Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/kernel/capability.c | |
3 | * | |
4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> | |
5 | * | |
72c2d582 | 6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4 | 7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd | 8 | */ |
1da177e4 | 9 | |
e68b75a0 | 10 | #include <linux/audit.h> |
c59ede7b | 11 | #include <linux/capability.h> |
1da177e4 | 12 | #include <linux/mm.h> |
9984de1a | 13 | #include <linux/export.h> |
1da177e4 LT |
14 | #include <linux/security.h> |
15 | #include <linux/syscalls.h> | |
b460cbc5 | 16 | #include <linux/pid_namespace.h> |
3486740a | 17 | #include <linux/user_namespace.h> |
1da177e4 | 18 | #include <asm/uaccess.h> |
1da177e4 | 19 | |
e338d263 AM |
20 | /* |
21 | * Leveraged for setting/resetting capabilities | |
22 | */ | |
23 | ||
24 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; | |
e338d263 AM |
25 | |
26 | EXPORT_SYMBOL(__cap_empty_set); | |
e338d263 | 27 | |
1f29fae2 SH |
28 | int file_caps_enabled = 1; |
29 | ||
30 | static int __init file_caps_disable(char *str) | |
31 | { | |
32 | file_caps_enabled = 0; | |
33 | return 1; | |
34 | } | |
35 | __setup("no_file_caps", file_caps_disable); | |
1f29fae2 | 36 | |
e338d263 AM |
37 | /* |
38 | * More recent versions of libcap are available from: | |
39 | * | |
40 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ | |
41 | */ | |
42 | ||
43 | static void warn_legacy_capability_use(void) | |
44 | { | |
45 | static int warned; | |
46 | if (!warned) { | |
47 | char name[sizeof(current->comm)]; | |
48 | ||
49 | printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" | |
50 | " (legacy support in use)\n", | |
51 | get_task_comm(name, current)); | |
52 | warned = 1; | |
53 | } | |
54 | } | |
55 | ||
ca05a99a AM |
56 | /* |
57 | * Version 2 capabilities worked fine, but the linux/capability.h file | |
58 | * that accompanied their introduction encouraged their use without | |
59 | * the necessary user-space source code changes. As such, we have | |
60 | * created a version 3 with equivalent functionality to version 2, but | |
61 | * with a header change to protect legacy source code from using | |
62 | * version 2 when it wanted to use version 1. If your system has code | |
63 | * that trips the following warning, it is using version 2 specific | |
64 | * capabilities and may be doing so insecurely. | |
65 | * | |
66 | * The remedy is to either upgrade your version of libcap (to 2.10+, | |
67 | * if the application is linked against it), or recompile your | |
68 | * application with modern kernel headers and this warning will go | |
69 | * away. | |
70 | */ | |
71 | ||
72 | static void warn_deprecated_v2(void) | |
73 | { | |
74 | static int warned; | |
75 | ||
76 | if (!warned) { | |
77 | char name[sizeof(current->comm)]; | |
78 | ||
79 | printk(KERN_INFO "warning: `%s' uses deprecated v2" | |
80 | " capabilities in a way that may be insecure.\n", | |
81 | get_task_comm(name, current)); | |
82 | warned = 1; | |
83 | } | |
84 | } | |
85 | ||
86 | /* | |
87 | * Version check. Return the number of u32s in each capability flag | |
88 | * array, or a negative value on error. | |
89 | */ | |
90 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) | |
91 | { | |
92 | __u32 version; | |
93 | ||
94 | if (get_user(version, &header->version)) | |
95 | return -EFAULT; | |
96 | ||
97 | switch (version) { | |
98 | case _LINUX_CAPABILITY_VERSION_1: | |
99 | warn_legacy_capability_use(); | |
100 | *tocopy = _LINUX_CAPABILITY_U32S_1; | |
101 | break; | |
102 | case _LINUX_CAPABILITY_VERSION_2: | |
103 | warn_deprecated_v2(); | |
104 | /* | |
105 | * fall through - v3 is otherwise equivalent to v2. | |
106 | */ | |
107 | case _LINUX_CAPABILITY_VERSION_3: | |
108 | *tocopy = _LINUX_CAPABILITY_U32S_3; | |
109 | break; | |
110 | default: | |
111 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) | |
112 | return -EFAULT; | |
113 | return -EINVAL; | |
114 | } | |
115 | ||
116 | return 0; | |
117 | } | |
118 | ||
ab763c71 | 119 | /* |
d84f4f99 DH |
120 | * The only thing that can change the capabilities of the current |
121 | * process is the current process. As such, we can't be in this code | |
122 | * at the same time as we are in the process of setting capabilities | |
123 | * in this process. The net result is that we can limit our use of | |
124 | * locks to when we are reading the caps of another process. | |
ab763c71 AM |
125 | */ |
126 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, | |
127 | kernel_cap_t *pIp, kernel_cap_t *pPp) | |
128 | { | |
129 | int ret; | |
130 | ||
131 | if (pid && (pid != task_pid_vnr(current))) { | |
132 | struct task_struct *target; | |
133 | ||
86fc80f1 | 134 | rcu_read_lock(); |
ab763c71 AM |
135 | |
136 | target = find_task_by_vpid(pid); | |
137 | if (!target) | |
138 | ret = -ESRCH; | |
139 | else | |
140 | ret = security_capget(target, pEp, pIp, pPp); | |
141 | ||
86fc80f1 | 142 | rcu_read_unlock(); |
ab763c71 AM |
143 | } else |
144 | ret = security_capget(current, pEp, pIp, pPp); | |
145 | ||
146 | return ret; | |
147 | } | |
148 | ||
207a7ba8 | 149 | /** |
1da177e4 | 150 | * sys_capget - get the capabilities of a given process. |
207a7ba8 RD |
151 | * @header: pointer to struct that contains capability version and |
152 | * target pid data | |
153 | * @dataptr: pointer to struct that contains the effective, permitted, | |
154 | * and inheritable capabilities that are returned | |
155 | * | |
156 | * Returns 0 on success and < 0 on error. | |
1da177e4 | 157 | */ |
b290ebe2 | 158 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
1da177e4 | 159 | { |
314f70fd DW |
160 | int ret = 0; |
161 | pid_t pid; | |
e338d263 AM |
162 | unsigned tocopy; |
163 | kernel_cap_t pE, pI, pP; | |
314f70fd | 164 | |
ca05a99a | 165 | ret = cap_validate_magic(header, &tocopy); |
c4a5af54 AM |
166 | if ((dataptr == NULL) || (ret != 0)) |
167 | return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; | |
1da177e4 | 168 | |
314f70fd DW |
169 | if (get_user(pid, &header->pid)) |
170 | return -EFAULT; | |
1da177e4 | 171 | |
314f70fd DW |
172 | if (pid < 0) |
173 | return -EINVAL; | |
1da177e4 | 174 | |
ab763c71 | 175 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
e338d263 | 176 | if (!ret) { |
ca05a99a | 177 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263 AM |
178 | unsigned i; |
179 | ||
180 | for (i = 0; i < tocopy; i++) { | |
181 | kdata[i].effective = pE.cap[i]; | |
182 | kdata[i].permitted = pP.cap[i]; | |
183 | kdata[i].inheritable = pI.cap[i]; | |
184 | } | |
185 | ||
186 | /* | |
ca05a99a | 187 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263 AM |
188 | * we silently drop the upper capabilities here. This |
189 | * has the effect of making older libcap | |
190 | * implementations implicitly drop upper capability | |
191 | * bits when they perform a: capget/modify/capset | |
192 | * sequence. | |
193 | * | |
194 | * This behavior is considered fail-safe | |
195 | * behavior. Upgrading the application to a newer | |
196 | * version of libcap will enable access to the newer | |
197 | * capabilities. | |
198 | * | |
199 | * An alternative would be to return an error here | |
200 | * (-ERANGE), but that causes legacy applications to | |
201 | * unexpectidly fail; the capget/modify/capset aborts | |
202 | * before modification is attempted and the application | |
203 | * fails. | |
204 | */ | |
e338d263 AM |
205 | if (copy_to_user(dataptr, kdata, tocopy |
206 | * sizeof(struct __user_cap_data_struct))) { | |
207 | return -EFAULT; | |
208 | } | |
209 | } | |
1da177e4 | 210 | |
314f70fd | 211 | return ret; |
1da177e4 LT |
212 | } |
213 | ||
207a7ba8 | 214 | /** |
ab763c71 | 215 | * sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8 RD |
216 | * @header: pointer to struct that contains capability version and |
217 | * target pid data | |
218 | * @data: pointer to struct that contains the effective, permitted, | |
219 | * and inheritable capabilities | |
220 | * | |
1cdcbec1 DH |
221 | * Set capabilities for the current process only. The ability to any other |
222 | * process(es) has been deprecated and removed. | |
1da177e4 LT |
223 | * |
224 | * The restrictions on setting capabilities are specified as: | |
225 | * | |
1cdcbec1 DH |
226 | * I: any raised capabilities must be a subset of the old permitted |
227 | * P: any raised capabilities must be a subset of the old permitted | |
228 | * E: must be set to a subset of new permitted | |
207a7ba8 RD |
229 | * |
230 | * Returns 0 on success and < 0 on error. | |
1da177e4 | 231 | */ |
b290ebe2 | 232 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
1da177e4 | 233 | { |
ca05a99a | 234 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
825332e4 | 235 | unsigned i, tocopy, copybytes; |
314f70fd | 236 | kernel_cap_t inheritable, permitted, effective; |
d84f4f99 | 237 | struct cred *new; |
314f70fd DW |
238 | int ret; |
239 | pid_t pid; | |
240 | ||
ca05a99a AM |
241 | ret = cap_validate_magic(header, &tocopy); |
242 | if (ret != 0) | |
243 | return ret; | |
314f70fd DW |
244 | |
245 | if (get_user(pid, &header->pid)) | |
246 | return -EFAULT; | |
247 | ||
1cdcbec1 DH |
248 | /* may only affect current now */ |
249 | if (pid != 0 && pid != task_pid_vnr(current)) | |
250 | return -EPERM; | |
251 | ||
825332e4 AV |
252 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); |
253 | if (copybytes > sizeof(kdata)) | |
254 | return -EFAULT; | |
255 | ||
256 | if (copy_from_user(&kdata, data, copybytes)) | |
314f70fd | 257 | return -EFAULT; |
e338d263 AM |
258 | |
259 | for (i = 0; i < tocopy; i++) { | |
260 | effective.cap[i] = kdata[i].effective; | |
261 | permitted.cap[i] = kdata[i].permitted; | |
262 | inheritable.cap[i] = kdata[i].inheritable; | |
263 | } | |
ca05a99a | 264 | while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263 AM |
265 | effective.cap[i] = 0; |
266 | permitted.cap[i] = 0; | |
267 | inheritable.cap[i] = 0; | |
268 | i++; | |
269 | } | |
314f70fd | 270 | |
76f01555 EP |
271 | effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; |
272 | permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | |
273 | inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK; | |
274 | ||
d84f4f99 DH |
275 | new = prepare_creds(); |
276 | if (!new) | |
277 | return -ENOMEM; | |
278 | ||
279 | ret = security_capset(new, current_cred(), | |
280 | &effective, &inheritable, &permitted); | |
281 | if (ret < 0) | |
282 | goto error; | |
283 | ||
57f71a0a | 284 | audit_log_capset(pid, new, current_cred()); |
e68b75a0 | 285 | |
d84f4f99 DH |
286 | return commit_creds(new); |
287 | ||
288 | error: | |
289 | abort_creds(new); | |
314f70fd | 290 | return ret; |
1da177e4 | 291 | } |
12b5989b | 292 | |
3263245d | 293 | /** |
25e75703 | 294 | * has_ns_capability - Does a task have a capability in a specific user ns |
3263245d | 295 | * @t: The task in question |
25e75703 | 296 | * @ns: target user namespace |
3263245d SH |
297 | * @cap: The capability to be tested for |
298 | * | |
299 | * Return true if the specified task has the given superior capability | |
25e75703 | 300 | * currently in effect to the specified user namespace, false if not. |
3263245d SH |
301 | * |
302 | * Note that this does not set PF_SUPERPRIV on the task. | |
303 | */ | |
25e75703 EP |
304 | bool has_ns_capability(struct task_struct *t, |
305 | struct user_namespace *ns, int cap) | |
3263245d | 306 | { |
2920a840 EP |
307 | int ret; |
308 | ||
309 | rcu_read_lock(); | |
25e75703 | 310 | ret = security_capable(__task_cred(t), ns, cap); |
2920a840 | 311 | rcu_read_unlock(); |
3263245d SH |
312 | |
313 | return (ret == 0); | |
314 | } | |
315 | ||
316 | /** | |
25e75703 | 317 | * has_capability - Does a task have a capability in init_user_ns |
3263245d | 318 | * @t: The task in question |
3263245d SH |
319 | * @cap: The capability to be tested for |
320 | * | |
321 | * Return true if the specified task has the given superior capability | |
25e75703 | 322 | * currently in effect to the initial user namespace, false if not. |
3263245d SH |
323 | * |
324 | * Note that this does not set PF_SUPERPRIV on the task. | |
325 | */ | |
25e75703 | 326 | bool has_capability(struct task_struct *t, int cap) |
3263245d | 327 | { |
25e75703 | 328 | return has_ns_capability(t, &init_user_ns, cap); |
3263245d SH |
329 | } |
330 | ||
331 | /** | |
7b61d648 EP |
332 | * has_ns_capability_noaudit - Does a task have a capability (unaudited) |
333 | * in a specific user ns. | |
3263245d | 334 | * @t: The task in question |
7b61d648 | 335 | * @ns: target user namespace |
3263245d SH |
336 | * @cap: The capability to be tested for |
337 | * | |
338 | * Return true if the specified task has the given superior capability | |
7b61d648 EP |
339 | * currently in effect to the specified user namespace, false if not. |
340 | * Do not write an audit message for the check. | |
3263245d SH |
341 | * |
342 | * Note that this does not set PF_SUPERPRIV on the task. | |
343 | */ | |
7b61d648 EP |
344 | bool has_ns_capability_noaudit(struct task_struct *t, |
345 | struct user_namespace *ns, int cap) | |
3263245d | 346 | { |
2920a840 EP |
347 | int ret; |
348 | ||
349 | rcu_read_lock(); | |
7b61d648 | 350 | ret = security_capable_noaudit(__task_cred(t), ns, cap); |
2920a840 | 351 | rcu_read_unlock(); |
3263245d SH |
352 | |
353 | return (ret == 0); | |
354 | } | |
355 | ||
5cd9c58f | 356 | /** |
7b61d648 EP |
357 | * has_capability_noaudit - Does a task have a capability (unaudited) in the |
358 | * initial user ns | |
359 | * @t: The task in question | |
5cd9c58f DH |
360 | * @cap: The capability to be tested for |
361 | * | |
7b61d648 EP |
362 | * Return true if the specified task has the given superior capability |
363 | * currently in effect to init_user_ns, false if not. Don't write an | |
364 | * audit message for the check. | |
5cd9c58f | 365 | * |
7b61d648 | 366 | * Note that this does not set PF_SUPERPRIV on the task. |
5cd9c58f | 367 | */ |
7b61d648 | 368 | bool has_capability_noaudit(struct task_struct *t, int cap) |
3486740a | 369 | { |
7b61d648 | 370 | return has_ns_capability_noaudit(t, &init_user_ns, cap); |
3486740a | 371 | } |
3486740a SH |
372 | |
373 | /** | |
374 | * ns_capable - Determine if the current task has a superior capability in effect | |
375 | * @ns: The usernamespace we want the capability in | |
376 | * @cap: The capability to be tested for | |
377 | * | |
378 | * Return true if the current task has the given superior capability currently | |
379 | * available for use, false if not. | |
380 | * | |
381 | * This sets PF_SUPERPRIV on the task if the capability is available on the | |
382 | * assumption that it's about to be used. | |
383 | */ | |
384 | bool ns_capable(struct user_namespace *ns, int cap) | |
12b5989b | 385 | { |
637d32dc EP |
386 | if (unlikely(!cap_valid(cap))) { |
387 | printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); | |
388 | BUG(); | |
389 | } | |
390 | ||
951880e6 | 391 | if (security_capable(current_cred(), ns, cap) == 0) { |
5cd9c58f | 392 | current->flags |= PF_SUPERPRIV; |
3486740a | 393 | return true; |
12b5989b | 394 | } |
3486740a | 395 | return false; |
12b5989b | 396 | } |
3486740a SH |
397 | EXPORT_SYMBOL(ns_capable); |
398 | ||
935d8aab LT |
399 | /** |
400 | * file_ns_capable - Determine if the file's opener had a capability in effect | |
401 | * @file: The file we want to check | |
402 | * @ns: The usernamespace we want the capability in | |
403 | * @cap: The capability to be tested for | |
404 | * | |
405 | * Return true if task that opened the file had a capability in effect | |
406 | * when the file was opened. | |
407 | * | |
408 | * This does not set PF_SUPERPRIV because the caller may not | |
409 | * actually be privileged. | |
410 | */ | |
411 | bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap) | |
412 | { | |
413 | if (WARN_ON_ONCE(!cap_valid(cap))) | |
414 | return false; | |
415 | ||
416 | if (security_capable(file->f_cred, ns, cap) == 0) | |
417 | return true; | |
418 | ||
419 | return false; | |
420 | } | |
421 | EXPORT_SYMBOL(file_ns_capable); | |
422 | ||
3486740a | 423 | /** |
105ddf49 EP |
424 | * capable - Determine if the current task has a superior capability in effect |
425 | * @cap: The capability to be tested for | |
426 | * | |
427 | * Return true if the current task has the given superior capability currently | |
428 | * available for use, false if not. | |
3486740a | 429 | * |
105ddf49 EP |
430 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
431 | * assumption that it's about to be used. | |
3486740a | 432 | */ |
105ddf49 | 433 | bool capable(int cap) |
3486740a | 434 | { |
105ddf49 | 435 | return ns_capable(&init_user_ns, cap); |
3486740a | 436 | } |
105ddf49 | 437 | EXPORT_SYMBOL(capable); |
47a150ed SH |
438 | |
439 | /** | |
440 | * nsown_capable - Check superior capability to one's own user_ns | |
441 | * @cap: The capability in question | |
442 | * | |
443 | * Return true if the current task has the given superior capability | |
444 | * targeted at its own user namespace. | |
445 | */ | |
446 | bool nsown_capable(int cap) | |
447 | { | |
448 | return ns_capable(current_user_ns(), cap); | |
449 | } | |
1a48e2ac EB |
450 | |
451 | /** | |
4f80c6c1 | 452 | * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
1a48e2ac EB |
453 | * @inode: The inode in question |
454 | * @cap: The capability in question | |
455 | * | |
4f80c6c1 AL |
456 | * Return true if the current task has the given capability targeted at |
457 | * its own user namespace and that the given inode's uid and gid are | |
458 | * mapped into the current user namespace. | |
1a48e2ac | 459 | */ |
4f80c6c1 | 460 | bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) |
1a48e2ac EB |
461 | { |
462 | struct user_namespace *ns = current_user_ns(); | |
463 | ||
4f80c6c1 AL |
464 | return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && |
465 | kgid_has_mapping(ns, inode->i_gid); | |
1a48e2ac | 466 | } |