[mirror_ubuntu-kernels.git] / include / linux / capability.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * This is <linux/capability.h>
 *
 * Andrew G. Morgan <morgan@kernel.org>
 * Alexander Kjeldaas <astor@guardian.no>
 * with help from Aleph1, Roland Buresund and Andrew Main.
 *
 * See here for the libcap library ("POSIX draft" compliance):
 *
 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
 */
#ifndef _LINUX_CAPABILITY_H
#define _LINUX_CAPABILITY_H

#include <uapi/linux/capability.h>
#include <linux/uidgid.h>

#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
#define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3

extern int file_caps_enabled;

typedef struct kernel_cap_struct {
	__u32 cap[_KERNEL_CAPABILITY_U32S];
} kernel_cap_t;

/* same as vfs_ns_cap_data but in cpu endian and always filled completely */
struct cpu_vfs_cap_data {
	__u32 magic_etc;
	kernel_cap_t permitted;
	kernel_cap_t inheritable;
	kuid_t rootid;
};

#define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))
#define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))


struct file;
struct inode;
struct dentry;
struct task_struct;
struct user_namespace;

extern const kernel_cap_t __cap_empty_set;
extern const kernel_cap_t __cap_init_eff_set;

/*
 * Internal kernel functions only
 */

#define CAP_FOR_EACH_U32(__capi)  \
	for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)

/*
 * CAP_FS_MASK and CAP_NFSD_MASKS:
 *
 * The fs mask is all the privileges that fsuid==0 historically meant.
 * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
 *
 * It has never meant setting security.* and trusted.* xattrs.
 *
 * We could also define fsmask as follows:
 *   1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
 *   2. The security.* and trusted.* xattrs are fs-related MAC permissions
 */

# define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)		\
			    | CAP_TO_MASK(CAP_MKNOD)		\
			    | CAP_TO_MASK(CAP_DAC_OVERRIDE)	\
			    | CAP_TO_MASK(CAP_DAC_READ_SEARCH)	\
			    | CAP_TO_MASK(CAP_FOWNER)		\
			    | CAP_TO_MASK(CAP_FSETID))

# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))

#if _KERNEL_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
#else /* HAND-CODED capability initializers */

#define CAP_LAST_U32			((_KERNEL_CAPABILITY_U32S) - 1)
#define CAP_LAST_U32_VALID_MASK		(CAP_TO_MASK(CAP_LAST_CAP + 1) -1)

# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
				    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
				    CAP_FS_MASK_B1 } })
# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
				    | CAP_TO_MASK(CAP_SYS_RESOURCE), \
				    CAP_FS_MASK_B1 } })

#endif /* _KERNEL_CAPABILITY_U32S != 2 */

# define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)

#define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
#define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))

#define CAP_BOP_ALL(c, a, b, OP)                                    \
do {                                                                \
	unsigned __capi;                                            \
	CAP_FOR_EACH_U32(__capi) {                                  \
		c.cap[__capi] = a.cap[__capi] OP b.cap[__capi];     \
	}                                                           \
} while (0)

#define CAP_UOP_ALL(c, a, OP)                                       \
do {                                                                \
	unsigned __capi;                                            \
	CAP_FOR_EACH_U32(__capi) {                                  \
		c.cap[__capi] = OP a.cap[__capi];                   \
	}                                                           \
} while (0)

static inline kernel_cap_t cap_combine(const kernel_cap_t a,
				       const kernel_cap_t b)
{
	kernel_cap_t dest;
	CAP_BOP_ALL(dest, a, b, |);
	return dest;
}

static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
					 const kernel_cap_t b)
{
	kernel_cap_t dest;
	CAP_BOP_ALL(dest, a, b, &);
	return dest;
}

static inline kernel_cap_t cap_drop(const kernel_cap_t a,
				    const kernel_cap_t drop)
{
	kernel_cap_t dest;
	CAP_BOP_ALL(dest, a, drop, &~);
	return dest;
}

static inline kernel_cap_t cap_invert(const kernel_cap_t c)
{
	kernel_cap_t dest;
	CAP_UOP_ALL(dest, c, ~);
	return dest;
}

static inline bool cap_isclear(const kernel_cap_t a)
{
	unsigned __capi;
	CAP_FOR_EACH_U32(__capi) {
		if (a.cap[__capi] != 0)
			return false;
	}
	return true;
}

/*
 * Check if "a" is a subset of "set".
 * return true if ALL of the capabilities in "a" are also in "set"
 *	cap_issubset(0101, 1111) will return true
 * return false if ANY of the capabilities in "a" are not in "set"
 *	cap_issubset(1111, 0101) will return false
 */
static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
{
	kernel_cap_t dest;
	dest = cap_drop(a, set);
	return cap_isclear(dest);
}

/* Used to decide between falling back on the old suser() or fsuser(). */

static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
{
	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
	return cap_drop(a, __cap_fs_set);
}

static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
					    const kernel_cap_t permitted)
{
	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
	return cap_combine(a,
			   cap_intersect(permitted, __cap_fs_set));
}

static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
{
	const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
	return cap_drop(a, __cap_fs_set);
}

static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
					      const kernel_cap_t permitted)
{
	const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
	return cap_combine(a,
			   cap_intersect(permitted, __cap_nfsd_set));
}

#ifdef CONFIG_MULTIUSER
extern bool has_capability(struct task_struct *t, int cap);
extern bool has_ns_capability(struct task_struct *t,
			      struct user_namespace *ns, int cap);
extern bool has_capability_noaudit(struct task_struct *t, int cap);
extern bool has_ns_capability_noaudit(struct task_struct *t,
				      struct user_namespace *ns, int cap);
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
extern bool ns_capable_setid(struct user_namespace *ns, int cap);
#else
static inline bool has_capability(struct task_struct *t, int cap)
{
	return true;
}
static inline bool has_ns_capability(struct task_struct *t,
			      struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool has_capability_noaudit(struct task_struct *t, int cap)
{
	return true;
}
static inline bool has_ns_capability_noaudit(struct task_struct *t,
				      struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool capable(int cap)
{
	return true;
}
static inline bool ns_capable(struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
{
	return true;
}
static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
{
	return true;
}
#endif /* CONFIG_MULTIUSER */
bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
				 struct user_namespace *mnt_userns,
				 const struct inode *inode);
bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
			      const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
static inline bool perfmon_capable(void)
{
	return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
}

static inline bool bpf_capable(void)
{
	return capable(CAP_BPF) || capable(CAP_SYS_ADMIN);
}

static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
{
	return ns_capable(ns, CAP_CHECKPOINT_RESTORE) ||
		ns_capable(ns, CAP_SYS_ADMIN);
}

/* audit system wants to get cap info from files as well */
int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
			   const struct dentry *dentry,
			   struct cpu_vfs_cap_data *cpu_caps);

int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
		      const void **ivalue, size_t size);

#endif /* !_LINUX_CAPABILITY_H */
Commit	Line	Data
	1	/* SPDX-License-Identifier: GPL-2.0 */
	2	/*
	3	* This is <linux/capability.h>
	4	*
	5	* Andrew G. Morgan <morgan@kernel.org>
	6	* Alexander Kjeldaas <astor@guardian.no>
	7	* with help from Aleph1, Roland Buresund and Andrew Main.
	8	*
	9	* See here for the libcap library ("POSIX draft" compliance):
	10	*
	11	* ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
	12	*/
	13	#ifndef _LINUX_CAPABILITY_H
	14	#define _LINUX_CAPABILITY_H
	15
	16	#include <uapi/linux/capability.h>
	17	#include <linux/uidgid.h>
	18
	19	#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
	20	#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
	21
	22	extern int file_caps_enabled;
	23
	24	typedef struct kernel_cap_struct {
	25	__u32 cap[_KERNEL_CAPABILITY_U32S];
	26	} kernel_cap_t;
	27
	28	/* same as vfs_ns_cap_data but in cpu endian and always filled completely */
	29	struct cpu_vfs_cap_data {
	30	__u32 magic_etc;
	31	kernel_cap_t permitted;
	32	kernel_cap_t inheritable;
	33	kuid_t rootid;
	34	};
	35
	36	#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
	37	#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
	38
	39
	40	struct file;
	41	struct inode;
	42	struct dentry;
	43	struct task_struct;
	44	struct user_namespace;
	45
	46	extern const kernel_cap_t __cap_empty_set;
	47	extern const kernel_cap_t __cap_init_eff_set;
	48
	49	/*
	50	* Internal kernel functions only
	51	*/
	52
	53	#define CAP_FOR_EACH_U32(__capi) \
	54	for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
	55
	56	/*
	57	* CAP_FS_MASK and CAP_NFSD_MASKS:
	58	*
	59	* The fs mask is all the privileges that fsuid==0 historically meant.
	60	* At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
	61	*
	62	* It has never meant setting security.* and trusted.* xattrs.
	63	*
	64	* We could also define fsmask as follows:
	65	* 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
	66	* 2. The security.* and trusted.* xattrs are fs-related MAC permissions
	67	*/
	68
	69	# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
	70	\| CAP_TO_MASK(CAP_MKNOD) \
	71	\| CAP_TO_MASK(CAP_DAC_OVERRIDE) \
	72	\| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
	73	\| CAP_TO_MASK(CAP_FOWNER) \
	74	\| CAP_TO_MASK(CAP_FSETID))
	75
	76	# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
	77
	78	#if _KERNEL_CAPABILITY_U32S != 2
	79	# error Fix up hand-coded capability macro initializers
	80	#else /* HAND-CODED capability initializers */
	81
	82	#define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1)
	83	#define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
	84
	85	# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
	86	# define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
	87	# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
	88	\| CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
	89	CAP_FS_MASK_B1 } })
	90	# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
	91	\| CAP_TO_MASK(CAP_SYS_RESOURCE), \
	92	CAP_FS_MASK_B1 } })
	93
	94	#endif /* _KERNEL_CAPABILITY_U32S != 2 */
	95
	96	# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
	97
	98	#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] \|= CAP_TO_MASK(flag))
	99	#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
	100	#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
	101
	102	#define CAP_BOP_ALL(c, a, b, OP) \
	103	do { \
	104	unsigned __capi; \
	105	CAP_FOR_EACH_U32(__capi) { \
	106	c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
	107	} \
	108	} while (0)
	109
	110	#define CAP_UOP_ALL(c, a, OP) \
	111	do { \
	112	unsigned __capi; \
	113	CAP_FOR_EACH_U32(__capi) { \
	114	c.cap[__capi] = OP a.cap[__capi]; \
	115	} \
	116	} while (0)
	117
	118	static inline kernel_cap_t cap_combine(const kernel_cap_t a,
	119	const kernel_cap_t b)
	120	{
	121	kernel_cap_t dest;
	122	CAP_BOP_ALL(dest, a, b, \|);
	123	return dest;
	124	}
	125
	126	static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
	127	const kernel_cap_t b)
	128	{
	129	kernel_cap_t dest;
	130	CAP_BOP_ALL(dest, a, b, &);
	131	return dest;
	132	}
	133
	134	static inline kernel_cap_t cap_drop(const kernel_cap_t a,
	135	const kernel_cap_t drop)
	136	{
	137	kernel_cap_t dest;
	138	CAP_BOP_ALL(dest, a, drop, &~);
	139	return dest;
	140	}
	141
	142	static inline kernel_cap_t cap_invert(const kernel_cap_t c)
	143	{
	144	kernel_cap_t dest;
	145	CAP_UOP_ALL(dest, c, ~);
	146	return dest;
	147	}
	148
	149	static inline bool cap_isclear(const kernel_cap_t a)
	150	{
	151	unsigned __capi;
	152	CAP_FOR_EACH_U32(__capi) {
	153	if (a.cap[__capi] != 0)
	154	return false;
	155	}
	156	return true;
	157	}
	158
	159	/*
	160	* Check if "a" is a subset of "set".
	161	* return true if ALL of the capabilities in "a" are also in "set"
	162	* cap_issubset(0101, 1111) will return true
	163	* return false if ANY of the capabilities in "a" are not in "set"
	164	* cap_issubset(1111, 0101) will return false
	165	*/
	166	static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
	167	{
	168	kernel_cap_t dest;
	169	dest = cap_drop(a, set);
	170	return cap_isclear(dest);
	171	}
	172
	173	/* Used to decide between falling back on the old suser() or fsuser(). */
	174
	175	static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
	176	{
	177	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
	178	return cap_drop(a, __cap_fs_set);
	179	}
	180
	181	static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
	182	const kernel_cap_t permitted)
	183	{
	184	const kernel_cap_t __cap_fs_set = CAP_FS_SET;
	185	return cap_combine(a,
	186	cap_intersect(permitted, __cap_fs_set));
	187	}
	188
	189	static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
	190	{
	191	const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
	192	return cap_drop(a, __cap_fs_set);
	193	}
	194
	195	static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
	196	const kernel_cap_t permitted)
	197	{
	198	const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
	199	return cap_combine(a,
	200	cap_intersect(permitted, __cap_nfsd_set));
	201	}
	202
	203	#ifdef CONFIG_MULTIUSER
	204	extern bool has_capability(struct task_struct *t, int cap);
	205	extern bool has_ns_capability(struct task_struct *t,
	206	struct user_namespace *ns, int cap);
	207	extern bool has_capability_noaudit(struct task_struct *t, int cap);
	208	extern bool has_ns_capability_noaudit(struct task_struct *t,
	209	struct user_namespace *ns, int cap);
	210	extern bool capable(int cap);
	211	extern bool ns_capable(struct user_namespace *ns, int cap);
	212	extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
	213	extern bool ns_capable_setid(struct user_namespace *ns, int cap);
	214	#else
	215	static inline bool has_capability(struct task_struct *t, int cap)
	216	{
	217	return true;
	218	}
	219	static inline bool has_ns_capability(struct task_struct *t,
	220	struct user_namespace *ns, int cap)
	221	{
	222	return true;
	223	}
	224	static inline bool has_capability_noaudit(struct task_struct *t, int cap)
	225	{
	226	return true;
	227	}
	228	static inline bool has_ns_capability_noaudit(struct task_struct *t,
	229	struct user_namespace *ns, int cap)
	230	{
	231	return true;
	232	}
	233	static inline bool capable(int cap)
	234	{
	235	return true;
	236	}
	237	static inline bool ns_capable(struct user_namespace *ns, int cap)
	238	{
	239	return true;
	240	}
	241	static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
	242	{
	243	return true;
	244	}
	245	static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
	246	{
	247	return true;
	248	}
	249	#endif /* CONFIG_MULTIUSER */
	250	bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
	251	struct user_namespace *mnt_userns,
	252	const struct inode *inode);
	253	bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
	254	const struct inode *inode, int cap);
	255	extern bool file_ns_capable(const struct file file, struct user_namespace ns, int cap);
	256	extern bool ptracer_capable(struct task_struct tsk, struct user_namespace ns);
	257	static inline bool perfmon_capable(void)
	258	{
	259	return capable(CAP_PERFMON) \|\| capable(CAP_SYS_ADMIN);
	260	}
	261
	262	static inline bool bpf_capable(void)
	263	{
	264	return capable(CAP_BPF) \|\| capable(CAP_SYS_ADMIN);
	265	}
	266
	267	static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
	268	{
	269	return ns_capable(ns, CAP_CHECKPOINT_RESTORE) \|\|
	270	ns_capable(ns, CAP_SYS_ADMIN);
	271	}
	272
	273	/* audit system wants to get cap info from files as well */
	274	int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
	275	const struct dentry *dentry,
	276	struct cpu_vfs_cap_data *cpu_caps);
	277
	278	int cap_convert_nscap(struct user_namespace mnt_userns, struct dentry dentry,
	279	const void **ivalue, size_t size);
	280
	281	#endif /* !_LINUX_CAPABILITY_H */