Branch data Line data Source code
1 : : /*
2 : : * linux/kernel/capability.c
3 : : *
4 : : * Copyright (C) 1997 Andrew Main <zefram@fysh.org>
5 : : *
6 : : * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
7 : : * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
8 : : */
9 : :
10 : : #include <linux/audit.h>
11 : : #include <linux/capability.h>
12 : : #include <linux/mm.h>
13 : : #include <linux/export.h>
14 : : #include <linux/security.h>
15 : : #include <linux/syscalls.h>
16 : : #include <linux/pid_namespace.h>
17 : : #include <linux/user_namespace.h>
18 : : #include <asm/uaccess.h>
19 : :
20 : : /*
21 : : * Leveraged for setting/resetting capabilities
22 : : */
23 : :
24 : : const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
25 : :
26 : : EXPORT_SYMBOL(__cap_empty_set);
27 : :
28 : : int file_caps_enabled = 1;
29 : :
30 : 0 : static int __init file_caps_disable(char *str)
31 : : {
32 : 0 : file_caps_enabled = 0;
33 : 0 : return 1;
34 : : }
35 : : __setup("no_file_caps", file_caps_disable);
36 : :
37 : : /*
38 : : * More recent versions of libcap are available from:
39 : : *
40 : : * http://www.kernel.org/pub/linux/libs/security/linux-privs/
41 : : */
42 : :
43 : 0 : static void warn_legacy_capability_use(void)
44 : : {
45 : : static int warned;
46 [ + + ]: 9 : if (!warned) {
47 : : char name[sizeof(current->comm)];
48 : :
49 : 1 : printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
50 : : " (legacy support in use)\n",
51 : : get_task_comm(name, current));
52 : 1 : warned = 1;
53 : : }
54 : 0 : }
55 : :
56 : : /*
57 : : * Version 2 capabilities worked fine, but the linux/capability.h file
58 : : * that accompanied their introduction encouraged their use without
59 : : * the necessary user-space source code changes. As such, we have
60 : : * created a version 3 with equivalent functionality to version 2, but
61 : : * with a header change to protect legacy source code from using
62 : : * version 2 when it wanted to use version 1. If your system has code
63 : : * that trips the following warning, it is using version 2 specific
64 : : * capabilities and may be doing so insecurely.
65 : : *
66 : : * The remedy is to either upgrade your version of libcap (to 2.10+,
67 : : * if the application is linked against it), or recompile your
68 : : * application with modern kernel headers and this warning will go
69 : : * away.
70 : : */
71 : :
72 : 0 : static void warn_deprecated_v2(void)
73 : : {
74 : : static int warned;
75 : :
76 [ # # ]: 0 : if (!warned) {
77 : : char name[sizeof(current->comm)];
78 : :
79 : 0 : printk(KERN_INFO "warning: `%s' uses deprecated v2"
80 : : " capabilities in a way that may be insecure.\n",
81 : : get_task_comm(name, current));
82 : 0 : warned = 1;
83 : : }
84 : 0 : }
85 : :
86 : : /*
87 : : * Version check. Return the number of u32s in each capability flag
88 : : * array, or a negative value on error.
89 : : */
90 : 0 : static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
91 : : {
92 : : __u32 version;
93 : :
94 [ + + ]: 13 : if (get_user(version, &header->version))
95 : : return -EFAULT;
96 : :
97 [ + - - + ]: 11 : switch (version) {
98 : : case _LINUX_CAPABILITY_VERSION_1:
99 : 9 : warn_legacy_capability_use();
100 : 9 : *tocopy = _LINUX_CAPABILITY_U32S_1;
101 : 9 : break;
102 : : case _LINUX_CAPABILITY_VERSION_2:
103 : 0 : warn_deprecated_v2();
104 : : /*
105 : : * fall through - v3 is otherwise equivalent to v2.
106 : : */
107 : : case _LINUX_CAPABILITY_VERSION_3:
108 : 0 : *tocopy = _LINUX_CAPABILITY_U32S_3;
109 : 0 : break;
110 : : default:
111 [ + - ]: 2 : if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
112 : : return -EFAULT;
113 : 2 : return -EINVAL;
114 : : }
115 : :
116 : : return 0;
117 : : }
118 : :
119 : : /*
120 : : * The only thing that can change the capabilities of the current
121 : : * process is the current process. As such, we can't be in this code
122 : : * at the same time as we are in the process of setting capabilities
123 : : * in this process. The net result is that we can limit our use of
124 : : * locks to when we are reading the caps of another process.
125 : : */
126 : : static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
127 : : kernel_cap_t *pIp, kernel_cap_t *pPp)
128 : : {
129 : : int ret;
130 : :
131 [ + + + + ]: 7 : if (pid && (pid != task_pid_vnr(current))) {
132 : : struct task_struct *target;
133 : :
134 : : rcu_read_lock();
135 : :
136 : 1 : target = find_task_by_vpid(pid);
137 [ - + ]: 1 : if (!target)
138 : : ret = -ESRCH;
139 : : else
140 : 0 : ret = security_capget(target, pEp, pIp, pPp);
141 : :
142 : : rcu_read_unlock();
143 : : } else
144 : 4 : ret = security_capget(current, pEp, pIp, pPp);
145 : :
146 : : return ret;
147 : : }
148 : :
149 : : /**
150 : : * sys_capget - get the capabilities of a given process.
151 : : * @header: pointer to struct that contains capability version and
152 : : * target pid data
153 : : * @dataptr: pointer to struct that contains the effective, permitted,
154 : : * and inheritable capabilities that are returned
155 : : *
156 : : * Returns 0 on success and < 0 on error.
157 : : */
158 : 0 : SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
159 : : {
160 : : int ret = 0;
161 : : pid_t pid;
162 : : unsigned tocopy;
163 : : kernel_cap_t pE, pI, pP;
164 : :
165 : 8 : ret = cap_validate_magic(header, &tocopy);
166 [ + + ]: 8 : if ((dataptr == NULL) || (ret != 0))
167 [ + - ]: 2 : return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
168 : :
169 [ + - ]: 6 : if (get_user(pid, &header->pid))
170 : : return -EFAULT;
171 : :
172 [ + + ]: 6 : if (pid < 0)
173 : : return -EINVAL;
174 : :
175 : : ret = cap_get_target_pid(pid, &pE, &pI, &pP);
176 [ + + ]: 13 : if (!ret) {
177 : : struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
178 : : unsigned i;
179 : :
180 [ + + ]: 8 : for (i = 0; i < tocopy; i++) {
181 : 4 : kdata[i].effective = pE.cap[i];
182 : 4 : kdata[i].permitted = pP.cap[i];
183 : 4 : kdata[i].inheritable = pI.cap[i];
184 : : }
185 : :
186 : : /*
187 : : * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
188 : : * we silently drop the upper capabilities here. This
189 : : * has the effect of making older libcap
190 : : * implementations implicitly drop upper capability
191 : : * bits when they perform a: capget/modify/capset
192 : : * sequence.
193 : : *
194 : : * This behavior is considered fail-safe
195 : : * behavior. Upgrading the application to a newer
196 : : * version of libcap will enable access to the newer
197 : : * capabilities.
198 : : *
199 : : * An alternative would be to return an error here
200 : : * (-ERANGE), but that causes legacy applications to
201 : : * unexpectidly fail; the capget/modify/capset aborts
202 : : * before modification is attempted and the application
203 : : * fails.
204 : : */
205 [ + + ]: 4 : if (copy_to_user(dataptr, kdata, tocopy
206 : 4 : * sizeof(struct __user_cap_data_struct))) {
207 : 4 : return -EFAULT;
208 : : }
209 : : }
210 : :
211 : : return ret;
212 : : }
213 : :
214 : : /**
215 : : * sys_capset - set capabilities for a process or (*) a group of processes
216 : : * @header: pointer to struct that contains capability version and
217 : : * target pid data
218 : : * @data: pointer to struct that contains the effective, permitted,
219 : : * and inheritable capabilities
220 : : *
221 : : * Set capabilities for the current process only. The ability to any other
222 : : * process(es) has been deprecated and removed.
223 : : *
224 : : * The restrictions on setting capabilities are specified as:
225 : : *
226 : : * I: any raised capabilities must be a subset of the old permitted
227 : : * P: any raised capabilities must be a subset of the old permitted
228 : : * E: must be set to a subset of new permitted
229 : : *
230 : : * Returns 0 on success and < 0 on error.
231 : : */
232 : 0 : SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
233 : : {
234 : : struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
235 : : unsigned i, tocopy, copybytes;
236 : : kernel_cap_t inheritable, permitted, effective;
237 : : struct cred *new;
238 : : int ret;
239 : : pid_t pid;
240 : :
241 : 5 : ret = cap_validate_magic(header, &tocopy);
242 [ + + ]: 5 : if (ret != 0)
243 : : return ret;
244 : :
245 [ + - ]: 3 : if (get_user(pid, &header->pid))
246 : : return -EFAULT;
247 : :
248 : : /* may only affect current now */
249 [ + + - + ]: 4 : if (pid != 0 && pid != task_pid_vnr(current))
250 : : return -EPERM;
251 : :
252 : 2 : copybytes = tocopy * sizeof(struct __user_cap_data_struct);
253 [ + - ]: 2 : if (copybytes > sizeof(kdata))
254 : : return -EFAULT;
255 : :
256 [ + + ]: 7 : if (copy_from_user(&kdata, data, copybytes))
257 : : return -EFAULT;
258 : :
259 [ + + ]: 2 : for (i = 0; i < tocopy; i++) {
260 : 1 : effective.cap[i] = kdata[i].effective;
261 : 1 : permitted.cap[i] = kdata[i].permitted;
262 : 1 : inheritable.cap[i] = kdata[i].inheritable;
263 : : }
264 [ + + ]: 2 : while (i < _KERNEL_CAPABILITY_U32S) {
265 : 1 : effective.cap[i] = 0;
266 : 1 : permitted.cap[i] = 0;
267 : 1 : inheritable.cap[i] = 0;
268 : 1 : i++;
269 : : }
270 : :
271 : 1 : new = prepare_creds();
272 [ + - ]: 1 : if (!new)
273 : : return -ENOMEM;
274 : :
275 : 1 : ret = security_capset(new, current_cred(),
276 : : &effective, &inheritable, &permitted);
277 [ + - ]: 1 : if (ret < 0)
278 : : goto error;
279 : :
280 : 1 : audit_log_capset(pid, new, current_cred());
281 : :
282 : 1 : return commit_creds(new);
283 : :
284 : : error:
285 : 0 : abort_creds(new);
286 : : return ret;
287 : : }
288 : :
289 : : /**
290 : : * has_ns_capability - Does a task have a capability in a specific user ns
291 : : * @t: The task in question
292 : : * @ns: target user namespace
293 : : * @cap: The capability to be tested for
294 : : *
295 : : * Return true if the specified task has the given superior capability
296 : : * currently in effect to the specified user namespace, false if not.
297 : : *
298 : : * Note that this does not set PF_SUPERPRIV on the task.
299 : : */
300 : 0 : bool has_ns_capability(struct task_struct *t,
301 : : struct user_namespace *ns, int cap)
302 : : {
303 : : int ret;
304 : :
305 : : rcu_read_lock();
306 : 473 : ret = security_capable(__task_cred(t), ns, cap);
307 : : rcu_read_unlock();
308 : :
309 : 473 : return (ret == 0);
310 : : }
311 : :
312 : : /**
313 : : * has_capability - Does a task have a capability in init_user_ns
314 : : * @t: The task in question
315 : : * @cap: The capability to be tested for
316 : : *
317 : : * Return true if the specified task has the given superior capability
318 : : * currently in effect to the initial user namespace, false if not.
319 : : *
320 : : * Note that this does not set PF_SUPERPRIV on the task.
321 : : */
322 : 0 : bool has_capability(struct task_struct *t, int cap)
323 : : {
324 : 0 : return has_ns_capability(t, &init_user_ns, cap);
325 : : }
326 : :
327 : : /**
328 : : * has_ns_capability_noaudit - Does a task have a capability (unaudited)
329 : : * in a specific user ns.
330 : : * @t: The task in question
331 : : * @ns: target user namespace
332 : : * @cap: The capability to be tested for
333 : : *
334 : : * Return true if the specified task has the given superior capability
335 : : * currently in effect to the specified user namespace, false if not.
336 : : * Do not write an audit message for the check.
337 : : *
338 : : * Note that this does not set PF_SUPERPRIV on the task.
339 : : */
340 : 0 : bool has_ns_capability_noaudit(struct task_struct *t,
341 : : struct user_namespace *ns, int cap)
342 : : {
343 : : int ret;
344 : :
345 : : rcu_read_lock();
346 : 61508 : ret = security_capable_noaudit(__task_cred(t), ns, cap);
347 : : rcu_read_unlock();
348 : :
349 : 61508 : return (ret == 0);
350 : : }
351 : :
352 : : /**
353 : : * has_capability_noaudit - Does a task have a capability (unaudited) in the
354 : : * initial user ns
355 : : * @t: The task in question
356 : : * @cap: The capability to be tested for
357 : : *
358 : : * Return true if the specified task has the given superior capability
359 : : * currently in effect to init_user_ns, false if not. Don't write an
360 : : * audit message for the check.
361 : : *
362 : : * Note that this does not set PF_SUPERPRIV on the task.
363 : : */
364 : 0 : bool has_capability_noaudit(struct task_struct *t, int cap)
365 : : {
366 : 44426 : return has_ns_capability_noaudit(t, &init_user_ns, cap);
367 : : }
368 : :
369 : : /**
370 : : * ns_capable - Determine if the current task has a superior capability in effect
371 : : * @ns: The usernamespace we want the capability in
372 : : * @cap: The capability to be tested for
373 : : *
374 : : * Return true if the current task has the given superior capability currently
375 : : * available for use, false if not.
376 : : *
377 : : * This sets PF_SUPERPRIV on the task if the capability is available on the
378 : : * assumption that it's about to be used.
379 : : */
380 : 0 : bool ns_capable(struct user_namespace *ns, int cap)
381 : : {
382 [ - + ]: 303776 : if (unlikely(!cap_valid(cap))) {
383 : 0 : printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
384 : 0 : BUG();
385 : : }
386 : :
387 [ + + ]: 303776 : if (security_capable(current_cred(), ns, cap) == 0) {
388 : 301024 : current->flags |= PF_SUPERPRIV;
389 : 301024 : return true;
390 : : }
391 : : return false;
392 : : }
393 : : EXPORT_SYMBOL(ns_capable);
394 : :
395 : : /**
396 : : * file_ns_capable - Determine if the file's opener had a capability in effect
397 : : * @file: The file we want to check
398 : : * @ns: The usernamespace we want the capability in
399 : : * @cap: The capability to be tested for
400 : : *
401 : : * Return true if task that opened the file had a capability in effect
402 : : * when the file was opened.
403 : : *
404 : : * This does not set PF_SUPERPRIV because the caller may not
405 : : * actually be privileged.
406 : : */
407 : 0 : bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap)
408 : : {
409 [ # # ][ # # ]: 0 : if (WARN_ON_ONCE(!cap_valid(cap)))
[ # # ][ # # ]
410 : : return false;
411 : :
412 [ # # ]: 0 : if (security_capable(file->f_cred, ns, cap) == 0)
413 : : return true;
414 : :
415 : 0 : return false;
416 : : }
417 : : EXPORT_SYMBOL(file_ns_capable);
418 : :
419 : : /**
420 : : * capable - Determine if the current task has a superior capability in effect
421 : : * @cap: The capability to be tested for
422 : : *
423 : : * Return true if the current task has the given superior capability currently
424 : : * available for use, false if not.
425 : : *
426 : : * This sets PF_SUPERPRIV on the task if the capability is available on the
427 : : * assumption that it's about to be used.
428 : : */
429 : 0 : bool capable(int cap)
430 : : {
431 : 5858 : return ns_capable(&init_user_ns, cap);
432 : : }
433 : : EXPORT_SYMBOL(capable);
434 : :
435 : : /**
436 : : * inode_capable - Check superior capability over inode
437 : : * @inode: The inode in question
438 : : * @cap: The capability in question
439 : : *
440 : : * Return true if the current task has the given superior capability
441 : : * targeted at it's own user namespace and that the given inode is owned
442 : : * by the current user namespace or a child namespace.
443 : : *
444 : : * Currently we check to see if an inode is owned by the current
445 : : * user namespace by seeing if the inode's owner maps into the
446 : : * current user namespace.
447 : : *
448 : : */
449 : 0 : bool inode_capable(const struct inode *inode, int cap)
450 : : {
451 : : struct user_namespace *ns = current_user_ns();
452 : :
453 [ + + ]: 255757 : return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
454 : : }
455 : : EXPORT_SYMBOL(inode_capable);
|
