1 /* Common capabilities, needed by capability.o and root_plug.o 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/config.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/security.h> 16 #include <linux/file.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/pagemap.h> 20 #include <linux/swap.h> 21 #include <linux/smp_lock.h> 22 #include <linux/skbuff.h> 23 #include <linux/netlink.h> 24 #include <linux/ptrace.h> 25 #include <linux/xattr.h> 26 #include <linux/hugetlb.h> 27 28 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 29 { 30 NETLINK_CB(skb).eff_cap = current->cap_effective; 31 return 0; 32 } 33 34 EXPORT_SYMBOL(cap_netlink_send); 35 36 int cap_netlink_recv(struct sk_buff *skb) 37 { 38 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) 39 return -EPERM; 40 return 0; 41 } 42 43 EXPORT_SYMBOL(cap_netlink_recv); 44 45 int cap_capable (struct task_struct *tsk, int cap) 46 { 47 /* Derived from include/linux/sched.h:capable. */ 48 if (cap_raised(tsk->cap_effective, cap)) 49 return 0; 50 return -EPERM; 51 } 52 53 int cap_settime(struct timespec *ts, struct timezone *tz) 54 { 55 if (!capable(CAP_SYS_TIME)) 56 return -EPERM; 57 return 0; 58 } 59 60 int cap_ptrace (struct task_struct *parent, struct task_struct *child) 61 { 62 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 63 if (!cap_issubset (child->cap_permitted, current->cap_permitted) && 64 !capable(CAP_SYS_PTRACE)) 65 return -EPERM; 66 return 0; 67 } 68 69 int cap_capget (struct task_struct *target, kernel_cap_t *effective, 70 kernel_cap_t *inheritable, kernel_cap_t *permitted) 71 { 72 /* Derived from kernel/capability.c:sys_capget. */ 73 *effective = cap_t (target->cap_effective); 74 *inheritable = cap_t (target->cap_inheritable); 75 *permitted = cap_t (target->cap_permitted); 76 return 0; 77 } 78 79 int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 80 kernel_cap_t *inheritable, kernel_cap_t *permitted) 81 { 82 /* Derived from kernel/capability.c:sys_capset. */ 83 /* verify restrictions on target's new Inheritable set */ 84 if (!cap_issubset (*inheritable, 85 cap_combine (target->cap_inheritable, 86 current->cap_permitted))) { 87 return -EPERM; 88 } 89 90 /* verify restrictions on target's new Permitted set */ 91 if (!cap_issubset (*permitted, 92 cap_combine (target->cap_permitted, 93 current->cap_permitted))) { 94 return -EPERM; 95 } 96 97 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 98 if (!cap_issubset (*effective, *permitted)) { 99 return -EPERM; 100 } 101 102 return 0; 103 } 104 105 void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 106 kernel_cap_t *inheritable, kernel_cap_t *permitted) 107 { 108 target->cap_effective = *effective; 109 target->cap_inheritable = *inheritable; 110 target->cap_permitted = *permitted; 111 } 112 113 int cap_bprm_set_security (struct linux_binprm *bprm) 114 { 115 /* Copied from fs/exec.c:prepare_binprm. */ 116 117 /* We don't have VFS support for capabilities yet */ 118 cap_clear (bprm->cap_inheritable); 119 cap_clear (bprm->cap_permitted); 120 cap_clear (bprm->cap_effective); 121 122 /* To support inheritance of root-permissions and suid-root 123 * executables under compatibility mode, we raise all three 124 * capability sets for the file. 125 * 126 * If only the real uid is 0, we only raise the inheritable 127 * and permitted sets of the executable file. 128 */ 129 130 if (!issecure (SECURE_NOROOT)) { 131 if (bprm->e_uid == 0 || current->uid == 0) { 132 cap_set_full (bprm->cap_inheritable); 133 cap_set_full (bprm->cap_permitted); 134 } 135 if (bprm->e_uid == 0) 136 cap_set_full (bprm->cap_effective); 137 } 138 return 0; 139 } 140 141 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 142 { 143 /* Derived from fs/exec.c:compute_creds. */ 144 kernel_cap_t new_permitted, working; 145 146 new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); 147 working = cap_intersect (bprm->cap_inheritable, 148 current->cap_inheritable); 149 new_permitted = cap_combine (new_permitted, working); 150 151 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 152 !cap_issubset (new_permitted, current->cap_permitted)) { 153 current->mm->dumpable = suid_dumpable; 154 155 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 156 if (!capable(CAP_SETUID)) { 157 bprm->e_uid = current->uid; 158 bprm->e_gid = current->gid; 159 } 160 if (!capable (CAP_SETPCAP)) { 161 new_permitted = cap_intersect (new_permitted, 162 current->cap_permitted); 163 } 164 } 165 } 166 167 current->suid = current->euid = current->fsuid = bprm->e_uid; 168 current->sgid = current->egid = current->fsgid = bprm->e_gid; 169 170 /* For init, we want to retain the capabilities set 171 * in the init_task struct. Thus we skip the usual 172 * capability rules */ 173 if (current->pid != 1) { 174 current->cap_permitted = new_permitted; 175 current->cap_effective = 176 cap_intersect (new_permitted, bprm->cap_effective); 177 } 178 179 /* AUD: Audit candidate if current->cap_effective is set */ 180 181 current->keep_capabilities = 0; 182 } 183 184 int cap_bprm_secureexec (struct linux_binprm *bprm) 185 { 186 /* If/when this module is enhanced to incorporate capability 187 bits on files, the test below should be extended to also perform a 188 test between the old and new capability sets. For now, 189 it simply preserves the legacy decision algorithm used by 190 the old userland. */ 191 return (current->euid != current->uid || 192 current->egid != current->gid); 193 } 194 195 int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, 196 size_t size, int flags) 197 { 198 if (!strncmp(name, XATTR_SECURITY_PREFIX, 199 sizeof(XATTR_SECURITY_PREFIX) - 1) && 200 !capable(CAP_SYS_ADMIN)) 201 return -EPERM; 202 return 0; 203 } 204 205 int cap_inode_removexattr(struct dentry *dentry, char *name) 206 { 207 if (!strncmp(name, XATTR_SECURITY_PREFIX, 208 sizeof(XATTR_SECURITY_PREFIX) - 1) && 209 !capable(CAP_SYS_ADMIN)) 210 return -EPERM; 211 return 0; 212 } 213 214 /* moved from kernel/sys.c. */ 215 /* 216 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 217 * a process after a call to setuid, setreuid, or setresuid. 218 * 219 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 220 * {r,e,s}uid != 0, the permitted and effective capabilities are 221 * cleared. 222 * 223 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 224 * capabilities of the process are cleared. 225 * 226 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 227 * capabilities are set to the permitted capabilities. 228 * 229 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 230 * never happen. 231 * 232 * -astor 233 * 234 * cevans - New behaviour, Oct '99 235 * A process may, via prctl(), elect to keep its capabilities when it 236 * calls setuid() and switches away from uid==0. Both permitted and 237 * effective sets will be retained. 238 * Without this change, it was impossible for a daemon to drop only some 239 * of its privilege. The call to setuid(!=0) would drop all privileges! 240 * Keeping uid 0 is not an option because uid 0 owns too many vital 241 * files.. 242 * Thanks to Olaf Kirch and Peter Benie for spotting this. 243 */ 244 static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 245 int old_suid) 246 { 247 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 248 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 249 !current->keep_capabilities) { 250 cap_clear (current->cap_permitted); 251 cap_clear (current->cap_effective); 252 } 253 if (old_euid == 0 && current->euid != 0) { 254 cap_clear (current->cap_effective); 255 } 256 if (old_euid != 0 && current->euid == 0) { 257 current->cap_effective = current->cap_permitted; 258 } 259 } 260 261 int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 262 int flags) 263 { 264 switch (flags) { 265 case LSM_SETID_RE: 266 case LSM_SETID_ID: 267 case LSM_SETID_RES: 268 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 269 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 270 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 271 } 272 break; 273 case LSM_SETID_FS: 274 { 275 uid_t old_fsuid = old_ruid; 276 277 /* Copied from kernel/sys.c:setfsuid. */ 278 279 /* 280 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 281 * if not, we might be a bit too harsh here. 282 */ 283 284 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 285 if (old_fsuid == 0 && current->fsuid != 0) { 286 cap_t (current->cap_effective) &= 287 ~CAP_FS_MASK; 288 } 289 if (old_fsuid != 0 && current->fsuid == 0) { 290 cap_t (current->cap_effective) |= 291 (cap_t (current->cap_permitted) & 292 CAP_FS_MASK); 293 } 294 } 295 break; 296 } 297 default: 298 return -EINVAL; 299 } 300 301 return 0; 302 } 303 304 void cap_task_reparent_to_init (struct task_struct *p) 305 { 306 p->cap_effective = CAP_INIT_EFF_SET; 307 p->cap_inheritable = CAP_INIT_INH_SET; 308 p->cap_permitted = CAP_FULL_SET; 309 p->keep_capabilities = 0; 310 return; 311 } 312 313 int cap_syslog (int type) 314 { 315 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 316 return -EPERM; 317 return 0; 318 } 319 320 int cap_vm_enough_memory(long pages) 321 { 322 int cap_sys_admin = 0; 323 324 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 325 cap_sys_admin = 1; 326 return __vm_enough_memory(pages, cap_sys_admin); 327 } 328 329 EXPORT_SYMBOL(cap_capable); 330 EXPORT_SYMBOL(cap_settime); 331 EXPORT_SYMBOL(cap_ptrace); 332 EXPORT_SYMBOL(cap_capget); 333 EXPORT_SYMBOL(cap_capset_check); 334 EXPORT_SYMBOL(cap_capset_set); 335 EXPORT_SYMBOL(cap_bprm_set_security); 336 EXPORT_SYMBOL(cap_bprm_apply_creds); 337 EXPORT_SYMBOL(cap_bprm_secureexec); 338 EXPORT_SYMBOL(cap_inode_setxattr); 339 EXPORT_SYMBOL(cap_inode_removexattr); 340 EXPORT_SYMBOL(cap_task_post_setuid); 341 EXPORT_SYMBOL(cap_task_reparent_to_init); 342 EXPORT_SYMBOL(cap_syslog); 343 EXPORT_SYMBOL(cap_vm_enough_memory); 344 345 MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module"); 346 MODULE_LICENSE("GPL"); 347