1 /* Common capabilities, needed by capability.o and root_plug.o 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/module.h> 12 #include <linux/init.h> 13 #include <linux/kernel.h> 14 #include <linux/security.h> 15 #include <linux/file.h> 16 #include <linux/mm.h> 17 #include <linux/mman.h> 18 #include <linux/pagemap.h> 19 #include <linux/swap.h> 20 #include <linux/skbuff.h> 21 #include <linux/netlink.h> 22 #include <linux/ptrace.h> 23 #include <linux/xattr.h> 24 #include <linux/hugetlb.h> 25 #include <linux/mount.h> 26 #include <linux/sched.h> 27 28 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 29 /* 30 * Because of the reduced scope of CAP_SETPCAP when filesystem 31 * capabilities are in effect, it is safe to allow this capability to 32 * be available in the default configuration. 33 */ 34 # define CAP_INIT_BSET CAP_FULL_SET 35 #else /* ie. ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 36 # define CAP_INIT_BSET CAP_INIT_EFF_SET 37 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 38 39 kernel_cap_t cap_bset = CAP_INIT_BSET; /* systemwide capability bound */ 40 EXPORT_SYMBOL(cap_bset); 41 42 /* Global security state */ 43 44 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ 45 EXPORT_SYMBOL(securebits); 46 47 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 48 { 49 NETLINK_CB(skb).eff_cap = current->cap_effective; 50 return 0; 51 } 52 53 int cap_netlink_recv(struct sk_buff *skb, int cap) 54 { 55 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 56 return -EPERM; 57 return 0; 58 } 59 60 EXPORT_SYMBOL(cap_netlink_recv); 61 62 int cap_capable (struct task_struct *tsk, int cap) 63 { 64 /* Derived from include/linux/sched.h:capable. */ 65 if (cap_raised(tsk->cap_effective, cap)) 66 return 0; 67 return -EPERM; 68 } 69 70 int cap_settime(struct timespec *ts, struct timezone *tz) 71 { 72 if (!capable(CAP_SYS_TIME)) 73 return -EPERM; 74 return 0; 75 } 76 77 int cap_ptrace (struct task_struct *parent, struct task_struct *child) 78 { 79 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 80 if (!cap_issubset(child->cap_permitted, parent->cap_permitted) && 81 !__capable(parent, CAP_SYS_PTRACE)) 82 return -EPERM; 83 return 0; 84 } 85 86 int cap_capget (struct task_struct *target, kernel_cap_t *effective, 87 kernel_cap_t *inheritable, kernel_cap_t *permitted) 88 { 89 /* Derived from kernel/capability.c:sys_capget. */ 90 *effective = cap_t (target->cap_effective); 91 *inheritable = cap_t (target->cap_inheritable); 92 *permitted = cap_t (target->cap_permitted); 93 return 0; 94 } 95 96 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 97 98 static inline int cap_block_setpcap(struct task_struct *target) 99 { 100 /* 101 * No support for remote process capability manipulation with 102 * filesystem capability support. 103 */ 104 return (target != current); 105 } 106 107 static inline int cap_inh_is_capped(void) 108 { 109 /* 110 * return 1 if changes to the inheritable set are limited 111 * to the old permitted set. 112 */ 113 return !cap_capable(current, CAP_SETPCAP); 114 } 115 116 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 117 118 static inline int cap_block_setpcap(struct task_struct *t) { return 0; } 119 static inline int cap_inh_is_capped(void) { return 1; } 120 121 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 122 123 int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 124 kernel_cap_t *inheritable, kernel_cap_t *permitted) 125 { 126 if (cap_block_setpcap(target)) { 127 return -EPERM; 128 } 129 if (cap_inh_is_capped() 130 && !cap_issubset(*inheritable, 131 cap_combine(target->cap_inheritable, 132 current->cap_permitted))) { 133 /* incapable of using this inheritable set */ 134 return -EPERM; 135 } 136 137 /* verify restrictions on target's new Permitted set */ 138 if (!cap_issubset (*permitted, 139 cap_combine (target->cap_permitted, 140 current->cap_permitted))) { 141 return -EPERM; 142 } 143 144 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 145 if (!cap_issubset (*effective, *permitted)) { 146 return -EPERM; 147 } 148 149 return 0; 150 } 151 152 void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 153 kernel_cap_t *inheritable, kernel_cap_t *permitted) 154 { 155 target->cap_effective = *effective; 156 target->cap_inheritable = *inheritable; 157 target->cap_permitted = *permitted; 158 } 159 160 static inline void bprm_clear_caps(struct linux_binprm *bprm) 161 { 162 cap_clear(bprm->cap_inheritable); 163 cap_clear(bprm->cap_permitted); 164 bprm->cap_effective = false; 165 } 166 167 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 168 169 int cap_inode_need_killpriv(struct dentry *dentry) 170 { 171 struct inode *inode = dentry->d_inode; 172 int error; 173 174 if (!inode->i_op || !inode->i_op->getxattr) 175 return 0; 176 177 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 178 if (error <= 0) 179 return 0; 180 return 1; 181 } 182 183 int cap_inode_killpriv(struct dentry *dentry) 184 { 185 struct inode *inode = dentry->d_inode; 186 187 if (!inode->i_op || !inode->i_op->removexattr) 188 return 0; 189 190 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 191 } 192 193 static inline int cap_from_disk(struct vfs_cap_data *caps, 194 struct linux_binprm *bprm, 195 int size) 196 { 197 __u32 magic_etc; 198 199 if (size != XATTR_CAPS_SZ) 200 return -EINVAL; 201 202 magic_etc = le32_to_cpu(caps->magic_etc); 203 204 switch ((magic_etc & VFS_CAP_REVISION_MASK)) { 205 case VFS_CAP_REVISION: 206 if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 207 bprm->cap_effective = true; 208 else 209 bprm->cap_effective = false; 210 bprm->cap_permitted = to_cap_t(le32_to_cpu(caps->permitted)); 211 bprm->cap_inheritable = to_cap_t(le32_to_cpu(caps->inheritable)); 212 return 0; 213 default: 214 return -EINVAL; 215 } 216 } 217 218 /* Locate any VFS capabilities: */ 219 static int get_file_caps(struct linux_binprm *bprm) 220 { 221 struct dentry *dentry; 222 int rc = 0; 223 struct vfs_cap_data incaps; 224 struct inode *inode; 225 226 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) { 227 bprm_clear_caps(bprm); 228 return 0; 229 } 230 231 dentry = dget(bprm->file->f_dentry); 232 inode = dentry->d_inode; 233 if (!inode->i_op || !inode->i_op->getxattr) 234 goto out; 235 236 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 237 if (rc > 0) { 238 if (rc == XATTR_CAPS_SZ) 239 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, 240 &incaps, XATTR_CAPS_SZ); 241 else 242 rc = -EINVAL; 243 } 244 if (rc == -ENODATA || rc == -EOPNOTSUPP) { 245 /* no data, that's ok */ 246 rc = 0; 247 goto out; 248 } 249 if (rc < 0) 250 goto out; 251 252 rc = cap_from_disk(&incaps, bprm, rc); 253 if (rc) 254 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 255 __FUNCTION__, rc, bprm->filename); 256 257 out: 258 dput(dentry); 259 if (rc) 260 bprm_clear_caps(bprm); 261 262 return rc; 263 } 264 265 #else 266 int cap_inode_need_killpriv(struct dentry *dentry) 267 { 268 return 0; 269 } 270 271 int cap_inode_killpriv(struct dentry *dentry) 272 { 273 return 0; 274 } 275 276 static inline int get_file_caps(struct linux_binprm *bprm) 277 { 278 bprm_clear_caps(bprm); 279 return 0; 280 } 281 #endif 282 283 int cap_bprm_set_security (struct linux_binprm *bprm) 284 { 285 int ret; 286 287 ret = get_file_caps(bprm); 288 if (ret) 289 printk(KERN_NOTICE "%s: get_file_caps returned %d for %s\n", 290 __FUNCTION__, ret, bprm->filename); 291 292 /* To support inheritance of root-permissions and suid-root 293 * executables under compatibility mode, we raise all three 294 * capability sets for the file. 295 * 296 * If only the real uid is 0, we only raise the inheritable 297 * and permitted sets of the executable file. 298 */ 299 300 if (!issecure (SECURE_NOROOT)) { 301 if (bprm->e_uid == 0 || current->uid == 0) { 302 cap_set_full (bprm->cap_inheritable); 303 cap_set_full (bprm->cap_permitted); 304 } 305 if (bprm->e_uid == 0) 306 bprm->cap_effective = true; 307 } 308 309 return ret; 310 } 311 312 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 313 { 314 /* Derived from fs/exec.c:compute_creds. */ 315 kernel_cap_t new_permitted, working; 316 317 new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); 318 working = cap_intersect (bprm->cap_inheritable, 319 current->cap_inheritable); 320 new_permitted = cap_combine (new_permitted, working); 321 322 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 323 !cap_issubset (new_permitted, current->cap_permitted)) { 324 set_dumpable(current->mm, suid_dumpable); 325 current->pdeath_signal = 0; 326 327 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 328 if (!capable(CAP_SETUID)) { 329 bprm->e_uid = current->uid; 330 bprm->e_gid = current->gid; 331 } 332 if (!capable (CAP_SETPCAP)) { 333 new_permitted = cap_intersect (new_permitted, 334 current->cap_permitted); 335 } 336 } 337 } 338 339 current->suid = current->euid = current->fsuid = bprm->e_uid; 340 current->sgid = current->egid = current->fsgid = bprm->e_gid; 341 342 /* For init, we want to retain the capabilities set 343 * in the init_task struct. Thus we skip the usual 344 * capability rules */ 345 if (!is_global_init(current)) { 346 current->cap_permitted = new_permitted; 347 current->cap_effective = bprm->cap_effective ? 348 new_permitted : 0; 349 } 350 351 /* AUD: Audit candidate if current->cap_effective is set */ 352 353 current->keep_capabilities = 0; 354 } 355 356 int cap_bprm_secureexec (struct linux_binprm *bprm) 357 { 358 if (current->uid != 0) { 359 if (bprm->cap_effective) 360 return 1; 361 if (!cap_isclear(bprm->cap_permitted)) 362 return 1; 363 if (!cap_isclear(bprm->cap_inheritable)) 364 return 1; 365 } 366 367 return (current->euid != current->uid || 368 current->egid != current->gid); 369 } 370 371 int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, 372 size_t size, int flags) 373 { 374 if (!strcmp(name, XATTR_NAME_CAPS)) { 375 if (!capable(CAP_SETFCAP)) 376 return -EPERM; 377 return 0; 378 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 379 sizeof(XATTR_SECURITY_PREFIX) - 1) && 380 !capable(CAP_SYS_ADMIN)) 381 return -EPERM; 382 return 0; 383 } 384 385 int cap_inode_removexattr(struct dentry *dentry, char *name) 386 { 387 if (!strcmp(name, XATTR_NAME_CAPS)) { 388 if (!capable(CAP_SETFCAP)) 389 return -EPERM; 390 return 0; 391 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 392 sizeof(XATTR_SECURITY_PREFIX) - 1) && 393 !capable(CAP_SYS_ADMIN)) 394 return -EPERM; 395 return 0; 396 } 397 398 /* moved from kernel/sys.c. */ 399 /* 400 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 401 * a process after a call to setuid, setreuid, or setresuid. 402 * 403 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 404 * {r,e,s}uid != 0, the permitted and effective capabilities are 405 * cleared. 406 * 407 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 408 * capabilities of the process are cleared. 409 * 410 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 411 * capabilities are set to the permitted capabilities. 412 * 413 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 414 * never happen. 415 * 416 * -astor 417 * 418 * cevans - New behaviour, Oct '99 419 * A process may, via prctl(), elect to keep its capabilities when it 420 * calls setuid() and switches away from uid==0. Both permitted and 421 * effective sets will be retained. 422 * Without this change, it was impossible for a daemon to drop only some 423 * of its privilege. The call to setuid(!=0) would drop all privileges! 424 * Keeping uid 0 is not an option because uid 0 owns too many vital 425 * files.. 426 * Thanks to Olaf Kirch and Peter Benie for spotting this. 427 */ 428 static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 429 int old_suid) 430 { 431 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 432 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 433 !current->keep_capabilities) { 434 cap_clear (current->cap_permitted); 435 cap_clear (current->cap_effective); 436 } 437 if (old_euid == 0 && current->euid != 0) { 438 cap_clear (current->cap_effective); 439 } 440 if (old_euid != 0 && current->euid == 0) { 441 current->cap_effective = current->cap_permitted; 442 } 443 } 444 445 int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 446 int flags) 447 { 448 switch (flags) { 449 case LSM_SETID_RE: 450 case LSM_SETID_ID: 451 case LSM_SETID_RES: 452 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 453 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 454 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 455 } 456 break; 457 case LSM_SETID_FS: 458 { 459 uid_t old_fsuid = old_ruid; 460 461 /* Copied from kernel/sys.c:setfsuid. */ 462 463 /* 464 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 465 * if not, we might be a bit too harsh here. 466 */ 467 468 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 469 if (old_fsuid == 0 && current->fsuid != 0) { 470 cap_t (current->cap_effective) &= 471 ~CAP_FS_MASK; 472 } 473 if (old_fsuid != 0 && current->fsuid == 0) { 474 cap_t (current->cap_effective) |= 475 (cap_t (current->cap_permitted) & 476 CAP_FS_MASK); 477 } 478 } 479 break; 480 } 481 default: 482 return -EINVAL; 483 } 484 485 return 0; 486 } 487 488 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 489 /* 490 * Rationale: code calling task_setscheduler, task_setioprio, and 491 * task_setnice, assumes that 492 * . if capable(cap_sys_nice), then those actions should be allowed 493 * . if not capable(cap_sys_nice), but acting on your own processes, 494 * then those actions should be allowed 495 * This is insufficient now since you can call code without suid, but 496 * yet with increased caps. 497 * So we check for increased caps on the target process. 498 */ 499 static inline int cap_safe_nice(struct task_struct *p) 500 { 501 if (!cap_issubset(p->cap_permitted, current->cap_permitted) && 502 !__capable(current, CAP_SYS_NICE)) 503 return -EPERM; 504 return 0; 505 } 506 507 int cap_task_setscheduler (struct task_struct *p, int policy, 508 struct sched_param *lp) 509 { 510 return cap_safe_nice(p); 511 } 512 513 int cap_task_setioprio (struct task_struct *p, int ioprio) 514 { 515 return cap_safe_nice(p); 516 } 517 518 int cap_task_setnice (struct task_struct *p, int nice) 519 { 520 return cap_safe_nice(p); 521 } 522 523 int cap_task_kill(struct task_struct *p, struct siginfo *info, 524 int sig, u32 secid) 525 { 526 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 527 return 0; 528 529 /* 530 * Running a setuid root program raises your capabilities. 531 * Killing your own setuid root processes was previously 532 * allowed. 533 * We must preserve legacy signal behavior in this case. 534 */ 535 if (p->euid == 0 && p->uid == current->uid) 536 return 0; 537 538 /* sigcont is permitted within same session */ 539 if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p))) 540 return 0; 541 542 if (secid) 543 /* 544 * Signal sent as a particular user. 545 * Capabilities are ignored. May be wrong, but it's the 546 * only thing we can do at the moment. 547 * Used only by usb drivers? 548 */ 549 return 0; 550 if (cap_issubset(p->cap_permitted, current->cap_permitted)) 551 return 0; 552 if (capable(CAP_KILL)) 553 return 0; 554 555 return -EPERM; 556 } 557 #else 558 int cap_task_setscheduler (struct task_struct *p, int policy, 559 struct sched_param *lp) 560 { 561 return 0; 562 } 563 int cap_task_setioprio (struct task_struct *p, int ioprio) 564 { 565 return 0; 566 } 567 int cap_task_setnice (struct task_struct *p, int nice) 568 { 569 return 0; 570 } 571 int cap_task_kill(struct task_struct *p, struct siginfo *info, 572 int sig, u32 secid) 573 { 574 return 0; 575 } 576 #endif 577 578 void cap_task_reparent_to_init (struct task_struct *p) 579 { 580 p->cap_effective = CAP_INIT_EFF_SET; 581 p->cap_inheritable = CAP_INIT_INH_SET; 582 p->cap_permitted = CAP_FULL_SET; 583 p->keep_capabilities = 0; 584 return; 585 } 586 587 int cap_syslog (int type) 588 { 589 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 590 return -EPERM; 591 return 0; 592 } 593 594 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 595 { 596 int cap_sys_admin = 0; 597 598 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 599 cap_sys_admin = 1; 600 return __vm_enough_memory(mm, pages, cap_sys_admin); 601 } 602 603