1 /* Common capabilities, needed by capability.o and root_plug.o 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/module.h> 12 #include <linux/init.h> 13 #include <linux/kernel.h> 14 #include <linux/security.h> 15 #include <linux/file.h> 16 #include <linux/mm.h> 17 #include <linux/mman.h> 18 #include <linux/pagemap.h> 19 #include <linux/swap.h> 20 #include <linux/skbuff.h> 21 #include <linux/netlink.h> 22 #include <linux/ptrace.h> 23 #include <linux/xattr.h> 24 #include <linux/hugetlb.h> 25 #include <linux/mount.h> 26 27 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 28 /* 29 * Because of the reduced scope of CAP_SETPCAP when filesystem 30 * capabilities are in effect, it is safe to allow this capability to 31 * be available in the default configuration. 32 */ 33 # define CAP_INIT_BSET CAP_FULL_SET 34 #else /* ie. ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 35 # define CAP_INIT_BSET CAP_INIT_EFF_SET 36 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 37 38 kernel_cap_t cap_bset = CAP_INIT_BSET; /* systemwide capability bound */ 39 EXPORT_SYMBOL(cap_bset); 40 41 /* Global security state */ 42 43 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ 44 EXPORT_SYMBOL(securebits); 45 46 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 47 { 48 NETLINK_CB(skb).eff_cap = current->cap_effective; 49 return 0; 50 } 51 52 int cap_netlink_recv(struct sk_buff *skb, int cap) 53 { 54 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 55 return -EPERM; 56 return 0; 57 } 58 59 EXPORT_SYMBOL(cap_netlink_recv); 60 61 int cap_capable (struct task_struct *tsk, int cap) 62 { 63 /* Derived from include/linux/sched.h:capable. */ 64 if (cap_raised(tsk->cap_effective, cap)) 65 return 0; 66 return -EPERM; 67 } 68 69 int cap_settime(struct timespec *ts, struct timezone *tz) 70 { 71 if (!capable(CAP_SYS_TIME)) 72 return -EPERM; 73 return 0; 74 } 75 76 int cap_ptrace (struct task_struct *parent, struct task_struct *child) 77 { 78 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 79 if (!cap_issubset(child->cap_permitted, parent->cap_permitted) && 80 !__capable(parent, CAP_SYS_PTRACE)) 81 return -EPERM; 82 return 0; 83 } 84 85 int cap_capget (struct task_struct *target, kernel_cap_t *effective, 86 kernel_cap_t *inheritable, kernel_cap_t *permitted) 87 { 88 /* Derived from kernel/capability.c:sys_capget. */ 89 *effective = cap_t (target->cap_effective); 90 *inheritable = cap_t (target->cap_inheritable); 91 *permitted = cap_t (target->cap_permitted); 92 return 0; 93 } 94 95 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 96 97 static inline int cap_block_setpcap(struct task_struct *target) 98 { 99 /* 100 * No support for remote process capability manipulation with 101 * filesystem capability support. 102 */ 103 return (target != current); 104 } 105 106 static inline int cap_inh_is_capped(void) 107 { 108 /* 109 * return 1 if changes to the inheritable set are limited 110 * to the old permitted set. 111 */ 112 return !cap_capable(current, CAP_SETPCAP); 113 } 114 115 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 116 117 static inline int cap_block_setpcap(struct task_struct *t) { return 0; } 118 static inline int cap_inh_is_capped(void) { return 1; } 119 120 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 121 122 int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 123 kernel_cap_t *inheritable, kernel_cap_t *permitted) 124 { 125 if (cap_block_setpcap(target)) { 126 return -EPERM; 127 } 128 if (cap_inh_is_capped() 129 && !cap_issubset(*inheritable, 130 cap_combine(target->cap_inheritable, 131 current->cap_permitted))) { 132 /* incapable of using this inheritable set */ 133 return -EPERM; 134 } 135 136 /* verify restrictions on target's new Permitted set */ 137 if (!cap_issubset (*permitted, 138 cap_combine (target->cap_permitted, 139 current->cap_permitted))) { 140 return -EPERM; 141 } 142 143 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 144 if (!cap_issubset (*effective, *permitted)) { 145 return -EPERM; 146 } 147 148 return 0; 149 } 150 151 void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 152 kernel_cap_t *inheritable, kernel_cap_t *permitted) 153 { 154 target->cap_effective = *effective; 155 target->cap_inheritable = *inheritable; 156 target->cap_permitted = *permitted; 157 } 158 159 static inline void bprm_clear_caps(struct linux_binprm *bprm) 160 { 161 cap_clear(bprm->cap_inheritable); 162 cap_clear(bprm->cap_permitted); 163 bprm->cap_effective = false; 164 } 165 166 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 167 168 int cap_inode_need_killpriv(struct dentry *dentry) 169 { 170 struct inode *inode = dentry->d_inode; 171 int error; 172 173 if (!inode->i_op || !inode->i_op->getxattr) 174 return 0; 175 176 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 177 if (error <= 0) 178 return 0; 179 return 1; 180 } 181 182 int cap_inode_killpriv(struct dentry *dentry) 183 { 184 struct inode *inode = dentry->d_inode; 185 186 if (!inode->i_op || !inode->i_op->removexattr) 187 return 0; 188 189 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 190 } 191 192 static inline int cap_from_disk(__le32 *caps, struct linux_binprm *bprm, 193 int size) 194 { 195 __u32 magic_etc; 196 197 if (size != XATTR_CAPS_SZ) 198 return -EINVAL; 199 200 magic_etc = le32_to_cpu(caps[0]); 201 202 switch ((magic_etc & VFS_CAP_REVISION_MASK)) { 203 case VFS_CAP_REVISION: 204 if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 205 bprm->cap_effective = true; 206 else 207 bprm->cap_effective = false; 208 bprm->cap_permitted = to_cap_t( le32_to_cpu(caps[1]) ); 209 bprm->cap_inheritable = to_cap_t( le32_to_cpu(caps[2]) ); 210 return 0; 211 default: 212 return -EINVAL; 213 } 214 } 215 216 /* Locate any VFS capabilities: */ 217 static int get_file_caps(struct linux_binprm *bprm) 218 { 219 struct dentry *dentry; 220 int rc = 0; 221 __le32 v1caps[XATTR_CAPS_SZ]; 222 struct inode *inode; 223 224 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) { 225 bprm_clear_caps(bprm); 226 return 0; 227 } 228 229 dentry = dget(bprm->file->f_dentry); 230 inode = dentry->d_inode; 231 if (!inode->i_op || !inode->i_op->getxattr) 232 goto out; 233 234 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &v1caps, 235 XATTR_CAPS_SZ); 236 if (rc == -ENODATA || rc == -EOPNOTSUPP) { 237 /* no data, that's ok */ 238 rc = 0; 239 goto out; 240 } 241 if (rc < 0) 242 goto out; 243 244 rc = cap_from_disk(v1caps, bprm, rc); 245 if (rc) 246 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 247 __FUNCTION__, rc, bprm->filename); 248 249 out: 250 dput(dentry); 251 if (rc) 252 bprm_clear_caps(bprm); 253 254 return rc; 255 } 256 257 #else 258 int cap_inode_need_killpriv(struct dentry *dentry) 259 { 260 return 0; 261 } 262 263 int cap_inode_killpriv(struct dentry *dentry) 264 { 265 return 0; 266 } 267 268 static inline int get_file_caps(struct linux_binprm *bprm) 269 { 270 bprm_clear_caps(bprm); 271 return 0; 272 } 273 #endif 274 275 int cap_bprm_set_security (struct linux_binprm *bprm) 276 { 277 int ret; 278 279 ret = get_file_caps(bprm); 280 if (ret) 281 printk(KERN_NOTICE "%s: get_file_caps returned %d for %s\n", 282 __FUNCTION__, ret, bprm->filename); 283 284 /* To support inheritance of root-permissions and suid-root 285 * executables under compatibility mode, we raise all three 286 * capability sets for the file. 287 * 288 * If only the real uid is 0, we only raise the inheritable 289 * and permitted sets of the executable file. 290 */ 291 292 if (!issecure (SECURE_NOROOT)) { 293 if (bprm->e_uid == 0 || current->uid == 0) { 294 cap_set_full (bprm->cap_inheritable); 295 cap_set_full (bprm->cap_permitted); 296 } 297 if (bprm->e_uid == 0) 298 bprm->cap_effective = true; 299 } 300 301 return ret; 302 } 303 304 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 305 { 306 /* Derived from fs/exec.c:compute_creds. */ 307 kernel_cap_t new_permitted, working; 308 309 new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); 310 working = cap_intersect (bprm->cap_inheritable, 311 current->cap_inheritable); 312 new_permitted = cap_combine (new_permitted, working); 313 314 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 315 !cap_issubset (new_permitted, current->cap_permitted)) { 316 set_dumpable(current->mm, suid_dumpable); 317 current->pdeath_signal = 0; 318 319 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 320 if (!capable(CAP_SETUID)) { 321 bprm->e_uid = current->uid; 322 bprm->e_gid = current->gid; 323 } 324 if (!capable (CAP_SETPCAP)) { 325 new_permitted = cap_intersect (new_permitted, 326 current->cap_permitted); 327 } 328 } 329 } 330 331 current->suid = current->euid = current->fsuid = bprm->e_uid; 332 current->sgid = current->egid = current->fsgid = bprm->e_gid; 333 334 /* For init, we want to retain the capabilities set 335 * in the init_task struct. Thus we skip the usual 336 * capability rules */ 337 if (!is_init(current)) { 338 current->cap_permitted = new_permitted; 339 current->cap_effective = bprm->cap_effective ? 340 new_permitted : 0; 341 } 342 343 /* AUD: Audit candidate if current->cap_effective is set */ 344 345 current->keep_capabilities = 0; 346 } 347 348 int cap_bprm_secureexec (struct linux_binprm *bprm) 349 { 350 if (current->uid != 0) { 351 if (bprm->cap_effective) 352 return 1; 353 if (!cap_isclear(bprm->cap_permitted)) 354 return 1; 355 if (!cap_isclear(bprm->cap_inheritable)) 356 return 1; 357 } 358 359 return (current->euid != current->uid || 360 current->egid != current->gid); 361 } 362 363 int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, 364 size_t size, int flags) 365 { 366 if (!strcmp(name, XATTR_NAME_CAPS)) { 367 if (!capable(CAP_SETFCAP)) 368 return -EPERM; 369 return 0; 370 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 371 sizeof(XATTR_SECURITY_PREFIX) - 1) && 372 !capable(CAP_SYS_ADMIN)) 373 return -EPERM; 374 return 0; 375 } 376 377 int cap_inode_removexattr(struct dentry *dentry, char *name) 378 { 379 if (!strcmp(name, XATTR_NAME_CAPS)) { 380 if (!capable(CAP_SETFCAP)) 381 return -EPERM; 382 return 0; 383 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 384 sizeof(XATTR_SECURITY_PREFIX) - 1) && 385 !capable(CAP_SYS_ADMIN)) 386 return -EPERM; 387 return 0; 388 } 389 390 /* moved from kernel/sys.c. */ 391 /* 392 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 393 * a process after a call to setuid, setreuid, or setresuid. 394 * 395 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 396 * {r,e,s}uid != 0, the permitted and effective capabilities are 397 * cleared. 398 * 399 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 400 * capabilities of the process are cleared. 401 * 402 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 403 * capabilities are set to the permitted capabilities. 404 * 405 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 406 * never happen. 407 * 408 * -astor 409 * 410 * cevans - New behaviour, Oct '99 411 * A process may, via prctl(), elect to keep its capabilities when it 412 * calls setuid() and switches away from uid==0. Both permitted and 413 * effective sets will be retained. 414 * Without this change, it was impossible for a daemon to drop only some 415 * of its privilege. The call to setuid(!=0) would drop all privileges! 416 * Keeping uid 0 is not an option because uid 0 owns too many vital 417 * files.. 418 * Thanks to Olaf Kirch and Peter Benie for spotting this. 419 */ 420 static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 421 int old_suid) 422 { 423 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 424 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 425 !current->keep_capabilities) { 426 cap_clear (current->cap_permitted); 427 cap_clear (current->cap_effective); 428 } 429 if (old_euid == 0 && current->euid != 0) { 430 cap_clear (current->cap_effective); 431 } 432 if (old_euid != 0 && current->euid == 0) { 433 current->cap_effective = current->cap_permitted; 434 } 435 } 436 437 int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 438 int flags) 439 { 440 switch (flags) { 441 case LSM_SETID_RE: 442 case LSM_SETID_ID: 443 case LSM_SETID_RES: 444 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 445 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 446 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 447 } 448 break; 449 case LSM_SETID_FS: 450 { 451 uid_t old_fsuid = old_ruid; 452 453 /* Copied from kernel/sys.c:setfsuid. */ 454 455 /* 456 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 457 * if not, we might be a bit too harsh here. 458 */ 459 460 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 461 if (old_fsuid == 0 && current->fsuid != 0) { 462 cap_t (current->cap_effective) &= 463 ~CAP_FS_MASK; 464 } 465 if (old_fsuid != 0 && current->fsuid == 0) { 466 cap_t (current->cap_effective) |= 467 (cap_t (current->cap_permitted) & 468 CAP_FS_MASK); 469 } 470 } 471 break; 472 } 473 default: 474 return -EINVAL; 475 } 476 477 return 0; 478 } 479 480 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 481 /* 482 * Rationale: code calling task_setscheduler, task_setioprio, and 483 * task_setnice, assumes that 484 * . if capable(cap_sys_nice), then those actions should be allowed 485 * . if not capable(cap_sys_nice), but acting on your own processes, 486 * then those actions should be allowed 487 * This is insufficient now since you can call code without suid, but 488 * yet with increased caps. 489 * So we check for increased caps on the target process. 490 */ 491 static inline int cap_safe_nice(struct task_struct *p) 492 { 493 if (!cap_issubset(p->cap_permitted, current->cap_permitted) && 494 !__capable(current, CAP_SYS_NICE)) 495 return -EPERM; 496 return 0; 497 } 498 499 int cap_task_setscheduler (struct task_struct *p, int policy, 500 struct sched_param *lp) 501 { 502 return cap_safe_nice(p); 503 } 504 505 int cap_task_setioprio (struct task_struct *p, int ioprio) 506 { 507 return cap_safe_nice(p); 508 } 509 510 int cap_task_setnice (struct task_struct *p, int nice) 511 { 512 return cap_safe_nice(p); 513 } 514 515 int cap_task_kill(struct task_struct *p, struct siginfo *info, 516 int sig, u32 secid) 517 { 518 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 519 return 0; 520 521 if (secid) 522 /* 523 * Signal sent as a particular user. 524 * Capabilities are ignored. May be wrong, but it's the 525 * only thing we can do at the moment. 526 * Used only by usb drivers? 527 */ 528 return 0; 529 if (cap_issubset(p->cap_permitted, current->cap_permitted)) 530 return 0; 531 if (capable(CAP_KILL)) 532 return 0; 533 534 return -EPERM; 535 } 536 #else 537 int cap_task_setscheduler (struct task_struct *p, int policy, 538 struct sched_param *lp) 539 { 540 return 0; 541 } 542 int cap_task_setioprio (struct task_struct *p, int ioprio) 543 { 544 return 0; 545 } 546 int cap_task_setnice (struct task_struct *p, int nice) 547 { 548 return 0; 549 } 550 int cap_task_kill(struct task_struct *p, struct siginfo *info, 551 int sig, u32 secid) 552 { 553 return 0; 554 } 555 #endif 556 557 void cap_task_reparent_to_init (struct task_struct *p) 558 { 559 p->cap_effective = CAP_INIT_EFF_SET; 560 p->cap_inheritable = CAP_INIT_INH_SET; 561 p->cap_permitted = CAP_FULL_SET; 562 p->keep_capabilities = 0; 563 return; 564 } 565 566 int cap_syslog (int type) 567 { 568 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 569 return -EPERM; 570 return 0; 571 } 572 573 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 574 { 575 int cap_sys_admin = 0; 576 577 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 578 cap_sys_admin = 1; 579 return __vm_enough_memory(mm, pages, cap_sys_admin); 580 } 581 582