Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 1d045980e1eff4800472f0e81df9460640c8eee9

Authored by David Howells
Committed by James Morris
1 parent a6f76f23d2
Exists in master and in 7 other branches imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

CRED: Prettify commoncap.c 

Prettify commoncap.c.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 1 changed file with 248 additions and 52 deletions Inline Diff

security/commoncap.c
Diff comments   View file @ 1d04598
1 /* Common capabilities, needed by capability.o and root_plug.o 1 /* Common capabilities, needed by capability.o and root_plug.o
2 * 2 *
3 * This program is free software; you can redistribute it and/or modify 3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by 4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or 5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version. 6 * (at your option) any later version.
7 * 7 *
8 */ 8 */
9 9
10 #include <linux/capability.h> 10 #include <linux/capability.h>
11 #include <linux/audit.h> 11 #include <linux/audit.h>
12 #include <linux/module.h> 12 #include <linux/module.h>
13 #include <linux/init.h> 13 #include <linux/init.h>
14 #include <linux/kernel.h> 14 #include <linux/kernel.h>
15 #include <linux/security.h> 15 #include <linux/security.h>
16 #include <linux/file.h> 16 #include <linux/file.h>
17 #include <linux/mm.h> 17 #include <linux/mm.h>
18 #include <linux/mman.h> 18 #include <linux/mman.h>
19 #include <linux/pagemap.h> 19 #include <linux/pagemap.h>
20 #include <linux/swap.h> 20 #include <linux/swap.h>
21 #include <linux/skbuff.h> 21 #include <linux/skbuff.h>
22 #include <linux/netlink.h> 22 #include <linux/netlink.h>
23 #include <linux/ptrace.h> 23 #include <linux/ptrace.h>
24 #include <linux/xattr.h> 24 #include <linux/xattr.h>
25 #include <linux/hugetlb.h> 25 #include <linux/hugetlb.h>
26 #include <linux/mount.h> 26 #include <linux/mount.h>
27 #include <linux/sched.h> 27 #include <linux/sched.h>
28 #include <linux/prctl.h> 28 #include <linux/prctl.h>
29 #include <linux/securebits.h> 29 #include <linux/securebits.h>
30 30
31 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 31 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
32 { 32 {
33 NETLINK_CB(skb).eff_cap = current_cap(); 33 NETLINK_CB(skb).eff_cap = current_cap();
34 return 0; 34 return 0;
35 } 35 }
36 36
37 int cap_netlink_recv(struct sk_buff *skb, int cap) 37 int cap_netlink_recv(struct sk_buff *skb, int cap)
38 { 38 {
39 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 39 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
40 return -EPERM; 40 return -EPERM;
41 return 0; 41 return 0;
42 } 42 }
43
44 EXPORT_SYMBOL(cap_netlink_recv); 43 EXPORT_SYMBOL(cap_netlink_recv);
45 44
46 /* 45 /**
46 * cap_capable - Determine whether a task has a particular effective capability
47 * @tsk: The task to query
48 * @cap: The capability to check for
49 * @audit: Whether to write an audit message or not
50 *
51 * Determine whether the nominated task has the specified capability amongst
52 * its effective set, returning 0 if it does, -ve if it does not.
53 *
47 * NOTE WELL: cap_capable() cannot be used like the kernel's capable() 54 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
48 * function. That is, it has the reverse semantics: cap_capable() 55 * function. That is, it has the reverse semantics: cap_capable() returns 0
49 * returns 0 when a task has a capability, but the kernel's capable() 56 * when a task has a capability, but the kernel's capable() returns 1 for this
50 * returns 1 for this case. 57 * case.
51 */ 58 */
52 int cap_capable(struct task_struct *tsk, int cap, int audit) 59 int cap_capable(struct task_struct *tsk, int cap, int audit)
53 { 60 {
54 __u32 cap_raised; 61 __u32 cap_raised;
55 62
56 /* Derived from include/linux/sched.h:capable. */ 63 /* Derived from include/linux/sched.h:capable. */
57 rcu_read_lock(); 64 rcu_read_lock();
58 cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap); 65 cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap);
59 rcu_read_unlock(); 66 rcu_read_unlock();
60 return cap_raised ? 0 : -EPERM; 67 return cap_raised ? 0 : -EPERM;
61 } 68 }
62 69
70 /**
71 * cap_settime - Determine whether the current process may set the system clock
72 * @ts: The time to set
73 * @tz: The timezone to set
74 *
75 * Determine whether the current process may set the system clock and timezone
76 * information, returning 0 if permission granted, -ve if denied.
77 */
63 int cap_settime(struct timespec *ts, struct timezone *tz) 78 int cap_settime(struct timespec *ts, struct timezone *tz)
64 { 79 {
65 if (!capable(CAP_SYS_TIME)) 80 if (!capable(CAP_SYS_TIME))
66 return -EPERM; 81 return -EPERM;
67 return 0; 82 return 0;
68 } 83 }
69 84
85 /**
86 * cap_ptrace_may_access - Determine whether the current process may access
87 * another
88 * @child: The process to be accessed
89 * @mode: The mode of attachment.
90 *
91 * Determine whether a process may access another, returning 0 if permission
92 * granted, -ve if denied.
93 */
70 int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) 94 int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
71 { 95 {
72 int ret = 0; 96 int ret = 0;
73 97
74 rcu_read_lock(); 98 rcu_read_lock();
75 if (!cap_issubset(__task_cred(child)->cap_permitted, 99 if (!cap_issubset(__task_cred(child)->cap_permitted,
76 current_cred()->cap_permitted) && 100 current_cred()->cap_permitted) &&
77 !capable(CAP_SYS_PTRACE)) 101 !capable(CAP_SYS_PTRACE))
78 ret = -EPERM; 102 ret = -EPERM;
79 rcu_read_unlock(); 103 rcu_read_unlock();
80 return ret; 104 return ret;
81 } 105 }
82 106
107 /**
108 * cap_ptrace_traceme - Determine whether another process may trace the current
109 * @parent: The task proposed to be the tracer
110 *
111 * Determine whether the nominated task is permitted to trace the current
112 * process, returning 0 if permission is granted, -ve if denied.
113 */
83 int cap_ptrace_traceme(struct task_struct *parent) 114 int cap_ptrace_traceme(struct task_struct *parent)
84 { 115 {
85 int ret = 0; 116 int ret = 0;
86 117
87 rcu_read_lock(); 118 rcu_read_lock();
88 if (!cap_issubset(current_cred()->cap_permitted, 119 if (!cap_issubset(current_cred()->cap_permitted,
89 __task_cred(parent)->cap_permitted) && 120 __task_cred(parent)->cap_permitted) &&
90 !has_capability(parent, CAP_SYS_PTRACE)) 121 !has_capability(parent, CAP_SYS_PTRACE))
91 ret = -EPERM; 122 ret = -EPERM;
92 rcu_read_unlock(); 123 rcu_read_unlock();
93 return ret; 124 return ret;
94 } 125 }
95 126
96 int cap_capget (struct task_struct *target, kernel_cap_t *effective, 127 /**
97 kernel_cap_t *inheritable, kernel_cap_t *permitted) 128 * cap_capget - Retrieve a task's capability sets
129 * @target: The task from which to retrieve the capability sets
130 * @effective: The place to record the effective set
131 * @inheritable: The place to record the inheritable set
132 * @permitted: The place to record the permitted set
133 *
134 * This function retrieves the capabilities of the nominated task and returns
135 * them to the caller.
136 */
137 int cap_capget(struct task_struct *target, kernel_cap_t *effective,
138 kernel_cap_t *inheritable, kernel_cap_t *permitted)
98 { 139 {
99 const struct cred *cred; 140 const struct cred *cred;
100 141
101 /* Derived from kernel/capability.c:sys_capget. */ 142 /* Derived from kernel/capability.c:sys_capget. */
102 rcu_read_lock(); 143 rcu_read_lock();
103 cred = __task_cred(target); 144 cred = __task_cred(target);
104 *effective = cred->cap_effective; 145 *effective = cred->cap_effective;
105 *inheritable = cred->cap_inheritable; 146 *inheritable = cred->cap_inheritable;
106 *permitted = cred->cap_permitted; 147 *permitted = cred->cap_permitted;
107 rcu_read_unlock(); 148 rcu_read_unlock();
108 return 0; 149 return 0;
109 } 150 }
110 151
111 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 152 /*
112 153 * Determine whether the inheritable capabilities are limited to the old
154 * permitted set. Returns 1 if they are limited, 0 if they are not.
155 */
113 static inline int cap_inh_is_capped(void) 156 static inline int cap_inh_is_capped(void)
114 { 157 {
115 /* 158 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
116 * Return 1 if changes to the inheritable set are limited 159
117 * to the old permitted set. That is, if the current task 160 /* they are so limited unless the current task has the CAP_SETPCAP
118 * does *not* possess the CAP_SETPCAP capability. 161 * capability
119 */ 162 */
120 return cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0; 163 if (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
164 return 0;
165 #endif
166 return 1;
121 } 167 }
122 168
123 static inline int cap_limit_ptraced_target(void) { return 1; } 169 /**
124 170 * cap_capset - Validate and apply proposed changes to current's capabilities
125 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 171 * @new: The proposed new credentials; alterations should be made here
126 172 * @old: The current task's current credentials
127 static inline int cap_inh_is_capped(void) { return 1; } 173 * @effective: A pointer to the proposed new effective capabilities set
128 static inline int cap_limit_ptraced_target(void) 174 * @inheritable: A pointer to the proposed new inheritable capabilities set
129 { 175 * @permitted: A pointer to the proposed new permitted capabilities set
130 return !capable(CAP_SETPCAP); 176 *
131 } 177 * This function validates and applies a proposed mass change to the current
132 178 * process's capability sets. The changes are made to the proposed new
133 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 179 * credentials, and assuming no error, will be committed by the caller of LSM.
134 180 */
135 int cap_capset(struct cred *new, 181 int cap_capset(struct cred *new,
136 const struct cred *old, 182 const struct cred *old,
137 const kernel_cap_t *effective, 183 const kernel_cap_t *effective,
138 const kernel_cap_t *inheritable, 184 const kernel_cap_t *inheritable,
139 const kernel_cap_t *permitted) 185 const kernel_cap_t *permitted)
140 { 186 {
141 if (cap_inh_is_capped() && 187 if (cap_inh_is_capped() &&
142 !cap_issubset(*inheritable, 188 !cap_issubset(*inheritable,
143 cap_combine(old->cap_inheritable, 189 cap_combine(old->cap_inheritable,
144 old->cap_permitted))) 190 old->cap_permitted)))
145 /* incapable of using this inheritable set */ 191 /* incapable of using this inheritable set */
146 return -EPERM; 192 return -EPERM;
147 193
148 if (!cap_issubset(*inheritable, 194 if (!cap_issubset(*inheritable,
149 cap_combine(old->cap_inheritable, 195 cap_combine(old->cap_inheritable,
150 old->cap_bset))) 196 old->cap_bset)))
151 /* no new pI capabilities outside bounding set */ 197 /* no new pI capabilities outside bounding set */
152 return -EPERM; 198 return -EPERM;
153 199
154 /* verify restrictions on target's new Permitted set */ 200 /* verify restrictions on target's new Permitted set */
155 if (!cap_issubset(*permitted, old->cap_permitted)) 201 if (!cap_issubset(*permitted, old->cap_permitted))
156 return -EPERM; 202 return -EPERM;
157 203
158 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 204 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
159 if (!cap_issubset(*effective, *permitted)) 205 if (!cap_issubset(*effective, *permitted))
160 return -EPERM; 206 return -EPERM;
161 207
162 new->cap_effective = *effective; 208 new->cap_effective = *effective;
163 new->cap_inheritable = *inheritable; 209 new->cap_inheritable = *inheritable;
164 new->cap_permitted = *permitted; 210 new->cap_permitted = *permitted;
165 return 0; 211 return 0;
166 } 212 }
167 213
214 /*
215 * Clear proposed capability sets for execve().
216 */
168 static inline void bprm_clear_caps(struct linux_binprm *bprm) 217 static inline void bprm_clear_caps(struct linux_binprm *bprm)
169 { 218 {
170 cap_clear(bprm->cred->cap_permitted); 219 cap_clear(bprm->cred->cap_permitted);
171 bprm->cap_effective = false; 220 bprm->cap_effective = false;
172 } 221 }
173 222
174 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 223 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
175 224
225 /**
226 * cap_inode_need_killpriv - Determine if inode change affects privileges
227 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
228 *
229 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
230 * affects the security markings on that inode, and if it is, should
231 * inode_killpriv() be invoked or the change rejected?
232 *
233 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
234 * -ve to deny the change.
235 */
176 int cap_inode_need_killpriv(struct dentry *dentry) 236 int cap_inode_need_killpriv(struct dentry *dentry)
177 { 237 {
178 struct inode *inode = dentry->d_inode; 238 struct inode *inode = dentry->d_inode;
179 int error; 239 int error;
180 240
181 if (!inode->i_op || !inode->i_op->getxattr) 241 if (!inode->i_op || !inode->i_op->getxattr)
182 return 0; 242 return 0;
183 243
184 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 244 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
185 if (error <= 0) 245 if (error <= 0)
186 return 0; 246 return 0;
187 return 1; 247 return 1;
188 } 248 }
189 249
250 /**
251 * cap_inode_killpriv - Erase the security markings on an inode
252 * @dentry: The inode/dentry to alter
253 *
254 * Erase the privilege-enhancing security markings on an inode.
255 *
256 * Returns 0 if successful, -ve on error.
257 */
190 int cap_inode_killpriv(struct dentry *dentry) 258 int cap_inode_killpriv(struct dentry *dentry)
191 { 259 {
192 struct inode *inode = dentry->d_inode; 260 struct inode *inode = dentry->d_inode;
193 261
194 if (!inode->i_op || !inode->i_op->removexattr) 262 if (!inode->i_op || !inode->i_op->removexattr)
195 return 0; 263 return 0;
196 264
197 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 265 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
198 } 266 }
199 267
268 /*
269 * Calculate the new process capability sets from the capability sets attached
270 * to a file.
271 */
200 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 272 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
201 struct linux_binprm *bprm, 273 struct linux_binprm *bprm,
202 bool *effective) 274 bool *effective)
203 { 275 {
204 struct cred *new = bprm->cred; 276 struct cred *new = bprm->cred;
205 unsigned i; 277 unsigned i;
206 int ret = 0; 278 int ret = 0;
207 279
208 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 280 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
209 *effective = true; 281 *effective = true;
210 282
211 CAP_FOR_EACH_U32(i) { 283 CAP_FOR_EACH_U32(i) {
212 __u32 permitted = caps->permitted.cap[i]; 284 __u32 permitted = caps->permitted.cap[i];
213 __u32 inheritable = caps->inheritable.cap[i]; 285 __u32 inheritable = caps->inheritable.cap[i];
214 286
215 /* 287 /*
216 * pP' = (X & fP) | (pI & fI) 288 * pP' = (X & fP) | (pI & fI)
217 */ 289 */
218 new->cap_permitted.cap[i] = 290 new->cap_permitted.cap[i] =
219 (new->cap_bset.cap[i] & permitted) | 291 (new->cap_bset.cap[i] & permitted) |
220 (new->cap_inheritable.cap[i] & inheritable); 292 (new->cap_inheritable.cap[i] & inheritable);
221 293
222 if (permitted & ~new->cap_permitted.cap[i]) 294 if (permitted & ~new->cap_permitted.cap[i])
223 /* insufficient to execute correctly */ 295 /* insufficient to execute correctly */
224 ret = -EPERM; 296 ret = -EPERM;
225 } 297 }
226 298
227 /* 299 /*
228 * For legacy apps, with no internal support for recognizing they 300 * For legacy apps, with no internal support for recognizing they
229 * do not have enough capabilities, we return an error if they are 301 * do not have enough capabilities, we return an error if they are
230 * missing some "forced" (aka file-permitted) capabilities. 302 * missing some "forced" (aka file-permitted) capabilities.
231 */ 303 */
232 return *effective ? ret : 0; 304 return *effective ? ret : 0;
233 } 305 }
234 306
307 /*
308 * Extract the on-exec-apply capability sets for an executable file.
309 */
235 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 310 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
236 { 311 {
237 struct inode *inode = dentry->d_inode; 312 struct inode *inode = dentry->d_inode;
238 __u32 magic_etc; 313 __u32 magic_etc;
239 unsigned tocopy, i; 314 unsigned tocopy, i;
240 int size; 315 int size;
241 struct vfs_cap_data caps; 316 struct vfs_cap_data caps;
242 317
243 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 318 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
244 319
245 if (!inode || !inode->i_op || !inode->i_op->getxattr) 320 if (!inode || !inode->i_op || !inode->i_op->getxattr)
246 return -ENODATA; 321 return -ENODATA;
247 322
248 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, 323 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
249 XATTR_CAPS_SZ); 324 XATTR_CAPS_SZ);
250 if (size == -ENODATA || size == -EOPNOTSUPP) 325 if (size == -ENODATA || size == -EOPNOTSUPP)
251 /* no data, that's ok */ 326 /* no data, that's ok */
252 return -ENODATA; 327 return -ENODATA;
253 if (size < 0) 328 if (size < 0)
254 return size; 329 return size;
255 330
256 if (size < sizeof(magic_etc)) 331 if (size < sizeof(magic_etc))
257 return -EINVAL; 332 return -EINVAL;
258 333
259 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc); 334 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
260 335
261 switch (magic_etc & VFS_CAP_REVISION_MASK) { 336 switch (magic_etc & VFS_CAP_REVISION_MASK) {
262 case VFS_CAP_REVISION_1: 337 case VFS_CAP_REVISION_1:
263 if (size != XATTR_CAPS_SZ_1) 338 if (size != XATTR_CAPS_SZ_1)
264 return -EINVAL; 339 return -EINVAL;
265 tocopy = VFS_CAP_U32_1; 340 tocopy = VFS_CAP_U32_1;
266 break; 341 break;
267 case VFS_CAP_REVISION_2: 342 case VFS_CAP_REVISION_2:
268 if (size != XATTR_CAPS_SZ_2) 343 if (size != XATTR_CAPS_SZ_2)
269 return -EINVAL; 344 return -EINVAL;
270 tocopy = VFS_CAP_U32_2; 345 tocopy = VFS_CAP_U32_2;
271 break; 346 break;
272 default: 347 default:
273 return -EINVAL; 348 return -EINVAL;
274 } 349 }
275 350
276 CAP_FOR_EACH_U32(i) { 351 CAP_FOR_EACH_U32(i) {
277 if (i >= tocopy) 352 if (i >= tocopy)
278 break; 353 break;
279 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted); 354 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
280 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); 355 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
281 } 356 }
282 357
283 return 0; 358 return 0;
284 } 359 }
285 360
286 /* Locate any VFS capabilities: */ 361 /*
362 * Attempt to get the on-exec apply capability sets for an executable file from
363 * its xattrs and, if present, apply them to the proposed credentials being
364 * constructed by execve().
365 */
287 static int get_file_caps(struct linux_binprm *bprm, bool *effective) 366 static int get_file_caps(struct linux_binprm *bprm, bool *effective)
288 { 367 {
289 struct dentry *dentry; 368 struct dentry *dentry;
290 int rc = 0; 369 int rc = 0;
291 struct cpu_vfs_cap_data vcaps; 370 struct cpu_vfs_cap_data vcaps;
292 371
293 bprm_clear_caps(bprm); 372 bprm_clear_caps(bprm);
294 373
295 if (!file_caps_enabled) 374 if (!file_caps_enabled)
296 return 0; 375 return 0;
297 376
298 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 377 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
299 return 0; 378 return 0;
300 379
301 dentry = dget(bprm->file->f_dentry); 380 dentry = dget(bprm->file->f_dentry);
302 381
303 rc = get_vfs_caps_from_disk(dentry, &vcaps); 382 rc = get_vfs_caps_from_disk(dentry, &vcaps);
304 if (rc < 0) { 383 if (rc < 0) {
305 if (rc == -EINVAL) 384 if (rc == -EINVAL)
306 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n", 385 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
307 __func__, rc, bprm->filename); 386 __func__, rc, bprm->filename);
308 else if (rc == -ENODATA) 387 else if (rc == -ENODATA)
309 rc = 0; 388 rc = 0;
310 goto out; 389 goto out;
311 } 390 }
312 391
313 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective); 392 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
314 if (rc == -EINVAL) 393 if (rc == -EINVAL)
315 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 394 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
316 __func__, rc, bprm->filename); 395 __func__, rc, bprm->filename);
317 396
318 out: 397 out:
319 dput(dentry); 398 dput(dentry);
320 if (rc) 399 if (rc)
321 bprm_clear_caps(bprm); 400 bprm_clear_caps(bprm);
322 401
323 return rc; 402 return rc;
324 } 403 }
325 404
326 #else 405 #else
327 int cap_inode_need_killpriv(struct dentry *dentry) 406 int cap_inode_need_killpriv(struct dentry *dentry)
328 { 407 {
329 return 0; 408 return 0;
330 } 409 }
331 410
332 int cap_inode_killpriv(struct dentry *dentry) 411 int cap_inode_killpriv(struct dentry *dentry)
333 { 412 {
334 return 0; 413 return 0;
335 } 414 }
336 415
337 static inline int get_file_caps(struct linux_binprm *bprm, bool *effective) 416 static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
338 { 417 {
339 bprm_clear_caps(bprm); 418 bprm_clear_caps(bprm);
340 return 0; 419 return 0;
341 } 420 }
342 #endif 421 #endif
343 422
344 /* 423 /*
345 * set up the new credentials for an exec'd task 424 * Determine whether a exec'ing process's new permitted capabilities should be
425 * limited to just what it already has.
426 *
427 * This prevents processes that are being ptraced from gaining access to
428 * CAP_SETPCAP, unless the process they're tracing already has it, and the
429 * binary they're executing has filecaps that elevate it.
430 *
431 * Returns 1 if they should be limited, 0 if they are not.
346 */ 432 */
433 static inline int cap_limit_ptraced_target(void)
434 {
435 #ifndef CONFIG_SECURITY_FILE_CAPABILITIES
436 if (capable(CAP_SETPCAP))
437 return 0;
438 #endif
439 return 1;
440 }
441
442 /**
443 * cap_bprm_set_creds - Set up the proposed credentials for execve().
444 * @bprm: The execution parameters, including the proposed creds
445 *
446 * Set up the proposed credentials for a new execution context being
447 * constructed by execve(). The proposed creds in @bprm->cred is altered,
448 * which won't take effect immediately. Returns 0 if successful, -ve on error.
449 */
347 int cap_bprm_set_creds(struct linux_binprm *bprm) 450 int cap_bprm_set_creds(struct linux_binprm *bprm)
348 { 451 {
349 const struct cred *old = current_cred(); 452 const struct cred *old = current_cred();
350 struct cred *new = bprm->cred; 453 struct cred *new = bprm->cred;
351 bool effective; 454 bool effective;
352 int ret; 455 int ret;
353 456
354 effective = false; 457 effective = false;
355 ret = get_file_caps(bprm, &effective); 458 ret = get_file_caps(bprm, &effective);
356 if (ret < 0) 459 if (ret < 0)
357 return ret; 460 return ret;
358 461
359 if (!issecure(SECURE_NOROOT)) { 462 if (!issecure(SECURE_NOROOT)) {
360 /* 463 /*
361 * To support inheritance of root-permissions and suid-root 464 * To support inheritance of root-permissions and suid-root
362 * executables under compatibility mode, we override the 465 * executables under compatibility mode, we override the
363 * capability sets for the file. 466 * capability sets for the file.
364 * 467 *
365 * If only the real uid is 0, we do not set the effective bit. 468 * If only the real uid is 0, we do not set the effective bit.
366 */ 469 */
367 if (new->euid == 0 || new->uid == 0) { 470 if (new->euid == 0 || new->uid == 0) {
368 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 471 /* pP' = (cap_bset & ~0) | (pI & ~0) */
369 new->cap_permitted = cap_combine(old->cap_bset, 472 new->cap_permitted = cap_combine(old->cap_bset,
370 old->cap_inheritable); 473 old->cap_inheritable);
371 } 474 }
372 if (new->euid == 0) 475 if (new->euid == 0)
373 effective = true; 476 effective = true;
374 } 477 }
375 478
376 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 479 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
377 * credentials unless they have the appropriate permit 480 * credentials unless they have the appropriate permit
378 */ 481 */
379 if ((new->euid != old->uid || 482 if ((new->euid != old->uid ||
380 new->egid != old->gid || 483 new->egid != old->gid ||
381 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 484 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
382 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 485 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
383 /* downgrade; they get no more than they had, and maybe less */ 486 /* downgrade; they get no more than they had, and maybe less */
384 if (!capable(CAP_SETUID)) { 487 if (!capable(CAP_SETUID)) {
385 new->euid = new->uid; 488 new->euid = new->uid;
386 new->egid = new->gid; 489 new->egid = new->gid;
387 } 490 }
388 if (cap_limit_ptraced_target()) 491 if (cap_limit_ptraced_target())
389 new->cap_permitted = cap_intersect(new->cap_permitted, 492 new->cap_permitted = cap_intersect(new->cap_permitted,
390 old->cap_permitted); 493 old->cap_permitted);
391 } 494 }
392 495
393 new->suid = new->fsuid = new->euid; 496 new->suid = new->fsuid = new->euid;
394 new->sgid = new->fsgid = new->egid; 497 new->sgid = new->fsgid = new->egid;
395 498
396 /* For init, we want to retain the capabilities set in the initial 499 /* For init, we want to retain the capabilities set in the initial
397 * task. Thus we skip the usual capability rules 500 * task. Thus we skip the usual capability rules
398 */ 501 */
399 if (!is_global_init(current)) { 502 if (!is_global_init(current)) {
400 if (effective) 503 if (effective)
401 new->cap_effective = new->cap_permitted; 504 new->cap_effective = new->cap_permitted;
402 else 505 else
403 cap_clear(new->cap_effective); 506 cap_clear(new->cap_effective);
404 } 507 }
405 bprm->cap_effective = effective; 508 bprm->cap_effective = effective;
406 509
407 /* 510 /*
408 * Audit candidate if current->cap_effective is set 511 * Audit candidate if current->cap_effective is set
409 * 512 *
410 * We do not bother to audit if 3 things are true: 513 * We do not bother to audit if 3 things are true:
411 * 1) cap_effective has all caps 514 * 1) cap_effective has all caps
412 * 2) we are root 515 * 2) we are root
413 * 3) root is supposed to have all caps (SECURE_NOROOT) 516 * 3) root is supposed to have all caps (SECURE_NOROOT)
414 * Since this is just a normal root execing a process. 517 * Since this is just a normal root execing a process.
415 * 518 *
416 * Number 1 above might fail if you don't have a full bset, but I think 519 * Number 1 above might fail if you don't have a full bset, but I think
417 * that is interesting information to audit. 520 * that is interesting information to audit.
418 */ 521 */
419 if (!cap_isclear(new->cap_effective)) { 522 if (!cap_isclear(new->cap_effective)) {
420 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 523 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
421 new->euid != 0 || new->uid != 0 || 524 new->euid != 0 || new->uid != 0 ||
422 issecure(SECURE_NOROOT)) { 525 issecure(SECURE_NOROOT)) {
423 ret = audit_log_bprm_fcaps(bprm, new, old); 526 ret = audit_log_bprm_fcaps(bprm, new, old);
424 if (ret < 0) 527 if (ret < 0)
425 return ret; 528 return ret;
426 } 529 }
427 } 530 }
428 531
429 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 532 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
430 return 0; 533 return 0;
431 } 534 }
432 535
433 /* 536 /**
434 * determine whether a secure execution is required 537 * cap_bprm_secureexec - Determine whether a secure execution is required
435 * - the creds have been committed at this point, and are no longer available 538 * @bprm: The execution parameters
436 * through bprm 539 *
540 * Determine whether a secure execution is required, return 1 if it is, and 0
541 * if it is not.
542 *
543 * The credentials have been committed by this point, and so are no longer
544 * available through @bprm->cred.
437 */ 545 */
438 int cap_bprm_secureexec(struct linux_binprm *bprm) 546 int cap_bprm_secureexec(struct linux_binprm *bprm)
439 { 547 {
440 const struct cred *cred = current_cred(); 548 const struct cred *cred = current_cred();
441 549
442 if (cred->uid != 0) { 550 if (cred->uid != 0) {
443 if (bprm->cap_effective) 551 if (bprm->cap_effective)
444 return 1; 552 return 1;
445 if (!cap_isclear(cred->cap_permitted)) 553 if (!cap_isclear(cred->cap_permitted))
446 return 1; 554 return 1;
447 } 555 }
448 556
449 return (cred->euid != cred->uid || 557 return (cred->euid != cred->uid ||
450 cred->egid != cred->gid); 558 cred->egid != cred->gid);
451 } 559 }
452 560
561 /**
562 * cap_inode_setxattr - Determine whether an xattr may be altered
563 * @dentry: The inode/dentry being altered
564 * @name: The name of the xattr to be changed
565 * @value: The value that the xattr will be changed to
566 * @size: The size of value
567 * @flags: The replacement flag
568 *
569 * Determine whether an xattr may be altered or set on an inode, returning 0 if
570 * permission is granted, -ve if denied.
571 *
572 * This is used to make sure security xattrs don't get updated or set by those
573 * who aren't privileged to do so.
574 */
453 int cap_inode_setxattr(struct dentry *dentry, const char *name, 575 int cap_inode_setxattr(struct dentry *dentry, const char *name,
454 const void *value, size_t size, int flags) 576 const void *value, size_t size, int flags)
455 { 577 {
456 if (!strcmp(name, XATTR_NAME_CAPS)) { 578 if (!strcmp(name, XATTR_NAME_CAPS)) {
457 if (!capable(CAP_SETFCAP)) 579 if (!capable(CAP_SETFCAP))
458 return -EPERM; 580 return -EPERM;
459 return 0; 581 return 0;
460 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 582 }
583
584 if (!strncmp(name, XATTR_SECURITY_PREFIX,
461 sizeof(XATTR_SECURITY_PREFIX) - 1) && 585 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
462 !capable(CAP_SYS_ADMIN)) 586 !capable(CAP_SYS_ADMIN))
463 return -EPERM; 587 return -EPERM;
464 return 0; 588 return 0;
465 } 589 }
466 590
591 /**
592 * cap_inode_removexattr - Determine whether an xattr may be removed
593 * @dentry: The inode/dentry being altered
594 * @name: The name of the xattr to be changed
595 *
596 * Determine whether an xattr may be removed from an inode, returning 0 if
597 * permission is granted, -ve if denied.
598 *
599 * This is used to make sure security xattrs don't get removed by those who
600 * aren't privileged to remove them.
601 */
467 int cap_inode_removexattr(struct dentry *dentry, const char *name) 602 int cap_inode_removexattr(struct dentry *dentry, const char *name)
468 { 603 {
469 if (!strcmp(name, XATTR_NAME_CAPS)) { 604 if (!strcmp(name, XATTR_NAME_CAPS)) {
470 if (!capable(CAP_SETFCAP)) 605 if (!capable(CAP_SETFCAP))
471 return -EPERM; 606 return -EPERM;
472 return 0; 607 return 0;
473 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 608 }
609
610 if (!strncmp(name, XATTR_SECURITY_PREFIX,
474 sizeof(XATTR_SECURITY_PREFIX) - 1) && 611 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
475 !capable(CAP_SYS_ADMIN)) 612 !capable(CAP_SYS_ADMIN))
476 return -EPERM; 613 return -EPERM;
477 return 0; 614 return 0;
478 } 615 }
479 616
480 /* moved from kernel/sys.c. */
481 /* 617 /*
482 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 618 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
483 * a process after a call to setuid, setreuid, or setresuid. 619 * a process after a call to setuid, setreuid, or setresuid.
484 * 620 *
485 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 621 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
486 * {r,e,s}uid != 0, the permitted and effective capabilities are 622 * {r,e,s}uid != 0, the permitted and effective capabilities are
487 * cleared. 623 * cleared.
488 * 624 *
489 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 625 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
490 * capabilities of the process are cleared. 626 * capabilities of the process are cleared.
491 * 627 *
492 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 628 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
493 * capabilities are set to the permitted capabilities. 629 * capabilities are set to the permitted capabilities.
494 * 630 *
495 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 631 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
496 * never happen. 632 * never happen.
497 * 633 *
498 * -astor 634 * -astor
499 * 635 *
500 * cevans - New behaviour, Oct '99 636 * cevans - New behaviour, Oct '99
501 * A process may, via prctl(), elect to keep its capabilities when it 637 * A process may, via prctl(), elect to keep its capabilities when it
502 * calls setuid() and switches away from uid==0. Both permitted and 638 * calls setuid() and switches away from uid==0. Both permitted and
503 * effective sets will be retained. 639 * effective sets will be retained.
504 * Without this change, it was impossible for a daemon to drop only some 640 * Without this change, it was impossible for a daemon to drop only some
505 * of its privilege. The call to setuid(!=0) would drop all privileges! 641 * of its privilege. The call to setuid(!=0) would drop all privileges!
506 * Keeping uid 0 is not an option because uid 0 owns too many vital 642 * Keeping uid 0 is not an option because uid 0 owns too many vital
507 * files.. 643 * files..
508 * Thanks to Olaf Kirch and Peter Benie for spotting this. 644 * Thanks to Olaf Kirch and Peter Benie for spotting this.
509 */ 645 */
510 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 646 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
511 { 647 {
512 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) && 648 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
513 (new->uid != 0 && new->euid != 0 && new->suid != 0) && 649 (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
514 !issecure(SECURE_KEEP_CAPS)) { 650 !issecure(SECURE_KEEP_CAPS)) {
515 cap_clear(new->cap_permitted); 651 cap_clear(new->cap_permitted);
516 cap_clear(new->cap_effective); 652 cap_clear(new->cap_effective);
517 } 653 }
518 if (old->euid == 0 && new->euid != 0) 654 if (old->euid == 0 && new->euid != 0)
519 cap_clear(new->cap_effective); 655 cap_clear(new->cap_effective);
520 if (old->euid != 0 && new->euid == 0) 656 if (old->euid != 0 && new->euid == 0)
521 new->cap_effective = new->cap_permitted; 657 new->cap_effective = new->cap_permitted;
522 } 658 }
523 659
660 /**
661 * cap_task_fix_setuid - Fix up the results of setuid() call
662 * @new: The proposed credentials
663 * @old: The current task's current credentials
664 * @flags: Indications of what has changed
665 *
666 * Fix up the results of setuid() call before the credential changes are
667 * actually applied, returning 0 to grant the changes, -ve to deny them.
668 */
524 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 669 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
525 { 670 {
526 switch (flags) { 671 switch (flags) {
527 case LSM_SETID_RE: 672 case LSM_SETID_RE:
528 case LSM_SETID_ID: 673 case LSM_SETID_ID:
529 case LSM_SETID_RES: 674 case LSM_SETID_RES:
530 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 675 /* juggle the capabilities to follow [RES]UID changes unless
676 * otherwise suppressed */
531 if (!issecure(SECURE_NO_SETUID_FIXUP)) 677 if (!issecure(SECURE_NO_SETUID_FIXUP))
532 cap_emulate_setxuid(new, old); 678 cap_emulate_setxuid(new, old);
533 break; 679 break;
534 case LSM_SETID_FS:
535 /* Copied from kernel/sys.c:setfsuid. */
536 680
537 /* 681 case LSM_SETID_FS:
682 /* juggle the capabilties to follow FSUID changes, unless
683 * otherwise suppressed
684 *
538 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 685 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
539 * if not, we might be a bit too harsh here. 686 * if not, we might be a bit too harsh here.
540 */ 687 */
541 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 688 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
542 if (old->fsuid == 0 && new->fsuid != 0) { 689 if (old->fsuid == 0 && new->fsuid != 0)
543 new->cap_effective = 690 new->cap_effective =
544 cap_drop_fs_set(new->cap_effective); 691 cap_drop_fs_set(new->cap_effective);
545 } 692
546 if (old->fsuid != 0 && new->fsuid == 0) { 693 if (old->fsuid != 0 && new->fsuid == 0)
547 new->cap_effective = 694 new->cap_effective =
548 cap_raise_fs_set(new->cap_effective, 695 cap_raise_fs_set(new->cap_effective,
549 new->cap_permitted); 696 new->cap_permitted);
550 }
551 } 697 }
552 break; 698 break;
699
553 default: 700 default:
554 return -EINVAL; 701 return -EINVAL;
555 } 702 }
556 703
557 return 0; 704 return 0;
558 } 705 }
559 706
560 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 707 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
561 /* 708 /*
562 * Rationale: code calling task_setscheduler, task_setioprio, and 709 * Rationale: code calling task_setscheduler, task_setioprio, and
563 * task_setnice, assumes that 710 * task_setnice, assumes that
564 * . if capable(cap_sys_nice), then those actions should be allowed 711 * . if capable(cap_sys_nice), then those actions should be allowed
565 * . if not capable(cap_sys_nice), but acting on your own processes, 712 * . if not capable(cap_sys_nice), but acting on your own processes,
566 * then those actions should be allowed 713 * then those actions should be allowed
567 * This is insufficient now since you can call code without suid, but 714 * This is insufficient now since you can call code without suid, but
568 * yet with increased caps. 715 * yet with increased caps.
569 * So we check for increased caps on the target process. 716 * So we check for increased caps on the target process.
570 */ 717 */
571 static int cap_safe_nice(struct task_struct *p) 718 static int cap_safe_nice(struct task_struct *p)
572 { 719 {
573 int is_subset; 720 int is_subset;
574 721
575 rcu_read_lock(); 722 rcu_read_lock();
576 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 723 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
577 current_cred()->cap_permitted); 724 current_cred()->cap_permitted);
578 rcu_read_unlock(); 725 rcu_read_unlock();
579 726
580 if (!is_subset && !capable(CAP_SYS_NICE)) 727 if (!is_subset && !capable(CAP_SYS_NICE))
581 return -EPERM; 728 return -EPERM;
582 return 0; 729 return 0;
583 } 730 }
584 731
585 int cap_task_setscheduler (struct task_struct *p, int policy, 732 /**
733 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
734 * @p: The task to affect
735 * @policy: The policy to effect
736 * @lp: The parameters to the scheduling policy
737 *
738 * Detemine if the requested scheduler policy change is permitted for the
739 * specified task, returning 0 if permission is granted, -ve if denied.
740 */
741 int cap_task_setscheduler(struct task_struct *p, int policy,
586 struct sched_param *lp) 742 struct sched_param *lp)
587 { 743 {
588 return cap_safe_nice(p); 744 return cap_safe_nice(p);
589 } 745 }
590 746
591 int cap_task_setioprio (struct task_struct *p, int ioprio) 747 /**
748 * cap_task_ioprio - Detemine if I/O priority change is permitted
749 * @p: The task to affect
750 * @ioprio: The I/O priority to set
751 *
752 * Detemine if the requested I/O priority change is permitted for the specified
753 * task, returning 0 if permission is granted, -ve if denied.
754 */
755 int cap_task_setioprio(struct task_struct *p, int ioprio)
592 { 756 {
593 return cap_safe_nice(p); 757 return cap_safe_nice(p);
594 } 758 }
595 759
596 int cap_task_setnice (struct task_struct *p, int nice) 760 /**
761 * cap_task_ioprio - Detemine if task priority change is permitted
762 * @p: The task to affect
763 * @nice: The nice value to set
764 *
765 * Detemine if the requested task priority change is permitted for the
766 * specified task, returning 0 if permission is granted, -ve if denied.
767 */
768 int cap_task_setnice(struct task_struct *p, int nice)
597 { 769 {
598 return cap_safe_nice(p); 770 return cap_safe_nice(p);
599 } 771 }
600 772
601 /* 773 /*
602 * called from kernel/sys.c for prctl(PR_CABSET_DROP) 774 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
603 * done without task_capability_lock() because it introduces 775 * the current task's bounding set. Returns 0 on success, -ve on error.
604 * no new races - i.e. only another task doing capget() on
605 * this task could get inconsistent info. There can be no
606 * racing writer bc a task can only change its own caps.
607 */ 776 */
608 static long cap_prctl_drop(struct cred *new, unsigned long cap) 777 static long cap_prctl_drop(struct cred *new, unsigned long cap)
609 { 778 {
610 if (!capable(CAP_SETPCAP)) 779 if (!capable(CAP_SETPCAP))
611 return -EPERM; 780 return -EPERM;
612 if (!cap_valid(cap)) 781 if (!cap_valid(cap))
613 return -EINVAL; 782 return -EINVAL;
614 783
615 cap_lower(new->cap_bset, cap); 784 cap_lower(new->cap_bset, cap);
616 return 0; 785 return 0;
617 } 786 }
618 787
619 #else 788 #else
620 int cap_task_setscheduler (struct task_struct *p, int policy, 789 int cap_task_setscheduler (struct task_struct *p, int policy,
621 struct sched_param *lp) 790 struct sched_param *lp)
622 { 791 {
623 return 0; 792 return 0;
624 } 793 }
625 int cap_task_setioprio (struct task_struct *p, int ioprio) 794 int cap_task_setioprio (struct task_struct *p, int ioprio)
626 { 795 {
627 return 0; 796 return 0;
628 } 797 }
629 int cap_task_setnice (struct task_struct *p, int nice) 798 int cap_task_setnice (struct task_struct *p, int nice)
630 { 799 {
631 return 0; 800 return 0;
632 } 801 }
633 #endif 802 #endif
634 803
804 /**
805 * cap_task_prctl - Implement process control functions for this security module
806 * @option: The process control function requested
807 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
808 *
809 * Allow process control functions (sys_prctl()) to alter capabilities; may
810 * also deny access to other functions not otherwise implemented here.
811 *
812 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
813 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
814 * modules will consider performing the function.
815 */
635 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 816 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
636 unsigned long arg4, unsigned long arg5) 817 unsigned long arg4, unsigned long arg5)
637 { 818 {
638 struct cred *new; 819 struct cred *new;
639 long error = 0; 820 long error = 0;
640 821
641 new = prepare_creds(); 822 new = prepare_creds();
642 if (!new) 823 if (!new)
643 return -ENOMEM; 824 return -ENOMEM;
644 825
645 switch (option) { 826 switch (option) {
646 case PR_CAPBSET_READ: 827 case PR_CAPBSET_READ:
647 error = -EINVAL; 828 error = -EINVAL;
648 if (!cap_valid(arg2)) 829 if (!cap_valid(arg2))
649 goto error; 830 goto error;
650 error = !!cap_raised(new->cap_bset, arg2); 831 error = !!cap_raised(new->cap_bset, arg2);
651 goto no_change; 832 goto no_change;
652 833
653 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 834 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
654 case PR_CAPBSET_DROP: 835 case PR_CAPBSET_DROP:
655 error = cap_prctl_drop(new, arg2); 836 error = cap_prctl_drop(new, arg2);
656 if (error < 0) 837 if (error < 0)
657 goto error; 838 goto error;
658 goto changed; 839 goto changed;
659 840
660 /* 841 /*
661 * The next four prctl's remain to assist with transitioning a 842 * The next four prctl's remain to assist with transitioning a
662 * system from legacy UID=0 based privilege (when filesystem 843 * system from legacy UID=0 based privilege (when filesystem
663 * capabilities are not in use) to a system using filesystem 844 * capabilities are not in use) to a system using filesystem
664 * capabilities only - as the POSIX.1e draft intended. 845 * capabilities only - as the POSIX.1e draft intended.
665 * 846 *
666 * Note: 847 * Note:
667 * 848 *
668 * PR_SET_SECUREBITS = 849 * PR_SET_SECUREBITS =
669 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 850 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
670 * | issecure_mask(SECURE_NOROOT) 851 * | issecure_mask(SECURE_NOROOT)
671 * | issecure_mask(SECURE_NOROOT_LOCKED) 852 * | issecure_mask(SECURE_NOROOT_LOCKED)
672 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 853 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
673 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 854 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
674 * 855 *
675 * will ensure that the current process and all of its 856 * will ensure that the current process and all of its
676 * children will be locked into a pure 857 * children will be locked into a pure
677 * capability-based-privilege environment. 858 * capability-based-privilege environment.
678 */ 859 */
679 case PR_SET_SECUREBITS: 860 case PR_SET_SECUREBITS:
680 error = -EPERM; 861 error = -EPERM;
681 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1) 862 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
682 & (new->securebits ^ arg2)) /*[1]*/ 863 & (new->securebits ^ arg2)) /*[1]*/
683 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 864 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
684 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 865 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
685 || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/ 866 || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/
686 /* 867 /*
687 * [1] no changing of bits that are locked 868 * [1] no changing of bits that are locked
688 * [2] no unlocking of locks 869 * [2] no unlocking of locks
689 * [3] no setting of unsupported bits 870 * [3] no setting of unsupported bits
690 * [4] doing anything requires privilege (go read about 871 * [4] doing anything requires privilege (go read about
691 * the "sendmail capabilities bug") 872 * the "sendmail capabilities bug")
692 */ 873 */
693 ) 874 )
694 /* cannot change a locked bit */ 875 /* cannot change a locked bit */
695 goto error; 876 goto error;
696 new->securebits = arg2; 877 new->securebits = arg2;
697 goto changed; 878 goto changed;
698 879
699 case PR_GET_SECUREBITS: 880 case PR_GET_SECUREBITS:
700 error = new->securebits; 881 error = new->securebits;
701 goto no_change; 882 goto no_change;
702 883
703 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 884 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
704 885
705 case PR_GET_KEEPCAPS: 886 case PR_GET_KEEPCAPS:
706 if (issecure(SECURE_KEEP_CAPS)) 887 if (issecure(SECURE_KEEP_CAPS))
707 error = 1; 888 error = 1;
708 goto no_change; 889 goto no_change;
709 890
710 case PR_SET_KEEPCAPS: 891 case PR_SET_KEEPCAPS:
711 error = -EINVAL; 892 error = -EINVAL;
712 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 893 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
713 goto error; 894 goto error;
714 error = -EPERM; 895 error = -EPERM;
715 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 896 if (issecure(SECURE_KEEP_CAPS_LOCKED))
716 goto error; 897 goto error;
717 if (arg2) 898 if (arg2)
718 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 899 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
719 else 900 else
720 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 901 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
721 goto changed; 902 goto changed;
722 903
723 default: 904 default:
724 /* No functionality available - continue with default */ 905 /* No functionality available - continue with default */
725 error = -ENOSYS; 906 error = -ENOSYS;
726 goto error; 907 goto error;
727 } 908 }
728 909
729 /* Functionality provided */ 910 /* Functionality provided */
730 changed: 911 changed:
731 return commit_creds(new); 912 return commit_creds(new);
732 913
733 no_change: 914 no_change:
734 error = 0; 915 error = 0;
735 error: 916 error:
736 abort_creds(new); 917 abort_creds(new);
737 return error; 918 return error;
738 } 919 }
739 920
740 int cap_syslog (int type) 921 /**
922 * cap_syslog - Determine whether syslog function is permitted
923 * @type: Function requested
924 *
925 * Determine whether the current process is permitted to use a particular
926 * syslog function, returning 0 if permission is granted, -ve if not.
927 */
928 int cap_syslog(int type)
741 { 929 {
742 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 930 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
743 return -EPERM; 931 return -EPERM;
744 return 0; 932 return 0;
745 } 933 }
746 934
935 /**
936 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
937 * @mm: The VM space in which the new mapping is to be made
938 * @pages: The size of the mapping
939 *
940 * Determine whether the allocation of a new virtual mapping by the current
941 * task is permitted, returning 0 if permission is granted, -ve if not.
942 */
747 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 943 int cap_vm_enough_memory(struct mm_struct *mm, long pages)