1 /*
2 * Copyright (c) 1997-8,2007,11,19,20 Andrew G Morgan <morgan@kernel.org>
3 *
4 * This file deals with getting and setting capabilities on processes.
5 */
6
7 #ifndef _GNU_SOURCE
8 #define _GNU_SOURCE
9 #endif
10
11 #include <errno.h>
12 #include <fcntl.h> /* Obtain O_* constant definitions */
13 #include <grp.h>
14 #include <sys/prctl.h>
15 #include <sys/securebits.h>
16 #include <sys/syscall.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <sys/wait.h>
20
21 #include <linux/limits.h>
22
23 #include "libcap.h"
24
25 /*
26 * libcap uses this abstraction for all system calls that change
27 * kernel managed capability state. This permits the user to redirect
28 * it for testing and also to better implement posix semantics when
29 * using pthreads.
30 */
31
_cap_syscall3(long int syscall_nr,long int arg1,long int arg2,long int arg3)32 static long int _cap_syscall3(long int syscall_nr,
33 long int arg1, long int arg2, long int arg3)
34 {
35 return syscall(syscall_nr, arg1, arg2, arg3);
36 }
37
_cap_syscall6(long int syscall_nr,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5,long int arg6)38 static long int _cap_syscall6(long int syscall_nr,
39 long int arg1, long int arg2, long int arg3,
40 long int arg4, long int arg5, long int arg6)
41 {
42 return syscall(syscall_nr, arg1, arg2, arg3, arg4, arg5, arg6);
43 }
44
45 /*
46 * to keep the structure of the code conceptually similar in C and Go
47 * implementations, we introduce this abstraction for invoking state
48 * writing system calls. In psx+pthreaded code, the fork
49 * implementation provided by nptl ensures that we can consistently
50 * use the multithreaded syscalls even in the child after a fork().
51 */
52 struct syscaller_s {
53 long int (*three)(long int syscall_nr,
54 long int arg1, long int arg2, long int arg3);
55 long int (*six)(long int syscall_nr,
56 long int arg1, long int arg2, long int arg3,
57 long int arg4, long int arg5, long int arg6);
58 };
59
60 /* use this syscaller for multi-threaded code */
61 static struct syscaller_s multithread = {
62 .three = _cap_syscall3,
63 .six = _cap_syscall6
64 };
65
66 /* use this syscaller for single-threaded code */
67 static struct syscaller_s singlethread = {
68 .three = _cap_syscall3,
69 .six = _cap_syscall6
70 };
71
72 /*
73 * This gets reset to 0 if we are *not* linked with libpsx.
74 */
75 static int _libcap_overrode_syscalls = 1;
76
77 /*
78 * psx_load_syscalls() is weakly defined so we can have it overridden
79 * by libpsx if that library is linked. Specifically, when libcap
80 * calls psx_load_sycalls() it is prepared to override the default
81 * values for the syscalls that libcap uses to change security state.
82 * As can be seen here this present function is mostly a
83 * no-op. However, if libpsx is linked, the one present in that
84 * library (not being weak) will replace this one and the
85 * _libcap_overrode_syscalls value isn't forced to zero.
86 *
87 * Note: we hardcode the prototype for the psx_load_syscalls()
88 * function here so the compiler isn't worried. If we force the build
89 * to include the header, we are close to requiring the optional
90 * libpsx to be linked.
91 */
92 void psx_load_syscalls(long int (**syscall_fn)(long int,
93 long int, long int, long int),
94 long int (**syscall6_fn)(long int,
95 long int, long int, long int,
96 long int, long int, long int));
97
98 __attribute__((weak))
psx_load_syscalls(long int (** syscall_fn)(long int,long int,long int,long int),long int (** syscall6_fn)(long int,long int,long int,long int,long int,long int,long int))99 void psx_load_syscalls(long int (**syscall_fn)(long int,
100 long int, long int, long int),
101 long int (**syscall6_fn)(long int,
102 long int, long int, long int,
103 long int, long int, long int))
104 {
105 _libcap_overrode_syscalls = 0;
106 }
107
108 /*
109 * cap_set_syscall overrides the state setting syscalls that libcap does.
110 * Generally, you don't need to call this manually: libcap tries hard to
111 * set things up appropriately.
112 */
cap_set_syscall(long int (* new_syscall)(long int,long int,long int,long int),long int (* new_syscall6)(long int,long int,long int,long int,long int,long int,long int))113 void cap_set_syscall(long int (*new_syscall)(long int,
114 long int, long int, long int),
115 long int (*new_syscall6)(long int, long int,
116 long int, long int,
117 long int, long int,
118 long int)) {
119 if (new_syscall == NULL) {
120 psx_load_syscalls(&multithread.three, &multithread.six);
121 } else {
122 multithread.three = new_syscall;
123 multithread.six = new_syscall6;
124 }
125 }
126
_libcap_capset(struct syscaller_s * sc,cap_user_header_t header,const cap_user_data_t data)127 static int _libcap_capset(struct syscaller_s *sc,
128 cap_user_header_t header, const cap_user_data_t data)
129 {
130 if (_libcap_overrode_syscalls) {
131 return sc->three(SYS_capset, (long int) header, (long int) data, 0);
132 }
133 return capset(header, data);
134 }
135
_libcap_wprctl3(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2)136 static int _libcap_wprctl3(struct syscaller_s *sc,
137 long int pr_cmd, long int arg1, long int arg2)
138 {
139 if (_libcap_overrode_syscalls) {
140 return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
141 }
142 return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
143 }
144
_libcap_wprctl6(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)145 static int _libcap_wprctl6(struct syscaller_s *sc,
146 long int pr_cmd, long int arg1, long int arg2,
147 long int arg3, long int arg4, long int arg5)
148 {
149 if (_libcap_overrode_syscalls) {
150 return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
151 }
152 return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
153 }
154
155 /*
156 * cap_get_proc obtains the capability set for the current process.
157 */
cap_get_proc(void)158 cap_t cap_get_proc(void)
159 {
160 cap_t result;
161
162 /* allocate a new capability set */
163 result = cap_init();
164 if (result) {
165 _cap_debug("getting current process' capabilities");
166
167 /* fill the capability sets via a system call */
168 if (capget(&result->head, &result->u[0].set)) {
169 cap_free(result);
170 result = NULL;
171 }
172 }
173
174 return result;
175 }
176
_cap_set_proc(struct syscaller_s * sc,cap_t cap_d)177 static int _cap_set_proc(struct syscaller_s *sc, cap_t cap_d) {
178 int retval;
179
180 if (!good_cap_t(cap_d)) {
181 errno = EINVAL;
182 return -1;
183 }
184
185 _cap_debug("setting process capabilities");
186 retval = _libcap_capset(sc, &cap_d->head, &cap_d->u[0].set);
187
188 return retval;
189 }
190
cap_set_proc(cap_t cap_d)191 int cap_set_proc(cap_t cap_d)
192 {
193 return _cap_set_proc(&multithread, cap_d);
194 }
195
196 /* the following two functions are not required by POSIX */
197
198 /* read the caps on a specific process */
199
capgetp(pid_t pid,cap_t cap_d)200 int capgetp(pid_t pid, cap_t cap_d)
201 {
202 int error;
203
204 if (!good_cap_t(cap_d)) {
205 errno = EINVAL;
206 return -1;
207 }
208
209 _cap_debug("getting process capabilities for proc %d", pid);
210
211 cap_d->head.pid = pid;
212 error = capget(&cap_d->head, &cap_d->u[0].set);
213 cap_d->head.pid = 0;
214
215 return error;
216 }
217
218 /* allocate space for and return capabilities of target process */
219
cap_get_pid(pid_t pid)220 cap_t cap_get_pid(pid_t pid)
221 {
222 cap_t result;
223
224 result = cap_init();
225 if (result) {
226 if (capgetp(pid, result) != 0) {
227 int my_errno;
228
229 my_errno = errno;
230 cap_free(result);
231 errno = my_errno;
232 result = NULL;
233 }
234 }
235
236 return result;
237 }
238
239 /*
240 * set the caps on a specific process/pg etc.. The kernel has long
241 * since deprecated this asynchronous interface. DON'T EXPECT THIS TO
242 * EVER WORK AGAIN.
243 */
244
capsetp(pid_t pid,cap_t cap_d)245 int capsetp(pid_t pid, cap_t cap_d)
246 {
247 int error;
248
249 if (!good_cap_t(cap_d)) {
250 errno = EINVAL;
251 return -1;
252 }
253
254 _cap_debug("setting process capabilities for proc %d", pid);
255 cap_d->head.pid = pid;
256 error = capset(&cap_d->head, &cap_d->u[0].set);
257 cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
258 cap_d->head.pid = 0;
259
260 return error;
261 }
262
263 /* the kernel api requires unsigned long arguments */
264 #define pr_arg(x) ((unsigned long) x)
265
266 /* get a capability from the bounding set */
267
cap_get_bound(cap_value_t cap)268 int cap_get_bound(cap_value_t cap)
269 {
270 int result;
271
272 result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
273 if (result < 0) {
274 errno = -result;
275 return -1;
276 }
277 return result;
278 }
279
_cap_drop_bound(struct syscaller_s * sc,cap_value_t cap)280 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
281 {
282 int result;
283
284 result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
285 if (result < 0) {
286 errno = -result;
287 return -1;
288 }
289 return result;
290 }
291
292 /* drop a capability from the bounding set */
293
cap_drop_bound(cap_value_t cap)294 int cap_drop_bound(cap_value_t cap) {
295 return _cap_drop_bound(&multithread, cap);
296 }
297
298 /* get a capability from the ambient set */
299
cap_get_ambient(cap_value_t cap)300 int cap_get_ambient(cap_value_t cap)
301 {
302 int result;
303 result = prctl(PR_CAP_AMBIENT, pr_arg(PR_CAP_AMBIENT_IS_SET),
304 pr_arg(cap), pr_arg(0), pr_arg(0));
305 if (result < 0) {
306 errno = -result;
307 return -1;
308 }
309 return result;
310 }
311
_cap_set_ambient(struct syscaller_s * sc,cap_value_t cap,cap_flag_value_t set)312 static int _cap_set_ambient(struct syscaller_s *sc,
313 cap_value_t cap, cap_flag_value_t set)
314 {
315 int result, val;
316 switch (set) {
317 case CAP_SET:
318 val = PR_CAP_AMBIENT_RAISE;
319 break;
320 case CAP_CLEAR:
321 val = PR_CAP_AMBIENT_LOWER;
322 break;
323 default:
324 errno = EINVAL;
325 return -1;
326 }
327 result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
328 pr_arg(0), pr_arg(0), pr_arg(0));
329 if (result < 0) {
330 errno = -result;
331 return -1;
332 }
333 return result;
334 }
335
336 /*
337 * cap_set_ambient modifies a single ambient capability value.
338 */
cap_set_ambient(cap_value_t cap,cap_flag_value_t set)339 int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
340 {
341 return _cap_set_ambient(&multithread, cap, set);
342 }
343
_cap_reset_ambient(struct syscaller_s * sc)344 static int _cap_reset_ambient(struct syscaller_s *sc)
345 {
346 int olderrno = errno;
347 cap_value_t c;
348 int result = 0;
349
350 for (c = 0; !result; c++) {
351 result = cap_get_ambient(c);
352 if (result == -1) {
353 errno = olderrno;
354 return 0;
355 }
356 }
357
358 result = _libcap_wprctl6(sc, PR_CAP_AMBIENT,
359 pr_arg(PR_CAP_AMBIENT_CLEAR_ALL),
360 pr_arg(0), pr_arg(0), pr_arg(0), pr_arg(0));
361 if (result < 0) {
362 errno = -result;
363 return -1;
364 }
365 return result;
366 }
367
368 /*
369 * cap_reset_ambient erases all ambient capabilities - this reads the
370 * ambient caps before performing the erase to workaround the corner
371 * case where the set is empty already but the ambient cap API is
372 * locked.
373 */
cap_reset_ambient()374 int cap_reset_ambient()
375 {
376 return _cap_reset_ambient(&multithread);
377 }
378
379 /*
380 * Read the security mode of the current process.
381 */
cap_get_secbits(void)382 unsigned cap_get_secbits(void)
383 {
384 return (unsigned) prctl(PR_GET_SECUREBITS, pr_arg(0), pr_arg(0));
385 }
386
_cap_set_secbits(struct syscaller_s * sc,unsigned bits)387 static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
388 {
389 return _libcap_wprctl3(sc, PR_SET_SECUREBITS, bits, 0);
390 }
391
392 /*
393 * Set the secbits of the current process.
394 */
cap_set_secbits(unsigned bits)395 int cap_set_secbits(unsigned bits)
396 {
397 return _cap_set_secbits(&multithread, bits);
398 }
399
400 /*
401 * Attempt to raise the no new privs prctl value.
402 */
_cap_set_no_new_privs(struct syscaller_s * sc)403 static void _cap_set_no_new_privs(struct syscaller_s *sc)
404 {
405 (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
406 }
407
408 /*
409 * cap_prctl performs a prctl() 6 argument call on the current
410 * thread. Use cap_prctlw() if you want to perform a POSIX semantics
411 * prctl() system call.
412 */
cap_prctl(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)413 int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
414 long int arg3, long int arg4, long int arg5)
415 {
416 return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
417 }
418
419 /*
420 * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
421 * prctl() call that executes on all available threads when libpsx is
422 * linked. The suffix 'w' refers to the fact one only ever needs to
423 * invoke this is if the call will write some kernel state.
424 */
cap_prctlw(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)425 int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
426 long int arg3, long int arg4, long int arg5)
427 {
428 return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
429 }
430
431 /*
432 * Some predefined constants
433 */
434 #define CAP_SECURED_BITS_BASIC \
435 (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED | \
436 SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | \
437 SECBIT_KEEP_CAPS_LOCKED)
438
439 #define CAP_SECURED_BITS_AMBIENT (CAP_SECURED_BITS_BASIC | \
440 SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)
441
442 static cap_value_t raise_cap_setpcap[] = {CAP_SETPCAP};
443
_cap_set_mode(struct syscaller_s * sc,cap_mode_t flavor)444 static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
445 {
446 cap_t working = cap_get_proc();
447 unsigned secbits = CAP_SECURED_BITS_AMBIENT;
448
449 int ret = cap_set_flag(working, CAP_EFFECTIVE,
450 1, raise_cap_setpcap, CAP_SET);
451 ret = ret | _cap_set_proc(sc, working);
452
453 if (ret == 0) {
454 cap_flag_t c;
455
456 switch (flavor) {
457 case CAP_MODE_NOPRIV:
458 /* fall through */
459 case CAP_MODE_PURE1E_INIT:
460 (void) cap_clear_flag(working, CAP_INHERITABLE);
461 /* fall through */
462 case CAP_MODE_PURE1E:
463 if (!CAP_AMBIENT_SUPPORTED()) {
464 secbits = CAP_SECURED_BITS_BASIC;
465 } else {
466 ret = _cap_reset_ambient(sc);
467 if (ret) {
468 break; /* ambient dropping failed */
469 }
470 }
471 ret = _cap_set_secbits(sc, secbits);
472 if (flavor != CAP_MODE_NOPRIV) {
473 break;
474 }
475
476 /* just for "case CAP_MODE_NOPRIV:" */
477
478 for (c = 0; cap_get_bound(c) >= 0; c++) {
479 (void) _cap_drop_bound(sc, c);
480 }
481 (void) cap_clear_flag(working, CAP_PERMITTED);
482
483 /* for good measure */
484 _cap_set_no_new_privs(sc);
485 break;
486
487 default:
488 errno = EINVAL;
489 ret = -1;
490 break;
491 }
492 }
493
494 (void) cap_clear_flag(working, CAP_EFFECTIVE);
495 ret = _cap_set_proc(sc, working) | ret;
496 (void) cap_free(working);
497 return ret;
498 }
499
500 /*
501 * cap_set_mode locks the overarching capability framework of the
502 * present process and thus its children to a predefined flavor. Once
503 * set, these modes cannot be undone by the affected process tree and
504 * can only be done by "cap_setpcap" permitted processes. Note, a side
505 * effect of this function, whether it succeeds or fails, is to clear
506 * at least the CAP_EFFECTIVE flags for the current process.
507 */
cap_set_mode(cap_mode_t flavor)508 int cap_set_mode(cap_mode_t flavor)
509 {
510 return _cap_set_mode(&multithread, flavor);
511 }
512
513 /*
514 * cap_get_mode attempts to determine what the current capability mode
515 * is. If it can find no match in the libcap pre-defined modes, it
516 * returns CAP_MODE_UNCERTAIN.
517 */
cap_get_mode(void)518 cap_mode_t cap_get_mode(void)
519 {
520 unsigned secbits = cap_get_secbits();
521
522 if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
523 return CAP_MODE_UNCERTAIN;
524 }
525
526 /* validate ambient is not set */
527 int olderrno = errno;
528 int ret = 0;
529 cap_value_t c;
530 for (c = 0; !ret; c++) {
531 ret = cap_get_ambient(c);
532 if (ret == -1) {
533 errno = olderrno;
534 if (c && secbits != CAP_SECURED_BITS_AMBIENT) {
535 return CAP_MODE_UNCERTAIN;
536 }
537 break;
538 }
539 if (ret) {
540 return CAP_MODE_UNCERTAIN;
541 }
542 }
543
544 cap_t working = cap_get_proc();
545 cap_t empty = cap_init();
546 int cf = cap_compare(empty, working);
547 cap_free(empty);
548 cap_free(working);
549
550 if (CAP_DIFFERS(cf, CAP_INHERITABLE)) {
551 return CAP_MODE_PURE1E;
552 }
553 if (CAP_DIFFERS(cf, CAP_PERMITTED) || CAP_DIFFERS(cf, CAP_EFFECTIVE)) {
554 return CAP_MODE_PURE1E_INIT;
555 }
556
557 for (c = 0; ; c++) {
558 int v = cap_get_bound(c);
559 if (v == -1) {
560 break;
561 }
562 if (v) {
563 return CAP_MODE_PURE1E_INIT;
564 }
565 }
566
567 return CAP_MODE_NOPRIV;
568 }
569
_cap_setuid(struct syscaller_s * sc,uid_t uid)570 static int _cap_setuid(struct syscaller_s *sc, uid_t uid)
571 {
572 const cap_value_t raise_cap_setuid[] = {CAP_SETUID};
573 cap_t working = cap_get_proc();
574 (void) cap_set_flag(working, CAP_EFFECTIVE,
575 1, raise_cap_setuid, CAP_SET);
576 /*
577 * Note, we are cognizant of not using glibc's setuid in the case
578 * that we've modified the way libcap is doing setting
579 * syscalls. This is because prctl needs to be working in a POSIX
580 * compliant way for the code below to work, so we are either
581 * all-broken or not-broken and don't allow for "sort of working".
582 */
583 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 1, 0);
584 int ret = _cap_set_proc(sc, working);
585 if (ret == 0) {
586 if (_libcap_overrode_syscalls) {
587 ret = sc->three(SYS_setuid, (long int) uid, 0, 0);
588 if (ret < 0) {
589 errno = -ret;
590 ret = -1;
591 }
592 } else {
593 ret = setuid(uid);
594 }
595 }
596 int olderrno = errno;
597 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 0, 0);
598 (void) cap_clear_flag(working, CAP_EFFECTIVE);
599 (void) _cap_set_proc(sc, working);
600 (void) cap_free(working);
601
602 errno = olderrno;
603 return ret;
604 }
605
606 /*
607 * cap_setuid attempts to set the uid of the process without dropping
608 * any permitted capabilities in the process. A side effect of a call
609 * to this function is that the effective set will be cleared by the
610 * time the function returns.
611 */
cap_setuid(uid_t uid)612 int cap_setuid(uid_t uid)
613 {
614 return _cap_setuid(&multithread, uid);
615 }
616
617 #if defined(__arm__) || defined(__i386__) || \
618 defined(__i486__) || defined(__i586__) || defined(__i686__)
619 #define sys_setgroups_variant SYS_setgroups32
620 #else
621 #define sys_setgroups_variant SYS_setgroups
622 #endif
623
_cap_setgroups(struct syscaller_s * sc,gid_t gid,size_t ngroups,const gid_t groups[])624 static int _cap_setgroups(struct syscaller_s *sc,
625 gid_t gid, size_t ngroups, const gid_t groups[])
626 {
627 const cap_value_t raise_cap_setgid[] = {CAP_SETGID};
628 cap_t working = cap_get_proc();
629 (void) cap_set_flag(working, CAP_EFFECTIVE,
630 1, raise_cap_setgid, CAP_SET);
631 /*
632 * Note, we are cognizant of not using glibc's setgid etc in the
633 * case that we've modified the way libcap is doing setting
634 * syscalls. This is because prctl needs to be working in a POSIX
635 * compliant way for the other functions of this file so we are
636 * all-broken or not-broken and don't allow for "sort of working".
637 */
638 int ret = _cap_set_proc(sc, working);
639 if (_libcap_overrode_syscalls) {
640 if (ret == 0) {
641 ret = sc->three(SYS_setgid, (long int) gid, 0, 0);
642 }
643 if (ret == 0) {
644 ret = sc->three(sys_setgroups_variant, (long int) ngroups,
645 (long int) groups, 0);
646 }
647 if (ret < 0) {
648 errno = -ret;
649 ret = -1;
650 }
651 } else {
652 if (ret == 0) {
653 ret = setgid(gid);
654 }
655 if (ret == 0) {
656 ret = setgroups(ngroups, groups);
657 }
658 }
659 int olderrno = errno;
660
661 (void) cap_clear_flag(working, CAP_EFFECTIVE);
662 (void) _cap_set_proc(sc, working);
663 (void) cap_free(working);
664
665 errno = olderrno;
666 return ret;
667 }
668
669 /*
670 * cap_setgroups combines setting the gid with changing the set of
671 * supplemental groups for a user into one call that raises the needed
672 * capabilities to do it for the duration of the call. A side effect
673 * of a call to this function is that the effective set will be
674 * cleared by the time the function returns.
675 */
cap_setgroups(gid_t gid,size_t ngroups,const gid_t groups[])676 int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[])
677 {
678 return _cap_setgroups(&multithread, gid, ngroups, groups);
679 }
680
681 /*
682 * cap_iab_get_proc returns a cap_iab_t value initialized by the
683 * current process state related to these iab bits.
684 */
cap_iab_get_proc(void)685 cap_iab_t cap_iab_get_proc(void)
686 {
687 cap_iab_t iab = cap_iab_init();
688 cap_t current = cap_get_proc();
689 cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
690 cap_value_t c;
691 for (c = cap_max_bits(); c; ) {
692 --c;
693 int o = c >> 5;
694 __u32 mask = 1U << (c & 31);
695 if (cap_get_bound(c) == 0) {
696 iab->nb[o] |= mask;
697 }
698 if (cap_get_ambient(c) == 1) {
699 iab->a[o] |= mask;
700 }
701 }
702 return iab;
703 }
704
705 /*
706 * _cap_iab_set_proc sets the iab collection using the requested syscaller.
707 */
_cap_iab_set_proc(struct syscaller_s * sc,cap_iab_t iab)708 static int _cap_iab_set_proc(struct syscaller_s *sc, cap_iab_t iab)
709 {
710 int ret, i;
711 cap_t working, temp = cap_get_proc();
712 cap_value_t c;
713 int raising = 0;
714
715 for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
716 __u32 newI = iab->i[i];
717 __u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
718 temp->u[i].flat[CAP_PERMITTED];
719 raising |= (newI & ~oldIP) | iab->a[i] | iab->nb[i];
720 temp->u[i].flat[CAP_INHERITABLE] = newI;
721
722 }
723
724 working = cap_dup(temp);
725 if (raising) {
726 ret = cap_set_flag(working, CAP_EFFECTIVE,
727 1, raise_cap_setpcap, CAP_SET);
728 if (ret) {
729 goto defer;
730 }
731 }
732 if ((ret = _cap_set_proc(sc, working))) {
733 goto defer;
734 }
735 if ((ret = _cap_reset_ambient(sc))) {
736 goto done;
737 }
738
739 for (c = cap_max_bits(); c-- != 0; ) {
740 unsigned offset = c >> 5;
741 __u32 mask = 1U << (c & 31);
742 if (iab->a[offset] & mask) {
743 ret = _cap_set_ambient(sc, c, CAP_SET);
744 if (ret) {
745 goto done;
746 }
747 }
748 if (iab->nb[offset] & mask) {
749 /* drop the bounding bit */
750 ret = _cap_drop_bound(sc, c);
751 if (ret) {
752 goto done;
753 }
754 }
755 }
756
757 done:
758 (void) cap_set_proc(temp);
759
760 defer:
761 cap_free(working);
762 cap_free(temp);
763
764 return ret;
765 }
766
767 /*
768 * cap_iab_set_proc sets the iab capability vectors of the current
769 * process.
770 */
cap_iab_set_proc(cap_iab_t iab)771 int cap_iab_set_proc(cap_iab_t iab)
772 {
773 return _cap_iab_set_proc(&multithread, iab);
774 }
775
776 /*
777 * cap_launcher_callback primes the launcher with a callback that will
778 * be invoked after the fork() but before any privilege has changed
779 * and before the execve(). This can be used to augment the state of
780 * the child process within the cap_launch() process. You can cancel
781 * any callback associated with a launcher by calling this function
782 * with a callback_fn value NULL.
783 *
784 * If the callback function returns anything other than 0, it is
785 * considered to have failed and the launch will be aborted - further,
786 * errno will be communicated to the parent.
787 */
cap_launcher_callback(cap_launch_t attr,int (callback_fn)(void * detail))788 void cap_launcher_callback(cap_launch_t attr, int (callback_fn)(void *detail))
789 {
790 attr->custom_setup_fn = callback_fn;
791 }
792
793 /*
794 * cap_launcher_setuid primes the launcher to attempt a change of uid.
795 */
cap_launcher_setuid(cap_launch_t attr,uid_t uid)796 void cap_launcher_setuid(cap_launch_t attr, uid_t uid)
797 {
798 attr->uid = uid;
799 attr->change_uids = 1;
800 }
801
802 /*
803 * cap_launcher_setgroups primes the launcher to attempt a change of
804 * gid and groups.
805 */
cap_launcher_setgroups(cap_launch_t attr,gid_t gid,int ngroups,const gid_t * groups)806 void cap_launcher_setgroups(cap_launch_t attr, gid_t gid,
807 int ngroups, const gid_t *groups)
808 {
809 attr->gid = gid;
810 attr->ngroups = ngroups;
811 attr->groups = groups;
812 attr->change_gids = 1;
813 }
814
815 /*
816 * cap_launcher_set_mode primes the launcher to attempt a change of
817 * mode.
818 */
cap_launcher_set_mode(cap_launch_t attr,cap_mode_t flavor)819 void cap_launcher_set_mode(cap_launch_t attr, cap_mode_t flavor)
820 {
821 attr->mode = flavor;
822 attr->change_mode = 1;
823 }
824
825 /*
826 * cap_launcher_set_iab primes the launcher to attempt to change the iab bits of
827 * the launched child.
828 */
cap_launcher_set_iab(cap_launch_t attr,cap_iab_t iab)829 cap_iab_t cap_launcher_set_iab(cap_launch_t attr, cap_iab_t iab)
830 {
831 cap_iab_t old = attr->iab;
832 attr->iab = iab;
833 return old;
834 }
835
836 /*
837 * cap_launcher_set_chroot sets the intended chroot for the launched
838 * child.
839 */
cap_launcher_set_chroot(cap_launch_t attr,const char * chroot)840 void cap_launcher_set_chroot(cap_launch_t attr, const char *chroot)
841 {
842 attr->chroot = _libcap_strdup(chroot);
843 }
844
_cap_chroot(struct syscaller_s * sc,const char * root)845 static int _cap_chroot(struct syscaller_s *sc, const char *root)
846 {
847 const cap_value_t raise_cap_sys_chroot[] = {CAP_SYS_CHROOT};
848 cap_t working = cap_get_proc();
849 (void) cap_set_flag(working, CAP_EFFECTIVE,
850 1, raise_cap_sys_chroot, CAP_SET);
851 int ret = _cap_set_proc(sc, working);
852 if (ret == 0) {
853 if (_libcap_overrode_syscalls) {
854 ret = sc->three(SYS_chroot, (long int) root, 0, 0);
855 if (ret < 0) {
856 errno = -ret;
857 ret = -1;
858 }
859 } else {
860 ret = chroot(root);
861 }
862 }
863 int olderrno = errno;
864 (void) cap_clear_flag(working, CAP_EFFECTIVE);
865 (void) _cap_set_proc(sc, working);
866 (void) cap_free(working);
867
868 errno = olderrno;
869 return ret;
870 }
871
872 /*
873 * _cap_launch is invoked in the forked child, it cannot return but is
874 * required to exit, if the execve fails. It will write the errno
875 * value for any failure over the filedescriptor, fd, and exit with
876 * status 1.
877 */
878 __attribute__ ((noreturn))
_cap_launch(int fd,cap_launch_t attr,void * detail)879 static void _cap_launch(int fd, cap_launch_t attr, void *detail) {
880 struct syscaller_s *sc = &singlethread;
881 int my_errno;
882
883 if (attr->custom_setup_fn && attr->custom_setup_fn(detail)) {
884 goto defer;
885 }
886 if (attr->arg0 == NULL) {
887 /* handle the successful cap_func_launcher completion */
888 exit(0);
889 }
890
891 if (attr->change_uids && _cap_setuid(sc, attr->uid)) {
892 goto defer;
893 }
894 if (attr->change_gids &&
895 _cap_setgroups(sc, attr->gid, attr->ngroups, attr->groups)) {
896 goto defer;
897 }
898 if (attr->change_mode && _cap_set_mode(sc, attr->mode)) {
899 goto defer;
900 }
901 if (attr->iab && _cap_iab_set_proc(sc, attr->iab)) {
902 goto defer;
903 }
904 if (attr->chroot != NULL && _cap_chroot(sc, attr->chroot)) {
905 goto defer;
906 }
907
908 /*
909 * Some type wrangling to work around what the kernel API really
910 * means: not "const char **".
911 */
912 const void *temp_args = attr->argv;
913 const void *temp_envp = attr->envp;
914
915 execve(attr->arg0, temp_args, temp_envp);
916 /* if the exec worked, execution will not reach here */
917
918 defer:
919 /*
920 * getting here means an error has occurred and errno is
921 * communicated to the parent
922 */
923 my_errno = errno;
924 for (;;) {
925 int n = write(fd, &my_errno, sizeof(my_errno));
926 if (n < 0 && errno == EAGAIN) {
927 continue;
928 }
929 break;
930 }
931 close(fd);
932 exit(1);
933 }
934
935 /*
936 * cap_launch performs a wrapped fork+(callback and/or exec) that
937 * works in both an unthreaded environment and also where libcap is
938 * linked with psx+pthreads. The function supports dropping privilege
939 * in the forked thread, but retaining privilege in the parent
940 * thread(s).
941 *
942 * When applying the IAB vector inside the fork, since the ambient set
943 * is fragile with respect to changes in I or P, the function
944 * carefully orders setting of these inheritable characteristics, to
945 * make sure they stick.
946 *
947 * This function will return an error of -1 setting errno if the
948 * launch failed.
949 */
cap_launch(cap_launch_t attr,void * detail)950 pid_t cap_launch(cap_launch_t attr, void *detail) {
951 int my_errno;
952 int ps[2];
953 pid_t child;
954
955 /* The launch must have a purpose */
956 if (attr->custom_setup_fn == NULL &&
957 (attr->arg0 == NULL || attr->argv == NULL)) {
958 errno = EINVAL;
959 return -1;
960 }
961
962 if (pipe2(ps, O_CLOEXEC) != 0) {
963 return -1;
964 }
965
966 child = fork();
967 my_errno = errno;
968
969 if (!child) {
970 close(ps[0]);
971 prctl(PR_SET_NAME, "cap-launcher", 0, 0, 0);
972 _cap_launch(ps[1], attr, detail);
973 /* no return from this function */
974 _exit(1);
975 }
976 close(ps[1]);
977 if (child < 0) {
978 goto defer;
979 }
980
981 /*
982 * Extend this function's return codes to include setup failures
983 * in the child.
984 */
985 for (;;) {
986 int ignored;
987 int n = read(ps[0], &my_errno, sizeof(my_errno));
988 if (n == 0) {
989 goto defer;
990 }
991 if (n < 0 && errno == EAGAIN) {
992 continue;
993 }
994 waitpid(child, &ignored, 0);
995 child = -1;
996 my_errno = ECHILD;
997 break;
998 }
999
1000 defer:
1001 close(ps[0]);
1002 errno = my_errno;
1003 return child;
1004 }
1005