1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Common capabilities, needed by capability.o. 3 */ 4 5 #include <linux/capability.h> 6 #include <linux/audit.h> 7 #include <linux/init.h> 8 #include <linux/kernel.h> 9 #include <linux/lsm_hooks.h> 10 #include <linux/file.h> 11 #include <linux/mm.h> 12 #include <linux/mman.h> 13 #include <linux/pagemap.h> 14 #include <linux/swap.h> 15 #include <linux/skbuff.h> 16 #include <linux/netlink.h> 17 #include <linux/ptrace.h> 18 #include <linux/xattr.h> 19 #include <linux/hugetlb.h> 20 #include <linux/mount.h> 21 #include <linux/sched.h> 22 #include <linux/prctl.h> 23 #include <linux/securebits.h> 24 #include <linux/user_namespace.h> 25 #include <linux/binfmts.h> 26 #include <linux/personality.h> 27 #include <linux/mnt_idmapping.h> 28 29 /* 30 * If a non-root user executes a setuid-root binary in 31 * !secure(SECURE_NOROOT) mode, then we raise capabilities. 32 * However if fE is also set, then the intent is for only 33 * the file capabilities to be applied, and the setuid-root 34 * bit is left on either to change the uid (plausible) or 35 * to get full privilege on a kernel without file capabilities 36 * support. So in that case we do not raise capabilities. 37 * 38 * Warn if that happens, once per boot. 39 */ 40 static void warn_setuid_and_fcaps_mixed(const char *fname) 41 { 42 static int warned; 43 if (!warned) { 44 printk(KERN_INFO "warning: `%s' has both setuid-root and" 45 " effective capabilities. Therefore not raising all" 46 " capabilities.\n", fname); 47 warned = 1; 48 } 49 } 50 51 /** 52 * cap_capable - Determine whether a task has a particular effective capability 53 * @cred: The credentials to use 54 * @targ_ns: The user namespace in which we need the capability 55 * @cap: The capability to check for 56 * @opts: Bitmask of options defined in include/linux/security.h 57 * 58 * Determine whether the nominated task has the specified capability amongst 59 * its effective set, returning 0 if it does, -ve if it does not. 60 * 61 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() 62 * and has_capability() functions. That is, it has the reverse semantics: 63 * cap_has_capability() returns 0 when a task has a capability, but the 64 * kernel's capable() and has_capability() returns 1 for this case. 65 */ 66 int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, 67 int cap, unsigned int opts) 68 { 69 struct user_namespace *ns = targ_ns; 70 71 /* See if cred has the capability in the target user namespace 72 * by examining the target user namespace and all of the target 73 * user namespace's parents. 74 */ 75 for (;;) { 76 /* Do we have the necessary capabilities? */ 77 if (ns == cred->user_ns) 78 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 79 80 /* 81 * If we're already at a lower level than we're looking for, 82 * we're done searching. 83 */ 84 if (ns->level <= cred->user_ns->level) 85 return -EPERM; 86 87 /* 88 * The owner of the user namespace in the parent of the 89 * user namespace has all caps. 90 */ 91 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) 92 return 0; 93 94 /* 95 * If you have a capability in a parent user ns, then you have 96 * it over all children user namespaces as well. 97 */ 98 ns = ns->parent; 99 } 100 101 /* We never get here */ 102 } 103 104 /** 105 * cap_settime - Determine whether the current process may set the system clock 106 * @ts: The time to set 107 * @tz: The timezone to set 108 * 109 * Determine whether the current process may set the system clock and timezone 110 * information, returning 0 if permission granted, -ve if denied. 111 */ 112 int cap_settime(const struct timespec64 *ts, const struct timezone *tz) 113 { 114 if (!capable(CAP_SYS_TIME)) 115 return -EPERM; 116 return 0; 117 } 118 119 /** 120 * cap_ptrace_access_check - Determine whether the current process may access 121 * another 122 * @child: The process to be accessed 123 * @mode: The mode of attachment. 124 * 125 * If we are in the same or an ancestor user_ns and have all the target 126 * task's capabilities, then ptrace access is allowed. 127 * If we have the ptrace capability to the target user_ns, then ptrace 128 * access is allowed. 129 * Else denied. 130 * 131 * Determine whether a process may access another, returning 0 if permission 132 * granted, -ve if denied. 133 */ 134 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) 135 { 136 int ret = 0; 137 const struct cred *cred, *child_cred; 138 const kernel_cap_t *caller_caps; 139 140 rcu_read_lock(); 141 cred = current_cred(); 142 child_cred = __task_cred(child); 143 if (mode & PTRACE_MODE_FSCREDS) 144 caller_caps = &cred->cap_effective; 145 else 146 caller_caps = &cred->cap_permitted; 147 if (cred->user_ns == child_cred->user_ns && 148 cap_issubset(child_cred->cap_permitted, *caller_caps)) 149 goto out; 150 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) 151 goto out; 152 ret = -EPERM; 153 out: 154 rcu_read_unlock(); 155 return ret; 156 } 157 158 /** 159 * cap_ptrace_traceme - Determine whether another process may trace the current 160 * @parent: The task proposed to be the tracer 161 * 162 * If parent is in the same or an ancestor user_ns and has all current's 163 * capabilities, then ptrace access is allowed. 164 * If parent has the ptrace capability to current's user_ns, then ptrace 165 * access is allowed. 166 * Else denied. 167 * 168 * Determine whether the nominated task is permitted to trace the current 169 * process, returning 0 if permission is granted, -ve if denied. 170 */ 171 int cap_ptrace_traceme(struct task_struct *parent) 172 { 173 int ret = 0; 174 const struct cred *cred, *child_cred; 175 176 rcu_read_lock(); 177 cred = __task_cred(parent); 178 child_cred = current_cred(); 179 if (cred->user_ns == child_cred->user_ns && 180 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 181 goto out; 182 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) 183 goto out; 184 ret = -EPERM; 185 out: 186 rcu_read_unlock(); 187 return ret; 188 } 189 190 /** 191 * cap_capget - Retrieve a task's capability sets 192 * @target: The task from which to retrieve the capability sets 193 * @effective: The place to record the effective set 194 * @inheritable: The place to record the inheritable set 195 * @permitted: The place to record the permitted set 196 * 197 * This function retrieves the capabilities of the nominated task and returns 198 * them to the caller. 199 */ 200 int cap_capget(struct task_struct *target, kernel_cap_t *effective, 201 kernel_cap_t *inheritable, kernel_cap_t *permitted) 202 { 203 const struct cred *cred; 204 205 /* Derived from kernel/capability.c:sys_capget. */ 206 rcu_read_lock(); 207 cred = __task_cred(target); 208 *effective = cred->cap_effective; 209 *inheritable = cred->cap_inheritable; 210 *permitted = cred->cap_permitted; 211 rcu_read_unlock(); 212 return 0; 213 } 214 215 /* 216 * Determine whether the inheritable capabilities are limited to the old 217 * permitted set. Returns 1 if they are limited, 0 if they are not. 218 */ 219 static inline int cap_inh_is_capped(void) 220 { 221 /* they are so limited unless the current task has the CAP_SETPCAP 222 * capability 223 */ 224 if (cap_capable(current_cred(), current_cred()->user_ns, 225 CAP_SETPCAP, CAP_OPT_NONE) == 0) 226 return 0; 227 return 1; 228 } 229 230 /** 231 * cap_capset - Validate and apply proposed changes to current's capabilities 232 * @new: The proposed new credentials; alterations should be made here 233 * @old: The current task's current credentials 234 * @effective: A pointer to the proposed new effective capabilities set 235 * @inheritable: A pointer to the proposed new inheritable capabilities set 236 * @permitted: A pointer to the proposed new permitted capabilities set 237 * 238 * This function validates and applies a proposed mass change to the current 239 * process's capability sets. The changes are made to the proposed new 240 * credentials, and assuming no error, will be committed by the caller of LSM. 241 */ 242 int cap_capset(struct cred *new, 243 const struct cred *old, 244 const kernel_cap_t *effective, 245 const kernel_cap_t *inheritable, 246 const kernel_cap_t *permitted) 247 { 248 if (cap_inh_is_capped() && 249 !cap_issubset(*inheritable, 250 cap_combine(old->cap_inheritable, 251 old->cap_permitted))) 252 /* incapable of using this inheritable set */ 253 return -EPERM; 254 255 if (!cap_issubset(*inheritable, 256 cap_combine(old->cap_inheritable, 257 old->cap_bset))) 258 /* no new pI capabilities outside bounding set */ 259 return -EPERM; 260 261 /* verify restrictions on target's new Permitted set */ 262 if (!cap_issubset(*permitted, old->cap_permitted)) 263 return -EPERM; 264 265 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 266 if (!cap_issubset(*effective, *permitted)) 267 return -EPERM; 268 269 new->cap_effective = *effective; 270 new->cap_inheritable = *inheritable; 271 new->cap_permitted = *permitted; 272 273 /* 274 * Mask off ambient bits that are no longer both permitted and 275 * inheritable. 276 */ 277 new->cap_ambient = cap_intersect(new->cap_ambient, 278 cap_intersect(*permitted, 279 *inheritable)); 280 if (WARN_ON(!cap_ambient_invariant_ok(new))) 281 return -EINVAL; 282 return 0; 283 } 284 285 /** 286 * cap_inode_need_killpriv - Determine if inode change affects privileges 287 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 288 * 289 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV 290 * affects the security markings on that inode, and if it is, should 291 * inode_killpriv() be invoked or the change rejected. 292 * 293 * Return: 1 if security.capability has a value, meaning inode_killpriv() 294 * is required, 0 otherwise, meaning inode_killpriv() is not required. 295 */ 296 int cap_inode_need_killpriv(struct dentry *dentry) 297 { 298 struct inode *inode = d_backing_inode(dentry); 299 int error; 300 301 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0); 302 return error > 0; 303 } 304 305 /** 306 * cap_inode_killpriv - Erase the security markings on an inode 307 * 308 * @mnt_userns: user namespace of the mount the inode was found from 309 * @dentry: The inode/dentry to alter 310 * 311 * Erase the privilege-enhancing security markings on an inode. 312 * 313 * If the inode has been found through an idmapped mount the user namespace of 314 * the vfsmount must be passed through @mnt_userns. This function will then 315 * take care to map the inode according to @mnt_userns before checking 316 * permissions. On non-idmapped mounts or if permission checking is to be 317 * performed on the raw inode simply passs init_user_ns. 318 * 319 * Return: 0 if successful, -ve on error. 320 */ 321 int cap_inode_killpriv(struct user_namespace *mnt_userns, struct dentry *dentry) 322 { 323 int error; 324 325 error = __vfs_removexattr(mnt_userns, dentry, XATTR_NAME_CAPS); 326 if (error == -EOPNOTSUPP) 327 error = 0; 328 return error; 329 } 330 331 static bool rootid_owns_currentns(vfsuid_t rootvfsuid) 332 { 333 struct user_namespace *ns; 334 kuid_t kroot; 335 336 if (!vfsuid_valid(rootvfsuid)) 337 return false; 338 339 kroot = vfsuid_into_kuid(rootvfsuid); 340 for (ns = current_user_ns();; ns = ns->parent) { 341 if (from_kuid(ns, kroot) == 0) 342 return true; 343 if (ns == &init_user_ns) 344 break; 345 } 346 347 return false; 348 } 349 350 static __u32 sansflags(__u32 m) 351 { 352 return m & ~VFS_CAP_FLAGS_EFFECTIVE; 353 } 354 355 static bool is_v2header(int size, const struct vfs_cap_data *cap) 356 { 357 if (size != XATTR_CAPS_SZ_2) 358 return false; 359 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2; 360 } 361 362 static bool is_v3header(int size, const struct vfs_cap_data *cap) 363 { 364 if (size != XATTR_CAPS_SZ_3) 365 return false; 366 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3; 367 } 368 369 /* 370 * getsecurity: We are called for security.* before any attempt to read the 371 * xattr from the inode itself. 372 * 373 * This gives us a chance to read the on-disk value and convert it. If we 374 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler. 375 * 376 * Note we are not called by vfs_getxattr_alloc(), but that is only called 377 * by the integrity subsystem, which really wants the unconverted values - 378 * so that's good. 379 */ 380 int cap_inode_getsecurity(struct user_namespace *mnt_userns, 381 struct inode *inode, const char *name, void **buffer, 382 bool alloc) 383 { 384 int size; 385 kuid_t kroot; 386 vfsuid_t vfsroot; 387 u32 nsmagic, magic; 388 uid_t root, mappedroot; 389 char *tmpbuf = NULL; 390 struct vfs_cap_data *cap; 391 struct vfs_ns_cap_data *nscap = NULL; 392 struct dentry *dentry; 393 struct user_namespace *fs_ns; 394 395 if (strcmp(name, "capability") != 0) 396 return -EOPNOTSUPP; 397 398 dentry = d_find_any_alias(inode); 399 if (!dentry) 400 return -EINVAL; 401 size = vfs_getxattr_alloc(mnt_userns, dentry, XATTR_NAME_CAPS, &tmpbuf, 402 sizeof(struct vfs_ns_cap_data), GFP_NOFS); 403 dput(dentry); 404 /* gcc11 complains if we don't check for !tmpbuf */ 405 if (size < 0 || !tmpbuf) 406 goto out_free; 407 408 fs_ns = inode->i_sb->s_user_ns; 409 cap = (struct vfs_cap_data *) tmpbuf; 410 if (is_v2header(size, cap)) { 411 root = 0; 412 } else if (is_v3header(size, cap)) { 413 nscap = (struct vfs_ns_cap_data *) tmpbuf; 414 root = le32_to_cpu(nscap->rootid); 415 } else { 416 size = -EINVAL; 417 goto out_free; 418 } 419 420 kroot = make_kuid(fs_ns, root); 421 422 /* If this is an idmapped mount shift the kuid. */ 423 vfsroot = make_vfsuid(mnt_userns, fs_ns, kroot); 424 425 /* If the root kuid maps to a valid uid in current ns, then return 426 * this as a nscap. */ 427 mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot)); 428 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) { 429 size = sizeof(struct vfs_ns_cap_data); 430 if (alloc) { 431 if (!nscap) { 432 /* v2 -> v3 conversion */ 433 nscap = kzalloc(size, GFP_ATOMIC); 434 if (!nscap) { 435 size = -ENOMEM; 436 goto out_free; 437 } 438 nsmagic = VFS_CAP_REVISION_3; 439 magic = le32_to_cpu(cap->magic_etc); 440 if (magic & VFS_CAP_FLAGS_EFFECTIVE) 441 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE; 442 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); 443 nscap->magic_etc = cpu_to_le32(nsmagic); 444 } else { 445 /* use allocated v3 buffer */ 446 tmpbuf = NULL; 447 } 448 nscap->rootid = cpu_to_le32(mappedroot); 449 *buffer = nscap; 450 } 451 goto out_free; 452 } 453 454 if (!rootid_owns_currentns(vfsroot)) { 455 size = -EOVERFLOW; 456 goto out_free; 457 } 458 459 /* This comes from a parent namespace. Return as a v2 capability */ 460 size = sizeof(struct vfs_cap_data); 461 if (alloc) { 462 if (nscap) { 463 /* v3 -> v2 conversion */ 464 cap = kzalloc(size, GFP_ATOMIC); 465 if (!cap) { 466 size = -ENOMEM; 467 goto out_free; 468 } 469 magic = VFS_CAP_REVISION_2; 470 nsmagic = le32_to_cpu(nscap->magic_etc); 471 if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE) 472 magic |= VFS_CAP_FLAGS_EFFECTIVE; 473 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); 474 cap->magic_etc = cpu_to_le32(magic); 475 } else { 476 /* use unconverted v2 */ 477 tmpbuf = NULL; 478 } 479 *buffer = cap; 480 } 481 out_free: 482 kfree(tmpbuf); 483 return size; 484 } 485 486 /** 487 * rootid_from_xattr - translate root uid of vfs caps 488 * 489 * @value: vfs caps value which may be modified by this function 490 * @size: size of @ivalue 491 * @task_ns: user namespace of the caller 492 */ 493 static vfsuid_t rootid_from_xattr(const void *value, size_t size, 494 struct user_namespace *task_ns) 495 { 496 const struct vfs_ns_cap_data *nscap = value; 497 uid_t rootid = 0; 498 499 if (size == XATTR_CAPS_SZ_3) 500 rootid = le32_to_cpu(nscap->rootid); 501 502 return VFSUIDT_INIT(make_kuid(task_ns, rootid)); 503 } 504 505 static bool validheader(size_t size, const struct vfs_cap_data *cap) 506 { 507 return is_v2header(size, cap) || is_v3header(size, cap); 508 } 509 510 /** 511 * cap_convert_nscap - check vfs caps 512 * 513 * @mnt_userns: user namespace of the mount the inode was found from 514 * @dentry: used to retrieve inode to check permissions on 515 * @ivalue: vfs caps value which may be modified by this function 516 * @size: size of @ivalue 517 * 518 * User requested a write of security.capability. If needed, update the 519 * xattr to change from v2 to v3, or to fixup the v3 rootid. 520 * 521 * If the inode has been found through an idmapped mount the user namespace of 522 * the vfsmount must be passed through @mnt_userns. This function will then 523 * take care to map the inode according to @mnt_userns before checking 524 * permissions. On non-idmapped mounts or if permission checking is to be 525 * performed on the raw inode simply passs init_user_ns. 526 * 527 * Return: On success, return the new size; on error, return < 0. 528 */ 529 int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, 530 const void **ivalue, size_t size) 531 { 532 struct vfs_ns_cap_data *nscap; 533 uid_t nsrootid; 534 const struct vfs_cap_data *cap = *ivalue; 535 __u32 magic, nsmagic; 536 struct inode *inode = d_backing_inode(dentry); 537 struct user_namespace *task_ns = current_user_ns(), 538 *fs_ns = inode->i_sb->s_user_ns; 539 kuid_t rootid; 540 vfsuid_t vfsrootid; 541 size_t newsize; 542 543 if (!*ivalue) 544 return -EINVAL; 545 if (!validheader(size, cap)) 546 return -EINVAL; 547 if (!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_SETFCAP)) 548 return -EPERM; 549 if (size == XATTR_CAPS_SZ_2 && (mnt_userns == fs_ns)) 550 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP)) 551 /* user is privileged, just write the v2 */ 552 return size; 553 554 vfsrootid = rootid_from_xattr(*ivalue, size, task_ns); 555 if (!vfsuid_valid(vfsrootid)) 556 return -EINVAL; 557 558 rootid = from_vfsuid(mnt_userns, fs_ns, vfsrootid); 559 if (!uid_valid(rootid)) 560 return -EINVAL; 561 562 nsrootid = from_kuid(fs_ns, rootid); 563 if (nsrootid == -1) 564 return -EINVAL; 565 566 newsize = sizeof(struct vfs_ns_cap_data); 567 nscap = kmalloc(newsize, GFP_ATOMIC); 568 if (!nscap) 569 return -ENOMEM; 570 nscap->rootid = cpu_to_le32(nsrootid); 571 nsmagic = VFS_CAP_REVISION_3; 572 magic = le32_to_cpu(cap->magic_etc); 573 if (magic & VFS_CAP_FLAGS_EFFECTIVE) 574 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE; 575 nscap->magic_etc = cpu_to_le32(nsmagic); 576 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); 577 578 *ivalue = nscap; 579 return newsize; 580 } 581 582 /* 583 * Calculate the new process capability sets from the capability sets attached 584 * to a file. 585 */ 586 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 587 struct linux_binprm *bprm, 588 bool *effective, 589 bool *has_fcap) 590 { 591 struct cred *new = bprm->cred; 592 unsigned i; 593 int ret = 0; 594 595 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 596 *effective = true; 597 598 if (caps->magic_etc & VFS_CAP_REVISION_MASK) 599 *has_fcap = true; 600 601 CAP_FOR_EACH_U32(i) { 602 __u32 permitted = caps->permitted.cap[i]; 603 __u32 inheritable = caps->inheritable.cap[i]; 604 605 /* 606 * pP' = (X & fP) | (pI & fI) 607 * The addition of pA' is handled later. 608 */ 609 new->cap_permitted.cap[i] = 610 (new->cap_bset.cap[i] & permitted) | 611 (new->cap_inheritable.cap[i] & inheritable); 612 613 if (permitted & ~new->cap_permitted.cap[i]) 614 /* insufficient to execute correctly */ 615 ret = -EPERM; 616 } 617 618 /* 619 * For legacy apps, with no internal support for recognizing they 620 * do not have enough capabilities, we return an error if they are 621 * missing some "forced" (aka file-permitted) capabilities. 622 */ 623 return *effective ? ret : 0; 624 } 625 626 /** 627 * get_vfs_caps_from_disk - retrieve vfs caps from disk 628 * 629 * @mnt_userns: user namespace of the mount the inode was found from 630 * @dentry: dentry from which @inode is retrieved 631 * @cpu_caps: vfs capabilities 632 * 633 * Extract the on-exec-apply capability sets for an executable file. 634 * 635 * If the inode has been found through an idmapped mount the user namespace of 636 * the vfsmount must be passed through @mnt_userns. This function will then 637 * take care to map the inode according to @mnt_userns before checking 638 * permissions. On non-idmapped mounts or if permission checking is to be 639 * performed on the raw inode simply passs init_user_ns. 640 */ 641 int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, 642 const struct dentry *dentry, 643 struct cpu_vfs_cap_data *cpu_caps) 644 { 645 struct inode *inode = d_backing_inode(dentry); 646 __u32 magic_etc; 647 unsigned tocopy, i; 648 int size; 649 struct vfs_ns_cap_data data, *nscaps = &data; 650 struct vfs_cap_data *caps = (struct vfs_cap_data *) &data; 651 kuid_t rootkuid; 652 vfsuid_t rootvfsuid; 653 struct user_namespace *fs_ns; 654 655 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 656 657 if (!inode) 658 return -ENODATA; 659 660 fs_ns = inode->i_sb->s_user_ns; 661 size = __vfs_getxattr((struct dentry *)dentry, inode, 662 XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ); 663 if (size == -ENODATA || size == -EOPNOTSUPP) 664 /* no data, that's ok */ 665 return -ENODATA; 666 667 if (size < 0) 668 return size; 669 670 if (size < sizeof(magic_etc)) 671 return -EINVAL; 672 673 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc); 674 675 rootkuid = make_kuid(fs_ns, 0); 676 switch (magic_etc & VFS_CAP_REVISION_MASK) { 677 case VFS_CAP_REVISION_1: 678 if (size != XATTR_CAPS_SZ_1) 679 return -EINVAL; 680 tocopy = VFS_CAP_U32_1; 681 break; 682 case VFS_CAP_REVISION_2: 683 if (size != XATTR_CAPS_SZ_2) 684 return -EINVAL; 685 tocopy = VFS_CAP_U32_2; 686 break; 687 case VFS_CAP_REVISION_3: 688 if (size != XATTR_CAPS_SZ_3) 689 return -EINVAL; 690 tocopy = VFS_CAP_U32_3; 691 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid)); 692 break; 693 694 default: 695 return -EINVAL; 696 } 697 698 rootvfsuid = make_vfsuid(mnt_userns, fs_ns, rootkuid); 699 if (!vfsuid_valid(rootvfsuid)) 700 return -ENODATA; 701 702 /* Limit the caps to the mounter of the filesystem 703 * or the more limited uid specified in the xattr. 704 */ 705 if (!rootid_owns_currentns(rootvfsuid)) 706 return -ENODATA; 707 708 CAP_FOR_EACH_U32(i) { 709 if (i >= tocopy) 710 break; 711 cpu_caps->permitted.cap[i] = le32_to_cpu(caps->data[i].permitted); 712 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps->data[i].inheritable); 713 } 714 715 cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; 716 cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; 717 718 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid); 719 720 return 0; 721 } 722 723 /* 724 * Attempt to get the on-exec apply capability sets for an executable file from 725 * its xattrs and, if present, apply them to the proposed credentials being 726 * constructed by execve(). 727 */ 728 static int get_file_caps(struct linux_binprm *bprm, struct file *file, 729 bool *effective, bool *has_fcap) 730 { 731 int rc = 0; 732 struct cpu_vfs_cap_data vcaps; 733 734 cap_clear(bprm->cred->cap_permitted); 735 736 if (!file_caps_enabled) 737 return 0; 738 739 if (!mnt_may_suid(file->f_path.mnt)) 740 return 0; 741 742 /* 743 * This check is redundant with mnt_may_suid() but is kept to make 744 * explicit that capability bits are limited to s_user_ns and its 745 * descendants. 746 */ 747 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns)) 748 return 0; 749 750 rc = get_vfs_caps_from_disk(file_mnt_user_ns(file), 751 file->f_path.dentry, &vcaps); 752 if (rc < 0) { 753 if (rc == -EINVAL) 754 printk(KERN_NOTICE "Invalid argument reading file caps for %s\n", 755 bprm->filename); 756 else if (rc == -ENODATA) 757 rc = 0; 758 goto out; 759 } 760 761 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap); 762 763 out: 764 if (rc) 765 cap_clear(bprm->cred->cap_permitted); 766 767 return rc; 768 } 769 770 static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); } 771 772 static inline bool __is_real(kuid_t uid, struct cred *cred) 773 { return uid_eq(cred->uid, uid); } 774 775 static inline bool __is_eff(kuid_t uid, struct cred *cred) 776 { return uid_eq(cred->euid, uid); } 777 778 static inline bool __is_suid(kuid_t uid, struct cred *cred) 779 { return !__is_real(uid, cred) && __is_eff(uid, cred); } 780 781 /* 782 * handle_privileged_root - Handle case of privileged root 783 * @bprm: The execution parameters, including the proposed creds 784 * @has_fcap: Are any file capabilities set? 785 * @effective: Do we have effective root privilege? 786 * @root_uid: This namespace' root UID WRT initial USER namespace 787 * 788 * Handle the case where root is privileged and hasn't been neutered by 789 * SECURE_NOROOT. If file capabilities are set, they won't be combined with 790 * set UID root and nothing is changed. If we are root, cap_permitted is 791 * updated. If we have become set UID root, the effective bit is set. 792 */ 793 static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap, 794 bool *effective, kuid_t root_uid) 795 { 796 const struct cred *old = current_cred(); 797 struct cred *new = bprm->cred; 798 799 if (!root_privileged()) 800 return; 801 /* 802 * If the legacy file capability is set, then don't set privs 803 * for a setuid root binary run by a non-root user. Do set it 804 * for a root user just to cause least surprise to an admin. 805 */ 806 if (has_fcap && __is_suid(root_uid, new)) { 807 warn_setuid_and_fcaps_mixed(bprm->filename); 808 return; 809 } 810 /* 811 * To support inheritance of root-permissions and suid-root 812 * executables under compatibility mode, we override the 813 * capability sets for the file. 814 */ 815 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) { 816 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 817 new->cap_permitted = cap_combine(old->cap_bset, 818 old->cap_inheritable); 819 } 820 /* 821 * If only the real uid is 0, we do not set the effective bit. 822 */ 823 if (__is_eff(root_uid, new)) 824 *effective = true; 825 } 826 827 #define __cap_gained(field, target, source) \ 828 !cap_issubset(target->cap_##field, source->cap_##field) 829 #define __cap_grew(target, source, cred) \ 830 !cap_issubset(cred->cap_##target, cred->cap_##source) 831 #define __cap_full(field, cred) \ 832 cap_issubset(CAP_FULL_SET, cred->cap_##field) 833 834 static inline bool __is_setuid(struct cred *new, const struct cred *old) 835 { return !uid_eq(new->euid, old->uid); } 836 837 static inline bool __is_setgid(struct cred *new, const struct cred *old) 838 { return !gid_eq(new->egid, old->gid); } 839 840 /* 841 * 1) Audit candidate if current->cap_effective is set 842 * 843 * We do not bother to audit if 3 things are true: 844 * 1) cap_effective has all caps 845 * 2) we became root *OR* are were already root 846 * 3) root is supposed to have all caps (SECURE_NOROOT) 847 * Since this is just a normal root execing a process. 848 * 849 * Number 1 above might fail if you don't have a full bset, but I think 850 * that is interesting information to audit. 851 * 852 * A number of other conditions require logging: 853 * 2) something prevented setuid root getting all caps 854 * 3) non-setuid root gets fcaps 855 * 4) non-setuid root gets ambient 856 */ 857 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old, 858 kuid_t root, bool has_fcap) 859 { 860 bool ret = false; 861 862 if ((__cap_grew(effective, ambient, new) && 863 !(__cap_full(effective, new) && 864 (__is_eff(root, new) || __is_real(root, new)) && 865 root_privileged())) || 866 (root_privileged() && 867 __is_suid(root, new) && 868 !__cap_full(effective, new)) || 869 (!__is_setuid(new, old) && 870 ((has_fcap && 871 __cap_gained(permitted, new, old)) || 872 __cap_gained(ambient, new, old)))) 873 874 ret = true; 875 876 return ret; 877 } 878 879 /** 880 * cap_bprm_creds_from_file - Set up the proposed credentials for execve(). 881 * @bprm: The execution parameters, including the proposed creds 882 * @file: The file to pull the credentials from 883 * 884 * Set up the proposed credentials for a new execution context being 885 * constructed by execve(). The proposed creds in @bprm->cred is altered, 886 * which won't take effect immediately. 887 * 888 * Return: 0 if successful, -ve on error. 889 */ 890 int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) 891 { 892 /* Process setpcap binaries and capabilities for uid 0 */ 893 const struct cred *old = current_cred(); 894 struct cred *new = bprm->cred; 895 bool effective = false, has_fcap = false, is_setid; 896 int ret; 897 kuid_t root_uid; 898 899 if (WARN_ON(!cap_ambient_invariant_ok(old))) 900 return -EPERM; 901 902 ret = get_file_caps(bprm, file, &effective, &has_fcap); 903 if (ret < 0) 904 return ret; 905 906 root_uid = make_kuid(new->user_ns, 0); 907 908 handle_privileged_root(bprm, has_fcap, &effective, root_uid); 909 910 /* if we have fs caps, clear dangerous personality flags */ 911 if (__cap_gained(permitted, new, old)) 912 bprm->per_clear |= PER_CLEAR_ON_SETID; 913 914 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 915 * credentials unless they have the appropriate permit. 916 * 917 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. 918 */ 919 is_setid = __is_setuid(new, old) || __is_setgid(new, old); 920 921 if ((is_setid || __cap_gained(permitted, new, old)) && 922 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) || 923 !ptracer_capable(current, new->user_ns))) { 924 /* downgrade; they get no more than they had, and maybe less */ 925 if (!ns_capable(new->user_ns, CAP_SETUID) || 926 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { 927 new->euid = new->uid; 928 new->egid = new->gid; 929 } 930 new->cap_permitted = cap_intersect(new->cap_permitted, 931 old->cap_permitted); 932 } 933 934 new->suid = new->fsuid = new->euid; 935 new->sgid = new->fsgid = new->egid; 936 937 /* File caps or setid cancels ambient. */ 938 if (has_fcap || is_setid) 939 cap_clear(new->cap_ambient); 940 941 /* 942 * Now that we've computed pA', update pP' to give: 943 * pP' = (X & fP) | (pI & fI) | pA' 944 */ 945 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); 946 947 /* 948 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set, 949 * this is the same as pE' = (fE ? pP' : 0) | pA'. 950 */ 951 if (effective) 952 new->cap_effective = new->cap_permitted; 953 else 954 new->cap_effective = new->cap_ambient; 955 956 if (WARN_ON(!cap_ambient_invariant_ok(new))) 957 return -EPERM; 958 959 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) { 960 ret = audit_log_bprm_fcaps(bprm, new, old); 961 if (ret < 0) 962 return ret; 963 } 964 965 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 966 967 if (WARN_ON(!cap_ambient_invariant_ok(new))) 968 return -EPERM; 969 970 /* Check for privilege-elevated exec. */ 971 if (is_setid || 972 (!__is_real(root_uid, new) && 973 (effective || 974 __cap_grew(permitted, ambient, new)))) 975 bprm->secureexec = 1; 976 977 return 0; 978 } 979 980 /** 981 * cap_inode_setxattr - Determine whether an xattr may be altered 982 * @dentry: The inode/dentry being altered 983 * @name: The name of the xattr to be changed 984 * @value: The value that the xattr will be changed to 985 * @size: The size of value 986 * @flags: The replacement flag 987 * 988 * Determine whether an xattr may be altered or set on an inode, returning 0 if 989 * permission is granted, -ve if denied. 990 * 991 * This is used to make sure security xattrs don't get updated or set by those 992 * who aren't privileged to do so. 993 */ 994 int cap_inode_setxattr(struct dentry *dentry, const char *name, 995 const void *value, size_t size, int flags) 996 { 997 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; 998 999 /* Ignore non-security xattrs */ 1000 if (strncmp(name, XATTR_SECURITY_PREFIX, 1001 XATTR_SECURITY_PREFIX_LEN) != 0) 1002 return 0; 1003 1004 /* 1005 * For XATTR_NAME_CAPS the check will be done in 1006 * cap_convert_nscap(), called by setxattr() 1007 */ 1008 if (strcmp(name, XATTR_NAME_CAPS) == 0) 1009 return 0; 1010 1011 if (!ns_capable(user_ns, CAP_SYS_ADMIN)) 1012 return -EPERM; 1013 return 0; 1014 } 1015 1016 /** 1017 * cap_inode_removexattr - Determine whether an xattr may be removed 1018 * 1019 * @mnt_userns: User namespace of the mount the inode was found from 1020 * @dentry: The inode/dentry being altered 1021 * @name: The name of the xattr to be changed 1022 * 1023 * Determine whether an xattr may be removed from an inode, returning 0 if 1024 * permission is granted, -ve if denied. 1025 * 1026 * If the inode has been found through an idmapped mount the user namespace of 1027 * the vfsmount must be passed through @mnt_userns. This function will then 1028 * take care to map the inode according to @mnt_userns before checking 1029 * permissions. On non-idmapped mounts or if permission checking is to be 1030 * performed on the raw inode simply passs init_user_ns. 1031 * 1032 * This is used to make sure security xattrs don't get removed by those who 1033 * aren't privileged to remove them. 1034 */ 1035 int cap_inode_removexattr(struct user_namespace *mnt_userns, 1036 struct dentry *dentry, const char *name) 1037 { 1038 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; 1039 1040 /* Ignore non-security xattrs */ 1041 if (strncmp(name, XATTR_SECURITY_PREFIX, 1042 XATTR_SECURITY_PREFIX_LEN) != 0) 1043 return 0; 1044 1045 if (strcmp(name, XATTR_NAME_CAPS) == 0) { 1046 /* security.capability gets namespaced */ 1047 struct inode *inode = d_backing_inode(dentry); 1048 if (!inode) 1049 return -EINVAL; 1050 if (!capable_wrt_inode_uidgid(mnt_userns, inode, CAP_SETFCAP)) 1051 return -EPERM; 1052 return 0; 1053 } 1054 1055 if (!ns_capable(user_ns, CAP_SYS_ADMIN)) 1056 return -EPERM; 1057 return 0; 1058 } 1059 1060 /* 1061 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 1062 * a process after a call to setuid, setreuid, or setresuid. 1063 * 1064 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 1065 * {r,e,s}uid != 0, the permitted and effective capabilities are 1066 * cleared. 1067 * 1068 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 1069 * capabilities of the process are cleared. 1070 * 1071 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 1072 * capabilities are set to the permitted capabilities. 1073 * 1074 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 1075 * never happen. 1076 * 1077 * -astor 1078 * 1079 * cevans - New behaviour, Oct '99 1080 * A process may, via prctl(), elect to keep its capabilities when it 1081 * calls setuid() and switches away from uid==0. Both permitted and 1082 * effective sets will be retained. 1083 * Without this change, it was impossible for a daemon to drop only some 1084 * of its privilege. The call to setuid(!=0) would drop all privileges! 1085 * Keeping uid 0 is not an option because uid 0 owns too many vital 1086 * files.. 1087 * Thanks to Olaf Kirch and Peter Benie for spotting this. 1088 */ 1089 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 1090 { 1091 kuid_t root_uid = make_kuid(old->user_ns, 0); 1092 1093 if ((uid_eq(old->uid, root_uid) || 1094 uid_eq(old->euid, root_uid) || 1095 uid_eq(old->suid, root_uid)) && 1096 (!uid_eq(new->uid, root_uid) && 1097 !uid_eq(new->euid, root_uid) && 1098 !uid_eq(new->suid, root_uid))) { 1099 if (!issecure(SECURE_KEEP_CAPS)) { 1100 cap_clear(new->cap_permitted); 1101 cap_clear(new->cap_effective); 1102 } 1103 1104 /* 1105 * Pre-ambient programs expect setresuid to nonroot followed 1106 * by exec to drop capabilities. We should make sure that 1107 * this remains the case. 1108 */ 1109 cap_clear(new->cap_ambient); 1110 } 1111 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) 1112 cap_clear(new->cap_effective); 1113 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) 1114 new->cap_effective = new->cap_permitted; 1115 } 1116 1117 /** 1118 * cap_task_fix_setuid - Fix up the results of setuid() call 1119 * @new: The proposed credentials 1120 * @old: The current task's current credentials 1121 * @flags: Indications of what has changed 1122 * 1123 * Fix up the results of setuid() call before the credential changes are 1124 * actually applied. 1125 * 1126 * Return: 0 to grant the changes, -ve to deny them. 1127 */ 1128 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 1129 { 1130 switch (flags) { 1131 case LSM_SETID_RE: 1132 case LSM_SETID_ID: 1133 case LSM_SETID_RES: 1134 /* juggle the capabilities to follow [RES]UID changes unless 1135 * otherwise suppressed */ 1136 if (!issecure(SECURE_NO_SETUID_FIXUP)) 1137 cap_emulate_setxuid(new, old); 1138 break; 1139 1140 case LSM_SETID_FS: 1141 /* juggle the capabilties to follow FSUID changes, unless 1142 * otherwise suppressed 1143 * 1144 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 1145 * if not, we might be a bit too harsh here. 1146 */ 1147 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 1148 kuid_t root_uid = make_kuid(old->user_ns, 0); 1149 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) 1150 new->cap_effective = 1151 cap_drop_fs_set(new->cap_effective); 1152 1153 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) 1154 new->cap_effective = 1155 cap_raise_fs_set(new->cap_effective, 1156 new->cap_permitted); 1157 } 1158 break; 1159 1160 default: 1161 return -EINVAL; 1162 } 1163 1164 return 0; 1165 } 1166 1167 /* 1168 * Rationale: code calling task_setscheduler, task_setioprio, and 1169 * task_setnice, assumes that 1170 * . if capable(cap_sys_nice), then those actions should be allowed 1171 * . if not capable(cap_sys_nice), but acting on your own processes, 1172 * then those actions should be allowed 1173 * This is insufficient now since you can call code without suid, but 1174 * yet with increased caps. 1175 * So we check for increased caps on the target process. 1176 */ 1177 static int cap_safe_nice(struct task_struct *p) 1178 { 1179 int is_subset, ret = 0; 1180 1181 rcu_read_lock(); 1182 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 1183 current_cred()->cap_permitted); 1184 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) 1185 ret = -EPERM; 1186 rcu_read_unlock(); 1187 1188 return ret; 1189 } 1190 1191 /** 1192 * cap_task_setscheduler - Detemine if scheduler policy change is permitted 1193 * @p: The task to affect 1194 * 1195 * Detemine if the requested scheduler policy change is permitted for the 1196 * specified task. 1197 * 1198 * Return: 0 if permission is granted, -ve if denied. 1199 */ 1200 int cap_task_setscheduler(struct task_struct *p) 1201 { 1202 return cap_safe_nice(p); 1203 } 1204 1205 /** 1206 * cap_task_setioprio - Detemine if I/O priority change is permitted 1207 * @p: The task to affect 1208 * @ioprio: The I/O priority to set 1209 * 1210 * Detemine if the requested I/O priority change is permitted for the specified 1211 * task. 1212 * 1213 * Return: 0 if permission is granted, -ve if denied. 1214 */ 1215 int cap_task_setioprio(struct task_struct *p, int ioprio) 1216 { 1217 return cap_safe_nice(p); 1218 } 1219 1220 /** 1221 * cap_task_setnice - Detemine if task priority change is permitted 1222 * @p: The task to affect 1223 * @nice: The nice value to set 1224 * 1225 * Detemine if the requested task priority change is permitted for the 1226 * specified task. 1227 * 1228 * Return: 0 if permission is granted, -ve if denied. 1229 */ 1230 int cap_task_setnice(struct task_struct *p, int nice) 1231 { 1232 return cap_safe_nice(p); 1233 } 1234 1235 /* 1236 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from 1237 * the current task's bounding set. Returns 0 on success, -ve on error. 1238 */ 1239 static int cap_prctl_drop(unsigned long cap) 1240 { 1241 struct cred *new; 1242 1243 if (!ns_capable(current_user_ns(), CAP_SETPCAP)) 1244 return -EPERM; 1245 if (!cap_valid(cap)) 1246 return -EINVAL; 1247 1248 new = prepare_creds(); 1249 if (!new) 1250 return -ENOMEM; 1251 cap_lower(new->cap_bset, cap); 1252 return commit_creds(new); 1253 } 1254 1255 /** 1256 * cap_task_prctl - Implement process control functions for this security module 1257 * @option: The process control function requested 1258 * @arg2: The argument data for this function 1259 * @arg3: The argument data for this function 1260 * @arg4: The argument data for this function 1261 * @arg5: The argument data for this function 1262 * 1263 * Allow process control functions (sys_prctl()) to alter capabilities; may 1264 * also deny access to other functions not otherwise implemented here. 1265 * 1266 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented 1267 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM 1268 * modules will consider performing the function. 1269 */ 1270 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 1271 unsigned long arg4, unsigned long arg5) 1272 { 1273 const struct cred *old = current_cred(); 1274 struct cred *new; 1275 1276 switch (option) { 1277 case PR_CAPBSET_READ: 1278 if (!cap_valid(arg2)) 1279 return -EINVAL; 1280 return !!cap_raised(old->cap_bset, arg2); 1281 1282 case PR_CAPBSET_DROP: 1283 return cap_prctl_drop(arg2); 1284 1285 /* 1286 * The next four prctl's remain to assist with transitioning a 1287 * system from legacy UID=0 based privilege (when filesystem 1288 * capabilities are not in use) to a system using filesystem 1289 * capabilities only - as the POSIX.1e draft intended. 1290 * 1291 * Note: 1292 * 1293 * PR_SET_SECUREBITS = 1294 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 1295 * | issecure_mask(SECURE_NOROOT) 1296 * | issecure_mask(SECURE_NOROOT_LOCKED) 1297 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 1298 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 1299 * 1300 * will ensure that the current process and all of its 1301 * children will be locked into a pure 1302 * capability-based-privilege environment. 1303 */ 1304 case PR_SET_SECUREBITS: 1305 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1) 1306 & (old->securebits ^ arg2)) /*[1]*/ 1307 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 1308 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 1309 || (cap_capable(current_cred(), 1310 current_cred()->user_ns, 1311 CAP_SETPCAP, 1312 CAP_OPT_NONE) != 0) /*[4]*/ 1313 /* 1314 * [1] no changing of bits that are locked 1315 * [2] no unlocking of locks 1316 * [3] no setting of unsupported bits 1317 * [4] doing anything requires privilege (go read about 1318 * the "sendmail capabilities bug") 1319 */ 1320 ) 1321 /* cannot change a locked bit */ 1322 return -EPERM; 1323 1324 new = prepare_creds(); 1325 if (!new) 1326 return -ENOMEM; 1327 new->securebits = arg2; 1328 return commit_creds(new); 1329 1330 case PR_GET_SECUREBITS: 1331 return old->securebits; 1332 1333 case PR_GET_KEEPCAPS: 1334 return !!issecure(SECURE_KEEP_CAPS); 1335 1336 case PR_SET_KEEPCAPS: 1337 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 1338 return -EINVAL; 1339 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 1340 return -EPERM; 1341 1342 new = prepare_creds(); 1343 if (!new) 1344 return -ENOMEM; 1345 if (arg2) 1346 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 1347 else 1348 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 1349 return commit_creds(new); 1350 1351 case PR_CAP_AMBIENT: 1352 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) { 1353 if (arg3 | arg4 | arg5) 1354 return -EINVAL; 1355 1356 new = prepare_creds(); 1357 if (!new) 1358 return -ENOMEM; 1359 cap_clear(new->cap_ambient); 1360 return commit_creds(new); 1361 } 1362 1363 if (((!cap_valid(arg3)) | arg4 | arg5)) 1364 return -EINVAL; 1365 1366 if (arg2 == PR_CAP_AMBIENT_IS_SET) { 1367 return !!cap_raised(current_cred()->cap_ambient, arg3); 1368 } else if (arg2 != PR_CAP_AMBIENT_RAISE && 1369 arg2 != PR_CAP_AMBIENT_LOWER) { 1370 return -EINVAL; 1371 } else { 1372 if (arg2 == PR_CAP_AMBIENT_RAISE && 1373 (!cap_raised(current_cred()->cap_permitted, arg3) || 1374 !cap_raised(current_cred()->cap_inheritable, 1375 arg3) || 1376 issecure(SECURE_NO_CAP_AMBIENT_RAISE))) 1377 return -EPERM; 1378 1379 new = prepare_creds(); 1380 if (!new) 1381 return -ENOMEM; 1382 if (arg2 == PR_CAP_AMBIENT_RAISE) 1383 cap_raise(new->cap_ambient, arg3); 1384 else 1385 cap_lower(new->cap_ambient, arg3); 1386 return commit_creds(new); 1387 } 1388 1389 default: 1390 /* No functionality available - continue with default */ 1391 return -ENOSYS; 1392 } 1393 } 1394 1395 /** 1396 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 1397 * @mm: The VM space in which the new mapping is to be made 1398 * @pages: The size of the mapping 1399 * 1400 * Determine whether the allocation of a new virtual mapping by the current 1401 * task is permitted. 1402 * 1403 * Return: 1 if permission is granted, 0 if not. 1404 */ 1405 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 1406 { 1407 int cap_sys_admin = 0; 1408 1409 if (cap_capable(current_cred(), &init_user_ns, 1410 CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0) 1411 cap_sys_admin = 1; 1412 1413 return cap_sys_admin; 1414 } 1415 1416 /** 1417 * cap_mmap_addr - check if able to map given addr 1418 * @addr: address attempting to be mapped 1419 * 1420 * If the process is attempting to map memory below dac_mmap_min_addr they need 1421 * CAP_SYS_RAWIO. The other parameters to this function are unused by the 1422 * capability security module. 1423 * 1424 * Return: 0 if this mapping should be allowed or -EPERM if not. 1425 */ 1426 int cap_mmap_addr(unsigned long addr) 1427 { 1428 int ret = 0; 1429 1430 if (addr < dac_mmap_min_addr) { 1431 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, 1432 CAP_OPT_NONE); 1433 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 1434 if (ret == 0) 1435 current->flags |= PF_SUPERPRIV; 1436 } 1437 return ret; 1438 } 1439 1440 int cap_mmap_file(struct file *file, unsigned long reqprot, 1441 unsigned long prot, unsigned long flags) 1442 { 1443 return 0; 1444 } 1445 1446 #ifdef CONFIG_SECURITY 1447 1448 static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { 1449 LSM_HOOK_INIT(capable, cap_capable), 1450 LSM_HOOK_INIT(settime, cap_settime), 1451 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check), 1452 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme), 1453 LSM_HOOK_INIT(capget, cap_capget), 1454 LSM_HOOK_INIT(capset, cap_capset), 1455 LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file), 1456 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv), 1457 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv), 1458 LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity), 1459 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 1460 LSM_HOOK_INIT(mmap_file, cap_mmap_file), 1461 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid), 1462 LSM_HOOK_INIT(task_prctl, cap_task_prctl), 1463 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler), 1464 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio), 1465 LSM_HOOK_INIT(task_setnice, cap_task_setnice), 1466 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory), 1467 }; 1468 1469 static int __init capability_init(void) 1470 { 1471 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), 1472 "capability"); 1473 return 0; 1474 } 1475 1476 DEFINE_LSM(capability) = { 1477 .name = "capability", 1478 .order = LSM_ORDER_FIRST, 1479 .init = capability_init, 1480 }; 1481 1482 #endif /* CONFIG_SECURITY */ 1483