1
2
3
4
5
6
7
8
9
10#include <linux/capability.h>
11#include <linux/audit.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/kernel.h>
15#include <linux/security.h>
16#include <linux/file.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/pagemap.h>
20#include <linux/swap.h>
21#include <linux/skbuff.h>
22#include <linux/netlink.h>
23#include <linux/ptrace.h>
24#include <linux/xattr.h>
25#include <linux/hugetlb.h>
26#include <linux/mount.h>
27#include <linux/sched.h>
28#include <linux/prctl.h>
29#include <linux/securebits.h>
30
31
32
33
34
35
36
37
38
39
40
41
42static void warn_setuid_and_fcaps_mixed(char *fname)
43{
44 static int warned;
45 if (!warned) {
46 printk(KERN_INFO "warning: `%s' has both setuid-root and"
47 " effective capabilities. Therefore not raising all"
48 " capabilities.\n", fname);
49 warned = 1;
50 }
51}
52
53int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
54{
55 NETLINK_CB(skb).eff_cap = current_cap();
56 return 0;
57}
58
59int cap_netlink_recv(struct sk_buff *skb, int cap)
60{
61 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
62 return -EPERM;
63 return 0;
64}
65EXPORT_SYMBOL(cap_netlink_recv);
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
83 int audit)
84{
85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86}
87
88
89
90
91
92
93
94
95
96int cap_settime(struct timespec *ts, struct timezone *tz)
97{
98 if (!capable(CAP_SYS_TIME))
99 return -EPERM;
100 return 0;
101}
102
103
104
105
106
107
108
109
110
111
112int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
113{
114 int ret = 0;
115
116 rcu_read_lock();
117 if (!cap_issubset(__task_cred(child)->cap_permitted,
118 current_cred()->cap_permitted) &&
119 !capable(CAP_SYS_PTRACE))
120 ret = -EPERM;
121 rcu_read_unlock();
122 return ret;
123}
124
125
126
127
128
129
130
131
132int cap_ptrace_traceme(struct task_struct *parent)
133{
134 int ret = 0;
135
136 rcu_read_lock();
137 if (!cap_issubset(current_cred()->cap_permitted,
138 __task_cred(parent)->cap_permitted) &&
139 !has_capability(parent, CAP_SYS_PTRACE))
140 ret = -EPERM;
141 rcu_read_unlock();
142 return ret;
143}
144
145
146
147
148
149
150
151
152
153
154
155int cap_capget(struct task_struct *target, kernel_cap_t *effective,
156 kernel_cap_t *inheritable, kernel_cap_t *permitted)
157{
158 const struct cred *cred;
159
160
161 rcu_read_lock();
162 cred = __task_cred(target);
163 *effective = cred->cap_effective;
164 *inheritable = cred->cap_inheritable;
165 *permitted = cred->cap_permitted;
166 rcu_read_unlock();
167 return 0;
168}
169
170
171
172
173
174static inline int cap_inh_is_capped(void)
175{
176#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
177
178
179
180
181 if (cap_capable(current, current_cred(), CAP_SETPCAP,
182 SECURITY_CAP_AUDIT) == 0)
183 return 0;
184#endif
185 return 1;
186}
187
188
189
190
191
192
193
194
195
196
197
198
199
200int cap_capset(struct cred *new,
201 const struct cred *old,
202 const kernel_cap_t *effective,
203 const kernel_cap_t *inheritable,
204 const kernel_cap_t *permitted)
205{
206 if (cap_inh_is_capped() &&
207 !cap_issubset(*inheritable,
208 cap_combine(old->cap_inheritable,
209 old->cap_permitted)))
210
211 return -EPERM;
212
213 if (!cap_issubset(*inheritable,
214 cap_combine(old->cap_inheritable,
215 old->cap_bset)))
216
217 return -EPERM;
218
219
220 if (!cap_issubset(*permitted, old->cap_permitted))
221 return -EPERM;
222
223
224 if (!cap_issubset(*effective, *permitted))
225 return -EPERM;
226
227 new->cap_effective = *effective;
228 new->cap_inheritable = *inheritable;
229 new->cap_permitted = *permitted;
230 return 0;
231}
232
233
234
235
236static inline void bprm_clear_caps(struct linux_binprm *bprm)
237{
238 cap_clear(bprm->cred->cap_permitted);
239 bprm->cap_effective = false;
240}
241
242#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
243
244
245
246
247
248
249
250
251
252
253
254
255int cap_inode_need_killpriv(struct dentry *dentry)
256{
257 struct inode *inode = dentry->d_inode;
258 int error;
259
260 if (!inode->i_op->getxattr)
261 return 0;
262
263 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
264 if (error <= 0)
265 return 0;
266 return 1;
267}
268
269
270
271
272
273
274
275
276
277int cap_inode_killpriv(struct dentry *dentry)
278{
279 struct inode *inode = dentry->d_inode;
280
281 if (!inode->i_op->removexattr)
282 return 0;
283
284 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
285}
286
287
288
289
290
291static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
292 struct linux_binprm *bprm,
293 bool *effective)
294{
295 struct cred *new = bprm->cred;
296 unsigned i;
297 int ret = 0;
298
299 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
300 *effective = true;
301
302 CAP_FOR_EACH_U32(i) {
303 __u32 permitted = caps->permitted.cap[i];
304 __u32 inheritable = caps->inheritable.cap[i];
305
306
307
308
309 new->cap_permitted.cap[i] =
310 (new->cap_bset.cap[i] & permitted) |
311 (new->cap_inheritable.cap[i] & inheritable);
312
313 if (permitted & ~new->cap_permitted.cap[i])
314
315 ret = -EPERM;
316 }
317
318
319
320
321
322
323 return *effective ? ret : 0;
324}
325
326
327
328
329int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
330{
331 struct inode *inode = dentry->d_inode;
332 __u32 magic_etc;
333 unsigned tocopy, i;
334 int size;
335 struct vfs_cap_data caps;
336
337 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
338
339 if (!inode || !inode->i_op->getxattr)
340 return -ENODATA;
341
342 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
343 XATTR_CAPS_SZ);
344 if (size == -ENODATA || size == -EOPNOTSUPP)
345
346 return -ENODATA;
347 if (size < 0)
348 return size;
349
350 if (size < sizeof(magic_etc))
351 return -EINVAL;
352
353 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
354
355 switch (magic_etc & VFS_CAP_REVISION_MASK) {
356 case VFS_CAP_REVISION_1:
357 if (size != XATTR_CAPS_SZ_1)
358 return -EINVAL;
359 tocopy = VFS_CAP_U32_1;
360 break;
361 case VFS_CAP_REVISION_2:
362 if (size != XATTR_CAPS_SZ_2)
363 return -EINVAL;
364 tocopy = VFS_CAP_U32_2;
365 break;
366 default:
367 return -EINVAL;
368 }
369
370 CAP_FOR_EACH_U32(i) {
371 if (i >= tocopy)
372 break;
373 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
374 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
375 }
376
377 return 0;
378}
379
380
381
382
383
384
385static int get_file_caps(struct linux_binprm *bprm, bool *effective)
386{
387 struct dentry *dentry;
388 int rc = 0;
389 struct cpu_vfs_cap_data vcaps;
390
391 bprm_clear_caps(bprm);
392
393 if (!file_caps_enabled)
394 return 0;
395
396 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
397 return 0;
398
399 dentry = dget(bprm->file->f_dentry);
400
401 rc = get_vfs_caps_from_disk(dentry, &vcaps);
402 if (rc < 0) {
403 if (rc == -EINVAL)
404 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
405 __func__, rc, bprm->filename);
406 else if (rc == -ENODATA)
407 rc = 0;
408 goto out;
409 }
410
411 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
412 if (rc == -EINVAL)
413 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
414 __func__, rc, bprm->filename);
415
416out:
417 dput(dentry);
418 if (rc)
419 bprm_clear_caps(bprm);
420
421 return rc;
422}
423
424#else
425int cap_inode_need_killpriv(struct dentry *dentry)
426{
427 return 0;
428}
429
430int cap_inode_killpriv(struct dentry *dentry)
431{
432 return 0;
433}
434
435int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
436{
437 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
438 return -ENODATA;
439}
440
441static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
442{
443 bprm_clear_caps(bprm);
444 return 0;
445}
446#endif
447
448
449
450
451
452
453
454
455
456
457
458static inline int cap_limit_ptraced_target(void)
459{
460#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
461 if (capable(CAP_SETPCAP))
462 return 0;
463#endif
464 return 1;
465}
466
467
468
469
470
471
472
473
474
475int cap_bprm_set_creds(struct linux_binprm *bprm)
476{
477 const struct cred *old = current_cred();
478 struct cred *new = bprm->cred;
479 bool effective;
480 int ret;
481
482 effective = false;
483 ret = get_file_caps(bprm, &effective);
484 if (ret < 0)
485 return ret;
486
487 if (!issecure(SECURE_NOROOT)) {
488
489
490
491
492
493 if (effective && new->uid != 0 && new->euid == 0) {
494 warn_setuid_and_fcaps_mixed(bprm->filename);
495 goto skip;
496 }
497
498
499
500
501
502
503
504 if (new->euid == 0 || new->uid == 0) {
505
506 new->cap_permitted = cap_combine(old->cap_bset,
507 old->cap_inheritable);
508 }
509 if (new->euid == 0)
510 effective = true;
511 }
512skip:
513
514
515
516
517 if ((new->euid != old->uid ||
518 new->egid != old->gid ||
519 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
520 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
521
522 if (!capable(CAP_SETUID)) {
523 new->euid = new->uid;
524 new->egid = new->gid;
525 }
526 if (cap_limit_ptraced_target())
527 new->cap_permitted = cap_intersect(new->cap_permitted,
528 old->cap_permitted);
529 }
530
531 new->suid = new->fsuid = new->euid;
532 new->sgid = new->fsgid = new->egid;
533
534
535
536
537 if (!is_global_init(current)) {
538 if (effective)
539 new->cap_effective = new->cap_permitted;
540 else
541 cap_clear(new->cap_effective);
542 }
543 bprm->cap_effective = effective;
544
545
546
547
548
549
550
551
552
553
554
555
556
557 if (!cap_isclear(new->cap_effective)) {
558 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
559 new->euid != 0 || new->uid != 0 ||
560 issecure(SECURE_NOROOT)) {
561 ret = audit_log_bprm_fcaps(bprm, new, old);
562 if (ret < 0)
563 return ret;
564 }
565 }
566
567 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
568 return 0;
569}
570
571
572
573
574
575
576
577
578
579
580
581int cap_bprm_secureexec(struct linux_binprm *bprm)
582{
583 const struct cred *cred = current_cred();
584
585 if (cred->uid != 0) {
586 if (bprm->cap_effective)
587 return 1;
588 if (!cap_isclear(cred->cap_permitted))
589 return 1;
590 }
591
592 return (cred->euid != cred->uid ||
593 cred->egid != cred->gid);
594}
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610int cap_inode_setxattr(struct dentry *dentry, const char *name,
611 const void *value, size_t size, int flags)
612{
613 if (!strcmp(name, XATTR_NAME_CAPS)) {
614 if (!capable(CAP_SETFCAP))
615 return -EPERM;
616 return 0;
617 }
618
619 if (!strncmp(name, XATTR_SECURITY_PREFIX,
620 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
621 !capable(CAP_SYS_ADMIN))
622 return -EPERM;
623 return 0;
624}
625
626
627
628
629
630
631
632
633
634
635
636
637int cap_inode_removexattr(struct dentry *dentry, const char *name)
638{
639 if (!strcmp(name, XATTR_NAME_CAPS)) {
640 if (!capable(CAP_SETFCAP))
641 return -EPERM;
642 return 0;
643 }
644
645 if (!strncmp(name, XATTR_SECURITY_PREFIX,
646 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
647 !capable(CAP_SYS_ADMIN))
648 return -EPERM;
649 return 0;
650}
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
682{
683 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
684 (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
685 !issecure(SECURE_KEEP_CAPS)) {
686 cap_clear(new->cap_permitted);
687 cap_clear(new->cap_effective);
688 }
689 if (old->euid == 0 && new->euid != 0)
690 cap_clear(new->cap_effective);
691 if (old->euid != 0 && new->euid == 0)
692 new->cap_effective = new->cap_permitted;
693}
694
695
696
697
698
699
700
701
702
703
704int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
705{
706 switch (flags) {
707 case LSM_SETID_RE:
708 case LSM_SETID_ID:
709 case LSM_SETID_RES:
710
711
712 if (!issecure(SECURE_NO_SETUID_FIXUP))
713 cap_emulate_setxuid(new, old);
714 break;
715
716 case LSM_SETID_FS:
717
718
719
720
721
722
723 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
724 if (old->fsuid == 0 && new->fsuid != 0)
725 new->cap_effective =
726 cap_drop_fs_set(new->cap_effective);
727
728 if (old->fsuid != 0 && new->fsuid == 0)
729 new->cap_effective =
730 cap_raise_fs_set(new->cap_effective,
731 new->cap_permitted);
732 }
733 break;
734
735 default:
736 return -EINVAL;
737 }
738
739 return 0;
740}
741
742#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
743
744
745
746
747
748
749
750
751
752
753static int cap_safe_nice(struct task_struct *p)
754{
755 int is_subset;
756
757 rcu_read_lock();
758 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
759 current_cred()->cap_permitted);
760 rcu_read_unlock();
761
762 if (!is_subset && !capable(CAP_SYS_NICE))
763 return -EPERM;
764 return 0;
765}
766
767
768
769
770
771
772
773
774
775
776int cap_task_setscheduler(struct task_struct *p, int policy,
777 struct sched_param *lp)
778{
779 return cap_safe_nice(p);
780}
781
782
783
784
785
786
787
788
789
790int cap_task_setioprio(struct task_struct *p, int ioprio)
791{
792 return cap_safe_nice(p);
793}
794
795
796
797
798
799
800
801
802
803int cap_task_setnice(struct task_struct *p, int nice)
804{
805 return cap_safe_nice(p);
806}
807
808
809
810
811
812static long cap_prctl_drop(struct cred *new, unsigned long cap)
813{
814 if (!capable(CAP_SETPCAP))
815 return -EPERM;
816 if (!cap_valid(cap))
817 return -EINVAL;
818
819 cap_lower(new->cap_bset, cap);
820 return 0;
821}
822
823#else
824int cap_task_setscheduler (struct task_struct *p, int policy,
825 struct sched_param *lp)
826{
827 return 0;
828}
829int cap_task_setioprio (struct task_struct *p, int ioprio)
830{
831 return 0;
832}
833int cap_task_setnice (struct task_struct *p, int nice)
834{
835 return 0;
836}
837#endif
838
839
840
841
842
843
844
845
846
847
848
849
850
851int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
852 unsigned long arg4, unsigned long arg5)
853{
854 struct cred *new;
855 long error = 0;
856
857 new = prepare_creds();
858 if (!new)
859 return -ENOMEM;
860
861 switch (option) {
862 case PR_CAPBSET_READ:
863 error = -EINVAL;
864 if (!cap_valid(arg2))
865 goto error;
866 error = !!cap_raised(new->cap_bset, arg2);
867 goto no_change;
868
869#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
870 case PR_CAPBSET_DROP:
871 error = cap_prctl_drop(new, arg2);
872 if (error < 0)
873 goto error;
874 goto changed;
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895 case PR_SET_SECUREBITS:
896 error = -EPERM;
897 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
898 & (new->securebits ^ arg2))
899 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))
900 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))
901 || (cap_capable(current, current_cred(), CAP_SETPCAP,
902 SECURITY_CAP_AUDIT) != 0)
903
904
905
906
907
908
909
910 )
911
912 goto error;
913 new->securebits = arg2;
914 goto changed;
915
916 case PR_GET_SECUREBITS:
917 error = new->securebits;
918 goto no_change;
919
920#endif
921
922 case PR_GET_KEEPCAPS:
923 if (issecure(SECURE_KEEP_CAPS))
924 error = 1;
925 goto no_change;
926
927 case PR_SET_KEEPCAPS:
928 error = -EINVAL;
929 if (arg2 > 1)
930 goto error;
931 error = -EPERM;
932 if (issecure(SECURE_KEEP_CAPS_LOCKED))
933 goto error;
934 if (arg2)
935 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
936 else
937 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
938 goto changed;
939
940 default:
941
942 error = -ENOSYS;
943 goto error;
944 }
945
946
947changed:
948 return commit_creds(new);
949
950no_change:
951error:
952 abort_creds(new);
953 return error;
954}
955
956
957
958
959
960
961
962
963int cap_syslog(int type)
964{
965 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
966 return -EPERM;
967 return 0;
968}
969
970
971
972
973
974
975
976
977
978int cap_vm_enough_memory(struct mm_struct *mm, long pages)
979{
980 int cap_sys_admin = 0;
981
982 if (cap_capable(current, current_cred(), CAP_SYS_ADMIN,
983 SECURITY_CAP_NOAUDIT) == 0)
984 cap_sys_admin = 1;
985 return __vm_enough_memory(mm, pages, cap_sys_admin);
986}
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002int cap_file_mmap(struct file *file, unsigned long reqprot,
1003 unsigned long prot, unsigned long flags,
1004 unsigned long addr, unsigned long addr_only)
1005{
1006 int ret = 0;
1007
1008 if (addr < dac_mmap_min_addr) {
1009 ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
1010 SECURITY_CAP_AUDIT);
1011
1012 if (ret == 0)
1013 current->flags |= PF_SUPERPRIV;
1014 }
1015 return ret;
1016}
1017