• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 1997,2020 Andrew G Morgan <morgan@kernel.org>
3  *
4  * This file contains internal definitions for the various functions in
5  * this small capability library.
6  */
7 
8 #ifndef LIBCAP_H
9 #define LIBCAP_H
10 
11 #include <errno.h>
12 #include <stdio.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <stdint.h>
16 #include <sys/capability.h>
17 
18 #ifndef __u8
19 #define __u8    uint8_t
20 #endif /* __8 */
21 
22 #ifndef __u32
23 #define __u32   uint32_t
24 #endif /* __u32 */
25 
26 /* include the names for the caps and a definition of __CAP_BITS */
27 #include "cap_names.h"
28 
29 #ifndef _LINUX_CAPABILITY_U32S_1
30 # define _LINUX_CAPABILITY_U32S_1          1
31 #endif /* ndef _LINUX_CAPABILITY_U32S_1 */
32 
33 /*
34  * Do we match the local kernel?
35  */
36 
37 #if !defined(_LINUX_CAPABILITY_VERSION)
38 
39 # error Kernel <linux/capability.h> does not support library
40 # error file "libcap.h" --> fix and recompile libcap
41 
42 #elif !defined(_LINUX_CAPABILITY_VERSION_2)
43 
44 # warning Kernel <linux/capability.h> does not support 64-bit capabilities
45 # warning and libcap is being built with no support for 64-bit capabilities
46 
47 # ifndef _LINUX_CAPABILITY_VERSION_1
48 #  define _LINUX_CAPABILITY_VERSION_1 0x19980330
49 # endif
50 
51 # _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_1
52 # _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_1
53 
54 #elif defined(_LINUX_CAPABILITY_VERSION_3)
55 
56 # if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522)
57 #  error Kernel <linux/capability.h> v3 does not match library
58 #  error file "libcap.h" --> fix and recompile libcap
59 # else
60 #  define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_3
61 #  define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_3
62 # endif
63 
64 #elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026)
65 
66 # error Kernel <linux/capability.h> does not match library
67 # error file "libcap.h" --> fix and recompile libcap
68 
69 #else
70 
71 # define _LIBCAP_CAPABILITY_VERSION  _LINUX_CAPABILITY_VERSION_2
72 # define _LIBCAP_CAPABILITY_U32S     _LINUX_CAPABILITY_U32S_2
73 
74 #endif
75 
76 #undef _LINUX_CAPABILITY_VERSION
77 #undef _LINUX_CAPABILITY_U32S
78 
79 /*
80  * This is a pointer to a struct containing three consecutive
81  * capability sets in the order of the cap_flag_t type: the are
82  * effective,inheritable and permitted.  This is the type that the
83  * user-space routines think of as 'internal' capabilities - this is
84  * the type that is passed to the kernel with the system calls related
85  * to processes.
86  */
87 
88 #if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32)
89 # define VFS_CAP_U32_1                   1
90 # define XATTR_CAPS_SZ_1                 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
91 # define VFS_CAP_U32                     VFS_CAP_U32_1
92 struct _cap_vfs_cap_data {
93     __le32 magic_etc;
94     struct {
95 	__le32 permitted;
96 	__le32 inheritable;
97     } data[VFS_CAP_U32_1];
98 };
99 # define vfs_cap_data                    _cap_vfs_cap_data
100 #endif
101 
102 #ifndef CAP_TO_INDEX
103 # define CAP_TO_INDEX(x)     ((x) >> 5)  /* 1 << 5 == bits in __u32 */
104 #endif /* ndef CAP_TO_INDEX */
105 
106 #ifndef CAP_TO_MASK
107 # define CAP_TO_MASK(x)      (1 << ((x) & 31))
108 #endif /* ndef CAP_TO_MASK */
109 
110 #define NUMBER_OF_CAP_SETS      3   /* effective, inheritable, permitted */
111 #define __CAP_BLKS   (_LIBCAP_CAPABILITY_U32S)
112 #define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32))
113 
114 #define CAP_T_MAGIC 0xCA90D0
115 struct _cap_struct {
116     struct __user_cap_header_struct head;
117     union {
118 	struct __user_cap_data_struct set;
119 	__u32 flat[NUMBER_OF_CAP_SETS];
120     } u[_LIBCAP_CAPABILITY_U32S];
121     uid_t rootid;
122 };
123 
124 /* the maximum bits supportable */
125 #define __CAP_MAXBITS (__CAP_BLKS * 32)
126 
127 /* string magic for cap_free */
128 #define CAP_S_MAGIC 0xCA95D0
129 
130 /* iab set magic for cap_free */
131 #define CAP_IAB_MAGIC 0xCA9AB
132 
133 /* launcher magic for cap_free */
134 #define CAP_LAUNCH_MAGIC 0xCA91A
135 
136 /*
137  * kernel API cap set abstraction
138  */
139 
140 #define raise_cap(x, set)    u[(x) >> 5].flat[set]       |=  (1u << ((x)&31))
141 #define lower_cap(x, set)    u[(x) >> 5].flat[set]       &= ~(1u << ((x)&31))
142 #define isset_cap(y, x, set) ((y)->u[(x) >> 5].flat[set] &   (1u << ((x)&31)))
143 
144 /*
145  * Private definitions for internal use by the library.
146  */
147 
148 #define __libcap_check_magic(c,magic) ((c) && *(-1+(__u32 *)(c)) == (magic))
149 #define good_cap_t(c)        __libcap_check_magic(c, CAP_T_MAGIC)
150 #define good_cap_string(c)   __libcap_check_magic(c, CAP_S_MAGIC)
151 #define good_cap_iab_t(c)    __libcap_check_magic(c, CAP_IAB_MAGIC)
152 #define good_cap_launch_t(c) __libcap_check_magic(c, CAP_LAUNCH_MAGIC)
153 
154 /*
155  * These match CAP_DIFFERS() expectations
156  */
157 #define LIBCAP_EFF   (1 << CAP_EFFECTIVE)
158 #define LIBCAP_INH   (1 << CAP_INHERITABLE)
159 #define LIBCAP_PER   (1 << CAP_PERMITTED)
160 
161 /*
162  * library debugging
163  */
164 #ifdef DEBUG
165 
166 #include <stdio.h>
167 # define _cap_debug(f, x...)  do { \
168     fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \
169     fprintf(stderr, f, ## x); \
170     fprintf(stderr, "\n"); \
171 } while (0)
172 
173 # define _cap_debugcap(s, c, set) do { \
174     unsigned _cap_index; \
175     fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \
176     for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \
177        fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \
178     } \
179     fprintf(stderr, "\n"); \
180 } while (0)
181 
182 #else /* !DEBUG */
183 
184 # define _cap_debug(f, x...)
185 # define _cap_debugcap(s, c, set)
186 
187 #endif /* DEBUG */
188 
189 extern char *_libcap_strdup(const char *text);
190 
191 /*
192  * These are semi-public prototypes, they will only be defined in
193  * <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we
194  * place them here too.
195  */
196 
197 extern int capget(cap_user_header_t header, cap_user_data_t data);
198 extern int capgetp(pid_t pid, cap_t cap_d);
199 extern int capsetp(pid_t pid, cap_t cap_d);
200 
201 /* prctl based API for altering character of current process */
202 #define PR_GET_KEEPCAPS    7
203 #define PR_SET_KEEPCAPS    8
204 #define PR_CAPBSET_READ   23
205 #define PR_CAPBSET_DROP   24
206 #define PR_GET_SECUREBITS 27
207 #define PR_SET_SECUREBITS 28
208 
209 /*
210  * The library compares sizeof() with integer return values. To avoid
211  * signed/unsigned comparisons, leading to unfortunate
212  * misinterpretations of -1, we provide a convenient cast-to-signed-integer
213  * version of sizeof().
214  */
215 #define ssizeof(x) ((ssize_t) sizeof(x))
216 
217 /*
218  * Put this here as a macro so we can unit test it.
219  */
220 #define _binary_search(val, fn, low, high, fallback) do {	\
221 	cap_value_t min = low, max = high;			\
222 	while (min <= max) {					\
223 	    cap_value_t mid = (min+max) / 2;			\
224 	    if (fn(mid) < 0) {					\
225 		max = mid - 1;					\
226 	    } else {						\
227 		min = mid + 1;					\
228 	    }							\
229 	}							\
230 	val = min ? min : fallback;				\
231     } while(0)
232 
233 /*
234  * cap_iab_s holds a collection of inheritable capability bits. The i
235  * bits are inheritable (these are the same as those in cap_t), the a
236  * bits are ambient bits (which cannot be a superset of i&p), and nb
237  * are the bits that will be dropped from the bounding set when
238  * applied.
239  */
240 struct cap_iab_s {
241     __u32 i[_LIBCAP_CAPABILITY_U32S];
242     __u32 a[_LIBCAP_CAPABILITY_U32S];
243     __u32 nb[_LIBCAP_CAPABILITY_U32S];
244 };
245 
246 #define LIBCAP_IAB_I_FLAG (1U << CAP_IAB_INH)
247 #define LIBCAP_IAB_A_FLAG (1U << CAP_IAB_AMB)
248 #define LIBCAP_IAB_IA_FLAG (LIBCAP_IAB_I_FLAG | LIBCAP_IAB_A_FLAG)
249 #define LIBCAP_IAB_NB_FLAG (1U << CAP_IAB_BOUND)
250 
251 /*
252  * The following support launching another process without destroying
253  * the state of the current process. This is especially useful for
254  * multithreaded applications.
255  */
256 struct cap_launch_s {
257     /*
258      * Once forked but before active privilege is changed, this
259      * function (if non-NULL) is called.
260      */
261     int (*custom_setup_fn)(void *detail);
262 
263     /*
264      * user and groups to be used by the forked child.
265      */
266     int change_uids;
267     uid_t uid;
268 
269     int change_gids;
270     gid_t gid;
271     int ngroups;
272     const gid_t *groups;
273 
274     /*
275      * mode holds the preferred capability mode. Any non-uncertain
276      * setting here will require an empty ambient set.
277      */
278     int change_mode;
279     cap_mode_t mode;
280 
281     /*
282      * i,a,[n]b caps. These bitmaps hold all of the capability sets that
283      * cap_launch will affect. nb holds values to be lowered in the bounding
284      * set.
285      */
286     struct cap_iab_s *iab;
287 
288     /* chroot holds a preferred chroot for the launched child. */
289     char *chroot;
290 
291     /*
292      * execve style arguments
293      */
294     const char *arg0;
295     const char *const *argv;
296     const char *const *envp;
297 };
298 
299 #endif /* LIBCAP_H */
300