commoncap.c 44 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /* Common capabilities, needed by capability.o.
  3. */
  4. #include <linux/capability.h>
  5. #include <linux/audit.h>
  6. #include <linux/init.h>
  7. #include <linux/kernel.h>
  8. #include <linux/lsm_hooks.h>
  9. #include <linux/file.h>
  10. #include <linux/mm.h>
  11. #include <linux/mman.h>
  12. #include <linux/pagemap.h>
  13. #include <linux/swap.h>
  14. #include <linux/skbuff.h>
  15. #include <linux/netlink.h>
  16. #include <linux/ptrace.h>
  17. #include <linux/xattr.h>
  18. #include <linux/hugetlb.h>
  19. #include <linux/mount.h>
  20. #include <linux/sched.h>
  21. #include <linux/prctl.h>
  22. #include <linux/securebits.h>
  23. #include <linux/user_namespace.h>
  24. #include <linux/binfmts.h>
  25. #include <linux/personality.h>
  26. #include <linux/mnt_idmapping.h>
  27. #include <uapi/linux/lsm.h>
  28. #define CREATE_TRACE_POINTS
  29. #include <trace/events/capability.h>
  30. /*
  31. * If a non-root user executes a setuid-root binary in
  32. * !secure(SECURE_NOROOT) mode, then we raise capabilities.
  33. * However if fE is also set, then the intent is for only
  34. * the file capabilities to be applied, and the setuid-root
  35. * bit is left on either to change the uid (plausible) or
  36. * to get full privilege on a kernel without file capabilities
  37. * support. So in that case we do not raise capabilities.
  38. *
  39. * Warn if that happens, once per boot.
  40. */
  41. static void warn_setuid_and_fcaps_mixed(const char *fname)
  42. {
  43. static int warned;
  44. if (!warned) {
  45. printk(KERN_INFO "warning: `%s' has both setuid-root and"
  46. " effective capabilities. Therefore not raising all"
  47. " capabilities.\n", fname);
  48. warned = 1;
  49. }
  50. }
  51. /**
  52. * cap_capable_helper - Determine whether a task has a particular effective
  53. * capability.
  54. * @cred: The credentials to use
  55. * @target_ns: The user namespace of the resource being accessed
  56. * @cred_ns: The user namespace of the credentials
  57. * @cap: The capability to check for
  58. *
  59. * Determine whether the nominated task has the specified capability amongst
  60. * its effective set, returning 0 if it does, -ve if it does not.
  61. *
  62. * See cap_capable for more details.
  63. */
  64. static inline int cap_capable_helper(const struct cred *cred,
  65. struct user_namespace *target_ns,
  66. const struct user_namespace *cred_ns,
  67. int cap)
  68. {
  69. struct user_namespace *ns = target_ns;
  70. /* See if cred has the capability in the target user namespace
  71. * by examining the target user namespace and all of the target
  72. * user namespace's parents.
  73. */
  74. for (;;) {
  75. /* Do we have the necessary capabilities? */
  76. if (likely(ns == cred_ns))
  77. return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
  78. /*
  79. * If we're already at a lower level than we're looking for,
  80. * we're done searching.
  81. */
  82. if (ns->level <= cred_ns->level)
  83. return -EPERM;
  84. /*
  85. * The owner of the user namespace in the parent of the
  86. * user namespace has all caps.
  87. */
  88. if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid))
  89. return 0;
  90. /*
  91. * If you have a capability in a parent user ns, then you have
  92. * it over all children user namespaces as well.
  93. */
  94. ns = ns->parent;
  95. }
  96. /* We never get here */
  97. }
  98. /**
  99. * cap_capable - Determine whether a task has a particular effective capability
  100. * @cred: The credentials to use
  101. * @target_ns: The user namespace of the resource being accessed
  102. * @cap: The capability to check for
  103. * @opts: Bitmask of options defined in include/linux/security.h (unused)
  104. *
  105. * Determine whether the nominated task has the specified capability amongst
  106. * its effective set, returning 0 if it does, -ve if it does not.
  107. *
  108. * NOTE WELL: cap_capable() has reverse semantics to the capable() call
  109. * and friends. That is cap_capable() returns an int 0 when a task has
  110. * a capability, while the kernel's capable(), has_ns_capability(),
  111. * has_ns_capability_noaudit(), and has_capability_noaudit() return a
  112. * bool true (1) for this case.
  113. */
  114. int cap_capable(const struct cred *cred, struct user_namespace *target_ns,
  115. int cap, unsigned int opts)
  116. {
  117. const struct user_namespace *cred_ns = cred->user_ns;
  118. int ret = cap_capable_helper(cred, target_ns, cred_ns, cap);
  119. trace_cap_capable(cred, target_ns, cred_ns, cap, ret);
  120. return ret;
  121. }
  122. /**
  123. * cap_settime - Determine whether the current process may set the system clock
  124. * @ts: The time to set
  125. * @tz: The timezone to set
  126. *
  127. * Determine whether the current process may set the system clock and timezone
  128. * information, returning 0 if permission granted, -ve if denied.
  129. */
  130. int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
  131. {
  132. if (!capable(CAP_SYS_TIME))
  133. return -EPERM;
  134. return 0;
  135. }
  136. /**
  137. * cap_ptrace_access_check - Determine whether the current process may access
  138. * another
  139. * @child: The process to be accessed
  140. * @mode: The mode of attachment.
  141. *
  142. * If we are in the same or an ancestor user_ns and have all the target
  143. * task's capabilities, then ptrace access is allowed.
  144. * If we have the ptrace capability to the target user_ns, then ptrace
  145. * access is allowed.
  146. * Else denied.
  147. *
  148. * Determine whether a process may access another, returning 0 if permission
  149. * granted, -ve if denied.
  150. */
  151. int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
  152. {
  153. int ret = 0;
  154. const struct cred *cred, *child_cred;
  155. const kernel_cap_t *caller_caps;
  156. rcu_read_lock();
  157. cred = current_cred();
  158. child_cred = __task_cred(child);
  159. if (mode & PTRACE_MODE_FSCREDS)
  160. caller_caps = &cred->cap_effective;
  161. else
  162. caller_caps = &cred->cap_permitted;
  163. if (cred->user_ns == child_cred->user_ns &&
  164. cap_issubset(child_cred->cap_permitted, *caller_caps))
  165. goto out;
  166. if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
  167. goto out;
  168. ret = -EPERM;
  169. out:
  170. rcu_read_unlock();
  171. return ret;
  172. }
  173. /**
  174. * cap_ptrace_traceme - Determine whether another process may trace the current
  175. * @parent: The task proposed to be the tracer
  176. *
  177. * If parent is in the same or an ancestor user_ns and has all current's
  178. * capabilities, then ptrace access is allowed.
  179. * If parent has the ptrace capability to current's user_ns, then ptrace
  180. * access is allowed.
  181. * Else denied.
  182. *
  183. * Determine whether the nominated task is permitted to trace the current
  184. * process, returning 0 if permission is granted, -ve if denied.
  185. */
  186. int cap_ptrace_traceme(struct task_struct *parent)
  187. {
  188. int ret = 0;
  189. const struct cred *cred, *child_cred;
  190. rcu_read_lock();
  191. cred = __task_cred(parent);
  192. child_cred = current_cred();
  193. if (cred->user_ns == child_cred->user_ns &&
  194. cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
  195. goto out;
  196. if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
  197. goto out;
  198. ret = -EPERM;
  199. out:
  200. rcu_read_unlock();
  201. return ret;
  202. }
  203. /**
  204. * cap_capget - Retrieve a task's capability sets
  205. * @target: The task from which to retrieve the capability sets
  206. * @effective: The place to record the effective set
  207. * @inheritable: The place to record the inheritable set
  208. * @permitted: The place to record the permitted set
  209. *
  210. * This function retrieves the capabilities of the nominated task and returns
  211. * them to the caller.
  212. */
  213. int cap_capget(const struct task_struct *target, kernel_cap_t *effective,
  214. kernel_cap_t *inheritable, kernel_cap_t *permitted)
  215. {
  216. const struct cred *cred;
  217. /* Derived from kernel/capability.c:sys_capget. */
  218. rcu_read_lock();
  219. cred = __task_cred(target);
  220. *effective = cred->cap_effective;
  221. *inheritable = cred->cap_inheritable;
  222. *permitted = cred->cap_permitted;
  223. rcu_read_unlock();
  224. return 0;
  225. }
  226. /*
  227. * Determine whether the inheritable capabilities are limited to the old
  228. * permitted set. Returns 1 if they are limited, 0 if they are not.
  229. */
  230. static inline int cap_inh_is_capped(void)
  231. {
  232. /* they are so limited unless the current task has the CAP_SETPCAP
  233. * capability
  234. */
  235. if (cap_capable(current_cred(), current_cred()->user_ns,
  236. CAP_SETPCAP, CAP_OPT_NONE) == 0)
  237. return 0;
  238. return 1;
  239. }
  240. /**
  241. * cap_capset - Validate and apply proposed changes to current's capabilities
  242. * @new: The proposed new credentials; alterations should be made here
  243. * @old: The current task's current credentials
  244. * @effective: A pointer to the proposed new effective capabilities set
  245. * @inheritable: A pointer to the proposed new inheritable capabilities set
  246. * @permitted: A pointer to the proposed new permitted capabilities set
  247. *
  248. * This function validates and applies a proposed mass change to the current
  249. * process's capability sets. The changes are made to the proposed new
  250. * credentials, and assuming no error, will be committed by the caller of LSM.
  251. */
  252. int cap_capset(struct cred *new,
  253. const struct cred *old,
  254. const kernel_cap_t *effective,
  255. const kernel_cap_t *inheritable,
  256. const kernel_cap_t *permitted)
  257. {
  258. if (cap_inh_is_capped() &&
  259. !cap_issubset(*inheritable,
  260. cap_combine(old->cap_inheritable,
  261. old->cap_permitted)))
  262. /* incapable of using this inheritable set */
  263. return -EPERM;
  264. if (!cap_issubset(*inheritable,
  265. cap_combine(old->cap_inheritable,
  266. old->cap_bset)))
  267. /* no new pI capabilities outside bounding set */
  268. return -EPERM;
  269. /* verify restrictions on target's new Permitted set */
  270. if (!cap_issubset(*permitted, old->cap_permitted))
  271. return -EPERM;
  272. /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
  273. if (!cap_issubset(*effective, *permitted))
  274. return -EPERM;
  275. new->cap_effective = *effective;
  276. new->cap_inheritable = *inheritable;
  277. new->cap_permitted = *permitted;
  278. /*
  279. * Mask off ambient bits that are no longer both permitted and
  280. * inheritable.
  281. */
  282. new->cap_ambient = cap_intersect(new->cap_ambient,
  283. cap_intersect(*permitted,
  284. *inheritable));
  285. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  286. return -EINVAL;
  287. return 0;
  288. }
  289. /**
  290. * cap_inode_need_killpriv - Determine if inode change affects privileges
  291. * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
  292. *
  293. * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
  294. * affects the security markings on that inode, and if it is, should
  295. * inode_killpriv() be invoked or the change rejected.
  296. *
  297. * Return: 1 if security.capability has a value, meaning inode_killpriv()
  298. * is required, 0 otherwise, meaning inode_killpriv() is not required.
  299. */
  300. int cap_inode_need_killpriv(struct dentry *dentry)
  301. {
  302. struct inode *inode = d_backing_inode(dentry);
  303. int error;
  304. error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
  305. return error > 0;
  306. }
  307. /**
  308. * cap_inode_killpriv - Erase the security markings on an inode
  309. *
  310. * @idmap: idmap of the mount the inode was found from
  311. * @dentry: The inode/dentry to alter
  312. *
  313. * Erase the privilege-enhancing security markings on an inode.
  314. *
  315. * If the inode has been found through an idmapped mount the idmap of
  316. * the vfsmount must be passed through @idmap. This function will then
  317. * take care to map the inode according to @idmap before checking
  318. * permissions. On non-idmapped mounts or if permission checking is to be
  319. * performed on the raw inode simply pass @nop_mnt_idmap.
  320. *
  321. * Return: 0 if successful, -ve on error.
  322. */
  323. int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry)
  324. {
  325. int error;
  326. error = __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS);
  327. if (error == -EOPNOTSUPP)
  328. error = 0;
  329. return error;
  330. }
  331. /**
  332. * kuid_root_in_ns - check whether the given kuid is root in the given ns
  333. * @kuid: the kuid to be tested
  334. * @ns: the user namespace to test against
  335. *
  336. * Returns true if @kuid represents the root user in @ns, false otherwise.
  337. */
  338. static bool kuid_root_in_ns(kuid_t kuid, struct user_namespace *ns)
  339. {
  340. for (;; ns = ns->parent) {
  341. if (from_kuid(ns, kuid) == 0)
  342. return true;
  343. if (ns == &init_user_ns)
  344. break;
  345. }
  346. return false;
  347. }
  348. static bool vfsuid_root_in_currentns(vfsuid_t vfsuid)
  349. {
  350. kuid_t kuid;
  351. if (!vfsuid_valid(vfsuid))
  352. return false;
  353. kuid = vfsuid_into_kuid(vfsuid);
  354. return kuid_root_in_ns(kuid, current_user_ns());
  355. }
  356. static __u32 sansflags(__u32 m)
  357. {
  358. return m & ~VFS_CAP_FLAGS_EFFECTIVE;
  359. }
  360. static bool is_v2header(int size, const struct vfs_cap_data *cap)
  361. {
  362. if (size != XATTR_CAPS_SZ_2)
  363. return false;
  364. return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
  365. }
  366. static bool is_v3header(int size, const struct vfs_cap_data *cap)
  367. {
  368. if (size != XATTR_CAPS_SZ_3)
  369. return false;
  370. return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
  371. }
  372. /*
  373. * getsecurity: We are called for security.* before any attempt to read the
  374. * xattr from the inode itself.
  375. *
  376. * This gives us a chance to read the on-disk value and convert it. If we
  377. * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
  378. *
  379. * Note we are not called by vfs_getxattr_alloc(), but that is only called
  380. * by the integrity subsystem, which really wants the unconverted values -
  381. * so that's good.
  382. */
  383. int cap_inode_getsecurity(struct mnt_idmap *idmap,
  384. struct inode *inode, const char *name, void **buffer,
  385. bool alloc)
  386. {
  387. int size;
  388. kuid_t kroot;
  389. vfsuid_t vfsroot;
  390. u32 nsmagic, magic;
  391. uid_t root, mappedroot;
  392. char *tmpbuf = NULL;
  393. struct vfs_cap_data *cap;
  394. struct vfs_ns_cap_data *nscap = NULL;
  395. struct dentry *dentry;
  396. struct user_namespace *fs_ns;
  397. if (strcmp(name, "capability") != 0)
  398. return -EOPNOTSUPP;
  399. dentry = d_find_any_alias(inode);
  400. if (!dentry)
  401. return -EINVAL;
  402. size = vfs_getxattr_alloc(idmap, dentry, XATTR_NAME_CAPS, &tmpbuf,
  403. sizeof(struct vfs_ns_cap_data), GFP_NOFS);
  404. dput(dentry);
  405. /* gcc11 complains if we don't check for !tmpbuf */
  406. if (size < 0 || !tmpbuf)
  407. goto out_free;
  408. fs_ns = inode->i_sb->s_user_ns;
  409. cap = (struct vfs_cap_data *) tmpbuf;
  410. if (is_v2header(size, cap)) {
  411. root = 0;
  412. } else if (is_v3header(size, cap)) {
  413. nscap = (struct vfs_ns_cap_data *) tmpbuf;
  414. root = le32_to_cpu(nscap->rootid);
  415. } else {
  416. size = -EINVAL;
  417. goto out_free;
  418. }
  419. kroot = make_kuid(fs_ns, root);
  420. /* If this is an idmapped mount shift the kuid. */
  421. vfsroot = make_vfsuid(idmap, fs_ns, kroot);
  422. /* If the root kuid maps to a valid uid in current ns, then return
  423. * this as a nscap. */
  424. mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot));
  425. if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
  426. size = sizeof(struct vfs_ns_cap_data);
  427. if (alloc) {
  428. if (!nscap) {
  429. /* v2 -> v3 conversion */
  430. nscap = kzalloc(size, GFP_ATOMIC);
  431. if (!nscap) {
  432. size = -ENOMEM;
  433. goto out_free;
  434. }
  435. nsmagic = VFS_CAP_REVISION_3;
  436. magic = le32_to_cpu(cap->magic_etc);
  437. if (magic & VFS_CAP_FLAGS_EFFECTIVE)
  438. nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
  439. memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
  440. nscap->magic_etc = cpu_to_le32(nsmagic);
  441. } else {
  442. /* use allocated v3 buffer */
  443. tmpbuf = NULL;
  444. }
  445. nscap->rootid = cpu_to_le32(mappedroot);
  446. *buffer = nscap;
  447. }
  448. goto out_free;
  449. }
  450. if (!vfsuid_root_in_currentns(vfsroot)) {
  451. size = -EOVERFLOW;
  452. goto out_free;
  453. }
  454. /* This comes from a parent namespace. Return as a v2 capability */
  455. size = sizeof(struct vfs_cap_data);
  456. if (alloc) {
  457. if (nscap) {
  458. /* v3 -> v2 conversion */
  459. cap = kzalloc(size, GFP_ATOMIC);
  460. if (!cap) {
  461. size = -ENOMEM;
  462. goto out_free;
  463. }
  464. magic = VFS_CAP_REVISION_2;
  465. nsmagic = le32_to_cpu(nscap->magic_etc);
  466. if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
  467. magic |= VFS_CAP_FLAGS_EFFECTIVE;
  468. memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
  469. cap->magic_etc = cpu_to_le32(magic);
  470. } else {
  471. /* use unconverted v2 */
  472. tmpbuf = NULL;
  473. }
  474. *buffer = cap;
  475. }
  476. out_free:
  477. kfree(tmpbuf);
  478. return size;
  479. }
  480. /**
  481. * rootid_from_xattr - translate root uid of vfs caps
  482. *
  483. * @value: vfs caps value which may be modified by this function
  484. * @size: size of @ivalue
  485. * @task_ns: user namespace of the caller
  486. */
  487. static vfsuid_t rootid_from_xattr(const void *value, size_t size,
  488. struct user_namespace *task_ns)
  489. {
  490. const struct vfs_ns_cap_data *nscap = value;
  491. uid_t rootid = 0;
  492. if (size == XATTR_CAPS_SZ_3)
  493. rootid = le32_to_cpu(nscap->rootid);
  494. return VFSUIDT_INIT(make_kuid(task_ns, rootid));
  495. }
  496. static bool validheader(size_t size, const struct vfs_cap_data *cap)
  497. {
  498. return is_v2header(size, cap) || is_v3header(size, cap);
  499. }
  500. /**
  501. * cap_convert_nscap - check vfs caps
  502. *
  503. * @idmap: idmap of the mount the inode was found from
  504. * @dentry: used to retrieve inode to check permissions on
  505. * @ivalue: vfs caps value which may be modified by this function
  506. * @size: size of @ivalue
  507. *
  508. * User requested a write of security.capability. If needed, update the
  509. * xattr to change from v2 to v3, or to fixup the v3 rootid.
  510. *
  511. * If the inode has been found through an idmapped mount the idmap of
  512. * the vfsmount must be passed through @idmap. This function will then
  513. * take care to map the inode according to @idmap before checking
  514. * permissions. On non-idmapped mounts or if permission checking is to be
  515. * performed on the raw inode simply pass @nop_mnt_idmap.
  516. *
  517. * Return: On success, return the new size; on error, return < 0.
  518. */
  519. int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry,
  520. const void **ivalue, size_t size)
  521. {
  522. struct vfs_ns_cap_data *nscap;
  523. uid_t nsrootid;
  524. const struct vfs_cap_data *cap = *ivalue;
  525. __u32 magic, nsmagic;
  526. struct inode *inode = d_backing_inode(dentry);
  527. struct user_namespace *task_ns = current_user_ns(),
  528. *fs_ns = inode->i_sb->s_user_ns;
  529. kuid_t rootid;
  530. vfsuid_t vfsrootid;
  531. size_t newsize;
  532. if (!*ivalue)
  533. return -EINVAL;
  534. if (!validheader(size, cap))
  535. return -EINVAL;
  536. if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
  537. return -EPERM;
  538. if (size == XATTR_CAPS_SZ_2 && (idmap == &nop_mnt_idmap))
  539. if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
  540. /* user is privileged, just write the v2 */
  541. return size;
  542. vfsrootid = rootid_from_xattr(*ivalue, size, task_ns);
  543. if (!vfsuid_valid(vfsrootid))
  544. return -EINVAL;
  545. rootid = from_vfsuid(idmap, fs_ns, vfsrootid);
  546. if (!uid_valid(rootid))
  547. return -EINVAL;
  548. nsrootid = from_kuid(fs_ns, rootid);
  549. if (nsrootid == -1)
  550. return -EINVAL;
  551. newsize = sizeof(struct vfs_ns_cap_data);
  552. nscap = kmalloc(newsize, GFP_ATOMIC);
  553. if (!nscap)
  554. return -ENOMEM;
  555. nscap->rootid = cpu_to_le32(nsrootid);
  556. nsmagic = VFS_CAP_REVISION_3;
  557. magic = le32_to_cpu(cap->magic_etc);
  558. if (magic & VFS_CAP_FLAGS_EFFECTIVE)
  559. nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
  560. nscap->magic_etc = cpu_to_le32(nsmagic);
  561. memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
  562. *ivalue = nscap;
  563. return newsize;
  564. }
  565. /*
  566. * Calculate the new process capability sets from the capability sets attached
  567. * to a file.
  568. */
  569. static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
  570. struct linux_binprm *bprm,
  571. bool *effective,
  572. bool *has_fcap)
  573. {
  574. struct cred *new = bprm->cred;
  575. int ret = 0;
  576. if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
  577. *effective = true;
  578. if (caps->magic_etc & VFS_CAP_REVISION_MASK)
  579. *has_fcap = true;
  580. /*
  581. * pP' = (X & fP) | (pI & fI)
  582. * The addition of pA' is handled later.
  583. */
  584. new->cap_permitted.val =
  585. (new->cap_bset.val & caps->permitted.val) |
  586. (new->cap_inheritable.val & caps->inheritable.val);
  587. if (caps->permitted.val & ~new->cap_permitted.val)
  588. /* insufficient to execute correctly */
  589. ret = -EPERM;
  590. /*
  591. * For legacy apps, with no internal support for recognizing they
  592. * do not have enough capabilities, we return an error if they are
  593. * missing some "forced" (aka file-permitted) capabilities.
  594. */
  595. return *effective ? ret : 0;
  596. }
  597. /**
  598. * get_vfs_caps_from_disk - retrieve vfs caps from disk
  599. *
  600. * @idmap: idmap of the mount the inode was found from
  601. * @dentry: dentry from which @inode is retrieved
  602. * @cpu_caps: vfs capabilities
  603. *
  604. * Extract the on-exec-apply capability sets for an executable file.
  605. *
  606. * If the inode has been found through an idmapped mount the idmap of
  607. * the vfsmount must be passed through @idmap. This function will then
  608. * take care to map the inode according to @idmap before checking
  609. * permissions. On non-idmapped mounts or if permission checking is to be
  610. * performed on the raw inode simply pass @nop_mnt_idmap.
  611. */
  612. int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
  613. const struct dentry *dentry,
  614. struct cpu_vfs_cap_data *cpu_caps)
  615. {
  616. struct inode *inode = d_backing_inode(dentry);
  617. __u32 magic_etc;
  618. int size;
  619. struct vfs_ns_cap_data data, *nscaps = &data;
  620. struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
  621. kuid_t rootkuid;
  622. vfsuid_t rootvfsuid;
  623. struct user_namespace *fs_ns;
  624. memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
  625. if (!inode)
  626. return -ENODATA;
  627. fs_ns = inode->i_sb->s_user_ns;
  628. size = __vfs_getxattr((struct dentry *)dentry, inode,
  629. XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
  630. if (size == -ENODATA || size == -EOPNOTSUPP)
  631. /* no data, that's ok */
  632. return -ENODATA;
  633. if (size < 0)
  634. return size;
  635. if (size < sizeof(magic_etc))
  636. return -EINVAL;
  637. cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);
  638. rootkuid = make_kuid(fs_ns, 0);
  639. switch (magic_etc & VFS_CAP_REVISION_MASK) {
  640. case VFS_CAP_REVISION_1:
  641. if (size != XATTR_CAPS_SZ_1)
  642. return -EINVAL;
  643. break;
  644. case VFS_CAP_REVISION_2:
  645. if (size != XATTR_CAPS_SZ_2)
  646. return -EINVAL;
  647. break;
  648. case VFS_CAP_REVISION_3:
  649. if (size != XATTR_CAPS_SZ_3)
  650. return -EINVAL;
  651. rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
  652. break;
  653. default:
  654. return -EINVAL;
  655. }
  656. rootvfsuid = make_vfsuid(idmap, fs_ns, rootkuid);
  657. if (!vfsuid_valid(rootvfsuid))
  658. return -ENODATA;
  659. /* Limit the caps to the mounter of the filesystem
  660. * or the more limited uid specified in the xattr.
  661. */
  662. if (!vfsuid_root_in_currentns(rootvfsuid))
  663. return -ENODATA;
  664. cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted);
  665. cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable);
  666. /*
  667. * Rev1 had just a single 32-bit word, later expanded
  668. * to a second one for the high bits
  669. */
  670. if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) {
  671. cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32;
  672. cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32;
  673. }
  674. cpu_caps->permitted.val &= CAP_VALID_MASK;
  675. cpu_caps->inheritable.val &= CAP_VALID_MASK;
  676. cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid);
  677. return 0;
  678. }
  679. /*
  680. * Attempt to get the on-exec apply capability sets for an executable file from
  681. * its xattrs and, if present, apply them to the proposed credentials being
  682. * constructed by execve().
  683. */
  684. static int get_file_caps(struct linux_binprm *bprm, const struct file *file,
  685. bool *effective, bool *has_fcap)
  686. {
  687. int rc = 0;
  688. struct cpu_vfs_cap_data vcaps;
  689. cap_clear(bprm->cred->cap_permitted);
  690. if (!file_caps_enabled)
  691. return 0;
  692. if (!mnt_may_suid(file->f_path.mnt))
  693. return 0;
  694. /*
  695. * This check is redundant with mnt_may_suid() but is kept to make
  696. * explicit that capability bits are limited to s_user_ns and its
  697. * descendants.
  698. */
  699. if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
  700. return 0;
  701. rc = get_vfs_caps_from_disk(file_mnt_idmap(file),
  702. file->f_path.dentry, &vcaps);
  703. if (rc < 0) {
  704. if (rc == -EINVAL)
  705. printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
  706. bprm->filename);
  707. else if (rc == -ENODATA)
  708. rc = 0;
  709. goto out;
  710. }
  711. rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
  712. out:
  713. if (rc)
  714. cap_clear(bprm->cred->cap_permitted);
  715. return rc;
  716. }
  717. static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
  718. static inline bool __is_real(kuid_t uid, struct cred *cred)
  719. { return uid_eq(cred->uid, uid); }
  720. static inline bool __is_eff(kuid_t uid, struct cred *cred)
  721. { return uid_eq(cred->euid, uid); }
  722. static inline bool __is_suid(kuid_t uid, struct cred *cred)
  723. { return !__is_real(uid, cred) && __is_eff(uid, cred); }
  724. /*
  725. * handle_privileged_root - Handle case of privileged root
  726. * @bprm: The execution parameters, including the proposed creds
  727. * @has_fcap: Are any file capabilities set?
  728. * @effective: Do we have effective root privilege?
  729. * @root_uid: This namespace' root UID WRT initial USER namespace
  730. *
  731. * Handle the case where root is privileged and hasn't been neutered by
  732. * SECURE_NOROOT. If file capabilities are set, they won't be combined with
  733. * set UID root and nothing is changed. If we are root, cap_permitted is
  734. * updated. If we have become set UID root, the effective bit is set.
  735. */
  736. static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
  737. bool *effective, kuid_t root_uid)
  738. {
  739. const struct cred *old = current_cred();
  740. struct cred *new = bprm->cred;
  741. if (!root_privileged())
  742. return;
  743. /*
  744. * If the legacy file capability is set, then don't set privs
  745. * for a setuid root binary run by a non-root user. Do set it
  746. * for a root user just to cause least surprise to an admin.
  747. */
  748. if (has_fcap && __is_suid(root_uid, new)) {
  749. warn_setuid_and_fcaps_mixed(bprm->filename);
  750. return;
  751. }
  752. /*
  753. * To support inheritance of root-permissions and suid-root
  754. * executables under compatibility mode, we override the
  755. * capability sets for the file.
  756. */
  757. if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
  758. /* pP' = (cap_bset & ~0) | (pI & ~0) */
  759. new->cap_permitted = cap_combine(old->cap_bset,
  760. old->cap_inheritable);
  761. }
  762. /*
  763. * If only the real uid is 0, we do not set the effective bit.
  764. */
  765. if (__is_eff(root_uid, new))
  766. *effective = true;
  767. }
  768. #define __cap_gained(field, target, source) \
  769. !cap_issubset(target->cap_##field, source->cap_##field)
  770. #define __cap_grew(target, source, cred) \
  771. !cap_issubset(cred->cap_##target, cred->cap_##source)
  772. #define __cap_full(field, cred) \
  773. cap_issubset(CAP_FULL_SET, cred->cap_##field)
  774. /*
  775. * 1) Audit candidate if current->cap_effective is set
  776. *
  777. * We do not bother to audit if 3 things are true:
  778. * 1) cap_effective has all caps
  779. * 2) we became root *OR* are were already root
  780. * 3) root is supposed to have all caps (SECURE_NOROOT)
  781. * Since this is just a normal root execing a process.
  782. *
  783. * Number 1 above might fail if you don't have a full bset, but I think
  784. * that is interesting information to audit.
  785. *
  786. * A number of other conditions require logging:
  787. * 2) something prevented setuid root getting all caps
  788. * 3) non-setuid root gets fcaps
  789. * 4) non-setuid root gets ambient
  790. */
  791. static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
  792. kuid_t root, bool has_fcap)
  793. {
  794. bool ret = false;
  795. if ((__cap_grew(effective, ambient, new) &&
  796. !(__cap_full(effective, new) &&
  797. (__is_eff(root, new) || __is_real(root, new)) &&
  798. root_privileged())) ||
  799. (root_privileged() &&
  800. __is_suid(root, new) &&
  801. !__cap_full(effective, new)) ||
  802. (uid_eq(new->euid, old->euid) &&
  803. ((has_fcap &&
  804. __cap_gained(permitted, new, old)) ||
  805. __cap_gained(ambient, new, old))))
  806. ret = true;
  807. return ret;
  808. }
  809. /**
  810. * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
  811. * @bprm: The execution parameters, including the proposed creds
  812. * @file: The file to pull the credentials from
  813. *
  814. * Set up the proposed credentials for a new execution context being
  815. * constructed by execve(). The proposed creds in @bprm->cred is altered,
  816. * which won't take effect immediately.
  817. *
  818. * Return: 0 if successful, -ve on error.
  819. */
  820. int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
  821. {
  822. /* Process setpcap binaries and capabilities for uid 0 */
  823. const struct cred *old = current_cred();
  824. struct cred *new = bprm->cred;
  825. bool effective = false, has_fcap = false, id_changed;
  826. int ret;
  827. kuid_t root_uid;
  828. if (WARN_ON(!cap_ambient_invariant_ok(old)))
  829. return -EPERM;
  830. ret = get_file_caps(bprm, file, &effective, &has_fcap);
  831. if (ret < 0)
  832. return ret;
  833. root_uid = make_kuid(new->user_ns, 0);
  834. handle_privileged_root(bprm, has_fcap, &effective, root_uid);
  835. /* if we have fs caps, clear dangerous personality flags */
  836. if (__cap_gained(permitted, new, old))
  837. bprm->per_clear |= PER_CLEAR_ON_SETID;
  838. /* Don't let someone trace a set[ug]id/setpcap binary with the revised
  839. * credentials unless they have the appropriate permit.
  840. *
  841. * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
  842. */
  843. id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid);
  844. if ((id_changed || __cap_gained(permitted, new, old)) &&
  845. ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
  846. !ptracer_capable(current, new->user_ns))) {
  847. /* downgrade; they get no more than they had, and maybe less */
  848. if (!ns_capable(new->user_ns, CAP_SETUID) ||
  849. (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
  850. new->euid = new->uid;
  851. new->egid = new->gid;
  852. }
  853. new->cap_permitted = cap_intersect(new->cap_permitted,
  854. old->cap_permitted);
  855. }
  856. new->suid = new->fsuid = new->euid;
  857. new->sgid = new->fsgid = new->egid;
  858. /* File caps or setid cancels ambient. */
  859. if (has_fcap || id_changed)
  860. cap_clear(new->cap_ambient);
  861. /*
  862. * Now that we've computed pA', update pP' to give:
  863. * pP' = (X & fP) | (pI & fI) | pA'
  864. */
  865. new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
  866. /*
  867. * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
  868. * this is the same as pE' = (fE ? pP' : 0) | pA'.
  869. */
  870. if (effective)
  871. new->cap_effective = new->cap_permitted;
  872. else
  873. new->cap_effective = new->cap_ambient;
  874. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  875. return -EPERM;
  876. if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
  877. ret = audit_log_bprm_fcaps(bprm, new, old);
  878. if (ret < 0)
  879. return ret;
  880. }
  881. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  882. if (WARN_ON(!cap_ambient_invariant_ok(new)))
  883. return -EPERM;
  884. /* Check for privilege-elevated exec. */
  885. if (id_changed ||
  886. !uid_eq(new->euid, old->uid) ||
  887. !gid_eq(new->egid, old->gid) ||
  888. (!__is_real(root_uid, new) &&
  889. (effective ||
  890. __cap_grew(permitted, ambient, new))))
  891. bprm->secureexec = 1;
  892. return 0;
  893. }
  894. /**
  895. * cap_inode_setxattr - Determine whether an xattr may be altered
  896. * @dentry: The inode/dentry being altered
  897. * @name: The name of the xattr to be changed
  898. * @value: The value that the xattr will be changed to
  899. * @size: The size of value
  900. * @flags: The replacement flag
  901. *
  902. * Determine whether an xattr may be altered or set on an inode, returning 0 if
  903. * permission is granted, -ve if denied.
  904. *
  905. * This is used to make sure security xattrs don't get updated or set by those
  906. * who aren't privileged to do so.
  907. */
  908. int cap_inode_setxattr(struct dentry *dentry, const char *name,
  909. const void *value, size_t size, int flags)
  910. {
  911. struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
  912. /* Ignore non-security xattrs */
  913. if (strncmp(name, XATTR_SECURITY_PREFIX,
  914. XATTR_SECURITY_PREFIX_LEN) != 0)
  915. return 0;
  916. /*
  917. * For XATTR_NAME_CAPS the check will be done in
  918. * cap_convert_nscap(), called by setxattr()
  919. */
  920. if (strcmp(name, XATTR_NAME_CAPS) == 0)
  921. return 0;
  922. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  923. return -EPERM;
  924. return 0;
  925. }
  926. /**
  927. * cap_inode_removexattr - Determine whether an xattr may be removed
  928. *
  929. * @idmap: idmap of the mount the inode was found from
  930. * @dentry: The inode/dentry being altered
  931. * @name: The name of the xattr to be changed
  932. *
  933. * Determine whether an xattr may be removed from an inode, returning 0 if
  934. * permission is granted, -ve if denied.
  935. *
  936. * If the inode has been found through an idmapped mount the idmap of
  937. * the vfsmount must be passed through @idmap. This function will then
  938. * take care to map the inode according to @idmap before checking
  939. * permissions. On non-idmapped mounts or if permission checking is to be
  940. * performed on the raw inode simply pass @nop_mnt_idmap.
  941. *
  942. * This is used to make sure security xattrs don't get removed by those who
  943. * aren't privileged to remove them.
  944. */
  945. int cap_inode_removexattr(struct mnt_idmap *idmap,
  946. struct dentry *dentry, const char *name)
  947. {
  948. struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
  949. /* Ignore non-security xattrs */
  950. if (strncmp(name, XATTR_SECURITY_PREFIX,
  951. XATTR_SECURITY_PREFIX_LEN) != 0)
  952. return 0;
  953. if (strcmp(name, XATTR_NAME_CAPS) == 0) {
  954. /* security.capability gets namespaced */
  955. struct inode *inode = d_backing_inode(dentry);
  956. if (!inode)
  957. return -EINVAL;
  958. if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
  959. return -EPERM;
  960. return 0;
  961. }
  962. if (!ns_capable(user_ns, CAP_SYS_ADMIN))
  963. return -EPERM;
  964. return 0;
  965. }
  966. /*
  967. * cap_emulate_setxuid() fixes the effective / permitted capabilities of
  968. * a process after a call to setuid, setreuid, or setresuid.
  969. *
  970. * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
  971. * {r,e,s}uid != 0, the permitted and effective capabilities are
  972. * cleared.
  973. *
  974. * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
  975. * capabilities of the process are cleared.
  976. *
  977. * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
  978. * capabilities are set to the permitted capabilities.
  979. *
  980. * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
  981. * never happen.
  982. *
  983. * -astor
  984. *
  985. * cevans - New behaviour, Oct '99
  986. * A process may, via prctl(), elect to keep its capabilities when it
  987. * calls setuid() and switches away from uid==0. Both permitted and
  988. * effective sets will be retained.
  989. * Without this change, it was impossible for a daemon to drop only some
  990. * of its privilege. The call to setuid(!=0) would drop all privileges!
  991. * Keeping uid 0 is not an option because uid 0 owns too many vital
  992. * files..
  993. * Thanks to Olaf Kirch and Peter Benie for spotting this.
  994. */
  995. static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
  996. {
  997. kuid_t root_uid = make_kuid(old->user_ns, 0);
  998. if ((uid_eq(old->uid, root_uid) ||
  999. uid_eq(old->euid, root_uid) ||
  1000. uid_eq(old->suid, root_uid)) &&
  1001. (!uid_eq(new->uid, root_uid) &&
  1002. !uid_eq(new->euid, root_uid) &&
  1003. !uid_eq(new->suid, root_uid))) {
  1004. if (!issecure(SECURE_KEEP_CAPS)) {
  1005. cap_clear(new->cap_permitted);
  1006. cap_clear(new->cap_effective);
  1007. }
  1008. /*
  1009. * Pre-ambient programs expect setresuid to nonroot followed
  1010. * by exec to drop capabilities. We should make sure that
  1011. * this remains the case.
  1012. */
  1013. cap_clear(new->cap_ambient);
  1014. }
  1015. if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
  1016. cap_clear(new->cap_effective);
  1017. if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
  1018. new->cap_effective = new->cap_permitted;
  1019. }
  1020. /**
  1021. * cap_task_fix_setuid - Fix up the results of setuid() call
  1022. * @new: The proposed credentials
  1023. * @old: The current task's current credentials
  1024. * @flags: Indications of what has changed
  1025. *
  1026. * Fix up the results of setuid() call before the credential changes are
  1027. * actually applied.
  1028. *
  1029. * Return: 0 to grant the changes, -ve to deny them.
  1030. */
  1031. int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
  1032. {
  1033. switch (flags) {
  1034. case LSM_SETID_RE:
  1035. case LSM_SETID_ID:
  1036. case LSM_SETID_RES:
  1037. /* juggle the capabilities to follow [RES]UID changes unless
  1038. * otherwise suppressed */
  1039. if (!issecure(SECURE_NO_SETUID_FIXUP))
  1040. cap_emulate_setxuid(new, old);
  1041. break;
  1042. case LSM_SETID_FS:
  1043. /* juggle the capabilities to follow FSUID changes, unless
  1044. * otherwise suppressed
  1045. *
  1046. * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
  1047. * if not, we might be a bit too harsh here.
  1048. */
  1049. if (!issecure(SECURE_NO_SETUID_FIXUP)) {
  1050. kuid_t root_uid = make_kuid(old->user_ns, 0);
  1051. if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
  1052. new->cap_effective =
  1053. cap_drop_fs_set(new->cap_effective);
  1054. if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
  1055. new->cap_effective =
  1056. cap_raise_fs_set(new->cap_effective,
  1057. new->cap_permitted);
  1058. }
  1059. break;
  1060. default:
  1061. return -EINVAL;
  1062. }
  1063. return 0;
  1064. }
  1065. /*
  1066. * Rationale: code calling task_setscheduler, task_setioprio, and
  1067. * task_setnice, assumes that
  1068. * . if capable(cap_sys_nice), then those actions should be allowed
  1069. * . if not capable(cap_sys_nice), but acting on your own processes,
  1070. * then those actions should be allowed
  1071. * This is insufficient now since you can call code without suid, but
  1072. * yet with increased caps.
  1073. * So we check for increased caps on the target process.
  1074. */
  1075. static int cap_safe_nice(struct task_struct *p)
  1076. {
  1077. int is_subset, ret = 0;
  1078. rcu_read_lock();
  1079. is_subset = cap_issubset(__task_cred(p)->cap_permitted,
  1080. current_cred()->cap_permitted);
  1081. if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
  1082. ret = -EPERM;
  1083. rcu_read_unlock();
  1084. return ret;
  1085. }
  1086. /**
  1087. * cap_task_setscheduler - Determine if scheduler policy change is permitted
  1088. * @p: The task to affect
  1089. *
  1090. * Determine if the requested scheduler policy change is permitted for the
  1091. * specified task.
  1092. *
  1093. * Return: 0 if permission is granted, -ve if denied.
  1094. */
  1095. int cap_task_setscheduler(struct task_struct *p)
  1096. {
  1097. return cap_safe_nice(p);
  1098. }
  1099. /**
  1100. * cap_task_setioprio - Determine if I/O priority change is permitted
  1101. * @p: The task to affect
  1102. * @ioprio: The I/O priority to set
  1103. *
  1104. * Determine if the requested I/O priority change is permitted for the specified
  1105. * task.
  1106. *
  1107. * Return: 0 if permission is granted, -ve if denied.
  1108. */
  1109. int cap_task_setioprio(struct task_struct *p, int ioprio)
  1110. {
  1111. return cap_safe_nice(p);
  1112. }
  1113. /**
  1114. * cap_task_setnice - Determine if task priority change is permitted
  1115. * @p: The task to affect
  1116. * @nice: The nice value to set
  1117. *
  1118. * Determine if the requested task priority change is permitted for the
  1119. * specified task.
  1120. *
  1121. * Return: 0 if permission is granted, -ve if denied.
  1122. */
  1123. int cap_task_setnice(struct task_struct *p, int nice)
  1124. {
  1125. return cap_safe_nice(p);
  1126. }
  1127. /*
  1128. * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
  1129. * the current task's bounding set. Returns 0 on success, -ve on error.
  1130. */
  1131. static int cap_prctl_drop(unsigned long cap)
  1132. {
  1133. struct cred *new;
  1134. if (!ns_capable(current_user_ns(), CAP_SETPCAP))
  1135. return -EPERM;
  1136. if (!cap_valid(cap))
  1137. return -EINVAL;
  1138. new = prepare_creds();
  1139. if (!new)
  1140. return -ENOMEM;
  1141. cap_lower(new->cap_bset, cap);
  1142. return commit_creds(new);
  1143. }
  1144. /**
  1145. * cap_task_prctl - Implement process control functions for this security module
  1146. * @option: The process control function requested
  1147. * @arg2: The argument data for this function
  1148. * @arg3: The argument data for this function
  1149. * @arg4: The argument data for this function
  1150. * @arg5: The argument data for this function
  1151. *
  1152. * Allow process control functions (sys_prctl()) to alter capabilities; may
  1153. * also deny access to other functions not otherwise implemented here.
  1154. *
  1155. * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
  1156. * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
  1157. * modules will consider performing the function.
  1158. */
  1159. int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  1160. unsigned long arg4, unsigned long arg5)
  1161. {
  1162. const struct cred *old = current_cred();
  1163. struct cred *new;
  1164. switch (option) {
  1165. case PR_CAPBSET_READ:
  1166. if (!cap_valid(arg2))
  1167. return -EINVAL;
  1168. return !!cap_raised(old->cap_bset, arg2);
  1169. case PR_CAPBSET_DROP:
  1170. return cap_prctl_drop(arg2);
  1171. /*
  1172. * The next four prctl's remain to assist with transitioning a
  1173. * system from legacy UID=0 based privilege (when filesystem
  1174. * capabilities are not in use) to a system using filesystem
  1175. * capabilities only - as the POSIX.1e draft intended.
  1176. *
  1177. * Note:
  1178. *
  1179. * PR_SET_SECUREBITS =
  1180. * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
  1181. * | issecure_mask(SECURE_NOROOT)
  1182. * | issecure_mask(SECURE_NOROOT_LOCKED)
  1183. * | issecure_mask(SECURE_NO_SETUID_FIXUP)
  1184. * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
  1185. *
  1186. * will ensure that the current process and all of its
  1187. * children will be locked into a pure
  1188. * capability-based-privilege environment.
  1189. */
  1190. case PR_SET_SECUREBITS:
  1191. if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
  1192. & (old->securebits ^ arg2)) /*[1]*/
  1193. || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
  1194. || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
  1195. /*
  1196. * [1] no changing of bits that are locked
  1197. * [2] no unlocking of locks
  1198. * [3] no setting of unsupported bits
  1199. */
  1200. )
  1201. /* cannot change a locked bit */
  1202. return -EPERM;
  1203. /*
  1204. * Doing anything requires privilege (go read about the
  1205. * "sendmail capabilities bug"), except for unprivileged bits.
  1206. * Indeed, the SECURE_ALL_UNPRIVILEGED bits are not
  1207. * restrictions enforced by the kernel but by user space on
  1208. * itself.
  1209. */
  1210. if (cap_capable(current_cred(), current_cred()->user_ns,
  1211. CAP_SETPCAP, CAP_OPT_NONE) != 0) {
  1212. const unsigned long unpriv_and_locks =
  1213. SECURE_ALL_UNPRIVILEGED |
  1214. SECURE_ALL_UNPRIVILEGED << 1;
  1215. const unsigned long changed = old->securebits ^ arg2;
  1216. /* For legacy reason, denies non-change. */
  1217. if (!changed)
  1218. return -EPERM;
  1219. /* Denies privileged changes. */
  1220. if (changed & ~unpriv_and_locks)
  1221. return -EPERM;
  1222. }
  1223. new = prepare_creds();
  1224. if (!new)
  1225. return -ENOMEM;
  1226. new->securebits = arg2;
  1227. return commit_creds(new);
  1228. case PR_GET_SECUREBITS:
  1229. return old->securebits;
  1230. case PR_GET_KEEPCAPS:
  1231. return !!issecure(SECURE_KEEP_CAPS);
  1232. case PR_SET_KEEPCAPS:
  1233. if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
  1234. return -EINVAL;
  1235. if (issecure(SECURE_KEEP_CAPS_LOCKED))
  1236. return -EPERM;
  1237. new = prepare_creds();
  1238. if (!new)
  1239. return -ENOMEM;
  1240. if (arg2)
  1241. new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
  1242. else
  1243. new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
  1244. return commit_creds(new);
  1245. case PR_CAP_AMBIENT:
  1246. if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
  1247. if (arg3 | arg4 | arg5)
  1248. return -EINVAL;
  1249. new = prepare_creds();
  1250. if (!new)
  1251. return -ENOMEM;
  1252. cap_clear(new->cap_ambient);
  1253. return commit_creds(new);
  1254. }
  1255. if (((!cap_valid(arg3)) | arg4 | arg5))
  1256. return -EINVAL;
  1257. if (arg2 == PR_CAP_AMBIENT_IS_SET) {
  1258. return !!cap_raised(current_cred()->cap_ambient, arg3);
  1259. } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
  1260. arg2 != PR_CAP_AMBIENT_LOWER) {
  1261. return -EINVAL;
  1262. } else {
  1263. if (arg2 == PR_CAP_AMBIENT_RAISE &&
  1264. (!cap_raised(current_cred()->cap_permitted, arg3) ||
  1265. !cap_raised(current_cred()->cap_inheritable,
  1266. arg3) ||
  1267. issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
  1268. return -EPERM;
  1269. new = prepare_creds();
  1270. if (!new)
  1271. return -ENOMEM;
  1272. if (arg2 == PR_CAP_AMBIENT_RAISE)
  1273. cap_raise(new->cap_ambient, arg3);
  1274. else
  1275. cap_lower(new->cap_ambient, arg3);
  1276. return commit_creds(new);
  1277. }
  1278. default:
  1279. /* No functionality available - continue with default */
  1280. return -ENOSYS;
  1281. }
  1282. }
  1283. /**
  1284. * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
  1285. * @mm: The VM space in which the new mapping is to be made
  1286. * @pages: The size of the mapping
  1287. *
  1288. * Determine whether the allocation of a new virtual mapping by the current
  1289. * task is permitted.
  1290. *
  1291. * Return: 0 if permission granted, negative error code if not.
  1292. */
  1293. int cap_vm_enough_memory(struct mm_struct *mm, long pages)
  1294. {
  1295. return cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
  1296. CAP_OPT_NOAUDIT);
  1297. }
  1298. /**
  1299. * cap_mmap_addr - check if able to map given addr
  1300. * @addr: address attempting to be mapped
  1301. *
  1302. * If the process is attempting to map memory below dac_mmap_min_addr they need
  1303. * CAP_SYS_RAWIO. The other parameters to this function are unused by the
  1304. * capability security module.
  1305. *
  1306. * Return: 0 if this mapping should be allowed or -EPERM if not.
  1307. */
  1308. int cap_mmap_addr(unsigned long addr)
  1309. {
  1310. int ret = 0;
  1311. if (addr < dac_mmap_min_addr) {
  1312. ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
  1313. CAP_OPT_NONE);
  1314. /* set PF_SUPERPRIV if it turns out we allow the low mmap */
  1315. if (ret == 0)
  1316. current->flags |= PF_SUPERPRIV;
  1317. }
  1318. return ret;
  1319. }
  1320. #ifdef CONFIG_SECURITY
  1321. static const struct lsm_id capability_lsmid = {
  1322. .name = "capability",
  1323. .id = LSM_ID_CAPABILITY,
  1324. };
  1325. static struct security_hook_list capability_hooks[] __ro_after_init = {
  1326. LSM_HOOK_INIT(capable, cap_capable),
  1327. LSM_HOOK_INIT(settime, cap_settime),
  1328. LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
  1329. LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
  1330. LSM_HOOK_INIT(capget, cap_capget),
  1331. LSM_HOOK_INIT(capset, cap_capset),
  1332. LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file),
  1333. LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
  1334. LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
  1335. LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
  1336. LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
  1337. LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
  1338. LSM_HOOK_INIT(task_prctl, cap_task_prctl),
  1339. LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
  1340. LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
  1341. LSM_HOOK_INIT(task_setnice, cap_task_setnice),
  1342. LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
  1343. };
  1344. static int __init capability_init(void)
  1345. {
  1346. security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
  1347. &capability_lsmid);
  1348. return 0;
  1349. }
  1350. DEFINE_LSM(capability) = {
  1351. .id = &capability_lsmid,
  1352. .order = LSM_ORDER_FIRST,
  1353. .init = capability_init,
  1354. };
  1355. #endif /* CONFIG_SECURITY */
  1356. #ifdef CONFIG_SECURITY_COMMONCAP_KUNIT_TEST
  1357. #include "commoncap_test.c"
  1358. #endif