Blame view
kernel/capability.c
12.1 KB
1da177e4c Linux-2.6.12-rc2 |
1 2 3 4 5 |
/* * linux/kernel/capability.c * * Copyright (C) 1997 Andrew Main <zefram@fysh.org> * |
72c2d5823 V3 file capabilit... |
6 |
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4c Linux-2.6.12-rc2 |
7 |
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd9 whitespace fixes:... |
8 |
*/ |
1da177e4c Linux-2.6.12-rc2 |
9 |
|
f5645d357 capability: Use c... |
10 |
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
e68b75a02 When the capset s... |
11 |
#include <linux/audit.h> |
c59ede7b7 [PATCH] move capa... |
12 |
#include <linux/capability.h> |
1da177e4c Linux-2.6.12-rc2 |
13 |
#include <linux/mm.h> |
9984de1a5 kernel: Map most ... |
14 |
#include <linux/export.h> |
1da177e4c Linux-2.6.12-rc2 |
15 16 |
#include <linux/security.h> #include <linux/syscalls.h> |
b460cbc58 pid namespaces: d... |
17 |
#include <linux/pid_namespace.h> |
3486740a4 userns: security:... |
18 |
#include <linux/user_namespace.h> |
1da177e4c Linux-2.6.12-rc2 |
19 |
#include <asm/uaccess.h> |
1da177e4c Linux-2.6.12-rc2 |
20 21 |
/* |
e338d263a Add 64-bit capabi... |
22 23 24 25 |
* Leveraged for setting/resetting capabilities */ const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
e338d263a Add 64-bit capabi... |
26 |
EXPORT_SYMBOL(__cap_empty_set); |
e338d263a Add 64-bit capabi... |
27 |
|
1f29fae29 file capabilities... |
28 29 30 31 32 33 34 35 |
int file_caps_enabled = 1; static int __init file_caps_disable(char *str) { file_caps_enabled = 0; return 1; } __setup("no_file_caps", file_caps_disable); |
1f29fae29 file capabilities... |
36 |
|
2813893f8 kernel: condition... |
37 |
#ifdef CONFIG_MULTIUSER |
e338d263a Add 64-bit capabi... |
38 39 40 41 42 43 44 45 |
/* * More recent versions of libcap are available from: * * http://www.kernel.org/pub/linux/libs/security/linux-privs/ */ static void warn_legacy_capability_use(void) { |
f5645d357 capability: Use c... |
46 47 48 49 50 |
char name[sizeof(current->comm)]; pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use) ", get_task_comm(name, current)); |
e338d263a Add 64-bit capabi... |
51 52 53 |
} /* |
ca05a99a5 capabilities: rem... |
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
* Version 2 capabilities worked fine, but the linux/capability.h file * that accompanied their introduction encouraged their use without * the necessary user-space source code changes. As such, we have * created a version 3 with equivalent functionality to version 2, but * with a header change to protect legacy source code from using * version 2 when it wanted to use version 1. If your system has code * that trips the following warning, it is using version 2 specific * capabilities and may be doing so insecurely. * * The remedy is to either upgrade your version of libcap (to 2.10+, * if the application is linked against it), or recompile your * application with modern kernel headers and this warning will go * away. */ static void warn_deprecated_v2(void) { |
f5645d357 capability: Use c... |
71 |
char name[sizeof(current->comm)]; |
ca05a99a5 capabilities: rem... |
72 |
|
f5645d357 capability: Use c... |
73 74 75 |
pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure ", get_task_comm(name, current)); |
ca05a99a5 capabilities: rem... |
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
} /* * Version check. Return the number of u32s in each capability flag * array, or a negative value on error. */ static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) { __u32 version; if (get_user(version, &header->version)) return -EFAULT; switch (version) { case _LINUX_CAPABILITY_VERSION_1: warn_legacy_capability_use(); *tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: warn_deprecated_v2(); /* * fall through - v3 is otherwise equivalent to v2. */ case _LINUX_CAPABILITY_VERSION_3: *tocopy = _LINUX_CAPABILITY_U32S_3; break; default: if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) return -EFAULT; return -EINVAL; } return 0; } |
ab763c711 security: filesys... |
110 |
/* |
d84f4f992 CRED: Inaugurate ... |
111 112 113 114 115 |
* The only thing that can change the capabilities of the current * process is the current process. As such, we can't be in this code * at the same time as we are in the process of setting capabilities * in this process. The net result is that we can limit our use of * locks to when we are reading the caps of another process. |
ab763c711 security: filesys... |
116 117 118 119 120 121 122 123 |
*/ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, kernel_cap_t *pIp, kernel_cap_t *pPp) { int ret; if (pid && (pid != task_pid_vnr(current))) { struct task_struct *target; |
86fc80f16 capabilities: Use... |
124 |
rcu_read_lock(); |
ab763c711 security: filesys... |
125 126 127 128 129 130 |
target = find_task_by_vpid(pid); if (!target) ret = -ESRCH; else ret = security_capget(target, pEp, pIp, pPp); |
86fc80f16 capabilities: Use... |
131 |
rcu_read_unlock(); |
ab763c711 security: filesys... |
132 133 134 135 136 |
} else ret = security_capget(current, pEp, pIp, pPp); return ret; } |
207a7ba8d [PATCH] kernel/ca... |
137 |
/** |
1da177e4c Linux-2.6.12-rc2 |
138 |
* sys_capget - get the capabilities of a given process. |
207a7ba8d [PATCH] kernel/ca... |
139 140 141 142 143 144 |
* @header: pointer to struct that contains capability version and * target pid data * @dataptr: pointer to struct that contains the effective, permitted, * and inheritable capabilities that are returned * * Returns 0 on success and < 0 on error. |
1da177e4c Linux-2.6.12-rc2 |
145 |
*/ |
b290ebe2c [CVE-2009-0029] S... |
146 |
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
1da177e4c Linux-2.6.12-rc2 |
147 |
{ |
314f70fd9 whitespace fixes:... |
148 149 |
int ret = 0; pid_t pid; |
e338d263a Add 64-bit capabi... |
150 151 |
unsigned tocopy; kernel_cap_t pE, pI, pP; |
314f70fd9 whitespace fixes:... |
152 |
|
ca05a99a5 capabilities: rem... |
153 |
ret = cap_validate_magic(header, &tocopy); |
c4a5af54c Silence the exist... |
154 155 |
if ((dataptr == NULL) || (ret != 0)) return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
1da177e4c Linux-2.6.12-rc2 |
156 |
|
314f70fd9 whitespace fixes:... |
157 158 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1da177e4c Linux-2.6.12-rc2 |
159 |
|
314f70fd9 whitespace fixes:... |
160 161 |
if (pid < 0) return -EINVAL; |
1da177e4c Linux-2.6.12-rc2 |
162 |
|
ab763c711 security: filesys... |
163 |
ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
e338d263a Add 64-bit capabi... |
164 |
if (!ret) { |
ca05a99a5 capabilities: rem... |
165 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263a Add 64-bit capabi... |
166 167 168 169 170 171 172 173 174 |
unsigned i; for (i = 0; i < tocopy; i++) { kdata[i].effective = pE.cap[i]; kdata[i].permitted = pP.cap[i]; kdata[i].inheritable = pI.cap[i]; } /* |
ca05a99a5 capabilities: rem... |
175 |
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263a Add 64-bit capabi... |
176 177 178 179 180 181 182 183 184 185 186 187 188 |
* we silently drop the upper capabilities here. This * has the effect of making older libcap * implementations implicitly drop upper capability * bits when they perform a: capget/modify/capset * sequence. * * This behavior is considered fail-safe * behavior. Upgrading the application to a newer * version of libcap will enable access to the newer * capabilities. * * An alternative would be to return an error here * (-ERANGE), but that causes legacy applications to |
a6c8c6902 kernel/capability... |
189 |
* unexpectedly fail; the capget/modify/capset aborts |
e338d263a Add 64-bit capabi... |
190 191 192 |
* before modification is attempted and the application * fails. */ |
e338d263a Add 64-bit capabi... |
193 194 195 196 197 |
if (copy_to_user(dataptr, kdata, tocopy * sizeof(struct __user_cap_data_struct))) { return -EFAULT; } } |
1da177e4c Linux-2.6.12-rc2 |
198 |
|
314f70fd9 whitespace fixes:... |
199 |
return ret; |
1da177e4c Linux-2.6.12-rc2 |
200 |
} |
207a7ba8d [PATCH] kernel/ca... |
201 |
/** |
ab763c711 security: filesys... |
202 |
* sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8d [PATCH] kernel/ca... |
203 204 205 206 207 |
* @header: pointer to struct that contains capability version and * target pid data * @data: pointer to struct that contains the effective, permitted, * and inheritable capabilities * |
1cdcbec1a CRED: Neuter sys_... |
208 209 |
* Set capabilities for the current process only. The ability to any other * process(es) has been deprecated and removed. |
1da177e4c Linux-2.6.12-rc2 |
210 211 212 |
* * The restrictions on setting capabilities are specified as: * |
1cdcbec1a CRED: Neuter sys_... |
213 214 215 |
* I: any raised capabilities must be a subset of the old permitted * P: any raised capabilities must be a subset of the old permitted * E: must be set to a subset of new permitted |
207a7ba8d [PATCH] kernel/ca... |
216 217 |
* * Returns 0 on success and < 0 on error. |
1da177e4c Linux-2.6.12-rc2 |
218 |
*/ |
b290ebe2c [CVE-2009-0029] S... |
219 |
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
1da177e4c Linux-2.6.12-rc2 |
220 |
{ |
ca05a99a5 capabilities: rem... |
221 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
825332e4f capabilities: sim... |
222 |
unsigned i, tocopy, copybytes; |
314f70fd9 whitespace fixes:... |
223 |
kernel_cap_t inheritable, permitted, effective; |
d84f4f992 CRED: Inaugurate ... |
224 |
struct cred *new; |
314f70fd9 whitespace fixes:... |
225 226 |
int ret; pid_t pid; |
ca05a99a5 capabilities: rem... |
227 228 229 |
ret = cap_validate_magic(header, &tocopy); if (ret != 0) return ret; |
314f70fd9 whitespace fixes:... |
230 231 232 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1cdcbec1a CRED: Neuter sys_... |
233 234 235 |
/* may only affect current now */ if (pid != 0 && pid != task_pid_vnr(current)) return -EPERM; |
825332e4f capabilities: sim... |
236 237 238 239 240 |
copybytes = tocopy * sizeof(struct __user_cap_data_struct); if (copybytes > sizeof(kdata)) return -EFAULT; if (copy_from_user(&kdata, data, copybytes)) |
314f70fd9 whitespace fixes:... |
241 |
return -EFAULT; |
e338d263a Add 64-bit capabi... |
242 243 244 245 246 247 |
for (i = 0; i < tocopy; i++) { effective.cap[i] = kdata[i].effective; permitted.cap[i] = kdata[i].permitted; inheritable.cap[i] = kdata[i].inheritable; } |
ca05a99a5 capabilities: rem... |
248 |
while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263a Add 64-bit capabi... |
249 250 251 252 253 |
effective.cap[i] = 0; permitted.cap[i] = 0; inheritable.cap[i] = 0; i++; } |
314f70fd9 whitespace fixes:... |
254 |
|
7d8b6c637 CAPABILITIES: rem... |
255 256 257 |
effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
d84f4f992 CRED: Inaugurate ... |
258 259 260 261 262 263 264 265 |
new = prepare_creds(); if (!new) return -ENOMEM; ret = security_capset(new, current_cred(), &effective, &inheritable, &permitted); if (ret < 0) goto error; |
ca24a23eb audit: Simplify a... |
266 |
audit_log_capset(new, current_cred()); |
e68b75a02 When the capset s... |
267 |
|
d84f4f992 CRED: Inaugurate ... |
268 269 270 271 |
return commit_creds(new); error: abort_creds(new); |
314f70fd9 whitespace fixes:... |
272 |
return ret; |
1da177e4c Linux-2.6.12-rc2 |
273 |
} |
12b5989be [PATCH] refactor ... |
274 |
|
5cd9c58fb security: Fix set... |
275 |
/** |
25e757034 capabilities: cal... |
276 |
* has_ns_capability - Does a task have a capability in a specific user ns |
3263245de userns: make has_... |
277 |
* @t: The task in question |
25e757034 capabilities: cal... |
278 |
* @ns: target user namespace |
3263245de userns: make has_... |
279 280 281 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034 capabilities: cal... |
282 |
* currently in effect to the specified user namespace, false if not. |
3263245de userns: make has_... |
283 284 285 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034 capabilities: cal... |
286 287 |
bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de userns: make has_... |
288 |
{ |
2920a8409 capabilities: rem... |
289 290 291 |
int ret; rcu_read_lock(); |
25e757034 capabilities: cal... |
292 |
ret = security_capable(__task_cred(t), ns, cap); |
2920a8409 capabilities: rem... |
293 |
rcu_read_unlock(); |
3263245de userns: make has_... |
294 295 296 297 298 |
return (ret == 0); } /** |
25e757034 capabilities: cal... |
299 |
* has_capability - Does a task have a capability in init_user_ns |
3263245de userns: make has_... |
300 |
* @t: The task in question |
3263245de userns: make has_... |
301 302 303 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034 capabilities: cal... |
304 |
* currently in effect to the initial user namespace, false if not. |
3263245de userns: make has_... |
305 306 307 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034 capabilities: cal... |
308 |
bool has_capability(struct task_struct *t, int cap) |
3263245de userns: make has_... |
309 |
{ |
25e757034 capabilities: cal... |
310 |
return has_ns_capability(t, &init_user_ns, cap); |
3263245de userns: make has_... |
311 312 313 |
} /** |
7b61d6484 capabilites: intr... |
314 315 |
* has_ns_capability_noaudit - Does a task have a capability (unaudited) * in a specific user ns. |
3263245de userns: make has_... |
316 |
* @t: The task in question |
7b61d6484 capabilites: intr... |
317 |
* @ns: target user namespace |
3263245de userns: make has_... |
318 319 320 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
7b61d6484 capabilites: intr... |
321 322 |
* currently in effect to the specified user namespace, false if not. * Do not write an audit message for the check. |
3263245de userns: make has_... |
323 324 325 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
7b61d6484 capabilites: intr... |
326 327 |
bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de userns: make has_... |
328 |
{ |
2920a8409 capabilities: rem... |
329 330 331 |
int ret; rcu_read_lock(); |
7b61d6484 capabilites: intr... |
332 |
ret = security_capable_noaudit(__task_cred(t), ns, cap); |
2920a8409 capabilities: rem... |
333 |
rcu_read_unlock(); |
3263245de userns: make has_... |
334 335 336 337 338 |
return (ret == 0); } /** |
7b61d6484 capabilites: intr... |
339 340 341 |
* has_capability_noaudit - Does a task have a capability (unaudited) in the * initial user ns * @t: The task in question |
5cd9c58fb security: Fix set... |
342 343 |
* @cap: The capability to be tested for * |
7b61d6484 capabilites: intr... |
344 345 346 |
* Return true if the specified task has the given superior capability * currently in effect to init_user_ns, false if not. Don't write an * audit message for the check. |
5cd9c58fb security: Fix set... |
347 |
* |
7b61d6484 capabilites: intr... |
348 |
* Note that this does not set PF_SUPERPRIV on the task. |
5cd9c58fb security: Fix set... |
349 |
*/ |
7b61d6484 capabilites: intr... |
350 |
bool has_capability_noaudit(struct task_struct *t, int cap) |
3486740a4 userns: security:... |
351 |
{ |
7b61d6484 capabilites: intr... |
352 |
return has_ns_capability_noaudit(t, &init_user_ns, cap); |
3486740a4 userns: security:... |
353 |
} |
3486740a4 userns: security:... |
354 355 356 357 358 359 360 361 362 363 364 365 366 |
/** * ns_capable - Determine if the current task has a superior capability in effect * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool ns_capable(struct user_namespace *ns, int cap) |
12b5989be [PATCH] refactor ... |
367 |
{ |
637d32dc7 Capabilities: BUG... |
368 |
if (unlikely(!cap_valid(cap))) { |
f5645d357 capability: Use c... |
369 370 |
pr_crit("capable() called with invalid cap=%u ", cap); |
637d32dc7 Capabilities: BUG... |
371 372 |
BUG(); } |
951880e63 Revert "capabitli... |
373 |
if (security_capable(current_cred(), ns, cap) == 0) { |
5cd9c58fb security: Fix set... |
374 |
current->flags |= PF_SUPERPRIV; |
3486740a4 userns: security:... |
375 |
return true; |
12b5989be [PATCH] refactor ... |
376 |
} |
3486740a4 userns: security:... |
377 |
return false; |
12b5989be [PATCH] refactor ... |
378 |
} |
3486740a4 userns: security:... |
379 |
EXPORT_SYMBOL(ns_capable); |
2813893f8 kernel: condition... |
380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 |
/** * capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool capable(int cap) { return ns_capable(&init_user_ns, cap); } EXPORT_SYMBOL(capable); #endif /* CONFIG_MULTIUSER */ |
3486740a4 userns: security:... |
397 |
/** |
935d8aabd Add file_ns_capab... |
398 399 400 401 402 403 404 405 406 407 408 |
* file_ns_capable - Determine if the file's opener had a capability in effect * @file: The file we want to check * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if task that opened the file had a capability in effect * when the file was opened. * * This does not set PF_SUPERPRIV because the caller may not * actually be privileged. */ |
a6c8c6902 kernel/capability... |
409 410 |
bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap) |
935d8aabd Add file_ns_capab... |
411 412 413 414 415 416 417 418 419 420 421 422 |
{ if (WARN_ON_ONCE(!cap_valid(cap))) return false; if (security_capable(file->f_cred, ns, cap) == 0) return true; return false; } EXPORT_SYMBOL(file_ns_capable); /** |
23adbe12e fs,userns: Change... |
423 |
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
1a48e2ac0 userns: Replace t... |
424 425 426 |
* @inode: The inode in question * @cap: The capability in question * |
23adbe12e fs,userns: Change... |
427 428 429 |
* Return true if the current task has the given capability targeted at * its own user namespace and that the given inode's uid and gid are * mapped into the current user namespace. |
1a48e2ac0 userns: Replace t... |
430 |
*/ |
23adbe12e fs,userns: Change... |
431 |
bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) |
1a48e2ac0 userns: Replace t... |
432 433 |
{ struct user_namespace *ns = current_user_ns(); |
23adbe12e fs,userns: Change... |
434 435 |
return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && kgid_has_mapping(ns, inode->i_gid); |
1a48e2ac0 userns: Replace t... |
436 |
} |
23adbe12e fs,userns: Change... |
437 |
EXPORT_SYMBOL(capable_wrt_inode_uidgid); |