Branch data Line data Source code
1 : : /* Common capabilities, needed by capability.o.
2 : : *
3 : : * This program is free software; you can redistribute it and/or modify
4 : : * it under the terms of the GNU General Public License as published by
5 : : * the Free Software Foundation; either version 2 of the License, or
6 : : * (at your option) any later version.
7 : : *
8 : : */
9 : :
10 : : #include <linux/capability.h>
11 : : #include <linux/audit.h>
12 : : #include <linux/module.h>
13 : : #include <linux/init.h>
14 : : #include <linux/kernel.h>
15 : : #include <linux/security.h>
16 : : #include <linux/file.h>
17 : : #include <linux/mm.h>
18 : : #include <linux/mman.h>
19 : : #include <linux/pagemap.h>
20 : : #include <linux/swap.h>
21 : : #include <linux/skbuff.h>
22 : : #include <linux/netlink.h>
23 : : #include <linux/ptrace.h>
24 : : #include <linux/xattr.h>
25 : : #include <linux/hugetlb.h>
26 : : #include <linux/mount.h>
27 : : #include <linux/sched.h>
28 : : #include <linux/prctl.h>
29 : : #include <linux/securebits.h>
30 : : #include <linux/user_namespace.h>
31 : : #include <linux/binfmts.h>
32 : : #include <linux/personality.h>
33 : :
34 : : #ifdef CONFIG_ANDROID_PARANOID_NETWORK
35 : : #include <linux/android_aid.h>
36 : : #endif
37 : :
38 : : /*
39 : : * If a non-root user executes a setuid-root binary in
40 : : * !secure(SECURE_NOROOT) mode, then we raise capabilities.
41 : : * However if fE is also set, then the intent is for only
42 : : * the file capabilities to be applied, and the setuid-root
43 : : * bit is left on either to change the uid (plausible) or
44 : : * to get full privilege on a kernel without file capabilities
45 : : * support. So in that case we do not raise capabilities.
46 : : *
47 : : * Warn if that happens, once per boot.
48 : : */
49 : : static void warn_setuid_and_fcaps_mixed(const char *fname)
50 : : {
51 : : static int warned;
52 [ # # ]: 0 : if (!warned) {
53 : 0 : printk(KERN_INFO "warning: `%s' has both setuid-root and"
54 : : " effective capabilities. Therefore not raising all"
55 : : " capabilities.\n", fname);
56 : 0 : warned = 1;
57 : : }
58 : : }
59 : :
60 : 0 : int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
61 : : {
62 : 4149 : return 0;
63 : : }
64 : :
65 : : /**
66 : : * cap_capable - Determine whether a task has a particular effective capability
67 : : * @cred: The credentials to use
68 : : * @ns: The user namespace in which we need the capability
69 : : * @cap: The capability to check for
70 : : * @audit: Whether to write an audit message or not
71 : : *
72 : : * Determine whether the nominated task has the specified capability amongst
73 : : * its effective set, returning 0 if it does, -ve if it does not.
74 : : *
75 : : * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
76 : : * and has_capability() functions. That is, it has the reverse semantics:
77 : : * cap_has_capability() returns 0 when a task has a capability, but the
78 : : * kernel's capable() and has_capability() returns 1 for this case.
79 : : */
80 : 15784485 : int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
81 : : int cap, int audit)
82 : : {
83 : : struct user_namespace *ns = targ_ns;
84 : :
85 : : #ifdef CONFIG_ANDROID_PARANOID_NETWORK
86 : : if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
87 : : return 0;
88 : : if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
89 : : return 0;
90 : : #endif
91 : :
92 : : /* See if cred has the capability in the target user namespace
93 : : * by examining the target user namespace and all of the target
94 : : * user namespace's parents.
95 : : */
96 : : for (;;) {
97 : : /* Do we have the necessary capabilities? */
98 [ + - ]: 15784485 : if (ns == cred->user_ns)
99 [ + + ]: 15784485 : return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
100 : :
101 : : /* Have we tried all of the parent namespaces? */
102 [ # # ]: 0 : if (ns == &init_user_ns)
103 : : return -EPERM;
104 : :
105 : : /*
106 : : * The owner of the user namespace in the parent of the
107 : : * user namespace has all caps.
108 : : */
109 [ # # ][ # # ]: 0 : if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
110 : : return 0;
111 : :
112 : : /*
113 : : * If you have a capability in a parent user ns, then you have
114 : : * it over all children user namespaces as well.
115 : : */
116 : : ns = ns->parent;
117 : : }
118 : :
119 : : /* We never get here */
120 : : }
121 : :
122 : : /**
123 : : * cap_settime - Determine whether the current process may set the system clock
124 : : * @ts: The time to set
125 : : * @tz: The timezone to set
126 : : *
127 : : * Determine whether the current process may set the system clock and timezone
128 : : * information, returning 0 if permission granted, -ve if denied.
129 : : */
130 : 0 : int cap_settime(const struct timespec *ts, const struct timezone *tz)
131 : : {
132 [ + + ]: 13 : if (!capable(CAP_SYS_TIME))
133 : : return -EPERM;
134 : 10 : return 0;
135 : : }
136 : :
137 : : /**
138 : : * cap_ptrace_access_check - Determine whether the current process may access
139 : : * another
140 : : * @child: The process to be accessed
141 : : * @mode: The mode of attachment.
142 : : *
143 : : * If we are in the same or an ancestor user_ns and have all the target
144 : : * task's capabilities, then ptrace access is allowed.
145 : : * If we have the ptrace capability to the target user_ns, then ptrace
146 : : * access is allowed.
147 : : * Else denied.
148 : : *
149 : : * Determine whether a process may access another, returning 0 if permission
150 : : * granted, -ve if denied.
151 : : */
152 : 0 : int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
153 : : {
154 : : int ret = 0;
155 : : const struct cred *cred, *child_cred;
156 : :
157 : : rcu_read_lock();
158 : 89758 : cred = current_cred();
159 : 89758 : child_cred = __task_cred(child);
160 [ + - ][ - + ]: 179516 : if (cred->user_ns == child_cred->user_ns &&
161 : : cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
162 : : goto out;
163 [ # # ]: 0 : if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
164 : : goto out;
165 : : ret = -EPERM;
166 : : out:
167 : : rcu_read_unlock();
168 : 89758 : return ret;
169 : : }
170 : :
171 : : /**
172 : : * cap_ptrace_traceme - Determine whether another process may trace the current
173 : : * @parent: The task proposed to be the tracer
174 : : *
175 : : * If parent is in the same or an ancestor user_ns and has all current's
176 : : * capabilities, then ptrace access is allowed.
177 : : * If parent has the ptrace capability to current's user_ns, then ptrace
178 : : * access is allowed.
179 : : * Else denied.
180 : : *
181 : : * Determine whether the nominated task is permitted to trace the current
182 : : * process, returning 0 if permission is granted, -ve if denied.
183 : : */
184 : 0 : int cap_ptrace_traceme(struct task_struct *parent)
185 : : {
186 : : int ret = 0;
187 : : const struct cred *cred, *child_cred;
188 : :
189 : : rcu_read_lock();
190 : 102 : cred = __task_cred(parent);
191 : 102 : child_cred = current_cred();
192 [ + - ][ - + ]: 204 : if (cred->user_ns == child_cred->user_ns &&
193 : : cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
194 : : goto out;
195 [ # # ]: 0 : if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
196 : : goto out;
197 : : ret = -EPERM;
198 : : out:
199 : : rcu_read_unlock();
200 : 102 : return ret;
201 : : }
202 : :
203 : : /**
204 : : * cap_capget - Retrieve a task's capability sets
205 : : * @target: The task from which to retrieve the capability sets
206 : : * @effective: The place to record the effective set
207 : : * @inheritable: The place to record the inheritable set
208 : : * @permitted: The place to record the permitted set
209 : : *
210 : : * This function retrieves the capabilities of the nominated task and returns
211 : : * them to the caller.
212 : : */
213 : 0 : int cap_capget(struct task_struct *target, kernel_cap_t *effective,
214 : : kernel_cap_t *inheritable, kernel_cap_t *permitted)
215 : : {
216 : : const struct cred *cred;
217 : :
218 : : /* Derived from kernel/capability.c:sys_capget. */
219 : : rcu_read_lock();
220 : 0 : cred = __task_cred(target);
221 : 0 : *effective = cred->cap_effective;
222 : 0 : *inheritable = cred->cap_inheritable;
223 : 0 : *permitted = cred->cap_permitted;
224 : : rcu_read_unlock();
225 : 0 : return 0;
226 : : }
227 : :
228 : : /*
229 : : * Determine whether the inheritable capabilities are limited to the old
230 : : * permitted set. Returns 1 if they are limited, 0 if they are not.
231 : : */
232 : : static inline int cap_inh_is_capped(void)
233 : : {
234 : :
235 : : /* they are so limited unless the current task has the CAP_SETPCAP
236 : : * capability
237 : : */
238 [ - + ]: 1 : if (cap_capable(current_cred(), current_cred()->user_ns,
239 : : CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
240 : : return 0;
241 : : return 1;
242 : : }
243 : :
244 : : /**
245 : : * cap_capset - Validate and apply proposed changes to current's capabilities
246 : : * @new: The proposed new credentials; alterations should be made here
247 : : * @old: The current task's current credentials
248 : : * @effective: A pointer to the proposed new effective capabilities set
249 : : * @inheritable: A pointer to the proposed new inheritable capabilities set
250 : : * @permitted: A pointer to the proposed new permitted capabilities set
251 : : *
252 : : * This function validates and applies a proposed mass change to the current
253 : : * process's capability sets. The changes are made to the proposed new
254 : : * credentials, and assuming no error, will be committed by the caller of LSM.
255 : : */
256 : 0 : int cap_capset(struct cred *new,
257 : : const struct cred *old,
258 : : const kernel_cap_t *effective,
259 : : const kernel_cap_t *inheritable,
260 : : const kernel_cap_t *permitted)
261 : : {
262 [ - + ][ # # ]: 1 : if (cap_inh_is_capped() &&
263 : : !cap_issubset(*inheritable,
264 : : cap_combine(old->cap_inheritable,
265 : : old->cap_permitted)))
266 : : /* incapable of using this inheritable set */
267 : : return -EPERM;
268 : :
269 [ + - ]: 1 : if (!cap_issubset(*inheritable,
270 : : cap_combine(old->cap_inheritable,
271 : : old->cap_bset)))
272 : : /* no new pI capabilities outside bounding set */
273 : : return -EPERM;
274 : :
275 : : /* verify restrictions on target's new Permitted set */
276 [ + - ]: 1 : if (!cap_issubset(*permitted, old->cap_permitted))
277 : : return -EPERM;
278 : :
279 : : /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
280 [ + - ]: 1 : if (!cap_issubset(*effective, *permitted))
281 : : return -EPERM;
282 : :
283 : 1 : new->cap_effective = *effective;
284 : 1 : new->cap_inheritable = *inheritable;
285 : 1 : new->cap_permitted = *permitted;
286 : 1 : return 0;
287 : : }
288 : :
289 : : /*
290 : : * Clear proposed capability sets for execve().
291 : : */
292 : : static inline void bprm_clear_caps(struct linux_binprm *bprm)
293 : : {
294 : 27602 : cap_clear(bprm->cred->cap_permitted);
295 : 0 : bprm->cap_effective = false;
296 : : }
297 : :
298 : : /**
299 : : * cap_inode_need_killpriv - Determine if inode change affects privileges
300 : : * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
301 : : *
302 : : * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
303 : : * affects the security markings on that inode, and if it is, should
304 : : * inode_killpriv() be invoked or the change rejected?
305 : : *
306 : : * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
307 : : * -ve to deny the change.
308 : : */
309 : 0 : int cap_inode_need_killpriv(struct dentry *dentry)
310 : : {
311 : 24097 : struct inode *inode = dentry->d_inode;
312 : : int error;
313 : :
314 [ + ]: 24097 : if (!inode->i_op->getxattr)
315 : : return 0;
316 : :
317 : 24151 : error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
318 [ - + ]: 24072 : if (error <= 0)
319 : : return 0;
320 : 0 : return 1;
321 : : }
322 : :
323 : : /**
324 : : * cap_inode_killpriv - Erase the security markings on an inode
325 : : * @dentry: The inode/dentry to alter
326 : : *
327 : : * Erase the privilege-enhancing security markings on an inode.
328 : : *
329 : : * Returns 0 if successful, -ve on error.
330 : : */
331 : 0 : int cap_inode_killpriv(struct dentry *dentry)
332 : : {
333 : 0 : struct inode *inode = dentry->d_inode;
334 : :
335 [ # # ]: 0 : if (!inode->i_op->removexattr)
336 : : return 0;
337 : :
338 : 0 : return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
339 : : }
340 : :
341 : : /*
342 : : * Calculate the new process capability sets from the capability sets attached
343 : : * to a file.
344 : : */
345 : : static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
346 : : struct linux_binprm *bprm,
347 : : bool *effective,
348 : : bool *has_cap)
349 : : {
350 : : struct cred *new = bprm->cred;
351 : : unsigned i;
352 : : int ret = 0;
353 : :
354 [ # # ]: 27602 : if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
355 : 0 : *effective = true;
356 : :
357 [ # # ]: 0 : if (caps->magic_etc & VFS_CAP_REVISION_MASK)
358 : 0 : *has_cap = true;
359 : :
360 [ # # ]: 0 : CAP_FOR_EACH_U32(i) {
361 : 0 : __u32 permitted = caps->permitted.cap[i];
362 : 0 : __u32 inheritable = caps->inheritable.cap[i];
363 : :
364 : : /*
365 : : * pP' = (X & fP) | (pI & fI)
366 : : */
367 : 0 : new->cap_permitted.cap[i] =
368 : 0 : (new->cap_bset.cap[i] & permitted) |
369 : 0 : (new->cap_inheritable.cap[i] & inheritable);
370 : :
371 [ # # ]: 0 : if (permitted & ~new->cap_permitted.cap[i])
372 : : /* insufficient to execute correctly */
373 : : ret = -EPERM;
374 : : }
375 : :
376 : : /*
377 : : * For legacy apps, with no internal support for recognizing they
378 : : * do not have enough capabilities, we return an error if they are
379 : : * missing some "forced" (aka file-permitted) capabilities.
380 : : */
381 [ # # ]: 0 : return *effective ? ret : 0;
382 : : }
383 : :
384 : : /*
385 : : * Extract the on-exec-apply capability sets for an executable file.
386 : : */
387 : 0 : int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
388 : : {
389 : 27825 : struct inode *inode = dentry->d_inode;
390 : : __u32 magic_etc;
391 : : unsigned tocopy, i;
392 : : int size;
393 : : struct vfs_cap_data caps;
394 : :
395 : 27825 : memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
396 : :
397 [ + - ][ + + ]: 27824 : if (!inode || !inode->i_op->getxattr)
398 : : return -ENODATA;
399 : :
400 : 27813 : size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
401 : : XATTR_CAPS_SZ);
402 [ - + ]: 27804 : if (size == -ENODATA || size == -EOPNOTSUPP)
403 : : /* no data, that's ok */
404 : : return -ENODATA;
405 [ # # ]: 0 : if (size < 0)
406 : : return size;
407 : :
408 [ # # ]: 0 : if (size < sizeof(magic_etc))
409 : : return -EINVAL;
410 : :
411 : 0 : cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
412 : :
413 [ # # # ]: 0 : switch (magic_etc & VFS_CAP_REVISION_MASK) {
414 : : case VFS_CAP_REVISION_1:
415 [ # # ]: 0 : if (size != XATTR_CAPS_SZ_1)
416 : : return -EINVAL;
417 : : tocopy = VFS_CAP_U32_1;
418 : : break;
419 : : case VFS_CAP_REVISION_2:
420 [ # # ]: 0 : if (size != XATTR_CAPS_SZ_2)
421 : : return -EINVAL;
422 : : tocopy = VFS_CAP_U32_2;
423 : : break;
424 : : default:
425 : : return -EINVAL;
426 : : }
427 : :
428 [ # # ]: 0 : CAP_FOR_EACH_U32(i) {
429 [ # # ]: 0 : if (i >= tocopy)
430 : : break;
431 : 0 : cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
432 : 0 : cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
433 : : }
434 : :
435 : : return 0;
436 : : }
437 : :
438 : : /*
439 : : * Attempt to get the on-exec apply capability sets for an executable file from
440 : : * its xattrs and, if present, apply them to the proposed credentials being
441 : : * constructed by execve().
442 : : */
443 : 0 : static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
444 : : {
445 : : struct dentry *dentry;
446 : : int rc = 0;
447 : : struct cpu_vfs_cap_data vcaps;
448 : :
449 : : bprm_clear_caps(bprm);
450 : :
451 [ + + ]: 27602 : if (!file_caps_enabled)
452 : : return 0;
453 : :
454 [ + ]: 27586 : if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
455 : : return 0;
456 : :
457 : 27606 : dentry = dget(bprm->file->f_dentry);
458 : :
459 : 27604 : rc = get_vfs_caps_from_disk(dentry, &vcaps);
460 [ + + ]: 55190 : if (rc < 0) {
461 [ - + ]: 27588 : if (rc == -EINVAL)
462 : 0 : printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
463 : : __func__, rc, bprm->filename);
464 [ + + ]: 27588 : else if (rc == -ENODATA)
465 : : rc = 0;
466 : : goto out;
467 : : }
468 : :
469 : : rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
470 [ # # ]: 0 : if (rc == -EINVAL)
471 : 0 : printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
472 : : __func__, rc, bprm->filename);
473 : :
474 : : out:
475 : 27588 : dput(dentry);
476 [ - + ]: 27604 : if (rc)
477 : : bprm_clear_caps(bprm);
478 : :
479 : 27604 : return rc;
480 : : }
481 : :
482 : : /**
483 : : * cap_bprm_set_creds - Set up the proposed credentials for execve().
484 : : * @bprm: The execution parameters, including the proposed creds
485 : : *
486 : : * Set up the proposed credentials for a new execution context being
487 : : * constructed by execve(). The proposed creds in @bprm->cred is altered,
488 : : * which won't take effect immediately. Returns 0 if successful, -ve on error.
489 : : */
490 : 0 : int cap_bprm_set_creds(struct linux_binprm *bprm)
491 : : {
492 : 27601 : const struct cred *old = current_cred();
493 : 27601 : struct cred *new = bprm->cred;
494 : 27601 : bool effective, has_cap = false;
495 : : int ret;
496 : : kuid_t root_uid;
497 : :
498 : 27601 : effective = false;
499 : 27601 : ret = get_file_caps(bprm, &effective, &has_cap);
500 [ + ]: 27587 : if (ret < 0)
501 : : return ret;
502 : :
503 : : root_uid = make_kuid(new->user_ns, 0);
504 : :
505 [ + + ]: 55180 : if (!issecure(SECURE_NOROOT)) {
506 : : /*
507 : : * If the legacy file capability is set, then don't set privs
508 : : * for a setuid root binary run by a non-root user. Do set it
509 : : * for a root user just to cause least surprise to an admin.
510 : : */
511 [ - + ][ # # ]: 27584 : if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
[ # # ]
512 : 0 : warn_setuid_and_fcaps_mixed(bprm->filename);
513 : : goto skip;
514 : : }
515 : : /*
516 : : * To support inheritance of root-permissions and suid-root
517 : : * executables under compatibility mode, we override the
518 : : * capability sets for the file.
519 : : *
520 : : * If only the real uid is 0, we do not set the effective bit.
521 : : */
522 [ + + ][ + + ]: 27584 : if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
523 : : /* pP' = (cap_bset & ~0) | (pI & ~0) */
524 : 27336 : new->cap_permitted = cap_combine(old->cap_bset,
525 : : old->cap_inheritable);
526 : : }
527 [ + + ]: 27584 : if (uid_eq(new->euid, root_uid))
528 : 55180 : effective = true;
529 : : }
530 : : skip:
531 : :
532 : : /* if we have fs caps, clear dangerous personality flags */
533 [ - + ]: 27579 : if (!cap_issubset(new->cap_permitted, old->cap_permitted))
534 : 0 : bprm->per_clear |= PER_CLEAR_ON_SETID;
535 : :
536 : :
537 : : /* Don't let someone trace a set[ug]id/setpcap binary with the revised
538 : : * credentials unless they have the appropriate permit.
539 : : *
540 : : * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
541 : : */
542 [ + ][ + + ]: 27579 : if ((!uid_eq(new->euid, old->uid) ||
543 [ + + ]: 27572 : !gid_eq(new->egid, old->gid) ||
544 [ - + ]: 24 : !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
545 : 24 : bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
546 : : /* downgrade; they get no more than they had, and maybe less */
547 [ # # ][ # # ]: 0 : if (!capable(CAP_SETUID) ||
548 : 0 : (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
549 : 0 : new->euid = new->uid;
550 : 0 : new->egid = new->gid;
551 : : }
552 : 0 : new->cap_permitted = cap_intersect(new->cap_permitted,
553 : : old->cap_permitted);
554 : : }
555 : :
556 : 27579 : new->suid = new->fsuid = new->euid;
557 : 27579 : new->sgid = new->fsgid = new->egid;
558 : :
559 [ + + ]: 27579 : if (effective)
560 : 27309 : new->cap_effective = new->cap_permitted;
561 : : else
562 : 270 : cap_clear(new->cap_effective);
563 : 27579 : bprm->cap_effective = effective;
564 : :
565 : : /*
566 : : * Audit candidate if current->cap_effective is set
567 : : *
568 : : * We do not bother to audit if 3 things are true:
569 : : * 1) cap_effective has all caps
570 : : * 2) we are root
571 : : * 3) root is supposed to have all caps (SECURE_NOROOT)
572 : : * Since this is just a normal root execing a process.
573 : : *
574 : : * Number 1 above might fail if you don't have a full bset, but I think
575 : : * that is interesting information to audit.
576 : : */
577 [ + + ]: 27579 : if (!cap_isclear(new->cap_effective)) {
578 [ + ][ + ]: 54628 : if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
579 [ + + ][ + ]: 27333 : !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
580 : 27327 : issecure(SECURE_NOROOT)) {
581 : : ret = audit_log_bprm_fcaps(bprm, new, old);
582 [ # # ]: 0 : if (ret < 0)
583 : : return ret;
584 : : }
585 : : }
586 : :
587 : 27594 : new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
588 : 27594 : return 0;
589 : : }
590 : :
591 : : /**
592 : : * cap_bprm_secureexec - Determine whether a secure execution is required
593 : : * @bprm: The execution parameters
594 : : *
595 : : * Determine whether a secure execution is required, return 1 if it is, and 0
596 : : * if it is not.
597 : : *
598 : : * The credentials have been committed by this point, and so are no longer
599 : : * available through @bprm->cred.
600 : : */
601 : 0 : int cap_bprm_secureexec(struct linux_binprm *bprm)
602 : : {
603 : 27245 : const struct cred *cred = current_cred();
604 : : kuid_t root_uid = make_kuid(cred->user_ns, 0);
605 : :
606 [ + + ]: 27245 : if (!uid_eq(cred->uid, root_uid)) {
607 [ + - ]: 254 : if (bprm->cap_effective)
608 : : return 1;
609 [ + ]: 254 : if (!cap_isclear(cred->cap_permitted))
610 : : return 1;
611 : : }
612 : :
613 [ + - ][ + + ]: 54491 : return (!uid_eq(cred->euid, cred->uid) ||
614 : : !gid_eq(cred->egid, cred->gid));
615 : : }
616 : :
617 : : /**
618 : : * cap_inode_setxattr - Determine whether an xattr may be altered
619 : : * @dentry: The inode/dentry being altered
620 : : * @name: The name of the xattr to be changed
621 : : * @value: The value that the xattr will be changed to
622 : : * @size: The size of value
623 : : * @flags: The replacement flag
624 : : *
625 : : * Determine whether an xattr may be altered or set on an inode, returning 0 if
626 : : * permission is granted, -ve if denied.
627 : : *
628 : : * This is used to make sure security xattrs don't get updated or set by those
629 : : * who aren't privileged to do so.
630 : : */
631 : 0 : int cap_inode_setxattr(struct dentry *dentry, const char *name,
632 : : const void *value, size_t size, int flags)
633 : : {
634 [ - + ]: 2 : if (!strcmp(name, XATTR_NAME_CAPS)) {
635 [ # # ]: 0 : if (!capable(CAP_SETFCAP))
636 : : return -EPERM;
637 : 0 : return 0;
638 : : }
639 : :
640 [ - + ]: 2 : if (!strncmp(name, XATTR_SECURITY_PREFIX,
641 [ # # ]: 0 : sizeof(XATTR_SECURITY_PREFIX) - 1) &&
642 : 0 : !capable(CAP_SYS_ADMIN))
643 : : return -EPERM;
644 : : return 0;
645 : : }
646 : :
647 : : /**
648 : : * cap_inode_removexattr - Determine whether an xattr may be removed
649 : : * @dentry: The inode/dentry being altered
650 : : * @name: The name of the xattr to be changed
651 : : *
652 : : * Determine whether an xattr may be removed from an inode, returning 0 if
653 : : * permission is granted, -ve if denied.
654 : : *
655 : : * This is used to make sure security xattrs don't get removed by those who
656 : : * aren't privileged to remove them.
657 : : */
658 : 0 : int cap_inode_removexattr(struct dentry *dentry, const char *name)
659 : : {
660 [ # # ]: 0 : if (!strcmp(name, XATTR_NAME_CAPS)) {
661 [ # # ]: 0 : if (!capable(CAP_SETFCAP))
662 : : return -EPERM;
663 : 0 : return 0;
664 : : }
665 : :
666 [ # # ]: 0 : if (!strncmp(name, XATTR_SECURITY_PREFIX,
667 [ # # ]: 0 : sizeof(XATTR_SECURITY_PREFIX) - 1) &&
668 : 0 : !capable(CAP_SYS_ADMIN))
669 : : return -EPERM;
670 : : return 0;
671 : : }
672 : :
673 : : /*
674 : : * cap_emulate_setxuid() fixes the effective / permitted capabilities of
675 : : * a process after a call to setuid, setreuid, or setresuid.
676 : : *
677 : : * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
678 : : * {r,e,s}uid != 0, the permitted and effective capabilities are
679 : : * cleared.
680 : : *
681 : : * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
682 : : * capabilities of the process are cleared.
683 : : *
684 : : * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
685 : : * capabilities are set to the permitted capabilities.
686 : : *
687 : : * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
688 : : * never happen.
689 : : *
690 : : * -astor
691 : : *
692 : : * cevans - New behaviour, Oct '99
693 : : * A process may, via prctl(), elect to keep its capabilities when it
694 : : * calls setuid() and switches away from uid==0. Both permitted and
695 : : * effective sets will be retained.
696 : : * Without this change, it was impossible for a daemon to drop only some
697 : : * of its privilege. The call to setuid(!=0) would drop all privileges!
698 : : * Keeping uid 0 is not an option because uid 0 owns too many vital
699 : : * files..
700 : : * Thanks to Olaf Kirch and Peter Benie for spotting this.
701 : : */
702 : : static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
703 : : {
704 : : kuid_t root_uid = make_kuid(old->user_ns, 0);
705 : :
706 [ + + ][ + + ]: 8362 : if ((uid_eq(old->uid, root_uid) ||
707 [ + + ]: 32 : uid_eq(old->euid, root_uid) ||
708 [ + + ]: 8332 : uid_eq(old->suid, root_uid)) &&
709 [ + + ]: 329 : (!uid_eq(new->uid, root_uid) &&
710 [ + + ]: 315 : !uid_eq(new->euid, root_uid) &&
711 [ + - ]: 313 : !uid_eq(new->suid, root_uid)) &&
712 : 313 : !issecure(SECURE_KEEP_CAPS)) {
713 : 313 : cap_clear(new->cap_permitted);
714 : 313 : cap_clear(new->cap_effective);
715 : : }
716 [ + + ][ + + ]: 8362 : if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
717 : 2047 : cap_clear(new->cap_effective);
718 [ + + ][ + + ]: 8362 : if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
719 : 1715 : new->cap_effective = new->cap_permitted;
720 : : }
721 : :
722 : : /**
723 : : * cap_task_fix_setuid - Fix up the results of setuid() call
724 : : * @new: The proposed credentials
725 : : * @old: The current task's current credentials
726 : : * @flags: Indications of what has changed
727 : : *
728 : : * Fix up the results of setuid() call before the credential changes are
729 : : * actually applied, returning 0 to grant the changes, -ve to deny them.
730 : : */
731 : 0 : int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
732 : : {
733 [ + + - ]: 8370 : switch (flags) {
734 : : case LSM_SETID_RE:
735 : : case LSM_SETID_ID:
736 : : case LSM_SETID_RES:
737 : : /* juggle the capabilities to follow [RES]UID changes unless
738 : : * otherwise suppressed */
739 [ + - ]: 8362 : if (!issecure(SECURE_NO_SETUID_FIXUP))
740 : : cap_emulate_setxuid(new, old);
741 : : break;
742 : :
743 : : case LSM_SETID_FS:
744 : : /* juggle the capabilties to follow FSUID changes, unless
745 : : * otherwise suppressed
746 : : *
747 : : * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
748 : : * if not, we might be a bit too harsh here.
749 : : */
750 [ + - ]: 8 : if (!issecure(SECURE_NO_SETUID_FIXUP)) {
751 : : kuid_t root_uid = make_kuid(old->user_ns, 0);
752 [ + + ][ + - ]: 8 : if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
753 : 4 : new->cap_effective =
754 : : cap_drop_fs_set(new->cap_effective);
755 : :
756 [ + + ][ + ]: 8 : if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
757 : 4 : new->cap_effective =
758 : : cap_raise_fs_set(new->cap_effective,
759 : : new->cap_permitted);
760 : : }
761 : : break;
762 : :
763 : : default:
764 : : return -EINVAL;
765 : : }
766 : :
767 : : return 0;
768 : : }
769 : :
770 : : /*
771 : : * Rationale: code calling task_setscheduler, task_setioprio, and
772 : : * task_setnice, assumes that
773 : : * . if capable(cap_sys_nice), then those actions should be allowed
774 : : * . if not capable(cap_sys_nice), but acting on your own processes,
775 : : * then those actions should be allowed
776 : : * This is insufficient now since you can call code without suid, but
777 : : * yet with increased caps.
778 : : * So we check for increased caps on the target process.
779 : : */
780 : 0 : static int cap_safe_nice(struct task_struct *p)
781 : : {
782 : : int is_subset, ret = 0;
783 : :
784 : : rcu_read_lock();
785 : 3125 : is_subset = cap_issubset(__task_cred(p)->cap_permitted,
786 : 3125 : current_cred()->cap_permitted);
787 [ - + ][ # # ]: 3125 : if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
788 : : ret = -EPERM;
789 : : rcu_read_unlock();
790 : :
791 : 3125 : return ret;
792 : : }
793 : :
794 : : /**
795 : : * cap_task_setscheduler - Detemine if scheduler policy change is permitted
796 : : * @p: The task to affect
797 : : *
798 : : * Detemine if the requested scheduler policy change is permitted for the
799 : : * specified task, returning 0 if permission is granted, -ve if denied.
800 : : */
801 : 0 : int cap_task_setscheduler(struct task_struct *p)
802 : : {
803 : 217 : return cap_safe_nice(p);
804 : : }
805 : :
806 : : /**
807 : : * cap_task_ioprio - Detemine if I/O priority change is permitted
808 : : * @p: The task to affect
809 : : * @ioprio: The I/O priority to set
810 : : *
811 : : * Detemine if the requested I/O priority change is permitted for the specified
812 : : * task, returning 0 if permission is granted, -ve if denied.
813 : : */
814 : 0 : int cap_task_setioprio(struct task_struct *p, int ioprio)
815 : : {
816 : 4 : return cap_safe_nice(p);
817 : : }
818 : :
819 : : /**
820 : : * cap_task_ioprio - Detemine if task priority change is permitted
821 : : * @p: The task to affect
822 : : * @nice: The nice value to set
823 : : *
824 : : * Detemine if the requested task priority change is permitted for the
825 : : * specified task, returning 0 if permission is granted, -ve if denied.
826 : : */
827 : 0 : int cap_task_setnice(struct task_struct *p, int nice)
828 : : {
829 : 2904 : return cap_safe_nice(p);
830 : : }
831 : :
832 : : /*
833 : : * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
834 : : * the current task's bounding set. Returns 0 on success, -ve on error.
835 : : */
836 : 0 : static long cap_prctl_drop(struct cred *new, unsigned long cap)
837 : : {
838 [ # # ]: 0 : if (!ns_capable(current_user_ns(), CAP_SETPCAP))
839 : : return -EPERM;
840 [ # # ]: 0 : if (!cap_valid(cap))
841 : : return -EINVAL;
842 : :
843 : 0 : cap_lower(new->cap_bset, cap);
844 : 0 : return 0;
845 : : }
846 : :
847 : : /**
848 : : * cap_task_prctl - Implement process control functions for this security module
849 : : * @option: The process control function requested
850 : : * @arg2, @arg3, @arg4, @arg5: The argument data for this function
851 : : *
852 : : * Allow process control functions (sys_prctl()) to alter capabilities; may
853 : : * also deny access to other functions not otherwise implemented here.
854 : : *
855 : : * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
856 : : * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
857 : : * modules will consider performing the function.
858 : : */
859 : 0 : int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
860 : : unsigned long arg4, unsigned long arg5)
861 : : {
862 : : struct cred *new;
863 : : long error = 0;
864 : :
865 : 9249 : new = prepare_creds();
866 [ + - ]: 9249 : if (!new)
867 : : return -ENOMEM;
868 : :
869 [ - - - - : 9249 : switch (option) {
- - + ]
870 : : case PR_CAPBSET_READ:
871 : : error = -EINVAL;
872 [ # # ]: 0 : if (!cap_valid(arg2))
873 : : goto error;
874 : 0 : error = !!cap_raised(new->cap_bset, arg2);
875 : 0 : goto no_change;
876 : :
877 : : case PR_CAPBSET_DROP:
878 : 0 : error = cap_prctl_drop(new, arg2);
879 [ # # ]: 0 : if (error < 0)
880 : : goto error;
881 : : goto changed;
882 : :
883 : : /*
884 : : * The next four prctl's remain to assist with transitioning a
885 : : * system from legacy UID=0 based privilege (when filesystem
886 : : * capabilities are not in use) to a system using filesystem
887 : : * capabilities only - as the POSIX.1e draft intended.
888 : : *
889 : : * Note:
890 : : *
891 : : * PR_SET_SECUREBITS =
892 : : * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
893 : : * | issecure_mask(SECURE_NOROOT)
894 : : * | issecure_mask(SECURE_NOROOT_LOCKED)
895 : : * | issecure_mask(SECURE_NO_SETUID_FIXUP)
896 : : * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
897 : : *
898 : : * will ensure that the current process and all of its
899 : : * children will be locked into a pure
900 : : * capability-based-privilege environment.
901 : : */
902 : : case PR_SET_SECUREBITS:
903 : : error = -EPERM;
904 [ # # ]: 0 : if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
905 : 0 : & (new->securebits ^ arg2)) /*[1]*/
906 [ # # ]: 0 : || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
907 [ # # ]: 0 : || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
908 [ # # ]: 0 : || (cap_capable(current_cred(),
909 : : current_cred()->user_ns, CAP_SETPCAP,
910 : : SECURITY_CAP_AUDIT) != 0) /*[4]*/
911 : : /*
912 : : * [1] no changing of bits that are locked
913 : : * [2] no unlocking of locks
914 : : * [3] no setting of unsupported bits
915 : : * [4] doing anything requires privilege (go read about
916 : : * the "sendmail capabilities bug")
917 : : */
918 : : )
919 : : /* cannot change a locked bit */
920 : : goto error;
921 : 0 : new->securebits = arg2;
922 : 0 : goto changed;
923 : :
924 : : case PR_GET_SECUREBITS:
925 : 0 : error = new->securebits;
926 : 0 : goto no_change;
927 : :
928 : : case PR_GET_KEEPCAPS:
929 [ # # ]: 0 : if (issecure(SECURE_KEEP_CAPS))
930 : : error = 1;
931 : : goto no_change;
932 : :
933 : : case PR_SET_KEEPCAPS:
934 : : error = -EINVAL;
935 [ # # ]: 0 : if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
936 : : goto error;
937 : : error = -EPERM;
938 [ # # ]: 0 : if (issecure(SECURE_KEEP_CAPS_LOCKED))
939 : : goto error;
940 [ # # ]: 0 : if (arg2)
941 : 0 : new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
942 : : else
943 : 0 : new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
944 : : goto changed;
945 : :
946 : : default:
947 : : /* No functionality available - continue with default */
948 : : error = -ENOSYS;
949 : : goto error;
950 : : }
951 : :
952 : : /* Functionality provided */
953 : : changed:
954 : 0 : return commit_creds(new);
955 : :
956 : : no_change:
957 : : error:
958 : 9249 : abort_creds(new);
959 : 9249 : return error;
960 : : }
961 : :
962 : : /**
963 : : * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
964 : : * @mm: The VM space in which the new mapping is to be made
965 : : * @pages: The size of the mapping
966 : : *
967 : : * Determine whether the allocation of a new virtual mapping by the current
968 : : * task is permitted, returning 0 if permission is granted, -ve if not.
969 : : */
970 : 0 : int cap_vm_enough_memory(struct mm_struct *mm, long pages)
971 : : {
972 : : int cap_sys_admin = 0;
973 : :
974 [ + + ]: 15624391 : if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
975 : : SECURITY_CAP_NOAUDIT) == 0)
976 : : cap_sys_admin = 1;
977 : 15624424 : return __vm_enough_memory(mm, pages, cap_sys_admin);
978 : : }
979 : :
980 : : /*
981 : : * cap_mmap_addr - check if able to map given addr
982 : : * @addr: address attempting to be mapped
983 : : *
984 : : * If the process is attempting to map memory below dac_mmap_min_addr they need
985 : : * CAP_SYS_RAWIO. The other parameters to this function are unused by the
986 : : * capability security module. Returns 0 if this mapping should be allowed
987 : : * -EPERM if not.
988 : : */
989 : 0 : int cap_mmap_addr(unsigned long addr)
990 : : {
991 : : int ret = 0;
992 : :
993 [ - + ]: 3863823 : if (addr < dac_mmap_min_addr) {
994 : 0 : ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
995 : : SECURITY_CAP_AUDIT);
996 : : /* set PF_SUPERPRIV if it turns out we allow the low mmap */
997 [ # # ]: 0 : if (ret == 0)
998 : 0 : current->flags |= PF_SUPERPRIV;
999 : : }
1000 : 0 : return ret;
1001 : : }
1002 : :
1003 : 0 : int cap_mmap_file(struct file *file, unsigned long reqprot,
1004 : : unsigned long prot, unsigned long flags)
1005 : : {
1006 : 0 : return 0;
1007 : : }
|
