1 /* Common capabilities, needed by capability.o. 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/audit.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/security.h> 16 #include <linux/file.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/pagemap.h> 20 #include <linux/swap.h> 21 #include <linux/skbuff.h> 22 #include <linux/netlink.h> 23 #include <linux/ptrace.h> 24 #include <linux/xattr.h> 25 #include <linux/hugetlb.h> 26 #include <linux/mount.h> 27 #include <linux/sched.h> 28 #include <linux/prctl.h> 29 #include <linux/securebits.h> 30 31 /* 32 * If a non-root user executes a setuid-root binary in 33 * !secure(SECURE_NOROOT) mode, then we raise capabilities. 34 * However if fE is also set, then the intent is for only 35 * the file capabilities to be applied, and the setuid-root 36 * bit is left on either to change the uid (plausible) or 37 * to get full privilege on a kernel without file capabilities 38 * support. So in that case we do not raise capabilities. 39 * 40 * Warn if that happens, once per boot. 41 */ 42 static void warn_setuid_and_fcaps_mixed(const char *fname) 43 { 44 static int warned; 45 if (!warned) { 46 printk(KERN_INFO "warning: `%s' has both setuid-root and" 47 " effective capabilities. Therefore not raising all" 48 " capabilities.\n", fname); 49 warned = 1; 50 } 51 } 52 53 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 54 { 55 return 0; 56 } 57 58 int cap_netlink_recv(struct sk_buff *skb, int cap) 59 { 60 if (!cap_raised(current_cap(), cap)) 61 return -EPERM; 62 return 0; 63 } 64 EXPORT_SYMBOL(cap_netlink_recv); 65 66 /** 67 * cap_capable - Determine whether a task has a particular effective capability 68 * @tsk: The task to query 69 * @cred: The credentials to use 70 * @cap: The capability to check for 71 * @audit: Whether to write an audit message or not 72 * 73 * Determine whether the nominated task has the specified capability amongst 74 * its effective set, returning 0 if it does, -ve if it does not. 75 * 76 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() 77 * and has_capability() functions. That is, it has the reverse semantics: 78 * cap_has_capability() returns 0 when a task has a capability, but the 79 * kernel's capable() and has_capability() returns 1 for this case. 80 */ 81 int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, 82 int audit) 83 { 84 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 85 } 86 87 /** 88 * cap_settime - Determine whether the current process may set the system clock 89 * @ts: The time to set 90 * @tz: The timezone to set 91 * 92 * Determine whether the current process may set the system clock and timezone 93 * information, returning 0 if permission granted, -ve if denied. 94 */ 95 int cap_settime(const struct timespec *ts, const struct timezone *tz) 96 { 97 if (!capable(CAP_SYS_TIME)) 98 return -EPERM; 99 return 0; 100 } 101 102 /** 103 * cap_ptrace_access_check - Determine whether the current process may access 104 * another 105 * @child: The process to be accessed 106 * @mode: The mode of attachment. 107 * 108 * Determine whether a process may access another, returning 0 if permission 109 * granted, -ve if denied. 110 */ 111 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) 112 { 113 int ret = 0; 114 115 rcu_read_lock(); 116 if (!cap_issubset(__task_cred(child)->cap_permitted, 117 current_cred()->cap_permitted) && 118 !capable(CAP_SYS_PTRACE)) 119 ret = -EPERM; 120 rcu_read_unlock(); 121 return ret; 122 } 123 124 /** 125 * cap_ptrace_traceme - Determine whether another process may trace the current 126 * @parent: The task proposed to be the tracer 127 * 128 * Determine whether the nominated task is permitted to trace the current 129 * process, returning 0 if permission is granted, -ve if denied. 130 */ 131 int cap_ptrace_traceme(struct task_struct *parent) 132 { 133 int ret = 0; 134 135 rcu_read_lock(); 136 if (!cap_issubset(current_cred()->cap_permitted, 137 __task_cred(parent)->cap_permitted) && 138 !has_capability(parent, CAP_SYS_PTRACE)) 139 ret = -EPERM; 140 rcu_read_unlock(); 141 return ret; 142 } 143 144 /** 145 * cap_capget - Retrieve a task's capability sets 146 * @target: The task from which to retrieve the capability sets 147 * @effective: The place to record the effective set 148 * @inheritable: The place to record the inheritable set 149 * @permitted: The place to record the permitted set 150 * 151 * This function retrieves the capabilities of the nominated task and returns 152 * them to the caller. 153 */ 154 int cap_capget(struct task_struct *target, kernel_cap_t *effective, 155 kernel_cap_t *inheritable, kernel_cap_t *permitted) 156 { 157 const struct cred *cred; 158 159 /* Derived from kernel/capability.c:sys_capget. */ 160 rcu_read_lock(); 161 cred = __task_cred(target); 162 *effective = cred->cap_effective; 163 *inheritable = cred->cap_inheritable; 164 *permitted = cred->cap_permitted; 165 rcu_read_unlock(); 166 return 0; 167 } 168 169 /* 170 * Determine whether the inheritable capabilities are limited to the old 171 * permitted set. Returns 1 if they are limited, 0 if they are not. 172 */ 173 static inline int cap_inh_is_capped(void) 174 { 175 176 /* they are so limited unless the current task has the CAP_SETPCAP 177 * capability 178 */ 179 if (cap_capable(current, current_cred(), CAP_SETPCAP, 180 SECURITY_CAP_AUDIT) == 0) 181 return 0; 182 return 1; 183 } 184 185 /** 186 * cap_capset - Validate and apply proposed changes to current's capabilities 187 * @new: The proposed new credentials; alterations should be made here 188 * @old: The current task's current credentials 189 * @effective: A pointer to the proposed new effective capabilities set 190 * @inheritable: A pointer to the proposed new inheritable capabilities set 191 * @permitted: A pointer to the proposed new permitted capabilities set 192 * 193 * This function validates and applies a proposed mass change to the current 194 * process's capability sets. The changes are made to the proposed new 195 * credentials, and assuming no error, will be committed by the caller of LSM. 196 */ 197 int cap_capset(struct cred *new, 198 const struct cred *old, 199 const kernel_cap_t *effective, 200 const kernel_cap_t *inheritable, 201 const kernel_cap_t *permitted) 202 { 203 if (cap_inh_is_capped() && 204 !cap_issubset(*inheritable, 205 cap_combine(old->cap_inheritable, 206 old->cap_permitted))) 207 /* incapable of using this inheritable set */ 208 return -EPERM; 209 210 if (!cap_issubset(*inheritable, 211 cap_combine(old->cap_inheritable, 212 old->cap_bset))) 213 /* no new pI capabilities outside bounding set */ 214 return -EPERM; 215 216 /* verify restrictions on target's new Permitted set */ 217 if (!cap_issubset(*permitted, old->cap_permitted)) 218 return -EPERM; 219 220 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 221 if (!cap_issubset(*effective, *permitted)) 222 return -EPERM; 223 224 new->cap_effective = *effective; 225 new->cap_inheritable = *inheritable; 226 new->cap_permitted = *permitted; 227 return 0; 228 } 229 230 /* 231 * Clear proposed capability sets for execve(). 232 */ 233 static inline void bprm_clear_caps(struct linux_binprm *bprm) 234 { 235 cap_clear(bprm->cred->cap_permitted); 236 bprm->cap_effective = false; 237 } 238 239 /** 240 * cap_inode_need_killpriv - Determine if inode change affects privileges 241 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 242 * 243 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV 244 * affects the security markings on that inode, and if it is, should 245 * inode_killpriv() be invoked or the change rejected? 246 * 247 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and 248 * -ve to deny the change. 249 */ 250 int cap_inode_need_killpriv(struct dentry *dentry) 251 { 252 struct inode *inode = dentry->d_inode; 253 int error; 254 255 if (!inode->i_op->getxattr) 256 return 0; 257 258 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 259 if (error <= 0) 260 return 0; 261 return 1; 262 } 263 264 /** 265 * cap_inode_killpriv - Erase the security markings on an inode 266 * @dentry: The inode/dentry to alter 267 * 268 * Erase the privilege-enhancing security markings on an inode. 269 * 270 * Returns 0 if successful, -ve on error. 271 */ 272 int cap_inode_killpriv(struct dentry *dentry) 273 { 274 struct inode *inode = dentry->d_inode; 275 276 if (!inode->i_op->removexattr) 277 return 0; 278 279 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 280 } 281 282 /* 283 * Calculate the new process capability sets from the capability sets attached 284 * to a file. 285 */ 286 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 287 struct linux_binprm *bprm, 288 bool *effective) 289 { 290 struct cred *new = bprm->cred; 291 unsigned i; 292 int ret = 0; 293 294 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 295 *effective = true; 296 297 CAP_FOR_EACH_U32(i) { 298 __u32 permitted = caps->permitted.cap[i]; 299 __u32 inheritable = caps->inheritable.cap[i]; 300 301 /* 302 * pP' = (X & fP) | (pI & fI) 303 */ 304 new->cap_permitted.cap[i] = 305 (new->cap_bset.cap[i] & permitted) | 306 (new->cap_inheritable.cap[i] & inheritable); 307 308 if (permitted & ~new->cap_permitted.cap[i]) 309 /* insufficient to execute correctly */ 310 ret = -EPERM; 311 } 312 313 /* 314 * For legacy apps, with no internal support for recognizing they 315 * do not have enough capabilities, we return an error if they are 316 * missing some "forced" (aka file-permitted) capabilities. 317 */ 318 return *effective ? ret : 0; 319 } 320 321 /* 322 * Extract the on-exec-apply capability sets for an executable file. 323 */ 324 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 325 { 326 struct inode *inode = dentry->d_inode; 327 __u32 magic_etc; 328 unsigned tocopy, i; 329 int size; 330 struct vfs_cap_data caps; 331 332 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 333 334 if (!inode || !inode->i_op->getxattr) 335 return -ENODATA; 336 337 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, 338 XATTR_CAPS_SZ); 339 if (size == -ENODATA || size == -EOPNOTSUPP) 340 /* no data, that's ok */ 341 return -ENODATA; 342 if (size < 0) 343 return size; 344 345 if (size < sizeof(magic_etc)) 346 return -EINVAL; 347 348 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc); 349 350 switch (magic_etc & VFS_CAP_REVISION_MASK) { 351 case VFS_CAP_REVISION_1: 352 if (size != XATTR_CAPS_SZ_1) 353 return -EINVAL; 354 tocopy = VFS_CAP_U32_1; 355 break; 356 case VFS_CAP_REVISION_2: 357 if (size != XATTR_CAPS_SZ_2) 358 return -EINVAL; 359 tocopy = VFS_CAP_U32_2; 360 break; 361 default: 362 return -EINVAL; 363 } 364 365 CAP_FOR_EACH_U32(i) { 366 if (i >= tocopy) 367 break; 368 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted); 369 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); 370 } 371 372 return 0; 373 } 374 375 /* 376 * Attempt to get the on-exec apply capability sets for an executable file from 377 * its xattrs and, if present, apply them to the proposed credentials being 378 * constructed by execve(). 379 */ 380 static int get_file_caps(struct linux_binprm *bprm, bool *effective) 381 { 382 struct dentry *dentry; 383 int rc = 0; 384 struct cpu_vfs_cap_data vcaps; 385 386 bprm_clear_caps(bprm); 387 388 if (!file_caps_enabled) 389 return 0; 390 391 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 392 return 0; 393 394 dentry = dget(bprm->file->f_dentry); 395 396 rc = get_vfs_caps_from_disk(dentry, &vcaps); 397 if (rc < 0) { 398 if (rc == -EINVAL) 399 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n", 400 __func__, rc, bprm->filename); 401 else if (rc == -ENODATA) 402 rc = 0; 403 goto out; 404 } 405 406 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective); 407 if (rc == -EINVAL) 408 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 409 __func__, rc, bprm->filename); 410 411 out: 412 dput(dentry); 413 if (rc) 414 bprm_clear_caps(bprm); 415 416 return rc; 417 } 418 419 /** 420 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 421 * @bprm: The execution parameters, including the proposed creds 422 * 423 * Set up the proposed credentials for a new execution context being 424 * constructed by execve(). The proposed creds in @bprm->cred is altered, 425 * which won't take effect immediately. Returns 0 if successful, -ve on error. 426 */ 427 int cap_bprm_set_creds(struct linux_binprm *bprm) 428 { 429 const struct cred *old = current_cred(); 430 struct cred *new = bprm->cred; 431 bool effective; 432 int ret; 433 434 effective = false; 435 ret = get_file_caps(bprm, &effective); 436 if (ret < 0) 437 return ret; 438 439 if (!issecure(SECURE_NOROOT)) { 440 /* 441 * If the legacy file capability is set, then don't set privs 442 * for a setuid root binary run by a non-root user. Do set it 443 * for a root user just to cause least surprise to an admin. 444 */ 445 if (effective && new->uid != 0 && new->euid == 0) { 446 warn_setuid_and_fcaps_mixed(bprm->filename); 447 goto skip; 448 } 449 /* 450 * To support inheritance of root-permissions and suid-root 451 * executables under compatibility mode, we override the 452 * capability sets for the file. 453 * 454 * If only the real uid is 0, we do not set the effective bit. 455 */ 456 if (new->euid == 0 || new->uid == 0) { 457 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 458 new->cap_permitted = cap_combine(old->cap_bset, 459 old->cap_inheritable); 460 } 461 if (new->euid == 0) 462 effective = true; 463 } 464 skip: 465 466 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 467 * credentials unless they have the appropriate permit 468 */ 469 if ((new->euid != old->uid || 470 new->egid != old->gid || 471 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 472 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 473 /* downgrade; they get no more than they had, and maybe less */ 474 if (!capable(CAP_SETUID)) { 475 new->euid = new->uid; 476 new->egid = new->gid; 477 } 478 new->cap_permitted = cap_intersect(new->cap_permitted, 479 old->cap_permitted); 480 } 481 482 new->suid = new->fsuid = new->euid; 483 new->sgid = new->fsgid = new->egid; 484 485 /* For init, we want to retain the capabilities set in the initial 486 * task. Thus we skip the usual capability rules 487 */ 488 if (!is_global_init(current)) { 489 if (effective) 490 new->cap_effective = new->cap_permitted; 491 else 492 cap_clear(new->cap_effective); 493 } 494 bprm->cap_effective = effective; 495 496 /* 497 * Audit candidate if current->cap_effective is set 498 * 499 * We do not bother to audit if 3 things are true: 500 * 1) cap_effective has all caps 501 * 2) we are root 502 * 3) root is supposed to have all caps (SECURE_NOROOT) 503 * Since this is just a normal root execing a process. 504 * 505 * Number 1 above might fail if you don't have a full bset, but I think 506 * that is interesting information to audit. 507 */ 508 if (!cap_isclear(new->cap_effective)) { 509 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 510 new->euid != 0 || new->uid != 0 || 511 issecure(SECURE_NOROOT)) { 512 ret = audit_log_bprm_fcaps(bprm, new, old); 513 if (ret < 0) 514 return ret; 515 } 516 } 517 518 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 519 return 0; 520 } 521 522 /** 523 * cap_bprm_secureexec - Determine whether a secure execution is required 524 * @bprm: The execution parameters 525 * 526 * Determine whether a secure execution is required, return 1 if it is, and 0 527 * if it is not. 528 * 529 * The credentials have been committed by this point, and so are no longer 530 * available through @bprm->cred. 531 */ 532 int cap_bprm_secureexec(struct linux_binprm *bprm) 533 { 534 const struct cred *cred = current_cred(); 535 536 if (cred->uid != 0) { 537 if (bprm->cap_effective) 538 return 1; 539 if (!cap_isclear(cred->cap_permitted)) 540 return 1; 541 } 542 543 return (cred->euid != cred->uid || 544 cred->egid != cred->gid); 545 } 546 547 /** 548 * cap_inode_setxattr - Determine whether an xattr may be altered 549 * @dentry: The inode/dentry being altered 550 * @name: The name of the xattr to be changed 551 * @value: The value that the xattr will be changed to 552 * @size: The size of value 553 * @flags: The replacement flag 554 * 555 * Determine whether an xattr may be altered or set on an inode, returning 0 if 556 * permission is granted, -ve if denied. 557 * 558 * This is used to make sure security xattrs don't get updated or set by those 559 * who aren't privileged to do so. 560 */ 561 int cap_inode_setxattr(struct dentry *dentry, const char *name, 562 const void *value, size_t size, int flags) 563 { 564 if (!strcmp(name, XATTR_NAME_CAPS)) { 565 if (!capable(CAP_SETFCAP)) 566 return -EPERM; 567 return 0; 568 } 569 570 if (!strncmp(name, XATTR_SECURITY_PREFIX, 571 sizeof(XATTR_SECURITY_PREFIX) - 1) && 572 !capable(CAP_SYS_ADMIN)) 573 return -EPERM; 574 return 0; 575 } 576 577 /** 578 * cap_inode_removexattr - Determine whether an xattr may be removed 579 * @dentry: The inode/dentry being altered 580 * @name: The name of the xattr to be changed 581 * 582 * Determine whether an xattr may be removed from an inode, returning 0 if 583 * permission is granted, -ve if denied. 584 * 585 * This is used to make sure security xattrs don't get removed by those who 586 * aren't privileged to remove them. 587 */ 588 int cap_inode_removexattr(struct dentry *dentry, const char *name) 589 { 590 if (!strcmp(name, XATTR_NAME_CAPS)) { 591 if (!capable(CAP_SETFCAP)) 592 return -EPERM; 593 return 0; 594 } 595 596 if (!strncmp(name, XATTR_SECURITY_PREFIX, 597 sizeof(XATTR_SECURITY_PREFIX) - 1) && 598 !capable(CAP_SYS_ADMIN)) 599 return -EPERM; 600 return 0; 601 } 602 603 /* 604 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 605 * a process after a call to setuid, setreuid, or setresuid. 606 * 607 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 608 * {r,e,s}uid != 0, the permitted and effective capabilities are 609 * cleared. 610 * 611 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 612 * capabilities of the process are cleared. 613 * 614 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 615 * capabilities are set to the permitted capabilities. 616 * 617 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 618 * never happen. 619 * 620 * -astor 621 * 622 * cevans - New behaviour, Oct '99 623 * A process may, via prctl(), elect to keep its capabilities when it 624 * calls setuid() and switches away from uid==0. Both permitted and 625 * effective sets will be retained. 626 * Without this change, it was impossible for a daemon to drop only some 627 * of its privilege. The call to setuid(!=0) would drop all privileges! 628 * Keeping uid 0 is not an option because uid 0 owns too many vital 629 * files.. 630 * Thanks to Olaf Kirch and Peter Benie for spotting this. 631 */ 632 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 633 { 634 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) && 635 (new->uid != 0 && new->euid != 0 && new->suid != 0) && 636 !issecure(SECURE_KEEP_CAPS)) { 637 cap_clear(new->cap_permitted); 638 cap_clear(new->cap_effective); 639 } 640 if (old->euid == 0 && new->euid != 0) 641 cap_clear(new->cap_effective); 642 if (old->euid != 0 && new->euid == 0) 643 new->cap_effective = new->cap_permitted; 644 } 645 646 /** 647 * cap_task_fix_setuid - Fix up the results of setuid() call 648 * @new: The proposed credentials 649 * @old: The current task's current credentials 650 * @flags: Indications of what has changed 651 * 652 * Fix up the results of setuid() call before the credential changes are 653 * actually applied, returning 0 to grant the changes, -ve to deny them. 654 */ 655 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 656 { 657 switch (flags) { 658 case LSM_SETID_RE: 659 case LSM_SETID_ID: 660 case LSM_SETID_RES: 661 /* juggle the capabilities to follow [RES]UID changes unless 662 * otherwise suppressed */ 663 if (!issecure(SECURE_NO_SETUID_FIXUP)) 664 cap_emulate_setxuid(new, old); 665 break; 666 667 case LSM_SETID_FS: 668 /* juggle the capabilties to follow FSUID changes, unless 669 * otherwise suppressed 670 * 671 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 672 * if not, we might be a bit too harsh here. 673 */ 674 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 675 if (old->fsuid == 0 && new->fsuid != 0) 676 new->cap_effective = 677 cap_drop_fs_set(new->cap_effective); 678 679 if (old->fsuid != 0 && new->fsuid == 0) 680 new->cap_effective = 681 cap_raise_fs_set(new->cap_effective, 682 new->cap_permitted); 683 } 684 break; 685 686 default: 687 return -EINVAL; 688 } 689 690 return 0; 691 } 692 693 /* 694 * Rationale: code calling task_setscheduler, task_setioprio, and 695 * task_setnice, assumes that 696 * . if capable(cap_sys_nice), then those actions should be allowed 697 * . if not capable(cap_sys_nice), but acting on your own processes, 698 * then those actions should be allowed 699 * This is insufficient now since you can call code without suid, but 700 * yet with increased caps. 701 * So we check for increased caps on the target process. 702 */ 703 static int cap_safe_nice(struct task_struct *p) 704 { 705 int is_subset; 706 707 rcu_read_lock(); 708 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 709 current_cred()->cap_permitted); 710 rcu_read_unlock(); 711 712 if (!is_subset && !capable(CAP_SYS_NICE)) 713 return -EPERM; 714 return 0; 715 } 716 717 /** 718 * cap_task_setscheduler - Detemine if scheduler policy change is permitted 719 * @p: The task to affect 720 * 721 * Detemine if the requested scheduler policy change is permitted for the 722 * specified task, returning 0 if permission is granted, -ve if denied. 723 */ 724 int cap_task_setscheduler(struct task_struct *p) 725 { 726 return cap_safe_nice(p); 727 } 728 729 /** 730 * cap_task_ioprio - Detemine if I/O priority change is permitted 731 * @p: The task to affect 732 * @ioprio: The I/O priority to set 733 * 734 * Detemine if the requested I/O priority change is permitted for the specified 735 * task, returning 0 if permission is granted, -ve if denied. 736 */ 737 int cap_task_setioprio(struct task_struct *p, int ioprio) 738 { 739 return cap_safe_nice(p); 740 } 741 742 /** 743 * cap_task_ioprio - Detemine if task priority change is permitted 744 * @p: The task to affect 745 * @nice: The nice value to set 746 * 747 * Detemine if the requested task priority change is permitted for the 748 * specified task, returning 0 if permission is granted, -ve if denied. 749 */ 750 int cap_task_setnice(struct task_struct *p, int nice) 751 { 752 return cap_safe_nice(p); 753 } 754 755 /* 756 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from 757 * the current task's bounding set. Returns 0 on success, -ve on error. 758 */ 759 static long cap_prctl_drop(struct cred *new, unsigned long cap) 760 { 761 if (!capable(CAP_SETPCAP)) 762 return -EPERM; 763 if (!cap_valid(cap)) 764 return -EINVAL; 765 766 cap_lower(new->cap_bset, cap); 767 return 0; 768 } 769 770 /** 771 * cap_task_prctl - Implement process control functions for this security module 772 * @option: The process control function requested 773 * @arg2, @arg3, @arg4, @arg5: The argument data for this function 774 * 775 * Allow process control functions (sys_prctl()) to alter capabilities; may 776 * also deny access to other functions not otherwise implemented here. 777 * 778 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented 779 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM 780 * modules will consider performing the function. 781 */ 782 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 783 unsigned long arg4, unsigned long arg5) 784 { 785 struct cred *new; 786 long error = 0; 787 788 new = prepare_creds(); 789 if (!new) 790 return -ENOMEM; 791 792 switch (option) { 793 case PR_CAPBSET_READ: 794 error = -EINVAL; 795 if (!cap_valid(arg2)) 796 goto error; 797 error = !!cap_raised(new->cap_bset, arg2); 798 goto no_change; 799 800 case PR_CAPBSET_DROP: 801 error = cap_prctl_drop(new, arg2); 802 if (error < 0) 803 goto error; 804 goto changed; 805 806 /* 807 * The next four prctl's remain to assist with transitioning a 808 * system from legacy UID=0 based privilege (when filesystem 809 * capabilities are not in use) to a system using filesystem 810 * capabilities only - as the POSIX.1e draft intended. 811 * 812 * Note: 813 * 814 * PR_SET_SECUREBITS = 815 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 816 * | issecure_mask(SECURE_NOROOT) 817 * | issecure_mask(SECURE_NOROOT_LOCKED) 818 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 819 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 820 * 821 * will ensure that the current process and all of its 822 * children will be locked into a pure 823 * capability-based-privilege environment. 824 */ 825 case PR_SET_SECUREBITS: 826 error = -EPERM; 827 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1) 828 & (new->securebits ^ arg2)) /*[1]*/ 829 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 830 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 831 || (cap_capable(current, current_cred(), CAP_SETPCAP, 832 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 833 /* 834 * [1] no changing of bits that are locked 835 * [2] no unlocking of locks 836 * [3] no setting of unsupported bits 837 * [4] doing anything requires privilege (go read about 838 * the "sendmail capabilities bug") 839 */ 840 ) 841 /* cannot change a locked bit */ 842 goto error; 843 new->securebits = arg2; 844 goto changed; 845 846 case PR_GET_SECUREBITS: 847 error = new->securebits; 848 goto no_change; 849 850 case PR_GET_KEEPCAPS: 851 if (issecure(SECURE_KEEP_CAPS)) 852 error = 1; 853 goto no_change; 854 855 case PR_SET_KEEPCAPS: 856 error = -EINVAL; 857 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 858 goto error; 859 error = -EPERM; 860 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 861 goto error; 862 if (arg2) 863 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 864 else 865 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 866 goto changed; 867 868 default: 869 /* No functionality available - continue with default */ 870 error = -ENOSYS; 871 goto error; 872 } 873 874 /* Functionality provided */ 875 changed: 876 return commit_creds(new); 877 878 no_change: 879 error: 880 abort_creds(new); 881 return error; 882 } 883 884 /** 885 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 886 * @mm: The VM space in which the new mapping is to be made 887 * @pages: The size of the mapping 888 * 889 * Determine whether the allocation of a new virtual mapping by the current 890 * task is permitted, returning 0 if permission is granted, -ve if not. 891 */ 892 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 893 { 894 int cap_sys_admin = 0; 895 896 if (cap_capable(current, current_cred(), CAP_SYS_ADMIN, 897 SECURITY_CAP_NOAUDIT) == 0) 898 cap_sys_admin = 1; 899 return __vm_enough_memory(mm, pages, cap_sys_admin); 900 } 901 902 /* 903 * cap_file_mmap - check if able to map given addr 904 * @file: unused 905 * @reqprot: unused 906 * @prot: unused 907 * @flags: unused 908 * @addr: address attempting to be mapped 909 * @addr_only: unused 910 * 911 * If the process is attempting to map memory below dac_mmap_min_addr they need 912 * CAP_SYS_RAWIO. The other parameters to this function are unused by the 913 * capability security module. Returns 0 if this mapping should be allowed 914 * -EPERM if not. 915 */ 916 int cap_file_mmap(struct file *file, unsigned long reqprot, 917 unsigned long prot, unsigned long flags, 918 unsigned long addr, unsigned long addr_only) 919 { 920 int ret = 0; 921 922 if (addr < dac_mmap_min_addr) { 923 ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, 924 SECURITY_CAP_AUDIT); 925 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 926 if (ret == 0) 927 current->flags |= PF_SUPERPRIV; 928 } 929 return ret; 930 } 931