1
2
3
4
5
6
7
8
9
10#include <linux/capability.h>
11#include <linux/audit.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/kernel.h>
15#include <linux/security.h>
16#include <linux/file.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/pagemap.h>
20#include <linux/swap.h>
21#include <linux/skbuff.h>
22#include <linux/netlink.h>
23#include <linux/ptrace.h>
24#include <linux/xattr.h>
25#include <linux/hugetlb.h>
26#include <linux/mount.h>
27#include <linux/sched.h>
28#include <linux/prctl.h>
29#include <linux/securebits.h>
30
31
32
33
34
35
36
37
38
39
40
41
42static void warn_setuid_and_fcaps_mixed(const char *fname)
43{
44 static int warned;
45 if (!warned) {
46 printk(KERN_INFO "warning: `%s' has both setuid-root and"
47 " effective capabilities. Therefore not raising all"
48 " capabilities.\n", fname);
49 warned = 1;
50 }
51}
52
53int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
54{
55 NETLINK_CB(skb).eff_cap = current_cap();
56 return 0;
57}
58
59int cap_netlink_recv(struct sk_buff *skb, int cap)
60{
61 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
62 return -EPERM;
63 return 0;
64}
65EXPORT_SYMBOL(cap_netlink_recv);
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
83 int audit)
84{
85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
86}
87
88
89
90
91
92
93
94
95
96int cap_settime(struct timespec *ts, struct timezone *tz)
97{
98 if (!capable(CAP_SYS_TIME))
99 return -EPERM;
100 return 0;
101}
102
103
104
105
106
107
108
109
110
111
112int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
113{
114 int ret = 0;
115
116 rcu_read_lock();
117 if (!cap_issubset(__task_cred(child)->cap_permitted,
118 current_cred()->cap_permitted) &&
119 !capable(CAP_SYS_PTRACE))
120 ret = -EPERM;
121 rcu_read_unlock();
122 return ret;
123}
124
125
126
127
128
129
130
131
132int cap_ptrace_traceme(struct task_struct *parent)
133{
134 int ret = 0;
135
136 rcu_read_lock();
137 if (!cap_issubset(current_cred()->cap_permitted,
138 __task_cred(parent)->cap_permitted) &&
139 !has_capability(parent, CAP_SYS_PTRACE))
140 ret = -EPERM;
141 rcu_read_unlock();
142 return ret;
143}
144
145
146
147
148
149
150
151
152
153
154
155int cap_capget(struct task_struct *target, kernel_cap_t *effective,
156 kernel_cap_t *inheritable, kernel_cap_t *permitted)
157{
158 const struct cred *cred;
159
160
161 rcu_read_lock();
162 cred = __task_cred(target);
163 *effective = cred->cap_effective;
164 *inheritable = cred->cap_inheritable;
165 *permitted = cred->cap_permitted;
166 rcu_read_unlock();
167 return 0;
168}
169
170
171
172
173
174static inline int cap_inh_is_capped(void)
175{
176
177
178
179
180 if (cap_capable(current, current_cred(), CAP_SETPCAP,
181 SECURITY_CAP_AUDIT) == 0)
182 return 0;
183 return 1;
184}
185
186
187
188
189
190
191
192
193
194
195
196
197
198int cap_capset(struct cred *new,
199 const struct cred *old,
200 const kernel_cap_t *effective,
201 const kernel_cap_t *inheritable,
202 const kernel_cap_t *permitted)
203{
204 if (cap_inh_is_capped() &&
205 !cap_issubset(*inheritable,
206 cap_combine(old->cap_inheritable,
207 old->cap_permitted)))
208
209 return -EPERM;
210
211 if (!cap_issubset(*inheritable,
212 cap_combine(old->cap_inheritable,
213 old->cap_bset)))
214
215 return -EPERM;
216
217
218 if (!cap_issubset(*permitted, old->cap_permitted))
219 return -EPERM;
220
221
222 if (!cap_issubset(*effective, *permitted))
223 return -EPERM;
224
225 new->cap_effective = *effective;
226 new->cap_inheritable = *inheritable;
227 new->cap_permitted = *permitted;
228 return 0;
229}
230
231
232
233
234static inline void bprm_clear_caps(struct linux_binprm *bprm)
235{
236 cap_clear(bprm->cred->cap_permitted);
237 bprm->cap_effective = false;
238}
239
240
241
242
243
244
245
246
247
248
249
250
251int cap_inode_need_killpriv(struct dentry *dentry)
252{
253 struct inode *inode = dentry->d_inode;
254 int error;
255
256 if (!inode->i_op->getxattr)
257 return 0;
258
259 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
260 if (error <= 0)
261 return 0;
262 return 1;
263}
264
265
266
267
268
269
270
271
272
273int cap_inode_killpriv(struct dentry *dentry)
274{
275 struct inode *inode = dentry->d_inode;
276
277 if (!inode->i_op->removexattr)
278 return 0;
279
280 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
281}
282
283
284
285
286
287static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
288 struct linux_binprm *bprm,
289 bool *effective)
290{
291 struct cred *new = bprm->cred;
292 unsigned i;
293 int ret = 0;
294
295 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
296 *effective = true;
297
298 CAP_FOR_EACH_U32(i) {
299 __u32 permitted = caps->permitted.cap[i];
300 __u32 inheritable = caps->inheritable.cap[i];
301
302
303
304
305 new->cap_permitted.cap[i] =
306 (new->cap_bset.cap[i] & permitted) |
307 (new->cap_inheritable.cap[i] & inheritable);
308
309 if (permitted & ~new->cap_permitted.cap[i])
310
311 ret = -EPERM;
312 }
313
314
315
316
317
318
319 return *effective ? ret : 0;
320}
321
322
323
324
325int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
326{
327 struct inode *inode = dentry->d_inode;
328 __u32 magic_etc;
329 unsigned tocopy, i;
330 int size;
331 struct vfs_cap_data caps;
332
333 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
334
335 if (!inode || !inode->i_op->getxattr)
336 return -ENODATA;
337
338 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
339 XATTR_CAPS_SZ);
340 if (size == -ENODATA || size == -EOPNOTSUPP)
341
342 return -ENODATA;
343 if (size < 0)
344 return size;
345
346 if (size < sizeof(magic_etc))
347 return -EINVAL;
348
349 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
350
351 switch (magic_etc & VFS_CAP_REVISION_MASK) {
352 case VFS_CAP_REVISION_1:
353 if (size != XATTR_CAPS_SZ_1)
354 return -EINVAL;
355 tocopy = VFS_CAP_U32_1;
356 break;
357 case VFS_CAP_REVISION_2:
358 if (size != XATTR_CAPS_SZ_2)
359 return -EINVAL;
360 tocopy = VFS_CAP_U32_2;
361 break;
362 default:
363 return -EINVAL;
364 }
365
366 CAP_FOR_EACH_U32(i) {
367 if (i >= tocopy)
368 break;
369 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
370 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
371 }
372
373 return 0;
374}
375
376
377
378
379
380
381static int get_file_caps(struct linux_binprm *bprm, bool *effective)
382{
383 struct dentry *dentry;
384 int rc = 0;
385 struct cpu_vfs_cap_data vcaps;
386
387 bprm_clear_caps(bprm);
388
389 if (!file_caps_enabled)
390 return 0;
391
392 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
393 return 0;
394
395 dentry = dget(bprm->file->f_dentry);
396
397 rc = get_vfs_caps_from_disk(dentry, &vcaps);
398 if (rc < 0) {
399 if (rc == -EINVAL)
400 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
401 __func__, rc, bprm->filename);
402 else if (rc == -ENODATA)
403 rc = 0;
404 goto out;
405 }
406
407 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
408 if (rc == -EINVAL)
409 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
410 __func__, rc, bprm->filename);
411
412out:
413 dput(dentry);
414 if (rc)
415 bprm_clear_caps(bprm);
416
417 return rc;
418}
419
420
421
422
423
424
425
426
427
428int cap_bprm_set_creds(struct linux_binprm *bprm)
429{
430 const struct cred *old = current_cred();
431 struct cred *new = bprm->cred;
432 bool effective;
433 int ret;
434
435 effective = false;
436 ret = get_file_caps(bprm, &effective);
437 if (ret < 0)
438 return ret;
439
440 if (!issecure(SECURE_NOROOT)) {
441
442
443
444
445
446 if (effective && new->uid != 0 && new->euid == 0) {
447 warn_setuid_and_fcaps_mixed(bprm->filename);
448 goto skip;
449 }
450
451
452
453
454
455
456
457 if (new->euid == 0 || new->uid == 0) {
458
459 new->cap_permitted = cap_combine(old->cap_bset,
460 old->cap_inheritable);
461 }
462 if (new->euid == 0)
463 effective = true;
464 }
465skip:
466
467
468
469
470 if ((new->euid != old->uid ||
471 new->egid != old->gid ||
472 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
473 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
474
475 if (!capable(CAP_SETUID)) {
476 new->euid = new->uid;
477 new->egid = new->gid;
478 }
479 new->cap_permitted = cap_intersect(new->cap_permitted,
480 old->cap_permitted);
481 }
482
483 new->suid = new->fsuid = new->euid;
484 new->sgid = new->fsgid = new->egid;
485
486
487
488
489 if (!is_global_init(current)) {
490 if (effective)
491 new->cap_effective = new->cap_permitted;
492 else
493 cap_clear(new->cap_effective);
494 }
495 bprm->cap_effective = effective;
496
497
498
499
500
501
502
503
504
505
506
507
508
509 if (!cap_isclear(new->cap_effective)) {
510 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
511 new->euid != 0 || new->uid != 0 ||
512 issecure(SECURE_NOROOT)) {
513 ret = audit_log_bprm_fcaps(bprm, new, old);
514 if (ret < 0)
515 return ret;
516 }
517 }
518
519 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
520 return 0;
521}
522
523
524
525
526
527
528
529
530
531
532
533int cap_bprm_secureexec(struct linux_binprm *bprm)
534{
535 const struct cred *cred = current_cred();
536
537 if (cred->uid != 0) {
538 if (bprm->cap_effective)
539 return 1;
540 if (!cap_isclear(cred->cap_permitted))
541 return 1;
542 }
543
544 return (cred->euid != cred->uid ||
545 cred->egid != cred->gid);
546}
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562int cap_inode_setxattr(struct dentry *dentry, const char *name,
563 const void *value, size_t size, int flags)
564{
565 if (!strcmp(name, XATTR_NAME_CAPS)) {
566 if (!capable(CAP_SETFCAP))
567 return -EPERM;
568 return 0;
569 }
570
571 if (!strncmp(name, XATTR_SECURITY_PREFIX,
572 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
573 !capable(CAP_SYS_ADMIN))
574 return -EPERM;
575 return 0;
576}
577
578
579
580
581
582
583
584
585
586
587
588
589int cap_inode_removexattr(struct dentry *dentry, const char *name)
590{
591 if (!strcmp(name, XATTR_NAME_CAPS)) {
592 if (!capable(CAP_SETFCAP))
593 return -EPERM;
594 return 0;
595 }
596
597 if (!strncmp(name, XATTR_SECURITY_PREFIX,
598 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
599 !capable(CAP_SYS_ADMIN))
600 return -EPERM;
601 return 0;
602}
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
634{
635 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
636 (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
637 !issecure(SECURE_KEEP_CAPS)) {
638 cap_clear(new->cap_permitted);
639 cap_clear(new->cap_effective);
640 }
641 if (old->euid == 0 && new->euid != 0)
642 cap_clear(new->cap_effective);
643 if (old->euid != 0 && new->euid == 0)
644 new->cap_effective = new->cap_permitted;
645}
646
647
648
649
650
651
652
653
654
655
656int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
657{
658 switch (flags) {
659 case LSM_SETID_RE:
660 case LSM_SETID_ID:
661 case LSM_SETID_RES:
662
663
664 if (!issecure(SECURE_NO_SETUID_FIXUP))
665 cap_emulate_setxuid(new, old);
666 break;
667
668 case LSM_SETID_FS:
669
670
671
672
673
674
675 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
676 if (old->fsuid == 0 && new->fsuid != 0)
677 new->cap_effective =
678 cap_drop_fs_set(new->cap_effective);
679
680 if (old->fsuid != 0 && new->fsuid == 0)
681 new->cap_effective =
682 cap_raise_fs_set(new->cap_effective,
683 new->cap_permitted);
684 }
685 break;
686
687 default:
688 return -EINVAL;
689 }
690
691 return 0;
692}
693
694
695
696
697
698
699
700
701
702
703
704static int cap_safe_nice(struct task_struct *p)
705{
706 int is_subset;
707
708 rcu_read_lock();
709 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
710 current_cred()->cap_permitted);
711 rcu_read_unlock();
712
713 if (!is_subset && !capable(CAP_SYS_NICE))
714 return -EPERM;
715 return 0;
716}
717
718
719
720
721
722
723
724
725int cap_task_setscheduler(struct task_struct *p)
726{
727 return cap_safe_nice(p);
728}
729
730
731
732
733
734
735
736
737
738int cap_task_setioprio(struct task_struct *p, int ioprio)
739{
740 return cap_safe_nice(p);
741}
742
743
744
745
746
747
748
749
750
751int cap_task_setnice(struct task_struct *p, int nice)
752{
753 return cap_safe_nice(p);
754}
755
756
757
758
759
760static long cap_prctl_drop(struct cred *new, unsigned long cap)
761{
762 if (!capable(CAP_SETPCAP))
763 return -EPERM;
764 if (!cap_valid(cap))
765 return -EINVAL;
766
767 cap_lower(new->cap_bset, cap);
768 return 0;
769}
770
771
772
773
774
775
776
777
778
779
780
781
782
783int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
784 unsigned long arg4, unsigned long arg5)
785{
786 struct cred *new;
787 long error = 0;
788
789 new = prepare_creds();
790 if (!new)
791 return -ENOMEM;
792
793 switch (option) {
794 case PR_CAPBSET_READ:
795 error = -EINVAL;
796 if (!cap_valid(arg2))
797 goto error;
798 error = !!cap_raised(new->cap_bset, arg2);
799 goto no_change;
800
801 case PR_CAPBSET_DROP:
802 error = cap_prctl_drop(new, arg2);
803 if (error < 0)
804 goto error;
805 goto changed;
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826 case PR_SET_SECUREBITS:
827 error = -EPERM;
828 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
829 & (new->securebits ^ arg2))
830 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))
831 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))
832 || (cap_capable(current, current_cred(), CAP_SETPCAP,
833 SECURITY_CAP_AUDIT) != 0)
834
835
836
837
838
839
840
841 )
842
843 goto error;
844 new->securebits = arg2;
845 goto changed;
846
847 case PR_GET_SECUREBITS:
848 error = new->securebits;
849 goto no_change;
850
851 case PR_GET_KEEPCAPS:
852 if (issecure(SECURE_KEEP_CAPS))
853 error = 1;
854 goto no_change;
855
856 case PR_SET_KEEPCAPS:
857 error = -EINVAL;
858 if (arg2 > 1)
859 goto error;
860 error = -EPERM;
861 if (issecure(SECURE_KEEP_CAPS_LOCKED))
862 goto error;
863 if (arg2)
864 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
865 else
866 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
867 goto changed;
868
869 default:
870
871 error = -ENOSYS;
872 goto error;
873 }
874
875
876changed:
877 return commit_creds(new);
878
879no_change:
880error:
881 abort_creds(new);
882 return error;
883}
884
885
886
887
888
889
890
891
892
893int cap_vm_enough_memory(struct mm_struct *mm, long pages)
894{
895 int cap_sys_admin = 0;
896
897 if (cap_capable(current, current_cred(), CAP_SYS_ADMIN,
898 SECURITY_CAP_NOAUDIT) == 0)
899 cap_sys_admin = 1;
900 return __vm_enough_memory(mm, pages, cap_sys_admin);
901}
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917int cap_file_mmap(struct file *file, unsigned long reqprot,
918 unsigned long prot, unsigned long flags,
919 unsigned long addr, unsigned long addr_only)
920{
921 int ret = 0;
922
923 if (addr < dac_mmap_min_addr) {
924 ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
925 SECURITY_CAP_AUDIT);
926
927 if (ret == 0)
928 current->flags |= PF_SUPERPRIV;
929 }
930 return ret;
931}
932