ns, false otherwise.
367 */
kuid_root_in_ns(kuid_t kuid,struct user_namespace * ns)368 static bool kuid_root_in_ns(kuid_t kuid, struct user_namespace *ns)
369 {
370 for (;; ns = ns->parent) {
371 if (from_kuid(ns, kuid) == 0)
372 return true;
373 if (ns == &init_user_ns)
374 break;
375 }
376
377 return false;
378 }
379
vfsuid_root_in_currentns(vfsuid_t vfsuid)380 static bool vfsuid_root_in_currentns(vfsuid_t vfsuid)
381 {
382 kuid_t kuid;
383
384 if (!vfsuid_valid(vfsuid))
385 return false;
386 kuid = vfsuid_into_kuid(vfsuid);
387 return kuid_root_in_ns(kuid, current_user_ns());
388 }
389
sansflags(__u32 m)390 static __u32 sansflags(__u32 m)
391 {
392 return m & ~VFS_CAP_FLAGS_EFFECTIVE;
393 }
394
is_v2header(int size,const struct vfs_cap_data * cap)395 static bool is_v2header(int size, const struct vfs_cap_data *cap)
396 {
397 if (size != XATTR_CAPS_SZ_2)
398 return false;
399 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
400 }
401
is_v3header(int size,const struct vfs_cap_data * cap)402 static bool is_v3header(int size, const struct vfs_cap_data *cap)
403 {
404 if (size != XATTR_CAPS_SZ_3)
405 return false;
406 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
407 }
408
409 /*
410 * getsecurity: We are called for security.* before any attempt to read the
411 * xattr from the inode itself.
412 *
413 * This gives us a chance to read the on-disk value and convert it. If we
414 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
415 *
416 * Note we are not called by vfs_getxattr_alloc(), but that is only called
417 * by the integrity subsystem, which really wants the unconverted values -
418 * so that's good.
419 */
cap_inode_getsecurity(struct mnt_idmap * idmap,struct inode * inode,const char * name,void ** buffer,bool alloc)420 int cap_inode_getsecurity(struct mnt_idmap *idmap,
421 struct inode *inode, const char *name, void **buffer,
422 bool alloc)
423 {
424 int size;
425 kuid_t kroot;
426 vfsuid_t vfsroot;
427 u32 nsmagic, magic;
428 uid_t root, mappedroot;
429 char *tmpbuf = NULL;
430 struct vfs_cap_data *cap;
431 struct vfs_ns_cap_data *nscap = NULL;
432 struct dentry *dentry;
433 struct user_namespace *fs_ns;
434
435 if (strcmp(name, "capability") != 0)
436 return -EOPNOTSUPP;
437
438 dentry = d_find_any_alias(inode);
439 if (!dentry)
440 return -EINVAL;
441 size = vfs_getxattr_alloc(idmap, dentry, XATTR_NAME_CAPS, &tmpbuf,
442 sizeof(struct vfs_ns_cap_data), GFP_NOFS);
443 dput(dentry);
444 /* gcc11 complains if we don't check for !tmpbuf */
445 if (size < 0 || !tmpbuf)
446 goto out_free;
447
448 fs_ns = inode->i_sb->s_user_ns;
449 cap = (struct vfs_cap_data *) tmpbuf;
450 if (is_v2header(size, cap)) {
451 root = 0;
452 } else if (is_v3header(size, cap)) {
453 nscap = (struct vfs_ns_cap_data *) tmpbuf;
454 root = le32_to_cpu(nscap->rootid);
455 } else {
456 size = -EINVAL;
457 goto out_free;
458 }
459
460 kroot = make_kuid(fs_ns, root);
461
462 /* If this is an idmapped mount shift the kuid. */
463 vfsroot = make_vfsuid(idmap, fs_ns, kroot);
464
465 /* If the root kuid maps to a valid uid in current ns, then return
466 * this as a nscap. */
467 mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot));
468 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
469 size = sizeof(struct vfs_ns_cap_data);
470 if (alloc) {
471 if (!nscap) {
472 /* v2 -> v3 conversion */
473 nscap = kzalloc(size, GFP_ATOMIC);
474 if (!nscap) {
475 size = -ENOMEM;
476 goto out_free;
477 }
478 nsmagic = VFS_CAP_REVISION_3;
479 magic = le32_to_cpu(cap->magic_etc);
480 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
481 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
482 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
483 nscap->magic_etc = cpu_to_le32(nsmagic);
484 } else {
485 /* use allocated v3 buffer */
486 tmpbuf = NULL;
487 }
488 nscap->rootid = cpu_to_le32(mappedroot);
489 *buffer = nscap;
490 }
491 goto out_free;
492 }
493
494 if (!vfsuid_root_in_currentns(vfsroot)) {
495 size = -EOVERFLOW;
496 goto out_free;
497 }
498
499 /* This comes from a parent namespace. Return as a v2 capability */
500 size = sizeof(struct vfs_cap_data);
501 if (alloc) {
502 if (nscap) {
503 /* v3 -> v2 conversion */
504 cap = kzalloc(size, GFP_ATOMIC);
505 if (!cap) {
506 size = -ENOMEM;
507 goto out_free;
508 }
509 magic = VFS_CAP_REVISION_2;
510 nsmagic = le32_to_cpu(nscap->magic_etc);
511 if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
512 magic |= VFS_CAP_FLAGS_EFFECTIVE;
513 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
514 cap->magic_etc = cpu_to_le32(magic);
515 } else {
516 /* use unconverted v2 */
517 tmpbuf = NULL;
518 }
519 *buffer = cap;
520 }
521 out_free:
522 kfree(tmpbuf);
523 return size;
524 }
525
526 /**
527 * rootid_from_xattr - translate root uid of vfs caps
528 *
529 * @value: vfs caps value which may be modified by this function
530 * @size: size of @ivalue
531 * @task_ns: user namespace of the caller
532 */
rootid_from_xattr(const void * value,size_t size,struct user_namespace * task_ns)533 static vfsuid_t rootid_from_xattr(const void *value, size_t size,
534 struct user_namespace *task_ns)
535 {
536 const struct vfs_ns_cap_data *nscap = value;
537 uid_t rootid = 0;
538
539 if (size == XATTR_CAPS_SZ_3)
540 rootid = le32_to_cpu(nscap->rootid);
541
542 return VFSUIDT_INIT(make_kuid(task_ns, rootid));
543 }
544
validheader(size_t size,const struct vfs_cap_data * cap)545 static bool validheader(size_t size, const struct vfs_cap_data *cap)
546 {
547 return is_v2header(size, cap) || is_v3header(size, cap);
548 }
549
550 /**
551 * cap_convert_nscap - check vfs caps
552 *
553 * @idmap: idmap of the mount the inode was found from
554 * @dentry: used to retrieve inode to check permissions on
555 * @ivalue: vfs caps value which may be modified by this function
556 * @size: size of @ivalue
557 *
558 * User requested a write of security.capability. If needed, update the
559 * xattr to change from v2 to v3, or to fixup the v3 rootid.
560 *
561 * If the inode has been found through an idmapped mount the idmap of
562 * the vfsmount must be passed through @idmap. This function will then
563 * take care to map the inode according to @idmap before checking
564 * permissions. On non-idmapped mounts or if permission checking is to be
565 * performed on the raw inode simply pass @nop_mnt_idmap.
566 *
567 * Return: On success, return the new size; on error, return < 0.
568 */
cap_convert_nscap(struct mnt_idmap * idmap,struct dentry * dentry,const void ** ivalue,size_t size)569 int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry,
570 const void **ivalue, size_t size)
571 {
572 struct vfs_ns_cap_data *nscap;
573 uid_t nsrootid;
574 const struct vfs_cap_data *cap = *ivalue;
575 __u32 magic, nsmagic;
576 struct inode *inode = d_backing_inode(dentry);
577 struct user_namespace *task_ns = current_user_ns(),
578 *fs_ns = inode->i_sb->s_user_ns;
579 kuid_t rootid;
580 vfsuid_t vfsrootid;
581 size_t newsize;
582
583 if (!*ivalue)
584 return -EINVAL;
585 if (!validheader(size, cap))
586 return -EINVAL;
587 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
588 return -EPERM;
589 if (size == XATTR_CAPS_SZ_2 && (idmap == &nop_mnt_idmap))
590 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
591 /* user is privileged, just write the v2 */
592 return size;
593
594 vfsrootid = rootid_from_xattr(*ivalue, size, task_ns);
595 if (!vfsuid_valid(vfsrootid))
596 return -EINVAL;
597
598 rootid = from_vfsuid(idmap, fs_ns, vfsrootid);
599 if (!uid_valid(rootid))
600 return -EINVAL;
601
602 nsrootid = from_kuid(fs_ns, rootid);
603 if (nsrootid == -1)
604 return -EINVAL;
605
606 newsize = sizeof(struct vfs_ns_cap_data);
607 nscap = kmalloc(newsize, GFP_ATOMIC);
608 if (!nscap)
609 return -ENOMEM;
610 nscap->rootid = cpu_to_le32(nsrootid);
611 nsmagic = VFS_CAP_REVISION_3;
612 magic = le32_to_cpu(cap->magic_etc);
613 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
614 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
615 nscap->magic_etc = cpu_to_le32(nsmagic);
616 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
617
618 *ivalue = nscap;
619 return newsize;
620 }
621
622 /*
623 * Calculate the new process capability sets from the capability sets attached
624 * to a file.
625 */
bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data * caps,struct linux_binprm * bprm,bool * effective,bool * has_fcap)626 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
627 struct linux_binprm *bprm,
628 bool *effective,
629 bool *has_fcap)
630 {
631 struct cred *new = bprm->cred;
632 int ret = 0;
633
634 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
635 *effective = true;
636
637 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
638 *has_fcap = true;
639
640 /*
641 * pP' = (X & fP) | (pI & fI)
642 * The addition of pA' is handled later.
643 */
644 new->cap_permitted.val =
645 (new->cap_bset.val & caps->permitted.val) |
646 (new->cap_inheritable.val & caps->inheritable.val);
647
648 if (caps->permitted.val & ~new->cap_permitted.val)
649 /* insufficient to execute correctly */
650 ret = -EPERM;
651
652 /*
653 * For legacy apps, with no internal support for recognizing they
654 * do not have enough capabilities, we return an error if they are
655 * missing some "forced" (aka file-permitted) capabilities.
656 */
657 return *effective ? ret : 0;
658 }
659
660 /**
661 * get_vfs_caps_from_disk - retrieve vfs caps from disk
662 *
663 * @idmap: idmap of the mount the inode was found from
664 * @dentry: dentry from which @inode is retrieved
665 * @cpu_caps: vfs capabilities
666 *
667 * Extract the on-exec-apply capability sets for an executable file.
668 *
669 * If the inode has been found through an idmapped mount the idmap of
670 * the vfsmount must be passed through @idmap. This function will then
671 * take care to map the inode according to @idmap before checking
672 * permissions. On non-idmapped mounts or if permission checking is to be
673 * performed on the raw inode simply pass @nop_mnt_idmap.
674 */
get_vfs_caps_from_disk(struct mnt_idmap * idmap,const struct dentry * dentry,struct cpu_vfs_cap_data * cpu_caps)675 int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
676 const struct dentry *dentry,
677 struct cpu_vfs_cap_data *cpu_caps)
678 {
679 struct inode *inode = d_backing_inode(dentry);
680 __u32 magic_etc;
681 int size;
682 struct vfs_ns_cap_data data, *nscaps = &data;
683 struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
684 kuid_t rootkuid;
685 vfsuid_t rootvfsuid;
686 struct user_namespace *fs_ns;
687
688 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
689
690 if (!inode)
691 return -ENODATA;
692
693 fs_ns = inode->i_sb->s_user_ns;
694 size = __vfs_getxattr((struct dentry *)dentry, inode,
695 XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
696 if (size == -ENODATA || size == -EOPNOTSUPP)
697 /* no data, that's ok */
698 return -ENODATA;
699
700 if (size < 0)
701 return size;
702
703 if (size < sizeof(magic_etc))
704 return -EINVAL;
705
706 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);
707
708 rootkuid = make_kuid(fs_ns, 0);
709 switch (magic_etc & VFS_CAP_REVISION_MASK) {
710 case VFS_CAP_REVISION_1:
711 if (size != XATTR_CAPS_SZ_1)
712 return -EINVAL;
713 break;
714 case VFS_CAP_REVISION_2:
715 if (size != XATTR_CAPS_SZ_2)
716 return -EINVAL;
717 break;
718 case VFS_CAP_REVISION_3:
719 if (size != XATTR_CAPS_SZ_3)
720 return -EINVAL;
721 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
722 break;
723
724 default:
725 return -EINVAL;
726 }
727
728 rootvfsuid = make_vfsuid(idmap, fs_ns, rootkuid);
729 if (!vfsuid_valid(rootvfsuid))
730 return -ENODATA;
731
732 /* Limit the caps to the mounter of the filesystem
733 * or the more limited uid specified in the xattr.
734 */
735 if (!vfsuid_root_in_currentns(rootvfsuid))
736 return -ENODATA;
737
738 cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted);
739 cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable);
740
741 /*
742 * Rev1 had just a single 32-bit word, later expanded
743 * to a second one for the high bits
744 */
745 if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) {
746 cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32;
747 cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32;
748 }
749
750 cpu_caps->permitted.val &= CAP_VALID_MASK;
751 cpu_caps->inheritable.val &= CAP_VALID_MASK;
752
753 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid);
754
755 return 0;
756 }
757
758 /*
759 * Attempt to get the on-exec apply capability sets for an executable file from
760 * its xattrs and, if present, apply them to the proposed credentials being
761 * constructed by execve().
762 */
get_file_caps(struct linux_binprm * bprm,const struct file * file,bool * effective,bool * has_fcap)763 static int get_file_caps(struct linux_binprm *bprm, const struct file *file,
764 bool *effective, bool *has_fcap)
765 {
766 int rc = 0;
767 struct cpu_vfs_cap_data vcaps;
768
769 cap_clear(bprm->cred->cap_permitted);
770
771 if (!file_caps_enabled)
772 return 0;
773
774 if (!mnt_may_suid(file->f_path.mnt))
775 return 0;
776
777 /*
778 * This check is redundant with mnt_may_suid() but is kept to make
779 * explicit that capability bits are limited to s_user_ns and its
780 * descendants.
781 */
782 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
783 return 0;
784
785 rc = get_vfs_caps_from_disk(file_mnt_idmap(file),
786 file->f_path.dentry, &vcaps);
787 if (rc < 0) {
788 if (rc == -EINVAL)
789 printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
790 bprm->filename);
791 else if (rc == -ENODATA)
792 rc = 0;
793 goto out;
794 }
795
796 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
797
798 out:
799 if (rc)
800 cap_clear(bprm->cred->cap_permitted);
801
802 return rc;
803 }
804
root_privileged(void)805 static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
806
__is_real(kuid_t uid,struct cred * cred)807 static inline bool __is_real(kuid_t uid, struct cred *cred)
808 { return uid_eq(cred->uid, uid); }
809
__is_eff(kuid_t uid,struct cred * cred)810 static inline bool __is_eff(kuid_t uid, struct cred *cred)
811 { return uid_eq(cred->euid, uid); }
812
__is_suid(kuid_t uid,struct cred * cred)813 static inline bool __is_suid(kuid_t uid, struct cred *cred)
814 { return !__is_real(uid, cred) && __is_eff(uid, cred); }
815
816 /*
817 * handle_privileged_root - Handle case of privileged root
818 * @bprm: The execution parameters, including the proposed creds
819 * @has_fcap: Are any file capabilities set?
820 * @effective: Do we have effective root privilege?
821 * @root_uid: This namespace' root UID WRT initial USER namespace
822 *
823 * Handle the case where root is privileged and hasn't been neutered by
824 * SECURE_NOROOT. If file capabilities are set, they won't be combined with
825 * set UID root and nothing is changed. If we are root, cap_permitted is
826 * updated. If we have become set UID root, the effective bit is set.
827 */
handle_privileged_root(struct linux_binprm * bprm,bool has_fcap,bool * effective,kuid_t root_uid)828 static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
829 bool *effective, kuid_t root_uid)
830 {
831 const struct cred *old = current_cred();
832 struct cred *new = bprm->cred;
833
834 if (!root_privileged())
835 return;
836 /*
837 * If the legacy file capability is set, then don't set privs
838 * for a setuid root binary run by a non-root user. Do set it
839 * for a root user just to cause least surprise to an admin.
840 */
841 if (has_fcap && __is_suid(root_uid, new)) {
842 warn_setuid_and_fcaps_mixed(bprm->filename);
843 return;
844 }
845 /*
846 * To support inheritance of root-permissions and suid-root
847 * executables under compatibility mode, we override the
848 * capability sets for the file.
849 */
850 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
851 /* pP' = (cap_bset & ~0) | (pI & ~0) */
852 new->cap_permitted = cap_combine(old->cap_bset,
853 old->cap_inheritable);
854 }
855 /*
856 * If only the real uid is 0, we do not set the effective bit.
857 */
858 if (__is_eff(root_uid, new))
859 *effective = true;
860 }
861
862 #define __cap_gained(field, target, source) \
863 !cap_issubset(target->cap_##field, source->cap_##field)
864 #define __cap_grew(target, source, cred) \
865 !cap_issubset(cred->cap_##target, cred->cap_##source)
866 #define __cap_full(field, cred) \
867 cap_issubset(CAP_FULL_SET, cred->cap_##field)
868
869 /*
870 * 1) Audit candidate if current->cap_effective is set
871 *
872 * We do not bother to audit if 3 things are true:
873 * 1) cap_effective has all caps
874 * 2) we became root *OR* are were already root
875 * 3) root is supposed to have all caps (SECURE_NOROOT)
876 * Since this is just a normal root execing a process.
877 *
878 * Number 1 above might fail if you don't have a full bset, but I think
879 * that is interesting information to audit.
880 *
881 * A number of other conditions require logging:
882 * 2) something prevented setuid root getting all caps
883 * 3) non-setuid root gets fcaps
884 * 4) non-setuid root gets ambient
885 */
nonroot_raised_pE(struct cred * new,const struct cred * old,kuid_t root,bool has_fcap)886 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
887 kuid_t root, bool has_fcap)
888 {
889 bool ret = false;
890
891 if ((__cap_grew(effective, ambient, new) &&
892 !(__cap_full(effective, new) &&
893 (__is_eff(root, new) || __is_real(root, new)) &&
894 root_privileged())) ||
895 (root_privileged() &&
896 __is_suid(root, new) &&
897 !__cap_full(effective, new)) ||
898 (uid_eq(new->euid, old->euid) &&
899 ((has_fcap &&
900 __cap_gained(permitted, new, old)) ||
901 __cap_gained(ambient, new, old))))
902
903 ret = true;
904
905 return ret;
906 }
907
908 /**
909 * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
910 * @bprm: The execution parameters, including the proposed creds
911 * @file: The file to pull the credentials from
912 *
913 * Set up the proposed credentials for a new execution context being
914 * constructed by execve(). The proposed creds in @bprm->cred is altered,
915 * which won't take effect immediately.
916 *
917 * Return: 0 if successful, -ve on error.
918 */
cap_bprm_creds_from_file(struct linux_binprm * bprm,const struct file * file)919 int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
920 {
921 /* Process setpcap binaries and capabilities for uid 0 */
922 const struct cred *old = current_cred();
923 struct cred *new = bprm->cred;
924 bool effective = false, has_fcap = false, id_changed;
925 int ret;
926 kuid_t root_uid;
927
928 if (WARN_ON(!cap_ambient_invariant_ok(old)))
929 return -EPERM;
930
931 ret = get_file_caps(bprm, file, &effective, &has_fcap);
932 if (ret < 0)
933 return ret;
934
935 root_uid = make_kuid(new->user_ns, 0);
936
937 handle_privileged_root(bprm, has_fcap, &effective, root_uid);
938
939 /* if we have fs caps, clear dangerous personality flags */
940 if (__cap_gained(permitted, new, old))
941 bprm->per_clear |= PER_CLEAR_ON_SETID;
942
943 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
944 * credentials unless they have the appropriate permit.
945 *
946 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
947 */
948 id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
949
950 if ((id_changed || __cap_gained(permitted, new, old)) &&
951 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
952 !ptracer_capable(current, new->user_ns))) {
953 /* downgrade; they get no more than they had, and maybe less */
954 if (!ns_capable(new->user_ns, CAP_SETUID) ||
955 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
956 new->euid = new->uid;
957 new->egid = new->gid;
958 }
959 new->cap_permitted = cap_intersect(new->cap_permitted,
960 old->cap_permitted);
961 }
962
963 new->suid = new->fsuid = new->euid;
964 new->sgid = new->fsgid = new->egid;
965
966 /* File caps or setid cancels ambient. */
967 if (has_fcap || id_changed)
968 cap_clear(new->cap_ambient);
969
970 /*
971 * Now that we've computed pA', update pP' to give:
972 * pP' = (X & fP) | (pI & fI) | pA'
973 */
974 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
975
976 /*
977 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
978 * this is the same as pE' = (fE ? pP' : 0) | pA'.
979 */
980 if (effective)
981 new->cap_effective = new->cap_permitted;
982 else
983 new->cap_effective = new->cap_ambient;
984
985 if (WARN_ON(!cap_ambient_invariant_ok(new)))
986 return -EPERM;
987
988 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
989 ret = audit_log_bprm_fcaps(bprm, new, old);
990 if (ret < 0)
991 return ret;
992 }
993
994 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
995
996 if (WARN_ON(!cap_ambient_invariant_ok(new)))
997 return -EPERM;
998
999 /* Check for privilege-elevated exec. */
1000 if (id_changed ||
1001 !uid_eq(new->euid, old->uid) ||
1002 !gid_eq(new->egid, old->gid) ||
1003 (!__is_real(root_uid, new) &&
1004 (effective ||
1005 __cap_grew(permitted, ambient, new))))
1006 bprm->secureexec = 1;
1007
1008 return 0;
1009 }
1010
1011 /**
1012 * cap_inode_setxattr - Determine whether an xattr may be altered
1013 * @dentry: The inode/dentry being altered
1014 * @name: The name of the xattr to be changed
1015 * @value: The value that the xattr will be changed to
1016 * @size: The size of value
1017 * @flags: The replacement flag
1018 *
1019 * Determine whether an xattr may be altered or set on an inode, returning 0 if
1020 * permission is granted, -ve if denied.
1021 *
1022 * This is used to make sure security xattrs don't get updated or set by those
1023 * who aren't privileged to do so.
1024 */
cap_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)1025 int cap_inode_setxattr(struct dentry *dentry, const char *name,
1026 const void *value, size_t size, int flags)
1027 {
1028 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
1029
1030 /* Ignore non-security xattrs */
1031 if (strncmp(name, XATTR_SECURITY_PREFIX,
1032 XATTR_SECURITY_PREFIX_LEN) != 0)
1033 return 0;
1034
1035 /*
1036 * For XATTR_NAME_CAPS the check will be done in
1037 * cap_convert_nscap(), called by setxattr()
1038 */
1039 if (strcmp(name, XATTR_NAME_CAPS) == 0)
1040 return 0;
1041
1042 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1043 return -EPERM;
1044 return 0;
1045 }
1046
1047 /**
1048 * cap_inode_removexattr - Determine whether an xattr may be removed
1049 *
1050 * @idmap: idmap of the mount the inode was found from
1051 * @dentry: The inode/dentry being altered
1052 * @name: The name of the xattr to be changed
1053 *
1054 * Determine whether an xattr may be removed from an inode, returning 0 if
1055 * permission is granted, -ve if denied.
1056 *
1057 * If the inode has been found through an idmapped mount the idmap of
1058 * the vfsmount must be passed through @idmap. This function will then
1059 * take care to map the inode according to @idmap before checking
1060 * permissions. On non-idmapped mounts or if permission checking is to be
1061 * performed on the raw inode simply pass @nop_mnt_idmap.
1062 *
1063 * This is used to make sure security xattrs don't get removed by those who
1064 * aren't privileged to remove them.
1065 */
cap_inode_removexattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name)1066 int cap_inode_removexattr(struct mnt_idmap *idmap,
1067 struct dentry *dentry, const char *name)
1068 {
1069 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
1070
1071 /* Ignore non-security xattrs */
1072 if (strncmp(name, XATTR_SECURITY_PREFIX,
1073 XATTR_SECURITY_PREFIX_LEN) != 0)
1074 return 0;
1075
1076 if (strcmp(name, XATTR_NAME_CAPS) == 0) {
1077 /* security.capability gets namespaced */
1078 struct inode *inode = d_backing_inode(dentry);
1079 if (!inode)
1080 return -EINVAL;
1081 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
1082 return -EPERM;
1083 return 0;
1084 }
1085
1086 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1087 return -EPERM;
1088 return 0;
1089 }
1090
1091 /*
1092 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
1093 * a process after a call to setuid, setreuid, or setresuid.
1094 *
1095 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
1096 * {r,e,s}uid != 0, the permitted and effective capabilities are
1097 * cleared.
1098 *
1099 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
1100 * capabilities of the process are cleared.
1101 *
1102 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
1103 * capabilities are set to the permitted capabilities.
1104 *
1105 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
1106 * never happen.
1107 *
1108 * -astor
1109 *
1110 * cevans - New behaviour, Oct '99
1111 * A process may, via prctl(), elect to keep its capabilities when it
1112 * calls setuid() and switches away from uid==0. Both permitted and
1113 * effective sets will be retained.
1114 * Without this change, it was impossible for a daemon to drop only some
1115 * of its privilege. The call to setuid(!=0) would drop all privileges!
1116 * Keeping uid 0 is not an option because uid 0 owns too many vital
1117 * files..
1118 * Thanks to Olaf Kirch and Peter Benie for spotting this.
1119 */
cap_emulate_setxuid(struct cred * new,const struct cred * old)1120 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
1121 {
1122 kuid_t root_uid = make_kuid(old->user_ns, 0);
1123
1124 if ((uid_eq(old->uid, root_uid) ||
1125 uid_eq(old->euid, root_uid) ||
1126 uid_eq(old->suid, root_uid)) &&
1127 (!uid_eq(new->uid, root_uid) &&
1128 !uid_eq(new->euid, root_uid) &&
1129 !uid_eq(new->suid, root_uid))) {
1130 if (!issecure(SECURE_KEEP_CAPS)) {
1131 cap_clear(new->cap_permitted);
1132 cap_clear(new->cap_effective);
1133 }
1134
1135 /*
1136 * Pre-ambient programs expect setresuid to nonroot followed
1137 * by exec to drop capabilities. We should make sure that
1138 * this remains the case.
1139 */
1140 cap_clear(new->cap_ambient);
1141 }
1142 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
1143 cap_clear(new->cap_effective);
1144 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
1145 new->cap_effective = new->cap_permitted;
1146 }
1147
1148 /**
1149 * cap_task_fix_setuid - Fix up the results of setuid() call
1150 * @new: The proposed credentials
1151 * @old: The current task's current credentials
1152 * @flags: Indications of what has changed
1153 *
1154 * Fix up the results of setuid() call before the credential changes are
1155 * actually applied.
1156 *
1157 * Return: 0 to grant the changes, -ve to deny them.
1158 */
cap_task_fix_setuid(struct cred * new,const struct cred * old,int flags)1159 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
1160 {
1161 switch (flags) {
1162 case LSM_SETID_RE:
1163 case LSM_SETID_ID:
1164 case LSM_SETID_RES:
1165 /* juggle the capabilities to follow [RES]UID changes unless
1166 * otherwise suppressed */
1167 if (!issecure(SECURE_NO_SETUID_FIXUP))
1168 cap_emulate_setxuid(new, old);
1169 break;
1170
1171 case LSM_SETID_FS:
1172 /* juggle the capabilities to follow FSUID changes, unless
1173 * otherwise suppressed
1174 *
1175 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
1176 * if not, we might be a bit too harsh here.
1177 */
1178 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
1179 kuid_t root_uid = make_kuid(old->user_ns, 0);
1180 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
1181 new->cap_effective =
1182 cap_drop_fs_set(new->cap_effective);
1183
1184 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
1185 new->cap_effective =
1186 cap_raise_fs_set(new->cap_effective,
1187 new->cap_permitted);
1188 }
1189 break;
1190
1191 default:
1192 return -EINVAL;
1193 }
1194
1195 return 0;
1196 }
1197
1198 /*
1199 * Rationale: code calling task_setscheduler, task_setioprio, and
1200 * task_setnice, assumes that
1201 * . if capable(cap_sys_nice), then those actions should be allowed
1202 * . if not capable(cap_sys_nice), but acting on your own processes,
1203 * then those actions should be allowed
1204 * This is insufficient now since you can call code without suid, but
1205 * yet with increased caps.
1206 * So we check for increased caps on the target process.
1207 */
cap_safe_nice(struct task_struct * p)1208 static int cap_safe_nice(struct task_struct *p)
1209 {
1210 int is_subset, ret = 0;
1211
1212 rcu_read_lock();
1213 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
1214 current_cred()->cap_permitted);
1215 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
1216 ret = -EPERM;
1217 rcu_read_unlock();
1218
1219 return ret;
1220 }
1221
1222 /**
1223 * cap_task_setscheduler - Determine if scheduler policy change is permitted
1224 * @p: The task to affect
1225 *
1226 * Determine if the requested scheduler policy change is permitted for the
1227 * specified task.
1228 *
1229 * Return: 0 if permission is granted, -ve if denied.
1230 */
cap_task_setscheduler(struct task_struct * p)1231 int cap_task_setscheduler(struct task_struct *p)
1232 {
1233 return cap_safe_nice(p);
1234 }
1235
1236 /**
1237 * cap_task_setioprio - Determine if I/O priority change is permitted
1238 * @p: The task to affect
1239 * @ioprio: The I/O priority to set
1240 *
1241 * Determine if the requested I/O priority change is permitted for the specified
1242 * task.
1243 *
1244 * Return: 0 if permission is granted, -ve if denied.
1245 */
cap_task_setioprio(struct task_struct * p,int ioprio)1246 int cap_task_setioprio(struct task_struct *p, int ioprio)
1247 {
1248 return cap_safe_nice(p);
1249 }
1250
1251 /**
1252 * cap_task_setnice - Determine if task priority change is permitted
1253 * @p: The task to affect
1254 * @nice: The nice value to set
1255 *
1256 * Determine if the requested task priority change is permitted for the
1257 * specified task.
1258 *
1259 * Return: 0 if permission is granted, -ve if denied.
1260 */
cap_task_setnice(struct task_struct * p,int nice)1261 int cap_task_setnice(struct task_struct *p, int nice)
1262 {
1263 return cap_safe_nice(p);
1264 }
1265
1266 /*
1267 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
1268 * the current task's bounding set. Returns 0 on success, -ve on error.
1269 */
cap_prctl_drop(unsigned long cap)1270 static int cap_prctl_drop(unsigned long cap)
1271 {
1272 struct cred *new;
1273
1274 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
1275 return -EPERM;
1276 if (!cap_valid(cap))
1277 return -EINVAL;
1278
1279 new = prepare_creds();
1280 if (!new)
1281 return -ENOMEM;
1282 cap_lower(new->cap_bset, cap);
1283 return commit_creds(new);
1284 }
1285
1286 /**
1287 * cap_task_prctl - Implement process control functions for this security module
1288 * @option: The process control function requested
1289 * @arg2: The argument data for this function
1290 * @arg3: The argument data for this function
1291 * @arg4: The argument data for this function
1292 * @arg5: The argument data for this function
1293 *
1294 * Allow process control functions (sys_prctl()) to alter capabilities; may
1295 * also deny access to other functions not otherwise implemented here.
1296 *
1297 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
1298 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
1299 * modules will consider performing the function.
1300 */
cap_task_prctl(int option,unsigned long arg2,unsigned long arg3,unsigned long arg4,unsigned long arg5)1301 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
1302 unsigned long arg4, unsigned long arg5)
1303 {
1304 const struct cred *old = current_cred();
1305 struct cred *new;
1306
1307 switch (option) {
1308 case PR_CAPBSET_READ:
1309 if (!cap_valid(arg2))
1310 return -EINVAL;
1311 return !!cap_raised(old->cap_bset, arg2);
1312
1313 case PR_CAPBSET_DROP:
1314 return cap_prctl_drop(arg2);
1315
1316 /*
1317 * The next four prctl's remain to assist with transitioning a
1318 * system from legacy UID=0 based privilege (when filesystem
1319 * capabilities are not in use) to a system using filesystem
1320 * capabilities only - as the POSIX.1e draft intended.
1321 *
1322 * Note:
1323 *
1324 * PR_SET_SECUREBITS =
1325 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
1326 * | issecure_mask(SECURE_NOROOT)
1327 * | issecure_mask(SECURE_NOROOT_LOCKED)
1328 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
1329 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
1330 *
1331 * will ensure that the current process and all of its
1332 * children will be locked into a pure
1333 * capability-based-privilege environment.
1334 */
1335 case PR_SET_SECUREBITS:
1336 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
1337 & (old->securebits ^ arg2)) /*[1]*/
1338 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
1339 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
1340 /*
1341 * [1] no changing of bits that are locked
1342 * [2] no unlocking of locks
1343 * [3] no setting of unsupported bits
1344 */
1345 )
1346 /* cannot change a locked bit */
1347 return -EPERM;
1348
1349 /*
1350 * Doing anything requires privilege (go read about the
1351 * "sendmail capabilities bug"), except for unprivileged bits.
1352 * Indeed, the SECURE_ALL_UNPRIVILEGED bits are not
1353 * restrictions enforced by the kernel but by user space on
1354 * itself.
1355 */
1356 if (cap_capable(current_cred(), current_cred()->user_ns,
1357 CAP_SETPCAP, CAP_OPT_NONE) != 0) {
1358 const unsigned long unpriv_and_locks =
1359 SECURE_ALL_UNPRIVILEGED |
1360 SECURE_ALL_UNPRIVILEGED << 1;
1361 const unsigned long changed = old->securebits ^ arg2;
1362
1363 /* For legacy reason, denies non-change. */
1364 if (!changed)
1365 return -EPERM;
1366
1367 /* Denies privileged changes. */
1368 if (changed & ~unpriv_and_locks)
1369 return -EPERM;
1370 }
1371
1372 new = prepare_creds();
1373 if (!new)
1374 return -ENOMEM;
1375 new->securebits = arg2;
1376 return commit_creds(new);
1377
1378 case PR_GET_SECUREBITS:
1379 return old->securebits;
1380
1381 case PR_GET_KEEPCAPS:
1382 return !!issecure(SECURE_KEEP_CAPS);
1383
1384 case PR_SET_KEEPCAPS:
1385 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
1386 return -EINVAL;
1387 if (issecure(SECURE_KEEP_CAPS_LOCKED))
1388 return -EPERM;
1389
1390 new = prepare_creds();
1391 if (!new)
1392 return -ENOMEM;
1393 if (arg2)
1394 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
1395 else
1396 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
1397 return commit_creds(new);
1398
1399 case PR_CAP_AMBIENT:
1400 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
1401 if (arg3 | arg4 | arg5)
1402 return -EINVAL;
1403
1404 new = prepare_creds();
1405 if (!new)
1406 return -ENOMEM;
1407 cap_clear(new->cap_ambient);
1408 return commit_creds(new);
1409 }
1410
1411 if (((!cap_valid(arg3)) | arg4 | arg5))
1412 return -EINVAL;
1413
1414 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
1415 return !!cap_raised(current_cred()->cap_ambient, arg3);
1416 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
1417 arg2 != PR_CAP_AMBIENT_LOWER) {
1418 return -EINVAL;
1419 } else {
1420 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1421 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1422 !cap_raised(current_cred()->cap_inheritable,
1423 arg3) ||
1424 issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
1425 return -EPERM;
1426
1427 new = prepare_creds();
1428 if (!new)
1429 return -ENOMEM;
1430 if (arg2 == PR_CAP_AMBIENT_RAISE)
1431 cap_raise(new->cap_ambient, arg3);
1432 else
1433 cap_lower(new->cap_ambient, arg3);
1434 return commit_creds(new);
1435 }
1436
1437 default:
1438 /* No functionality available - continue with default */
1439 return -ENOSYS;
1440 }
1441 }
1442
1443 /**
1444 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1445 * @mm: The VM space in which the new mapping is to be made
1446 * @pages: The size of the mapping
1447 *
1448 * Determine whether the allocation of a new virtual mapping by the current
1449 * task is permitted.
1450 *
1451 * Return: 0 if permission granted, negative error code if not.
1452 */
cap_vm_enough_memory(struct mm_struct * mm,long pages)1453 int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1454 {
1455 return cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1456 CAP_OPT_NOAUDIT);
1457 }
1458
1459 /**
1460 * cap_mmap_addr - check if able to map given addr
1461 * @addr: address attempting to be mapped
1462 *
1463 * If the process is attempting to map memory below dac_mmap_min_addr they need
1464 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
1465 * capability security module.
1466 *
1467 * Return: 0 if this mapping should be allowed or -EPERM if not.
1468 */
cap_mmap_addr(unsigned long addr)1469 int cap_mmap_addr(unsigned long addr)
1470 {
1471 int ret = 0;
1472
1473 if (addr < dac_mmap_min_addr) {
1474 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
1475 CAP_OPT_NONE);
1476 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1477 if (ret == 0)
1478 current->flags |= PF_SUPERPRIV;
1479 }
1480 return ret;
1481 }
1482
1483 #ifdef CONFIG_SECURITY
1484
1485 static const struct lsm_id capability_lsmid = {
1486 .name = "capability",
1487 .id = LSM_ID_CAPABILITY,
1488 };
1489
1490 static struct security_hook_list capability_hooks[] __ro_after_init = {
1491 LSM_HOOK_INIT(capable, cap_capable),
1492 LSM_HOOK_INIT(settime, cap_settime),
1493 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
1494 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
1495 LSM_HOOK_INIT(capget, cap_capget),
1496 LSM_HOOK_INIT(capset, cap_capset),
1497 LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file),
1498 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
1499 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
1500 LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
1501 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
1502 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
1503 LSM_HOOK_INIT(task_prctl, cap_task_prctl),
1504 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
1505 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
1506 LSM_HOOK_INIT(task_setnice, cap_task_setnice),
1507 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
1508 };
1509
capability_init(void)1510 static int __init capability_init(void)
1511 {
1512 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
1513 &capability_lsmid);
1514 return 0;
1515 }
1516
1517 DEFINE_LSM(capability) = {
1518 .id = &capability_lsmid,
1519 .order = LSM_ORDER_FIRST,
1520 .init = capability_init,
1521 };
1522
1523 #endif /* CONFIG_SECURITY */
1524