]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * linux/kernel/capability.c | |
3 | * | |
4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> | |
5 | * | |
6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> | |
7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> | |
8 | */ | |
9 | ||
10 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
11 | ||
12 | #include <linux/audit.h> | |
13 | #include <linux/capability.h> | |
14 | #include <linux/mm.h> | |
15 | #include <linux/export.h> | |
16 | #include <linux/security.h> | |
17 | #include <linux/syscalls.h> | |
18 | #include <linux/pid_namespace.h> | |
19 | #include <linux/user_namespace.h> | |
20 | #include <linux/uaccess.h> | |
21 | ||
22 | /* | |
23 | * Leveraged for setting/resetting capabilities | |
24 | */ | |
25 | ||
26 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; | |
27 | EXPORT_SYMBOL(__cap_empty_set); | |
28 | ||
29 | int file_caps_enabled = 1; | |
30 | ||
31 | static int __init file_caps_disable(char *str) | |
32 | { | |
33 | file_caps_enabled = 0; | |
34 | return 1; | |
35 | } | |
36 | __setup("no_file_caps", file_caps_disable); | |
37 | ||
38 | #ifdef CONFIG_MULTIUSER | |
39 | /* | |
40 | * More recent versions of libcap are available from: | |
41 | * | |
42 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ | |
43 | */ | |
44 | ||
45 | static void warn_legacy_capability_use(void) | |
46 | { | |
47 | char name[sizeof(current->comm)]; | |
48 | ||
49 | pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n", | |
50 | get_task_comm(name, current)); | |
51 | } | |
52 | ||
53 | /* | |
54 | * Version 2 capabilities worked fine, but the linux/capability.h file | |
55 | * that accompanied their introduction encouraged their use without | |
56 | * the necessary user-space source code changes. As such, we have | |
57 | * created a version 3 with equivalent functionality to version 2, but | |
58 | * with a header change to protect legacy source code from using | |
59 | * version 2 when it wanted to use version 1. If your system has code | |
60 | * that trips the following warning, it is using version 2 specific | |
61 | * capabilities and may be doing so insecurely. | |
62 | * | |
63 | * The remedy is to either upgrade your version of libcap (to 2.10+, | |
64 | * if the application is linked against it), or recompile your | |
65 | * application with modern kernel headers and this warning will go | |
66 | * away. | |
67 | */ | |
68 | ||
69 | static void warn_deprecated_v2(void) | |
70 | { | |
71 | char name[sizeof(current->comm)]; | |
72 | ||
73 | pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n", | |
74 | get_task_comm(name, current)); | |
75 | } | |
76 | ||
77 | /* | |
78 | * Version check. Return the number of u32s in each capability flag | |
79 | * array, or a negative value on error. | |
80 | */ | |
81 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) | |
82 | { | |
83 | __u32 version; | |
84 | ||
85 | if (get_user(version, &header->version)) | |
86 | return -EFAULT; | |
87 | ||
88 | switch (version) { | |
89 | case _LINUX_CAPABILITY_VERSION_1: | |
90 | warn_legacy_capability_use(); | |
91 | *tocopy = _LINUX_CAPABILITY_U32S_1; | |
92 | break; | |
93 | case _LINUX_CAPABILITY_VERSION_2: | |
94 | warn_deprecated_v2(); | |
95 | /* | |
96 | * fall through - v3 is otherwise equivalent to v2. | |
97 | */ | |
98 | case _LINUX_CAPABILITY_VERSION_3: | |
99 | *tocopy = _LINUX_CAPABILITY_U32S_3; | |
100 | break; | |
101 | default: | |
102 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) | |
103 | return -EFAULT; | |
104 | return -EINVAL; | |
105 | } | |
106 | ||
107 | return 0; | |
108 | } | |
109 | ||
110 | /* | |
111 | * The only thing that can change the capabilities of the current | |
112 | * process is the current process. As such, we can't be in this code | |
113 | * at the same time as we are in the process of setting capabilities | |
114 | * in this process. The net result is that we can limit our use of | |
115 | * locks to when we are reading the caps of another process. | |
116 | */ | |
117 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, | |
118 | kernel_cap_t *pIp, kernel_cap_t *pPp) | |
119 | { | |
120 | int ret; | |
121 | ||
122 | if (pid && (pid != task_pid_vnr(current))) { | |
123 | struct task_struct *target; | |
124 | ||
125 | rcu_read_lock(); | |
126 | ||
127 | target = find_task_by_vpid(pid); | |
128 | if (!target) | |
129 | ret = -ESRCH; | |
130 | else | |
131 | ret = security_capget(target, pEp, pIp, pPp); | |
132 | ||
133 | rcu_read_unlock(); | |
134 | } else | |
135 | ret = security_capget(current, pEp, pIp, pPp); | |
136 | ||
137 | return ret; | |
138 | } | |
139 | ||
140 | /** | |
141 | * sys_capget - get the capabilities of a given process. | |
142 | * @header: pointer to struct that contains capability version and | |
143 | * target pid data | |
144 | * @dataptr: pointer to struct that contains the effective, permitted, | |
145 | * and inheritable capabilities that are returned | |
146 | * | |
147 | * Returns 0 on success and < 0 on error. | |
148 | */ | |
149 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) | |
150 | { | |
151 | int ret = 0; | |
152 | pid_t pid; | |
153 | unsigned tocopy; | |
154 | kernel_cap_t pE, pI, pP; | |
155 | ||
156 | ret = cap_validate_magic(header, &tocopy); | |
157 | if ((dataptr == NULL) || (ret != 0)) | |
158 | return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; | |
159 | ||
160 | if (get_user(pid, &header->pid)) | |
161 | return -EFAULT; | |
162 | ||
163 | if (pid < 0) | |
164 | return -EINVAL; | |
165 | ||
166 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); | |
167 | if (!ret) { | |
168 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; | |
169 | unsigned i; | |
170 | ||
171 | for (i = 0; i < tocopy; i++) { | |
172 | kdata[i].effective = pE.cap[i]; | |
173 | kdata[i].permitted = pP.cap[i]; | |
174 | kdata[i].inheritable = pI.cap[i]; | |
175 | } | |
176 | ||
177 | /* | |
178 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, | |
179 | * we silently drop the upper capabilities here. This | |
180 | * has the effect of making older libcap | |
181 | * implementations implicitly drop upper capability | |
182 | * bits when they perform a: capget/modify/capset | |
183 | * sequence. | |
184 | * | |
185 | * This behavior is considered fail-safe | |
186 | * behavior. Upgrading the application to a newer | |
187 | * version of libcap will enable access to the newer | |
188 | * capabilities. | |
189 | * | |
190 | * An alternative would be to return an error here | |
191 | * (-ERANGE), but that causes legacy applications to | |
192 | * unexpectedly fail; the capget/modify/capset aborts | |
193 | * before modification is attempted and the application | |
194 | * fails. | |
195 | */ | |
196 | if (copy_to_user(dataptr, kdata, tocopy | |
197 | * sizeof(struct __user_cap_data_struct))) { | |
198 | return -EFAULT; | |
199 | } | |
200 | } | |
201 | ||
202 | return ret; | |
203 | } | |
204 | ||
205 | /** | |
206 | * sys_capset - set capabilities for a process or (*) a group of processes | |
207 | * @header: pointer to struct that contains capability version and | |
208 | * target pid data | |
209 | * @data: pointer to struct that contains the effective, permitted, | |
210 | * and inheritable capabilities | |
211 | * | |
212 | * Set capabilities for the current process only. The ability to any other | |
213 | * process(es) has been deprecated and removed. | |
214 | * | |
215 | * The restrictions on setting capabilities are specified as: | |
216 | * | |
217 | * I: any raised capabilities must be a subset of the old permitted | |
218 | * P: any raised capabilities must be a subset of the old permitted | |
219 | * E: must be set to a subset of new permitted | |
220 | * | |
221 | * Returns 0 on success and < 0 on error. | |
222 | */ | |
223 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) | |
224 | { | |
225 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; | |
226 | unsigned i, tocopy, copybytes; | |
227 | kernel_cap_t inheritable, permitted, effective; | |
228 | struct cred *new; | |
229 | int ret; | |
230 | pid_t pid; | |
231 | ||
232 | ret = cap_validate_magic(header, &tocopy); | |
233 | if (ret != 0) | |
234 | return ret; | |
235 | ||
236 | if (get_user(pid, &header->pid)) | |
237 | return -EFAULT; | |
238 | ||
239 | /* may only affect current now */ | |
240 | if (pid != 0 && pid != task_pid_vnr(current)) | |
241 | return -EPERM; | |
242 | ||
243 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); | |
244 | if (copybytes > sizeof(kdata)) | |
245 | return -EFAULT; | |
246 | ||
247 | if (copy_from_user(&kdata, data, copybytes)) | |
248 | return -EFAULT; | |
249 | ||
250 | for (i = 0; i < tocopy; i++) { | |
251 | effective.cap[i] = kdata[i].effective; | |
252 | permitted.cap[i] = kdata[i].permitted; | |
253 | inheritable.cap[i] = kdata[i].inheritable; | |
254 | } | |
255 | while (i < _KERNEL_CAPABILITY_U32S) { | |
256 | effective.cap[i] = 0; | |
257 | permitted.cap[i] = 0; | |
258 | inheritable.cap[i] = 0; | |
259 | i++; | |
260 | } | |
261 | ||
262 | effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | |
263 | permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | |
264 | inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | |
265 | ||
266 | new = prepare_creds(); | |
267 | if (!new) | |
268 | return -ENOMEM; | |
269 | ||
270 | ret = security_capset(new, current_cred(), | |
271 | &effective, &inheritable, &permitted); | |
272 | if (ret < 0) | |
273 | goto error; | |
274 | ||
275 | audit_log_capset(new, current_cred()); | |
276 | ||
277 | return commit_creds(new); | |
278 | ||
279 | error: | |
280 | abort_creds(new); | |
281 | return ret; | |
282 | } | |
283 | ||
284 | /** | |
285 | * has_ns_capability - Does a task have a capability in a specific user ns | |
286 | * @t: The task in question | |
287 | * @ns: target user namespace | |
288 | * @cap: The capability to be tested for | |
289 | * | |
290 | * Return true if the specified task has the given superior capability | |
291 | * currently in effect to the specified user namespace, false if not. | |
292 | * | |
293 | * Note that this does not set PF_SUPERPRIV on the task. | |
294 | */ | |
295 | bool has_ns_capability(struct task_struct *t, | |
296 | struct user_namespace *ns, int cap) | |
297 | { | |
298 | int ret; | |
299 | ||
300 | rcu_read_lock(); | |
301 | ret = security_capable(__task_cred(t), ns, cap); | |
302 | rcu_read_unlock(); | |
303 | ||
304 | return (ret == 0); | |
305 | } | |
306 | ||
307 | /** | |
308 | * has_capability - Does a task have a capability in init_user_ns | |
309 | * @t: The task in question | |
310 | * @cap: The capability to be tested for | |
311 | * | |
312 | * Return true if the specified task has the given superior capability | |
313 | * currently in effect to the initial user namespace, false if not. | |
314 | * | |
315 | * Note that this does not set PF_SUPERPRIV on the task. | |
316 | */ | |
317 | bool has_capability(struct task_struct *t, int cap) | |
318 | { | |
319 | return has_ns_capability(t, &init_user_ns, cap); | |
320 | } | |
321 | EXPORT_SYMBOL(has_capability); | |
322 | ||
323 | /** | |
324 | * has_ns_capability_noaudit - Does a task have a capability (unaudited) | |
325 | * in a specific user ns. | |
326 | * @t: The task in question | |
327 | * @ns: target user namespace | |
328 | * @cap: The capability to be tested for | |
329 | * | |
330 | * Return true if the specified task has the given superior capability | |
331 | * currently in effect to the specified user namespace, false if not. | |
332 | * Do not write an audit message for the check. | |
333 | * | |
334 | * Note that this does not set PF_SUPERPRIV on the task. | |
335 | */ | |
336 | bool has_ns_capability_noaudit(struct task_struct *t, | |
337 | struct user_namespace *ns, int cap) | |
338 | { | |
339 | int ret; | |
340 | ||
341 | rcu_read_lock(); | |
342 | ret = security_capable_noaudit(__task_cred(t), ns, cap); | |
343 | rcu_read_unlock(); | |
344 | ||
345 | return (ret == 0); | |
346 | } | |
347 | ||
348 | /** | |
349 | * has_capability_noaudit - Does a task have a capability (unaudited) in the | |
350 | * initial user ns | |
351 | * @t: The task in question | |
352 | * @cap: The capability to be tested for | |
353 | * | |
354 | * Return true if the specified task has the given superior capability | |
355 | * currently in effect to init_user_ns, false if not. Don't write an | |
356 | * audit message for the check. | |
357 | * | |
358 | * Note that this does not set PF_SUPERPRIV on the task. | |
359 | */ | |
360 | bool has_capability_noaudit(struct task_struct *t, int cap) | |
361 | { | |
362 | return has_ns_capability_noaudit(t, &init_user_ns, cap); | |
363 | } | |
364 | ||
365 | static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit) | |
366 | { | |
367 | int capable; | |
368 | ||
369 | if (unlikely(!cap_valid(cap))) { | |
370 | pr_crit("capable() called with invalid cap=%u\n", cap); | |
371 | BUG(); | |
372 | } | |
373 | ||
374 | capable = audit ? security_capable(current_cred(), ns, cap) : | |
375 | security_capable_noaudit(current_cred(), ns, cap); | |
376 | if (capable == 0) { | |
377 | current->flags |= PF_SUPERPRIV; | |
378 | return true; | |
379 | } | |
380 | return false; | |
381 | } | |
382 | ||
383 | /** | |
384 | * ns_capable - Determine if the current task has a superior capability in effect | |
385 | * @ns: The usernamespace we want the capability in | |
386 | * @cap: The capability to be tested for | |
387 | * | |
388 | * Return true if the current task has the given superior capability currently | |
389 | * available for use, false if not. | |
390 | * | |
391 | * This sets PF_SUPERPRIV on the task if the capability is available on the | |
392 | * assumption that it's about to be used. | |
393 | */ | |
394 | bool ns_capable(struct user_namespace *ns, int cap) | |
395 | { | |
396 | return ns_capable_common(ns, cap, true); | |
397 | } | |
398 | EXPORT_SYMBOL(ns_capable); | |
399 | ||
400 | /** | |
401 | * ns_capable_noaudit - Determine if the current task has a superior capability | |
402 | * (unaudited) in effect | |
403 | * @ns: The usernamespace we want the capability in | |
404 | * @cap: The capability to be tested for | |
405 | * | |
406 | * Return true if the current task has the given superior capability currently | |
407 | * available for use, false if not. | |
408 | * | |
409 | * This sets PF_SUPERPRIV on the task if the capability is available on the | |
410 | * assumption that it's about to be used. | |
411 | */ | |
412 | bool ns_capable_noaudit(struct user_namespace *ns, int cap) | |
413 | { | |
414 | return ns_capable_common(ns, cap, false); | |
415 | } | |
416 | EXPORT_SYMBOL(ns_capable_noaudit); | |
417 | ||
418 | /** | |
419 | * capable - Determine if the current task has a superior capability in effect | |
420 | * @cap: The capability to be tested for | |
421 | * | |
422 | * Return true if the current task has the given superior capability currently | |
423 | * available for use, false if not. | |
424 | * | |
425 | * This sets PF_SUPERPRIV on the task if the capability is available on the | |
426 | * assumption that it's about to be used. | |
427 | */ | |
428 | bool capable(int cap) | |
429 | { | |
430 | return ns_capable(&init_user_ns, cap); | |
431 | } | |
432 | EXPORT_SYMBOL(capable); | |
433 | #endif /* CONFIG_MULTIUSER */ | |
434 | ||
435 | /** | |
436 | * file_ns_capable - Determine if the file's opener had a capability in effect | |
437 | * @file: The file we want to check | |
438 | * @ns: The usernamespace we want the capability in | |
439 | * @cap: The capability to be tested for | |
440 | * | |
441 | * Return true if task that opened the file had a capability in effect | |
442 | * when the file was opened. | |
443 | * | |
444 | * This does not set PF_SUPERPRIV because the caller may not | |
445 | * actually be privileged. | |
446 | */ | |
447 | bool file_ns_capable(const struct file *file, struct user_namespace *ns, | |
448 | int cap) | |
449 | { | |
450 | if (WARN_ON_ONCE(!cap_valid(cap))) | |
451 | return false; | |
452 | ||
453 | if (security_capable(file->f_cred, ns, cap) == 0) | |
454 | return true; | |
455 | ||
456 | return false; | |
457 | } | |
458 | EXPORT_SYMBOL(file_ns_capable); | |
459 | ||
460 | /** | |
461 | * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode? | |
462 | * @ns: The user namespace in question | |
463 | * @inode: The inode in question | |
464 | * | |
465 | * Return true if the inode uid and gid are within the namespace. | |
466 | */ | |
467 | bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode) | |
468 | { | |
469 | return kuid_has_mapping(ns, inode->i_uid) && | |
470 | kgid_has_mapping(ns, inode->i_gid); | |
471 | } | |
472 | ||
473 | /** | |
474 | * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped | |
475 | * @inode: The inode in question | |
476 | * @cap: The capability in question | |
477 | * | |
478 | * Return true if the current task has the given capability targeted at | |
479 | * its own user namespace and that the given inode's uid and gid are | |
480 | * mapped into the current user namespace. | |
481 | */ | |
482 | bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) | |
483 | { | |
484 | struct user_namespace *ns = current_user_ns(); | |
485 | ||
486 | return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode); | |
487 | } | |
488 | EXPORT_SYMBOL(capable_wrt_inode_uidgid); | |
489 | ||
490 | /** | |
491 | * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace | |
492 | * @tsk: The task that may be ptraced | |
493 | * @ns: The user namespace to search for CAP_SYS_PTRACE in | |
494 | * | |
495 | * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE | |
496 | * in the specified user namespace. | |
497 | */ | |
498 | bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns) | |
499 | { | |
500 | int ret = 0; /* An absent tracer adds no restrictions */ | |
501 | const struct cred *cred; | |
502 | rcu_read_lock(); | |
503 | cred = rcu_dereference(tsk->ptracer_cred); | |
504 | if (cred) | |
505 | ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE); | |
506 | rcu_read_unlock(); | |
507 | return (ret == 0); | |
508 | } |