Blame view
kernel/capability.c
12 KB
1da177e4c
|
1 2 3 4 5 |
/* * linux/kernel/capability.c * * Copyright (C) 1997 Andrew Main <zefram@fysh.org> * |
72c2d5823
|
6 |
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4c
|
7 |
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd9
|
8 |
*/ |
1da177e4c
|
9 |
|
f5645d357
|
10 |
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
e68b75a02
|
11 |
#include <linux/audit.h> |
c59ede7b7
|
12 |
#include <linux/capability.h> |
1da177e4c
|
13 |
#include <linux/mm.h> |
9984de1a5
|
14 |
#include <linux/export.h> |
1da177e4c
|
15 16 |
#include <linux/security.h> #include <linux/syscalls.h> |
b460cbc58
|
17 |
#include <linux/pid_namespace.h> |
3486740a4
|
18 |
#include <linux/user_namespace.h> |
1da177e4c
|
19 |
#include <asm/uaccess.h> |
1da177e4c
|
20 21 |
/* |
e338d263a
|
22 23 24 25 |
* Leveraged for setting/resetting capabilities */ const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
e338d263a
|
26 |
EXPORT_SYMBOL(__cap_empty_set); |
e338d263a
|
27 |
|
1f29fae29
|
28 29 30 31 32 33 34 35 |
int file_caps_enabled = 1; static int __init file_caps_disable(char *str) { file_caps_enabled = 0; return 1; } __setup("no_file_caps", file_caps_disable); |
1f29fae29
|
36 |
|
e338d263a
|
37 38 39 40 41 42 43 44 |
/* * More recent versions of libcap are available from: * * http://www.kernel.org/pub/linux/libs/security/linux-privs/ */ static void warn_legacy_capability_use(void) { |
f5645d357
|
45 46 47 48 49 |
char name[sizeof(current->comm)]; pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use) ", get_task_comm(name, current)); |
e338d263a
|
50 51 52 |
} /* |
ca05a99a5
|
53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 |
* Version 2 capabilities worked fine, but the linux/capability.h file * that accompanied their introduction encouraged their use without * the necessary user-space source code changes. As such, we have * created a version 3 with equivalent functionality to version 2, but * with a header change to protect legacy source code from using * version 2 when it wanted to use version 1. If your system has code * that trips the following warning, it is using version 2 specific * capabilities and may be doing so insecurely. * * The remedy is to either upgrade your version of libcap (to 2.10+, * if the application is linked against it), or recompile your * application with modern kernel headers and this warning will go * away. */ static void warn_deprecated_v2(void) { |
f5645d357
|
70 |
char name[sizeof(current->comm)]; |
ca05a99a5
|
71 |
|
f5645d357
|
72 73 74 |
pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure ", get_task_comm(name, current)); |
ca05a99a5
|
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
} /* * Version check. Return the number of u32s in each capability flag * array, or a negative value on error. */ static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) { __u32 version; if (get_user(version, &header->version)) return -EFAULT; switch (version) { case _LINUX_CAPABILITY_VERSION_1: warn_legacy_capability_use(); *tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: warn_deprecated_v2(); /* * fall through - v3 is otherwise equivalent to v2. */ case _LINUX_CAPABILITY_VERSION_3: *tocopy = _LINUX_CAPABILITY_U32S_3; break; default: if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) return -EFAULT; return -EINVAL; } return 0; } |
ab763c711
|
109 |
/* |
d84f4f992
|
110 111 112 113 114 |
* The only thing that can change the capabilities of the current * process is the current process. As such, we can't be in this code * at the same time as we are in the process of setting capabilities * in this process. The net result is that we can limit our use of * locks to when we are reading the caps of another process. |
ab763c711
|
115 116 117 118 119 120 121 122 |
*/ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, kernel_cap_t *pIp, kernel_cap_t *pPp) { int ret; if (pid && (pid != task_pid_vnr(current))) { struct task_struct *target; |
86fc80f16
|
123 |
rcu_read_lock(); |
ab763c711
|
124 125 126 127 128 129 |
target = find_task_by_vpid(pid); if (!target) ret = -ESRCH; else ret = security_capget(target, pEp, pIp, pPp); |
86fc80f16
|
130 |
rcu_read_unlock(); |
ab763c711
|
131 132 133 134 135 |
} else ret = security_capget(current, pEp, pIp, pPp); return ret; } |
207a7ba8d
|
136 |
/** |
1da177e4c
|
137 |
* sys_capget - get the capabilities of a given process. |
207a7ba8d
|
138 139 140 141 142 143 |
* @header: pointer to struct that contains capability version and * target pid data * @dataptr: pointer to struct that contains the effective, permitted, * and inheritable capabilities that are returned * * Returns 0 on success and < 0 on error. |
1da177e4c
|
144 |
*/ |
b290ebe2c
|
145 |
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
1da177e4c
|
146 |
{ |
314f70fd9
|
147 148 |
int ret = 0; pid_t pid; |
e338d263a
|
149 150 |
unsigned tocopy; kernel_cap_t pE, pI, pP; |
314f70fd9
|
151 |
|
ca05a99a5
|
152 |
ret = cap_validate_magic(header, &tocopy); |
c4a5af54c
|
153 154 |
if ((dataptr == NULL) || (ret != 0)) return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
1da177e4c
|
155 |
|
314f70fd9
|
156 157 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1da177e4c
|
158 |
|
314f70fd9
|
159 160 |
if (pid < 0) return -EINVAL; |
1da177e4c
|
161 |
|
ab763c711
|
162 |
ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
e338d263a
|
163 |
if (!ret) { |
ca05a99a5
|
164 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263a
|
165 166 167 168 169 170 171 172 173 |
unsigned i; for (i = 0; i < tocopy; i++) { kdata[i].effective = pE.cap[i]; kdata[i].permitted = pP.cap[i]; kdata[i].inheritable = pI.cap[i]; } /* |
ca05a99a5
|
174 |
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263a
|
175 176 177 178 179 180 181 182 183 184 185 186 187 |
* we silently drop the upper capabilities here. This * has the effect of making older libcap * implementations implicitly drop upper capability * bits when they perform a: capget/modify/capset * sequence. * * This behavior is considered fail-safe * behavior. Upgrading the application to a newer * version of libcap will enable access to the newer * capabilities. * * An alternative would be to return an error here * (-ERANGE), but that causes legacy applications to |
a6c8c6902
|
188 |
* unexpectedly fail; the capget/modify/capset aborts |
e338d263a
|
189 190 191 |
* before modification is attempted and the application * fails. */ |
e338d263a
|
192 193 194 195 196 |
if (copy_to_user(dataptr, kdata, tocopy * sizeof(struct __user_cap_data_struct))) { return -EFAULT; } } |
1da177e4c
|
197 |
|
314f70fd9
|
198 |
return ret; |
1da177e4c
|
199 |
} |
207a7ba8d
|
200 |
/** |
ab763c711
|
201 |
* sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8d
|
202 203 204 205 206 |
* @header: pointer to struct that contains capability version and * target pid data * @data: pointer to struct that contains the effective, permitted, * and inheritable capabilities * |
1cdcbec1a
|
207 208 |
* Set capabilities for the current process only. The ability to any other * process(es) has been deprecated and removed. |
1da177e4c
|
209 210 211 |
* * The restrictions on setting capabilities are specified as: * |
1cdcbec1a
|
212 213 214 |
* I: any raised capabilities must be a subset of the old permitted * P: any raised capabilities must be a subset of the old permitted * E: must be set to a subset of new permitted |
207a7ba8d
|
215 216 |
* * Returns 0 on success and < 0 on error. |
1da177e4c
|
217 |
*/ |
b290ebe2c
|
218 |
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
1da177e4c
|
219 |
{ |
ca05a99a5
|
220 |
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
825332e4f
|
221 |
unsigned i, tocopy, copybytes; |
314f70fd9
|
222 |
kernel_cap_t inheritable, permitted, effective; |
d84f4f992
|
223 |
struct cred *new; |
314f70fd9
|
224 225 |
int ret; pid_t pid; |
ca05a99a5
|
226 227 228 |
ret = cap_validate_magic(header, &tocopy); if (ret != 0) return ret; |
314f70fd9
|
229 230 231 |
if (get_user(pid, &header->pid)) return -EFAULT; |
1cdcbec1a
|
232 233 234 |
/* may only affect current now */ if (pid != 0 && pid != task_pid_vnr(current)) return -EPERM; |
825332e4f
|
235 236 237 238 239 |
copybytes = tocopy * sizeof(struct __user_cap_data_struct); if (copybytes > sizeof(kdata)) return -EFAULT; if (copy_from_user(&kdata, data, copybytes)) |
314f70fd9
|
240 |
return -EFAULT; |
e338d263a
|
241 242 243 244 245 246 |
for (i = 0; i < tocopy; i++) { effective.cap[i] = kdata[i].effective; permitted.cap[i] = kdata[i].permitted; inheritable.cap[i] = kdata[i].inheritable; } |
ca05a99a5
|
247 |
while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263a
|
248 249 250 251 252 |
effective.cap[i] = 0; permitted.cap[i] = 0; inheritable.cap[i] = 0; i++; } |
314f70fd9
|
253 |
|
7d8b6c637
|
254 255 256 |
effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
d84f4f992
|
257 258 259 260 261 262 263 264 |
new = prepare_creds(); if (!new) return -ENOMEM; ret = security_capset(new, current_cred(), &effective, &inheritable, &permitted); if (ret < 0) goto error; |
ca24a23eb
|
265 |
audit_log_capset(new, current_cred()); |
e68b75a02
|
266 |
|
d84f4f992
|
267 268 269 270 |
return commit_creds(new); error: abort_creds(new); |
314f70fd9
|
271 |
return ret; |
1da177e4c
|
272 |
} |
12b5989be
|
273 |
|
5cd9c58fb
|
274 |
/** |
25e757034
|
275 |
* has_ns_capability - Does a task have a capability in a specific user ns |
3263245de
|
276 |
* @t: The task in question |
25e757034
|
277 |
* @ns: target user namespace |
3263245de
|
278 279 280 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
281 |
* currently in effect to the specified user namespace, false if not. |
3263245de
|
282 283 284 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
285 286 |
bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
287 |
{ |
2920a8409
|
288 289 290 |
int ret; rcu_read_lock(); |
25e757034
|
291 |
ret = security_capable(__task_cred(t), ns, cap); |
2920a8409
|
292 |
rcu_read_unlock(); |
3263245de
|
293 294 295 296 297 |
return (ret == 0); } /** |
25e757034
|
298 |
* has_capability - Does a task have a capability in init_user_ns |
3263245de
|
299 |
* @t: The task in question |
3263245de
|
300 301 302 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
25e757034
|
303 |
* currently in effect to the initial user namespace, false if not. |
3263245de
|
304 305 306 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
25e757034
|
307 |
bool has_capability(struct task_struct *t, int cap) |
3263245de
|
308 |
{ |
25e757034
|
309 |
return has_ns_capability(t, &init_user_ns, cap); |
3263245de
|
310 311 312 |
} /** |
7b61d6484
|
313 314 |
* has_ns_capability_noaudit - Does a task have a capability (unaudited) * in a specific user ns. |
3263245de
|
315 |
* @t: The task in question |
7b61d6484
|
316 |
* @ns: target user namespace |
3263245de
|
317 318 319 |
* @cap: The capability to be tested for * * Return true if the specified task has the given superior capability |
7b61d6484
|
320 321 |
* currently in effect to the specified user namespace, false if not. * Do not write an audit message for the check. |
3263245de
|
322 323 324 |
* * Note that this does not set PF_SUPERPRIV on the task. */ |
7b61d6484
|
325 326 |
bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap) |
3263245de
|
327 |
{ |
2920a8409
|
328 329 330 |
int ret; rcu_read_lock(); |
7b61d6484
|
331 |
ret = security_capable_noaudit(__task_cred(t), ns, cap); |
2920a8409
|
332 |
rcu_read_unlock(); |
3263245de
|
333 334 335 336 337 |
return (ret == 0); } /** |
7b61d6484
|
338 339 340 |
* has_capability_noaudit - Does a task have a capability (unaudited) in the * initial user ns * @t: The task in question |
5cd9c58fb
|
341 342 |
* @cap: The capability to be tested for * |
7b61d6484
|
343 344 345 |
* Return true if the specified task has the given superior capability * currently in effect to init_user_ns, false if not. Don't write an * audit message for the check. |
5cd9c58fb
|
346 |
* |
7b61d6484
|
347 |
* Note that this does not set PF_SUPERPRIV on the task. |
5cd9c58fb
|
348 |
*/ |
7b61d6484
|
349 |
bool has_capability_noaudit(struct task_struct *t, int cap) |
3486740a4
|
350 |
{ |
7b61d6484
|
351 |
return has_ns_capability_noaudit(t, &init_user_ns, cap); |
3486740a4
|
352 |
} |
3486740a4
|
353 354 355 356 357 358 359 360 361 362 363 364 365 |
/** * ns_capable - Determine if the current task has a superior capability in effect * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. * * This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. */ bool ns_capable(struct user_namespace *ns, int cap) |
12b5989be
|
366 |
{ |
637d32dc7
|
367 |
if (unlikely(!cap_valid(cap))) { |
f5645d357
|
368 369 |
pr_crit("capable() called with invalid cap=%u ", cap); |
637d32dc7
|
370 371 |
BUG(); } |
951880e63
|
372 |
if (security_capable(current_cred(), ns, cap) == 0) { |
5cd9c58fb
|
373 |
current->flags |= PF_SUPERPRIV; |
3486740a4
|
374 |
return true; |
12b5989be
|
375 |
} |
3486740a4
|
376 |
return false; |
12b5989be
|
377 |
} |
3486740a4
|
378 379 380 |
EXPORT_SYMBOL(ns_capable); /** |
935d8aabd
|
381 382 383 384 385 386 387 388 389 390 391 |
* file_ns_capable - Determine if the file's opener had a capability in effect * @file: The file we want to check * @ns: The usernamespace we want the capability in * @cap: The capability to be tested for * * Return true if task that opened the file had a capability in effect * when the file was opened. * * This does not set PF_SUPERPRIV because the caller may not * actually be privileged. */ |
a6c8c6902
|
392 393 |
bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap) |
935d8aabd
|
394 395 396 397 398 399 400 401 402 403 404 405 |
{ if (WARN_ON_ONCE(!cap_valid(cap))) return false; if (security_capable(file->f_cred, ns, cap) == 0) return true; return false; } EXPORT_SYMBOL(file_ns_capable); /** |
105ddf49c
|
406 407 408 409 410 |
* capable - Determine if the current task has a superior capability in effect * @cap: The capability to be tested for * * Return true if the current task has the given superior capability currently * available for use, false if not. |
3486740a4
|
411 |
* |
105ddf49c
|
412 413 |
* This sets PF_SUPERPRIV on the task if the capability is available on the * assumption that it's about to be used. |
3486740a4
|
414 |
*/ |
105ddf49c
|
415 |
bool capable(int cap) |
3486740a4
|
416 |
{ |
105ddf49c
|
417 |
return ns_capable(&init_user_ns, cap); |
3486740a4
|
418 |
} |
105ddf49c
|
419 |
EXPORT_SYMBOL(capable); |
47a150edc
|
420 421 |
/** |
23adbe12e
|
422 |
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
1a48e2ac0
|
423 424 425 |
* @inode: The inode in question * @cap: The capability in question * |
23adbe12e
|
426 427 428 |
* Return true if the current task has the given capability targeted at * its own user namespace and that the given inode's uid and gid are * mapped into the current user namespace. |
1a48e2ac0
|
429 |
*/ |
23adbe12e
|
430 |
bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) |
1a48e2ac0
|
431 432 |
{ struct user_namespace *ns = current_user_ns(); |
23adbe12e
|
433 434 |
return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && kgid_has_mapping(ns, inode->i_gid); |
1a48e2ac0
|
435 |
} |
23adbe12e
|
436 |
EXPORT_SYMBOL(capable_wrt_inode_uidgid); |