Root/security/commoncap.c

1/* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */
9
10#include <linux/capability.h>
11#include <linux/audit.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/kernel.h>
15#include <linux/security.h>
16#include <linux/file.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/pagemap.h>
20#include <linux/swap.h>
21#include <linux/skbuff.h>
22#include <linux/netlink.h>
23#include <linux/ptrace.h>
24#include <linux/xattr.h>
25#include <linux/hugetlb.h>
26#include <linux/mount.h>
27#include <linux/sched.h>
28#include <linux/prctl.h>
29#include <linux/securebits.h>
30#include <linux/syslog.h>
31
32/*
33 * If a non-root user executes a setuid-root binary in
34 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
35 * However if fE is also set, then the intent is for only
36 * the file capabilities to be applied, and the setuid-root
37 * bit is left on either to change the uid (plausible) or
38 * to get full privilege on a kernel without file capabilities
39 * support. So in that case we do not raise capabilities.
40 *
41 * Warn if that happens, once per boot.
42 */
43static void warn_setuid_and_fcaps_mixed(const char *fname)
44{
45    static int warned;
46    if (!warned) {
47        printk(KERN_INFO "warning: `%s' has both setuid-root and"
48            " effective capabilities. Therefore not raising all"
49            " capabilities.\n", fname);
50        warned = 1;
51    }
52}
53
54int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55{
56    NETLINK_CB(skb).eff_cap = current_cap();
57    return 0;
58}
59
60int cap_netlink_recv(struct sk_buff *skb, int cap)
61{
62    if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
63        return -EPERM;
64    return 0;
65}
66EXPORT_SYMBOL(cap_netlink_recv);
67
68/**
69 * cap_capable - Determine whether a task has a particular effective capability
70 * @tsk: The task to query
71 * @cred: The credentials to use
72 * @cap: The capability to check for
73 * @audit: Whether to write an audit message or not
74 *
75 * Determine whether the nominated task has the specified capability amongst
76 * its effective set, returning 0 if it does, -ve if it does not.
77 *
78 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
79 * and has_capability() functions. That is, it has the reverse semantics:
80 * cap_has_capability() returns 0 when a task has a capability, but the
81 * kernel's capable() and has_capability() returns 1 for this case.
82 */
83int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
84        int audit)
85{
86    return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
87}
88
89/**
90 * cap_settime - Determine whether the current process may set the system clock
91 * @ts: The time to set
92 * @tz: The timezone to set
93 *
94 * Determine whether the current process may set the system clock and timezone
95 * information, returning 0 if permission granted, -ve if denied.
96 */
97int cap_settime(struct timespec *ts, struct timezone *tz)
98{
99    if (!capable(CAP_SYS_TIME))
100        return -EPERM;
101    return 0;
102}
103
104/**
105 * cap_ptrace_access_check - Determine whether the current process may access
106 * another
107 * @child: The process to be accessed
108 * @mode: The mode of attachment.
109 *
110 * Determine whether a process may access another, returning 0 if permission
111 * granted, -ve if denied.
112 */
113int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
114{
115    int ret = 0;
116
117    rcu_read_lock();
118    if (!cap_issubset(__task_cred(child)->cap_permitted,
119              current_cred()->cap_permitted) &&
120        !capable(CAP_SYS_PTRACE))
121        ret = -EPERM;
122    rcu_read_unlock();
123    return ret;
124}
125
126/**
127 * cap_ptrace_traceme - Determine whether another process may trace the current
128 * @parent: The task proposed to be the tracer
129 *
130 * Determine whether the nominated task is permitted to trace the current
131 * process, returning 0 if permission is granted, -ve if denied.
132 */
133int cap_ptrace_traceme(struct task_struct *parent)
134{
135    int ret = 0;
136
137    rcu_read_lock();
138    if (!cap_issubset(current_cred()->cap_permitted,
139              __task_cred(parent)->cap_permitted) &&
140        !has_capability(parent, CAP_SYS_PTRACE))
141        ret = -EPERM;
142    rcu_read_unlock();
143    return ret;
144}
145
146/**
147 * cap_capget - Retrieve a task's capability sets
148 * @target: The task from which to retrieve the capability sets
149 * @effective: The place to record the effective set
150 * @inheritable: The place to record the inheritable set
151 * @permitted: The place to record the permitted set
152 *
153 * This function retrieves the capabilities of the nominated task and returns
154 * them to the caller.
155 */
156int cap_capget(struct task_struct *target, kernel_cap_t *effective,
157           kernel_cap_t *inheritable, kernel_cap_t *permitted)
158{
159    const struct cred *cred;
160
161    /* Derived from kernel/capability.c:sys_capget. */
162    rcu_read_lock();
163    cred = __task_cred(target);
164    *effective = cred->cap_effective;
165    *inheritable = cred->cap_inheritable;
166    *permitted = cred->cap_permitted;
167    rcu_read_unlock();
168    return 0;
169}
170
171/*
172 * Determine whether the inheritable capabilities are limited to the old
173 * permitted set. Returns 1 if they are limited, 0 if they are not.
174 */
175static inline int cap_inh_is_capped(void)
176{
177
178    /* they are so limited unless the current task has the CAP_SETPCAP
179     * capability
180     */
181    if (cap_capable(current, current_cred(), CAP_SETPCAP,
182            SECURITY_CAP_AUDIT) == 0)
183        return 0;
184    return 1;
185}
186
187/**
188 * cap_capset - Validate and apply proposed changes to current's capabilities
189 * @new: The proposed new credentials; alterations should be made here
190 * @old: The current task's current credentials
191 * @effective: A pointer to the proposed new effective capabilities set
192 * @inheritable: A pointer to the proposed new inheritable capabilities set
193 * @permitted: A pointer to the proposed new permitted capabilities set
194 *
195 * This function validates and applies a proposed mass change to the current
196 * process's capability sets. The changes are made to the proposed new
197 * credentials, and assuming no error, will be committed by the caller of LSM.
198 */
199int cap_capset(struct cred *new,
200           const struct cred *old,
201           const kernel_cap_t *effective,
202           const kernel_cap_t *inheritable,
203           const kernel_cap_t *permitted)
204{
205    if (cap_inh_is_capped() &&
206        !cap_issubset(*inheritable,
207              cap_combine(old->cap_inheritable,
208                      old->cap_permitted)))
209        /* incapable of using this inheritable set */
210        return -EPERM;
211
212    if (!cap_issubset(*inheritable,
213              cap_combine(old->cap_inheritable,
214                      old->cap_bset)))
215        /* no new pI capabilities outside bounding set */
216        return -EPERM;
217
218    /* verify restrictions on target's new Permitted set */
219    if (!cap_issubset(*permitted, old->cap_permitted))
220        return -EPERM;
221
222    /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
223    if (!cap_issubset(*effective, *permitted))
224        return -EPERM;
225
226    new->cap_effective = *effective;
227    new->cap_inheritable = *inheritable;
228    new->cap_permitted = *permitted;
229    return 0;
230}
231
232/*
233 * Clear proposed capability sets for execve().
234 */
235static inline void bprm_clear_caps(struct linux_binprm *bprm)
236{
237    cap_clear(bprm->cred->cap_permitted);
238    bprm->cap_effective = false;
239}
240
241/**
242 * cap_inode_need_killpriv - Determine if inode change affects privileges
243 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
244 *
245 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
246 * affects the security markings on that inode, and if it is, should
247 * inode_killpriv() be invoked or the change rejected?
248 *
249 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
250 * -ve to deny the change.
251 */
252int cap_inode_need_killpriv(struct dentry *dentry)
253{
254    struct inode *inode = dentry->d_inode;
255    int error;
256
257    if (!inode->i_op->getxattr)
258           return 0;
259
260    error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
261    if (error <= 0)
262        return 0;
263    return 1;
264}
265
266/**
267 * cap_inode_killpriv - Erase the security markings on an inode
268 * @dentry: The inode/dentry to alter
269 *
270 * Erase the privilege-enhancing security markings on an inode.
271 *
272 * Returns 0 if successful, -ve on error.
273 */
274int cap_inode_killpriv(struct dentry *dentry)
275{
276    struct inode *inode = dentry->d_inode;
277
278    if (!inode->i_op->removexattr)
279           return 0;
280
281    return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
282}
283
284/*
285 * Calculate the new process capability sets from the capability sets attached
286 * to a file.
287 */
288static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
289                      struct linux_binprm *bprm,
290                      bool *effective)
291{
292    struct cred *new = bprm->cred;
293    unsigned i;
294    int ret = 0;
295
296    if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
297        *effective = true;
298
299    CAP_FOR_EACH_U32(i) {
300        __u32 permitted = caps->permitted.cap[i];
301        __u32 inheritable = caps->inheritable.cap[i];
302
303        /*
304         * pP' = (X & fP) | (pI & fI)
305         */
306        new->cap_permitted.cap[i] =
307            (new->cap_bset.cap[i] & permitted) |
308            (new->cap_inheritable.cap[i] & inheritable);
309
310        if (permitted & ~new->cap_permitted.cap[i])
311            /* insufficient to execute correctly */
312            ret = -EPERM;
313    }
314
315    /*
316     * For legacy apps, with no internal support for recognizing they
317     * do not have enough capabilities, we return an error if they are
318     * missing some "forced" (aka file-permitted) capabilities.
319     */
320    return *effective ? ret : 0;
321}
322
323/*
324 * Extract the on-exec-apply capability sets for an executable file.
325 */
326int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
327{
328    struct inode *inode = dentry->d_inode;
329    __u32 magic_etc;
330    unsigned tocopy, i;
331    int size;
332    struct vfs_cap_data caps;
333
334    memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
335
336    if (!inode || !inode->i_op->getxattr)
337        return -ENODATA;
338
339    size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps,
340                   XATTR_CAPS_SZ);
341    if (size == -ENODATA || size == -EOPNOTSUPP)
342        /* no data, that's ok */
343        return -ENODATA;
344    if (size < 0)
345        return size;
346
347    if (size < sizeof(magic_etc))
348        return -EINVAL;
349
350    cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
351
352    switch (magic_etc & VFS_CAP_REVISION_MASK) {
353    case VFS_CAP_REVISION_1:
354        if (size != XATTR_CAPS_SZ_1)
355            return -EINVAL;
356        tocopy = VFS_CAP_U32_1;
357        break;
358    case VFS_CAP_REVISION_2:
359        if (size != XATTR_CAPS_SZ_2)
360            return -EINVAL;
361        tocopy = VFS_CAP_U32_2;
362        break;
363    default:
364        return -EINVAL;
365    }
366
367    CAP_FOR_EACH_U32(i) {
368        if (i >= tocopy)
369            break;
370        cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
371        cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
372    }
373
374    return 0;
375}
376
377/*
378 * Attempt to get the on-exec apply capability sets for an executable file from
379 * its xattrs and, if present, apply them to the proposed credentials being
380 * constructed by execve().
381 */
382static int get_file_caps(struct linux_binprm *bprm, bool *effective)
383{
384    struct dentry *dentry;
385    int rc = 0;
386    struct cpu_vfs_cap_data vcaps;
387
388    bprm_clear_caps(bprm);
389
390    if (!file_caps_enabled)
391        return 0;
392
393    if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
394        return 0;
395
396    dentry = dget(bprm->file->f_dentry);
397
398    rc = get_vfs_caps_from_disk(dentry, &vcaps);
399    if (rc < 0) {
400        if (rc == -EINVAL)
401            printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
402                __func__, rc, bprm->filename);
403        else if (rc == -ENODATA)
404            rc = 0;
405        goto out;
406    }
407
408    rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective);
409    if (rc == -EINVAL)
410        printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
411               __func__, rc, bprm->filename);
412
413out:
414    dput(dentry);
415    if (rc)
416        bprm_clear_caps(bprm);
417
418    return rc;
419}
420
421/**
422 * cap_bprm_set_creds - Set up the proposed credentials for execve().
423 * @bprm: The execution parameters, including the proposed creds
424 *
425 * Set up the proposed credentials for a new execution context being
426 * constructed by execve(). The proposed creds in @bprm->cred is altered,
427 * which won't take effect immediately. Returns 0 if successful, -ve on error.
428 */
429int cap_bprm_set_creds(struct linux_binprm *bprm)
430{
431    const struct cred *old = current_cred();
432    struct cred *new = bprm->cred;
433    bool effective;
434    int ret;
435
436    effective = false;
437    ret = get_file_caps(bprm, &effective);
438    if (ret < 0)
439        return ret;
440
441    if (!issecure(SECURE_NOROOT)) {
442        /*
443         * If the legacy file capability is set, then don't set privs
444         * for a setuid root binary run by a non-root user. Do set it
445         * for a root user just to cause least surprise to an admin.
446         */
447        if (effective && new->uid != 0 && new->euid == 0) {
448            warn_setuid_and_fcaps_mixed(bprm->filename);
449            goto skip;
450        }
451        /*
452         * To support inheritance of root-permissions and suid-root
453         * executables under compatibility mode, we override the
454         * capability sets for the file.
455         *
456         * If only the real uid is 0, we do not set the effective bit.
457         */
458        if (new->euid == 0 || new->uid == 0) {
459            /* pP' = (cap_bset & ~0) | (pI & ~0) */
460            new->cap_permitted = cap_combine(old->cap_bset,
461                             old->cap_inheritable);
462        }
463        if (new->euid == 0)
464            effective = true;
465    }
466skip:
467
468    /* Don't let someone trace a set[ug]id/setpcap binary with the revised
469     * credentials unless they have the appropriate permit
470     */
471    if ((new->euid != old->uid ||
472         new->egid != old->gid ||
473         !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
474        bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
475        /* downgrade; they get no more than they had, and maybe less */
476        if (!capable(CAP_SETUID)) {
477            new->euid = new->uid;
478            new->egid = new->gid;
479        }
480        new->cap_permitted = cap_intersect(new->cap_permitted,
481                           old->cap_permitted);
482    }
483
484    new->suid = new->fsuid = new->euid;
485    new->sgid = new->fsgid = new->egid;
486
487    /* For init, we want to retain the capabilities set in the initial
488     * task. Thus we skip the usual capability rules
489     */
490    if (!is_global_init(current)) {
491        if (effective)
492            new->cap_effective = new->cap_permitted;
493        else
494            cap_clear(new->cap_effective);
495    }
496    bprm->cap_effective = effective;
497
498    /*
499     * Audit candidate if current->cap_effective is set
500     *
501     * We do not bother to audit if 3 things are true:
502     * 1) cap_effective has all caps
503     * 2) we are root
504     * 3) root is supposed to have all caps (SECURE_NOROOT)
505     * Since this is just a normal root execing a process.
506     *
507     * Number 1 above might fail if you don't have a full bset, but I think
508     * that is interesting information to audit.
509     */
510    if (!cap_isclear(new->cap_effective)) {
511        if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
512            new->euid != 0 || new->uid != 0 ||
513            issecure(SECURE_NOROOT)) {
514            ret = audit_log_bprm_fcaps(bprm, new, old);
515            if (ret < 0)
516                return ret;
517        }
518    }
519
520    new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
521    return 0;
522}
523
524/**
525 * cap_bprm_secureexec - Determine whether a secure execution is required
526 * @bprm: The execution parameters
527 *
528 * Determine whether a secure execution is required, return 1 if it is, and 0
529 * if it is not.
530 *
531 * The credentials have been committed by this point, and so are no longer
532 * available through @bprm->cred.
533 */
534int cap_bprm_secureexec(struct linux_binprm *bprm)
535{
536    const struct cred *cred = current_cred();
537
538    if (cred->uid != 0) {
539        if (bprm->cap_effective)
540            return 1;
541        if (!cap_isclear(cred->cap_permitted))
542            return 1;
543    }
544
545    return (cred->euid != cred->uid ||
546        cred->egid != cred->gid);
547}
548
549/**
550 * cap_inode_setxattr - Determine whether an xattr may be altered
551 * @dentry: The inode/dentry being altered
552 * @name: The name of the xattr to be changed
553 * @value: The value that the xattr will be changed to
554 * @size: The size of value
555 * @flags: The replacement flag
556 *
557 * Determine whether an xattr may be altered or set on an inode, returning 0 if
558 * permission is granted, -ve if denied.
559 *
560 * This is used to make sure security xattrs don't get updated or set by those
561 * who aren't privileged to do so.
562 */
563int cap_inode_setxattr(struct dentry *dentry, const char *name,
564               const void *value, size_t size, int flags)
565{
566    if (!strcmp(name, XATTR_NAME_CAPS)) {
567        if (!capable(CAP_SETFCAP))
568            return -EPERM;
569        return 0;
570    }
571
572    if (!strncmp(name, XATTR_SECURITY_PREFIX,
573             sizeof(XATTR_SECURITY_PREFIX) - 1) &&
574        !capable(CAP_SYS_ADMIN))
575        return -EPERM;
576    return 0;
577}
578
579/**
580 * cap_inode_removexattr - Determine whether an xattr may be removed
581 * @dentry: The inode/dentry being altered
582 * @name: The name of the xattr to be changed
583 *
584 * Determine whether an xattr may be removed from an inode, returning 0 if
585 * permission is granted, -ve if denied.
586 *
587 * This is used to make sure security xattrs don't get removed by those who
588 * aren't privileged to remove them.
589 */
590int cap_inode_removexattr(struct dentry *dentry, const char *name)
591{
592    if (!strcmp(name, XATTR_NAME_CAPS)) {
593        if (!capable(CAP_SETFCAP))
594            return -EPERM;
595        return 0;
596    }
597
598    if (!strncmp(name, XATTR_SECURITY_PREFIX,
599             sizeof(XATTR_SECURITY_PREFIX) - 1) &&
600        !capable(CAP_SYS_ADMIN))
601        return -EPERM;
602    return 0;
603}
604
605/*
606 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
607 * a process after a call to setuid, setreuid, or setresuid.
608 *
609 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
610 * {r,e,s}uid != 0, the permitted and effective capabilities are
611 * cleared.
612 *
613 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
614 * capabilities of the process are cleared.
615 *
616 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
617 * capabilities are set to the permitted capabilities.
618 *
619 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
620 * never happen.
621 *
622 * -astor
623 *
624 * cevans - New behaviour, Oct '99
625 * A process may, via prctl(), elect to keep its capabilities when it
626 * calls setuid() and switches away from uid==0. Both permitted and
627 * effective sets will be retained.
628 * Without this change, it was impossible for a daemon to drop only some
629 * of its privilege. The call to setuid(!=0) would drop all privileges!
630 * Keeping uid 0 is not an option because uid 0 owns too many vital
631 * files..
632 * Thanks to Olaf Kirch and Peter Benie for spotting this.
633 */
634static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
635{
636    if ((old->uid == 0 || old->euid == 0 || old->suid == 0) &&
637        (new->uid != 0 && new->euid != 0 && new->suid != 0) &&
638        !issecure(SECURE_KEEP_CAPS)) {
639        cap_clear(new->cap_permitted);
640        cap_clear(new->cap_effective);
641    }
642    if (old->euid == 0 && new->euid != 0)
643        cap_clear(new->cap_effective);
644    if (old->euid != 0 && new->euid == 0)
645        new->cap_effective = new->cap_permitted;
646}
647
648/**
649 * cap_task_fix_setuid - Fix up the results of setuid() call
650 * @new: The proposed credentials
651 * @old: The current task's current credentials
652 * @flags: Indications of what has changed
653 *
654 * Fix up the results of setuid() call before the credential changes are
655 * actually applied, returning 0 to grant the changes, -ve to deny them.
656 */
657int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
658{
659    switch (flags) {
660    case LSM_SETID_RE:
661    case LSM_SETID_ID:
662    case LSM_SETID_RES:
663        /* juggle the capabilities to follow [RES]UID changes unless
664         * otherwise suppressed */
665        if (!issecure(SECURE_NO_SETUID_FIXUP))
666            cap_emulate_setxuid(new, old);
667        break;
668
669    case LSM_SETID_FS:
670        /* juggle the capabilties to follow FSUID changes, unless
671         * otherwise suppressed
672         *
673         * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
674         * if not, we might be a bit too harsh here.
675         */
676        if (!issecure(SECURE_NO_SETUID_FIXUP)) {
677            if (old->fsuid == 0 && new->fsuid != 0)
678                new->cap_effective =
679                    cap_drop_fs_set(new->cap_effective);
680
681            if (old->fsuid != 0 && new->fsuid == 0)
682                new->cap_effective =
683                    cap_raise_fs_set(new->cap_effective,
684                             new->cap_permitted);
685        }
686        break;
687
688    default:
689        return -EINVAL;
690    }
691
692    return 0;
693}
694
695/*
696 * Rationale: code calling task_setscheduler, task_setioprio, and
697 * task_setnice, assumes that
698 * . if capable(cap_sys_nice), then those actions should be allowed
699 * . if not capable(cap_sys_nice), but acting on your own processes,
700 * then those actions should be allowed
701 * This is insufficient now since you can call code without suid, but
702 * yet with increased caps.
703 * So we check for increased caps on the target process.
704 */
705static int cap_safe_nice(struct task_struct *p)
706{
707    int is_subset;
708
709    rcu_read_lock();
710    is_subset = cap_issubset(__task_cred(p)->cap_permitted,
711                 current_cred()->cap_permitted);
712    rcu_read_unlock();
713
714    if (!is_subset && !capable(CAP_SYS_NICE))
715        return -EPERM;
716    return 0;
717}
718
719/**
720 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
721 * @p: The task to affect
722 * @policy: The policy to effect
723 * @lp: The parameters to the scheduling policy
724 *
725 * Detemine if the requested scheduler policy change is permitted for the
726 * specified task, returning 0 if permission is granted, -ve if denied.
727 */
728int cap_task_setscheduler(struct task_struct *p, int policy,
729               struct sched_param *lp)
730{
731    return cap_safe_nice(p);
732}
733
734/**
735 * cap_task_ioprio - Detemine if I/O priority change is permitted
736 * @p: The task to affect
737 * @ioprio: The I/O priority to set
738 *
739 * Detemine if the requested I/O priority change is permitted for the specified
740 * task, returning 0 if permission is granted, -ve if denied.
741 */
742int cap_task_setioprio(struct task_struct *p, int ioprio)
743{
744    return cap_safe_nice(p);
745}
746
747/**
748 * cap_task_ioprio - Detemine if task priority change is permitted
749 * @p: The task to affect
750 * @nice: The nice value to set
751 *
752 * Detemine if the requested task priority change is permitted for the
753 * specified task, returning 0 if permission is granted, -ve if denied.
754 */
755int cap_task_setnice(struct task_struct *p, int nice)
756{
757    return cap_safe_nice(p);
758}
759
760/*
761 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
762 * the current task's bounding set. Returns 0 on success, -ve on error.
763 */
764static long cap_prctl_drop(struct cred *new, unsigned long cap)
765{
766    if (!capable(CAP_SETPCAP))
767        return -EPERM;
768    if (!cap_valid(cap))
769        return -EINVAL;
770
771    cap_lower(new->cap_bset, cap);
772    return 0;
773}
774
775/**
776 * cap_task_prctl - Implement process control functions for this security module
777 * @option: The process control function requested
778 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
779 *
780 * Allow process control functions (sys_prctl()) to alter capabilities; may
781 * also deny access to other functions not otherwise implemented here.
782 *
783 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
784 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
785 * modules will consider performing the function.
786 */
787int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
788           unsigned long arg4, unsigned long arg5)
789{
790    struct cred *new;
791    long error = 0;
792
793    new = prepare_creds();
794    if (!new)
795        return -ENOMEM;
796
797    switch (option) {
798    case PR_CAPBSET_READ:
799        error = -EINVAL;
800        if (!cap_valid(arg2))
801            goto error;
802        error = !!cap_raised(new->cap_bset, arg2);
803        goto no_change;
804
805    case PR_CAPBSET_DROP:
806        error = cap_prctl_drop(new, arg2);
807        if (error < 0)
808            goto error;
809        goto changed;
810
811    /*
812     * The next four prctl's remain to assist with transitioning a
813     * system from legacy UID=0 based privilege (when filesystem
814     * capabilities are not in use) to a system using filesystem
815     * capabilities only - as the POSIX.1e draft intended.
816     *
817     * Note:
818     *
819     * PR_SET_SECUREBITS =
820     * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
821     * | issecure_mask(SECURE_NOROOT)
822     * | issecure_mask(SECURE_NOROOT_LOCKED)
823     * | issecure_mask(SECURE_NO_SETUID_FIXUP)
824     * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
825     *
826     * will ensure that the current process and all of its
827     * children will be locked into a pure
828     * capability-based-privilege environment.
829     */
830    case PR_SET_SECUREBITS:
831        error = -EPERM;
832        if ((((new->securebits & SECURE_ALL_LOCKS) >> 1)
833             & (new->securebits ^ arg2)) /*[1]*/
834            || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
835            || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
836            || (cap_capable(current, current_cred(), CAP_SETPCAP,
837                    SECURITY_CAP_AUDIT) != 0) /*[4]*/
838            /*
839             * [1] no changing of bits that are locked
840             * [2] no unlocking of locks
841             * [3] no setting of unsupported bits
842             * [4] doing anything requires privilege (go read about
843             * the "sendmail capabilities bug")
844             */
845            )
846            /* cannot change a locked bit */
847            goto error;
848        new->securebits = arg2;
849        goto changed;
850
851    case PR_GET_SECUREBITS:
852        error = new->securebits;
853        goto no_change;
854
855    case PR_GET_KEEPCAPS:
856        if (issecure(SECURE_KEEP_CAPS))
857            error = 1;
858        goto no_change;
859
860    case PR_SET_KEEPCAPS:
861        error = -EINVAL;
862        if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
863            goto error;
864        error = -EPERM;
865        if (issecure(SECURE_KEEP_CAPS_LOCKED))
866            goto error;
867        if (arg2)
868            new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
869        else
870            new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
871        goto changed;
872
873    default:
874        /* No functionality available - continue with default */
875        error = -ENOSYS;
876        goto error;
877    }
878
879    /* Functionality provided */
880changed:
881    return commit_creds(new);
882
883no_change:
884error:
885    abort_creds(new);
886    return error;
887}
888
889/**
890 * cap_syslog - Determine whether syslog function is permitted
891 * @type: Function requested
892 * @from_file: Whether this request came from an open file (i.e. /proc)
893 *
894 * Determine whether the current process is permitted to use a particular
895 * syslog function, returning 0 if permission is granted, -ve if not.
896 */
897int cap_syslog(int type, bool from_file)
898{
899    if (type != SYSLOG_ACTION_OPEN && from_file)
900        return 0;
901    if ((type != SYSLOG_ACTION_READ_ALL &&
902         type != SYSLOG_ACTION_SIZE_BUFFER) && !capable(CAP_SYS_ADMIN))
903        return -EPERM;
904    return 0;
905}
906
907/**
908 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
909 * @mm: The VM space in which the new mapping is to be made
910 * @pages: The size of the mapping
911 *
912 * Determine whether the allocation of a new virtual mapping by the current
913 * task is permitted, returning 0 if permission is granted, -ve if not.
914 */
915int cap_vm_enough_memory(struct mm_struct *mm, long pages)
916{
917    int cap_sys_admin = 0;
918
919    if (cap_capable(current, current_cred(), CAP_SYS_ADMIN,
920            SECURITY_CAP_NOAUDIT) == 0)
921        cap_sys_admin = 1;
922    return __vm_enough_memory(mm, pages, cap_sys_admin);
923}
924
925/*
926 * cap_file_mmap - check if able to map given addr
927 * @file: unused
928 * @reqprot: unused
929 * @prot: unused
930 * @flags: unused
931 * @addr: address attempting to be mapped
932 * @addr_only: unused
933 *
934 * If the process is attempting to map memory below dac_mmap_min_addr they need
935 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
936 * capability security module. Returns 0 if this mapping should be allowed
937 * -EPERM if not.
938 */
939int cap_file_mmap(struct file *file, unsigned long reqprot,
940          unsigned long prot, unsigned long flags,
941          unsigned long addr, unsigned long addr_only)
942{
943    int ret = 0;
944
945    if (addr < dac_mmap_min_addr) {
946        ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO,
947                  SECURITY_CAP_AUDIT);
948        /* set PF_SUPERPRIV if it turns out we allow the low mmap */
949        if (ret == 0)
950            current->flags |= PF_SUPERPRIV;
951    }
952    return ret;
953}
954

Archive Download this file



interactive