1 /* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */
9
10 #include <linux/capability.h>
11 #include <linux/audit.h>
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/security.h>
16 #include <linux/file.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/pagemap.h>
20 #include <linux/swap.h>
21 #include <linux/skbuff.h>
22 #include <linux/netlink.h>
23 #include <linux/ptrace.h>
24 #include <linux/xattr.h>
25 #include <linux/hugetlb.h>
26 #include <linux/mount.h>
27 #include <linux/sched.h>
28 #include <linux/prctl.h>
29 #include <linux/securebits.h>
30 #include <linux/user_namespace.h>
31 #include <linux/binfmts.h>
32 #include <linux/personality.h>
33
34 #ifdef CONFIG_ANDROID_PARANOID_NETWORK
35 #include <linux/android_aid.h>
36 #endif
37
38 /*
39 * If a non-root user executes a setuid-root binary in
40 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
41 * However if fE is also set, then the intent is for only
42 * the file capabilities to be applied, and the setuid-root
43 * bit is left on either to change the uid (plausible) or
44 * to get full privilege on a kernel without file capabilities
45 * support. So in that case we do not raise capabilities.
46 *
47 * Warn if that happens, once per boot.
48 */
warn_setuid_and_fcaps_mixed(const char * fname)49 static void warn_setuid_and_fcaps_mixed(const char *fname)
50 {
51 static int warned;
52 if (!warned) {
53 printk(KERN_INFO "warning: `%s' has both setuid-root and"
54 " effective capabilities. Therefore not raising all"
55 " capabilities.\n", fname);
56 warned = 1;
57 }
58 }
59
cap_netlink_send(struct sock * sk,struct sk_buff * skb)60 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
61 {
62 return 0;
63 }
64
65 /**
66 * cap_capable - Determine whether a task has a particular effective capability
67 * @cred: The credentials to use
68 * @ns: The user namespace in which we need the capability
69 * @cap: The capability to check for
70 * @audit: Whether to write an audit message or not
71 *
72 * Determine whether the nominated task has the specified capability amongst
73 * its effective set, returning 0 if it does, -ve if it does not.
74 *
75 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
76 * and has_capability() functions. That is, it has the reverse semantics:
77 * cap_has_capability() returns 0 when a task has a capability, but the
78 * kernel's capable() and has_capability() returns 1 for this case.
79 */
cap_capable(const struct cred * cred,struct user_namespace * targ_ns,int cap,int audit)80 int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
81 int cap, int audit)
82 {
83 struct user_namespace *ns = targ_ns;
84
85 #ifdef CONFIG_ANDROID_PARANOID_NETWORK
86 if (cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW))
87 return 0;
88 if (cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN))
89 return 0;
90 #endif
91
92 /* See if cred has the capability in the target user namespace
93 * by examining the target user namespace and all of the target
94 * user namespace's parents.
95 */
96 for (;;) {
97 /* Do we have the necessary capabilities? */
98 if (ns == cred->user_ns)
99 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
100
101 /* Have we tried all of the parent namespaces? */
102 if (ns == &init_user_ns)
103 return -EPERM;
104
105 /*
106 * The owner of the user namespace in the parent of the
107 * user namespace has all caps.
108 */
109 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
110 return 0;
111
112 /*
113 * If you have a capability in a parent user ns, then you have
114 * it over all children user namespaces as well.
115 */
116 ns = ns->parent;
117 }
118
119 /* We never get here */
120 }
121
122 /**
123 * cap_settime - Determine whether the current process may set the system clock
124 * @ts: The time to set
125 * @tz: The timezone to set
126 *
127 * Determine whether the current process may set the system clock and timezone
128 * information, returning 0 if permission granted, -ve if denied.
129 */
cap_settime(const struct timespec * ts,const struct timezone * tz)130 int cap_settime(const struct timespec *ts, const struct timezone *tz)
131 {
132 if (!capable(CAP_SYS_TIME))
133 return -EPERM;
134 return 0;
135 }
136
137 /**
138 * cap_ptrace_access_check - Determine whether the current process may access
139 * another
140 * @child: The process to be accessed
141 * @mode: The mode of attachment.
142 *
143 * If we are in the same or an ancestor user_ns and have all the target
144 * task's capabilities, then ptrace access is allowed.
145 * If we have the ptrace capability to the target user_ns, then ptrace
146 * access is allowed.
147 * Else denied.
148 *
149 * Determine whether a process may access another, returning 0 if permission
150 * granted, -ve if denied.
151 */
cap_ptrace_access_check(struct task_struct * child,unsigned int mode)152 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
153 {
154 int ret = 0;
155 const struct cred *cred, *child_cred;
156
157 rcu_read_lock();
158 cred = current_cred();
159 child_cred = __task_cred(child);
160 if (cred->user_ns == child_cred->user_ns &&
161 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
162 goto out;
163 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
164 goto out;
165 ret = -EPERM;
166 out:
167 rcu_read_unlock();
168 return ret;
169 }
170
171 /**
172 * cap_ptrace_traceme - Determine whether another process may trace the current
173 * @parent: The task proposed to be the tracer
174 *
175 * If parent is in the same or an ancestor user_ns and has all current's
176 * capabilities, then ptrace access is allowed.
177 * If parent has the ptrace capability to current's user_ns, then ptrace
178 * access is allowed.
179 * Else denied.
180 *
181 * Determine whether the nominated task is permitted to trace the current
182 * process, returning 0 if permission is granted, -ve if denied.
183 */
cap_ptrace_traceme(struct task_struct * parent)184 int cap_ptrace_traceme(struct task_struct *parent)
185 {
186 int ret = 0;
187 const struct cred *cred, *child_cred;
188
189 rcu_read_lock();
190 cred = __task_cred(parent);
191 child_cred = current_cred();
192 if (cred->user_ns == child_cred->user_ns &&
193 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
194 goto out;
195 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
196 goto out;
197 ret = -EPERM;
198 out:
199 rcu_read_unlock();
200 return ret;
201 }
202
203 /**
204 * cap_capget - Retrieve a task's capability sets
205 * @target: The task from which to retrieve the capability sets
206 * @effective: The place to record the effective set
207 * @inheritable: The place to record the inheritable set
208 * @permitted: The place to record the permitted set
209 *
210 * This function retrieves the capabilities of the nominated task and returns
211 * them to the caller.
212 */
cap_capget(struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)213 int cap_capget(struct task_struct *target, kernel_cap_t *effective,
214 kernel_cap_t *inheritable, kernel_cap_t *permitted)
215 {
216 const struct cred *cred;
217
218 /* Derived from kernel/capability.c:sys_capget. */
219 rcu_read_lock();
220 cred = __task_cred(target);
221 *effective = cred->cap_effective;
222 *inheritable = cred->cap_inheritable;
223 *permitted = cred->cap_permitted;
224 rcu_read_unlock();
225 return 0;
226 }
227
228 /*
229 * Determine whether the inheritable capabilities are limited to the old
230 * permitted set. Returns 1 if they are limited, 0 if they are not.
231 */
cap_inh_is_capped(void)232 static inline int cap_inh_is_capped(void)
233 {
234
235 /* they are so limited unless the current task has the CAP_SETPCAP
236 * capability
237 */
238 if (cap_capable(current_cred(), current_cred()->user_ns,
239 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
240 return 0;
241 return 1;
242 }
243
244 /**
245 * cap_capset - Validate and apply proposed changes to current's capabilities
246 * @new: The proposed new credentials; alterations should be made here
247 * @old: The current task's current credentials
248 * @effective: A pointer to the proposed new effective capabilities set
249 * @inheritable: A pointer to the proposed new inheritable capabilities set
250 * @permitted: A pointer to the proposed new permitted capabilities set
251 *
252 * This function validates and applies a proposed mass change to the current
253 * process's capability sets. The changes are made to the proposed new
254 * credentials, and assuming no error, will be committed by the caller of LSM.
255 */
cap_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)256 int cap_capset(struct cred *new,
257 const struct cred *old,
258 const kernel_cap_t *effective,
259 const kernel_cap_t *inheritable,
260 const kernel_cap_t *permitted)
261 {
262 if (cap_inh_is_capped() &&
263 !cap_issubset(*inheritable,
264 cap_combine(old->cap_inheritable,
265 old->cap_permitted)))
266 /* incapable of using this inheritable set */
267 return -EPERM;
268
269 if (!cap_issubset(*inheritable,
270 cap_combine(old->cap_inheritable,
271 old->cap_bset)))
272 /* no new pI capabilities outside bounding set */
273 return -EPERM;
274
275 /* verify restrictions on target's new Permitted set */
276 if (!cap_issubset(*permitted, old->cap_permitted))
277 return -EPERM;
278
279 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
280 if (!cap_issubset(*effective, *permitted))
281 return -EPERM;
282
283 new->cap_effective = *effective;
284 new->cap_inheritable = *inheritable;
285 new->cap_permitted = *permitted;
286
287 /*
288 * Mask off ambient bits that are no longer both permitted and
289 * inheritable.
290 */
291 new->cap_ambient = cap_intersect(new->cap_ambient,
292 cap_intersect(*permitted,
293 *inheritable));
294 if (WARN_ON(!cap_ambient_invariant_ok(new)))
295 return -EINVAL;
296 return 0;
297 }
298
299 /*
300 * Clear proposed capability sets for execve().
301 */
bprm_clear_caps(struct linux_binprm * bprm)302 static inline void bprm_clear_caps(struct linux_binprm *bprm)
303 {
304 cap_clear(bprm->cred->cap_permitted);
305 bprm->cap_effective = false;
306 }
307
308 /**
309 * cap_inode_need_killpriv - Determine if inode change affects privileges
310 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
311 *
312 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
313 * affects the security markings on that inode, and if it is, should
314 * inode_killpriv() be invoked or the change rejected?
315 *
316 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
317 * -ve to deny the change.
318 */
cap_inode_need_killpriv(struct dentry * dentry)319 int cap_inode_need_killpriv(struct dentry *dentry)
320 {
321 struct inode *inode = dentry->d_inode;
322 int error;
323
324 if (!inode->i_op->getxattr)
325 return 0;
326
327 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
328 if (error <= 0)
329 return 0;
330 return 1;
331 }
332
333 /**
334 * cap_inode_killpriv - Erase the security markings on an inode
335 * @dentry: The inode/dentry to alter
336 *
337 * Erase the privilege-enhancing security markings on an inode.
338 *
339 * Returns 0 if successful, -ve on error.
340 */
cap_inode_killpriv(struct dentry * dentry)341 int cap_inode_killpriv(struct dentry *dentry)
342 {
343 struct inode *inode = dentry->d_inode;
344
345 if (!inode->i_op->removexattr)
346 return 0;
347
348 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
349 }
350
351 /*
352 * Calculate the new process capability sets from the capability sets attached
353 * to a file.
354 */
bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data * caps,struct linux_binprm * bprm,bool * effective,bool * has_cap)355 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
356 struct linux_binprm *bprm,
357 bool *effective,
358 bool *has_cap)
359 {
360 struct cred *new = bprm->cred;
361 unsigned i;
362 int ret = 0;
363
364 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
365 *effective = true;
366
367 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
368 *has_cap = true;
369
370 CAP_FOR_EACH_U32(i) {
371 __u32 permitted = caps->permitted.cap[i];
372 __u32 inheritable = caps->inheritable.cap[i];
373
374 /*
375 * pP' = (X & fP) | (pI & fI)
376 * The addition of pA' is handled later.
377 */
378 new->cap_permitted.cap[i] =
379 (new->cap_bset.cap[i] & permitted) |
380 (new->cap_inheritable.cap[i] & inheritable);
381
382 if (permitted & ~new->cap_permitted.cap[i])
383 /* insufficient to execute correctly */
384 ret = -EPERM;
385 }
386
387 /*
388 * For legacy apps, with no internal support for recognizing they
389 * do not have enough capabilities, we return an error if they are
390 * missing some "forced" (aka file-permitted) capabilities.
391 */
392 return *effective ? ret : 0;
393 }
394
395 /*
396 * Extract the on-exec-apply capability sets for an executable file.
397 */
get_vfs_caps_from_disk(const struct dentry * dentry,struct cpu_vfs_cap_data * cpu_caps)398 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
399 {
400 struct inode *inode = dentry->d_inode;
401 __u32 magic_etc;
402 unsigned tocopy, i;
403 int size;
404 struct vfs_cap_data caps;
405
406 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
407
408 if (!inode || !inode->i_op->getxattr)
409 return -ENODATA;
410
411 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
412 XATTR_CAPS_SZ);
413 if (size == -ENODATA || size == -EOPNOTSUPP)
414 /* no data, that's ok */
415 return -ENODATA;
416 if (size < 0)
417 return size;
418
419 if (size < sizeof(magic_etc))
420 return -EINVAL;
421
422 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
423
424 switch (magic_etc & VFS_CAP_REVISION_MASK) {
425 case VFS_CAP_REVISION_1:
426 if (size != XATTR_CAPS_SZ_1)
427 return -EINVAL;
428 tocopy = VFS_CAP_U32_1;
429 break;
430 case VFS_CAP_REVISION_2:
431 if (size != XATTR_CAPS_SZ_2)
432 return -EINVAL;
433 tocopy = VFS_CAP_U32_2;
434 break;
435 default:
436 return -EINVAL;
437 }
438
439 CAP_FOR_EACH_U32(i) {
440 if (i >= tocopy)
441 break;
442 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
443 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
444 }
445
446 return 0;
447 }
448
449 /*
450 * Attempt to get the on-exec apply capability sets for an executable file from
451 * its xattrs and, if present, apply them to the proposed credentials being
452 * constructed by execve().
453 */
get_file_caps(struct linux_binprm * bprm,bool * effective,bool * has_cap)454 static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
455 {
456 struct dentry *dentry;
457 int rc = 0;
458 struct cpu_vfs_cap_data vcaps;
459
460 bprm_clear_caps(bprm);
461
462 if (!file_caps_enabled)
463 return 0;
464
465 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
466 return 0;
467
468 dentry = dget(bprm->file->f_dentry);
469
470 rc = get_vfs_caps_from_disk(dentry, &vcaps);
471 if (rc < 0) {
472 if (rc == -EINVAL)
473 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
474 __func__, rc, bprm->filename);
475 else if (rc == -ENODATA)
476 rc = 0;
477 goto out;
478 }
479
480 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
481 if (rc == -EINVAL)
482 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
483 __func__, rc, bprm->filename);
484
485 out:
486 dput(dentry);
487 if (rc)
488 bprm_clear_caps(bprm);
489
490 return rc;
491 }
492
493 /**
494 * cap_bprm_set_creds - Set up the proposed credentials for execve().
495 * @bprm: The execution parameters, including the proposed creds
496 *
497 * Set up the proposed credentials for a new execution context being
498 * constructed by execve(). The proposed creds in @bprm->cred is altered,
499 * which won't take effect immediately. Returns 0 if successful, -ve on error.
500 */
cap_bprm_set_creds(struct linux_binprm * bprm)501 int cap_bprm_set_creds(struct linux_binprm *bprm)
502 {
503 const struct cred *old = current_cred();
504 struct cred *new = bprm->cred;
505 bool effective, has_cap = false, is_setid;
506 int ret;
507 kuid_t root_uid;
508
509 if (WARN_ON(!cap_ambient_invariant_ok(old)))
510 return -EPERM;
511
512 effective = false;
513 ret = get_file_caps(bprm, &effective, &has_cap);
514 if (ret < 0)
515 return ret;
516
517 root_uid = make_kuid(new->user_ns, 0);
518
519 if (!issecure(SECURE_NOROOT)) {
520 /*
521 * If the legacy file capability is set, then don't set privs
522 * for a setuid root binary run by a non-root user. Do set it
523 * for a root user just to cause least surprise to an admin.
524 */
525 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
526 warn_setuid_and_fcaps_mixed(bprm->filename);
527 goto skip;
528 }
529 /*
530 * To support inheritance of root-permissions and suid-root
531 * executables under compatibility mode, we override the
532 * capability sets for the file.
533 *
534 * If only the real uid is 0, we do not set the effective bit.
535 */
536 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
537 /* pP' = (cap_bset & ~0) | (pI & ~0) */
538 new->cap_permitted = cap_combine(old->cap_bset,
539 old->cap_inheritable);
540 }
541 if (uid_eq(new->euid, root_uid))
542 effective = true;
543 }
544 skip:
545
546 /* if we have fs caps, clear dangerous personality flags */
547 if (!cap_issubset(new->cap_permitted, old->cap_permitted))
548 bprm->per_clear |= PER_CLEAR_ON_SETID;
549
550
551 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
552 * credentials unless they have the appropriate permit.
553 *
554 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
555 */
556 is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
557
558 if ((is_setid ||
559 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
560 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
561 /* downgrade; they get no more than they had, and maybe less */
562 if (!capable(CAP_SETUID) ||
563 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
564 new->euid = new->uid;
565 new->egid = new->gid;
566 }
567 new->cap_permitted = cap_intersect(new->cap_permitted,
568 old->cap_permitted);
569 }
570
571 new->suid = new->fsuid = new->euid;
572 new->sgid = new->fsgid = new->egid;
573
574 /* File caps or setid cancels ambient. */
575 if (has_cap || is_setid)
576 cap_clear(new->cap_ambient);
577
578 /*
579 * Now that we've computed pA', update pP' to give:
580 * pP' = (X & fP) | (pI & fI) | pA'
581 */
582 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
583
584 /*
585 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
586 * this is the same as pE' = (fE ? pP' : 0) | pA'.
587 */
588 if (effective)
589 new->cap_effective = new->cap_permitted;
590 else
591 new->cap_effective = new->cap_ambient;
592
593 if (WARN_ON(!cap_ambient_invariant_ok(new)))
594 return -EPERM;
595
596 bprm->cap_effective = effective;
597
598 /*
599 * Audit candidate if current->cap_effective is set
600 *
601 * We do not bother to audit if 3 things are true:
602 * 1) cap_effective has all caps
603 * 2) we are root
604 * 3) root is supposed to have all caps (SECURE_NOROOT)
605 * Since this is just a normal root execing a process.
606 *
607 * Number 1 above might fail if you don't have a full bset, but I think
608 * that is interesting information to audit.
609 */
610 if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
611 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
612 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
613 issecure(SECURE_NOROOT)) {
614 ret = audit_log_bprm_fcaps(bprm, new, old);
615 if (ret < 0)
616 return ret;
617 }
618 }
619
620 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
621
622 if (WARN_ON(!cap_ambient_invariant_ok(new)))
623 return -EPERM;
624
625 return 0;
626 }
627
628 /**
629 * cap_bprm_secureexec - Determine whether a secure execution is required
630 * @bprm: The execution parameters
631 *
632 * Determine whether a secure execution is required, return 1 if it is, and 0
633 * if it is not.
634 *
635 * The credentials have been committed by this point, and so are no longer
636 * available through @bprm->cred.
637 */
cap_bprm_secureexec(struct linux_binprm * bprm)638 int cap_bprm_secureexec(struct linux_binprm *bprm)
639 {
640 const struct cred *cred = current_cred();
641 kuid_t root_uid = make_kuid(cred->user_ns, 0);
642
643 if (!uid_eq(cred->uid, root_uid)) {
644 if (bprm->cap_effective)
645 return 1;
646 if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
647 return 1;
648 }
649
650 return (!uid_eq(cred->euid, cred->uid) ||
651 !gid_eq(cred->egid, cred->gid));
652 }
653
654 /**
655 * cap_inode_setxattr - Determine whether an xattr may be altered
656 * @dentry: The inode/dentry being altered
657 * @name: The name of the xattr to be changed
658 * @value: The value that the xattr will be changed to
659 * @size: The size of value
660 * @flags: The replacement flag
661 *
662 * Determine whether an xattr may be altered or set on an inode, returning 0 if
663 * permission is granted, -ve if denied.
664 *
665 * This is used to make sure security xattrs don't get updated or set by those
666 * who aren't privileged to do so.
667 */
cap_inode_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)668 int cap_inode_setxattr(struct dentry *dentry, const char *name,
669 const void *value, size_t size, int flags)
670 {
671 if (!strcmp(name, XATTR_NAME_CAPS)) {
672 if (!capable(CAP_SETFCAP))
673 return -EPERM;
674 return 0;
675 }
676
677 if (!strncmp(name, XATTR_SECURITY_PREFIX,
678 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
679 !capable(CAP_SYS_ADMIN))
680 return -EPERM;
681 return 0;
682 }
683
684 /**
685 * cap_inode_removexattr - Determine whether an xattr may be removed
686 * @dentry: The inode/dentry being altered
687 * @name: The name of the xattr to be changed
688 *
689 * Determine whether an xattr may be removed from an inode, returning 0 if
690 * permission is granted, -ve if denied.
691 *
692 * This is used to make sure security xattrs don't get removed by those who
693 * aren't privileged to remove them.
694 */
cap_inode_removexattr(struct dentry * dentry,const char * name)695 int cap_inode_removexattr(struct dentry *dentry, const char *name)
696 {
697 if (!strcmp(name, XATTR_NAME_CAPS)) {
698 if (!capable(CAP_SETFCAP))
699 return -EPERM;
700 return 0;
701 }
702
703 if (!strncmp(name, XATTR_SECURITY_PREFIX,
704 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
705 !capable(CAP_SYS_ADMIN))
706 return -EPERM;
707 return 0;
708 }
709
710 /*
711 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
712 * a process after a call to setuid, setreuid, or setresuid.
713 *
714 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
715 * {r,e,s}uid != 0, the permitted and effective capabilities are
716 * cleared.
717 *
718 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
719 * capabilities of the process are cleared.
720 *
721 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
722 * capabilities are set to the permitted capabilities.
723 *
724 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
725 * never happen.
726 *
727 * -astor
728 *
729 * cevans - New behaviour, Oct '99
730 * A process may, via prctl(), elect to keep its capabilities when it
731 * calls setuid() and switches away from uid==0. Both permitted and
732 * effective sets will be retained.
733 * Without this change, it was impossible for a daemon to drop only some
734 * of its privilege. The call to setuid(!=0) would drop all privileges!
735 * Keeping uid 0 is not an option because uid 0 owns too many vital
736 * files..
737 * Thanks to Olaf Kirch and Peter Benie for spotting this.
738 */
cap_emulate_setxuid(struct cred * new,const struct cred * old)739 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
740 {
741 kuid_t root_uid = make_kuid(old->user_ns, 0);
742
743 if ((uid_eq(old->uid, root_uid) ||
744 uid_eq(old->euid, root_uid) ||
745 uid_eq(old->suid, root_uid)) &&
746 (!uid_eq(new->uid, root_uid) &&
747 !uid_eq(new->euid, root_uid) &&
748 !uid_eq(new->suid, root_uid))) {
749 if (!issecure(SECURE_KEEP_CAPS)) {
750 cap_clear(new->cap_permitted);
751 cap_clear(new->cap_effective);
752 }
753
754 /*
755 * Pre-ambient programs expect setresuid to nonroot followed
756 * by exec to drop capabilities. We should make sure that
757 * this remains the case.
758 */
759 cap_clear(new->cap_ambient);
760 }
761 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
762 cap_clear(new->cap_effective);
763 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
764 new->cap_effective = new->cap_permitted;
765 }
766
767 /**
768 * cap_task_fix_setuid - Fix up the results of setuid() call
769 * @new: The proposed credentials
770 * @old: The current task's current credentials
771 * @flags: Indications of what has changed
772 *
773 * Fix up the results of setuid() call before the credential changes are
774 * actually applied, returning 0 to grant the changes, -ve to deny them.
775 */
cap_task_fix_setuid(struct cred * new,const struct cred * old,int flags)776 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
777 {
778 switch (flags) {
779 case LSM_SETID_RE:
780 case LSM_SETID_ID:
781 case LSM_SETID_RES:
782 /* juggle the capabilities to follow [RES]UID changes unless
783 * otherwise suppressed */
784 if (!issecure(SECURE_NO_SETUID_FIXUP))
785 cap_emulate_setxuid(new, old);
786 break;
787
788 case LSM_SETID_FS:
789 /* juggle the capabilties to follow FSUID changes, unless
790 * otherwise suppressed
791 *
792 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
793 * if not, we might be a bit too harsh here.
794 */
795 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
796 kuid_t root_uid = make_kuid(old->user_ns, 0);
797 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
798 new->cap_effective =
799 cap_drop_fs_set(new->cap_effective);
800
801 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
802 new->cap_effective =
803 cap_raise_fs_set(new->cap_effective,
804 new->cap_permitted);
805 }
806 break;
807
808 default:
809 return -EINVAL;
810 }
811
812 return 0;
813 }
814
815 /*
816 * Rationale: code calling task_setscheduler, task_setioprio, and
817 * task_setnice, assumes that
818 * . if capable(cap_sys_nice), then those actions should be allowed
819 * . if not capable(cap_sys_nice), but acting on your own processes,
820 * then those actions should be allowed
821 * This is insufficient now since you can call code without suid, but
822 * yet with increased caps.
823 * So we check for increased caps on the target process.
824 */
cap_safe_nice(struct task_struct * p)825 static int cap_safe_nice(struct task_struct *p)
826 {
827 int is_subset;
828
829 rcu_read_lock();
830 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
831 current_cred()->cap_permitted);
832 rcu_read_unlock();
833
834 if (!is_subset && !capable(CAP_SYS_NICE))
835 return -EPERM;
836 return 0;
837 }
838
839 /**
840 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
841 * @p: The task to affect
842 *
843 * Detemine if the requested scheduler policy change is permitted for the
844 * specified task, returning 0 if permission is granted, -ve if denied.
845 */
cap_task_setscheduler(struct task_struct * p)846 int cap_task_setscheduler(struct task_struct *p)
847 {
848 return cap_safe_nice(p);
849 }
850
851 /**
852 * cap_task_ioprio - Detemine if I/O priority change is permitted
853 * @p: The task to affect
854 * @ioprio: The I/O priority to set
855 *
856 * Detemine if the requested I/O priority change is permitted for the specified
857 * task, returning 0 if permission is granted, -ve if denied.
858 */
cap_task_setioprio(struct task_struct * p,int ioprio)859 int cap_task_setioprio(struct task_struct *p, int ioprio)
860 {
861 return cap_safe_nice(p);
862 }
863
864 /**
865 * cap_task_ioprio - Detemine if task priority change is permitted
866 * @p: The task to affect
867 * @nice: The nice value to set
868 *
869 * Detemine if the requested task priority change is permitted for the
870 * specified task, returning 0 if permission is granted, -ve if denied.
871 */
cap_task_setnice(struct task_struct * p,int nice)872 int cap_task_setnice(struct task_struct *p, int nice)
873 {
874 return cap_safe_nice(p);
875 }
876
877 /*
878 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
879 * the current task's bounding set. Returns 0 on success, -ve on error.
880 */
cap_prctl_drop(unsigned long cap)881 static int cap_prctl_drop(unsigned long cap)
882 {
883 struct cred *new;
884
885 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
886 return -EPERM;
887 if (!cap_valid(cap))
888 return -EINVAL;
889
890 new = prepare_creds();
891 if (!new)
892 return -ENOMEM;
893 cap_lower(new->cap_bset, cap);
894 return commit_creds(new);
895 }
896
897 /**
898 * cap_task_prctl - Implement process control functions for this security module
899 * @option: The process control function requested
900 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
901 *
902 * Allow process control functions (sys_prctl()) to alter capabilities; may
903 * also deny access to other functions not otherwise implemented here.
904 *
905 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
906 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
907 * modules will consider performing the function.
908 */
cap_task_prctl(int option,unsigned long arg2,unsigned long arg3,unsigned long arg4,unsigned long arg5)909 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
910 unsigned long arg4, unsigned long arg5)
911 {
912 const struct cred *old = current_cred();
913 struct cred *new;
914
915 switch (option) {
916 case PR_CAPBSET_READ:
917 if (!cap_valid(arg2))
918 return -EINVAL;
919 return !!cap_raised(old->cap_bset, arg2);
920
921 case PR_CAPBSET_DROP:
922 return cap_prctl_drop(arg2);
923
924 /*
925 * The next four prctl's remain to assist with transitioning a
926 * system from legacy UID=0 based privilege (when filesystem
927 * capabilities are not in use) to a system using filesystem
928 * capabilities only - as the POSIX.1e draft intended.
929 *
930 * Note:
931 *
932 * PR_SET_SECUREBITS =
933 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
934 * | issecure_mask(SECURE_NOROOT)
935 * | issecure_mask(SECURE_NOROOT_LOCKED)
936 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
937 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
938 *
939 * will ensure that the current process and all of its
940 * children will be locked into a pure
941 * capability-based-privilege environment.
942 */
943 case PR_SET_SECUREBITS:
944 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
945 & (old->securebits ^ arg2)) /*[1]*/
946 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
947 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
948 || (cap_capable(current_cred(),
949 current_cred()->user_ns, CAP_SETPCAP,
950 SECURITY_CAP_AUDIT) != 0) /*[4]*/
951 /*
952 * [1] no changing of bits that are locked
953 * [2] no unlocking of locks
954 * [3] no setting of unsupported bits
955 * [4] doing anything requires privilege (go read about
956 * the "sendmail capabilities bug")
957 */
958 )
959 /* cannot change a locked bit */
960 return -EPERM;
961
962 new = prepare_creds();
963 if (!new)
964 return -ENOMEM;
965 new->securebits = arg2;
966 return commit_creds(new);
967
968 case PR_GET_SECUREBITS:
969 return old->securebits;
970
971 case PR_GET_KEEPCAPS:
972 return !!issecure(SECURE_KEEP_CAPS);
973
974 case PR_SET_KEEPCAPS:
975 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
976 return -EINVAL;
977 if (issecure(SECURE_KEEP_CAPS_LOCKED))
978 return -EPERM;
979
980 new = prepare_creds();
981 if (!new)
982 return -ENOMEM;
983 if (arg2)
984 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
985 else
986 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
987 return commit_creds(new);
988
989 case PR_CAP_AMBIENT:
990 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
991 if (arg3 | arg4 | arg5)
992 return -EINVAL;
993
994 new = prepare_creds();
995 if (!new)
996 return -ENOMEM;
997 cap_clear(new->cap_ambient);
998 return commit_creds(new);
999 }
1000
1001 if (((!cap_valid(arg3)) | arg4 | arg5))
1002 return -EINVAL;
1003
1004 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
1005 return !!cap_raised(current_cred()->cap_ambient, arg3);
1006 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
1007 arg2 != PR_CAP_AMBIENT_LOWER) {
1008 return -EINVAL;
1009 } else {
1010 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1011 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1012 !cap_raised(current_cred()->cap_inheritable,
1013 arg3)))
1014 return -EPERM;
1015
1016 new = prepare_creds();
1017 if (!new)
1018 return -ENOMEM;
1019 if (arg2 == PR_CAP_AMBIENT_RAISE)
1020 cap_raise(new->cap_ambient, arg3);
1021 else
1022 cap_lower(new->cap_ambient, arg3);
1023 return commit_creds(new);
1024 }
1025
1026 default:
1027 /* No functionality available - continue with default */
1028 return -ENOSYS;
1029 }
1030 }
1031
1032 /**
1033 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1034 * @mm: The VM space in which the new mapping is to be made
1035 * @pages: The size of the mapping
1036 *
1037 * Determine whether the allocation of a new virtual mapping by the current
1038 * task is permitted, returning 0 if permission is granted, -ve if not.
1039 */
cap_vm_enough_memory(struct mm_struct * mm,long pages)1040 int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1041 {
1042 int cap_sys_admin = 0;
1043
1044 if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
1045 SECURITY_CAP_NOAUDIT) == 0)
1046 cap_sys_admin = 1;
1047 return __vm_enough_memory(mm, pages, cap_sys_admin);
1048 }
1049
1050 /*
1051 * cap_mmap_addr - check if able to map given addr
1052 * @addr: address attempting to be mapped
1053 *
1054 * If the process is attempting to map memory below dac_mmap_min_addr they need
1055 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
1056 * capability security module. Returns 0 if this mapping should be allowed
1057 * -EPERM if not.
1058 */
cap_mmap_addr(unsigned long addr)1059 int cap_mmap_addr(unsigned long addr)
1060 {
1061 int ret = 0;
1062
1063 if (addr < dac_mmap_min_addr) {
1064 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
1065 SECURITY_CAP_AUDIT);
1066 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1067 if (ret == 0)
1068 current->flags |= PF_SUPERPRIV;
1069 }
1070 return ret;
1071 }
1072
cap_mmap_file(struct file * file,unsigned long reqprot,unsigned long prot,unsigned long flags)1073 int cap_mmap_file(struct file *file, unsigned long reqprot,
1074 unsigned long prot, unsigned long flags)
1075 {
1076 return 0;
1077 }
1078