Root/
Source at commit cdde9cf73945d547acd3e96f9508c79e84ad0bf1 created 12 years 9 months ago. By Maarten ter Huurne, MMC: JZ4740: Added support for CPU frequency changing | |
---|---|
1 | /* |
2 | * linux/kernel/capability.c |
3 | * |
4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> |
5 | * |
6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
8 | */ |
9 | |
10 | #include <linux/audit.h> |
11 | #include <linux/capability.h> |
12 | #include <linux/mm.h> |
13 | #include <linux/export.h> |
14 | #include <linux/security.h> |
15 | #include <linux/syscalls.h> |
16 | #include <linux/pid_namespace.h> |
17 | #include <linux/user_namespace.h> |
18 | #include <asm/uaccess.h> |
19 | |
20 | /* |
21 | * Leveraged for setting/resetting capabilities |
22 | */ |
23 | |
24 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
25 | |
26 | EXPORT_SYMBOL(__cap_empty_set); |
27 | |
28 | int file_caps_enabled = 1; |
29 | |
30 | static int __init file_caps_disable(char *str) |
31 | { |
32 | file_caps_enabled = 0; |
33 | return 1; |
34 | } |
35 | __setup("no_file_caps", file_caps_disable); |
36 | |
37 | /* |
38 | * More recent versions of libcap are available from: |
39 | * |
40 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
41 | */ |
42 | |
43 | static void warn_legacy_capability_use(void) |
44 | { |
45 | static int warned; |
46 | if (!warned) { |
47 | char name[sizeof(current->comm)]; |
48 | |
49 | printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" |
50 | " (legacy support in use)\n", |
51 | get_task_comm(name, current)); |
52 | warned = 1; |
53 | } |
54 | } |
55 | |
56 | /* |
57 | * Version 2 capabilities worked fine, but the linux/capability.h file |
58 | * that accompanied their introduction encouraged their use without |
59 | * the necessary user-space source code changes. As such, we have |
60 | * created a version 3 with equivalent functionality to version 2, but |
61 | * with a header change to protect legacy source code from using |
62 | * version 2 when it wanted to use version 1. If your system has code |
63 | * that trips the following warning, it is using version 2 specific |
64 | * capabilities and may be doing so insecurely. |
65 | * |
66 | * The remedy is to either upgrade your version of libcap (to 2.10+, |
67 | * if the application is linked against it), or recompile your |
68 | * application with modern kernel headers and this warning will go |
69 | * away. |
70 | */ |
71 | |
72 | static void warn_deprecated_v2(void) |
73 | { |
74 | static int warned; |
75 | |
76 | if (!warned) { |
77 | char name[sizeof(current->comm)]; |
78 | |
79 | printk(KERN_INFO "warning: `%s' uses deprecated v2" |
80 | " capabilities in a way that may be insecure.\n", |
81 | get_task_comm(name, current)); |
82 | warned = 1; |
83 | } |
84 | } |
85 | |
86 | /* |
87 | * Version check. Return the number of u32s in each capability flag |
88 | * array, or a negative value on error. |
89 | */ |
90 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) |
91 | { |
92 | __u32 version; |
93 | |
94 | if (get_user(version, &header->version)) |
95 | return -EFAULT; |
96 | |
97 | switch (version) { |
98 | case _LINUX_CAPABILITY_VERSION_1: |
99 | warn_legacy_capability_use(); |
100 | *tocopy = _LINUX_CAPABILITY_U32S_1; |
101 | break; |
102 | case _LINUX_CAPABILITY_VERSION_2: |
103 | warn_deprecated_v2(); |
104 | /* |
105 | * fall through - v3 is otherwise equivalent to v2. |
106 | */ |
107 | case _LINUX_CAPABILITY_VERSION_3: |
108 | *tocopy = _LINUX_CAPABILITY_U32S_3; |
109 | break; |
110 | default: |
111 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) |
112 | return -EFAULT; |
113 | return -EINVAL; |
114 | } |
115 | |
116 | return 0; |
117 | } |
118 | |
119 | /* |
120 | * The only thing that can change the capabilities of the current |
121 | * process is the current process. As such, we can't be in this code |
122 | * at the same time as we are in the process of setting capabilities |
123 | * in this process. The net result is that we can limit our use of |
124 | * locks to when we are reading the caps of another process. |
125 | */ |
126 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, |
127 | kernel_cap_t *pIp, kernel_cap_t *pPp) |
128 | { |
129 | int ret; |
130 | |
131 | if (pid && (pid != task_pid_vnr(current))) { |
132 | struct task_struct *target; |
133 | |
134 | rcu_read_lock(); |
135 | |
136 | target = find_task_by_vpid(pid); |
137 | if (!target) |
138 | ret = -ESRCH; |
139 | else |
140 | ret = security_capget(target, pEp, pIp, pPp); |
141 | |
142 | rcu_read_unlock(); |
143 | } else |
144 | ret = security_capget(current, pEp, pIp, pPp); |
145 | |
146 | return ret; |
147 | } |
148 | |
149 | /** |
150 | * sys_capget - get the capabilities of a given process. |
151 | * @header: pointer to struct that contains capability version and |
152 | * target pid data |
153 | * @dataptr: pointer to struct that contains the effective, permitted, |
154 | * and inheritable capabilities that are returned |
155 | * |
156 | * Returns 0 on success and < 0 on error. |
157 | */ |
158 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
159 | { |
160 | int ret = 0; |
161 | pid_t pid; |
162 | unsigned tocopy; |
163 | kernel_cap_t pE, pI, pP; |
164 | |
165 | ret = cap_validate_magic(header, &tocopy); |
166 | if ((dataptr == NULL) || (ret != 0)) |
167 | return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
168 | |
169 | if (get_user(pid, &header->pid)) |
170 | return -EFAULT; |
171 | |
172 | if (pid < 0) |
173 | return -EINVAL; |
174 | |
175 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
176 | if (!ret) { |
177 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
178 | unsigned i; |
179 | |
180 | for (i = 0; i < tocopy; i++) { |
181 | kdata[i].effective = pE.cap[i]; |
182 | kdata[i].permitted = pP.cap[i]; |
183 | kdata[i].inheritable = pI.cap[i]; |
184 | } |
185 | |
186 | /* |
187 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
188 | * we silently drop the upper capabilities here. This |
189 | * has the effect of making older libcap |
190 | * implementations implicitly drop upper capability |
191 | * bits when they perform a: capget/modify/capset |
192 | * sequence. |
193 | * |
194 | * This behavior is considered fail-safe |
195 | * behavior. Upgrading the application to a newer |
196 | * version of libcap will enable access to the newer |
197 | * capabilities. |
198 | * |
199 | * An alternative would be to return an error here |
200 | * (-ERANGE), but that causes legacy applications to |
201 | * unexpectidly fail; the capget/modify/capset aborts |
202 | * before modification is attempted and the application |
203 | * fails. |
204 | */ |
205 | if (copy_to_user(dataptr, kdata, tocopy |
206 | * sizeof(struct __user_cap_data_struct))) { |
207 | return -EFAULT; |
208 | } |
209 | } |
210 | |
211 | return ret; |
212 | } |
213 | |
214 | /** |
215 | * sys_capset - set capabilities for a process or (*) a group of processes |
216 | * @header: pointer to struct that contains capability version and |
217 | * target pid data |
218 | * @data: pointer to struct that contains the effective, permitted, |
219 | * and inheritable capabilities |
220 | * |
221 | * Set capabilities for the current process only. The ability to any other |
222 | * process(es) has been deprecated and removed. |
223 | * |
224 | * The restrictions on setting capabilities are specified as: |
225 | * |
226 | * I: any raised capabilities must be a subset of the old permitted |
227 | * P: any raised capabilities must be a subset of the old permitted |
228 | * E: must be set to a subset of new permitted |
229 | * |
230 | * Returns 0 on success and < 0 on error. |
231 | */ |
232 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
233 | { |
234 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
235 | unsigned i, tocopy, copybytes; |
236 | kernel_cap_t inheritable, permitted, effective; |
237 | struct cred *new; |
238 | int ret; |
239 | pid_t pid; |
240 | |
241 | ret = cap_validate_magic(header, &tocopy); |
242 | if (ret != 0) |
243 | return ret; |
244 | |
245 | if (get_user(pid, &header->pid)) |
246 | return -EFAULT; |
247 | |
248 | /* may only affect current now */ |
249 | if (pid != 0 && pid != task_pid_vnr(current)) |
250 | return -EPERM; |
251 | |
252 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); |
253 | if (copybytes > sizeof(kdata)) |
254 | return -EFAULT; |
255 | |
256 | if (copy_from_user(&kdata, data, copybytes)) |
257 | return -EFAULT; |
258 | |
259 | for (i = 0; i < tocopy; i++) { |
260 | effective.cap[i] = kdata[i].effective; |
261 | permitted.cap[i] = kdata[i].permitted; |
262 | inheritable.cap[i] = kdata[i].inheritable; |
263 | } |
264 | while (i < _KERNEL_CAPABILITY_U32S) { |
265 | effective.cap[i] = 0; |
266 | permitted.cap[i] = 0; |
267 | inheritable.cap[i] = 0; |
268 | i++; |
269 | } |
270 | |
271 | new = prepare_creds(); |
272 | if (!new) |
273 | return -ENOMEM; |
274 | |
275 | ret = security_capset(new, current_cred(), |
276 | &effective, &inheritable, &permitted); |
277 | if (ret < 0) |
278 | goto error; |
279 | |
280 | audit_log_capset(pid, new, current_cred()); |
281 | |
282 | return commit_creds(new); |
283 | |
284 | error: |
285 | abort_creds(new); |
286 | return ret; |
287 | } |
288 | |
289 | /** |
290 | * has_ns_capability - Does a task have a capability in a specific user ns |
291 | * @t: The task in question |
292 | * @ns: target user namespace |
293 | * @cap: The capability to be tested for |
294 | * |
295 | * Return true if the specified task has the given superior capability |
296 | * currently in effect to the specified user namespace, false if not. |
297 | * |
298 | * Note that this does not set PF_SUPERPRIV on the task. |
299 | */ |
300 | bool has_ns_capability(struct task_struct *t, |
301 | struct user_namespace *ns, int cap) |
302 | { |
303 | int ret; |
304 | |
305 | rcu_read_lock(); |
306 | ret = security_capable(__task_cred(t), ns, cap); |
307 | rcu_read_unlock(); |
308 | |
309 | return (ret == 0); |
310 | } |
311 | |
312 | /** |
313 | * has_capability - Does a task have a capability in init_user_ns |
314 | * @t: The task in question |
315 | * @cap: The capability to be tested for |
316 | * |
317 | * Return true if the specified task has the given superior capability |
318 | * currently in effect to the initial user namespace, false if not. |
319 | * |
320 | * Note that this does not set PF_SUPERPRIV on the task. |
321 | */ |
322 | bool has_capability(struct task_struct *t, int cap) |
323 | { |
324 | return has_ns_capability(t, &init_user_ns, cap); |
325 | } |
326 | |
327 | /** |
328 | * has_ns_capability_noaudit - Does a task have a capability (unaudited) |
329 | * in a specific user ns. |
330 | * @t: The task in question |
331 | * @ns: target user namespace |
332 | * @cap: The capability to be tested for |
333 | * |
334 | * Return true if the specified task has the given superior capability |
335 | * currently in effect to the specified user namespace, false if not. |
336 | * Do not write an audit message for the check. |
337 | * |
338 | * Note that this does not set PF_SUPERPRIV on the task. |
339 | */ |
340 | bool has_ns_capability_noaudit(struct task_struct *t, |
341 | struct user_namespace *ns, int cap) |
342 | { |
343 | int ret; |
344 | |
345 | rcu_read_lock(); |
346 | ret = security_capable_noaudit(__task_cred(t), ns, cap); |
347 | rcu_read_unlock(); |
348 | |
349 | return (ret == 0); |
350 | } |
351 | |
352 | /** |
353 | * has_capability_noaudit - Does a task have a capability (unaudited) in the |
354 | * initial user ns |
355 | * @t: The task in question |
356 | * @cap: The capability to be tested for |
357 | * |
358 | * Return true if the specified task has the given superior capability |
359 | * currently in effect to init_user_ns, false if not. Don't write an |
360 | * audit message for the check. |
361 | * |
362 | * Note that this does not set PF_SUPERPRIV on the task. |
363 | */ |
364 | bool has_capability_noaudit(struct task_struct *t, int cap) |
365 | { |
366 | return has_ns_capability_noaudit(t, &init_user_ns, cap); |
367 | } |
368 | |
369 | /** |
370 | * ns_capable - Determine if the current task has a superior capability in effect |
371 | * @ns: The usernamespace we want the capability in |
372 | * @cap: The capability to be tested for |
373 | * |
374 | * Return true if the current task has the given superior capability currently |
375 | * available for use, false if not. |
376 | * |
377 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
378 | * assumption that it's about to be used. |
379 | */ |
380 | bool ns_capable(struct user_namespace *ns, int cap) |
381 | { |
382 | if (unlikely(!cap_valid(cap))) { |
383 | printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); |
384 | BUG(); |
385 | } |
386 | |
387 | if (security_capable(current_cred(), ns, cap) == 0) { |
388 | current->flags |= PF_SUPERPRIV; |
389 | return true; |
390 | } |
391 | return false; |
392 | } |
393 | EXPORT_SYMBOL(ns_capable); |
394 | |
395 | /** |
396 | * capable - Determine if the current task has a superior capability in effect |
397 | * @cap: The capability to be tested for |
398 | * |
399 | * Return true if the current task has the given superior capability currently |
400 | * available for use, false if not. |
401 | * |
402 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
403 | * assumption that it's about to be used. |
404 | */ |
405 | bool capable(int cap) |
406 | { |
407 | return ns_capable(&init_user_ns, cap); |
408 | } |
409 | EXPORT_SYMBOL(capable); |
410 | |
411 | /** |
412 | * nsown_capable - Check superior capability to one's own user_ns |
413 | * @cap: The capability in question |
414 | * |
415 | * Return true if the current task has the given superior capability |
416 | * targeted at its own user namespace. |
417 | */ |
418 | bool nsown_capable(int cap) |
419 | { |
420 | return ns_capable(current_user_ns(), cap); |
421 | } |
422 | |
423 | /** |
424 | * inode_capable - Check superior capability over inode |
425 | * @inode: The inode in question |
426 | * @cap: The capability in question |
427 | * |
428 | * Return true if the current task has the given superior capability |
429 | * targeted at it's own user namespace and that the given inode is owned |
430 | * by the current user namespace or a child namespace. |
431 | * |
432 | * Currently we check to see if an inode is owned by the current |
433 | * user namespace by seeing if the inode's owner maps into the |
434 | * current user namespace. |
435 | * |
436 | */ |
437 | bool inode_capable(const struct inode *inode, int cap) |
438 | { |
439 | struct user_namespace *ns = current_user_ns(); |
440 | |
441 | return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid); |
442 | } |
443 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9