]>
Commit | Line | Data |
---|---|---|
1 | /* SPDX-License-Identifier: GPL-2.0 */ | |
2 | /* | |
3 | * This is <linux/capability.h> | |
4 | * | |
5 | * Andrew G. Morgan <morgan@kernel.org> | |
6 | * Alexander Kjeldaas <astor@guardian.no> | |
7 | * with help from Aleph1, Roland Buresund and Andrew Main. | |
8 | * | |
9 | * See here for the libcap library ("POSIX draft" compliance): | |
10 | * | |
11 | * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ | |
12 | */ | |
13 | #ifndef _LINUX_CAPABILITY_H | |
14 | #define _LINUX_CAPABILITY_H | |
15 | ||
16 | #include <uapi/linux/capability.h> | |
17 | #include <linux/uidgid.h> | |
18 | ||
19 | #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 | |
20 | #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 | |
21 | ||
22 | extern int file_caps_enabled; | |
23 | ||
24 | typedef struct kernel_cap_struct { | |
25 | __u32 cap[_KERNEL_CAPABILITY_U32S]; | |
26 | } kernel_cap_t; | |
27 | ||
28 | /* same as vfs_ns_cap_data but in cpu endian and always filled completely */ | |
29 | struct cpu_vfs_cap_data { | |
30 | __u32 magic_etc; | |
31 | kernel_cap_t permitted; | |
32 | kernel_cap_t inheritable; | |
33 | kuid_t rootid; | |
34 | }; | |
35 | ||
36 | #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) | |
37 | #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) | |
38 | ||
39 | ||
40 | struct file; | |
41 | struct inode; | |
42 | struct dentry; | |
43 | struct task_struct; | |
44 | struct user_namespace; | |
45 | ||
46 | extern const kernel_cap_t __cap_empty_set; | |
47 | extern const kernel_cap_t __cap_init_eff_set; | |
48 | ||
49 | /* | |
50 | * Internal kernel functions only | |
51 | */ | |
52 | ||
53 | #define CAP_FOR_EACH_U32(__capi) \ | |
54 | for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) | |
55 | ||
56 | /* | |
57 | * CAP_FS_MASK and CAP_NFSD_MASKS: | |
58 | * | |
59 | * The fs mask is all the privileges that fsuid==0 historically meant. | |
60 | * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. | |
61 | * | |
62 | * It has never meant setting security.* and trusted.* xattrs. | |
63 | * | |
64 | * We could also define fsmask as follows: | |
65 | * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions | |
66 | * 2. The security.* and trusted.* xattrs are fs-related MAC permissions | |
67 | */ | |
68 | ||
69 | # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ | |
70 | | CAP_TO_MASK(CAP_MKNOD) \ | |
71 | | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ | |
72 | | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ | |
73 | | CAP_TO_MASK(CAP_FOWNER) \ | |
74 | | CAP_TO_MASK(CAP_FSETID)) | |
75 | ||
76 | # define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) | |
77 | ||
78 | #if _KERNEL_CAPABILITY_U32S != 2 | |
79 | # error Fix up hand-coded capability macro initializers | |
80 | #else /* HAND-CODED capability initializers */ | |
81 | ||
82 | #define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1) | |
83 | #define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1) | |
84 | ||
85 | # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) | |
86 | # define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }}) | |
87 | # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ | |
88 | | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ | |
89 | CAP_FS_MASK_B1 } }) | |
90 | # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ | |
91 | | CAP_TO_MASK(CAP_SYS_RESOURCE), \ | |
92 | CAP_FS_MASK_B1 } }) | |
93 | ||
94 | #endif /* _KERNEL_CAPABILITY_U32S != 2 */ | |
95 | ||
96 | # define cap_clear(c) do { (c) = __cap_empty_set; } while (0) | |
97 | ||
98 | #define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag)) | |
99 | #define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag)) | |
100 | #define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag)) | |
101 | ||
102 | #define CAP_BOP_ALL(c, a, b, OP) \ | |
103 | do { \ | |
104 | unsigned __capi; \ | |
105 | CAP_FOR_EACH_U32(__capi) { \ | |
106 | c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \ | |
107 | } \ | |
108 | } while (0) | |
109 | ||
110 | #define CAP_UOP_ALL(c, a, OP) \ | |
111 | do { \ | |
112 | unsigned __capi; \ | |
113 | CAP_FOR_EACH_U32(__capi) { \ | |
114 | c.cap[__capi] = OP a.cap[__capi]; \ | |
115 | } \ | |
116 | } while (0) | |
117 | ||
118 | static inline kernel_cap_t cap_combine(const kernel_cap_t a, | |
119 | const kernel_cap_t b) | |
120 | { | |
121 | kernel_cap_t dest; | |
122 | CAP_BOP_ALL(dest, a, b, |); | |
123 | return dest; | |
124 | } | |
125 | ||
126 | static inline kernel_cap_t cap_intersect(const kernel_cap_t a, | |
127 | const kernel_cap_t b) | |
128 | { | |
129 | kernel_cap_t dest; | |
130 | CAP_BOP_ALL(dest, a, b, &); | |
131 | return dest; | |
132 | } | |
133 | ||
134 | static inline kernel_cap_t cap_drop(const kernel_cap_t a, | |
135 | const kernel_cap_t drop) | |
136 | { | |
137 | kernel_cap_t dest; | |
138 | CAP_BOP_ALL(dest, a, drop, &~); | |
139 | return dest; | |
140 | } | |
141 | ||
142 | static inline kernel_cap_t cap_invert(const kernel_cap_t c) | |
143 | { | |
144 | kernel_cap_t dest; | |
145 | CAP_UOP_ALL(dest, c, ~); | |
146 | return dest; | |
147 | } | |
148 | ||
149 | static inline bool cap_isclear(const kernel_cap_t a) | |
150 | { | |
151 | unsigned __capi; | |
152 | CAP_FOR_EACH_U32(__capi) { | |
153 | if (a.cap[__capi] != 0) | |
154 | return false; | |
155 | } | |
156 | return true; | |
157 | } | |
158 | ||
159 | /* | |
160 | * Check if "a" is a subset of "set". | |
161 | * return true if ALL of the capabilities in "a" are also in "set" | |
162 | * cap_issubset(0101, 1111) will return true | |
163 | * return false if ANY of the capabilities in "a" are not in "set" | |
164 | * cap_issubset(1111, 0101) will return false | |
165 | */ | |
166 | static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set) | |
167 | { | |
168 | kernel_cap_t dest; | |
169 | dest = cap_drop(a, set); | |
170 | return cap_isclear(dest); | |
171 | } | |
172 | ||
173 | /* Used to decide between falling back on the old suser() or fsuser(). */ | |
174 | ||
175 | static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) | |
176 | { | |
177 | const kernel_cap_t __cap_fs_set = CAP_FS_SET; | |
178 | return cap_drop(a, __cap_fs_set); | |
179 | } | |
180 | ||
181 | static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, | |
182 | const kernel_cap_t permitted) | |
183 | { | |
184 | const kernel_cap_t __cap_fs_set = CAP_FS_SET; | |
185 | return cap_combine(a, | |
186 | cap_intersect(permitted, __cap_fs_set)); | |
187 | } | |
188 | ||
189 | static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) | |
190 | { | |
191 | const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; | |
192 | return cap_drop(a, __cap_fs_set); | |
193 | } | |
194 | ||
195 | static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, | |
196 | const kernel_cap_t permitted) | |
197 | { | |
198 | const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; | |
199 | return cap_combine(a, | |
200 | cap_intersect(permitted, __cap_nfsd_set)); | |
201 | } | |
202 | ||
203 | #ifdef CONFIG_MULTIUSER | |
204 | extern bool has_capability(struct task_struct *t, int cap); | |
205 | extern bool has_ns_capability(struct task_struct *t, | |
206 | struct user_namespace *ns, int cap); | |
207 | extern bool has_capability_noaudit(struct task_struct *t, int cap); | |
208 | extern bool has_ns_capability_noaudit(struct task_struct *t, | |
209 | struct user_namespace *ns, int cap); | |
210 | extern bool capable(int cap); | |
211 | extern bool ns_capable(struct user_namespace *ns, int cap); | |
212 | extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); | |
213 | extern bool ns_capable_setid(struct user_namespace *ns, int cap); | |
214 | #else | |
215 | static inline bool has_capability(struct task_struct *t, int cap) | |
216 | { | |
217 | return true; | |
218 | } | |
219 | static inline bool has_ns_capability(struct task_struct *t, | |
220 | struct user_namespace *ns, int cap) | |
221 | { | |
222 | return true; | |
223 | } | |
224 | static inline bool has_capability_noaudit(struct task_struct *t, int cap) | |
225 | { | |
226 | return true; | |
227 | } | |
228 | static inline bool has_ns_capability_noaudit(struct task_struct *t, | |
229 | struct user_namespace *ns, int cap) | |
230 | { | |
231 | return true; | |
232 | } | |
233 | static inline bool capable(int cap) | |
234 | { | |
235 | return true; | |
236 | } | |
237 | static inline bool ns_capable(struct user_namespace *ns, int cap) | |
238 | { | |
239 | return true; | |
240 | } | |
241 | static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) | |
242 | { | |
243 | return true; | |
244 | } | |
245 | static inline bool ns_capable_setid(struct user_namespace *ns, int cap) | |
246 | { | |
247 | return true; | |
248 | } | |
249 | #endif /* CONFIG_MULTIUSER */ | |
250 | bool privileged_wrt_inode_uidgid(struct user_namespace *ns, | |
251 | struct user_namespace *mnt_userns, | |
252 | const struct inode *inode); | |
253 | bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns, | |
254 | const struct inode *inode, int cap); | |
255 | extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); | |
256 | extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); | |
257 | static inline bool perfmon_capable(void) | |
258 | { | |
259 | return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); | |
260 | } | |
261 | ||
262 | static inline bool bpf_capable(void) | |
263 | { | |
264 | return capable(CAP_BPF) || capable(CAP_SYS_ADMIN); | |
265 | } | |
266 | ||
267 | static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) | |
268 | { | |
269 | return ns_capable(ns, CAP_CHECKPOINT_RESTORE) || | |
270 | ns_capable(ns, CAP_SYS_ADMIN); | |
271 | } | |
272 | ||
273 | /* audit system wants to get cap info from files as well */ | |
274 | int get_vfs_caps_from_disk(struct user_namespace *mnt_userns, | |
275 | const struct dentry *dentry, | |
276 | struct cpu_vfs_cap_data *cpu_caps); | |
277 | ||
278 | int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry, | |
279 | const void **ivalue, size_t size); | |
280 | ||
281 | #endif /* !_LINUX_CAPABILITY_H */ |