Back to home page

LXR

 
 

    


0001 /*
0002  * linux/kernel/capability.c
0003  *
0004  * Copyright (C) 1997  Andrew Main <zefram@fysh.org>
0005  *
0006  * Integrated into 2.1.97+,  Andrew G. Morgan <morgan@kernel.org>
0007  * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
0008  */
0009 
0010 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
0011 
0012 #include <linux/audit.h>
0013 #include <linux/capability.h>
0014 #include <linux/mm.h>
0015 #include <linux/export.h>
0016 #include <linux/security.h>
0017 #include <linux/syscalls.h>
0018 #include <linux/pid_namespace.h>
0019 #include <linux/user_namespace.h>
0020 #include <linux/uaccess.h>
0021 
0022 /*
0023  * Leveraged for setting/resetting capabilities
0024  */
0025 
0026 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
0027 EXPORT_SYMBOL(__cap_empty_set);
0028 
0029 int file_caps_enabled = 1;
0030 
0031 static int __init file_caps_disable(char *str)
0032 {
0033     file_caps_enabled = 0;
0034     return 1;
0035 }
0036 __setup("no_file_caps", file_caps_disable);
0037 
0038 #ifdef CONFIG_MULTIUSER
0039 /*
0040  * More recent versions of libcap are available from:
0041  *
0042  *   http://www.kernel.org/pub/linux/libs/security/linux-privs/
0043  */
0044 
0045 static void warn_legacy_capability_use(void)
0046 {
0047     char name[sizeof(current->comm)];
0048 
0049     pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n",
0050              get_task_comm(name, current));
0051 }
0052 
0053 /*
0054  * Version 2 capabilities worked fine, but the linux/capability.h file
0055  * that accompanied their introduction encouraged their use without
0056  * the necessary user-space source code changes. As such, we have
0057  * created a version 3 with equivalent functionality to version 2, but
0058  * with a header change to protect legacy source code from using
0059  * version 2 when it wanted to use version 1. If your system has code
0060  * that trips the following warning, it is using version 2 specific
0061  * capabilities and may be doing so insecurely.
0062  *
0063  * The remedy is to either upgrade your version of libcap (to 2.10+,
0064  * if the application is linked against it), or recompile your
0065  * application with modern kernel headers and this warning will go
0066  * away.
0067  */
0068 
0069 static void warn_deprecated_v2(void)
0070 {
0071     char name[sizeof(current->comm)];
0072 
0073     pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n",
0074              get_task_comm(name, current));
0075 }
0076 
0077 /*
0078  * Version check. Return the number of u32s in each capability flag
0079  * array, or a negative value on error.
0080  */
0081 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
0082 {
0083     __u32 version;
0084 
0085     if (get_user(version, &header->version))
0086         return -EFAULT;
0087 
0088     switch (version) {
0089     case _LINUX_CAPABILITY_VERSION_1:
0090         warn_legacy_capability_use();
0091         *tocopy = _LINUX_CAPABILITY_U32S_1;
0092         break;
0093     case _LINUX_CAPABILITY_VERSION_2:
0094         warn_deprecated_v2();
0095         /*
0096          * fall through - v3 is otherwise equivalent to v2.
0097          */
0098     case _LINUX_CAPABILITY_VERSION_3:
0099         *tocopy = _LINUX_CAPABILITY_U32S_3;
0100         break;
0101     default:
0102         if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
0103             return -EFAULT;
0104         return -EINVAL;
0105     }
0106 
0107     return 0;
0108 }
0109 
0110 /*
0111  * The only thing that can change the capabilities of the current
0112  * process is the current process. As such, we can't be in this code
0113  * at the same time as we are in the process of setting capabilities
0114  * in this process. The net result is that we can limit our use of
0115  * locks to when we are reading the caps of another process.
0116  */
0117 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
0118                      kernel_cap_t *pIp, kernel_cap_t *pPp)
0119 {
0120     int ret;
0121 
0122     if (pid && (pid != task_pid_vnr(current))) {
0123         struct task_struct *target;
0124 
0125         rcu_read_lock();
0126 
0127         target = find_task_by_vpid(pid);
0128         if (!target)
0129             ret = -ESRCH;
0130         else
0131             ret = security_capget(target, pEp, pIp, pPp);
0132 
0133         rcu_read_unlock();
0134     } else
0135         ret = security_capget(current, pEp, pIp, pPp);
0136 
0137     return ret;
0138 }
0139 
0140 /**
0141  * sys_capget - get the capabilities of a given process.
0142  * @header: pointer to struct that contains capability version and
0143  *  target pid data
0144  * @dataptr: pointer to struct that contains the effective, permitted,
0145  *  and inheritable capabilities that are returned
0146  *
0147  * Returns 0 on success and < 0 on error.
0148  */
0149 SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
0150 {
0151     int ret = 0;
0152     pid_t pid;
0153     unsigned tocopy;
0154     kernel_cap_t pE, pI, pP;
0155 
0156     ret = cap_validate_magic(header, &tocopy);
0157     if ((dataptr == NULL) || (ret != 0))
0158         return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
0159 
0160     if (get_user(pid, &header->pid))
0161         return -EFAULT;
0162 
0163     if (pid < 0)
0164         return -EINVAL;
0165 
0166     ret = cap_get_target_pid(pid, &pE, &pI, &pP);
0167     if (!ret) {
0168         struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
0169         unsigned i;
0170 
0171         for (i = 0; i < tocopy; i++) {
0172             kdata[i].effective = pE.cap[i];
0173             kdata[i].permitted = pP.cap[i];
0174             kdata[i].inheritable = pI.cap[i];
0175         }
0176 
0177         /*
0178          * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
0179          * we silently drop the upper capabilities here. This
0180          * has the effect of making older libcap
0181          * implementations implicitly drop upper capability
0182          * bits when they perform a: capget/modify/capset
0183          * sequence.
0184          *
0185          * This behavior is considered fail-safe
0186          * behavior. Upgrading the application to a newer
0187          * version of libcap will enable access to the newer
0188          * capabilities.
0189          *
0190          * An alternative would be to return an error here
0191          * (-ERANGE), but that causes legacy applications to
0192          * unexpectedly fail; the capget/modify/capset aborts
0193          * before modification is attempted and the application
0194          * fails.
0195          */
0196         if (copy_to_user(dataptr, kdata, tocopy
0197                  * sizeof(struct __user_cap_data_struct))) {
0198             return -EFAULT;
0199         }
0200     }
0201 
0202     return ret;
0203 }
0204 
0205 /**
0206  * sys_capset - set capabilities for a process or (*) a group of processes
0207  * @header: pointer to struct that contains capability version and
0208  *  target pid data
0209  * @data: pointer to struct that contains the effective, permitted,
0210  *  and inheritable capabilities
0211  *
0212  * Set capabilities for the current process only.  The ability to any other
0213  * process(es) has been deprecated and removed.
0214  *
0215  * The restrictions on setting capabilities are specified as:
0216  *
0217  * I: any raised capabilities must be a subset of the old permitted
0218  * P: any raised capabilities must be a subset of the old permitted
0219  * E: must be set to a subset of new permitted
0220  *
0221  * Returns 0 on success and < 0 on error.
0222  */
0223 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
0224 {
0225     struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
0226     unsigned i, tocopy, copybytes;
0227     kernel_cap_t inheritable, permitted, effective;
0228     struct cred *new;
0229     int ret;
0230     pid_t pid;
0231 
0232     ret = cap_validate_magic(header, &tocopy);
0233     if (ret != 0)
0234         return ret;
0235 
0236     if (get_user(pid, &header->pid))
0237         return -EFAULT;
0238 
0239     /* may only affect current now */
0240     if (pid != 0 && pid != task_pid_vnr(current))
0241         return -EPERM;
0242 
0243     copybytes = tocopy * sizeof(struct __user_cap_data_struct);
0244     if (copybytes > sizeof(kdata))
0245         return -EFAULT;
0246 
0247     if (copy_from_user(&kdata, data, copybytes))
0248         return -EFAULT;
0249 
0250     for (i = 0; i < tocopy; i++) {
0251         effective.cap[i] = kdata[i].effective;
0252         permitted.cap[i] = kdata[i].permitted;
0253         inheritable.cap[i] = kdata[i].inheritable;
0254     }
0255     while (i < _KERNEL_CAPABILITY_U32S) {
0256         effective.cap[i] = 0;
0257         permitted.cap[i] = 0;
0258         inheritable.cap[i] = 0;
0259         i++;
0260     }
0261 
0262     effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
0263     permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
0264     inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
0265 
0266     new = prepare_creds();
0267     if (!new)
0268         return -ENOMEM;
0269 
0270     ret = security_capset(new, current_cred(),
0271                   &effective, &inheritable, &permitted);
0272     if (ret < 0)
0273         goto error;
0274 
0275     audit_log_capset(new, current_cred());
0276 
0277     return commit_creds(new);
0278 
0279 error:
0280     abort_creds(new);
0281     return ret;
0282 }
0283 
0284 /**
0285  * has_ns_capability - Does a task have a capability in a specific user ns
0286  * @t: The task in question
0287  * @ns: target user namespace
0288  * @cap: The capability to be tested for
0289  *
0290  * Return true if the specified task has the given superior capability
0291  * currently in effect to the specified user namespace, false if not.
0292  *
0293  * Note that this does not set PF_SUPERPRIV on the task.
0294  */
0295 bool has_ns_capability(struct task_struct *t,
0296                struct user_namespace *ns, int cap)
0297 {
0298     int ret;
0299 
0300     rcu_read_lock();
0301     ret = security_capable(__task_cred(t), ns, cap);
0302     rcu_read_unlock();
0303 
0304     return (ret == 0);
0305 }
0306 
0307 /**
0308  * has_capability - Does a task have a capability in init_user_ns
0309  * @t: The task in question
0310  * @cap: The capability to be tested for
0311  *
0312  * Return true if the specified task has the given superior capability
0313  * currently in effect to the initial user namespace, false if not.
0314  *
0315  * Note that this does not set PF_SUPERPRIV on the task.
0316  */
0317 bool has_capability(struct task_struct *t, int cap)
0318 {
0319     return has_ns_capability(t, &init_user_ns, cap);
0320 }
0321 EXPORT_SYMBOL(has_capability);
0322 
0323 /**
0324  * has_ns_capability_noaudit - Does a task have a capability (unaudited)
0325  * in a specific user ns.
0326  * @t: The task in question
0327  * @ns: target user namespace
0328  * @cap: The capability to be tested for
0329  *
0330  * Return true if the specified task has the given superior capability
0331  * currently in effect to the specified user namespace, false if not.
0332  * Do not write an audit message for the check.
0333  *
0334  * Note that this does not set PF_SUPERPRIV on the task.
0335  */
0336 bool has_ns_capability_noaudit(struct task_struct *t,
0337                    struct user_namespace *ns, int cap)
0338 {
0339     int ret;
0340 
0341     rcu_read_lock();
0342     ret = security_capable_noaudit(__task_cred(t), ns, cap);
0343     rcu_read_unlock();
0344 
0345     return (ret == 0);
0346 }
0347 
0348 /**
0349  * has_capability_noaudit - Does a task have a capability (unaudited) in the
0350  * initial user ns
0351  * @t: The task in question
0352  * @cap: The capability to be tested for
0353  *
0354  * Return true if the specified task has the given superior capability
0355  * currently in effect to init_user_ns, false if not.  Don't write an
0356  * audit message for the check.
0357  *
0358  * Note that this does not set PF_SUPERPRIV on the task.
0359  */
0360 bool has_capability_noaudit(struct task_struct *t, int cap)
0361 {
0362     return has_ns_capability_noaudit(t, &init_user_ns, cap);
0363 }
0364 
0365 static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
0366 {
0367     int capable;
0368 
0369     if (unlikely(!cap_valid(cap))) {
0370         pr_crit("capable() called with invalid cap=%u\n", cap);
0371         BUG();
0372     }
0373 
0374     capable = audit ? security_capable(current_cred(), ns, cap) :
0375               security_capable_noaudit(current_cred(), ns, cap);
0376     if (capable == 0) {
0377         current->flags |= PF_SUPERPRIV;
0378         return true;
0379     }
0380     return false;
0381 }
0382 
0383 /**
0384  * ns_capable - Determine if the current task has a superior capability in effect
0385  * @ns:  The usernamespace we want the capability in
0386  * @cap: The capability to be tested for
0387  *
0388  * Return true if the current task has the given superior capability currently
0389  * available for use, false if not.
0390  *
0391  * This sets PF_SUPERPRIV on the task if the capability is available on the
0392  * assumption that it's about to be used.
0393  */
0394 bool ns_capable(struct user_namespace *ns, int cap)
0395 {
0396     return ns_capable_common(ns, cap, true);
0397 }
0398 EXPORT_SYMBOL(ns_capable);
0399 
0400 /**
0401  * ns_capable_noaudit - Determine if the current task has a superior capability
0402  * (unaudited) in effect
0403  * @ns:  The usernamespace we want the capability in
0404  * @cap: The capability to be tested for
0405  *
0406  * Return true if the current task has the given superior capability currently
0407  * available for use, false if not.
0408  *
0409  * This sets PF_SUPERPRIV on the task if the capability is available on the
0410  * assumption that it's about to be used.
0411  */
0412 bool ns_capable_noaudit(struct user_namespace *ns, int cap)
0413 {
0414     return ns_capable_common(ns, cap, false);
0415 }
0416 EXPORT_SYMBOL(ns_capable_noaudit);
0417 
0418 /**
0419  * capable - Determine if the current task has a superior capability in effect
0420  * @cap: The capability to be tested for
0421  *
0422  * Return true if the current task has the given superior capability currently
0423  * available for use, false if not.
0424  *
0425  * This sets PF_SUPERPRIV on the task if the capability is available on the
0426  * assumption that it's about to be used.
0427  */
0428 bool capable(int cap)
0429 {
0430     return ns_capable(&init_user_ns, cap);
0431 }
0432 EXPORT_SYMBOL(capable);
0433 #endif /* CONFIG_MULTIUSER */
0434 
0435 /**
0436  * file_ns_capable - Determine if the file's opener had a capability in effect
0437  * @file:  The file we want to check
0438  * @ns:  The usernamespace we want the capability in
0439  * @cap: The capability to be tested for
0440  *
0441  * Return true if task that opened the file had a capability in effect
0442  * when the file was opened.
0443  *
0444  * This does not set PF_SUPERPRIV because the caller may not
0445  * actually be privileged.
0446  */
0447 bool file_ns_capable(const struct file *file, struct user_namespace *ns,
0448              int cap)
0449 {
0450     if (WARN_ON_ONCE(!cap_valid(cap)))
0451         return false;
0452 
0453     if (security_capable(file->f_cred, ns, cap) == 0)
0454         return true;
0455 
0456     return false;
0457 }
0458 EXPORT_SYMBOL(file_ns_capable);
0459 
0460 /**
0461  * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
0462  * @ns: The user namespace in question
0463  * @inode: The inode in question
0464  *
0465  * Return true if the inode uid and gid are within the namespace.
0466  */
0467 bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
0468 {
0469     return kuid_has_mapping(ns, inode->i_uid) &&
0470         kgid_has_mapping(ns, inode->i_gid);
0471 }
0472 
0473 /**
0474  * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
0475  * @inode: The inode in question
0476  * @cap: The capability in question
0477  *
0478  * Return true if the current task has the given capability targeted at
0479  * its own user namespace and that the given inode's uid and gid are
0480  * mapped into the current user namespace.
0481  */
0482 bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
0483 {
0484     struct user_namespace *ns = current_user_ns();
0485 
0486     return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
0487 }
0488 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
0489 
0490 /**
0491  * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
0492  * @tsk: The task that may be ptraced
0493  * @ns: The user namespace to search for CAP_SYS_PTRACE in
0494  *
0495  * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
0496  * in the specified user namespace.
0497  */
0498 bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
0499 {
0500     int ret = 0;  /* An absent tracer adds no restrictions */
0501     const struct cred *cred;
0502     rcu_read_lock();
0503     cred = rcu_dereference(tsk->ptracer_cred);
0504     if (cred)
0505         ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
0506     rcu_read_unlock();
0507     return (ret == 0);
0508 }