projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
defconfig: set extra cmdline for apex
[GitHub/exynos8895/android_kernel_samsung_universal8895.git] / kernel / capability.c
1 /*
2 * linux/kernel/capability.c
3 *
4 * Copyright (C) 1997 Andrew Main <zefram@fysh.org>
5 *
6 * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
7 * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
8 */
9
10 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
12 #include <linux/audit.h>
13 #include <linux/capability.h>
14 #include <linux/mm.h>
15 #include <linux/export.h>
16 #include <linux/security.h>
17 #include <linux/syscalls.h>
18 #include <linux/pid_namespace.h>
19 #include <linux/user_namespace.h>
20 #include <asm/uaccess.h>
21
22 #ifdef CONFIG_LOD_SEC
23 #include <linux/linux_on_dex.h>
24 #endif
25
26 /*
27 * Leveraged for setting/resetting capabilities
28 */
29
30 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
31 EXPORT_SYMBOL(__cap_empty_set);
32
33 int file_caps_enabled = 1;
34
35 static int __init file_caps_disable(char *str)
36 {
37 file_caps_enabled = 0;
38 return 1;
39 }
40 __setup("no_file_caps", file_caps_disable);
41
42 #ifdef CONFIG_MULTIUSER
43 /*
44 * More recent versions of libcap are available from:
45 *
46 * http://www.kernel.org/pub/linux/libs/security/linux-privs/
47 */
48
49 static void warn_legacy_capability_use(void)
50 {
51 char name[sizeof(current->comm)];
52
53 pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n",
54 get_task_comm(name, current));
55 }
56
57 /*
58 * Version 2 capabilities worked fine, but the linux/capability.h file
59 * that accompanied their introduction encouraged their use without
60 * the necessary user-space source code changes. As such, we have
61 * created a version 3 with equivalent functionality to version 2, but
62 * with a header change to protect legacy source code from using
63 * version 2 when it wanted to use version 1. If your system has code
64 * that trips the following warning, it is using version 2 specific
65 * capabilities and may be doing so insecurely.
66 *
67 * The remedy is to either upgrade your version of libcap (to 2.10+,
68 * if the application is linked against it), or recompile your
69 * application with modern kernel headers and this warning will go
70 * away.
71 */
72
73 static void warn_deprecated_v2(void)
74 {
75 char name[sizeof(current->comm)];
76
77 pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n",
78 get_task_comm(name, current));
79 }
80
81 /*
82 * Version check. Return the number of u32s in each capability flag
83 * array, or a negative value on error.
84 */
85 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
86 {
87 __u32 version;
88
89 if (get_user(version, &header->version))
90 return -EFAULT;
91
92 switch (version) {
93 case _LINUX_CAPABILITY_VERSION_1:
94 warn_legacy_capability_use();
95 *tocopy = _LINUX_CAPABILITY_U32S_1;
96 break;
97 case _LINUX_CAPABILITY_VERSION_2:
98 warn_deprecated_v2();
99 /*
100 * fall through - v3 is otherwise equivalent to v2.
101 */
102 case _LINUX_CAPABILITY_VERSION_3:
103 *tocopy = _LINUX_CAPABILITY_U32S_3;
104 break;
105 default:
106 if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
107 return -EFAULT;
108 return -EINVAL;
109 }
110
111 return 0;
112 }
113
114 /*
115 * The only thing that can change the capabilities of the current
116 * process is the current process. As such, we can't be in this code
117 * at the same time as we are in the process of setting capabilities
118 * in this process. The net result is that we can limit our use of
119 * locks to when we are reading the caps of another process.
120 */
121 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
122 kernel_cap_t *pIp, kernel_cap_t *pPp)
123 {
124 int ret;
125
126 if (pid && (pid != task_pid_vnr(current))) {
127 struct task_struct *target;
128
129 rcu_read_lock();
130
131 target = find_task_by_vpid(pid);
132 if (!target)
133 ret = -ESRCH;
134 else
135 ret = security_capget(target, pEp, pIp, pPp);
136
137 rcu_read_unlock();
138 } else
139 ret = security_capget(current, pEp, pIp, pPp);
140
141 return ret;
142 }
143
144 /**
145 * sys_capget - get the capabilities of a given process.
146 * @header: pointer to struct that contains capability version and
147 * target pid data
148 * @dataptr: pointer to struct that contains the effective, permitted,
149 * and inheritable capabilities that are returned
150 *
151 * Returns 0 on success and < 0 on error.
152 */
153 SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
154 {
155 int ret = 0;
156 pid_t pid;
157 unsigned tocopy;
158 kernel_cap_t pE, pI, pP;
159
160 ret = cap_validate_magic(header, &tocopy);
161 if ((dataptr == NULL) || (ret != 0))
162 return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
163
164 if (get_user(pid, &header->pid))
165 return -EFAULT;
166
167 if (pid < 0)
168 return -EINVAL;
169
170 ret = cap_get_target_pid(pid, &pE, &pI, &pP);
171 if (!ret) {
172 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
173 unsigned i;
174
175 for (i = 0; i < tocopy; i++) {
176 kdata[i].effective = pE.cap[i];
177 kdata[i].permitted = pP.cap[i];
178 kdata[i].inheritable = pI.cap[i];
179 }
180
181 /*
182 * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
183 * we silently drop the upper capabilities here. This
184 * has the effect of making older libcap
185 * implementations implicitly drop upper capability
186 * bits when they perform a: capget/modify/capset
187 * sequence.
188 *
189 * This behavior is considered fail-safe
190 * behavior. Upgrading the application to a newer
191 * version of libcap will enable access to the newer
192 * capabilities.
193 *
194 * An alternative would be to return an error here
195 * (-ERANGE), but that causes legacy applications to
196 * unexpectedly fail; the capget/modify/capset aborts
197 * before modification is attempted and the application
198 * fails.
199 */
200 if (copy_to_user(dataptr, kdata, tocopy
201 * sizeof(struct __user_cap_data_struct))) {
202 return -EFAULT;
203 }
204 }
205
206 return ret;
207 }
208
209 /**
210 * sys_capset - set capabilities for a process or (*) a group of processes
211 * @header: pointer to struct that contains capability version and
212 * target pid data
213 * @data: pointer to struct that contains the effective, permitted,
214 * and inheritable capabilities
215 *
216 * Set capabilities for the current process only. The ability to any other
217 * process(es) has been deprecated and removed.
218 *
219 * The restrictions on setting capabilities are specified as:
220 *
221 * I: any raised capabilities must be a subset of the old permitted
222 * P: any raised capabilities must be a subset of the old permitted
223 * E: must be set to a subset of new permitted
224 *
225 * Returns 0 on success and < 0 on error.
226 */
227 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
228 {
229 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
230 unsigned i, tocopy, copybytes;
231 kernel_cap_t inheritable, permitted, effective;
232 struct cred *new;
233 int ret;
234 pid_t pid;
235
236 ret = cap_validate_magic(header, &tocopy);
237 if (ret != 0)
238 return ret;
239
240 if (get_user(pid, &header->pid))
241 return -EFAULT;
242
243 /* may only affect current now */
244 if (pid != 0 && pid != task_pid_vnr(current))
245 return -EPERM;
246
247 copybytes = tocopy * sizeof(struct __user_cap_data_struct);
248 if (copybytes > sizeof(kdata))
249 return -EFAULT;
250
251 if (copy_from_user(&kdata, data, copybytes))
252 return -EFAULT;
253
254 for (i = 0; i < tocopy; i++) {
255 effective.cap[i] = kdata[i].effective;
256 permitted.cap[i] = kdata[i].permitted;
257 inheritable.cap[i] = kdata[i].inheritable;
258 }
259 while (i < _KERNEL_CAPABILITY_U32S) {
260 effective.cap[i] = 0;
261 permitted.cap[i] = 0;
262 inheritable.cap[i] = 0;
263 i++;
264 }
265
266 effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
267 permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
268 inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
269
270 new = prepare_creds();
271 if (!new)
272 return -ENOMEM;
273
274 ret = security_capset(new, current_cred(),
275 &effective, &inheritable, &permitted);
276 if (ret < 0)
277 goto error;
278
279 audit_log_capset(new, current_cred());
280
281 return commit_creds(new);
282
283 error:
284 abort_creds(new);
285 return ret;
286 }
287
288 /**
289 * has_ns_capability - Does a task have a capability in a specific user ns
290 * @t: The task in question
291 * @ns: target user namespace
292 * @cap: The capability to be tested for
293 *
294 * Return true if the specified task has the given superior capability
295 * currently in effect to the specified user namespace, false if not.
296 *
297 * Note that this does not set PF_SUPERPRIV on the task.
298 */
299 bool has_ns_capability(struct task_struct *t,
300 struct user_namespace *ns, int cap)
301 {
302 int ret;
303
304 rcu_read_lock();
305 ret = security_capable(__task_cred(t), ns, cap);
306 rcu_read_unlock();
307
308 return (ret == 0);
309 }
310
311 /**
312 * has_capability - Does a task have a capability in init_user_ns
313 * @t: The task in question
314 * @cap: The capability to be tested for
315 *
316 * Return true if the specified task has the given superior capability
317 * currently in effect to the initial user namespace, false if not.
318 *
319 * Note that this does not set PF_SUPERPRIV on the task.
320 */
321 bool has_capability(struct task_struct *t, int cap)
322 {
323 return has_ns_capability(t, &init_user_ns, cap);
324 }
325
326 /**
327 * has_ns_capability_noaudit - Does a task have a capability (unaudited)
328 * in a specific user ns.
329 * @t: The task in question
330 * @ns: target user namespace
331 * @cap: The capability to be tested for
332 *
333 * Return true if the specified task has the given superior capability
334 * currently in effect to the specified user namespace, false if not.
335 * Do not write an audit message for the check.
336 *
337 * Note that this does not set PF_SUPERPRIV on the task.
338 */
339 bool has_ns_capability_noaudit(struct task_struct *t,
340 struct user_namespace *ns, int cap)
341 {
342 int ret;
343
344 rcu_read_lock();
345 ret = security_capable_noaudit(__task_cred(t), ns, cap);
346 rcu_read_unlock();
347
348 return (ret == 0);
349 }
350
351 /**
352 * has_capability_noaudit - Does a task have a capability (unaudited) in the
353 * initial user ns
354 * @t: The task in question
355 * @cap: The capability to be tested for
356 *
357 * Return true if the specified task has the given superior capability
358 * currently in effect to init_user_ns, false if not. Don't write an
359 * audit message for the check.
360 *
361 * Note that this does not set PF_SUPERPRIV on the task.
362 */
363 bool has_capability_noaudit(struct task_struct *t, int cap)
364 {
365 return has_ns_capability_noaudit(t, &init_user_ns, cap);
366 }
367
368 static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
369 {
370 int capable;
371
372 if (unlikely(!cap_valid(cap))) {
373 pr_crit("capable() called with invalid cap=%u\n", cap);
374 BUG();
375 }
376
377 capable = audit ? security_capable(current_cred(), ns, cap) :
378 security_capable_noaudit(current_cred(), ns, cap);
379 if (capable == 0) {
380 current->flags |= PF_SUPERPRIV;
381 return true;
382 }
383 return false;
384 }
385
386 /**
387 * ns_capable - Determine if the current task has a superior capability in effect
388 * @ns: The usernamespace we want the capability in
389 * @cap: The capability to be tested for
390 *
391 * Return true if the current task has the given superior capability currently
392 * available for use, false if not.
393 *
394 * This sets PF_SUPERPRIV on the task if the capability is available on the
395 * assumption that it's about to be used.
396 */
397 bool ns_capable(struct user_namespace *ns, int cap)
398 {
399 return ns_capable_common(ns, cap, true);
400 }
401 EXPORT_SYMBOL(ns_capable);
402
403 /**
404 * ns_capable_noaudit - Determine if the current task has a superior capability
405 * (unaudited) in effect
406 * @ns: The usernamespace we want the capability in
407 * @cap: The capability to be tested for
408 *
409 * Return true if the current task has the given superior capability currently
410 * available for use, false if not.
411 *
412 * This sets PF_SUPERPRIV on the task if the capability is available on the
413 * assumption that it's about to be used.
414 */
415 bool ns_capable_noaudit(struct user_namespace *ns, int cap)
416 {
417 return ns_capable_common(ns, cap, false);
418 }
419 EXPORT_SYMBOL(ns_capable_noaudit);
420
421 /**
422 * capable - Determine if the current task has a superior capability in effect
423 * @cap: The capability to be tested for
424 *
425 * Return true if the current task has the given superior capability currently
426 * available for use, false if not.
427 *
428 * This sets PF_SUPERPRIV on the task if the capability is available on the
429 * assumption that it's about to be used.
430 */
431 bool capable(int cap)
432 {
433 return ns_capable(&init_user_ns, cap);
434 }
435 EXPORT_SYMBOL(capable);
436 #endif /* CONFIG_MULTIUSER */
437
438 /**
439 * file_ns_capable - Determine if the file's opener had a capability in effect
440 * @file: The file we want to check
441 * @ns: The usernamespace we want the capability in
442 * @cap: The capability to be tested for
443 *
444 * Return true if task that opened the file had a capability in effect
445 * when the file was opened.
446 *
447 * This does not set PF_SUPERPRIV because the caller may not
448 * actually be privileged.
449 */
450 bool file_ns_capable(const struct file *file, struct user_namespace *ns,
451 int cap)
452 {
453 if (WARN_ON_ONCE(!cap_valid(cap)))
454 return false;
455
456 if (security_capable(file->f_cred, ns, cap) == 0)
457 return true;
458
459 return false;
460 }
461 EXPORT_SYMBOL(file_ns_capable);
462
463 /**
464 * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
465 * @ns: The user namespace in question
466 * @inode: The inode in question
467 *
468 * Return true if the inode uid and gid are within the namespace.
469 */
470 bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
471 {
472 return kuid_has_mapping(ns, inode->i_uid) &&
473 kgid_has_mapping(ns, inode->i_gid);
474 }
475
476 /**
477 * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
478 * @inode: The inode in question
479 * @cap: The capability in question
480 *
481 * Return true if the current task has the given capability targeted at
482 * its own user namespace and that the given inode's uid and gid are
483 * mapped into the current user namespace.
484 */
485 bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
486 {
487 struct user_namespace *ns = current_user_ns();
488
489 //Never allow LOD container process access outside inodes
490 #ifdef CONFIG_LOD_SEC
491 if (current_is_LOD() && (!inode_is_LOD(inode))){
492 #ifndef CONFIG_SAMSUNG_PRODUCT_SHIP
493 printk(KERN_ERR "LOD capable_wrt_inode_uidgid: blocking CAP %d of PROC %s "
494 "PID %d PROC_UID %d INODE_UID %d\n", cap, current->comm, current->pid,
495 current_cred()->uid.val, inode->i_uid.val);
496 #endif
497 return false;
498 }
499 #endif
500
501 return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
502 }
503 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
504
505 /**
506 * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
507 * @tsk: The task that may be ptraced
508 * @ns: The user namespace to search for CAP_SYS_PTRACE in
509 *
510 * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
511 * in the specified user namespace.
512 */
513 bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
514 {
515 int ret = 0; /* An absent tracer adds no restrictions */
516 const struct cred *cred;
517 rcu_read_lock();
518 cred = rcu_dereference(tsk->ptracer_cred);
519 if (cred)
520 ret = security_capable_noaudit(cred, ns, CAP_SYS_PTRACE);
521 rcu_read_unlock();
522 return (ret == 0);
523 }