1 /* Common capabilities, needed by capability.o and root_plug.o 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/audit.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/security.h> 16 #include <linux/file.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/pagemap.h> 20 #include <linux/swap.h> 21 #include <linux/skbuff.h> 22 #include <linux/netlink.h> 23 #include <linux/ptrace.h> 24 #include <linux/xattr.h> 25 #include <linux/hugetlb.h> 26 #include <linux/mount.h> 27 #include <linux/sched.h> 28 #include <linux/prctl.h> 29 #include <linux/securebits.h> 30 31 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 32 { 33 NETLINK_CB(skb).eff_cap = current_cap(); 34 return 0; 35 } 36 37 int cap_netlink_recv(struct sk_buff *skb, int cap) 38 { 39 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 40 return -EPERM; 41 return 0; 42 } 43 EXPORT_SYMBOL(cap_netlink_recv); 44 45 /** 46 * cap_capable - Determine whether a task has a particular effective capability 47 * @tsk: The task to query 48 * @cap: The capability to check for 49 * @audit: Whether to write an audit message or not 50 * 51 * Determine whether the nominated task has the specified capability amongst 52 * its effective set, returning 0 if it does, -ve if it does not. 53 * 54 * NOTE WELL: cap_capable() cannot be used like the kernel's capable() 55 * function. That is, it has the reverse semantics: cap_capable() returns 0 56 * when a task has a capability, but the kernel's capable() returns 1 for this 57 * case. 58 */ 59 int cap_capable(struct task_struct *tsk, int cap, int audit) 60 { 61 __u32 cap_raised; 62 63 /* Derived from include/linux/sched.h:capable. */ 64 rcu_read_lock(); 65 cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap); 66 rcu_read_unlock(); 67 return cap_raised ? 0 : -EPERM; 68 } 69 70 /** 71 * cap_settime - Determine whether the current process may set the system clock 72 * @ts: The time to set 73 * @tz: The timezone to set 74 * 75 * Determine whether the current process may set the system clock and timezone 76 * information, returning 0 if permission granted, -ve if denied. 77 */ 78 int cap_settime(struct timespec *ts, struct timezone *tz) 79 { 80 if (!capable(CAP_SYS_TIME)) 81 return -EPERM; 82 return 0; 83 } 84 85 /** 86 * cap_ptrace_may_access - Determine whether the current process may access 87 * another 88 * @child: The process to be accessed 89 * @mode: The mode of attachment. 90 * 91 * Determine whether a process may access another, returning 0 if permission 92 * granted, -ve if denied. 93 */ 94 int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) 95 { 96 int ret = 0; 97 98 rcu_read_lock(); 99 if (!cap_issubset(__task_cred(child)->cap_permitted, 100 current_cred()->cap_permitted) && 101 !capable(CAP_SYS_PTRACE)) 102 ret = -EPERM; 103 rcu_read_unlock(); 104 return ret; 105 } 106 107 /** 108 * cap_ptrace_traceme - Determine whether another process may trace the current 109 * @parent: The task proposed to be the tracer 110 * 111 * Determine whether the nominated task is permitted to trace the current 112 * process, returning 0 if permission is granted, -ve if denied. 113 */ 114 int cap_ptrace_traceme(struct task_struct *parent) 115 { 116 int ret = 0; 117 118 rcu_read_lock(); 119 if (!cap_issubset(current_cred()->cap_permitted, 120 __task_cred(parent)->cap_permitted) && 121 !has_capability(parent, CAP_SYS_PTRACE)) 122 ret = -EPERM; 123 rcu_read_unlock(); 124 return ret; 125 } 126 127 /** 128 * cap_capget - Retrieve a task's capability sets 129 * @target: The task from which to retrieve the capability sets 130 * @effective: The place to record the effective set 131 * @inheritable: The place to record the inheritable set 132 * @permitted: The place to record the permitted set 133 * 134 * This function retrieves the capabilities of the nominated task and returns 135 * them to the caller. 136 */ 137 int cap_capget(struct task_struct *target, kernel_cap_t *effective, 138 kernel_cap_t *inheritable, kernel_cap_t *permitted) 139 { 140 const struct cred *cred; 141 142 /* Derived from kernel/capability.c:sys_capget. */ 143 rcu_read_lock(); 144 cred = __task_cred(target); 145 *effective = cred->cap_effective; 146 *inheritable = cred->cap_inheritable; 147 *permitted = cred->cap_permitted; 148 rcu_read_unlock(); 149 return 0; 150 } 151 152 /* 153 * Determine whether the inheritable capabilities are limited to the old 154 * permitted set. Returns 1 if they are limited, 0 if they are not. 155 */ 156 static inline int cap_inh_is_capped(void) 157 { 158 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 159 160 /* they are so limited unless the current task has the CAP_SETPCAP 161 * capability 162 */ 163 if (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) 164 return 0; 165 #endif 166 return 1; 167 } 168 169 /** 170 * cap_capset - Validate and apply proposed changes to current's capabilities 171 * @new: The proposed new credentials; alterations should be made here 172 * @old: The current task's current credentials 173 * @effective: A pointer to the proposed new effective capabilities set 174 * @inheritable: A pointer to the proposed new inheritable capabilities set 175 * @permitted: A pointer to the proposed new permitted capabilities set 176 * 177 * This function validates and applies a proposed mass change to the current 178 * process's capability sets. The changes are made to the proposed new 179 * credentials, and assuming no error, will be committed by the caller of LSM. 180 */ 181 int cap_capset(struct cred *new, 182 const struct cred *old, 183 const kernel_cap_t *effective, 184 const kernel_cap_t *inheritable, 185 const kernel_cap_t *permitted) 186 { 187 if (cap_inh_is_capped() && 188 !cap_issubset(*inheritable, 189 cap_combine(old->cap_inheritable, 190 old->cap_permitted))) 191 /* incapable of using this inheritable set */ 192 return -EPERM; 193 194 if (!cap_issubset(*inheritable, 195 cap_combine(old->cap_inheritable, 196 old->cap_bset))) 197 /* no new pI capabilities outside bounding set */ 198 return -EPERM; 199 200 /* verify restrictions on target's new Permitted set */ 201 if (!cap_issubset(*permitted, old->cap_permitted)) 202 return -EPERM; 203 204 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 205 if (!cap_issubset(*effective, *permitted)) 206 return -EPERM; 207 208 new->cap_effective = *effective; 209 new->cap_inheritable = *inheritable; 210 new->cap_permitted = *permitted; 211 return 0; 212 } 213 214 /* 215 * Clear proposed capability sets for execve(). 216 */ 217 static inline void bprm_clear_caps(struct linux_binprm *bprm) 218 { 219 cap_clear(bprm->cred->cap_permitted); 220 bprm->cap_effective = false; 221 } 222 223 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 224 225 /** 226 * cap_inode_need_killpriv - Determine if inode change affects privileges 227 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 228 * 229 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV 230 * affects the security markings on that inode, and if it is, should 231 * inode_killpriv() be invoked or the change rejected? 232 * 233 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and 234 * -ve to deny the change. 235 */ 236 int cap_inode_need_killpriv(struct dentry *dentry) 237 { 238 struct inode *inode = dentry->d_inode; 239 int error; 240 241 if (!inode->i_op->getxattr) 242 return 0; 243 244 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 245 if (error <= 0) 246 return 0; 247 return 1; 248 } 249 250 /** 251 * cap_inode_killpriv - Erase the security markings on an inode 252 * @dentry: The inode/dentry to alter 253 * 254 * Erase the privilege-enhancing security markings on an inode. 255 * 256 * Returns 0 if successful, -ve on error. 257 */ 258 int cap_inode_killpriv(struct dentry *dentry) 259 { 260 struct inode *inode = dentry->d_inode; 261 262 if (!inode->i_op->removexattr) 263 return 0; 264 265 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 266 } 267 268 /* 269 * Calculate the new process capability sets from the capability sets attached 270 * to a file. 271 */ 272 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 273 struct linux_binprm *bprm, 274 bool *effective) 275 { 276 struct cred *new = bprm->cred; 277 unsigned i; 278 int ret = 0; 279 280 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 281 *effective = true; 282 283 CAP_FOR_EACH_U32(i) { 284 __u32 permitted = caps->permitted.cap[i]; 285 __u32 inheritable = caps->inheritable.cap[i]; 286 287 /* 288 * pP' = (X & fP) | (pI & fI) 289 */ 290 new->cap_permitted.cap[i] = 291 (new->cap_bset.cap[i] & permitted) | 292 (new->cap_inheritable.cap[i] & inheritable); 293 294 if (permitted & ~new->cap_permitted.cap[i]) 295 /* insufficient to execute correctly */ 296 ret = -EPERM; 297 } 298 299 /* 300 * For legacy apps, with no internal support for recognizing they 301 * do not have enough capabilities, we return an error if they are 302 * missing some "forced" (aka file-permitted) capabilities. 303 */ 304 return *effective ? ret : 0; 305 } 306 307 /* 308 * Extract the on-exec-apply capability sets for an executable file. 309 */ 310 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 311 { 312 struct inode *inode = dentry->d_inode; 313 __u32 magic_etc; 314 unsigned tocopy, i; 315 int size; 316 struct vfs_cap_data caps; 317 318 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 319 320 if (!inode || !inode->i_op->getxattr) 321 return -ENODATA; 322 323 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, 324 XATTR_CAPS_SZ); 325 if (size == -ENODATA || size == -EOPNOTSUPP) 326 /* no data, that's ok */ 327 return -ENODATA; 328 if (size < 0) 329 return size; 330 331 if (size < sizeof(magic_etc)) 332 return -EINVAL; 333 334 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc); 335 336 switch (magic_etc & VFS_CAP_REVISION_MASK) { 337 case VFS_CAP_REVISION_1: 338 if (size != XATTR_CAPS_SZ_1) 339 return -EINVAL; 340 tocopy = VFS_CAP_U32_1; 341 break; 342 case VFS_CAP_REVISION_2: 343 if (size != XATTR_CAPS_SZ_2) 344 return -EINVAL; 345 tocopy = VFS_CAP_U32_2; 346 break; 347 default: 348 return -EINVAL; 349 } 350 351 CAP_FOR_EACH_U32(i) { 352 if (i >= tocopy) 353 break; 354 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted); 355 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); 356 } 357 358 return 0; 359 } 360 361 /* 362 * Attempt to get the on-exec apply capability sets for an executable file from 363 * its xattrs and, if present, apply them to the proposed credentials being 364 * constructed by execve(). 365 */ 366 static int get_file_caps(struct linux_binprm *bprm, bool *effective) 367 { 368 struct dentry *dentry; 369 int rc = 0; 370 struct cpu_vfs_cap_data vcaps; 371 372 bprm_clear_caps(bprm); 373 374 if (!file_caps_enabled) 375 return 0; 376 377 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 378 return 0; 379 380 dentry = dget(bprm->file->f_dentry); 381 382 rc = get_vfs_caps_from_disk(dentry, &vcaps); 383 if (rc < 0) { 384 if (rc == -EINVAL) 385 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n", 386 __func__, rc, bprm->filename); 387 else if (rc == -ENODATA) 388 rc = 0; 389 goto out; 390 } 391 392 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective); 393 if (rc == -EINVAL) 394 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 395 __func__, rc, bprm->filename); 396 397 out: 398 dput(dentry); 399 if (rc) 400 bprm_clear_caps(bprm); 401 402 return rc; 403 } 404 405 #else 406 int cap_inode_need_killpriv(struct dentry *dentry) 407 { 408 return 0; 409 } 410 411 int cap_inode_killpriv(struct dentry *dentry) 412 { 413 return 0; 414 } 415 416 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 417 { 418 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 419 return -ENODATA; 420 } 421 422 static inline int get_file_caps(struct linux_binprm *bprm, bool *effective) 423 { 424 bprm_clear_caps(bprm); 425 return 0; 426 } 427 #endif 428 429 /* 430 * Determine whether a exec'ing process's new permitted capabilities should be 431 * limited to just what it already has. 432 * 433 * This prevents processes that are being ptraced from gaining access to 434 * CAP_SETPCAP, unless the process they're tracing already has it, and the 435 * binary they're executing has filecaps that elevate it. 436 * 437 * Returns 1 if they should be limited, 0 if they are not. 438 */ 439 static inline int cap_limit_ptraced_target(void) 440 { 441 #ifndef CONFIG_SECURITY_FILE_CAPABILITIES 442 if (capable(CAP_SETPCAP)) 443 return 0; 444 #endif 445 return 1; 446 } 447 448 /** 449 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 450 * @bprm: The execution parameters, including the proposed creds 451 * 452 * Set up the proposed credentials for a new execution context being 453 * constructed by execve(). The proposed creds in @bprm->cred is altered, 454 * which won't take effect immediately. Returns 0 if successful, -ve on error. 455 */ 456 int cap_bprm_set_creds(struct linux_binprm *bprm) 457 { 458 const struct cred *old = current_cred(); 459 struct cred *new = bprm->cred; 460 bool effective; 461 int ret; 462 463 effective = false; 464 ret = get_file_caps(bprm, &effective); 465 if (ret < 0) 466 return ret; 467 468 if (!issecure(SECURE_NOROOT)) { 469 /* 470 * To support inheritance of root-permissions and suid-root 471 * executables under compatibility mode, we override the 472 * capability sets for the file. 473 * 474 * If only the real uid is 0, we do not set the effective bit. 475 */ 476 if (new->euid == 0 || new->uid == 0) { 477 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 478 new->cap_permitted = cap_combine(old->cap_bset, 479 old->cap_inheritable); 480 } 481 if (new->euid == 0) 482 effective = true; 483 } 484 485 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 486 * credentials unless they have the appropriate permit 487 */ 488 if ((new->euid != old->uid || 489 new->egid != old->gid || 490 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 491 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 492 /* downgrade; they get no more than they had, and maybe less */ 493 if (!capable(CAP_SETUID)) { 494 new->euid = new->uid; 495 new->egid = new->gid; 496 } 497 if (cap_limit_ptraced_target()) 498 new->cap_permitted = cap_intersect(new->cap_permitted, 499 old->cap_permitted); 500 } 501 502 new->suid = new->fsuid = new->euid; 503 new->sgid = new->fsgid = new->egid; 504 505 /* For init, we want to retain the capabilities set in the initial 506 * task. Thus we skip the usual capability rules 507 */ 508 if (!is_global_init(current)) { 509 if (effective) 510 new->cap_effective = new->cap_permitted; 511 else 512 cap_clear(new->cap_effective); 513 } 514 bprm->cap_effective = effective; 515 516 /* 517 * Audit candidate if current->cap_effective is set 518 * 519 * We do not bother to audit if 3 things are true: 520 * 1) cap_effective has all caps 521 * 2) we are root 522 * 3) root is supposed to have all caps (SECURE_NOROOT) 523 * Since this is just a normal root execing a process. 524 * 525 * Number 1 above might fail if you don't have a full bset, but I think 526 * that is interesting information to audit. 527 */ 528 if (!cap_isclear(new->cap_effective)) { 529 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 530 new->euid != 0 || new->uid != 0 || 531 issecure(SECURE_NOROOT)) { 532 ret = audit_log_bprm_fcaps(bprm, new, old); 533 if (ret < 0) 534 return ret; 535 } 536 } 537 538 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 539 return 0; 540 } 541 542 /** 543 * cap_bprm_secureexec - Determine whether a secure execution is required 544 * @bprm: The execution parameters 545 * 546 * Determine whether a secure execution is required, return 1 if it is, and 0 547 * if it is not. 548 * 549 * The credentials have been committed by this point, and so are no longer 550 * available through @bprm->cred. 551 */ 552 int cap_bprm_secureexec(struct linux_binprm *bprm) 553 { 554 const struct cred *cred = current_cred(); 555 556 if (cred->uid != 0) { 557 if (bprm->cap_effective) 558 return 1; 559 if (!cap_isclear(cred->cap_permitted)) 560 return 1; 561 } 562 563 return (cred->euid != cred->uid || 564 cred->egid != cred->gid); 565 } 566 567 /** 568 * cap_inode_setxattr - Determine whether an xattr may be altered 569 * @dentry: The inode/dentry being altered 570 * @name: The name of the xattr to be changed 571 * @value: The value that the xattr will be changed to 572 * @size: The size of value 573 * @flags: The replacement flag 574 * 575 * Determine whether an xattr may be altered or set on an inode, returning 0 if 576 * permission is granted, -ve if denied. 577 * 578 * This is used to make sure security xattrs don't get updated or set by those 579 * who aren't privileged to do so. 580 */ 581 int cap_inode_setxattr(struct dentry *dentry, const char *name, 582 const void *value, size_t size, int flags) 583 { 584 if (!strcmp(name, XATTR_NAME_CAPS)) { 585 if (!capable(CAP_SETFCAP)) 586 return -EPERM; 587 return 0; 588 } 589 590 if (!strncmp(name, XATTR_SECURITY_PREFIX, 591 sizeof(XATTR_SECURITY_PREFIX) - 1) && 592 !capable(CAP_SYS_ADMIN)) 593 return -EPERM; 594 return 0; 595 } 596 597 /** 598 * cap_inode_removexattr - Determine whether an xattr may be removed 599 * @dentry: The inode/dentry being altered 600 * @name: The name of the xattr to be changed 601 * 602 * Determine whether an xattr may be removed from an inode, returning 0 if 603 * permission is granted, -ve if denied. 604 * 605 * This is used to make sure security xattrs don't get removed by those who 606 * aren't privileged to remove them. 607 */ 608 int cap_inode_removexattr(struct dentry *dentry, const char *name) 609 { 610 if (!strcmp(name, XATTR_NAME_CAPS)) { 611 if (!capable(CAP_SETFCAP)) 612 return -EPERM; 613 return 0; 614 } 615 616 if (!strncmp(name, XATTR_SECURITY_PREFIX, 617 sizeof(XATTR_SECURITY_PREFIX) - 1) && 618 !capable(CAP_SYS_ADMIN)) 619 return -EPERM; 620 return 0; 621 } 622 623 /* 624 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 625 * a process after a call to setuid, setreuid, or setresuid. 626 * 627 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 628 * {r,e,s}uid != 0, the permitted and effective capabilities are 629 * cleared. 630 * 631 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 632 * capabilities of the process are cleared. 633 * 634 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 635 * capabilities are set to the permitted capabilities. 636 * 637 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 638 * never happen. 639 * 640 * -astor 641 * 642 * cevans - New behaviour, Oct '99 643 * A process may, via prctl(), elect to keep its capabilities when it 644 * calls setuid() and switches away from uid==0. Both permitted and 645 * effective sets will be retained. 646 * Without this change, it was impossible for a daemon to drop only some 647 * of its privilege. The call to setuid(!=0) would drop all privileges! 648 * Keeping uid 0 is not an option because uid 0 owns too many vital 649 * files.. 650 * Thanks to Olaf Kirch and Peter Benie for spotting this. 651 */ 652 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 653 { 654 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) && 655 (new->uid != 0 && new->euid != 0 && new->suid != 0) && 656 !issecure(SECURE_KEEP_CAPS)) { 657 cap_clear(new->cap_permitted); 658 cap_clear(new->cap_effective); 659 } 660 if (old->euid == 0 && new->euid != 0) 661 cap_clear(new->cap_effective); 662 if (old->euid != 0 && new->euid == 0) 663 new->cap_effective = new->cap_permitted; 664 } 665 666 /** 667 * cap_task_fix_setuid - Fix up the results of setuid() call 668 * @new: The proposed credentials 669 * @old: The current task's current credentials 670 * @flags: Indications of what has changed 671 * 672 * Fix up the results of setuid() call before the credential changes are 673 * actually applied, returning 0 to grant the changes, -ve to deny them. 674 */ 675 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 676 { 677 switch (flags) { 678 case LSM_SETID_RE: 679 case LSM_SETID_ID: 680 case LSM_SETID_RES: 681 /* juggle the capabilities to follow [RES]UID changes unless 682 * otherwise suppressed */ 683 if (!issecure(SECURE_NO_SETUID_FIXUP)) 684 cap_emulate_setxuid(new, old); 685 break; 686 687 case LSM_SETID_FS: 688 /* juggle the capabilties to follow FSUID changes, unless 689 * otherwise suppressed 690 * 691 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 692 * if not, we might be a bit too harsh here. 693 */ 694 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 695 if (old->fsuid == 0 && new->fsuid != 0) 696 new->cap_effective = 697 cap_drop_fs_set(new->cap_effective); 698 699 if (old->fsuid != 0 && new->fsuid == 0) 700 new->cap_effective = 701 cap_raise_fs_set(new->cap_effective, 702 new->cap_permitted); 703 } 704 break; 705 706 default: 707 return -EINVAL; 708 } 709 710 return 0; 711 } 712 713 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 714 /* 715 * Rationale: code calling task_setscheduler, task_setioprio, and 716 * task_setnice, assumes that 717 * . if capable(cap_sys_nice), then those actions should be allowed 718 * . if not capable(cap_sys_nice), but acting on your own processes, 719 * then those actions should be allowed 720 * This is insufficient now since you can call code without suid, but 721 * yet with increased caps. 722 * So we check for increased caps on the target process. 723 */ 724 static int cap_safe_nice(struct task_struct *p) 725 { 726 int is_subset; 727 728 rcu_read_lock(); 729 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 730 current_cred()->cap_permitted); 731 rcu_read_unlock(); 732 733 if (!is_subset && !capable(CAP_SYS_NICE)) 734 return -EPERM; 735 return 0; 736 } 737 738 /** 739 * cap_task_setscheduler - Detemine if scheduler policy change is permitted 740 * @p: The task to affect 741 * @policy: The policy to effect 742 * @lp: The parameters to the scheduling policy 743 * 744 * Detemine if the requested scheduler policy change is permitted for the 745 * specified task, returning 0 if permission is granted, -ve if denied. 746 */ 747 int cap_task_setscheduler(struct task_struct *p, int policy, 748 struct sched_param *lp) 749 { 750 return cap_safe_nice(p); 751 } 752 753 /** 754 * cap_task_ioprio - Detemine if I/O priority change is permitted 755 * @p: The task to affect 756 * @ioprio: The I/O priority to set 757 * 758 * Detemine if the requested I/O priority change is permitted for the specified 759 * task, returning 0 if permission is granted, -ve if denied. 760 */ 761 int cap_task_setioprio(struct task_struct *p, int ioprio) 762 { 763 return cap_safe_nice(p); 764 } 765 766 /** 767 * cap_task_ioprio - Detemine if task priority change is permitted 768 * @p: The task to affect 769 * @nice: The nice value to set 770 * 771 * Detemine if the requested task priority change is permitted for the 772 * specified task, returning 0 if permission is granted, -ve if denied. 773 */ 774 int cap_task_setnice(struct task_struct *p, int nice) 775 { 776 return cap_safe_nice(p); 777 } 778 779 /* 780 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from 781 * the current task's bounding set. Returns 0 on success, -ve on error. 782 */ 783 static long cap_prctl_drop(struct cred *new, unsigned long cap) 784 { 785 if (!capable(CAP_SETPCAP)) 786 return -EPERM; 787 if (!cap_valid(cap)) 788 return -EINVAL; 789 790 cap_lower(new->cap_bset, cap); 791 return 0; 792 } 793 794 #else 795 int cap_task_setscheduler (struct task_struct *p, int policy, 796 struct sched_param *lp) 797 { 798 return 0; 799 } 800 int cap_task_setioprio (struct task_struct *p, int ioprio) 801 { 802 return 0; 803 } 804 int cap_task_setnice (struct task_struct *p, int nice) 805 { 806 return 0; 807 } 808 #endif 809 810 /** 811 * cap_task_prctl - Implement process control functions for this security module 812 * @option: The process control function requested 813 * @arg2, @arg3, @arg4, @arg5: The argument data for this function 814 * 815 * Allow process control functions (sys_prctl()) to alter capabilities; may 816 * also deny access to other functions not otherwise implemented here. 817 * 818 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented 819 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM 820 * modules will consider performing the function. 821 */ 822 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 823 unsigned long arg4, unsigned long arg5) 824 { 825 struct cred *new; 826 long error = 0; 827 828 new = prepare_creds(); 829 if (!new) 830 return -ENOMEM; 831 832 switch (option) { 833 case PR_CAPBSET_READ: 834 error = -EINVAL; 835 if (!cap_valid(arg2)) 836 goto error; 837 error = !!cap_raised(new->cap_bset, arg2); 838 goto no_change; 839 840 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 841 case PR_CAPBSET_DROP: 842 error = cap_prctl_drop(new, arg2); 843 if (error < 0) 844 goto error; 845 goto changed; 846 847 /* 848 * The next four prctl's remain to assist with transitioning a 849 * system from legacy UID=0 based privilege (when filesystem 850 * capabilities are not in use) to a system using filesystem 851 * capabilities only - as the POSIX.1e draft intended. 852 * 853 * Note: 854 * 855 * PR_SET_SECUREBITS = 856 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 857 * | issecure_mask(SECURE_NOROOT) 858 * | issecure_mask(SECURE_NOROOT_LOCKED) 859 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 860 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 861 * 862 * will ensure that the current process and all of its 863 * children will be locked into a pure 864 * capability-based-privilege environment. 865 */ 866 case PR_SET_SECUREBITS: 867 error = -EPERM; 868 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1) 869 & (new->securebits ^ arg2)) /*[1]*/ 870 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 871 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 872 || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/ 873 /* 874 * [1] no changing of bits that are locked 875 * [2] no unlocking of locks 876 * [3] no setting of unsupported bits 877 * [4] doing anything requires privilege (go read about 878 * the "sendmail capabilities bug") 879 */ 880 ) 881 /* cannot change a locked bit */ 882 goto error; 883 new->securebits = arg2; 884 goto changed; 885 886 case PR_GET_SECUREBITS: 887 error = new->securebits; 888 goto no_change; 889 890 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 891 892 case PR_GET_KEEPCAPS: 893 if (issecure(SECURE_KEEP_CAPS)) 894 error = 1; 895 goto no_change; 896 897 case PR_SET_KEEPCAPS: 898 error = -EINVAL; 899 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 900 goto error; 901 error = -EPERM; 902 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 903 goto error; 904 if (arg2) 905 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 906 else 907 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 908 goto changed; 909 910 default: 911 /* No functionality available - continue with default */ 912 error = -ENOSYS; 913 goto error; 914 } 915 916 /* Functionality provided */ 917 changed: 918 return commit_creds(new); 919 920 no_change: 921 error = 0; 922 error: 923 abort_creds(new); 924 return error; 925 } 926 927 /** 928 * cap_syslog - Determine whether syslog function is permitted 929 * @type: Function requested 930 * 931 * Determine whether the current process is permitted to use a particular 932 * syslog function, returning 0 if permission is granted, -ve if not. 933 */ 934 int cap_syslog(int type) 935 { 936 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 937 return -EPERM; 938 return 0; 939 } 940 941 /** 942 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 943 * @mm: The VM space in which the new mapping is to be made 944 * @pages: The size of the mapping 945 * 946 * Determine whether the allocation of a new virtual mapping by the current 947 * task is permitted, returning 0 if permission is granted, -ve if not. 948 */ 949 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 950 { 951 int cap_sys_admin = 0; 952 953 if (cap_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT) == 0) 954 cap_sys_admin = 1; 955 return __vm_enough_memory(mm, pages, cap_sys_admin); 956 } 957