1 /*
2  * Copyright (c) 1997-8,2007,11,19,20 Andrew G Morgan <morgan@kernel.org>
3  *
4  * This file deals with getting and setting capabilities on processes.
5  */
6 
7 #ifndef _GNU_SOURCE
8 #define _GNU_SOURCE
9 #endif
10 
11 #include <errno.h>
12 #include <fcntl.h>              /* Obtain O_* constant definitions */
13 #include <grp.h>
14 #include <sys/prctl.h>
15 #include <sys/securebits.h>
16 #include <sys/syscall.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <sys/wait.h>
20 
21 #include <linux/limits.h>
22 
23 #include "libcap.h"
24 
25 /*
26  * libcap uses this abstraction for all system calls that change
27  * kernel managed capability state. This permits the user to redirect
28  * it for testing and also to better implement posix semantics when
29  * using pthreads.
30  */
31 
_cap_syscall3(long int syscall_nr,long int arg1,long int arg2,long int arg3)32 static long int _cap_syscall3(long int syscall_nr,
33 			      long int arg1, long int arg2, long int arg3)
34 {
35     return syscall(syscall_nr, arg1, arg2, arg3);
36 }
37 
_cap_syscall6(long int syscall_nr,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5,long int arg6)38 static long int _cap_syscall6(long int syscall_nr,
39 			      long int arg1, long int arg2, long int arg3,
40 			      long int arg4, long int arg5, long int arg6)
41 {
42     return syscall(syscall_nr, arg1, arg2, arg3, arg4, arg5, arg6);
43 }
44 
45 /*
46  * to keep the structure of the code conceptually similar in C and Go
47  * implementations, we introduce this abstraction for invoking state
48  * writing system calls. In psx+pthreaded code, the fork
49  * implementation provided by nptl ensures that we can consistently
50  * use the multithreaded syscalls even in the child after a fork().
51  */
52 struct syscaller_s {
53     long int (*three)(long int syscall_nr,
54 		      long int arg1, long int arg2, long int arg3);
55     long int (*six)(long int syscall_nr,
56 		    long int arg1, long int arg2, long int arg3,
57 		    long int arg4, long int arg5, long int arg6);
58 };
59 
60 /* use this syscaller for multi-threaded code */
61 static struct syscaller_s multithread = {
62     .three = _cap_syscall3,
63     .six = _cap_syscall6
64 };
65 
66 /* use this syscaller for single-threaded code */
67 static struct syscaller_s singlethread = {
68     .three = _cap_syscall3,
69     .six = _cap_syscall6
70 };
71 
72 /*
73  * This gets reset to 0 if we are *not* linked with libpsx.
74  */
75 static int _libcap_overrode_syscalls = 1;
76 
77 /*
78  * psx_load_syscalls() is weakly defined so we can have it overridden
79  * by libpsx if that library is linked. Specifically, when libcap
80  * calls psx_load_sycalls() it is prepared to override the default
81  * values for the syscalls that libcap uses to change security state.
82  * As can be seen here this present function is mostly a
83  * no-op. However, if libpsx is linked, the one present in that
84  * library (not being weak) will replace this one and the
85  * _libcap_overrode_syscalls value isn't forced to zero.
86  *
87  * Note: we hardcode the prototype for the psx_load_syscalls()
88  * function here so the compiler isn't worried. If we force the build
89  * to include the header, we are close to requiring the optional
90  * libpsx to be linked.
91  */
92 void psx_load_syscalls(long int (**syscall_fn)(long int,
93 					      long int, long int, long int),
94 		       long int (**syscall6_fn)(long int,
95 						long int, long int, long int,
96 						long int, long int, long int));
97 
98 __attribute__((weak))
psx_load_syscalls(long int (** syscall_fn)(long int,long int,long int,long int),long int (** syscall6_fn)(long int,long int,long int,long int,long int,long int,long int))99 void psx_load_syscalls(long int (**syscall_fn)(long int,
100 					       long int, long int, long int),
101 		       long int (**syscall6_fn)(long int,
102 						long int, long int, long int,
103 						long int, long int, long int))
104 {
105     _libcap_overrode_syscalls = 0;
106 }
107 
108 /*
109  * cap_set_syscall overrides the state setting syscalls that libcap does.
110  * Generally, you don't need to call this manually: libcap tries hard to
111  * set things up appropriately.
112  */
cap_set_syscall(long int (* new_syscall)(long int,long int,long int,long int),long int (* new_syscall6)(long int,long int,long int,long int,long int,long int,long int))113 void cap_set_syscall(long int (*new_syscall)(long int,
114 					     long int, long int, long int),
115 			    long int (*new_syscall6)(long int, long int,
116 						     long int, long int,
117 						     long int, long int,
118 						     long int)) {
119     if (new_syscall == NULL) {
120 	psx_load_syscalls(&multithread.three, &multithread.six);
121     } else {
122 	multithread.three = new_syscall;
123 	multithread.six = new_syscall6;
124     }
125 }
126 
_libcap_capset(struct syscaller_s * sc,cap_user_header_t header,const cap_user_data_t data)127 static int _libcap_capset(struct syscaller_s *sc,
128 			  cap_user_header_t header, const cap_user_data_t data)
129 {
130     if (_libcap_overrode_syscalls) {
131 	return sc->three(SYS_capset, (long int) header, (long int) data, 0);
132     }
133     return capset(header, data);
134 }
135 
_libcap_wprctl3(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2)136 static int _libcap_wprctl3(struct syscaller_s *sc,
137 			   long int pr_cmd, long int arg1, long int arg2)
138 {
139     if (_libcap_overrode_syscalls) {
140 	return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
141     }
142     return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
143 }
144 
_libcap_wprctl6(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)145 static int _libcap_wprctl6(struct syscaller_s *sc,
146 			   long int pr_cmd, long int arg1, long int arg2,
147 			   long int arg3, long int arg4, long int arg5)
148 {
149     if (_libcap_overrode_syscalls) {
150 	return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
151     }
152     return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
153 }
154 
155 /*
156  * cap_get_proc obtains the capability set for the current process.
157  */
cap_get_proc(void)158 cap_t cap_get_proc(void)
159 {
160     cap_t result;
161 
162     /* allocate a new capability set */
163     result = cap_init();
164     if (result) {
165 	_cap_debug("getting current process' capabilities");
166 
167 	/* fill the capability sets via a system call */
168 	if (capget(&result->head, &result->u[0].set)) {
169 	    cap_free(result);
170 	    result = NULL;
171 	}
172     }
173 
174     return result;
175 }
176 
_cap_set_proc(struct syscaller_s * sc,cap_t cap_d)177 static int _cap_set_proc(struct syscaller_s *sc, cap_t cap_d) {
178     int retval;
179 
180     if (!good_cap_t(cap_d)) {
181 	errno = EINVAL;
182 	return -1;
183     }
184 
185     _cap_debug("setting process capabilities");
186     retval = _libcap_capset(sc, &cap_d->head, &cap_d->u[0].set);
187 
188     return retval;
189 }
190 
cap_set_proc(cap_t cap_d)191 int cap_set_proc(cap_t cap_d)
192 {
193     return _cap_set_proc(&multithread, cap_d);
194 }
195 
196 /* the following two functions are not required by POSIX */
197 
198 /* read the caps on a specific process */
199 
capgetp(pid_t pid,cap_t cap_d)200 int capgetp(pid_t pid, cap_t cap_d)
201 {
202     int error;
203 
204     if (!good_cap_t(cap_d)) {
205 	errno = EINVAL;
206 	return -1;
207     }
208 
209     _cap_debug("getting process capabilities for proc %d", pid);
210 
211     cap_d->head.pid = pid;
212     error = capget(&cap_d->head, &cap_d->u[0].set);
213     cap_d->head.pid = 0;
214 
215     return error;
216 }
217 
218 /* allocate space for and return capabilities of target process */
219 
cap_get_pid(pid_t pid)220 cap_t cap_get_pid(pid_t pid)
221 {
222     cap_t result;
223 
224     result = cap_init();
225     if (result) {
226 	if (capgetp(pid, result) != 0) {
227 	    int my_errno;
228 
229 	    my_errno = errno;
230 	    cap_free(result);
231 	    errno = my_errno;
232 	    result = NULL;
233 	}
234     }
235 
236     return result;
237 }
238 
239 /*
240  * set the caps on a specific process/pg etc.. The kernel has long
241  * since deprecated this asynchronous interface. DON'T EXPECT THIS TO
242  * EVER WORK AGAIN.
243  */
244 
capsetp(pid_t pid,cap_t cap_d)245 int capsetp(pid_t pid, cap_t cap_d)
246 {
247     int error;
248 
249     if (!good_cap_t(cap_d)) {
250 	errno = EINVAL;
251 	return -1;
252     }
253 
254     _cap_debug("setting process capabilities for proc %d", pid);
255     cap_d->head.pid = pid;
256     error = capset(&cap_d->head, &cap_d->u[0].set);
257     cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
258     cap_d->head.pid = 0;
259 
260     return error;
261 }
262 
263 /* the kernel api requires unsigned long arguments */
264 #define pr_arg(x) ((unsigned long) x)
265 
266 /* get a capability from the bounding set */
267 
cap_get_bound(cap_value_t cap)268 int cap_get_bound(cap_value_t cap)
269 {
270     int result;
271 
272     result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
273     if (result < 0) {
274 	errno = -result;
275 	return -1;
276     }
277     return result;
278 }
279 
_cap_drop_bound(struct syscaller_s * sc,cap_value_t cap)280 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
281 {
282     int result;
283 
284     result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
285     if (result < 0) {
286 	errno = -result;
287 	return -1;
288     }
289     return result;
290 }
291 
292 /* drop a capability from the bounding set */
293 
cap_drop_bound(cap_value_t cap)294 int cap_drop_bound(cap_value_t cap) {
295     return _cap_drop_bound(&multithread, cap);
296 }
297 
298 /* get a capability from the ambient set */
299 
cap_get_ambient(cap_value_t cap)300 int cap_get_ambient(cap_value_t cap)
301 {
302     int result;
303     result = prctl(PR_CAP_AMBIENT, pr_arg(PR_CAP_AMBIENT_IS_SET),
304 		   pr_arg(cap), pr_arg(0), pr_arg(0));
305     if (result < 0) {
306 	errno = -result;
307 	return -1;
308     }
309     return result;
310 }
311 
_cap_set_ambient(struct syscaller_s * sc,cap_value_t cap,cap_flag_value_t set)312 static int _cap_set_ambient(struct syscaller_s *sc,
313 			    cap_value_t cap, cap_flag_value_t set)
314 {
315     int result, val;
316     switch (set) {
317     case CAP_SET:
318 	val = PR_CAP_AMBIENT_RAISE;
319 	break;
320     case CAP_CLEAR:
321 	val = PR_CAP_AMBIENT_LOWER;
322 	break;
323     default:
324 	errno = EINVAL;
325 	return -1;
326     }
327     result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
328 			     pr_arg(0), pr_arg(0), pr_arg(0));
329     if (result < 0) {
330 	errno = -result;
331 	return -1;
332     }
333     return result;
334 }
335 
336 /*
337  * cap_set_ambient modifies a single ambient capability value.
338  */
cap_set_ambient(cap_value_t cap,cap_flag_value_t set)339 int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
340 {
341     return _cap_set_ambient(&multithread, cap, set);
342 }
343 
_cap_reset_ambient(struct syscaller_s * sc)344 static int _cap_reset_ambient(struct syscaller_s *sc)
345 {
346     int olderrno = errno;
347     cap_value_t c;
348     int result = 0;
349 
350     for (c = 0; !result; c++) {
351 	result = cap_get_ambient(c);
352 	if (result == -1) {
353 	    errno = olderrno;
354 	    return 0;
355 	}
356     }
357 
358     result = _libcap_wprctl6(sc, PR_CAP_AMBIENT,
359 			     pr_arg(PR_CAP_AMBIENT_CLEAR_ALL),
360 			     pr_arg(0), pr_arg(0), pr_arg(0), pr_arg(0));
361     if (result < 0) {
362 	errno = -result;
363 	return -1;
364     }
365     return result;
366 }
367 
368 /*
369  * cap_reset_ambient erases all ambient capabilities - this reads the
370  * ambient caps before performing the erase to workaround the corner
371  * case where the set is empty already but the ambient cap API is
372  * locked.
373  */
cap_reset_ambient()374 int cap_reset_ambient()
375 {
376     return _cap_reset_ambient(&multithread);
377 }
378 
379 /*
380  * Read the security mode of the current process.
381  */
cap_get_secbits(void)382 unsigned cap_get_secbits(void)
383 {
384     return (unsigned) prctl(PR_GET_SECUREBITS, pr_arg(0), pr_arg(0));
385 }
386 
_cap_set_secbits(struct syscaller_s * sc,unsigned bits)387 static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
388 {
389     return _libcap_wprctl3(sc, PR_SET_SECUREBITS, bits, 0);
390 }
391 
392 /*
393  * Set the secbits of the current process.
394  */
cap_set_secbits(unsigned bits)395 int cap_set_secbits(unsigned bits)
396 {
397     return _cap_set_secbits(&multithread, bits);
398 }
399 
400 /*
401  * Attempt to raise the no new privs prctl value.
402  */
_cap_set_no_new_privs(struct syscaller_s * sc)403 static void _cap_set_no_new_privs(struct syscaller_s *sc)
404 {
405     (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
406 }
407 
408 /*
409  * cap_prctl performs a prctl() 6 argument call on the current
410  * thread. Use cap_prctlw() if you want to perform a POSIX semantics
411  * prctl() system call.
412  */
cap_prctl(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)413 int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
414 	      long int arg3, long int arg4, long int arg5)
415 {
416     return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
417 }
418 
419 /*
420  * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
421  * prctl() call that executes on all available threads when libpsx is
422  * linked. The suffix 'w' refers to the fact one only ever needs to
423  * invoke this is if the call will write some kernel state.
424  */
cap_prctlw(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)425 int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
426 	       long int arg3, long int arg4, long int arg5)
427 {
428     return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
429 }
430 
431 /*
432  * Some predefined constants
433  */
434 #define CAP_SECURED_BITS_BASIC                                 \
435     (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |                    \
436      SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED |  \
437      SECBIT_KEEP_CAPS_LOCKED)
438 
439 #define CAP_SECURED_BITS_AMBIENT  (CAP_SECURED_BITS_BASIC |    \
440      SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)
441 
442 static cap_value_t raise_cap_setpcap[] = {CAP_SETPCAP};
443 
_cap_set_mode(struct syscaller_s * sc,cap_mode_t flavor)444 static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
445 {
446     cap_t working = cap_get_proc();
447     unsigned secbits = CAP_SECURED_BITS_AMBIENT;
448 
449     int ret = cap_set_flag(working, CAP_EFFECTIVE,
450 			   1, raise_cap_setpcap, CAP_SET);
451     ret = ret | _cap_set_proc(sc, working);
452 
453     if (ret == 0) {
454 	cap_flag_t c;
455 
456 	switch (flavor) {
457 	case CAP_MODE_NOPRIV:
458 	    /* fall through */
459 	case CAP_MODE_PURE1E_INIT:
460 	    (void) cap_clear_flag(working, CAP_INHERITABLE);
461 	    /* fall through */
462 	case CAP_MODE_PURE1E:
463 	    if (!CAP_AMBIENT_SUPPORTED()) {
464 		secbits = CAP_SECURED_BITS_BASIC;
465 	    } else {
466 		ret = _cap_reset_ambient(sc);
467 		if (ret) {
468 		    break; /* ambient dropping failed */
469 		}
470 	    }
471 	    ret = _cap_set_secbits(sc, secbits);
472 	    if (flavor != CAP_MODE_NOPRIV) {
473 		break;
474 	    }
475 
476 	    /* just for "case CAP_MODE_NOPRIV:" */
477 
478 	    for (c = 0; cap_get_bound(c) >= 0; c++) {
479 		(void) _cap_drop_bound(sc, c);
480 	    }
481 	    (void) cap_clear_flag(working, CAP_PERMITTED);
482 
483 	    /* for good measure */
484 	    _cap_set_no_new_privs(sc);
485 	    break;
486 
487 	default:
488 	    errno = EINVAL;
489 	    ret = -1;
490 	    break;
491 	}
492     }
493 
494     (void) cap_clear_flag(working, CAP_EFFECTIVE);
495     ret = _cap_set_proc(sc, working) | ret;
496     (void) cap_free(working);
497     return ret;
498 }
499 
500 /*
501  * cap_set_mode locks the overarching capability framework of the
502  * present process and thus its children to a predefined flavor. Once
503  * set, these modes cannot be undone by the affected process tree and
504  * can only be done by "cap_setpcap" permitted processes. Note, a side
505  * effect of this function, whether it succeeds or fails, is to clear
506  * at least the CAP_EFFECTIVE flags for the current process.
507  */
cap_set_mode(cap_mode_t flavor)508 int cap_set_mode(cap_mode_t flavor)
509 {
510     return _cap_set_mode(&multithread, flavor);
511 }
512 
513 /*
514  * cap_get_mode attempts to determine what the current capability mode
515  * is. If it can find no match in the libcap pre-defined modes, it
516  * returns CAP_MODE_UNCERTAIN.
517  */
cap_get_mode(void)518 cap_mode_t cap_get_mode(void)
519 {
520     unsigned secbits = cap_get_secbits();
521 
522     if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
523 	return CAP_MODE_UNCERTAIN;
524     }
525 
526     /* validate ambient is not set */
527     int olderrno = errno;
528     int ret = 0;
529     cap_value_t c;
530     for (c = 0; !ret; c++) {
531 	ret = cap_get_ambient(c);
532 	if (ret == -1) {
533 	    errno = olderrno;
534 	    if (c && secbits != CAP_SECURED_BITS_AMBIENT) {
535 		return CAP_MODE_UNCERTAIN;
536 	    }
537 	    break;
538 	}
539 	if (ret) {
540 	    return CAP_MODE_UNCERTAIN;
541 	}
542     }
543 
544     cap_t working = cap_get_proc();
545     cap_t empty = cap_init();
546     int cf = cap_compare(empty, working);
547     cap_free(empty);
548     cap_free(working);
549 
550     if (CAP_DIFFERS(cf, CAP_INHERITABLE)) {
551 	return CAP_MODE_PURE1E;
552     }
553     if (CAP_DIFFERS(cf, CAP_PERMITTED) || CAP_DIFFERS(cf, CAP_EFFECTIVE)) {
554 	return CAP_MODE_PURE1E_INIT;
555     }
556 
557     for (c = 0; ; c++) {
558 	int v = cap_get_bound(c);
559 	if (v == -1) {
560 	    break;
561 	}
562 	if (v) {
563 	    return CAP_MODE_PURE1E_INIT;
564 	}
565     }
566 
567     return CAP_MODE_NOPRIV;
568 }
569 
_cap_setuid(struct syscaller_s * sc,uid_t uid)570 static int _cap_setuid(struct syscaller_s *sc, uid_t uid)
571 {
572     const cap_value_t raise_cap_setuid[] = {CAP_SETUID};
573     cap_t working = cap_get_proc();
574     (void) cap_set_flag(working, CAP_EFFECTIVE,
575 			1, raise_cap_setuid, CAP_SET);
576     /*
577      * Note, we are cognizant of not using glibc's setuid in the case
578      * that we've modified the way libcap is doing setting
579      * syscalls. This is because prctl needs to be working in a POSIX
580      * compliant way for the code below to work, so we are either
581      * all-broken or not-broken and don't allow for "sort of working".
582      */
583     (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 1, 0);
584     int ret = _cap_set_proc(sc, working);
585     if (ret == 0) {
586 	if (_libcap_overrode_syscalls) {
587 	    ret = sc->three(SYS_setuid, (long int) uid, 0, 0);
588 	    if (ret < 0) {
589 		errno = -ret;
590 		ret = -1;
591 	    }
592 	} else {
593 	    ret = setuid(uid);
594 	}
595     }
596     int olderrno = errno;
597     (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 0, 0);
598     (void) cap_clear_flag(working, CAP_EFFECTIVE);
599     (void) _cap_set_proc(sc, working);
600     (void) cap_free(working);
601 
602     errno = olderrno;
603     return ret;
604 }
605 
606 /*
607  * cap_setuid attempts to set the uid of the process without dropping
608  * any permitted capabilities in the process. A side effect of a call
609  * to this function is that the effective set will be cleared by the
610  * time the function returns.
611  */
cap_setuid(uid_t uid)612 int cap_setuid(uid_t uid)
613 {
614     return _cap_setuid(&multithread, uid);
615 }
616 
617 #if defined(__arm__) || defined(__i386__) || \
618     defined(__i486__) || defined(__i586__) || defined(__i686__)
619 #define sys_setgroups_variant  SYS_setgroups32
620 #else
621 #define sys_setgroups_variant  SYS_setgroups
622 #endif
623 
_cap_setgroups(struct syscaller_s * sc,gid_t gid,size_t ngroups,const gid_t groups[])624 static int _cap_setgroups(struct syscaller_s *sc,
625 			  gid_t gid, size_t ngroups, const gid_t groups[])
626 {
627     const cap_value_t raise_cap_setgid[] = {CAP_SETGID};
628     cap_t working = cap_get_proc();
629     (void) cap_set_flag(working, CAP_EFFECTIVE,
630 			1, raise_cap_setgid, CAP_SET);
631     /*
632      * Note, we are cognizant of not using glibc's setgid etc in the
633      * case that we've modified the way libcap is doing setting
634      * syscalls. This is because prctl needs to be working in a POSIX
635      * compliant way for the other functions of this file so we are
636      * all-broken or not-broken and don't allow for "sort of working".
637      */
638     int ret = _cap_set_proc(sc, working);
639     if (_libcap_overrode_syscalls) {
640 	if (ret == 0) {
641 	    ret = sc->three(SYS_setgid, (long int) gid, 0, 0);
642 	}
643 	if (ret == 0) {
644 	    ret = sc->three(sys_setgroups_variant, (long int) ngroups,
645 			    (long int) groups, 0);
646 	}
647 	if (ret < 0) {
648 	    errno = -ret;
649 	    ret = -1;
650 	}
651     } else {
652 	if (ret == 0) {
653 	    ret = setgid(gid);
654 	}
655 	if (ret == 0) {
656 	    ret = setgroups(ngroups, groups);
657 	}
658     }
659     int olderrno = errno;
660 
661     (void) cap_clear_flag(working, CAP_EFFECTIVE);
662     (void) _cap_set_proc(sc, working);
663     (void) cap_free(working);
664 
665     errno = olderrno;
666     return ret;
667 }
668 
669 /*
670  * cap_setgroups combines setting the gid with changing the set of
671  * supplemental groups for a user into one call that raises the needed
672  * capabilities to do it for the duration of the call. A side effect
673  * of a call to this function is that the effective set will be
674  * cleared by the time the function returns.
675  */
cap_setgroups(gid_t gid,size_t ngroups,const gid_t groups[])676 int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[])
677 {
678     return _cap_setgroups(&multithread, gid, ngroups, groups);
679 }
680 
681 /*
682  * cap_iab_get_proc returns a cap_iab_t value initialized by the
683  * current process state related to these iab bits.
684  */
cap_iab_get_proc(void)685 cap_iab_t cap_iab_get_proc(void)
686 {
687     cap_iab_t iab = cap_iab_init();
688     cap_t current = cap_get_proc();
689     cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
690     cap_value_t c;
691     for (c = cap_max_bits(); c; ) {
692 	--c;
693 	int o = c >> 5;
694 	__u32 mask = 1U << (c & 31);
695 	if (cap_get_bound(c) == 0) {
696 	    iab->nb[o] |= mask;
697 	}
698 	if (cap_get_ambient(c) == 1) {
699 	    iab->a[o] |= mask;
700 	}
701     }
702     return iab;
703 }
704 
705 /*
706  * _cap_iab_set_proc sets the iab collection using the requested syscaller.
707  */
_cap_iab_set_proc(struct syscaller_s * sc,cap_iab_t iab)708 static int _cap_iab_set_proc(struct syscaller_s *sc, cap_iab_t iab)
709 {
710     int ret, i;
711     cap_t working, temp = cap_get_proc();
712     cap_value_t c;
713     int raising = 0;
714 
715     for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
716 	__u32 newI = iab->i[i];
717 	__u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
718 	    temp->u[i].flat[CAP_PERMITTED];
719 	raising |= (newI & ~oldIP) | iab->a[i] | iab->nb[i];
720 	temp->u[i].flat[CAP_INHERITABLE] = newI;
721 
722     }
723 
724     working = cap_dup(temp);
725     if (raising) {
726 	ret = cap_set_flag(working, CAP_EFFECTIVE,
727 			   1, raise_cap_setpcap, CAP_SET);
728 	if (ret) {
729 	    goto defer;
730 	}
731     }
732     if ((ret = _cap_set_proc(sc, working))) {
733 	goto defer;
734     }
735     if ((ret = _cap_reset_ambient(sc))) {
736 	goto done;
737     }
738 
739     for (c = cap_max_bits(); c-- != 0; ) {
740 	unsigned offset = c >> 5;
741 	__u32 mask = 1U << (c & 31);
742 	if (iab->a[offset] & mask) {
743 	    ret = _cap_set_ambient(sc, c, CAP_SET);
744 	    if (ret) {
745 		goto done;
746 	    }
747 	}
748 	if (iab->nb[offset] & mask) {
749 	    /* drop the bounding bit */
750 	    ret = _cap_drop_bound(sc, c);
751 	    if (ret) {
752 		goto done;
753 	    }
754 	}
755     }
756 
757 done:
758     (void) cap_set_proc(temp);
759 
760 defer:
761     cap_free(working);
762     cap_free(temp);
763 
764     return ret;
765 }
766 
767 /*
768  * cap_iab_set_proc sets the iab capability vectors of the current
769  * process.
770  */
cap_iab_set_proc(cap_iab_t iab)771 int cap_iab_set_proc(cap_iab_t iab)
772 {
773     return _cap_iab_set_proc(&multithread, iab);
774 }
775 
776 /*
777  * cap_launcher_callback primes the launcher with a callback that will
778  * be invoked after the fork() but before any privilege has changed
779  * and before the execve(). This can be used to augment the state of
780  * the child process within the cap_launch() process. You can cancel
781  * any callback associated with a launcher by calling this function
782  * with a callback_fn value NULL.
783  *
784  * If the callback function returns anything other than 0, it is
785  * considered to have failed and the launch will be aborted - further,
786  * errno will be communicated to the parent.
787  */
cap_launcher_callback(cap_launch_t attr,int (callback_fn)(void * detail))788 void cap_launcher_callback(cap_launch_t attr, int (callback_fn)(void *detail))
789 {
790     attr->custom_setup_fn = callback_fn;
791 }
792 
793 /*
794  * cap_launcher_setuid primes the launcher to attempt a change of uid.
795  */
cap_launcher_setuid(cap_launch_t attr,uid_t uid)796 void cap_launcher_setuid(cap_launch_t attr, uid_t uid)
797 {
798     attr->uid = uid;
799     attr->change_uids = 1;
800 }
801 
802 /*
803  * cap_launcher_setgroups primes the launcher to attempt a change of
804  * gid and groups.
805  */
cap_launcher_setgroups(cap_launch_t attr,gid_t gid,int ngroups,const gid_t * groups)806 void cap_launcher_setgroups(cap_launch_t attr, gid_t gid,
807 			    int ngroups, const gid_t *groups)
808 {
809     attr->gid = gid;
810     attr->ngroups = ngroups;
811     attr->groups = groups;
812     attr->change_gids = 1;
813 }
814 
815 /*
816  * cap_launcher_set_mode primes the launcher to attempt a change of
817  * mode.
818  */
cap_launcher_set_mode(cap_launch_t attr,cap_mode_t flavor)819 void cap_launcher_set_mode(cap_launch_t attr, cap_mode_t flavor)
820 {
821     attr->mode = flavor;
822     attr->change_mode = 1;
823 }
824 
825 /*
826  * cap_launcher_set_iab primes the launcher to attempt to change the iab bits of
827  * the launched child.
828  */
cap_launcher_set_iab(cap_launch_t attr,cap_iab_t iab)829 cap_iab_t cap_launcher_set_iab(cap_launch_t attr, cap_iab_t iab)
830 {
831     cap_iab_t old = attr->iab;
832     attr->iab = iab;
833     return old;
834 }
835 
836 /*
837  * cap_launcher_set_chroot sets the intended chroot for the launched
838  * child.
839  */
cap_launcher_set_chroot(cap_launch_t attr,const char * chroot)840 void cap_launcher_set_chroot(cap_launch_t attr, const char *chroot)
841 {
842     attr->chroot = _libcap_strdup(chroot);
843 }
844 
_cap_chroot(struct syscaller_s * sc,const char * root)845 static int _cap_chroot(struct syscaller_s *sc, const char *root)
846 {
847     const cap_value_t raise_cap_sys_chroot[] = {CAP_SYS_CHROOT};
848     cap_t working = cap_get_proc();
849     (void) cap_set_flag(working, CAP_EFFECTIVE,
850 			1, raise_cap_sys_chroot, CAP_SET);
851     int ret = _cap_set_proc(sc, working);
852     if (ret == 0) {
853 	if (_libcap_overrode_syscalls) {
854 	    ret = sc->three(SYS_chroot, (long int) root, 0, 0);
855 	    if (ret < 0) {
856 		errno = -ret;
857 		ret = -1;
858 	    }
859 	} else {
860 	    ret = chroot(root);
861 	}
862     }
863     int olderrno = errno;
864     (void) cap_clear_flag(working, CAP_EFFECTIVE);
865     (void) _cap_set_proc(sc, working);
866     (void) cap_free(working);
867 
868     errno = olderrno;
869     return ret;
870 }
871 
872 /*
873  * _cap_launch is invoked in the forked child, it cannot return but is
874  * required to exit, if the execve fails. It will write the errno
875  * value for any failure over the filedescriptor, fd, and exit with
876  * status 1.
877  */
878 __attribute__ ((noreturn))
_cap_launch(int fd,cap_launch_t attr,void * detail)879 static void _cap_launch(int fd, cap_launch_t attr, void *detail) {
880     struct syscaller_s *sc = &singlethread;
881     int my_errno;
882 
883     if (attr->custom_setup_fn && attr->custom_setup_fn(detail)) {
884 	goto defer;
885     }
886     if (attr->arg0 == NULL) {
887 	/* handle the successful cap_func_launcher completion */
888 	exit(0);
889     }
890 
891     if (attr->change_uids && _cap_setuid(sc, attr->uid)) {
892 	goto defer;
893     }
894     if (attr->change_gids &&
895 	_cap_setgroups(sc, attr->gid, attr->ngroups, attr->groups)) {
896 	goto defer;
897     }
898     if (attr->change_mode && _cap_set_mode(sc, attr->mode)) {
899 	goto defer;
900     }
901     if (attr->iab && _cap_iab_set_proc(sc, attr->iab)) {
902 	goto defer;
903     }
904     if (attr->chroot != NULL && _cap_chroot(sc, attr->chroot)) {
905 	goto defer;
906     }
907 
908     /*
909      * Some type wrangling to work around what the kernel API really
910      * means: not "const char **".
911      */
912     const void *temp_args = attr->argv;
913     const void *temp_envp = attr->envp;
914 
915     execve(attr->arg0, temp_args, temp_envp);
916     /* if the exec worked, execution will not reach here */
917 
918 defer:
919     /*
920      * getting here means an error has occurred and errno is
921      * communicated to the parent
922      */
923     my_errno = errno;
924     for (;;) {
925 	int n = write(fd, &my_errno, sizeof(my_errno));
926 	if (n < 0 && errno == EAGAIN) {
927 	    continue;
928 	}
929 	break;
930     }
931     close(fd);
932     exit(1);
933 }
934 
935 /*
936  * cap_launch performs a wrapped fork+(callback and/or exec) that
937  * works in both an unthreaded environment and also where libcap is
938  * linked with psx+pthreads. The function supports dropping privilege
939  * in the forked thread, but retaining privilege in the parent
940  * thread(s).
941  *
942  * When applying the IAB vector inside the fork, since the ambient set
943  * is fragile with respect to changes in I or P, the function
944  * carefully orders setting of these inheritable characteristics, to
945  * make sure they stick.
946  *
947  * This function will return an error of -1 setting errno if the
948  * launch failed.
949  */
cap_launch(cap_launch_t attr,void * detail)950 pid_t cap_launch(cap_launch_t attr, void *detail) {
951     int my_errno;
952     int ps[2];
953     pid_t child;
954 
955     /* The launch must have a purpose */
956     if (attr->custom_setup_fn == NULL &&
957 	(attr->arg0 == NULL || attr->argv == NULL)) {
958 	errno = EINVAL;
959 	return -1;
960     }
961 
962     if (pipe2(ps, O_CLOEXEC) != 0) {
963 	return -1;
964     }
965 
966     child = fork();
967     my_errno = errno;
968 
969     if (!child) {
970 	close(ps[0]);
971 	prctl(PR_SET_NAME, "cap-launcher", 0, 0, 0);
972 	_cap_launch(ps[1], attr, detail);
973 	/* no return from this function */
974 	_exit(1);
975     }
976     close(ps[1]);
977     if (child < 0) {
978 	goto defer;
979     }
980 
981     /*
982      * Extend this function's return codes to include setup failures
983      * in the child.
984      */
985     for (;;) {
986 	int ignored;
987 	int n = read(ps[0], &my_errno, sizeof(my_errno));
988 	if (n == 0) {
989 	    goto defer;
990 	}
991 	if (n < 0 && errno == EAGAIN) {
992 	    continue;
993 	}
994 	waitpid(child, &ignored, 0);
995 	child = -1;
996 	my_errno = ECHILD;
997 	break;
998     }
999 
1000 defer:
1001     close(ps[0]);
1002     errno = my_errno;
1003     return child;
1004 }
1005