1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Common capabilities, needed by capability.o.
3 */
4
5 #include <linux/capability.h>
6 #include <linux/audit.h>
7 #include <linux/init.h>
8 #include <linux/kernel.h>
9 #include <linux/lsm_hooks.h>
10 #include <linux/file.h>
11 #include <linux/mm.h>
12 #include <linux/mman.h>
13 #include <linux/pagemap.h>
14 #include <linux/swap.h>
15 #include <linux/skbuff.h>
16 #include <linux/netlink.h>
17 #include <linux/ptrace.h>
18 #include <linux/xattr.h>
19 #include <linux/hugetlb.h>
20 #include <linux/mount.h>
21 #include <linux/sched.h>
22 #include <linux/prctl.h>
23 #include <linux/securebits.h>
24 #include <linux/user_namespace.h>
25 #include <linux/binfmts.h>
26 #include <linux/personality.h>
27 #include <linux/mnt_idmapping.h>
28 #include <uapi/linux/lsm.h>
29
30 #define CREATE_TRACE_POINTS
31 #include <trace/events/capability.h>
32
33 /*
34 * If a non-root user executes a setuid-root binary in
35 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
36 * However if fE is also set, then the intent is for only
37 * the file capabilities to be applied, and the setuid-root
38 * bit is left on either to change the uid (plausible) or
39 * to get full privilege on a kernel without file capabilities
40 * support. So in that case we do not raise capabilities.
41 *
42 * Warn if that happens, once per boot.
43 */
warn_setuid_and_fcaps_mixed(const char * fname)44 static void warn_setuid_and_fcaps_mixed(const char *fname)
45 {
46 static int warned;
47 if (!warned) {
48 printk(KERN_INFO "warning: `%s' has both setuid-root and"
49 " effective capabilities. Therefore not raising all"
50 " capabilities.\n", fname);
51 warned = 1;
52 }
53 }
54
55 /**
56 * cap_capable_helper - Determine whether a task has a particular effective
57 * capability.
58 * @cred: The credentials to use
59 * @target_ns: The user namespace of the resource being accessed
60 * @cred_ns: The user namespace of the credentials
61 * @cap: The capability to check for
62 *
63 * Determine whether the nominated task has the specified capability amongst
64 * its effective set, returning 0 if it does, -ve if it does not.
65 *
66 * See cap_capable for more details.
67 */
cap_capable_helper(const struct cred * cred,struct user_namespace * target_ns,const struct user_namespace * cred_ns,int cap)68 static inline int cap_capable_helper(const struct cred *cred,
69 struct user_namespace *target_ns,
70 const struct user_namespace *cred_ns,
71 int cap)
72 {
73 struct user_namespace *ns = target_ns;
74
75 /* See if cred has the capability in the target user namespace
76 * by examining the target user namespace and all of the target
77 * user namespace's parents.
78 */
79 for (;;) {
80 /* Do we have the necessary capabilities? */
81 if (likely(ns == cred_ns))
82 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
83
84 /*
85 * If we're already at a lower level than we're looking for,
86 * we're done searching.
87 */
88 if (ns->level <= cred_ns->level)
89 return -EPERM;
90
91 /*
92 * The owner of the user namespace in the parent of the
93 * user namespace has all caps.
94 */
95 if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
96 return 0;
97
98 /*
99 * If you have a capability in a parent user ns, then you have
100 * it over all children user namespaces as well.
101 */
102 ns = ns->parent;
103 }
104
105 /* We never get here */
106 }
107
108 /**
109 * cap_capable - Determine whether a task has a particular effective capability
110 * @cred: The credentials to use
111 * @target_ns: The user namespace of the resource being accessed
112 * @cap: The capability to check for
113 * @opts: Bitmask of options defined in include/linux/security.h (unused)
114 *
115 * Determine whether the nominated task has the specified capability amongst
116 * its effective set, returning 0 if it does, -ve if it does not.
117 *
118 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
119 * and has_capability() functions. That is, it has the reverse semantics:
120 * cap_has_capability() returns 0 when a task has a capability, but the
121 * kernel's capable() and has_capability() returns 1 for this case.
122 */
cap_capable(const struct cred * cred,struct user_namespace * target_ns,int cap,unsigned int opts)123 int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
124 int cap, unsigned int opts)
125 {
126 const struct user_namespace *cred_ns = cred->user_ns;
127 int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
128
129 trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
130 return ret;
131 }
132
133 /**
134 * cap_settime - Determine whether the current process may set the system clock
135 * @ts: The time to set
136 * @tz: The timezone to set
137 *
138 * Determine whether the current process may set the system clock and timezone
139 * information, returning 0 if permission granted, -ve if denied.
140 */
cap_settime(const struct timespec64 * ts,const struct timezone * tz)141 int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
142 {
143 if (!capable(CAP_SYS_TIME))
144 return -EPERM;
145 return 0;
146 }
147
148 /**
149 * cap_ptrace_access_check - Determine whether the current process may access
150 * another
151 * @child: The process to be accessed
152 * @mode: The mode of attachment.
153 *
154 * If we are in the same or an ancestor user_ns and have all the target
155 * task's capabilities, then ptrace access is allowed.
156 * If we have the ptrace capability to the target user_ns, then ptrace
157 * access is allowed.
158 * Else denied.
159 *
160 * Determine whether a process may access another, returning 0 if permission
161 * granted, -ve if denied.
162 */
cap_ptrace_access_check(struct task_struct * child,unsigned int mode)163 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
164 {
165 int ret = 0;
166 const struct cred *cred, *child_cred;
167 const kernel_cap_t *caller_caps;
168
169 rcu_read_lock();
170 cred = current_cred();
171 child_cred = __task_cred(child);
172 if (mode & PTRACE_MODE_FSCREDS)
173 caller_caps = &cred->cap_effective;
174 else
175 caller_caps = &cred->cap_permitted;
176 if (cred->user_ns == child_cred->user_ns &&
177 cap_issubset(child_cred->cap_permitted, *caller_caps))
178 goto out;
179 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
180 goto out;
181 ret = -EPERM;
182 out:
183 rcu_read_unlock();
184 return ret;
185 }
186
187 /**
188 * cap_ptrace_traceme - Determine whether another process may trace the current
189 * @parent: The task proposed to be the tracer
190 *
191 * If parent is in the same or an ancestor user_ns and has all current's
192 * capabilities, then ptrace access is allowed.
193 * If parent has the ptrace capability to current's user_ns, then ptrace
194 * access is allowed.
195 * Else denied.
196 *
197 * Determine whether the nominated task is permitted to trace the current
198 * process, returning 0 if permission is granted, -ve if denied.
199 */
cap_ptrace_traceme(struct task_struct * parent)200 int cap_ptrace_traceme(struct task_struct *parent)
201 {
202 int ret = 0;
203 const struct cred *cred, *child_cred;
204
205 rcu_read_lock();
206 cred = __task_cred(parent);
207 child_cred = current_cred();
208 if (cred->user_ns == child_cred->user_ns &&
209 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
210 goto out;
211 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
212 goto out;
213 ret = -EPERM;
214 out:
215 rcu_read_unlock();
216 return ret;
217 }
218
219 /**
220 * cap_capget - Retrieve a task's capability sets
221 * @target: The task from which to retrieve the capability sets
222 * @effective: The place to record the effective set
223 * @inheritable: The place to record the inheritable set
224 * @permitted: The place to record the permitted set
225 *
226 * This function retrieves the capabilities of the nominated task and returns
227 * them to the caller.
228 */
cap_capget(const struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)229 int cap_capget(const struct task_struct *target, kernel_cap_t *effective,
230 kernel_cap_t *inheritable, kernel_cap_t *permitted)
231 {
232 const struct cred *cred;
233
234 /* Derived from kernel/capability.c:sys_capget. */
235 rcu_read_lock();
236 cred = __task_cred(target);
237 *effective = cred->cap_effective;
238 *inheritable = cred->cap_inheritable;
239 *permitted = cred->cap_permitted;
240 rcu_read_unlock();
241 return 0;
242 }
243
244 /*
245 * Determine whether the inheritable capabilities are limited to the old
246 * permitted set. Returns 1 if they are limited, 0 if they are not.
247 */
cap_inh_is_capped(void)248 static inline int cap_inh_is_capped(void)
249 {
250 /* they are so limited unless the current task has the CAP_SETPCAP
251 * capability
252 */
253 if (cap_capable(current_cred(), current_cred()->user_ns,
254 CAP_SETPCAP, CAP_OPT_NONE) == 0)
255 return 0;
256 return 1;
257 }
258
259 /**
260 * cap_capset - Validate and apply proposed changes to current's capabilities
261 * @new: The proposed new credentials; alterations should be made here
262 * @old: The current task's current credentials
263 * @effective: A pointer to the proposed new effective capabilities set
264 * @inheritable: A pointer to the proposed new inheritable capabilities set
265 * @permitted: A pointer to the proposed new permitted capabilities set
266 *
267 * This function validates and applies a proposed mass change to the current
268 * process's capability sets. The changes are made to the proposed new
269 * credentials, and assuming no error, will be committed by the caller of LSM.
270 */
cap_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)271 int cap_capset(struct cred *new,
272 const struct cred *old,
273 const kernel_cap_t *effective,
274 const kernel_cap_t *inheritable,
275 const kernel_cap_t *permitted)
276 {
277 if (cap_inh_is_capped() &&
278 !cap_issubset(*inheritable,
279 cap_combine(old->cap_inheritable,
280 old->cap_permitted)))
281 /* incapable of using this inheritable set */
282 return -EPERM;
283
284 if (!cap_issubset(*inheritable,
285 cap_combine(old->cap_inheritable,
286 old->cap_bset)))
287 /* no new pI capabilities outside bounding set */
288 return -EPERM;
289
290 /* verify restrictions on target's new Permitted set */
291 if (!cap_issubset(*permitted, old->cap_permitted))
292 return -EPERM;
293
294 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
295 if (!cap_issubset(*effective, *permitted))
296 return -EPERM;
297
298 new->cap_effective = *effective;
299 new->cap_inheritable = *inheritable;
300 new->cap_permitted = *permitted;
301
302 /*
303 * Mask off ambient bits that are no longer both permitted and
304 * inheritable.
305 */
306 new->cap_ambient = cap_intersect(new->cap_ambient,
307 cap_intersect(*permitted,
308 *inheritable));
309 if (WARN_ON(!cap_ambient_invariant_ok(new)))
310 return -EINVAL;
311 return 0;
312 }
313
314 /**
315 * cap_inode_need_killpriv - Determine if inode change affects privileges
316 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
317 *
318 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
319 * affects the security markings on that inode, and if it is, should
320 * inode_killpriv() be invoked or the change rejected.
321 *
322 * Return: 1 if security.capability has a value, meaning inode_killpriv()
323 * is required, 0 otherwise, meaning inode_killpriv() is not required.
324 */
cap_inode_need_killpriv(struct dentry * dentry)325 int cap_inode_need_killpriv(struct dentry *dentry)
326 {
327 struct inode *inode = d_backing_inode(dentry);
328 int error;
329
330 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
331 return error > 0;
332 }
333
334 /**
335 * cap_inode_killpriv - Erase the security markings on an inode
336 *
337 * @idmap: idmap of the mount the inode was found from
338 * @dentry: The inode/dentry to alter
339 *
340 * Erase the privilege-enhancing security markings on an inode.
341 *
342 * If the inode has been found through an idmapped mount the idmap of
343 * the vfsmount must be passed through @idmap. This function will then
344 * take care to map the inode according to @idmap before checking
345 * permissions. On non-idmapped mounts or if permission checking is to be
346 * performed on the raw inode simply pass @nop_mnt_idmap.
347 *
348 * Return: 0 if successful, -ve on error.
349 */
cap_inode_killpriv(struct mnt_idmap * idmap,struct dentry * dentry)350 int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry)
351 {
352 int error;
353
354 error = __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS);
355 if (error == -EOPNOTSUPP)
356 error = 0;
357 return error;
358 }
359
rootid_owns_currentns(vfsuid_t rootvfsuid)360 static bool rootid_owns_currentns(vfsuid_t rootvfsuid)
361 {
362 struct user_namespace *ns;
363 kuid_t kroot;
364
365 if (!vfsuid_valid(rootvfsuid))
366 return false;
367
368 kroot = vfsuid_into_kuid(rootvfsuid);
369 for (ns = current_user_ns();; ns = ns->parent) {
370 if (from_kuid(ns, kroot) == 0)
371 return true;
372 if (ns == &init_user_ns)
373 break;
374 }
375
376 return false;
377 }
378
sansflags(__u32 m)379 static __u32 sansflags(__u32 m)
380 {
381 return m & ~VFS_CAP_FLAGS_EFFECTIVE;
382 }
383
is_v2header(int size,const struct vfs_cap_data * cap)384 static bool is_v2header(int size, const struct vfs_cap_data *cap)
385 {
386 if (size != XATTR_CAPS_SZ_2)
387 return false;
388 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
389 }
390
is_v3header(int size,const struct vfs_cap_data * cap)391 static bool is_v3header(int size, const struct vfs_cap_data *cap)
392 {
393 if (size != XATTR_CAPS_SZ_3)
394 return false;
395 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
396 }
397
398 /*
399 * getsecurity: We are called for security.* before any attempt to read the
400 * xattr from the inode itself.
401 *
402 * This gives us a chance to read the on-disk value and convert it. If we
403 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
404 *
405 * Note we are not called by vfs_getxattr_alloc(), but that is only called
406 * by the integrity subsystem, which really wants the unconverted values -
407 * so that's good.
408 */
cap_inode_getsecurity(struct mnt_idmap * idmap,struct inode * inode,const char * name,void ** buffer,bool alloc)409 int cap_inode_getsecurity(struct mnt_idmap *idmap,
410 struct inode *inode, const char *name, void **buffer,
411 bool alloc)
412 {
413 int size;
414 kuid_t kroot;
415 vfsuid_t vfsroot;
416 u32 nsmagic, magic;
417 uid_t root, mappedroot;
418 char *tmpbuf = NULL;
419 struct vfs_cap_data *cap;
420 struct vfs_ns_cap_data *nscap = NULL;
421 struct dentry *dentry;
422 struct user_namespace *fs_ns;
423
424 if (strcmp(name, "capability") != 0)
425 return -EOPNOTSUPP;
426
427 dentry = d_find_any_alias(inode);
428 if (!dentry)
429 return -EINVAL;
430 size = vfs_getxattr_alloc(idmap, dentry, XATTR_NAME_CAPS, &tmpbuf,
431 sizeof(struct vfs_ns_cap_data), GFP_NOFS);
432 dput(dentry);
433 /* gcc11 complains if we don't check for !tmpbuf */
434 if (size < 0 || !tmpbuf)
435 goto out_free;
436
437 fs_ns = inode->i_sb->s_user_ns;
438 cap = (struct vfs_cap_data *) tmpbuf;
439 if (is_v2header(size, cap)) {
440 root = 0;
441 } else if (is_v3header(size, cap)) {
442 nscap = (struct vfs_ns_cap_data *) tmpbuf;
443 root = le32_to_cpu(nscap->rootid);
444 } else {
445 size = -EINVAL;
446 goto out_free;
447 }
448
449 kroot = make_kuid(fs_ns, root);
450
451 /* If this is an idmapped mount shift the kuid. */
452 vfsroot = make_vfsuid(idmap, fs_ns, kroot);
453
454 /* If the root kuid maps to a valid uid in current ns, then return
455 * this as a nscap. */
456 mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot));
457 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
458 size = sizeof(struct vfs_ns_cap_data);
459 if (alloc) {
460 if (!nscap) {
461 /* v2 -> v3 conversion */
462 nscap = kzalloc(size, GFP_ATOMIC);
463 if (!nscap) {
464 size = -ENOMEM;
465 goto out_free;
466 }
467 nsmagic = VFS_CAP_REVISION_3;
468 magic = le32_to_cpu(cap->magic_etc);
469 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
470 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
471 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
472 nscap->magic_etc = cpu_to_le32(nsmagic);
473 } else {
474 /* use allocated v3 buffer */
475 tmpbuf = NULL;
476 }
477 nscap->rootid = cpu_to_le32(mappedroot);
478 *buffer = nscap;
479 }
480 goto out_free;
481 }
482
483 if (!rootid_owns_currentns(vfsroot)) {
484 size = -EOVERFLOW;
485 goto out_free;
486 }
487
488 /* This comes from a parent namespace. Return as a v2 capability */
489 size = sizeof(struct vfs_cap_data);
490 if (alloc) {
491 if (nscap) {
492 /* v3 -> v2 conversion */
493 cap = kzalloc(size, GFP_ATOMIC);
494 if (!cap) {
495 size = -ENOMEM;
496 goto out_free;
497 }
498 magic = VFS_CAP_REVISION_2;
499 nsmagic = le32_to_cpu(nscap->magic_etc);
500 if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
501 magic |= VFS_CAP_FLAGS_EFFECTIVE;
502 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
503 cap->magic_etc = cpu_to_le32(magic);
504 } else {
505 /* use unconverted v2 */
506 tmpbuf = NULL;
507 }
508 *buffer = cap;
509 }
510 out_free:
511 kfree(tmpbuf);
512 return size;
513 }
514
515 /**
516 * rootid_from_xattr - translate root uid of vfs caps
517 *
518 * @value: vfs caps value which may be modified by this function
519 * @size: size of @ivalue
520 * @task_ns: user namespace of the caller
521 */
rootid_from_xattr(const void * value,size_t size,struct user_namespace * task_ns)522 static vfsuid_t rootid_from_xattr(const void *value, size_t size,
523 struct user_namespace *task_ns)
524 {
525 const struct vfs_ns_cap_data *nscap = value;
526 uid_t rootid = 0;
527
528 if (size == XATTR_CAPS_SZ_3)
529 rootid = le32_to_cpu(nscap->rootid);
530
531 return VFSUIDT_INIT(make_kuid(task_ns, rootid));
532 }
533
validheader(size_t size,const struct vfs_cap_data * cap)534 static bool validheader(size_t size, const struct vfs_cap_data *cap)
535 {
536 return is_v2header(size, cap) || is_v3header(size, cap);
537 }
538
539 /**
540 * cap_convert_nscap - check vfs caps
541 *
542 * @idmap: idmap of the mount the inode was found from
543 * @dentry: used to retrieve inode to check permissions on
544 * @ivalue: vfs caps value which may be modified by this function
545 * @size: size of @ivalue
546 *
547 * User requested a write of security.capability. If needed, update the
548 * xattr to change from v2 to v3, or to fixup the v3 rootid.
549 *
550 * If the inode has been found through an idmapped mount the idmap of
551 * the vfsmount must be passed through @idmap. This function will then
552 * take care to map the inode according to @idmap before checking
553 * permissions. On non-idmapped mounts or if permission checking is to be
554 * performed on the raw inode simply pass @nop_mnt_idmap.
555 *
556 * Return: On success, return the new size; on error, return < 0.
557 */
cap_convert_nscap(struct mnt_idmap * idmap,struct dentry * dentry,const void ** ivalue,size_t size)558 int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry,
559 const void **ivalue, size_t size)
560 {
561 struct vfs_ns_cap_data *nscap;
562 uid_t nsrootid;
563 const struct vfs_cap_data *cap = *ivalue;
564 __u32 magic, nsmagic;
565 struct inode *inode = d_backing_inode(dentry);
566 struct user_namespace *task_ns = current_user_ns(),
567 *fs_ns = inode->i_sb->s_user_ns;
568 kuid_t rootid;
569 vfsuid_t vfsrootid;
570 size_t newsize;
571
572 if (!*ivalue)
573 return -EINVAL;
574 if (!validheader(size, cap))
575 return -EINVAL;
576 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
577 return -EPERM;
578 if (size == XATTR_CAPS_SZ_2 && (idmap == &nop_mnt_idmap))
579 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
580 /* user is privileged, just write the v2 */
581 return size;
582
583 vfsrootid = rootid_from_xattr(*ivalue, size, task_ns);
584 if (!vfsuid_valid(vfsrootid))
585 return -EINVAL;
586
587 rootid = from_vfsuid(idmap, fs_ns, vfsrootid);
588 if (!uid_valid(rootid))
589 return -EINVAL;
590
591 nsrootid = from_kuid(fs_ns, rootid);
592 if (nsrootid == -1)
593 return -EINVAL;
594
595 newsize = sizeof(struct vfs_ns_cap_data);
596 nscap = kmalloc(newsize, GFP_ATOMIC);
597 if (!nscap)
598 return -ENOMEM;
599 nscap->rootid = cpu_to_le32(nsrootid);
600 nsmagic = VFS_CAP_REVISION_3;
601 magic = le32_to_cpu(cap->magic_etc);
602 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
603 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
604 nscap->magic_etc = cpu_to_le32(nsmagic);
605 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
606
607 *ivalue = nscap;
608 return newsize;
609 }
610
611 /*
612 * Calculate the new process capability sets from the capability sets attached
613 * to a file.
614 */
bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data * caps,struct linux_binprm * bprm,bool * effective,bool * has_fcap)615 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
616 struct linux_binprm *bprm,
617 bool *effective,
618 bool *has_fcap)
619 {
620 struct cred *new = bprm->cred;
621 int ret = 0;
622
623 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
624 *effective = true;
625
626 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
627 *has_fcap = true;
628
629 /*
630 * pP' = (X & fP) | (pI & fI)
631 * The addition of pA' is handled later.
632 */
633 new->cap_permitted.val =
634 (new->cap_bset.val & caps->permitted.val) |
635 (new->cap_inheritable.val & caps->inheritable.val);
636
637 if (caps->permitted.val & ~new->cap_permitted.val)
638 /* insufficient to execute correctly */
639 ret = -EPERM;
640
641 /*
642 * For legacy apps, with no internal support for recognizing they
643 * do not have enough capabilities, we return an error if they are
644 * missing some "forced" (aka file-permitted) capabilities.
645 */
646 return *effective ? ret : 0;
647 }
648
649 /**
650 * get_vfs_caps_from_disk - retrieve vfs caps from disk
651 *
652 * @idmap: idmap of the mount the inode was found from
653 * @dentry: dentry from which @inode is retrieved
654 * @cpu_caps: vfs capabilities
655 *
656 * Extract the on-exec-apply capability sets for an executable file.
657 *
658 * If the inode has been found through an idmapped mount the idmap of
659 * the vfsmount must be passed through @idmap. This function will then
660 * take care to map the inode according to @idmap before checking
661 * permissions. On non-idmapped mounts or if permission checking is to be
662 * performed on the raw inode simply pass @nop_mnt_idmap.
663 */
get_vfs_caps_from_disk(struct mnt_idmap * idmap,const struct dentry * dentry,struct cpu_vfs_cap_data * cpu_caps)664 int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
665 const struct dentry *dentry,
666 struct cpu_vfs_cap_data *cpu_caps)
667 {
668 struct inode *inode = d_backing_inode(dentry);
669 __u32 magic_etc;
670 int size;
671 struct vfs_ns_cap_data data, *nscaps = &data;
672 struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
673 kuid_t rootkuid;
674 vfsuid_t rootvfsuid;
675 struct user_namespace *fs_ns;
676
677 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
678
679 if (!inode)
680 return -ENODATA;
681
682 fs_ns = inode->i_sb->s_user_ns;
683 size = __vfs_getxattr((struct dentry *)dentry, inode,
684 XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
685 if (size == -ENODATA || size == -EOPNOTSUPP)
686 /* no data, that's ok */
687 return -ENODATA;
688
689 if (size < 0)
690 return size;
691
692 if (size < sizeof(magic_etc))
693 return -EINVAL;
694
695 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);
696
697 rootkuid = make_kuid(fs_ns, 0);
698 switch (magic_etc & VFS_CAP_REVISION_MASK) {
699 case VFS_CAP_REVISION_1:
700 if (size != XATTR_CAPS_SZ_1)
701 return -EINVAL;
702 break;
703 case VFS_CAP_REVISION_2:
704 if (size != XATTR_CAPS_SZ_2)
705 return -EINVAL;
706 break;
707 case VFS_CAP_REVISION_3:
708 if (size != XATTR_CAPS_SZ_3)
709 return -EINVAL;
710 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
711 break;
712
713 default:
714 return -EINVAL;
715 }
716
717 rootvfsuid = make_vfsuid(idmap, fs_ns, rootkuid);
718 if (!vfsuid_valid(rootvfsuid))
719 return -ENODATA;
720
721 /* Limit the caps to the mounter of the filesystem
722 * or the more limited uid specified in the xattr.
723 */
724 if (!rootid_owns_currentns(rootvfsuid))
725 return -ENODATA;
726
727 cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted);
728 cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable);
729
730 /*
731 * Rev1 had just a single 32-bit word, later expanded
732 * to a second one for the high bits
733 */
734 if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) {
735 cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32;
736 cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32;
737 }
738
739 cpu_caps->permitted.val &= CAP_VALID_MASK;
740 cpu_caps->inheritable.val &= CAP_VALID_MASK;
741
742 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid);
743
744 return 0;
745 }
746
747 /*
748 * Attempt to get the on-exec apply capability sets for an executable file from
749 * its xattrs and, if present, apply them to the proposed credentials being
750 * constructed by execve().
751 */
get_file_caps(struct linux_binprm * bprm,const struct file * file,bool * effective,bool * has_fcap)752 static int get_file_caps(struct linux_binprm *bprm, const struct file *file,
753 bool *effective, bool *has_fcap)
754 {
755 int rc = 0;
756 struct cpu_vfs_cap_data vcaps;
757
758 cap_clear(bprm->cred->cap_permitted);
759
760 if (!file_caps_enabled)
761 return 0;
762
763 if (!mnt_may_suid(file->f_path.mnt))
764 return 0;
765
766 /*
767 * This check is redundant with mnt_may_suid() but is kept to make
768 * explicit that capability bits are limited to s_user_ns and its
769 * descendants.
770 */
771 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
772 return 0;
773
774 rc = get_vfs_caps_from_disk(file_mnt_idmap(file),
775 file->f_path.dentry, &vcaps);
776 if (rc < 0) {
777 if (rc == -EINVAL)
778 printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
779 bprm->filename);
780 else if (rc == -ENODATA)
781 rc = 0;
782 goto out;
783 }
784
785 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
786
787 out:
788 if (rc)
789 cap_clear(bprm->cred->cap_permitted);
790
791 return rc;
792 }
793
root_privileged(void)794 static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
795
__is_real(kuid_t uid,struct cred * cred)796 static inline bool __is_real(kuid_t uid, struct cred *cred)
797 { return uid_eq(cred->uid, uid); }
798
__is_eff(kuid_t uid,struct cred * cred)799 static inline bool __is_eff(kuid_t uid, struct cred *cred)
800 { return uid_eq(cred->euid, uid); }
801
__is_suid(kuid_t uid,struct cred * cred)802 static inline bool __is_suid(kuid_t uid, struct cred *cred)
803 { return !__is_real(uid, cred) && __is_eff(uid, cred); }
804
805 /*
806 * handle_privileged_root - Handle case of privileged root
807 * @bprm: The execution parameters, including the proposed creds
808 * @has_fcap: Are any file capabilities set?
809 * @effective: Do we have effective root privilege?
810 * @root_uid: This namespace' root UID WRT initial USER namespace
811 *
812 * Handle the case where root is privileged and hasn't been neutered by
813 * SECURE_NOROOT. If file capabilities are set, they won't be combined with
814 * set UID root and nothing is changed. If we are root, cap_permitted is
815 * updated. If we have become set UID root, the effective bit is set.
816 */
handle_privileged_root(struct linux_binprm * bprm,bool has_fcap,bool * effective,kuid_t root_uid)817 static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
818 bool *effective, kuid_t root_uid)
819 {
820 const struct cred *old = current_cred();
821 struct cred *new = bprm->cred;
822
823 if (!root_privileged())
824 return;
825 /*
826 * If the legacy file capability is set, then don't set privs
827 * for a setuid root binary run by a non-root user. Do set it
828 * for a root user just to cause least surprise to an admin.
829 */
830 if (has_fcap && __is_suid(root_uid, new)) {
831 warn_setuid_and_fcaps_mixed(bprm->filename);
832 return;
833 }
834 /*
835 * To support inheritance of root-permissions and suid-root
836 * executables under compatibility mode, we override the
837 * capability sets for the file.
838 */
839 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
840 /* pP' = (cap_bset & ~0) | (pI & ~0) */
841 new->cap_permitted = cap_combine(old->cap_bset,
842 old->cap_inheritable);
843 }
844 /*
845 * If only the real uid is 0, we do not set the effective bit.
846 */
847 if (__is_eff(root_uid, new))
848 *effective = true;
849 }
850
851 #define __cap_gained(field, target, source) \
852 !cap_issubset(target->cap_##field, source->cap_##field)
853 #define __cap_grew(target, source, cred) \
854 !cap_issubset(cred->cap_##target, cred->cap_##source)
855 #define __cap_full(field, cred) \
856 cap_issubset(CAP_FULL_SET, cred->cap_##field)
857
__is_setuid(struct cred * new,const struct cred * old)858 static inline bool __is_setuid(struct cred *new, const struct cred *old)
859 { return !uid_eq(new->euid, old->uid); }
860
__is_setgid(struct cred * new,const struct cred * old)861 static inline bool __is_setgid(struct cred *new, const struct cred *old)
862 { return !gid_eq(new->egid, old->gid); }
863
864 /*
865 * 1) Audit candidate if current->cap_effective is set
866 *
867 * We do not bother to audit if 3 things are true:
868 * 1) cap_effective has all caps
869 * 2) we became root *OR* are were already root
870 * 3) root is supposed to have all caps (SECURE_NOROOT)
871 * Since this is just a normal root execing a process.
872 *
873 * Number 1 above might fail if you don't have a full bset, but I think
874 * that is interesting information to audit.
875 *
876 * A number of other conditions require logging:
877 * 2) something prevented setuid root getting all caps
878 * 3) non-setuid root gets fcaps
879 * 4) non-setuid root gets ambient
880 */
nonroot_raised_pE(struct cred * new,const struct cred * old,kuid_t root,bool has_fcap)881 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
882 kuid_t root, bool has_fcap)
883 {
884 bool ret = false;
885
886 if ((__cap_grew(effective, ambient, new) &&
887 !(__cap_full(effective, new) &&
888 (__is_eff(root, new) || __is_real(root, new)) &&
889 root_privileged())) ||
890 (root_privileged() &&
891 __is_suid(root, new) &&
892 !__cap_full(effective, new)) ||
893 (!__is_setuid(new, old) &&
894 ((has_fcap &&
895 __cap_gained(permitted, new, old)) ||
896 __cap_gained(ambient, new, old))))
897
898 ret = true;
899
900 return ret;
901 }
902
903 /**
904 * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
905 * @bprm: The execution parameters, including the proposed creds
906 * @file: The file to pull the credentials from
907 *
908 * Set up the proposed credentials for a new execution context being
909 * constructed by execve(). The proposed creds in @bprm->cred is altered,
910 * which won't take effect immediately.
911 *
912 * Return: 0 if successful, -ve on error.
913 */
cap_bprm_creds_from_file(struct linux_binprm * bprm,const struct file * file)914 int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
915 {
916 /* Process setpcap binaries and capabilities for uid 0 */
917 const struct cred *old = current_cred();
918 struct cred *new = bprm->cred;
919 bool effective = false, has_fcap = false, is_setid;
920 int ret;
921 kuid_t root_uid;
922
923 if (WARN_ON(!cap_ambient_invariant_ok(old)))
924 return -EPERM;
925
926 ret = get_file_caps(bprm, file, &effective, &has_fcap);
927 if (ret < 0)
928 return ret;
929
930 root_uid = make_kuid(new->user_ns, 0);
931
932 handle_privileged_root(bprm, has_fcap, &effective, root_uid);
933
934 /* if we have fs caps, clear dangerous personality flags */
935 if (__cap_gained(permitted, new, old))
936 bprm->per_clear |= PER_CLEAR_ON_SETID;
937
938 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
939 * credentials unless they have the appropriate permit.
940 *
941 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
942 */
943 is_setid = __is_setuid(new, old) || __is_setgid(new, old);
944
945 if ((is_setid || __cap_gained(permitted, new, old)) &&
946 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
947 !ptracer_capable(current, new->user_ns))) {
948 /* downgrade; they get no more than they had, and maybe less */
949 if (!ns_capable(new->user_ns, CAP_SETUID) ||
950 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
951 new->euid = new->uid;
952 new->egid = new->gid;
953 }
954 new->cap_permitted = cap_intersect(new->cap_permitted,
955 old->cap_permitted);
956 }
957
958 new->suid = new->fsuid = new->euid;
959 new->sgid = new->fsgid = new->egid;
960
961 /* File caps or setid cancels ambient. */
962 if (has_fcap || is_setid)
963 cap_clear(new->cap_ambient);
964
965 /*
966 * Now that we've computed pA', update pP' to give:
967 * pP' = (X & fP) | (pI & fI) | pA'
968 */
969 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
970
971 /*
972 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
973 * this is the same as pE' = (fE ? pP' : 0) | pA'.
974 */
975 if (effective)
976 new->cap_effective = new->cap_permitted;
977 else
978 new->cap_effective = new->cap_ambient;
979
980 if (WARN_ON(!cap_ambient_invariant_ok(new)))
981 return -EPERM;
982
983 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
984 ret = audit_log_bprm_fcaps(bprm, new, old);
985 if (ret < 0)
986 return ret;
987 }
988
989 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
990
991 if (WARN_ON(!cap_ambient_invariant_ok(new)))
992 return -EPERM;
993
994 /* Check for privilege-elevated exec. */
995 if (is_setid ||
996 (!__is_real(root_uid, new) &&
997 (effective ||
998 __cap_grew(permitted, ambient, new))))
999 bprm->secureexec = 1;
1000
1001 return 0;
1002 }
1003
1004 /**
1005 * cap_inode_setxattr - Determine whether an xattr may be altered
1006 * @dentry: The inode/dentry being altered
1007 * @name: The name of the xattr to be changed
1008 * @value: The value that the xattr will be changed to
1009 * @size: The size of value
1010 * @flags: The replacement flag
1011 *
1012 * Determine whether an xattr may be altered or set on an inode, returning 0 if
1013 * permission is granted, -ve if denied.
1014 *
1015 * This is used to make sure security xattrs don't get updated or set by those
1016 * who aren't privileged to do so.
1017 */
cap_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)1018 int cap_inode_setxattr(struct dentry *dentry, const char *name,
1019 const void *value, size_t size, int flags)
1020 {
1021 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
1022
1023 /* Ignore non-security xattrs */
1024 if (strncmp(name, XATTR_SECURITY_PREFIX,
1025 XATTR_SECURITY_PREFIX_LEN) != 0)
1026 return 0;
1027
1028 /*
1029 * For XATTR_NAME_CAPS the check will be done in
1030 * cap_convert_nscap(), called by setxattr()
1031 */
1032 if (strcmp(name, XATTR_NAME_CAPS) == 0)
1033 return 0;
1034
1035 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1036 return -EPERM;
1037 return 0;
1038 }
1039
1040 /**
1041 * cap_inode_removexattr - Determine whether an xattr may be removed
1042 *
1043 * @idmap: idmap of the mount the inode was found from
1044 * @dentry: The inode/dentry being altered
1045 * @name: The name of the xattr to be changed
1046 *
1047 * Determine whether an xattr may be removed from an inode, returning 0 if
1048 * permission is granted, -ve if denied.
1049 *
1050 * If the inode has been found through an idmapped mount the idmap of
1051 * the vfsmount must be passed through @idmap. This function will then
1052 * take care to map the inode according to @idmap before checking
1053 * permissions. On non-idmapped mounts or if permission checking is to be
1054 * performed on the raw inode simply pass @nop_mnt_idmap.
1055 *
1056 * This is used to make sure security xattrs don't get removed by those who
1057 * aren't privileged to remove them.
1058 */
cap_inode_removexattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name)1059 int cap_inode_removexattr(struct mnt_idmap *idmap,
1060 struct dentry *dentry, const char *name)
1061 {
1062 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
1063
1064 /* Ignore non-security xattrs */
1065 if (strncmp(name, XATTR_SECURITY_PREFIX,
1066 XATTR_SECURITY_PREFIX_LEN) != 0)
1067 return 0;
1068
1069 if (strcmp(name, XATTR_NAME_CAPS) == 0) {
1070 /* security.capability gets namespaced */
1071 struct inode *inode = d_backing_inode(dentry);
1072 if (!inode)
1073 return -EINVAL;
1074 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
1075 return -EPERM;
1076 return 0;
1077 }
1078
1079 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1080 return -EPERM;
1081 return 0;
1082 }
1083
1084 /*
1085 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
1086 * a process after a call to setuid, setreuid, or setresuid.
1087 *
1088 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
1089 * {r,e,s}uid != 0, the permitted and effective capabilities are
1090 * cleared.
1091 *
1092 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
1093 * capabilities of the process are cleared.
1094 *
1095 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
1096 * capabilities are set to the permitted capabilities.
1097 *
1098 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
1099 * never happen.
1100 *
1101 * -astor
1102 *
1103 * cevans - New behaviour, Oct '99
1104 * A process may, via prctl(), elect to keep its capabilities when it
1105 * calls setuid() and switches away from uid==0. Both permitted and
1106 * effective sets will be retained.
1107 * Without this change, it was impossible for a daemon to drop only some
1108 * of its privilege. The call to setuid(!=0) would drop all privileges!
1109 * Keeping uid 0 is not an option because uid 0 owns too many vital
1110 * files..
1111 * Thanks to Olaf Kirch and Peter Benie for spotting this.
1112 */
cap_emulate_setxuid(struct cred * new,const struct cred * old)1113 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
1114 {
1115 kuid_t root_uid = make_kuid(old->user_ns, 0);
1116
1117 if ((uid_eq(old->uid, root_uid) ||
1118 uid_eq(old->euid, root_uid) ||
1119 uid_eq(old->suid, root_uid)) &&
1120 (!uid_eq(new->uid, root_uid) &&
1121 !uid_eq(new->euid, root_uid) &&
1122 !uid_eq(new->suid, root_uid))) {
1123 if (!issecure(SECURE_KEEP_CAPS)) {
1124 cap_clear(new->cap_permitted);
1125 cap_clear(new->cap_effective);
1126 }
1127
1128 /*
1129 * Pre-ambient programs expect setresuid to nonroot followed
1130 * by exec to drop capabilities. We should make sure that
1131 * this remains the case.
1132 */
1133 cap_clear(new->cap_ambient);
1134 }
1135 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
1136 cap_clear(new->cap_effective);
1137 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
1138 new->cap_effective = new->cap_permitted;
1139 }
1140
1141 /**
1142 * cap_task_fix_setuid - Fix up the results of setuid() call
1143 * @new: The proposed credentials
1144 * @old: The current task's current credentials
1145 * @flags: Indications of what has changed
1146 *
1147 * Fix up the results of setuid() call before the credential changes are
1148 * actually applied.
1149 *
1150 * Return: 0 to grant the changes, -ve to deny them.
1151 */
cap_task_fix_setuid(struct cred * new,const struct cred * old,int flags)1152 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
1153 {
1154 switch (flags) {
1155 case LSM_SETID_RE:
1156 case LSM_SETID_ID:
1157 case LSM_SETID_RES:
1158 /* juggle the capabilities to follow [RES]UID changes unless
1159 * otherwise suppressed */
1160 if (!issecure(SECURE_NO_SETUID_FIXUP))
1161 cap_emulate_setxuid(new, old);
1162 break;
1163
1164 case LSM_SETID_FS:
1165 /* juggle the capabilities to follow FSUID changes, unless
1166 * otherwise suppressed
1167 *
1168 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
1169 * if not, we might be a bit too harsh here.
1170 */
1171 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
1172 kuid_t root_uid = make_kuid(old->user_ns, 0);
1173 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
1174 new->cap_effective =
1175 cap_drop_fs_set(new->cap_effective);
1176
1177 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
1178 new->cap_effective =
1179 cap_raise_fs_set(new->cap_effective,
1180 new->cap_permitted);
1181 }
1182 break;
1183
1184 default:
1185 return -EINVAL;
1186 }
1187
1188 return 0;
1189 }
1190
1191 /*
1192 * Rationale: code calling task_setscheduler, task_setioprio, and
1193 * task_setnice, assumes that
1194 * . if capable(cap_sys_nice), then those actions should be allowed
1195 * . if not capable(cap_sys_nice), but acting on your own processes,
1196 * then those actions should be allowed
1197 * This is insufficient now since you can call code without suid, but
1198 * yet with increased caps.
1199 * So we check for increased caps on the target process.
1200 */
cap_safe_nice(struct task_struct * p)1201 static int cap_safe_nice(struct task_struct *p)
1202 {
1203 int is_subset, ret = 0;
1204
1205 rcu_read_lock();
1206 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
1207 current_cred()->cap_permitted);
1208 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
1209 ret = -EPERM;
1210 rcu_read_unlock();
1211
1212 return ret;
1213 }
1214
1215 /**
1216 * cap_task_setscheduler - Determine if scheduler policy change is permitted
1217 * @p: The task to affect
1218 *
1219 * Determine if the requested scheduler policy change is permitted for the
1220 * specified task.
1221 *
1222 * Return: 0 if permission is granted, -ve if denied.
1223 */
cap_task_setscheduler(struct task_struct * p)1224 int cap_task_setscheduler(struct task_struct *p)
1225 {
1226 return cap_safe_nice(p);
1227 }
1228
1229 /**
1230 * cap_task_setioprio - Determine if I/O priority change is permitted
1231 * @p: The task to affect
1232 * @ioprio: The I/O priority to set
1233 *
1234 * Determine if the requested I/O priority change is permitted for the specified
1235 * task.
1236 *
1237 * Return: 0 if permission is granted, -ve if denied.
1238 */
cap_task_setioprio(struct task_struct * p,int ioprio)1239 int cap_task_setioprio(struct task_struct *p, int ioprio)
1240 {
1241 return cap_safe_nice(p);
1242 }
1243
1244 /**
1245 * cap_task_setnice - Determine if task priority change is permitted
1246 * @p: The task to affect
1247 * @nice: The nice value to set
1248 *
1249 * Determine if the requested task priority change is permitted for the
1250 * specified task.
1251 *
1252 * Return: 0 if permission is granted, -ve if denied.
1253 */
cap_task_setnice(struct task_struct * p,int nice)1254 int cap_task_setnice(struct task_struct *p, int nice)
1255 {
1256 return cap_safe_nice(p);
1257 }
1258
1259 /*
1260 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
1261 * the current task's bounding set. Returns 0 on success, -ve on error.
1262 */
cap_prctl_drop(unsigned long cap)1263 static int cap_prctl_drop(unsigned long cap)
1264 {
1265 struct cred *new;
1266
1267 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
1268 return -EPERM;
1269 if (!cap_valid(cap))
1270 return -EINVAL;
1271
1272 new = prepare_creds();
1273 if (!new)
1274 return -ENOMEM;
1275 cap_lower(new->cap_bset, cap);
1276 return commit_creds(new);
1277 }
1278
1279 /**
1280 * cap_task_prctl - Implement process control functions for this security module
1281 * @option: The process control function requested
1282 * @arg2: The argument data for this function
1283 * @arg3: The argument data for this function
1284 * @arg4: The argument data for this function
1285 * @arg5: The argument data for this function
1286 *
1287 * Allow process control functions (sys_prctl()) to alter capabilities; may
1288 * also deny access to other functions not otherwise implemented here.
1289 *
1290 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
1291 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
1292 * modules will consider performing the function.
1293 */
cap_task_prctl(int option,unsigned long arg2,unsigned long arg3,unsigned long arg4,unsigned long arg5)1294 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
1295 unsigned long arg4, unsigned long arg5)
1296 {
1297 const struct cred *old = current_cred();
1298 struct cred *new;
1299
1300 switch (option) {
1301 case PR_CAPBSET_READ:
1302 if (!cap_valid(arg2))
1303 return -EINVAL;
1304 return !!cap_raised(old->cap_bset, arg2);
1305
1306 case PR_CAPBSET_DROP:
1307 return cap_prctl_drop(arg2);
1308
1309 /*
1310 * The next four prctl's remain to assist with transitioning a
1311 * system from legacy UID=0 based privilege (when filesystem
1312 * capabilities are not in use) to a system using filesystem
1313 * capabilities only - as the POSIX.1e draft intended.
1314 *
1315 * Note:
1316 *
1317 * PR_SET_SECUREBITS =
1318 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
1319 * | issecure_mask(SECURE_NOROOT)
1320 * | issecure_mask(SECURE_NOROOT_LOCKED)
1321 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
1322 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
1323 *
1324 * will ensure that the current process and all of its
1325 * children will be locked into a pure
1326 * capability-based-privilege environment.
1327 */
1328 case PR_SET_SECUREBITS:
1329 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
1330 & (old->securebits ^ arg2)) /*[1]*/
1331 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
1332 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
1333 /*
1334 * [1] no changing of bits that are locked
1335 * [2] no unlocking of locks
1336 * [3] no setting of unsupported bits
1337 */
1338 )
1339 /* cannot change a locked bit */
1340 return -EPERM;
1341
1342 /*
1343 * Doing anything requires privilege (go read about the
1344 * "sendmail capabilities bug"), except for unprivileged bits.
1345 * Indeed, the SECURE_ALL_UNPRIVILEGED bits are not
1346 * restrictions enforced by the kernel but by user space on
1347 * itself.
1348 */
1349 if (cap_capable(current_cred(), current_cred()->user_ns,
1350 CAP_SETPCAP, CAP_OPT_NONE) != 0) {
1351 const unsigned long unpriv_and_locks =
1352 SECURE_ALL_UNPRIVILEGED |
1353 SECURE_ALL_UNPRIVILEGED << 1;
1354 const unsigned long changed = old->securebits ^ arg2;
1355
1356 /* For legacy reason, denies non-change. */
1357 if (!changed)
1358 return -EPERM;
1359
1360 /* Denies privileged changes. */
1361 if (changed & ~unpriv_and_locks)
1362 return -EPERM;
1363 }
1364
1365 new = prepare_creds();
1366 if (!new)
1367 return -ENOMEM;
1368 new->securebits = arg2;
1369 return commit_creds(new);
1370
1371 case PR_GET_SECUREBITS:
1372 return old->securebits;
1373
1374 case PR_GET_KEEPCAPS:
1375 return !!issecure(SECURE_KEEP_CAPS);
1376
1377 case PR_SET_KEEPCAPS:
1378 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
1379 return -EINVAL;
1380 if (issecure(SECURE_KEEP_CAPS_LOCKED))
1381 return -EPERM;
1382
1383 new = prepare_creds();
1384 if (!new)
1385 return -ENOMEM;
1386 if (arg2)
1387 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
1388 else
1389 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
1390 return commit_creds(new);
1391
1392 case PR_CAP_AMBIENT:
1393 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
1394 if (arg3 | arg4 | arg5)
1395 return -EINVAL;
1396
1397 new = prepare_creds();
1398 if (!new)
1399 return -ENOMEM;
1400 cap_clear(new->cap_ambient);
1401 return commit_creds(new);
1402 }
1403
1404 if (((!cap_valid(arg3)) | arg4 | arg5))
1405 return -EINVAL;
1406
1407 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
1408 return !!cap_raised(current_cred()->cap_ambient, arg3);
1409 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
1410 arg2 != PR_CAP_AMBIENT_LOWER) {
1411 return -EINVAL;
1412 } else {
1413 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1414 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1415 !cap_raised(current_cred()->cap_inheritable,
1416 arg3) ||
1417 issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
1418 return -EPERM;
1419
1420 new = prepare_creds();
1421 if (!new)
1422 return -ENOMEM;
1423 if (arg2 == PR_CAP_AMBIENT_RAISE)
1424 cap_raise(new->cap_ambient, arg3);
1425 else
1426 cap_lower(new->cap_ambient, arg3);
1427 return commit_creds(new);
1428 }
1429
1430 default:
1431 /* No functionality available - continue with default */
1432 return -ENOSYS;
1433 }
1434 }
1435
1436 /**
1437 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1438 * @mm: The VM space in which the new mapping is to be made
1439 * @pages: The size of the mapping
1440 *
1441 * Determine whether the allocation of a new virtual mapping by the current
1442 * task is permitted.
1443 *
1444 * Return: 0 if permission granted, negative error code if not.
1445 */
cap_vm_enough_memory(struct mm_struct * mm,long pages)1446 int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1447 {
1448 return cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1449 CAP_OPT_NOAUDIT);
1450 }
1451
1452 /**
1453 * cap_mmap_addr - check if able to map given addr
1454 * @addr: address attempting to be mapped
1455 *
1456 * If the process is attempting to map memory below dac_mmap_min_addr they need
1457 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
1458 * capability security module.
1459 *
1460 * Return: 0 if this mapping should be allowed or -EPERM if not.
1461 */
cap_mmap_addr(unsigned long addr)1462 int cap_mmap_addr(unsigned long addr)
1463 {
1464 int ret = 0;
1465
1466 if (addr < dac_mmap_min_addr) {
1467 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
1468 CAP_OPT_NONE);
1469 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1470 if (ret == 0)
1471 current->flags |= PF_SUPERPRIV;
1472 }
1473 return ret;
1474 }
1475
1476 #ifdef CONFIG_SECURITY
1477
1478 static const struct lsm_id capability_lsmid = {
1479 .name = "capability",
1480 .id = LSM_ID_CAPABILITY,
1481 };
1482
1483 static struct security_hook_list capability_hooks[] __ro_after_init = {
1484 LSM_HOOK_INIT(capable, cap_capable),
1485 LSM_HOOK_INIT(settime, cap_settime),
1486 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
1487 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
1488 LSM_HOOK_INIT(capget, cap_capget),
1489 LSM_HOOK_INIT(capset, cap_capset),
1490 LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file),
1491 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
1492 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
1493 LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
1494 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
1495 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
1496 LSM_HOOK_INIT(task_prctl, cap_task_prctl),
1497 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
1498 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
1499 LSM_HOOK_INIT(task_setnice, cap_task_setnice),
1500 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
1501 };
1502
capability_init(void)1503 static int __init capability_init(void)
1504 {
1505 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
1506 &capability_lsmid);
1507 return 0;
1508 }
1509
1510 DEFINE_LSM(capability) = {
1511 .name = "capability",
1512 .order = LSM_ORDER_FIRST,
1513 .init = capability_init,
1514 };
1515
1516 #endif /* CONFIG_SECURITY */
1517