Blame view
kernel/capability.c
12.9 KB
1da177e4c
|
1 2 3 4 5 |
/* * linux/kernel/capability.c * * Copyright (C) 1997 Andrew Main <zefram@fysh.org> * |
72c2d5823
|
6 |
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4c
|
7 |
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd9
|
8 |
*/ |
1da177e4c
|
9 |
|
f5645d357
|
10 |
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
e68b75a02
|
11 |
#include <linux/audit.h> |
c59ede7b7
|
12 |
#include <linux/capability.h> |
1da177e4c
|
13 |
#include <linux/mm.h> |
9984de1a5
|
14 |
#include <linux/export.h> |
1da177e4c
|
15 16 |
#include <linux/security.h> #include <linux/syscalls.h> |
b460cbc58
|
17 |
#include <linux/pid_namespace.h> |
3486740a4
|
18 |
#include <linux/user_namespace.h> |
1da177e4c
|
19 |
#include <asm/uaccess.h> |
1da177e4c
|
20 21 |
/* |
e338d263a
|
22 23 24 25 |
* Leveraged for setting/resetting capabilities */ const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
e338d263a
|
26 |
EXPORT_SYMBOL(__cap_empty_set); |
e338d263a
|
27 |
|
1f29fae29
|
28 29 30 31 32 33 34 35 |
int file_caps_enabled = 1; static int __init file_caps_disable(char *str) { file_caps_enabled = 0; return 1; } __setup("no_file_caps", file_caps_disable); |
1f29fae29
|
36 |
|
2813893f8
|
37 |
#ifdef CONFIG_MULTIUSER |
e338d263a
|
38 39 40 41 42 43 44 45 |
/* * More recent versions of libcap are available from: * * http://www.kernel.org/pub/linux/libs/security/linux-privs/ */ static void warn_legacy_capability_use(void) { |
f5645d357
|
46 47 48 49 50 |
char name[sizeof(current->comm)]; pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use) ", get_task_comm(name, current)); |
e338d263a
|
51 52 53 |
} /* |
ca05a99a5
|
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
* Version 2 capabilities worked fine, but the linux/capability.h file * that accompanied their introduction encouraged their use without * the necessary user-space source code changes. As such, we have * created a version 3 with equivalent functionality to version 2, but * with a header change to protect legacy source code from using * version 2 when it wanted to use version 1. If your system has code * that trips the following warning, it is using version 2 specific * capabilities and may be doing so insecurely. * * The remedy is to either upgrade your version of libcap (to 2.10+, * if the application is linked against it), or recompile your * application with modern kernel headers and this warning will go * away. */ static void warn_deprecated_v2(void) { |
f5645d357
|
71 |
char name[sizeof(current->comm)]; |
ca05a99a5
|
72 |
|
f5645d357
|
73 74 75 |
pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure ", get_task_comm(name, current)); |
ca05a99a5
|
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
} /* * Version check. Return the number of u32s in each capability flag * array, or a negative value on error. */ static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) { __u32 version; if (get_user(version, &header->version)) return -EFAULT; switch (version) { case _LINUX_CAPABILITY_VERSION_1: warn_legacy_capability_use(); *tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: warn_deprecated_v2(); /* * fall through - v3 is otherwise equivalent to v2. */ case _LINUX_CAPABILITY_VERSION_3: *tocopy = _LINUX_CAPABILITY_U32S_3; break; default: if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) return -EFAULT; return -EINVAL; } return 0; } |
ab763c711
|
110 |
/* |
d84f4f992
|
111 112 113 114 115 |
* The only thing that can change the capabilities of the current * process is the current process. As such, we can't be in this code * at the same time as we are in the process of setting capabilities * in this process. The net result is that we can limit our use of * locks to when we are reading the caps of another process. |
ab763c711
|
116 117 118 119 120 121 122 123 |
*/ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, kernel_cap_t *pIp, kernel_cap_t *pPp) { int ret; if (pid && (pid != task_pid_vnr(current))) { struct task_struct *target; |
86fc80f16
|
124 |
rcu_read_lock(); |
ab763c711
|
125 126 127 128 129 130 |
target = find_task_by_vpid(pid); if (!target) ret = -ESRCH; else ret = security_capget(target, pEp, pIp, pPp); |
86fc80f16
|
131 |
rcu_read_unlock(); |
ab763c711
|
132 133 134 135 136 |
} else ret = security_capget(current, pEp, pIp, pPp); return ret; } |
207a7ba8d
|
137 |
/** |
1da177e4c
|
138 |
* sys_capget - get the capabilities of a given process. |
207a7ba8d
|
139 140 141 142 143 144 |
* @header: pointer to struct that contains capability version and * target pid data * @dataptr: pointer to struct that contains the effective, permitted, * and inheritable capabilities that are returned * * Returns 0 on success and < 0 on error. |
1da177e4c
|
145 |
*/ |
b290ebe2c
|
146 |
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
1da177e4c
|
147 |
{ |
314f70fd9
|
148 149 |
int ret = 0; pid_t pid; |
e338d263a
|
150 151 |
unsigned tocopy; kernel_cap_t pE, pI, pP; |
314f70fd9
|
152 |
|
ca05a99a5
|
153 |
ret = cap_validate_magic(header, &tocopy); |
c4a5af54c
|
154 155 |
if ((dataptr == NULL) || (ret != 0)) return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
1da177e4c
|
156 |
|
314f70fd9
|
157 158 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1da177e4c
|
159 |
|
314f70fd9
|
160 161 |
if (pid < 0) return -EINVAL; |
1da177e4c
|
162 |
|
ab763c711
|
163 |
ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
e338d263a
|
164 |
if (!ret) { |
ca05a99a5
|
165 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263a
|
166 167 168 169 170 171 172 173 174 |
unsigned i; for (i = 0; i < tocopy; i++) { kdata[i].effective = pE.cap[i]; kdata[i].permitted = pP.cap[i]; kdata[i].inheritable = pI.cap[i]; } /* |
ca05a99a5
|
175 |
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263a
|
176 177 178 179 180 181 182 183 184 185 186 187 188 |
* we silently drop the upper capabilities here. This * has the effect of making older libcap * implementations implicitly drop upper capability * bits when they perform a: capget/modify/capset * sequence. * * This behavior is considered fail-safe * behavior. Upgrading the application to a newer * version of libcap will enable access to the newer * capabilities. * * An alternative would be to return an error here * (-ERANGE), but that causes legacy applications to |
a6c8c6902
|
189 |
* unexpectedly fail; the capget/modify/capset aborts |
e338d263a
|
190 191 192 |
* before modification is attempted and the application * fails. */ |
e338d263a
|
193 194 195 196 197 |
if (copy_to_user(dataptr, kdata, tocopy * sizeof(struct __user_cap_data_struct))) { return -EFAULT; } } |
1da177e4c
|
198 |
|
314f70fd9
|
199 |
return ret; |
1da177e4c
|
200 |
} |
207a7ba8d
|
201 |
/** |
ab763c711
|
202 |
* sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8d
|
203 204 205 206 207 |
* @header: pointer to struct that contains capability version and * target pid data * @data: pointer to struct that contains the effective, permitted, * and inheritable capabilities * |
1cdcbec1a
|
208 209 |
* Set capabilities for the current process only. The ability to any other * process(es) has been deprecated and removed. |
1da177e4c
|
210 211 212 |
* * The restrictions on setting capabilities are specified as: * |
1cdcbec1a
|
213 214 215 |
* I: any raised capabilities must be a subset of the old permitted * P: any raised capabilities must be a subset of the old permitted * E: must be set to a subset of new permitted |
207a7ba8d
|
216 217 |
* * Returns 0 on success and < 0 on error. |
1da177e4c
|
218 |
*/ |
b290ebe2c
|
219 |
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
1da177e4c
|
220 |
{ |
ca05a99a5
|
221 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
825332e4f
|
222 |
unsigned i, tocopy, copybytes; |
314f70fd9
|
223 |
kernel_cap_t inheritable, permitted, effective; |
d84f4f992
|
224 |
struct cred *new; |
314f70fd9
|
225 226 |
int ret; pid_t pid; |
ca05a99a5
|
227 228 229 |
ret = cap_validate_magic(header, &tocopy); if (ret != 0) return ret; |
314f70fd9
|
230 231 232 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1cdcbec1a
|
233 234 235 |
/* may only affect current now */ if (pid != 0 && pid != task_pid_vnr(current)) return -EPERM; |
825332e4f
|
236 237 238 239 240 |
copybytes = tocopy * sizeof(struct __user_cap_data_struct); if (copybytes > sizeof(kdata)) return -EFAULT; if (copy_from_user(&kdata, data, copybytes)) |
314f70fd9
|
241 |
return -EFAULT; |
e338d263a
|
242 243 244 245 246 247 |
for (i = 0; i < tocopy; i++) { effective.cap[i] = kdata[i].effective; permitted.cap[i] = kdata[i].permitted; inheritable.cap[i] = kdata[i].inheritable; } |
ca05a99a5
|
248 |
while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263a
|
249 250 251 252 253 |
effective.cap[i] = 0; permitted.cap[i] = 0; inheritable.cap[i] = 0; i++; } |
314f70fd9
|
254 |
|
7d8b6c637
|
255 256 257 |
effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
d84f4f992
|
258 259 260 261 262 263 264 265 |
new = prepare_creds(); if (!new) return -ENOMEM; ret = security_capset(new, current_cred(), &effective, &inheritable, &permitted); if (ret < 0) goto error; |
ca24a23eb
|
266 |
audit_log_capset(new, current_cred()); |
e68b75a02
|
267 |
|
d84f4f992
|
268 269 270 271 |
return commit_creds(new); error: abort_creds(new); |
314f70fd9
|
272 |
return ret; |
1da177e4c
|
273 |
} |
12b5989be
|
274 |
|
5cd9c58fb
|
275 |
/** |
25e757034
|
276 |
* has_ns_capability - Does a task have a capability in a specific user ns |
3263245de
|
277 |
* @t: The task in question |
25e757034
|
278 |
* @ns: target user namespace |
3263245de
|
279 280 281 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
282 |
* currently in effect to the specified user namespace, false if not. |
3263245de
|
283 284 285 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
286 287 |
bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
288 |
{ |
2920a8409
|
289 290 291 |
int ret; rcu_read_lock(); |
25e757034
|
292 |
ret = security_capable(__task_cred(t), ns, cap); |
2920a8409
|
293 |
rcu_read_unlock(); |
3263245de
|
294 295 296 297 298 |
return (ret == 0); } /** |
25e757034
|
299 |
* has_capability - Does a task have a capability in init_user_ns |
3263245de
|
300 |
* @t: The task in question |
3263245de
|
301 302 303 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
304 |
* currently in effect to the initial user namespace, false if not. |
3263245de
|
305 306 307 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
308 |
bool has_capability(struct task_struct *t, int cap) |
3263245de
|
309 |
{ |
25e757034
|
310 |
return has_ns_capability(t, &init_user_ns, cap); |
3263245de
|
311 312 313 |
} /** |
7b61d6484
|
314 315 |
* has_ns_capability_noaudit - Does a task have a capability (unaudited) * in a specific user ns. |
3263245de
|
316 |
* @t: The task in question |
7b61d6484
|
317 |
* @ns: target user namespace |
3263245de
|
318 319 320 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
7b61d6484
|
321 322 |
* currently in effect to the specified user namespace, false if not. * Do not write an audit message for the check. |
3263245de
|
323 324 325 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
7b61d6484
|
326 327 |
bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
328 |
{ |
2920a8409
|
329 330 331 |
int ret; rcu_read_lock(); |
7b61d6484
|
332 |
ret = security_capable_noaudit(__task_cred(t), ns, cap); |
2920a8409
|
333 |
rcu_read_unlock(); |
3263245de
|
334 335 336 337 338 |
return (ret == 0); } /** |
7b61d6484
|
339 340 341 |
* has_capability_noaudit - Does a task have a capability (unaudited) in the * initial user ns * @t: The task in question |
5cd9c58fb
|
342 343 |
* @cap: The capability to be tested for * |
7b61d6484
|
344 345 346 |
* Return true if the specified task has the given superior capability * currently in effect to init_user_ns, false if not. Don't write an * audit message for the check. |
5cd9c58fb
|
347 |
* |
7b61d6484
|
348 |
* Note that this does not set PF_SUPERPRIV on the task. |
5cd9c58fb
|
349 |
*/ |
7b61d6484
|
350 |
bool has_capability_noaudit(struct task_struct *t, int cap) |
3486740a4
|
351 |
{ |
7b61d6484
|
352 |
return has_ns_capability_noaudit(t, &init_user_ns, cap); |
3486740a4
|
353 |
} |
3486740a4
|
354 |
|
98f368e9e
|
355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 |
static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit) { int capable; if (unlikely(!cap_valid(cap))) { pr_crit("capable() called with invalid cap=%u ", cap); BUG(); } capable = audit ? security_capable(current_cred(), ns, cap) : security_capable_noaudit(current_cred(), ns, cap); if (capable == 0) { current->flags |= PF_SUPERPRIV; return true; } return false; } |
3486740a4
|
373 374 375 376 377 378 379 380 381 382 383 384 |
/** * ns_capable - Determine if the current task has a superior capability in effect * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool ns_capable(struct user_namespace *ns, int cap) |
12b5989be
|
385 |
{ |
98f368e9e
|
386 |
return ns_capable_common(ns, cap, true); |
12b5989be
|
387 |
} |
3486740a4
|
388 |
EXPORT_SYMBOL(ns_capable); |
98f368e9e
|
389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 |
/** * ns_capable_noaudit - Determine if the current task has a superior capability * (unaudited) in effect * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool ns_capable_noaudit(struct user_namespace *ns, int cap) { return ns_capable_common(ns, cap, false); } EXPORT_SYMBOL(ns_capable_noaudit); |
2813893f8
|
406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 |
/** * capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool capable(int cap) { return ns_capable(&init_user_ns, cap); } EXPORT_SYMBOL(capable); #endif /* CONFIG_MULTIUSER */ |
3486740a4
|
423 |
/** |
935d8aabd
|
424 425 426 427 428 429 430 431 432 433 434 |
* file_ns_capable - Determine if the file's opener had a capability in effect * @file: The file we want to check * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if task that opened the file had a capability in effect * when the file was opened. * * This does not set PF_SUPERPRIV because the caller may not * actually be privileged. */ |
a6c8c6902
|
435 436 |
bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap) |
935d8aabd
|
437 438 439 440 441 442 443 444 445 446 447 448 |
{ if (WARN_ON_ONCE(!cap_valid(cap))) return false; if (security_capable(file->f_cred, ns, cap) == 0) return true; return false; } EXPORT_SYMBOL(file_ns_capable); /** |
23adbe12e
|
449 |
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
1a48e2ac0
|
450 451 452 |
* @inode: The inode in question * @cap: The capability in question * |
23adbe12e
|
453 454 455 |
* Return true if the current task has the given capability targeted at * its own user namespace and that the given inode's uid and gid are * mapped into the current user namespace. |
1a48e2ac0
|
456 |
*/ |
23adbe12e
|
457 |
bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) |
1a48e2ac0
|
458 459 |
{ struct user_namespace *ns = current_user_ns(); |
23adbe12e
|
460 461 |
return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && kgid_has_mapping(ns, inode->i_gid); |
1a48e2ac0
|
462 |
} |
23adbe12e
|
463 |
EXPORT_SYMBOL(capable_wrt_inode_uidgid); |