Root/
1 | /* |
2 | * linux/kernel/capability.c |
3 | * |
4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> |
5 | * |
6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
8 | */ |
9 | |
10 | #include <linux/audit.h> |
11 | #include <linux/capability.h> |
12 | #include <linux/mm.h> |
13 | #include <linux/module.h> |
14 | #include <linux/security.h> |
15 | #include <linux/syscalls.h> |
16 | #include <linux/pid_namespace.h> |
17 | #include <asm/uaccess.h> |
18 | #include "cred-internals.h" |
19 | |
20 | /* |
21 | * Leveraged for setting/resetting capabilities |
22 | */ |
23 | |
24 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
25 | const kernel_cap_t __cap_full_set = CAP_FULL_SET; |
26 | const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; |
27 | |
28 | EXPORT_SYMBOL(__cap_empty_set); |
29 | EXPORT_SYMBOL(__cap_full_set); |
30 | EXPORT_SYMBOL(__cap_init_eff_set); |
31 | |
32 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES |
33 | int file_caps_enabled = 1; |
34 | |
35 | static int __init file_caps_disable(char *str) |
36 | { |
37 | file_caps_enabled = 0; |
38 | return 1; |
39 | } |
40 | __setup("no_file_caps", file_caps_disable); |
41 | #endif |
42 | |
43 | /* |
44 | * More recent versions of libcap are available from: |
45 | * |
46 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
47 | */ |
48 | |
49 | static void warn_legacy_capability_use(void) |
50 | { |
51 | static int warned; |
52 | if (!warned) { |
53 | char name[sizeof(current->comm)]; |
54 | |
55 | printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" |
56 | " (legacy support in use)\n", |
57 | get_task_comm(name, current)); |
58 | warned = 1; |
59 | } |
60 | } |
61 | |
62 | /* |
63 | * Version 2 capabilities worked fine, but the linux/capability.h file |
64 | * that accompanied their introduction encouraged their use without |
65 | * the necessary user-space source code changes. As such, we have |
66 | * created a version 3 with equivalent functionality to version 2, but |
67 | * with a header change to protect legacy source code from using |
68 | * version 2 when it wanted to use version 1. If your system has code |
69 | * that trips the following warning, it is using version 2 specific |
70 | * capabilities and may be doing so insecurely. |
71 | * |
72 | * The remedy is to either upgrade your version of libcap (to 2.10+, |
73 | * if the application is linked against it), or recompile your |
74 | * application with modern kernel headers and this warning will go |
75 | * away. |
76 | */ |
77 | |
78 | static void warn_deprecated_v2(void) |
79 | { |
80 | static int warned; |
81 | |
82 | if (!warned) { |
83 | char name[sizeof(current->comm)]; |
84 | |
85 | printk(KERN_INFO "warning: `%s' uses deprecated v2" |
86 | " capabilities in a way that may be insecure.\n", |
87 | get_task_comm(name, current)); |
88 | warned = 1; |
89 | } |
90 | } |
91 | |
92 | /* |
93 | * Version check. Return the number of u32s in each capability flag |
94 | * array, or a negative value on error. |
95 | */ |
96 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) |
97 | { |
98 | __u32 version; |
99 | |
100 | if (get_user(version, &header->version)) |
101 | return -EFAULT; |
102 | |
103 | switch (version) { |
104 | case _LINUX_CAPABILITY_VERSION_1: |
105 | warn_legacy_capability_use(); |
106 | *tocopy = _LINUX_CAPABILITY_U32S_1; |
107 | break; |
108 | case _LINUX_CAPABILITY_VERSION_2: |
109 | warn_deprecated_v2(); |
110 | /* |
111 | * fall through - v3 is otherwise equivalent to v2. |
112 | */ |
113 | case _LINUX_CAPABILITY_VERSION_3: |
114 | *tocopy = _LINUX_CAPABILITY_U32S_3; |
115 | break; |
116 | default: |
117 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) |
118 | return -EFAULT; |
119 | return -EINVAL; |
120 | } |
121 | |
122 | return 0; |
123 | } |
124 | |
125 | /* |
126 | * The only thing that can change the capabilities of the current |
127 | * process is the current process. As such, we can't be in this code |
128 | * at the same time as we are in the process of setting capabilities |
129 | * in this process. The net result is that we can limit our use of |
130 | * locks to when we are reading the caps of another process. |
131 | */ |
132 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, |
133 | kernel_cap_t *pIp, kernel_cap_t *pPp) |
134 | { |
135 | int ret; |
136 | |
137 | if (pid && (pid != task_pid_vnr(current))) { |
138 | struct task_struct *target; |
139 | |
140 | read_lock(&tasklist_lock); |
141 | |
142 | target = find_task_by_vpid(pid); |
143 | if (!target) |
144 | ret = -ESRCH; |
145 | else |
146 | ret = security_capget(target, pEp, pIp, pPp); |
147 | |
148 | read_unlock(&tasklist_lock); |
149 | } else |
150 | ret = security_capget(current, pEp, pIp, pPp); |
151 | |
152 | return ret; |
153 | } |
154 | |
155 | /** |
156 | * sys_capget - get the capabilities of a given process. |
157 | * @header: pointer to struct that contains capability version and |
158 | * target pid data |
159 | * @dataptr: pointer to struct that contains the effective, permitted, |
160 | * and inheritable capabilities that are returned |
161 | * |
162 | * Returns 0 on success and < 0 on error. |
163 | */ |
164 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
165 | { |
166 | int ret = 0; |
167 | pid_t pid; |
168 | unsigned tocopy; |
169 | kernel_cap_t pE, pI, pP; |
170 | |
171 | ret = cap_validate_magic(header, &tocopy); |
172 | if (ret != 0) |
173 | return ret; |
174 | |
175 | if (get_user(pid, &header->pid)) |
176 | return -EFAULT; |
177 | |
178 | if (pid < 0) |
179 | return -EINVAL; |
180 | |
181 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
182 | if (!ret) { |
183 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
184 | unsigned i; |
185 | |
186 | for (i = 0; i < tocopy; i++) { |
187 | kdata[i].effective = pE.cap[i]; |
188 | kdata[i].permitted = pP.cap[i]; |
189 | kdata[i].inheritable = pI.cap[i]; |
190 | } |
191 | |
192 | /* |
193 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
194 | * we silently drop the upper capabilities here. This |
195 | * has the effect of making older libcap |
196 | * implementations implicitly drop upper capability |
197 | * bits when they perform a: capget/modify/capset |
198 | * sequence. |
199 | * |
200 | * This behavior is considered fail-safe |
201 | * behavior. Upgrading the application to a newer |
202 | * version of libcap will enable access to the newer |
203 | * capabilities. |
204 | * |
205 | * An alternative would be to return an error here |
206 | * (-ERANGE), but that causes legacy applications to |
207 | * unexpectidly fail; the capget/modify/capset aborts |
208 | * before modification is attempted and the application |
209 | * fails. |
210 | */ |
211 | if (copy_to_user(dataptr, kdata, tocopy |
212 | * sizeof(struct __user_cap_data_struct))) { |
213 | return -EFAULT; |
214 | } |
215 | } |
216 | |
217 | return ret; |
218 | } |
219 | |
220 | /** |
221 | * sys_capset - set capabilities for a process or (*) a group of processes |
222 | * @header: pointer to struct that contains capability version and |
223 | * target pid data |
224 | * @data: pointer to struct that contains the effective, permitted, |
225 | * and inheritable capabilities |
226 | * |
227 | * Set capabilities for the current process only. The ability to any other |
228 | * process(es) has been deprecated and removed. |
229 | * |
230 | * The restrictions on setting capabilities are specified as: |
231 | * |
232 | * I: any raised capabilities must be a subset of the old permitted |
233 | * P: any raised capabilities must be a subset of the old permitted |
234 | * E: must be set to a subset of new permitted |
235 | * |
236 | * Returns 0 on success and < 0 on error. |
237 | */ |
238 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
239 | { |
240 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
241 | unsigned i, tocopy; |
242 | kernel_cap_t inheritable, permitted, effective; |
243 | struct cred *new; |
244 | int ret; |
245 | pid_t pid; |
246 | |
247 | ret = cap_validate_magic(header, &tocopy); |
248 | if (ret != 0) |
249 | return ret; |
250 | |
251 | if (get_user(pid, &header->pid)) |
252 | return -EFAULT; |
253 | |
254 | /* may only affect current now */ |
255 | if (pid != 0 && pid != task_pid_vnr(current)) |
256 | return -EPERM; |
257 | |
258 | if (copy_from_user(&kdata, data, |
259 | tocopy * sizeof(struct __user_cap_data_struct))) |
260 | return -EFAULT; |
261 | |
262 | for (i = 0; i < tocopy; i++) { |
263 | effective.cap[i] = kdata[i].effective; |
264 | permitted.cap[i] = kdata[i].permitted; |
265 | inheritable.cap[i] = kdata[i].inheritable; |
266 | } |
267 | while (i < _KERNEL_CAPABILITY_U32S) { |
268 | effective.cap[i] = 0; |
269 | permitted.cap[i] = 0; |
270 | inheritable.cap[i] = 0; |
271 | i++; |
272 | } |
273 | |
274 | new = prepare_creds(); |
275 | if (!new) |
276 | return -ENOMEM; |
277 | |
278 | ret = security_capset(new, current_cred(), |
279 | &effective, &inheritable, &permitted); |
280 | if (ret < 0) |
281 | goto error; |
282 | |
283 | audit_log_capset(pid, new, current_cred()); |
284 | |
285 | return commit_creds(new); |
286 | |
287 | error: |
288 | abort_creds(new); |
289 | return ret; |
290 | } |
291 | |
292 | /** |
293 | * capable - Determine if the current task has a superior capability in effect |
294 | * @cap: The capability to be tested for |
295 | * |
296 | * Return true if the current task has the given superior capability currently |
297 | * available for use, false if not. |
298 | * |
299 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
300 | * assumption that it's about to be used. |
301 | */ |
302 | int capable(int cap) |
303 | { |
304 | if (unlikely(!cap_valid(cap))) { |
305 | printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); |
306 | BUG(); |
307 | } |
308 | |
309 | if (security_capable(cap) == 0) { |
310 | current->flags |= PF_SUPERPRIV; |
311 | return 1; |
312 | } |
313 | return 0; |
314 | } |
315 | EXPORT_SYMBOL(capable); |
316 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9