1/* Common capabilities, needed by capability.o. 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10#include <linux/capability.h> 11#include <linux/audit.h> 12#include <linux/module.h> 13#include <linux/init.h> 14#include <linux/kernel.h> 15#include <linux/security.h> 16#include <linux/file.h> 17#include <linux/mm.h> 18#include <linux/mman.h> 19#include <linux/pagemap.h> 20#include <linux/swap.h> 21#include <linux/skbuff.h> 22#include <linux/netlink.h> 23#include <linux/ptrace.h> 24#include <linux/xattr.h> 25#include <linux/hugetlb.h> 26#include <linux/mount.h> 27#include <linux/sched.h> 28#include <linux/prctl.h> 29#include <linux/securebits.h> 30#include <linux/user_namespace.h> 31#include <linux/binfmts.h> 32#include <linux/personality.h> 33 34/* 35 * If a non-root user executes a setuid-root binary in 36 * !secure(SECURE_NOROOT) mode, then we raise capabilities. 37 * However if fE is also set, then the intent is for only 38 * the file capabilities to be applied, and the setuid-root 39 * bit is left on either to change the uid (plausible) or 40 * to get full privilege on a kernel without file capabilities 41 * support. So in that case we do not raise capabilities. 42 * 43 * Warn if that happens, once per boot. 44 */ 45static void warn_setuid_and_fcaps_mixed(const char *fname) 46{ 47 static int warned; 48 if (!warned) { 49 printk(KERN_INFO "warning: `%s' has both setuid-root and" 50 " effective capabilities. Therefore not raising all" 51 " capabilities.\n", fname); 52 warned = 1; 53 } 54} 55 56int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 57{ 58 return 0; 59} 60 61/** 62 * cap_capable - Determine whether a task has a particular effective capability 63 * @cred: The credentials to use 64 * @ns: The user namespace in which we need the capability 65 * @cap: The capability to check for 66 * @audit: Whether to write an audit message or not 67 * 68 * Determine whether the nominated task has the specified capability amongst 69 * its effective set, returning 0 if it does, -ve if it does not. 70 * 71 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() 72 * and has_capability() functions. That is, it has the reverse semantics: 73 * cap_has_capability() returns 0 when a task has a capability, but the 74 * kernel's capable() and has_capability() returns 1 for this case. 75 */ 76int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, 77 int cap, int audit) 78{ 79 struct user_namespace *ns = targ_ns; 80 81 /* See if cred has the capability in the target user namespace 82 * by examining the target user namespace and all of the target 83 * user namespace's parents. 84 */ 85 for (;;) { 86 /* Do we have the necessary capabilities? */ 87 if (ns == cred->user_ns) 88 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 89 90 /* Have we tried all of the parent namespaces? */ 91 if (ns == &init_user_ns) 92 return -EPERM; 93 94 /* 95 * The owner of the user namespace in the parent of the 96 * user namespace has all caps. 97 */ 98 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid)) 99 return 0; 100 101 /* 102 * If you have a capability in a parent user ns, then you have 103 * it over all children user namespaces as well. 104 */ 105 ns = ns->parent; 106 } 107 108 /* We never get here */ 109} 110 111/** 112 * cap_settime - Determine whether the current process may set the system clock 113 * @ts: The time to set 114 * @tz: The timezone to set 115 * 116 * Determine whether the current process may set the system clock and timezone 117 * information, returning 0 if permission granted, -ve if denied. 118 */ 119int cap_settime(const struct timespec *ts, const struct timezone *tz) 120{ 121 if (!capable(CAP_SYS_TIME)) 122 return -EPERM; 123 return 0; 124} 125 126/** 127 * cap_ptrace_access_check - Determine whether the current process may access 128 * another 129 * @child: The process to be accessed 130 * @mode: The mode of attachment. 131 * 132 * If we are in the same or an ancestor user_ns and have all the target 133 * task's capabilities, then ptrace access is allowed. 134 * If we have the ptrace capability to the target user_ns, then ptrace 135 * access is allowed. 136 * Else denied. 137 * 138 * Determine whether a process may access another, returning 0 if permission 139 * granted, -ve if denied. 140 */ 141int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) 142{ 143 int ret = 0; 144 const struct cred *cred, *child_cred; 145 const kernel_cap_t *caller_caps; 146 147 rcu_read_lock(); 148 cred = current_cred(); 149 child_cred = __task_cred(child); 150 if (mode & PTRACE_MODE_FSCREDS) 151 caller_caps = &cred->cap_effective; 152 else 153 caller_caps = &cred->cap_permitted; 154 if (cred->user_ns == child_cred->user_ns && 155 cap_issubset(child_cred->cap_permitted, *caller_caps)) 156 goto out; 157 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) 158 goto out; 159 ret = -EPERM; 160out: 161 rcu_read_unlock(); 162 return ret; 163} 164 165/** 166 * cap_ptrace_traceme - Determine whether another process may trace the current 167 * @parent: The task proposed to be the tracer 168 * 169 * If parent is in the same or an ancestor user_ns and has all current's 170 * capabilities, then ptrace access is allowed. 171 * If parent has the ptrace capability to current's user_ns, then ptrace 172 * access is allowed. 173 * Else denied. 174 * 175 * Determine whether the nominated task is permitted to trace the current 176 * process, returning 0 if permission is granted, -ve if denied. 177 */ 178int cap_ptrace_traceme(struct task_struct *parent) 179{ 180 int ret = 0; 181 const struct cred *cred, *child_cred; 182 183 rcu_read_lock(); 184 cred = __task_cred(parent); 185 child_cred = current_cred(); 186 if (cred->user_ns == child_cred->user_ns && 187 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 188 goto out; 189 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) 190 goto out; 191 ret = -EPERM; 192out: 193 rcu_read_unlock(); 194 return ret; 195} 196 197/** 198 * cap_capget - Retrieve a task's capability sets 199 * @target: The task from which to retrieve the capability sets 200 * @effective: The place to record the effective set 201 * @inheritable: The place to record the inheritable set 202 * @permitted: The place to record the permitted set 203 * 204 * This function retrieves the capabilities of the nominated task and returns 205 * them to the caller. 206 */ 207int cap_capget(struct task_struct *target, kernel_cap_t *effective, 208 kernel_cap_t *inheritable, kernel_cap_t *permitted) 209{ 210 const struct cred *cred; 211 212 /* Derived from kernel/capability.c:sys_capget. */ 213 rcu_read_lock(); 214 cred = __task_cred(target); 215 *effective = cred->cap_effective; 216 *inheritable = cred->cap_inheritable; 217 *permitted = cred->cap_permitted; 218 rcu_read_unlock(); 219 return 0; 220} 221 222/* 223 * Determine whether the inheritable capabilities are limited to the old 224 * permitted set. Returns 1 if they are limited, 0 if they are not. 225 */ 226static inline int cap_inh_is_capped(void) 227{ 228 229 /* they are so limited unless the current task has the CAP_SETPCAP 230 * capability 231 */ 232 if (cap_capable(current_cred(), current_cred()->user_ns, 233 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) 234 return 0; 235 return 1; 236} 237 238/** 239 * cap_capset - Validate and apply proposed changes to current's capabilities 240 * @new: The proposed new credentials; alterations should be made here 241 * @old: The current task's current credentials 242 * @effective: A pointer to the proposed new effective capabilities set 243 * @inheritable: A pointer to the proposed new inheritable capabilities set 244 * @permitted: A pointer to the proposed new permitted capabilities set 245 * 246 * This function validates and applies a proposed mass change to the current 247 * process's capability sets. The changes are made to the proposed new 248 * credentials, and assuming no error, will be committed by the caller of LSM. 249 */ 250int cap_capset(struct cred *new, 251 const struct cred *old, 252 const kernel_cap_t *effective, 253 const kernel_cap_t *inheritable, 254 const kernel_cap_t *permitted) 255{ 256 if (cap_inh_is_capped() && 257 !cap_issubset(*inheritable, 258 cap_combine(old->cap_inheritable, 259 old->cap_permitted))) 260 /* incapable of using this inheritable set */ 261 return -EPERM; 262 263 if (!cap_issubset(*inheritable, 264 cap_combine(old->cap_inheritable, 265 old->cap_bset))) 266 /* no new pI capabilities outside bounding set */ 267 return -EPERM; 268 269 /* verify restrictions on target's new Permitted set */ 270 if (!cap_issubset(*permitted, old->cap_permitted)) 271 return -EPERM; 272 273 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 274 if (!cap_issubset(*effective, *permitted)) 275 return -EPERM; 276 277 new->cap_effective = *effective; 278 new->cap_inheritable = *inheritable; 279 new->cap_permitted = *permitted; 280 return 0; 281} 282 283/* 284 * Clear proposed capability sets for execve(). 285 */ 286static inline void bprm_clear_caps(struct linux_binprm *bprm) 287{ 288 cap_clear(bprm->cred->cap_permitted); 289 bprm->cap_effective = false; 290} 291 292/** 293 * cap_inode_need_killpriv - Determine if inode change affects privileges 294 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 295 * 296 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV 297 * affects the security markings on that inode, and if it is, should 298 * inode_killpriv() be invoked or the change rejected? 299 * 300 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and 301 * -ve to deny the change. 302 */ 303int cap_inode_need_killpriv(struct dentry *dentry) 304{ 305 struct inode *inode = d_backing_inode(dentry); 306 int error; 307 308 if (!inode->i_op->getxattr) 309 return 0; 310 311 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 312 if (error <= 0) 313 return 0; 314 return 1; 315} 316 317/** 318 * cap_inode_killpriv - Erase the security markings on an inode 319 * @dentry: The inode/dentry to alter 320 * 321 * Erase the privilege-enhancing security markings on an inode. 322 * 323 * Returns 0 if successful, -ve on error. 324 */ 325int cap_inode_killpriv(struct dentry *dentry) 326{ 327 struct inode *inode = d_backing_inode(dentry); 328 329 if (!inode->i_op->removexattr) 330 return 0; 331 332 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 333} 334 335/* 336 * Calculate the new process capability sets from the capability sets attached 337 * to a file. 338 */ 339static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 340 struct linux_binprm *bprm, 341 bool *effective, 342 bool *has_cap) 343{ 344 struct cred *new = bprm->cred; 345 unsigned i; 346 int ret = 0; 347 348 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 349 *effective = true; 350 351 if (caps->magic_etc & VFS_CAP_REVISION_MASK) 352 *has_cap = true; 353 354 CAP_FOR_EACH_U32(i) { 355 __u32 permitted = caps->permitted.cap[i]; 356 __u32 inheritable = caps->inheritable.cap[i]; 357 358 /* 359 * pP' = (X & fP) | (pI & fI) 360 */ 361 new->cap_permitted.cap[i] = 362 (new->cap_bset.cap[i] & permitted) | 363 (new->cap_inheritable.cap[i] & inheritable); 364 365 if (permitted & ~new->cap_permitted.cap[i]) 366 /* insufficient to execute correctly */ 367 ret = -EPERM; 368 } 369 370 /* 371 * For legacy apps, with no internal support for recognizing they 372 * do not have enough capabilities, we return an error if they are 373 * missing some "forced" (aka file-permitted) capabilities. 374 */ 375 return *effective ? ret : 0; 376} 377 378/* 379 * Extract the on-exec-apply capability sets for an executable file. 380 */ 381int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 382{ 383 struct inode *inode = d_backing_inode(dentry); 384 __u32 magic_etc; 385 unsigned tocopy, i; 386 int size; 387 struct vfs_cap_data caps; 388 389 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 390 391 if (!inode || !inode->i_op->getxattr) 392 return -ENODATA; 393 394 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, 395 XATTR_CAPS_SZ); 396 if (size == -ENODATA || size == -EOPNOTSUPP) 397 /* no data, that's ok */ 398 return -ENODATA; 399 if (size < 0) 400 return size; 401 402 if (size < sizeof(magic_etc)) 403 return -EINVAL; 404 405 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc); 406 407 switch (magic_etc & VFS_CAP_REVISION_MASK) { 408 case VFS_CAP_REVISION_1: 409 if (size != XATTR_CAPS_SZ_1) 410 return -EINVAL; 411 tocopy = VFS_CAP_U32_1; 412 break; 413 case VFS_CAP_REVISION_2: 414 if (size != XATTR_CAPS_SZ_2) 415 return -EINVAL; 416 tocopy = VFS_CAP_U32_2; 417 break; 418 default: 419 return -EINVAL; 420 } 421 422 CAP_FOR_EACH_U32(i) { 423 if (i >= tocopy) 424 break; 425 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted); 426 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); 427 } 428 429 cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; 430 cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; 431 432 return 0; 433} 434 435/* 436 * Attempt to get the on-exec apply capability sets for an executable file from 437 * its xattrs and, if present, apply them to the proposed credentials being 438 * constructed by execve(). 439 */ 440static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap) 441{ 442 int rc = 0; 443 struct cpu_vfs_cap_data vcaps; 444 445 bprm_clear_caps(bprm); 446 447 if (!file_caps_enabled) 448 return 0; 449 450 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 451 return 0; 452 453 rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps); 454 if (rc < 0) { 455 if (rc == -EINVAL) 456 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n", 457 __func__, rc, bprm->filename); 458 else if (rc == -ENODATA) 459 rc = 0; 460 goto out; 461 } 462 463 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap); 464 if (rc == -EINVAL) 465 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 466 __func__, rc, bprm->filename); 467 468out: 469 if (rc) 470 bprm_clear_caps(bprm); 471 472 return rc; 473} 474 475/** 476 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 477 * @bprm: The execution parameters, including the proposed creds 478 * 479 * Set up the proposed credentials for a new execution context being 480 * constructed by execve(). The proposed creds in @bprm->cred is altered, 481 * which won't take effect immediately. Returns 0 if successful, -ve on error. 482 */ 483int cap_bprm_set_creds(struct linux_binprm *bprm) 484{ 485 const struct cred *old = current_cred(); 486 struct cred *new = bprm->cred; 487 bool effective, has_cap = false; 488 int ret; 489 kuid_t root_uid; 490 491 effective = false; 492 ret = get_file_caps(bprm, &effective, &has_cap); 493 if (ret < 0) 494 return ret; 495 496 root_uid = make_kuid(new->user_ns, 0); 497 498 if (!issecure(SECURE_NOROOT)) { 499 /* 500 * If the legacy file capability is set, then don't set privs 501 * for a setuid root binary run by a non-root user. Do set it 502 * for a root user just to cause least surprise to an admin. 503 */ 504 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) { 505 warn_setuid_and_fcaps_mixed(bprm->filename); 506 goto skip; 507 } 508 /* 509 * To support inheritance of root-permissions and suid-root 510 * executables under compatibility mode, we override the 511 * capability sets for the file. 512 * 513 * If only the real uid is 0, we do not set the effective bit. 514 */ 515 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) { 516 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 517 new->cap_permitted = cap_combine(old->cap_bset, 518 old->cap_inheritable); 519 } 520 if (uid_eq(new->euid, root_uid)) 521 effective = true; 522 } 523skip: 524 525 /* if we have fs caps, clear dangerous personality flags */ 526 if (!cap_issubset(new->cap_permitted, old->cap_permitted)) 527 bprm->per_clear |= PER_CLEAR_ON_SETID; 528 529 530 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 531 * credentials unless they have the appropriate permit. 532 * 533 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. 534 */ 535 if ((!uid_eq(new->euid, old->uid) || 536 !gid_eq(new->egid, old->gid) || 537 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 538 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 539 /* downgrade; they get no more than they had, and maybe less */ 540 if (!capable(CAP_SETUID) || 541 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { 542 new->euid = new->uid; 543 new->egid = new->gid; 544 } 545 new->cap_permitted = cap_intersect(new->cap_permitted, 546 old->cap_permitted); 547 } 548 549 new->suid = new->fsuid = new->euid; 550 new->sgid = new->fsgid = new->egid; 551 552 if (effective) 553 new->cap_effective = new->cap_permitted; 554 else 555 cap_clear(new->cap_effective); 556 bprm->cap_effective = effective; 557 558 /* 559 * Audit candidate if current->cap_effective is set 560 * 561 * We do not bother to audit if 3 things are true: 562 * 1) cap_effective has all caps 563 * 2) we are root 564 * 3) root is supposed to have all caps (SECURE_NOROOT) 565 * Since this is just a normal root execing a process. 566 * 567 * Number 1 above might fail if you don't have a full bset, but I think 568 * that is interesting information to audit. 569 */ 570 if (!cap_isclear(new->cap_effective)) { 571 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 572 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) || 573 issecure(SECURE_NOROOT)) { 574 ret = audit_log_bprm_fcaps(bprm, new, old); 575 if (ret < 0) 576 return ret; 577 } 578 } 579 580 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 581 return 0; 582} 583 584/** 585 * cap_bprm_secureexec - Determine whether a secure execution is required 586 * @bprm: The execution parameters 587 * 588 * Determine whether a secure execution is required, return 1 if it is, and 0 589 * if it is not. 590 * 591 * The credentials have been committed by this point, and so are no longer 592 * available through @bprm->cred. 593 */ 594int cap_bprm_secureexec(struct linux_binprm *bprm) 595{ 596 const struct cred *cred = current_cred(); 597 kuid_t root_uid = make_kuid(cred->user_ns, 0); 598 599 if (!uid_eq(cred->uid, root_uid)) { 600 if (bprm->cap_effective) 601 return 1; 602 if (!cap_isclear(cred->cap_permitted)) 603 return 1; 604 } 605 606 return (!uid_eq(cred->euid, cred->uid) || 607 !gid_eq(cred->egid, cred->gid)); 608} 609 610/** 611 * cap_inode_setxattr - Determine whether an xattr may be altered 612 * @dentry: The inode/dentry being altered 613 * @name: The name of the xattr to be changed 614 * @value: The value that the xattr will be changed to 615 * @size: The size of value 616 * @flags: The replacement flag 617 * 618 * Determine whether an xattr may be altered or set on an inode, returning 0 if 619 * permission is granted, -ve if denied. 620 * 621 * This is used to make sure security xattrs don't get updated or set by those 622 * who aren't privileged to do so. 623 */ 624int cap_inode_setxattr(struct dentry *dentry, const char *name, 625 const void *value, size_t size, int flags) 626{ 627 if (!strcmp(name, XATTR_NAME_CAPS)) { 628 if (!capable(CAP_SETFCAP)) 629 return -EPERM; 630 return 0; 631 } 632 633 if (!strncmp(name, XATTR_SECURITY_PREFIX, 634 sizeof(XATTR_SECURITY_PREFIX) - 1) && 635 !capable(CAP_SYS_ADMIN)) 636 return -EPERM; 637 return 0; 638} 639 640/** 641 * cap_inode_removexattr - Determine whether an xattr may be removed 642 * @dentry: The inode/dentry being altered 643 * @name: The name of the xattr to be changed 644 * 645 * Determine whether an xattr may be removed from an inode, returning 0 if 646 * permission is granted, -ve if denied. 647 * 648 * This is used to make sure security xattrs don't get removed by those who 649 * aren't privileged to remove them. 650 */ 651int cap_inode_removexattr(struct dentry *dentry, const char *name) 652{ 653 if (!strcmp(name, XATTR_NAME_CAPS)) { 654 if (!capable(CAP_SETFCAP)) 655 return -EPERM; 656 return 0; 657 } 658 659 if (!strncmp(name, XATTR_SECURITY_PREFIX, 660 sizeof(XATTR_SECURITY_PREFIX) - 1) && 661 !capable(CAP_SYS_ADMIN)) 662 return -EPERM; 663 return 0; 664} 665 666/* 667 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 668 * a process after a call to setuid, setreuid, or setresuid. 669 * 670 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 671 * {r,e,s}uid != 0, the permitted and effective capabilities are 672 * cleared. 673 * 674 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 675 * capabilities of the process are cleared. 676 * 677 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 678 * capabilities are set to the permitted capabilities. 679 * 680 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 681 * never happen. 682 * 683 * -astor 684 * 685 * cevans - New behaviour, Oct '99 686 * A process may, via prctl(), elect to keep its capabilities when it 687 * calls setuid() and switches away from uid==0. Both permitted and 688 * effective sets will be retained. 689 * Without this change, it was impossible for a daemon to drop only some 690 * of its privilege. The call to setuid(!=0) would drop all privileges! 691 * Keeping uid 0 is not an option because uid 0 owns too many vital 692 * files.. 693 * Thanks to Olaf Kirch and Peter Benie for spotting this. 694 */ 695static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 696{ 697 kuid_t root_uid = make_kuid(old->user_ns, 0); 698 699 if ((uid_eq(old->uid, root_uid) || 700 uid_eq(old->euid, root_uid) || 701 uid_eq(old->suid, root_uid)) && 702 (!uid_eq(new->uid, root_uid) && 703 !uid_eq(new->euid, root_uid) && 704 !uid_eq(new->suid, root_uid)) && 705 !issecure(SECURE_KEEP_CAPS)) { 706 cap_clear(new->cap_permitted); 707 cap_clear(new->cap_effective); 708 } 709 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) 710 cap_clear(new->cap_effective); 711 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) 712 new->cap_effective = new->cap_permitted; 713} 714 715/** 716 * cap_task_fix_setuid - Fix up the results of setuid() call 717 * @new: The proposed credentials 718 * @old: The current task's current credentials 719 * @flags: Indications of what has changed 720 * 721 * Fix up the results of setuid() call before the credential changes are 722 * actually applied, returning 0 to grant the changes, -ve to deny them. 723 */ 724int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 725{ 726 switch (flags) { 727 case LSM_SETID_RE: 728 case LSM_SETID_ID: 729 case LSM_SETID_RES: 730 /* juggle the capabilities to follow [RES]UID changes unless 731 * otherwise suppressed */ 732 if (!issecure(SECURE_NO_SETUID_FIXUP)) 733 cap_emulate_setxuid(new, old); 734 break; 735 736 case LSM_SETID_FS: 737 /* juggle the capabilties to follow FSUID changes, unless 738 * otherwise suppressed 739 * 740 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 741 * if not, we might be a bit too harsh here. 742 */ 743 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 744 kuid_t root_uid = make_kuid(old->user_ns, 0); 745 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) 746 new->cap_effective = 747 cap_drop_fs_set(new->cap_effective); 748 749 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) 750 new->cap_effective = 751 cap_raise_fs_set(new->cap_effective, 752 new->cap_permitted); 753 } 754 break; 755 756 default: 757 return -EINVAL; 758 } 759 760 return 0; 761} 762 763/* 764 * Rationale: code calling task_setscheduler, task_setioprio, and 765 * task_setnice, assumes that 766 * . if capable(cap_sys_nice), then those actions should be allowed 767 * . if not capable(cap_sys_nice), but acting on your own processes, 768 * then those actions should be allowed 769 * This is insufficient now since you can call code without suid, but 770 * yet with increased caps. 771 * So we check for increased caps on the target process. 772 */ 773static int cap_safe_nice(struct task_struct *p) 774{ 775 int is_subset, ret = 0; 776 777 rcu_read_lock(); 778 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 779 current_cred()->cap_permitted); 780 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) 781 ret = -EPERM; 782 rcu_read_unlock(); 783 784 return ret; 785} 786 787/** 788 * cap_task_setscheduler - Detemine if scheduler policy change is permitted 789 * @p: The task to affect 790 * 791 * Detemine if the requested scheduler policy change is permitted for the 792 * specified task, returning 0 if permission is granted, -ve if denied. 793 */ 794int cap_task_setscheduler(struct task_struct *p) 795{ 796 return cap_safe_nice(p); 797} 798 799/** 800 * cap_task_ioprio - Detemine if I/O priority change is permitted 801 * @p: The task to affect 802 * @ioprio: The I/O priority to set 803 * 804 * Detemine if the requested I/O priority change is permitted for the specified 805 * task, returning 0 if permission is granted, -ve if denied. 806 */ 807int cap_task_setioprio(struct task_struct *p, int ioprio) 808{ 809 return cap_safe_nice(p); 810} 811 812/** 813 * cap_task_ioprio - Detemine if task priority change is permitted 814 * @p: The task to affect 815 * @nice: The nice value to set 816 * 817 * Detemine if the requested task priority change is permitted for the 818 * specified task, returning 0 if permission is granted, -ve if denied. 819 */ 820int cap_task_setnice(struct task_struct *p, int nice) 821{ 822 return cap_safe_nice(p); 823} 824 825/* 826 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from 827 * the current task's bounding set. Returns 0 on success, -ve on error. 828 */ 829static int cap_prctl_drop(unsigned long cap) 830{ 831 struct cred *new; 832 833 if (!ns_capable(current_user_ns(), CAP_SETPCAP)) 834 return -EPERM; 835 if (!cap_valid(cap)) 836 return -EINVAL; 837 838 new = prepare_creds(); 839 if (!new) 840 return -ENOMEM; 841 cap_lower(new->cap_bset, cap); 842 return commit_creds(new); 843} 844 845/** 846 * cap_task_prctl - Implement process control functions for this security module 847 * @option: The process control function requested 848 * @arg2, @arg3, @arg4, @arg5: The argument data for this function 849 * 850 * Allow process control functions (sys_prctl()) to alter capabilities; may 851 * also deny access to other functions not otherwise implemented here. 852 * 853 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented 854 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM 855 * modules will consider performing the function. 856 */ 857int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 858 unsigned long arg4, unsigned long arg5) 859{ 860 const struct cred *old = current_cred(); 861 struct cred *new; 862 863 switch (option) { 864 case PR_CAPBSET_READ: 865 if (!cap_valid(arg2)) 866 return -EINVAL; 867 return !!cap_raised(old->cap_bset, arg2); 868 869 case PR_CAPBSET_DROP: 870 return cap_prctl_drop(arg2); 871 872 /* 873 * The next four prctl's remain to assist with transitioning a 874 * system from legacy UID=0 based privilege (when filesystem 875 * capabilities are not in use) to a system using filesystem 876 * capabilities only - as the POSIX.1e draft intended. 877 * 878 * Note: 879 * 880 * PR_SET_SECUREBITS = 881 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 882 * | issecure_mask(SECURE_NOROOT) 883 * | issecure_mask(SECURE_NOROOT_LOCKED) 884 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 885 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 886 * 887 * will ensure that the current process and all of its 888 * children will be locked into a pure 889 * capability-based-privilege environment. 890 */ 891 case PR_SET_SECUREBITS: 892 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1) 893 & (old->securebits ^ arg2)) /*[1]*/ 894 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 895 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 896 || (cap_capable(current_cred(), 897 current_cred()->user_ns, CAP_SETPCAP, 898 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 899 /* 900 * [1] no changing of bits that are locked 901 * [2] no unlocking of locks 902 * [3] no setting of unsupported bits 903 * [4] doing anything requires privilege (go read about 904 * the "sendmail capabilities bug") 905 */ 906 ) 907 /* cannot change a locked bit */ 908 return -EPERM; 909 910 new = prepare_creds(); 911 if (!new) 912 return -ENOMEM; 913 new->securebits = arg2; 914 return commit_creds(new); 915 916 case PR_GET_SECUREBITS: 917 return old->securebits; 918 919 case PR_GET_KEEPCAPS: 920 return !!issecure(SECURE_KEEP_CAPS); 921 922 case PR_SET_KEEPCAPS: 923 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 924 return -EINVAL; 925 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 926 return -EPERM; 927 928 new = prepare_creds(); 929 if (!new) 930 return -ENOMEM; 931 if (arg2) 932 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 933 else 934 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 935 return commit_creds(new); 936 937 default: 938 /* No functionality available - continue with default */ 939 return -ENOSYS; 940 } 941} 942 943/** 944 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 945 * @mm: The VM space in which the new mapping is to be made 946 * @pages: The size of the mapping 947 * 948 * Determine whether the allocation of a new virtual mapping by the current 949 * task is permitted, returning 0 if permission is granted, -ve if not. 950 */ 951int cap_vm_enough_memory(struct mm_struct *mm, long pages) 952{ 953 int cap_sys_admin = 0; 954 955 if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN, 956 SECURITY_CAP_NOAUDIT) == 0) 957 cap_sys_admin = 1; 958 return __vm_enough_memory(mm, pages, cap_sys_admin); 959} 960 961/* 962 * cap_mmap_addr - check if able to map given addr 963 * @addr: address attempting to be mapped 964 * 965 * If the process is attempting to map memory below dac_mmap_min_addr they need 966 * CAP_SYS_RAWIO. The other parameters to this function are unused by the 967 * capability security module. Returns 0 if this mapping should be allowed 968 * -EPERM if not. 969 */ 970int cap_mmap_addr(unsigned long addr) 971{ 972 int ret = 0; 973 974 if (addr < dac_mmap_min_addr) { 975 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO, 976 SECURITY_CAP_AUDIT); 977 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 978 if (ret == 0) 979 current->flags |= PF_SUPERPRIV; 980 } 981 return ret; 982} 983 984int cap_mmap_file(struct file *file, unsigned long reqprot, 985 unsigned long prot, unsigned long flags) 986{ 987 return 0; 988} 989