1 /*
2 * Copyright (c) 1997-8,2007,11,19,20 Andrew G Morgan <morgan@kernel.org>
3 *
4 * This file deals with getting and setting capabilities on processes.
5 */
6
7 #ifndef _GNU_SOURCE
8 #define _GNU_SOURCE
9 #endif
10
11 #include <errno.h>
12 #include <fcntl.h> /* Obtain O_* constant definitions */
13 #include <grp.h>
14 #include <sys/prctl.h>
15 #include <sys/securebits.h>
16 #include <sys/syscall.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <sys/wait.h>
20
21 #include <linux/limits.h>
22
23 #include "libcap.h"
24
25 /*
26 * libcap uses this abstraction for all system calls that change
27 * kernel managed capability state. This permits the user to redirect
28 * it for testing and also to better implement posix semantics when
29 * using pthreads.
30 */
31
_cap_syscall3(long int syscall_nr,long int arg1,long int arg2,long int arg3)32 static long int _cap_syscall3(long int syscall_nr,
33 long int arg1, long int arg2, long int arg3)
34 {
35 return syscall(syscall_nr, arg1, arg2, arg3);
36 }
37
_cap_syscall6(long int syscall_nr,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5,long int arg6)38 static long int _cap_syscall6(long int syscall_nr,
39 long int arg1, long int arg2, long int arg3,
40 long int arg4, long int arg5, long int arg6)
41 {
42 return syscall(syscall_nr, arg1, arg2, arg3, arg4, arg5, arg6);
43 }
44
45 /*
46 * to keep the structure of the code conceptually similar in C and Go
47 * implementations, we introduce this abstraction for invoking state
48 * writing system calls. In psx+pthreaded code, the fork
49 * implementation provided by nptl ensures that we can consistently
50 * use the multithreaded syscalls even in the child after a fork().
51 */
52 struct syscaller_s {
53 long int (*three)(long int syscall_nr,
54 long int arg1, long int arg2, long int arg3);
55 long int (*six)(long int syscall_nr,
56 long int arg1, long int arg2, long int arg3,
57 long int arg4, long int arg5, long int arg6);
58 };
59
60 /* use this syscaller for multi-threaded code */
61 static struct syscaller_s multithread = {
62 .three = _cap_syscall3,
63 .six = _cap_syscall6
64 };
65
66 /* use this syscaller for single-threaded code */
67 static struct syscaller_s singlethread = {
68 .three = _cap_syscall3,
69 .six = _cap_syscall6
70 };
71
72 /*
73 * This gets reset to 0 if we are *not* linked with libpsx.
74 */
75 static int _libcap_overrode_syscalls = 1;
76
77 /*
78 * psx_load_syscalls() is weakly defined so we can have it overridden
79 * by libpsx if that library is linked. Specifically, when libcap
80 * calls psx_load_sycalls() it is prepared to override the default
81 * values for the syscalls that libcap uses to change security state.
82 * As can be seen here this present function is mostly a
83 * no-op. However, if libpsx is linked, the one present in that
84 * library (not being weak) will replace this one and the
85 * _libcap_overrode_syscalls value isn't forced to zero.
86 *
87 * Note: we hardcode the prototype for the psx_load_syscalls()
88 * function here so the compiler isn't worried. If we force the build
89 * to include the header, we are close to requiring the optional
90 * libpsx to be linked.
91 */
92 void psx_load_syscalls(long int (**syscall_fn)(long int,
93 long int, long int, long int),
94 long int (**syscall6_fn)(long int,
95 long int, long int, long int,
96 long int, long int, long int));
97
98 __attribute__((weak))
psx_load_syscalls(long int (** syscall_fn)(long int,long int,long int,long int),long int (** syscall6_fn)(long int,long int,long int,long int,long int,long int,long int))99 void psx_load_syscalls(long int (**syscall_fn)(long int,
100 long int, long int, long int),
101 long int (**syscall6_fn)(long int,
102 long int, long int, long int,
103 long int, long int, long int))
104 {
105 _libcap_overrode_syscalls = 0;
106 }
107
108 /*
109 * cap_set_syscall overrides the state setting syscalls that libcap does.
110 * Generally, you don't need to call this manually: libcap tries hard to
111 * set things up appropriately.
112 */
cap_set_syscall(long int (* new_syscall)(long int,long int,long int,long int),long int (* new_syscall6)(long int,long int,long int,long int,long int,long int,long int))113 void cap_set_syscall(long int (*new_syscall)(long int,
114 long int, long int, long int),
115 long int (*new_syscall6)(long int, long int,
116 long int, long int,
117 long int, long int,
118 long int)) {
119 if (new_syscall == NULL) {
120 psx_load_syscalls(&multithread.three, &multithread.six);
121 } else {
122 multithread.three = new_syscall;
123 multithread.six = new_syscall6;
124 }
125 }
126
_libcap_capset(struct syscaller_s * sc,cap_user_header_t header,const cap_user_data_t data)127 static int _libcap_capset(struct syscaller_s *sc,
128 cap_user_header_t header, const cap_user_data_t data)
129 {
130 if (_libcap_overrode_syscalls) {
131 return sc->three(SYS_capset, (long int) header, (long int) data, 0);
132 }
133 return capset(header, data);
134 }
135
_libcap_wprctl3(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2)136 static int _libcap_wprctl3(struct syscaller_s *sc,
137 long int pr_cmd, long int arg1, long int arg2)
138 {
139 if (_libcap_overrode_syscalls) {
140 return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
141 }
142 return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
143 }
144
_libcap_wprctl6(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)145 static int _libcap_wprctl6(struct syscaller_s *sc,
146 long int pr_cmd, long int arg1, long int arg2,
147 long int arg3, long int arg4, long int arg5)
148 {
149 if (_libcap_overrode_syscalls) {
150 return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
151 }
152 return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
153 }
154
155 /*
156 * cap_get_proc obtains the capability set for the current process.
157 */
cap_get_proc(void)158 cap_t cap_get_proc(void)
159 {
160 cap_t result;
161
162 /* allocate a new capability set */
163 result = cap_init();
164 if (result) {
165 _cap_debug("getting current process' capabilities");
166
167 /* fill the capability sets via a system call */
168 if (capget(&result->head, &result->u[0].set)) {
169 cap_free(result);
170 result = NULL;
171 }
172 }
173
174 return result;
175 }
176
_cap_set_proc(struct syscaller_s * sc,cap_t cap_d)177 static int _cap_set_proc(struct syscaller_s *sc, cap_t cap_d) {
178 int retval;
179
180 if (!good_cap_t(cap_d)) {
181 errno = EINVAL;
182 return -1;
183 }
184
185 _cap_debug("setting process capabilities");
186 retval = _libcap_capset(sc, &cap_d->head, &cap_d->u[0].set);
187
188 return retval;
189 }
190
cap_set_proc(cap_t cap_d)191 int cap_set_proc(cap_t cap_d)
192 {
193 return _cap_set_proc(&multithread, cap_d);
194 }
195
196 /* the following two functions are not required by POSIX */
197
198 /* read the caps on a specific process */
199
capgetp(pid_t pid,cap_t cap_d)200 int capgetp(pid_t pid, cap_t cap_d)
201 {
202 int error;
203
204 if (!good_cap_t(cap_d)) {
205 errno = EINVAL;
206 return -1;
207 }
208
209 _cap_debug("getting process capabilities for proc %d", pid);
210
211 cap_d->head.pid = pid;
212 error = capget(&cap_d->head, &cap_d->u[0].set);
213 cap_d->head.pid = 0;
214
215 return error;
216 }
217
218 /* allocate space for and return capabilities of target process */
219
cap_get_pid(pid_t pid)220 cap_t cap_get_pid(pid_t pid)
221 {
222 cap_t result;
223
224 result = cap_init();
225 if (result) {
226 if (capgetp(pid, result) != 0) {
227 int my_errno;
228
229 my_errno = errno;
230 cap_free(result);
231 errno = my_errno;
232 result = NULL;
233 }
234 }
235
236 return result;
237 }
238
239 /*
240 * set the caps on a specific process/pg etc.. The kernel has long
241 * since deprecated this asynchronous interface. DON'T EXPECT THIS TO
242 * EVER WORK AGAIN.
243 */
244
capsetp(pid_t pid,cap_t cap_d)245 int capsetp(pid_t pid, cap_t cap_d)
246 {
247 int error;
248
249 if (!good_cap_t(cap_d)) {
250 errno = EINVAL;
251 return -1;
252 }
253
254 _cap_debug("setting process capabilities for proc %d", pid);
255 cap_d->head.pid = pid;
256 error = capset(&cap_d->head, &cap_d->u[0].set);
257 cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
258 cap_d->head.pid = 0;
259
260 return error;
261 }
262
263 /* the kernel api requires unsigned long arguments */
264 #define pr_arg(x) ((unsigned long) x)
265
266 /* get a capability from the bounding set */
267
cap_get_bound(cap_value_t cap)268 int cap_get_bound(cap_value_t cap)
269 {
270 int result;
271
272 result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
273 if (result < 0) {
274 errno = -result;
275 return -1;
276 }
277 return result;
278 }
279
_cap_drop_bound(struct syscaller_s * sc,cap_value_t cap)280 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
281 {
282 int result;
283
284 result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
285 if (result < 0) {
286 errno = -result;
287 return -1;
288 }
289 return result;
290 }
291
292 /* drop a capability from the bounding set */
293
cap_drop_bound(cap_value_t cap)294 int cap_drop_bound(cap_value_t cap) {
295 return _cap_drop_bound(&multithread, cap);
296 }
297
298 /* get a capability from the ambient set */
299
cap_get_ambient(cap_value_t cap)300 int cap_get_ambient(cap_value_t cap)
301 {
302 int result;
303 result = prctl(PR_CAP_AMBIENT, pr_arg(PR_CAP_AMBIENT_IS_SET),
304 pr_arg(cap), pr_arg(0), pr_arg(0));
305 if (result < 0) {
306 errno = -result;
307 return -1;
308 }
309 return result;
310 }
311
_cap_set_ambient(struct syscaller_s * sc,cap_value_t cap,cap_flag_value_t set)312 static int _cap_set_ambient(struct syscaller_s *sc,
313 cap_value_t cap, cap_flag_value_t set)
314 {
315 int result, val;
316 switch (set) {
317 case CAP_SET:
318 val = PR_CAP_AMBIENT_RAISE;
319 break;
320 case CAP_CLEAR:
321 val = PR_CAP_AMBIENT_LOWER;
322 break;
323 default:
324 errno = EINVAL;
325 return -1;
326 }
327 result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
328 pr_arg(0), pr_arg(0), pr_arg(0));
329 if (result < 0) {
330 errno = -result;
331 return -1;
332 }
333 return result;
334 }
335
336 /*
337 * cap_set_ambient modifies a single ambient capability value.
338 */
cap_set_ambient(cap_value_t cap,cap_flag_value_t set)339 int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
340 {
341 return _cap_set_ambient(&multithread, cap, set);
342 }
343
_cap_reset_ambient(struct syscaller_s * sc)344 static int _cap_reset_ambient(struct syscaller_s *sc)
345 {
346 int olderrno = errno;
347 cap_value_t c;
348 int result = 0;
349
350 for (c = 0; !result; c++) {
351 result = cap_get_ambient(c);
352 if (result == -1) {
353 errno = olderrno;
354 return 0;
355 }
356 }
357
358 result = _libcap_wprctl6(sc, PR_CAP_AMBIENT,
359 pr_arg(PR_CAP_AMBIENT_CLEAR_ALL),
360 pr_arg(0), pr_arg(0), pr_arg(0), pr_arg(0));
361 if (result < 0) {
362 errno = -result;
363 return -1;
364 }
365 return result;
366 }
367
368 /*
369 * cap_reset_ambient erases all ambient capabilities - this reads the
370 * ambient caps before performing the erase to workaround the corner
371 * case where the set is empty already but the ambient cap API is
372 * locked.
373 */
cap_reset_ambient()374 int cap_reset_ambient()
375 {
376 return _cap_reset_ambient(&multithread);
377 }
378
379 /*
380 * Read the security mode of the current process.
381 */
cap_get_secbits(void)382 unsigned cap_get_secbits(void)
383 {
384 return (unsigned) prctl(PR_GET_SECUREBITS, pr_arg(0), pr_arg(0));
385 }
386
_cap_set_secbits(struct syscaller_s * sc,unsigned bits)387 static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
388 {
389 return _libcap_wprctl3(sc, PR_SET_SECUREBITS, bits, 0);
390 }
391
392 /*
393 * Set the secbits of the current process.
394 */
cap_set_secbits(unsigned bits)395 int cap_set_secbits(unsigned bits)
396 {
397 return _cap_set_secbits(&multithread, bits);
398 }
399
400 /*
401 * Attempt to raise the no new privs prctl value.
402 */
_cap_set_no_new_privs(struct syscaller_s * sc)403 static void _cap_set_no_new_privs(struct syscaller_s *sc)
404 {
405 (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
406 }
407
408 /*
409 * Some predefined constants
410 */
411 #define CAP_SECURED_BITS_BASIC \
412 (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED | \
413 SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | \
414 SECBIT_KEEP_CAPS_LOCKED)
415
416 #define CAP_SECURED_BITS_AMBIENT (CAP_SECURED_BITS_BASIC | \
417 SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)
418
419 static cap_value_t raise_cap_setpcap[] = {CAP_SETPCAP};
420
_cap_set_mode(struct syscaller_s * sc,cap_mode_t flavor)421 static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
422 {
423 cap_t working = cap_get_proc();
424 unsigned secbits = CAP_SECURED_BITS_AMBIENT;
425
426 int ret = cap_set_flag(working, CAP_EFFECTIVE,
427 1, raise_cap_setpcap, CAP_SET);
428 ret = ret | _cap_set_proc(sc, working);
429
430 if (ret == 0) {
431 cap_flag_t c;
432
433 switch (flavor) {
434 case CAP_MODE_NOPRIV:
435 /* fall through */
436 case CAP_MODE_PURE1E_INIT:
437 (void) cap_clear_flag(working, CAP_INHERITABLE);
438 /* fall through */
439 case CAP_MODE_PURE1E:
440 if (!CAP_AMBIENT_SUPPORTED()) {
441 secbits = CAP_SECURED_BITS_BASIC;
442 } else {
443 ret = _cap_reset_ambient(sc);
444 if (ret) {
445 break; /* ambient dropping failed */
446 }
447 }
448 ret = _cap_set_secbits(sc, secbits);
449 if (flavor != CAP_MODE_NOPRIV) {
450 break;
451 }
452
453 /* just for "case CAP_MODE_NOPRIV:" */
454
455 for (c = 0; cap_get_bound(c) >= 0; c++) {
456 (void) _cap_drop_bound(sc, c);
457 }
458 (void) cap_clear_flag(working, CAP_PERMITTED);
459
460 /* for good measure */
461 _cap_set_no_new_privs(sc);
462 break;
463
464 default:
465 errno = EINVAL;
466 ret = -1;
467 break;
468 }
469 }
470
471 (void) cap_clear_flag(working, CAP_EFFECTIVE);
472 ret = _cap_set_proc(sc, working) | ret;
473 (void) cap_free(working);
474 return ret;
475 }
476
477 /*
478 * cap_set_mode locks the overarching capability framework of the
479 * present process and thus its children to a predefined flavor. Once
480 * set, these modes cannot be undone by the affected process tree and
481 * can only be done by "cap_setpcap" permitted processes. Note, a side
482 * effect of this function, whether it succeeds or fails, is to clear
483 * at least the CAP_EFFECTIVE flags for the current process.
484 */
cap_set_mode(cap_mode_t flavor)485 int cap_set_mode(cap_mode_t flavor)
486 {
487 return _cap_set_mode(&multithread, flavor);
488 }
489
490 /*
491 * cap_get_mode attempts to determine what the current capability mode
492 * is. If it can find no match in the libcap pre-defined modes, it
493 * returns CAP_MODE_UNCERTAIN.
494 */
cap_get_mode(void)495 cap_mode_t cap_get_mode(void)
496 {
497 unsigned secbits = cap_get_secbits();
498
499 if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
500 return CAP_MODE_UNCERTAIN;
501 }
502
503 /* validate ambient is not set */
504 int olderrno = errno;
505 int ret = 0;
506 cap_value_t c;
507 for (c = 0; !ret; c++) {
508 ret = cap_get_ambient(c);
509 if (ret == -1) {
510 errno = olderrno;
511 if (c && secbits != CAP_SECURED_BITS_AMBIENT) {
512 return CAP_MODE_UNCERTAIN;
513 }
514 break;
515 }
516 if (ret) {
517 return CAP_MODE_UNCERTAIN;
518 }
519 }
520
521 cap_t working = cap_get_proc();
522 cap_t empty = cap_init();
523 int cf = cap_compare(empty, working);
524 cap_free(empty);
525 cap_free(working);
526
527 if (CAP_DIFFERS(cf, CAP_INHERITABLE)) {
528 return CAP_MODE_PURE1E;
529 }
530 if (CAP_DIFFERS(cf, CAP_PERMITTED) || CAP_DIFFERS(cf, CAP_EFFECTIVE)) {
531 return CAP_MODE_PURE1E_INIT;
532 }
533
534 for (c = 0; ; c++) {
535 int v = cap_get_bound(c);
536 if (v == -1) {
537 break;
538 }
539 if (v) {
540 return CAP_MODE_PURE1E_INIT;
541 }
542 }
543
544 return CAP_MODE_NOPRIV;
545 }
546
_cap_setuid(struct syscaller_s * sc,uid_t uid)547 static int _cap_setuid(struct syscaller_s *sc, uid_t uid)
548 {
549 const cap_value_t raise_cap_setuid[] = {CAP_SETUID};
550 cap_t working = cap_get_proc();
551 (void) cap_set_flag(working, CAP_EFFECTIVE,
552 1, raise_cap_setuid, CAP_SET);
553 /*
554 * Note, we are cognizant of not using glibc's setuid in the case
555 * that we've modified the way libcap is doing setting
556 * syscalls. This is because prctl needs to be working in a POSIX
557 * compliant way for the code below to work, so we are either
558 * all-broken or not-broken and don't allow for "sort of working".
559 */
560 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 1, 0);
561 int ret = _cap_set_proc(sc, working);
562 if (ret == 0) {
563 if (_libcap_overrode_syscalls) {
564 ret = sc->three(SYS_setuid, (long int) uid, 0, 0);
565 if (ret < 0) {
566 errno = -ret;
567 ret = -1;
568 }
569 } else {
570 ret = setuid(uid);
571 }
572 }
573 int olderrno = errno;
574 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 0, 0);
575 (void) cap_clear_flag(working, CAP_EFFECTIVE);
576 (void) _cap_set_proc(sc, working);
577 (void) cap_free(working);
578
579 errno = olderrno;
580 return ret;
581 }
582
583 /*
584 * cap_setuid attempts to set the uid of the process without dropping
585 * any permitted capabilities in the process. A side effect of a call
586 * to this function is that the effective set will be cleared by the
587 * time the function returns.
588 */
cap_setuid(uid_t uid)589 int cap_setuid(uid_t uid)
590 {
591 return _cap_setuid(&multithread, uid);
592 }
593
594 #if defined(__arm__) || defined(__i386__) || \
595 defined(__i486__) || defined(__i586__) || defined(__i686__)
596 #define sys_setgroups_variant SYS_setgroups32
597 #else
598 #define sys_setgroups_variant SYS_setgroups
599 #endif
600
_cap_setgroups(struct syscaller_s * sc,gid_t gid,size_t ngroups,const gid_t groups[])601 static int _cap_setgroups(struct syscaller_s *sc,
602 gid_t gid, size_t ngroups, const gid_t groups[])
603 {
604 const cap_value_t raise_cap_setgid[] = {CAP_SETGID};
605 cap_t working = cap_get_proc();
606 (void) cap_set_flag(working, CAP_EFFECTIVE,
607 1, raise_cap_setgid, CAP_SET);
608 /*
609 * Note, we are cognizant of not using glibc's setgid etc in the
610 * case that we've modified the way libcap is doing setting
611 * syscalls. This is because prctl needs to be working in a POSIX
612 * compliant way for the other functions of this file so we are
613 * all-broken or not-broken and don't allow for "sort of working".
614 */
615 int ret = _cap_set_proc(sc, working);
616 if (_libcap_overrode_syscalls) {
617 if (ret == 0) {
618 ret = sc->three(SYS_setgid, (long int) gid, 0, 0);
619 }
620 if (ret == 0) {
621 ret = sc->three(sys_setgroups_variant, (long int) ngroups,
622 (long int) groups, 0);
623 }
624 if (ret < 0) {
625 errno = -ret;
626 ret = -1;
627 }
628 } else {
629 if (ret == 0) {
630 ret = setgid(gid);
631 }
632 if (ret == 0) {
633 ret = setgroups(ngroups, groups);
634 }
635 }
636 int olderrno = errno;
637
638 (void) cap_clear_flag(working, CAP_EFFECTIVE);
639 (void) _cap_set_proc(sc, working);
640 (void) cap_free(working);
641
642 errno = olderrno;
643 return ret;
644 }
645
646 /*
647 * cap_setgroups combines setting the gid with changing the set of
648 * supplemental groups for a user into one call that raises the needed
649 * capabilities to do it for the duration of the call. A side effect
650 * of a call to this function is that the effective set will be
651 * cleared by the time the function returns.
652 */
cap_setgroups(gid_t gid,size_t ngroups,const gid_t groups[])653 int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[])
654 {
655 return _cap_setgroups(&multithread, gid, ngroups, groups);
656 }
657
658 /*
659 * cap_iab_get_proc returns a cap_iab_t value initialized by the
660 * current process state related to these iab bits.
661 */
cap_iab_get_proc(void)662 cap_iab_t cap_iab_get_proc(void)
663 {
664 cap_iab_t iab = cap_iab_init();
665 cap_t current = cap_get_proc();
666 cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
667 cap_value_t c;
668 for (c = cap_max_bits(); c; ) {
669 --c;
670 int o = c >> 5;
671 __u32 mask = 1U << (c & 31);
672 if (cap_get_bound(c) == 0) {
673 iab->nb[o] |= mask;
674 }
675 if (cap_get_ambient(c) == 1) {
676 iab->a[o] |= mask;
677 }
678 }
679 return iab;
680 }
681
682 /*
683 * _cap_iab_set_proc sets the iab collection using the requested syscaller.
684 */
_cap_iab_set_proc(struct syscaller_s * sc,cap_iab_t iab)685 static int _cap_iab_set_proc(struct syscaller_s *sc, cap_iab_t iab)
686 {
687 int ret, i;
688 cap_t working, temp = cap_get_proc();
689 cap_value_t c;
690 int raising = 0;
691
692 for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
693 __u32 newI = iab->i[i];
694 __u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
695 temp->u[i].flat[CAP_PERMITTED];
696 raising |= (newI & ~oldIP) | iab->a[i] | iab->nb[i];
697 temp->u[i].flat[CAP_INHERITABLE] = newI;
698
699 }
700
701 working = cap_dup(temp);
702 if (raising) {
703 ret = cap_set_flag(working, CAP_EFFECTIVE,
704 1, raise_cap_setpcap, CAP_SET);
705 if (ret) {
706 goto defer;
707 }
708 }
709 if ((ret = _cap_set_proc(sc, working))) {
710 goto defer;
711 }
712 if ((ret = _cap_reset_ambient(sc))) {
713 goto done;
714 }
715
716 for (c = cap_max_bits(); c-- != 0; ) {
717 unsigned offset = c >> 5;
718 __u32 mask = 1U << (c & 31);
719 if (iab->a[offset] & mask) {
720 ret = _cap_set_ambient(sc, c, CAP_SET);
721 if (ret) {
722 goto done;
723 }
724 }
725 if (iab->nb[offset] & mask) {
726 /* drop the bounding bit */
727 ret = _cap_drop_bound(sc, c);
728 if (ret) {
729 goto done;
730 }
731 }
732 }
733
734 done:
735 (void) cap_set_proc(temp);
736
737 defer:
738 cap_free(working);
739 cap_free(temp);
740
741 return ret;
742 }
743
744 /*
745 * cap_iab_set_proc sets the iab capability vectors of the current
746 * process.
747 */
cap_iab_set_proc(cap_iab_t iab)748 int cap_iab_set_proc(cap_iab_t iab)
749 {
750 return _cap_iab_set_proc(&multithread, iab);
751 }
752
753 /*
754 * cap_launcher_callback primes the launcher with a callback that will
755 * be invoked after the fork() but before any privilege has changed
756 * and before the execve(). This can be used to augment the state of
757 * the child process within the cap_launch() process. You can cancel
758 * any callback associated with a launcher by calling this function
759 * with a callback_fn value NULL.
760 *
761 * If the callback function returns anything other than 0, it is
762 * considered to have failed and the launch will be aborted - further,
763 * errno will be communicated to the parent.
764 */
cap_launcher_callback(cap_launch_t attr,int (callback_fn)(void * detail))765 void cap_launcher_callback(cap_launch_t attr, int (callback_fn)(void *detail))
766 {
767 attr->custom_setup_fn = callback_fn;
768 }
769
770 /*
771 * cap_launcher_setuid primes the launcher to attempt a change of uid.
772 */
cap_launcher_setuid(cap_launch_t attr,uid_t uid)773 void cap_launcher_setuid(cap_launch_t attr, uid_t uid)
774 {
775 attr->uid = uid;
776 attr->change_uids = 1;
777 }
778
779 /*
780 * cap_launcher_setgroups primes the launcher to attempt a change of
781 * gid and groups.
782 */
cap_launcher_setgroups(cap_launch_t attr,gid_t gid,int ngroups,const gid_t * groups)783 void cap_launcher_setgroups(cap_launch_t attr, gid_t gid,
784 int ngroups, const gid_t *groups)
785 {
786 attr->gid = gid;
787 attr->ngroups = ngroups;
788 attr->groups = groups;
789 attr->change_gids = 1;
790 }
791
792 /*
793 * cap_launcher_set_mode primes the launcher to attempt a change of
794 * mode.
795 */
cap_launcher_set_mode(cap_launch_t attr,cap_mode_t flavor)796 void cap_launcher_set_mode(cap_launch_t attr, cap_mode_t flavor)
797 {
798 attr->mode = flavor;
799 attr->change_mode = 1;
800 }
801
802 /*
803 * cap_launcher_set_iab primes the launcher to attempt to change the iab bits of
804 * the launched child.
805 */
cap_launcher_set_iab(cap_launch_t attr,cap_iab_t iab)806 cap_iab_t cap_launcher_set_iab(cap_launch_t attr, cap_iab_t iab)
807 {
808 cap_iab_t old = attr->iab;
809 attr->iab = iab;
810 return old;
811 }
812
813 /*
814 * cap_launcher_set_chroot sets the intended chroot for the launched
815 * child.
816 */
cap_launcher_set_chroot(cap_launch_t attr,const char * chroot)817 void cap_launcher_set_chroot(cap_launch_t attr, const char *chroot)
818 {
819 attr->chroot = _libcap_strdup(chroot);
820 }
821
_cap_chroot(struct syscaller_s * sc,const char * root)822 static int _cap_chroot(struct syscaller_s *sc, const char *root)
823 {
824 const cap_value_t raise_cap_sys_chroot[] = {CAP_SYS_CHROOT};
825 cap_t working = cap_get_proc();
826 (void) cap_set_flag(working, CAP_EFFECTIVE,
827 1, raise_cap_sys_chroot, CAP_SET);
828 int ret = _cap_set_proc(sc, working);
829 if (ret == 0) {
830 if (_libcap_overrode_syscalls) {
831 ret = sc->three(SYS_chroot, (long int) root, 0, 0);
832 if (ret < 0) {
833 errno = -ret;
834 ret = -1;
835 }
836 } else {
837 ret = chroot(root);
838 }
839 }
840 int olderrno = errno;
841 (void) cap_clear_flag(working, CAP_EFFECTIVE);
842 (void) _cap_set_proc(sc, working);
843 (void) cap_free(working);
844
845 errno = olderrno;
846 return ret;
847 }
848
849 /*
850 * _cap_launch is invoked in the forked child, it cannot return but is
851 * required to exit. If the execve fails, it will write the errno value
852 * over the filedescriptor, fd, and exit with status 0.
853 */
854 __attribute__ ((noreturn))
_cap_launch(int fd,cap_launch_t attr,void * detail)855 static void _cap_launch(int fd, cap_launch_t attr, void *detail) {
856 struct syscaller_s *sc = &singlethread;
857
858 if (attr->custom_setup_fn && attr->custom_setup_fn(detail)) {
859 goto defer;
860 }
861
862 if (attr->change_uids && _cap_setuid(sc, attr->uid)) {
863 goto defer;
864 }
865 if (attr->change_gids &&
866 _cap_setgroups(sc, attr->gid, attr->ngroups, attr->groups)) {
867 goto defer;
868 }
869 if (attr->change_mode && _cap_set_mode(sc, attr->mode)) {
870 goto defer;
871 }
872 if (attr->iab && _cap_iab_set_proc(sc, attr->iab)) {
873 goto defer;
874 }
875 if (attr->chroot != NULL && _cap_chroot(sc, attr->chroot)) {
876 goto defer;
877 }
878
879 /*
880 * Some type wrangling to work around what the kernel API really
881 * means: not "const char **".
882 */
883 const void *temp_args = attr->argv;
884 const void *temp_envp = attr->envp;
885
886 execve(attr->arg0, temp_args, temp_envp);
887 /* if the exec worked, execution will not reach here */
888
889 defer:
890 /*
891 * getting here means an error has occurred and errno is
892 * communicated to the parent
893 */
894 for (;;) {
895 int n = write(fd, &errno, sizeof(errno));
896 if (n < 0 && errno == EAGAIN) {
897 continue;
898 }
899 break;
900 }
901 close(fd);
902 exit(1);
903 }
904
905 /*
906 * cap_launch performs a wrapped fork+exec that works in both an
907 * unthreaded environment and also where libcap is linked with
908 * psx+pthreads. The function supports dropping privilege in the
909 * forked thread, but retaining privilege in the parent thread(s).
910 *
911 * Since the ambient set is fragile with respect to changes in I or P,
912 * the function carefully orders setting of these inheritable
913 * characteristics, to make sure they stick, or return an error
914 * of -1 setting errno because the launch failed.
915 */
cap_launch(cap_launch_t attr,void * data)916 pid_t cap_launch(cap_launch_t attr, void *data) {
917 int my_errno;
918 int ps[2];
919
920 if (pipe2(ps, O_CLOEXEC) != 0) {
921 return -1;
922 }
923
924 int child = fork();
925 my_errno = errno;
926
927 close(ps[1]);
928 if (child < 0) {
929 goto defer;
930 }
931 if (!child) {
932 close(ps[0]);
933 /* noreturn from this function: */
934 _cap_launch(ps[1], attr, data);
935 }
936
937 /*
938 * Extend this function's return codes to include setup failures
939 * in the child.
940 */
941 for (;;) {
942 int ignored;
943 int n = read(ps[0], &my_errno, sizeof(my_errno));
944 if (n == 0) {
945 goto defer;
946 }
947 if (n < 0 && errno == EAGAIN) {
948 continue;
949 }
950 waitpid(child, &ignored, 0);
951 child = -1;
952 my_errno = ECHILD;
953 break;
954 }
955
956 defer:
957 close(ps[0]);
958 errno = my_errno;
959 return (pid_t) child;
960 }
961