Blame view
kernel/capability.c
11 KB
1da177e4c
|
1 2 3 4 5 |
/* * linux/kernel/capability.c * * Copyright (C) 1997 Andrew Main <zefram@fysh.org> * |
72c2d5823
|
6 |
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4c
|
7 |
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd9
|
8 |
*/ |
1da177e4c
|
9 |
|
e68b75a02
|
10 |
#include <linux/audit.h> |
c59ede7b7
|
11 |
#include <linux/capability.h> |
1da177e4c
|
12 |
#include <linux/mm.h> |
9984de1a5
|
13 |
#include <linux/export.h> |
1da177e4c
|
14 15 |
#include <linux/security.h> #include <linux/syscalls.h> |
b460cbc58
|
16 |
#include <linux/pid_namespace.h> |
3486740a4
|
17 |
#include <linux/user_namespace.h> |
1da177e4c
|
18 |
#include <asm/uaccess.h> |
1da177e4c
|
19 20 |
/* |
e338d263a
|
21 22 23 24 |
* Leveraged for setting/resetting capabilities */ const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
e338d263a
|
25 26 |
EXPORT_SYMBOL(__cap_empty_set); |
e338d263a
|
27 |
|
1f29fae29
|
28 29 30 31 32 33 34 35 |
int file_caps_enabled = 1; static int __init file_caps_disable(char *str) { file_caps_enabled = 0; return 1; } __setup("no_file_caps", file_caps_disable); |
1f29fae29
|
36 |
|
e338d263a
|
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 |
/* * More recent versions of libcap are available from: * * http://www.kernel.org/pub/linux/libs/security/linux-privs/ */ static void warn_legacy_capability_use(void) { static int warned; if (!warned) { char name[sizeof(current->comm)]; printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" " (legacy support in use) ", get_task_comm(name, current)); warned = 1; } } /* |
ca05a99a5
|
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 |
* Version 2 capabilities worked fine, but the linux/capability.h file * that accompanied their introduction encouraged their use without * the necessary user-space source code changes. As such, we have * created a version 3 with equivalent functionality to version 2, but * with a header change to protect legacy source code from using * version 2 when it wanted to use version 1. If your system has code * that trips the following warning, it is using version 2 specific * capabilities and may be doing so insecurely. * * The remedy is to either upgrade your version of libcap (to 2.10+, * if the application is linked against it), or recompile your * application with modern kernel headers and this warning will go * away. */ static void warn_deprecated_v2(void) { static int warned; if (!warned) { char name[sizeof(current->comm)]; printk(KERN_INFO "warning: `%s' uses deprecated v2" " capabilities in a way that may be insecure. ", get_task_comm(name, current)); warned = 1; } } /* * Version check. Return the number of u32s in each capability flag * array, or a negative value on error. */ static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) { __u32 version; if (get_user(version, &header->version)) return -EFAULT; switch (version) { case _LINUX_CAPABILITY_VERSION_1: warn_legacy_capability_use(); *tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: warn_deprecated_v2(); /* * fall through - v3 is otherwise equivalent to v2. */ case _LINUX_CAPABILITY_VERSION_3: *tocopy = _LINUX_CAPABILITY_U32S_3; break; default: if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) return -EFAULT; return -EINVAL; } return 0; } |
ab763c711
|
120 |
/* |
d84f4f992
|
121 122 123 124 125 |
* The only thing that can change the capabilities of the current * process is the current process. As such, we can't be in this code * at the same time as we are in the process of setting capabilities * in this process. The net result is that we can limit our use of * locks to when we are reading the caps of another process. |
ab763c711
|
126 127 128 129 130 131 132 133 |
*/ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, kernel_cap_t *pIp, kernel_cap_t *pPp) { int ret; if (pid && (pid != task_pid_vnr(current))) { struct task_struct *target; |
86fc80f16
|
134 |
rcu_read_lock(); |
ab763c711
|
135 136 137 138 139 140 |
target = find_task_by_vpid(pid); if (!target) ret = -ESRCH; else ret = security_capget(target, pEp, pIp, pPp); |
86fc80f16
|
141 |
rcu_read_unlock(); |
ab763c711
|
142 143 144 145 146 |
} else ret = security_capget(current, pEp, pIp, pPp); return ret; } |
207a7ba8d
|
147 |
/** |
1da177e4c
|
148 |
* sys_capget - get the capabilities of a given process. |
207a7ba8d
|
149 150 151 152 153 154 |
* @header: pointer to struct that contains capability version and * target pid data * @dataptr: pointer to struct that contains the effective, permitted, * and inheritable capabilities that are returned * * Returns 0 on success and < 0 on error. |
1da177e4c
|
155 |
*/ |
b290ebe2c
|
156 |
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
1da177e4c
|
157 |
{ |
314f70fd9
|
158 159 |
int ret = 0; pid_t pid; |
e338d263a
|
160 161 |
unsigned tocopy; kernel_cap_t pE, pI, pP; |
314f70fd9
|
162 |
|
ca05a99a5
|
163 |
ret = cap_validate_magic(header, &tocopy); |
c4a5af54c
|
164 165 |
if ((dataptr == NULL) || (ret != 0)) return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
1da177e4c
|
166 |
|
314f70fd9
|
167 168 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1da177e4c
|
169 |
|
314f70fd9
|
170 171 |
if (pid < 0) return -EINVAL; |
1da177e4c
|
172 |
|
ab763c711
|
173 |
ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
e338d263a
|
174 |
if (!ret) { |
ca05a99a5
|
175 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263a
|
176 177 178 179 180 181 182 183 184 |
unsigned i; for (i = 0; i < tocopy; i++) { kdata[i].effective = pE.cap[i]; kdata[i].permitted = pP.cap[i]; kdata[i].inheritable = pI.cap[i]; } /* |
ca05a99a5
|
185 |
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263a
|
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 |
* we silently drop the upper capabilities here. This * has the effect of making older libcap * implementations implicitly drop upper capability * bits when they perform a: capget/modify/capset * sequence. * * This behavior is considered fail-safe * behavior. Upgrading the application to a newer * version of libcap will enable access to the newer * capabilities. * * An alternative would be to return an error here * (-ERANGE), but that causes legacy applications to * unexpectidly fail; the capget/modify/capset aborts * before modification is attempted and the application * fails. */ |
e338d263a
|
203 204 205 206 207 |
if (copy_to_user(dataptr, kdata, tocopy * sizeof(struct __user_cap_data_struct))) { return -EFAULT; } } |
1da177e4c
|
208 |
|
314f70fd9
|
209 |
return ret; |
1da177e4c
|
210 |
} |
207a7ba8d
|
211 |
/** |
ab763c711
|
212 |
* sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8d
|
213 214 215 216 217 |
* @header: pointer to struct that contains capability version and * target pid data * @data: pointer to struct that contains the effective, permitted, * and inheritable capabilities * |
1cdcbec1a
|
218 219 |
* Set capabilities for the current process only. The ability to any other * process(es) has been deprecated and removed. |
1da177e4c
|
220 221 222 |
* * The restrictions on setting capabilities are specified as: * |
1cdcbec1a
|
223 224 225 |
* I: any raised capabilities must be a subset of the old permitted * P: any raised capabilities must be a subset of the old permitted * E: must be set to a subset of new permitted |
207a7ba8d
|
226 227 |
* * Returns 0 on success and < 0 on error. |
1da177e4c
|
228 |
*/ |
b290ebe2c
|
229 |
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
1da177e4c
|
230 |
{ |
ca05a99a5
|
231 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
825332e4f
|
232 |
unsigned i, tocopy, copybytes; |
314f70fd9
|
233 |
kernel_cap_t inheritable, permitted, effective; |
d84f4f992
|
234 |
struct cred *new; |
314f70fd9
|
235 236 |
int ret; pid_t pid; |
ca05a99a5
|
237 238 239 |
ret = cap_validate_magic(header, &tocopy); if (ret != 0) return ret; |
314f70fd9
|
240 241 242 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1cdcbec1a
|
243 244 245 |
/* may only affect current now */ if (pid != 0 && pid != task_pid_vnr(current)) return -EPERM; |
825332e4f
|
246 247 248 249 250 |
copybytes = tocopy * sizeof(struct __user_cap_data_struct); if (copybytes > sizeof(kdata)) return -EFAULT; if (copy_from_user(&kdata, data, copybytes)) |
314f70fd9
|
251 |
return -EFAULT; |
e338d263a
|
252 253 254 255 256 257 |
for (i = 0; i < tocopy; i++) { effective.cap[i] = kdata[i].effective; permitted.cap[i] = kdata[i].permitted; inheritable.cap[i] = kdata[i].inheritable; } |
ca05a99a5
|
258 |
while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263a
|
259 260 261 262 263 |
effective.cap[i] = 0; permitted.cap[i] = 0; inheritable.cap[i] = 0; i++; } |
314f70fd9
|
264 |
|
d84f4f992
|
265 266 267 268 269 270 271 272 |
new = prepare_creds(); if (!new) return -ENOMEM; ret = security_capset(new, current_cred(), &effective, &inheritable, &permitted); if (ret < 0) goto error; |
57f71a0af
|
273 |
audit_log_capset(pid, new, current_cred()); |
e68b75a02
|
274 |
|
d84f4f992
|
275 276 277 278 |
return commit_creds(new); error: abort_creds(new); |
314f70fd9
|
279 |
return ret; |
1da177e4c
|
280 |
} |
12b5989be
|
281 |
|
5cd9c58fb
|
282 |
/** |
25e757034
|
283 |
* has_ns_capability - Does a task have a capability in a specific user ns |
3263245de
|
284 |
* @t: The task in question |
25e757034
|
285 |
* @ns: target user namespace |
3263245de
|
286 287 288 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
289 |
* currently in effect to the specified user namespace, false if not. |
3263245de
|
290 291 292 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
293 294 |
bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
295 |
{ |
2920a8409
|
296 297 298 |
int ret; rcu_read_lock(); |
25e757034
|
299 |
ret = security_capable(__task_cred(t), ns, cap); |
2920a8409
|
300 |
rcu_read_unlock(); |
3263245de
|
301 302 303 304 305 |
return (ret == 0); } /** |
25e757034
|
306 |
* has_capability - Does a task have a capability in init_user_ns |
3263245de
|
307 |
* @t: The task in question |
3263245de
|
308 309 310 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
311 |
* currently in effect to the initial user namespace, false if not. |
3263245de
|
312 313 314 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
315 |
bool has_capability(struct task_struct *t, int cap) |
3263245de
|
316 |
{ |
25e757034
|
317 |
return has_ns_capability(t, &init_user_ns, cap); |
3263245de
|
318 319 320 |
} /** |
7b61d6484
|
321 322 |
* has_ns_capability_noaudit - Does a task have a capability (unaudited) * in a specific user ns. |
3263245de
|
323 |
* @t: The task in question |
7b61d6484
|
324 |
* @ns: target user namespace |
3263245de
|
325 326 327 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
7b61d6484
|
328 329 |
* currently in effect to the specified user namespace, false if not. * Do not write an audit message for the check. |
3263245de
|
330 331 332 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
7b61d6484
|
333 334 |
bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
335 |
{ |
2920a8409
|
336 337 338 |
int ret; rcu_read_lock(); |
7b61d6484
|
339 |
ret = security_capable_noaudit(__task_cred(t), ns, cap); |
2920a8409
|
340 |
rcu_read_unlock(); |
3263245de
|
341 342 343 344 345 |
return (ret == 0); } /** |
7b61d6484
|
346 347 348 |
* has_capability_noaudit - Does a task have a capability (unaudited) in the * initial user ns * @t: The task in question |
5cd9c58fb
|
349 350 |
* @cap: The capability to be tested for * |
7b61d6484
|
351 352 353 |
* Return true if the specified task has the given superior capability * currently in effect to init_user_ns, false if not. Don't write an * audit message for the check. |
5cd9c58fb
|
354 |
* |
7b61d6484
|
355 |
* Note that this does not set PF_SUPERPRIV on the task. |
5cd9c58fb
|
356 |
*/ |
7b61d6484
|
357 |
bool has_capability_noaudit(struct task_struct *t, int cap) |
3486740a4
|
358 |
{ |
7b61d6484
|
359 |
return has_ns_capability_noaudit(t, &init_user_ns, cap); |
3486740a4
|
360 |
} |
3486740a4
|
361 362 363 364 365 366 367 368 369 370 371 372 373 |
/** * ns_capable - Determine if the current task has a superior capability in effect * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool ns_capable(struct user_namespace *ns, int cap) |
12b5989be
|
374 |
{ |
637d32dc7
|
375 376 377 378 379 |
if (unlikely(!cap_valid(cap))) { printk(KERN_CRIT "capable() called with invalid cap=%u ", cap); BUG(); } |
951880e63
|
380 |
if (security_capable(current_cred(), ns, cap) == 0) { |
5cd9c58fb
|
381 |
current->flags |= PF_SUPERPRIV; |
3486740a4
|
382 |
return true; |
12b5989be
|
383 |
} |
3486740a4
|
384 |
return false; |
12b5989be
|
385 |
} |
3486740a4
|
386 387 388 |
EXPORT_SYMBOL(ns_capable); /** |
105ddf49c
|
389 390 391 392 393 |
* capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. |
3486740a4
|
394 |
* |
105ddf49c
|
395 396 |
* This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. |
3486740a4
|
397 |
*/ |
105ddf49c
|
398 |
bool capable(int cap) |
3486740a4
|
399 |
{ |
105ddf49c
|
400 |
return ns_capable(&init_user_ns, cap); |
3486740a4
|
401 |
} |
105ddf49c
|
402 |
EXPORT_SYMBOL(capable); |
47a150edc
|
403 404 405 406 407 408 409 410 411 412 413 414 |
/** * nsown_capable - Check superior capability to one's own user_ns * @cap: The capability in question * * Return true if the current task has the given superior capability * targeted at its own user namespace. */ bool nsown_capable(int cap) { return ns_capable(current_user_ns(), cap); } |