blob: ca8f697bac23a6af0421d448f69c36f66627fe9b [file] [log] [blame]
James Morris3e1c2512009-10-20 13:48:33 +09001/* Common capabilities, needed by capability.o.
Linus Torvalds1da177e2005-04-16 15:20:36 -07002 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */
9
Randy.Dunlapc59ede72006-01-11 12:17:46 -080010#include <linux/capability.h>
Eric Paris3fc689e2008-11-11 21:48:18 +110011#include <linux/audit.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070012#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/kernel.h>
Casey Schauflerb1d9e6b2015-05-02 15:11:42 -070015#include <linux/lsm_hooks.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070016#include <linux/file.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/pagemap.h>
20#include <linux/swap.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -070021#include <linux/skbuff.h>
22#include <linux/netlink.h>
23#include <linux/ptrace.h>
24#include <linux/xattr.h>
25#include <linux/hugetlb.h>
Serge E. Hallynb5376772007-10-16 23:31:36 -070026#include <linux/mount.h>
Serge E. Hallynb460cbc2007-10-18 23:39:52 -070027#include <linux/sched.h>
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -070028#include <linux/prctl.h>
29#include <linux/securebits.h>
Serge E. Hallyn34867402011-03-23 16:43:17 -070030#include <linux/user_namespace.h>
Al Viro40401532012-02-13 03:58:52 +000031#include <linux/binfmts.h>
Jonghwan Choi51b79be2012-04-18 17:23:04 -040032#include <linux/personality.h>
Andrew Morgan72c2d582007-10-18 03:05:59 -070033
Chia-chi Yeh198bc8c2009-06-19 07:15:05 +080034#ifdef CONFIG_ANDROID_PARANOID_NETWORK
35#include <linux/android_aid.h>
36#endif
37
Serge E. Hallynb5f22a52009-04-02 18:47:14 -050038/*
39 * If a non-root user executes a setuid-root binary in
40 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
41 * However if fE is also set, then the intent is for only
42 * the file capabilities to be applied, and the setuid-root
43 * bit is left on either to change the uid (plausible) or
44 * to get full privilege on a kernel without file capabilities
45 * support. So in that case we do not raise capabilities.
46 *
47 * Warn if that happens, once per boot.
48 */
David Howellsd7627462010-08-17 23:52:56 +010049static void warn_setuid_and_fcaps_mixed(const char *fname)
Serge E. Hallynb5f22a52009-04-02 18:47:14 -050050{
51 static int warned;
52 if (!warned) {
53 printk(KERN_INFO "warning: `%s' has both setuid-root and"
54 " effective capabilities. Therefore not raising all"
55 " capabilities.\n", fname);
56 warned = 1;
57 }
58}
59
David Howells1d045982008-11-14 10:39:24 +110060/**
John Stultz0268f762017-08-25 16:41:26 -070061 * __cap_capable - Determine whether a task has a particular effective capability
David Howells3699c532009-01-06 22:27:01 +000062 * @cred: The credentials to use
Serge E. Hallyn34867402011-03-23 16:43:17 -070063 * @ns: The user namespace in which we need the capability
David Howells1d045982008-11-14 10:39:24 +110064 * @cap: The capability to check for
65 * @audit: Whether to write an audit message or not
66 *
67 * Determine whether the nominated task has the specified capability amongst
68 * its effective set, returning 0 if it does, -ve if it does not.
69 *
David Howells3699c532009-01-06 22:27:01 +000070 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
71 * and has_capability() functions. That is, it has the reverse semantics:
72 * cap_has_capability() returns 0 when a task has a capability, but the
73 * kernel's capable() and has_capability() returns 1 for this case.
Andrew G. Morgana6dbb1e2008-01-21 17:18:30 -080074 */
John Stultz0268f762017-08-25 16:41:26 -070075int __cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
Eric Paris6a9de492012-01-03 12:25:14 -050076 int cap, int audit)
Linus Torvalds1da177e2005-04-16 15:20:36 -070077{
Eric W. Biederman520d9ea2012-12-13 18:06:40 -080078 struct user_namespace *ns = targ_ns;
Serge E. Hallyn34867402011-03-23 16:43:17 -070079
Eric W. Biederman520d9ea2012-12-13 18:06:40 -080080 /* See if cred has the capability in the target user namespace
81 * by examining the target user namespace and all of the target
82 * user namespace's parents.
83 */
84 for (;;) {
Serge E. Hallyn34867402011-03-23 16:43:17 -070085 /* Do we have the necessary capabilities? */
Eric W. Biederman520d9ea2012-12-13 18:06:40 -080086 if (ns == cred->user_ns)
Serge E. Hallyn34867402011-03-23 16:43:17 -070087 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
88
89 /* Have we tried all of the parent namespaces? */
Eric W. Biederman520d9ea2012-12-13 18:06:40 -080090 if (ns == &init_user_ns)
Serge E. Hallyn34867402011-03-23 16:43:17 -070091 return -EPERM;
92
Eric W. Biederman520d9ea2012-12-13 18:06:40 -080093 /*
94 * The owner of the user namespace in the parent of the
95 * user namespace has all caps.
96 */
97 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
98 return 0;
99
Serge E. Hallyn34867402011-03-23 16:43:17 -0700100 /*
Eric W. Biederman520d9ea2012-12-13 18:06:40 -0800101 * If you have a capability in a parent user ns, then you have
Serge E. Hallyn34867402011-03-23 16:43:17 -0700102 * it over all children user namespaces as well.
103 */
Eric W. Biederman520d9ea2012-12-13 18:06:40 -0800104 ns = ns->parent;
Serge E. Hallyn34867402011-03-23 16:43:17 -0700105 }
106
107 /* We never get here */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700108}
109
John Stultz0268f762017-08-25 16:41:26 -0700110int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
111 int cap, int audit)
112{
113 int ret = __cap_capable(cred, targ_ns, cap, audit);
114
115#ifdef CONFIG_ANDROID_PARANOID_NETWORK
116 if (ret != 0 && cap == CAP_NET_RAW && in_egroup_p(AID_NET_RAW)) {
117 printk("Process %s granted CAP_NET_RAW from Android group net_raw.\n", current->comm);
118 printk(" Please update the .rc file to explictly set 'capabilities NET_RAW'\n");
119 printk(" Implicit grants are deprecated and will be removed in the future.\n");
120 return 0;
121 }
122 if (ret != 0 && cap == CAP_NET_ADMIN && in_egroup_p(AID_NET_ADMIN)) {
123 printk("Process %s granted CAP_NET_ADMIN from Android group net_admin.\n", current->comm);
124 printk(" Please update the .rc file to explictly set 'capabilities NET_ADMIN'\n");
125 printk(" Implicit grants are deprecated and will be removed in the future.\n");
126 return 0;
127 }
128#endif
129 return ret;
130}
David Howells1d045982008-11-14 10:39:24 +1100131/**
132 * cap_settime - Determine whether the current process may set the system clock
133 * @ts: The time to set
134 * @tz: The timezone to set
135 *
136 * Determine whether the current process may set the system clock and timezone
137 * information, returning 0 if permission granted, -ve if denied.
138 */
Baolin Wang457db292016-04-08 14:02:11 +0800139int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700140{
141 if (!capable(CAP_SYS_TIME))
142 return -EPERM;
143 return 0;
144}
145
David Howells1d045982008-11-14 10:39:24 +1100146/**
Ingo Molnar9e488582009-05-07 19:26:19 +1000147 * cap_ptrace_access_check - Determine whether the current process may access
David Howells1d045982008-11-14 10:39:24 +1100148 * another
149 * @child: The process to be accessed
150 * @mode: The mode of attachment.
151 *
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700152 * If we are in the same or an ancestor user_ns and have all the target
153 * task's capabilities, then ptrace access is allowed.
154 * If we have the ptrace capability to the target user_ns, then ptrace
155 * access is allowed.
156 * Else denied.
157 *
David Howells1d045982008-11-14 10:39:24 +1100158 * Determine whether a process may access another, returning 0 if permission
159 * granted, -ve if denied.
160 */
Ingo Molnar9e488582009-05-07 19:26:19 +1000161int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700162{
David Howellsc69e8d92008-11-14 10:39:19 +1100163 int ret = 0;
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700164 const struct cred *cred, *child_cred;
Jann Horncaaee622016-01-20 15:00:04 -0800165 const kernel_cap_t *caller_caps;
David Howellsc69e8d92008-11-14 10:39:19 +1100166
167 rcu_read_lock();
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700168 cred = current_cred();
169 child_cred = __task_cred(child);
Jann Horncaaee622016-01-20 15:00:04 -0800170 if (mode & PTRACE_MODE_FSCREDS)
171 caller_caps = &cred->cap_effective;
172 else
173 caller_caps = &cred->cap_permitted;
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800174 if (cred->user_ns == child_cred->user_ns &&
Jann Horncaaee622016-01-20 15:00:04 -0800175 cap_issubset(child_cred->cap_permitted, *caller_caps))
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700176 goto out;
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800177 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700178 goto out;
179 ret = -EPERM;
180out:
David Howellsc69e8d92008-11-14 10:39:19 +1100181 rcu_read_unlock();
182 return ret;
David Howells5cd9c582008-08-14 11:37:28 +0100183}
184
David Howells1d045982008-11-14 10:39:24 +1100185/**
186 * cap_ptrace_traceme - Determine whether another process may trace the current
187 * @parent: The task proposed to be the tracer
188 *
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700189 * If parent is in the same or an ancestor user_ns and has all current's
190 * capabilities, then ptrace access is allowed.
191 * If parent has the ptrace capability to current's user_ns, then ptrace
192 * access is allowed.
193 * Else denied.
194 *
David Howells1d045982008-11-14 10:39:24 +1100195 * Determine whether the nominated task is permitted to trace the current
196 * process, returning 0 if permission is granted, -ve if denied.
197 */
David Howells5cd9c582008-08-14 11:37:28 +0100198int cap_ptrace_traceme(struct task_struct *parent)
199{
David Howellsc69e8d92008-11-14 10:39:19 +1100200 int ret = 0;
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700201 const struct cred *cred, *child_cred;
David Howellsc69e8d92008-11-14 10:39:19 +1100202
203 rcu_read_lock();
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700204 cred = __task_cred(parent);
205 child_cred = current_cred();
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800206 if (cred->user_ns == child_cred->user_ns &&
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700207 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
208 goto out;
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800209 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
Serge E. Hallyn8409cca2011-03-23 16:43:20 -0700210 goto out;
211 ret = -EPERM;
212out:
David Howellsc69e8d92008-11-14 10:39:19 +1100213 rcu_read_unlock();
214 return ret;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700215}
216
David Howells1d045982008-11-14 10:39:24 +1100217/**
218 * cap_capget - Retrieve a task's capability sets
219 * @target: The task from which to retrieve the capability sets
220 * @effective: The place to record the effective set
221 * @inheritable: The place to record the inheritable set
222 * @permitted: The place to record the permitted set
223 *
224 * This function retrieves the capabilities of the nominated task and returns
225 * them to the caller.
226 */
227int cap_capget(struct task_struct *target, kernel_cap_t *effective,
228 kernel_cap_t *inheritable, kernel_cap_t *permitted)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700229{
David Howellsc69e8d92008-11-14 10:39:19 +1100230 const struct cred *cred;
David Howellsb6dff3e2008-11-14 10:39:16 +1100231
Linus Torvalds1da177e2005-04-16 15:20:36 -0700232 /* Derived from kernel/capability.c:sys_capget. */
David Howellsc69e8d92008-11-14 10:39:19 +1100233 rcu_read_lock();
234 cred = __task_cred(target);
David Howellsb6dff3e2008-11-14 10:39:16 +1100235 *effective = cred->cap_effective;
236 *inheritable = cred->cap_inheritable;
237 *permitted = cred->cap_permitted;
David Howellsc69e8d92008-11-14 10:39:19 +1100238 rcu_read_unlock();
Linus Torvalds1da177e2005-04-16 15:20:36 -0700239 return 0;
240}
241
David Howells1d045982008-11-14 10:39:24 +1100242/*
243 * Determine whether the inheritable capabilities are limited to the old
244 * permitted set. Returns 1 if they are limited, 0 if they are not.
245 */
Andrew Morgan72c2d582007-10-18 03:05:59 -0700246static inline int cap_inh_is_capped(void)
247{
David Howells1d045982008-11-14 10:39:24 +1100248
249 /* they are so limited unless the current task has the CAP_SETPCAP
250 * capability
Andrew Morgan72c2d582007-10-18 03:05:59 -0700251 */
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800252 if (cap_capable(current_cred(), current_cred()->user_ns,
Eric Paris6a9de492012-01-03 12:25:14 -0500253 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
David Howells1d045982008-11-14 10:39:24 +1100254 return 0;
David Howells1d045982008-11-14 10:39:24 +1100255 return 1;
Andrew Morgan72c2d582007-10-18 03:05:59 -0700256}
257
David Howells1d045982008-11-14 10:39:24 +1100258/**
259 * cap_capset - Validate and apply proposed changes to current's capabilities
260 * @new: The proposed new credentials; alterations should be made here
261 * @old: The current task's current credentials
262 * @effective: A pointer to the proposed new effective capabilities set
263 * @inheritable: A pointer to the proposed new inheritable capabilities set
264 * @permitted: A pointer to the proposed new permitted capabilities set
265 *
266 * This function validates and applies a proposed mass change to the current
267 * process's capability sets. The changes are made to the proposed new
268 * credentials, and assuming no error, will be committed by the caller of LSM.
269 */
David Howellsd84f4f92008-11-14 10:39:23 +1100270int cap_capset(struct cred *new,
271 const struct cred *old,
272 const kernel_cap_t *effective,
273 const kernel_cap_t *inheritable,
274 const kernel_cap_t *permitted)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700275{
David Howellsd84f4f92008-11-14 10:39:23 +1100276 if (cap_inh_is_capped() &&
277 !cap_issubset(*inheritable,
278 cap_combine(old->cap_inheritable,
279 old->cap_permitted)))
Andrew Morgan72c2d582007-10-18 03:05:59 -0700280 /* incapable of using this inheritable set */
Linus Torvalds1da177e2005-04-16 15:20:36 -0700281 return -EPERM;
David Howellsd84f4f92008-11-14 10:39:23 +1100282
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800283 if (!cap_issubset(*inheritable,
David Howellsd84f4f92008-11-14 10:39:23 +1100284 cap_combine(old->cap_inheritable,
285 old->cap_bset)))
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800286 /* no new pI capabilities outside bounding set */
287 return -EPERM;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700288
289 /* verify restrictions on target's new Permitted set */
David Howellsd84f4f92008-11-14 10:39:23 +1100290 if (!cap_issubset(*permitted, old->cap_permitted))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700291 return -EPERM;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700292
293 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
David Howellsd84f4f92008-11-14 10:39:23 +1100294 if (!cap_issubset(*effective, *permitted))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700295 return -EPERM;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700296
David Howellsd84f4f92008-11-14 10:39:23 +1100297 new->cap_effective = *effective;
298 new->cap_inheritable = *inheritable;
299 new->cap_permitted = *permitted;
Andy Lutomirski58319052015-09-04 15:42:45 -0700300
301 /*
302 * Mask off ambient bits that are no longer both permitted and
303 * inheritable.
304 */
305 new->cap_ambient = cap_intersect(new->cap_ambient,
306 cap_intersect(*permitted,
307 *inheritable));
308 if (WARN_ON(!cap_ambient_invariant_ok(new)))
309 return -EINVAL;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700310 return 0;
311}
312
David Howells1d045982008-11-14 10:39:24 +1100313/*
314 * Clear proposed capability sets for execve().
315 */
Serge E. Hallynb5376772007-10-16 23:31:36 -0700316static inline void bprm_clear_caps(struct linux_binprm *bprm)
317{
David Howellsa6f76f22008-11-14 10:39:24 +1100318 cap_clear(bprm->cred->cap_permitted);
Serge E. Hallynb5376772007-10-16 23:31:36 -0700319 bprm->cap_effective = false;
320}
321
David Howells1d045982008-11-14 10:39:24 +1100322/**
323 * cap_inode_need_killpriv - Determine if inode change affects privileges
324 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
325 *
326 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
327 * affects the security markings on that inode, and if it is, should
328 * inode_killpriv() be invoked or the change rejected?
329 *
330 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
331 * -ve to deny the change.
332 */
Serge E. Hallynb5376772007-10-16 23:31:36 -0700333int cap_inode_need_killpriv(struct dentry *dentry)
334{
David Howellsc6f493d2015-03-17 22:26:22 +0000335 struct inode *inode = d_backing_inode(dentry);
Serge E. Hallynb5376772007-10-16 23:31:36 -0700336 int error;
337
Andreas Gruenbacher5d6c3192016-09-29 17:48:42 +0200338 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
339 return error > 0;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700340}
341
David Howells1d045982008-11-14 10:39:24 +1100342/**
343 * cap_inode_killpriv - Erase the security markings on an inode
344 * @dentry: The inode/dentry to alter
345 *
346 * Erase the privilege-enhancing security markings on an inode.
347 *
348 * Returns 0 if successful, -ve on error.
349 */
Serge E. Hallynb5376772007-10-16 23:31:36 -0700350int cap_inode_killpriv(struct dentry *dentry)
351{
Andreas Gruenbacher5d6c3192016-09-29 17:48:42 +0200352 int error;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700353
Andreas Gruenbacher5d6c3192016-09-29 17:48:42 +0200354 error = __vfs_removexattr(dentry, XATTR_NAME_CAPS);
355 if (error == -EOPNOTSUPP)
356 error = 0;
357 return error;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700358}
359
David Howells1d045982008-11-14 10:39:24 +1100360/*
361 * Calculate the new process capability sets from the capability sets attached
362 * to a file.
363 */
Eric Parisc0b00442008-11-11 21:48:10 +1100364static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
David Howellsa6f76f22008-11-14 10:39:24 +1100365 struct linux_binprm *bprm,
Zhi Li4d49f672011-08-11 13:27:50 +0800366 bool *effective,
367 bool *has_cap)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700368{
David Howellsa6f76f22008-11-14 10:39:24 +1100369 struct cred *new = bprm->cred;
Eric Parisc0b00442008-11-11 21:48:10 +1100370 unsigned i;
371 int ret = 0;
372
373 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
David Howellsa6f76f22008-11-14 10:39:24 +1100374 *effective = true;
Eric Parisc0b00442008-11-11 21:48:10 +1100375
Zhi Li4d49f672011-08-11 13:27:50 +0800376 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
377 *has_cap = true;
378
Eric Parisc0b00442008-11-11 21:48:10 +1100379 CAP_FOR_EACH_U32(i) {
380 __u32 permitted = caps->permitted.cap[i];
381 __u32 inheritable = caps->inheritable.cap[i];
382
383 /*
384 * pP' = (X & fP) | (pI & fI)
Andy Lutomirski58319052015-09-04 15:42:45 -0700385 * The addition of pA' is handled later.
Eric Parisc0b00442008-11-11 21:48:10 +1100386 */
David Howellsa6f76f22008-11-14 10:39:24 +1100387 new->cap_permitted.cap[i] =
388 (new->cap_bset.cap[i] & permitted) |
389 (new->cap_inheritable.cap[i] & inheritable);
Eric Parisc0b00442008-11-11 21:48:10 +1100390
David Howellsa6f76f22008-11-14 10:39:24 +1100391 if (permitted & ~new->cap_permitted.cap[i])
392 /* insufficient to execute correctly */
Eric Parisc0b00442008-11-11 21:48:10 +1100393 ret = -EPERM;
Eric Parisc0b00442008-11-11 21:48:10 +1100394 }
395
396 /*
397 * For legacy apps, with no internal support for recognizing they
398 * do not have enough capabilities, we return an error if they are
399 * missing some "forced" (aka file-permitted) capabilities.
400 */
David Howellsa6f76f22008-11-14 10:39:24 +1100401 return *effective ? ret : 0;
Eric Parisc0b00442008-11-11 21:48:10 +1100402}
403
David Howells1d045982008-11-14 10:39:24 +1100404/*
405 * Extract the on-exec-apply capability sets for an executable file.
406 */
Eric Parisc0b00442008-11-11 21:48:10 +1100407int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
408{
David Howellsc6f493d2015-03-17 22:26:22 +0000409 struct inode *inode = d_backing_inode(dentry);
Serge E. Hallynb5376772007-10-16 23:31:36 -0700410 __u32 magic_etc;
Andrew Morgane338d262008-02-04 22:29:42 -0800411 unsigned tocopy, i;
Eric Parisc0b00442008-11-11 21:48:10 +1100412 int size;
413 struct vfs_cap_data caps;
414
415 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
416
Andreas Gruenbacher5d6c3192016-09-29 17:48:42 +0200417 if (!inode)
Eric Parisc0b00442008-11-11 21:48:10 +1100418 return -ENODATA;
419
Andreas Gruenbacher5d6c3192016-09-29 17:48:42 +0200420 size = __vfs_getxattr((struct dentry *)dentry, inode,
421 XATTR_NAME_CAPS, &caps, XATTR_CAPS_SZ);
David Howellsa6f76f22008-11-14 10:39:24 +1100422 if (size == -ENODATA || size == -EOPNOTSUPP)
Eric Parisc0b00442008-11-11 21:48:10 +1100423 /* no data, that's ok */
424 return -ENODATA;
Eric Parisc0b00442008-11-11 21:48:10 +1100425 if (size < 0)
426 return size;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700427
Andrew Morgane338d262008-02-04 22:29:42 -0800428 if (size < sizeof(magic_etc))
Serge E. Hallynb5376772007-10-16 23:31:36 -0700429 return -EINVAL;
430
Eric Parisc0b00442008-11-11 21:48:10 +1100431 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc);
Serge E. Hallynb5376772007-10-16 23:31:36 -0700432
David Howellsa6f76f22008-11-14 10:39:24 +1100433 switch (magic_etc & VFS_CAP_REVISION_MASK) {
Andrew Morgane338d262008-02-04 22:29:42 -0800434 case VFS_CAP_REVISION_1:
435 if (size != XATTR_CAPS_SZ_1)
436 return -EINVAL;
437 tocopy = VFS_CAP_U32_1;
438 break;
439 case VFS_CAP_REVISION_2:
440 if (size != XATTR_CAPS_SZ_2)
441 return -EINVAL;
442 tocopy = VFS_CAP_U32_2;
443 break;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700444 default:
445 return -EINVAL;
446 }
Andrew Morgane338d262008-02-04 22:29:42 -0800447
Andrew G. Morgan5459c162008-07-23 21:28:24 -0700448 CAP_FOR_EACH_U32(i) {
Eric Parisc0b00442008-11-11 21:48:10 +1100449 if (i >= tocopy)
450 break;
451 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted);
452 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
Andrew Morgane338d262008-02-04 22:29:42 -0800453 }
David Howellsa6f76f22008-11-14 10:39:24 +1100454
Eric Paris7d8b6c62014-07-23 15:36:26 -0400455 cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
456 cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
457
Eric Parisc0b00442008-11-11 21:48:10 +1100458 return 0;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700459}
460
David Howells1d045982008-11-14 10:39:24 +1100461/*
462 * Attempt to get the on-exec apply capability sets for an executable file from
463 * its xattrs and, if present, apply them to the proposed credentials being
464 * constructed by execve().
465 */
Zhi Li4d49f672011-08-11 13:27:50 +0800466static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_cap)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700467{
Serge E. Hallynb5376772007-10-16 23:31:36 -0700468 int rc = 0;
Eric Parisc0b00442008-11-11 21:48:10 +1100469 struct cpu_vfs_cap_data vcaps;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700470
Serge Hallyn3318a382008-10-30 11:52:23 -0500471 bprm_clear_caps(bprm);
472
Serge E. Hallyn1f29fae2008-11-05 16:08:52 -0600473 if (!file_caps_enabled)
474 return 0;
475
Andy Lutomirski380cf5b2016-06-23 16:41:05 -0500476 if (!mnt_may_suid(bprm->file->f_path.mnt))
Serge E. Hallynb5376772007-10-16 23:31:36 -0700477 return 0;
Andy Lutomirski380cf5b2016-06-23 16:41:05 -0500478
479 /*
480 * This check is redundant with mnt_may_suid() but is kept to make
481 * explicit that capability bits are limited to s_user_ns and its
482 * descendants.
483 */
Seth Forsheed07b8462015-09-23 15:16:04 -0500484 if (!current_in_userns(bprm->file->f_path.mnt->mnt_sb->s_user_ns))
485 return 0;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700486
Al Virof4a4a8b2014-12-28 09:27:07 -0500487 rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
Eric Parisc0b00442008-11-11 21:48:10 +1100488 if (rc < 0) {
489 if (rc == -EINVAL)
490 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n",
491 __func__, rc, bprm->filename);
492 else if (rc == -ENODATA)
493 rc = 0;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700494 goto out;
495 }
Serge E. Hallynb5376772007-10-16 23:31:36 -0700496
Zhi Li4d49f672011-08-11 13:27:50 +0800497 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_cap);
David Howellsa6f76f22008-11-14 10:39:24 +1100498 if (rc == -EINVAL)
499 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
500 __func__, rc, bprm->filename);
Serge E. Hallynb5376772007-10-16 23:31:36 -0700501
502out:
Serge E. Hallynb5376772007-10-16 23:31:36 -0700503 if (rc)
504 bprm_clear_caps(bprm);
505
506 return rc;
507}
508
David Howells1d045982008-11-14 10:39:24 +1100509/**
510 * cap_bprm_set_creds - Set up the proposed credentials for execve().
511 * @bprm: The execution parameters, including the proposed creds
512 *
513 * Set up the proposed credentials for a new execution context being
514 * constructed by execve(). The proposed creds in @bprm->cred is altered,
515 * which won't take effect immediately. Returns 0 if successful, -ve on error.
David Howellsa6f76f22008-11-14 10:39:24 +1100516 */
517int cap_bprm_set_creds(struct linux_binprm *bprm)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700518{
David Howellsa6f76f22008-11-14 10:39:24 +1100519 const struct cred *old = current_cred();
520 struct cred *new = bprm->cred;
Andy Lutomirski58319052015-09-04 15:42:45 -0700521 bool effective, has_cap = false, is_setid;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700522 int ret;
Eric W. Biederman18815a12012-02-07 16:45:47 -0800523 kuid_t root_uid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700524
Eric W. Biederman8a093d42020-05-25 12:56:15 -0500525 new->cap_ambient = old->cap_ambient;
Andy Lutomirski58319052015-09-04 15:42:45 -0700526 if (WARN_ON(!cap_ambient_invariant_ok(old)))
527 return -EPERM;
528
David Howellsa6f76f22008-11-14 10:39:24 +1100529 effective = false;
Zhi Li4d49f672011-08-11 13:27:50 +0800530 ret = get_file_caps(bprm, &effective, &has_cap);
David Howellsa6f76f22008-11-14 10:39:24 +1100531 if (ret < 0)
532 return ret;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700533
Eric W. Biederman18815a12012-02-07 16:45:47 -0800534 root_uid = make_kuid(new->user_ns, 0);
535
Andrew G. Morgan5459c162008-07-23 21:28:24 -0700536 if (!issecure(SECURE_NOROOT)) {
537 /*
Serge E. Hallynb5f22a52009-04-02 18:47:14 -0500538 * If the legacy file capability is set, then don't set privs
539 * for a setuid root binary run by a non-root user. Do set it
540 * for a root user just to cause least surprise to an admin.
541 */
Eric W. Biederman18815a12012-02-07 16:45:47 -0800542 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
Serge E. Hallynb5f22a52009-04-02 18:47:14 -0500543 warn_setuid_and_fcaps_mixed(bprm->filename);
544 goto skip;
545 }
546 /*
Andrew G. Morgan5459c162008-07-23 21:28:24 -0700547 * To support inheritance of root-permissions and suid-root
548 * executables under compatibility mode, we override the
549 * capability sets for the file.
550 *
David Howellsa6f76f22008-11-14 10:39:24 +1100551 * If only the real uid is 0, we do not set the effective bit.
Andrew G. Morgan5459c162008-07-23 21:28:24 -0700552 */
Eric W. Biederman18815a12012-02-07 16:45:47 -0800553 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
Andrew G. Morgan5459c162008-07-23 21:28:24 -0700554 /* pP' = (cap_bset & ~0) | (pI & ~0) */
David Howellsa6f76f22008-11-14 10:39:24 +1100555 new->cap_permitted = cap_combine(old->cap_bset,
556 old->cap_inheritable);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700557 }
Eric W. Biederman18815a12012-02-07 16:45:47 -0800558 if (uid_eq(new->euid, root_uid))
David Howellsa6f76f22008-11-14 10:39:24 +1100559 effective = true;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700560 }
Serge E. Hallynb5f22a52009-04-02 18:47:14 -0500561skip:
Serge E. Hallynb5376772007-10-16 23:31:36 -0700562
Eric Parisd52fc5d2012-04-17 16:26:54 -0400563 /* if we have fs caps, clear dangerous personality flags */
564 if (!cap_issubset(new->cap_permitted, old->cap_permitted))
565 bprm->per_clear |= PER_CLEAR_ON_SETID;
566
567
David Howellsa6f76f22008-11-14 10:39:24 +1100568 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
Andy Lutomirski259e5e62012-04-12 16:47:50 -0500569 * credentials unless they have the appropriate permit.
570 *
571 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
David Howellsa6f76f22008-11-14 10:39:24 +1100572 */
Andy Lutomirski58319052015-09-04 15:42:45 -0700573 is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
574
575 if ((is_setid ||
David Howellsa6f76f22008-11-14 10:39:24 +1100576 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
577 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
578 /* downgrade; they get no more than they had, and maybe less */
Andy Lutomirski259e5e62012-04-12 16:47:50 -0500579 if (!capable(CAP_SETUID) ||
580 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
David Howellsa6f76f22008-11-14 10:39:24 +1100581 new->euid = new->uid;
582 new->egid = new->gid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700583 }
Serge E. Hallynb3a222e2009-11-23 16:21:30 -0600584 new->cap_permitted = cap_intersect(new->cap_permitted,
585 old->cap_permitted);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700586 }
587
David Howellsa6f76f22008-11-14 10:39:24 +1100588 new->suid = new->fsuid = new->euid;
589 new->sgid = new->fsgid = new->egid;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700590
Andy Lutomirski58319052015-09-04 15:42:45 -0700591 /* File caps or setid cancels ambient. */
592 if (has_cap || is_setid)
593 cap_clear(new->cap_ambient);
594
595 /*
596 * Now that we've computed pA', update pP' to give:
597 * pP' = (X & fP) | (pI & fI) | pA'
598 */
599 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
600
601 /*
602 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
603 * this is the same as pE' = (fE ? pP' : 0) | pA'.
604 */
Eric Paris4bf2ea72011-04-01 17:08:28 -0400605 if (effective)
606 new->cap_effective = new->cap_permitted;
607 else
Andy Lutomirski58319052015-09-04 15:42:45 -0700608 new->cap_effective = new->cap_ambient;
609
610 if (WARN_ON(!cap_ambient_invariant_ok(new)))
611 return -EPERM;
612
David Howellsa6f76f22008-11-14 10:39:24 +1100613 bprm->cap_effective = effective;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700614
Eric Paris3fc689e2008-11-11 21:48:18 +1100615 /*
616 * Audit candidate if current->cap_effective is set
617 *
618 * We do not bother to audit if 3 things are true:
619 * 1) cap_effective has all caps
620 * 2) we are root
621 * 3) root is supposed to have all caps (SECURE_NOROOT)
622 * Since this is just a normal root execing a process.
623 *
624 * Number 1 above might fail if you don't have a full bset, but I think
625 * that is interesting information to audit.
626 */
Andy Lutomirski58319052015-09-04 15:42:45 -0700627 if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
David Howellsd84f4f92008-11-14 10:39:23 +1100628 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
Eric W. Biederman18815a12012-02-07 16:45:47 -0800629 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
David Howellsa6f76f22008-11-14 10:39:24 +1100630 issecure(SECURE_NOROOT)) {
631 ret = audit_log_bprm_fcaps(bprm, new, old);
632 if (ret < 0)
633 return ret;
634 }
Eric Paris3fc689e2008-11-11 21:48:18 +1100635 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700636
David Howellsd84f4f92008-11-14 10:39:23 +1100637 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
Andy Lutomirski58319052015-09-04 15:42:45 -0700638
639 if (WARN_ON(!cap_ambient_invariant_ok(new)))
640 return -EPERM;
641
David Howellsa6f76f22008-11-14 10:39:24 +1100642 return 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700643}
644
David Howells1d045982008-11-14 10:39:24 +1100645/**
646 * cap_bprm_secureexec - Determine whether a secure execution is required
647 * @bprm: The execution parameters
648 *
649 * Determine whether a secure execution is required, return 1 if it is, and 0
650 * if it is not.
651 *
652 * The credentials have been committed by this point, and so are no longer
653 * available through @bprm->cred.
David Howellsa6f76f22008-11-14 10:39:24 +1100654 */
655int cap_bprm_secureexec(struct linux_binprm *bprm)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700656{
David Howellsc69e8d92008-11-14 10:39:19 +1100657 const struct cred *cred = current_cred();
Eric W. Biederman18815a12012-02-07 16:45:47 -0800658 kuid_t root_uid = make_kuid(cred->user_ns, 0);
David Howellsb6dff3e2008-11-14 10:39:16 +1100659
Eric W. Biederman18815a12012-02-07 16:45:47 -0800660 if (!uid_eq(cred->uid, root_uid)) {
Serge E. Hallynb5376772007-10-16 23:31:36 -0700661 if (bprm->cap_effective)
662 return 1;
Andy Lutomirski58319052015-09-04 15:42:45 -0700663 if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
Serge E. Hallynb5376772007-10-16 23:31:36 -0700664 return 1;
665 }
666
Eric W. Biederman18815a12012-02-07 16:45:47 -0800667 return (!uid_eq(cred->euid, cred->uid) ||
668 !gid_eq(cred->egid, cred->gid));
Linus Torvalds1da177e2005-04-16 15:20:36 -0700669}
670
David Howells1d045982008-11-14 10:39:24 +1100671/**
672 * cap_inode_setxattr - Determine whether an xattr may be altered
673 * @dentry: The inode/dentry being altered
674 * @name: The name of the xattr to be changed
675 * @value: The value that the xattr will be changed to
676 * @size: The size of value
677 * @flags: The replacement flag
678 *
679 * Determine whether an xattr may be altered or set on an inode, returning 0 if
680 * permission is granted, -ve if denied.
681 *
682 * This is used to make sure security xattrs don't get updated or set by those
683 * who aren't privileged to do so.
684 */
David Howells8f0cfa52008-04-29 00:59:41 -0700685int cap_inode_setxattr(struct dentry *dentry, const char *name,
686 const void *value, size_t size, int flags)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700687{
Serge E. Hallynb5376772007-10-16 23:31:36 -0700688 if (!strcmp(name, XATTR_NAME_CAPS)) {
689 if (!capable(CAP_SETFCAP))
690 return -EPERM;
691 return 0;
David Howells1d045982008-11-14 10:39:24 +1100692 }
693
694 if (!strncmp(name, XATTR_SECURITY_PREFIX,
Justin P. Mattockc5b60b52010-04-21 00:02:11 -0700695 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
Linus Torvalds1da177e2005-04-16 15:20:36 -0700696 !capable(CAP_SYS_ADMIN))
697 return -EPERM;
698 return 0;
699}
700
David Howells1d045982008-11-14 10:39:24 +1100701/**
702 * cap_inode_removexattr - Determine whether an xattr may be removed
703 * @dentry: The inode/dentry being altered
704 * @name: The name of the xattr to be changed
705 *
706 * Determine whether an xattr may be removed from an inode, returning 0 if
707 * permission is granted, -ve if denied.
708 *
709 * This is used to make sure security xattrs don't get removed by those who
710 * aren't privileged to remove them.
711 */
David Howells8f0cfa52008-04-29 00:59:41 -0700712int cap_inode_removexattr(struct dentry *dentry, const char *name)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700713{
Serge E. Hallynb5376772007-10-16 23:31:36 -0700714 if (!strcmp(name, XATTR_NAME_CAPS)) {
715 if (!capable(CAP_SETFCAP))
716 return -EPERM;
717 return 0;
David Howells1d045982008-11-14 10:39:24 +1100718 }
719
720 if (!strncmp(name, XATTR_SECURITY_PREFIX,
Justin P. Mattockc5b60b52010-04-21 00:02:11 -0700721 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
Linus Torvalds1da177e2005-04-16 15:20:36 -0700722 !capable(CAP_SYS_ADMIN))
723 return -EPERM;
724 return 0;
725}
726
David Howellsa6f76f22008-11-14 10:39:24 +1100727/*
Linus Torvalds1da177e2005-04-16 15:20:36 -0700728 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
729 * a process after a call to setuid, setreuid, or setresuid.
730 *
731 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
732 * {r,e,s}uid != 0, the permitted and effective capabilities are
733 * cleared.
734 *
735 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
736 * capabilities of the process are cleared.
737 *
738 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
739 * capabilities are set to the permitted capabilities.
740 *
David Howellsa6f76f22008-11-14 10:39:24 +1100741 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
Linus Torvalds1da177e2005-04-16 15:20:36 -0700742 * never happen.
743 *
David Howellsa6f76f22008-11-14 10:39:24 +1100744 * -astor
Linus Torvalds1da177e2005-04-16 15:20:36 -0700745 *
746 * cevans - New behaviour, Oct '99
747 * A process may, via prctl(), elect to keep its capabilities when it
748 * calls setuid() and switches away from uid==0. Both permitted and
749 * effective sets will be retained.
750 * Without this change, it was impossible for a daemon to drop only some
751 * of its privilege. The call to setuid(!=0) would drop all privileges!
752 * Keeping uid 0 is not an option because uid 0 owns too many vital
753 * files..
754 * Thanks to Olaf Kirch and Peter Benie for spotting this.
755 */
David Howellsd84f4f92008-11-14 10:39:23 +1100756static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700757{
Eric W. Biederman18815a12012-02-07 16:45:47 -0800758 kuid_t root_uid = make_kuid(old->user_ns, 0);
759
760 if ((uid_eq(old->uid, root_uid) ||
761 uid_eq(old->euid, root_uid) ||
762 uid_eq(old->suid, root_uid)) &&
763 (!uid_eq(new->uid, root_uid) &&
764 !uid_eq(new->euid, root_uid) &&
Andy Lutomirski58319052015-09-04 15:42:45 -0700765 !uid_eq(new->suid, root_uid))) {
766 if (!issecure(SECURE_KEEP_CAPS)) {
767 cap_clear(new->cap_permitted);
768 cap_clear(new->cap_effective);
769 }
770
771 /*
772 * Pre-ambient programs expect setresuid to nonroot followed
773 * by exec to drop capabilities. We should make sure that
774 * this remains the case.
775 */
776 cap_clear(new->cap_ambient);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700777 }
Eric W. Biederman18815a12012-02-07 16:45:47 -0800778 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
David Howellsd84f4f92008-11-14 10:39:23 +1100779 cap_clear(new->cap_effective);
Eric W. Biederman18815a12012-02-07 16:45:47 -0800780 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
David Howellsd84f4f92008-11-14 10:39:23 +1100781 new->cap_effective = new->cap_permitted;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700782}
783
David Howells1d045982008-11-14 10:39:24 +1100784/**
785 * cap_task_fix_setuid - Fix up the results of setuid() call
786 * @new: The proposed credentials
787 * @old: The current task's current credentials
788 * @flags: Indications of what has changed
789 *
790 * Fix up the results of setuid() call before the credential changes are
791 * actually applied, returning 0 to grant the changes, -ve to deny them.
792 */
David Howellsd84f4f92008-11-14 10:39:23 +1100793int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700794{
795 switch (flags) {
796 case LSM_SETID_RE:
797 case LSM_SETID_ID:
798 case LSM_SETID_RES:
David Howells1d045982008-11-14 10:39:24 +1100799 /* juggle the capabilities to follow [RES]UID changes unless
800 * otherwise suppressed */
David Howellsd84f4f92008-11-14 10:39:23 +1100801 if (!issecure(SECURE_NO_SETUID_FIXUP))
802 cap_emulate_setxuid(new, old);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700803 break;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700804
David Howells1d045982008-11-14 10:39:24 +1100805 case LSM_SETID_FS:
806 /* juggle the capabilties to follow FSUID changes, unless
807 * otherwise suppressed
808 *
David Howellsd84f4f92008-11-14 10:39:23 +1100809 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
810 * if not, we might be a bit too harsh here.
811 */
812 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
Eric W. Biederman18815a12012-02-07 16:45:47 -0800813 kuid_t root_uid = make_kuid(old->user_ns, 0);
814 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
David Howellsd84f4f92008-11-14 10:39:23 +1100815 new->cap_effective =
816 cap_drop_fs_set(new->cap_effective);
David Howells1d045982008-11-14 10:39:24 +1100817
Eric W. Biederman18815a12012-02-07 16:45:47 -0800818 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
David Howellsd84f4f92008-11-14 10:39:23 +1100819 new->cap_effective =
820 cap_raise_fs_set(new->cap_effective,
821 new->cap_permitted);
Linus Torvalds1da177e2005-04-16 15:20:36 -0700822 }
David Howellsd84f4f92008-11-14 10:39:23 +1100823 break;
David Howells1d045982008-11-14 10:39:24 +1100824
Linus Torvalds1da177e2005-04-16 15:20:36 -0700825 default:
826 return -EINVAL;
827 }
828
829 return 0;
830}
831
Serge E. Hallynb5376772007-10-16 23:31:36 -0700832/*
833 * Rationale: code calling task_setscheduler, task_setioprio, and
834 * task_setnice, assumes that
835 * . if capable(cap_sys_nice), then those actions should be allowed
836 * . if not capable(cap_sys_nice), but acting on your own processes,
837 * then those actions should be allowed
838 * This is insufficient now since you can call code without suid, but
839 * yet with increased caps.
840 * So we check for increased caps on the target process.
841 */
Serge E. Hallynde45e802008-09-26 22:27:47 -0400842static int cap_safe_nice(struct task_struct *p)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700843{
Serge Hallynf54fb862013-07-23 13:18:53 -0500844 int is_subset, ret = 0;
David Howellsc69e8d92008-11-14 10:39:19 +1100845
846 rcu_read_lock();
847 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
848 current_cred()->cap_permitted);
Serge Hallynf54fb862013-07-23 13:18:53 -0500849 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
850 ret = -EPERM;
David Howellsc69e8d92008-11-14 10:39:19 +1100851 rcu_read_unlock();
852
Serge Hallynf54fb862013-07-23 13:18:53 -0500853 return ret;
Serge E. Hallynb5376772007-10-16 23:31:36 -0700854}
855
David Howells1d045982008-11-14 10:39:24 +1100856/**
857 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
858 * @p: The task to affect
David Howells1d045982008-11-14 10:39:24 +1100859 *
860 * Detemine if the requested scheduler policy change is permitted for the
861 * specified task, returning 0 if permission is granted, -ve if denied.
862 */
KOSAKI Motohirob0ae1982010-10-15 04:21:18 +0900863int cap_task_setscheduler(struct task_struct *p)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700864{
865 return cap_safe_nice(p);
866}
867
David Howells1d045982008-11-14 10:39:24 +1100868/**
869 * cap_task_ioprio - Detemine if I/O priority change is permitted
870 * @p: The task to affect
871 * @ioprio: The I/O priority to set
872 *
873 * Detemine if the requested I/O priority change is permitted for the specified
874 * task, returning 0 if permission is granted, -ve if denied.
875 */
876int cap_task_setioprio(struct task_struct *p, int ioprio)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700877{
878 return cap_safe_nice(p);
879}
880
David Howells1d045982008-11-14 10:39:24 +1100881/**
882 * cap_task_ioprio - Detemine if task priority change is permitted
883 * @p: The task to affect
884 * @nice: The nice value to set
885 *
886 * Detemine if the requested task priority change is permitted for the
887 * specified task, returning 0 if permission is granted, -ve if denied.
888 */
889int cap_task_setnice(struct task_struct *p, int nice)
Serge E. Hallynb5376772007-10-16 23:31:36 -0700890{
891 return cap_safe_nice(p);
892}
893
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800894/*
David Howells1d045982008-11-14 10:39:24 +1100895 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
896 * the current task's bounding set. Returns 0 on success, -ve on error.
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800897 */
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900898static int cap_prctl_drop(unsigned long cap)
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800899{
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900900 struct cred *new;
901
Eric W. Biederman160da842013-07-02 10:04:54 -0700902 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800903 return -EPERM;
904 if (!cap_valid(cap))
905 return -EINVAL;
David Howellsd84f4f92008-11-14 10:39:23 +1100906
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900907 new = prepare_creds();
908 if (!new)
909 return -ENOMEM;
David Howellsd84f4f92008-11-14 10:39:23 +1100910 cap_lower(new->cap_bset, cap);
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900911 return commit_creds(new);
Serge E. Hallyn3b7391d2008-02-04 22:29:45 -0800912}
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700913
David Howells1d045982008-11-14 10:39:24 +1100914/**
915 * cap_task_prctl - Implement process control functions for this security module
916 * @option: The process control function requested
917 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
918 *
919 * Allow process control functions (sys_prctl()) to alter capabilities; may
920 * also deny access to other functions not otherwise implemented here.
921 *
922 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
923 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
924 * modules will consider performing the function.
925 */
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700926int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
David Howellsd84f4f92008-11-14 10:39:23 +1100927 unsigned long arg4, unsigned long arg5)
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700928{
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900929 const struct cred *old = current_cred();
David Howellsd84f4f92008-11-14 10:39:23 +1100930 struct cred *new;
David Howellsd84f4f92008-11-14 10:39:23 +1100931
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700932 switch (option) {
933 case PR_CAPBSET_READ:
934 if (!cap_valid(arg2))
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900935 return -EINVAL;
936 return !!cap_raised(old->cap_bset, arg2);
David Howellsd84f4f92008-11-14 10:39:23 +1100937
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700938 case PR_CAPBSET_DROP:
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900939 return cap_prctl_drop(arg2);
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700940
941 /*
942 * The next four prctl's remain to assist with transitioning a
943 * system from legacy UID=0 based privilege (when filesystem
944 * capabilities are not in use) to a system using filesystem
945 * capabilities only - as the POSIX.1e draft intended.
946 *
947 * Note:
948 *
949 * PR_SET_SECUREBITS =
950 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
951 * | issecure_mask(SECURE_NOROOT)
952 * | issecure_mask(SECURE_NOROOT_LOCKED)
953 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
954 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
955 *
956 * will ensure that the current process and all of its
957 * children will be locked into a pure
958 * capability-based-privilege environment.
959 */
960 case PR_SET_SECUREBITS:
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900961 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
962 & (old->securebits ^ arg2)) /*[1]*/
963 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
David Howellsd84f4f92008-11-14 10:39:23 +1100964 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
Eric Paris6a9de492012-01-03 12:25:14 -0500965 || (cap_capable(current_cred(),
Eric W. Biedermanc4a4d602011-11-16 23:15:31 -0800966 current_cred()->user_ns, CAP_SETPCAP,
David Howells3699c532009-01-06 22:27:01 +0000967 SECURITY_CAP_AUDIT) != 0) /*[4]*/
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700968 /*
969 * [1] no changing of bits that are locked
970 * [2] no unlocking of locks
971 * [3] no setting of unsupported bits
972 * [4] doing anything requires privilege (go read about
973 * the "sendmail capabilities bug")
974 */
David Howellsd84f4f92008-11-14 10:39:23 +1100975 )
976 /* cannot change a locked bit */
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900977 return -EPERM;
978
979 new = prepare_creds();
980 if (!new)
981 return -ENOMEM;
David Howellsd84f4f92008-11-14 10:39:23 +1100982 new->securebits = arg2;
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900983 return commit_creds(new);
David Howellsd84f4f92008-11-14 10:39:23 +1100984
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700985 case PR_GET_SECUREBITS:
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900986 return old->securebits;
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700987
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700988 case PR_GET_KEEPCAPS:
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900989 return !!issecure(SECURE_KEEP_CAPS);
David Howellsd84f4f92008-11-14 10:39:23 +1100990
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -0700991 case PR_SET_KEEPCAPS:
992 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900993 return -EINVAL;
David Howellsd84f4f92008-11-14 10:39:23 +1100994 if (issecure(SECURE_KEEP_CAPS_LOCKED))
Tetsuo Handa6d6f3322014-07-22 21:20:01 +0900995 return -EPERM;
996
997 new = prepare_creds();
998 if (!new)
999 return -ENOMEM;
David Howellsd84f4f92008-11-14 10:39:23 +11001000 if (arg2)
1001 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -07001002 else
David Howellsd84f4f92008-11-14 10:39:23 +11001003 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
Tetsuo Handa6d6f3322014-07-22 21:20:01 +09001004 return commit_creds(new);
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -07001005
Andy Lutomirski58319052015-09-04 15:42:45 -07001006 case PR_CAP_AMBIENT:
1007 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
1008 if (arg3 | arg4 | arg5)
1009 return -EINVAL;
1010
1011 new = prepare_creds();
1012 if (!new)
1013 return -ENOMEM;
1014 cap_clear(new->cap_ambient);
1015 return commit_creds(new);
1016 }
1017
1018 if (((!cap_valid(arg3)) | arg4 | arg5))
1019 return -EINVAL;
1020
1021 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
1022 return !!cap_raised(current_cred()->cap_ambient, arg3);
1023 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
1024 arg2 != PR_CAP_AMBIENT_LOWER) {
1025 return -EINVAL;
1026 } else {
1027 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1028 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1029 !cap_raised(current_cred()->cap_inheritable,
Andy Lutomirski746bf6d2015-09-04 15:42:51 -07001030 arg3) ||
1031 issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
Andy Lutomirski58319052015-09-04 15:42:45 -07001032 return -EPERM;
1033
1034 new = prepare_creds();
1035 if (!new)
1036 return -ENOMEM;
1037 if (arg2 == PR_CAP_AMBIENT_RAISE)
1038 cap_raise(new->cap_ambient, arg3);
1039 else
1040 cap_lower(new->cap_ambient, arg3);
1041 return commit_creds(new);
1042 }
1043
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -07001044 default:
1045 /* No functionality available - continue with default */
Tetsuo Handa6d6f3322014-07-22 21:20:01 +09001046 return -ENOSYS;
Andrew G. Morgan3898b1b2008-04-28 02:13:40 -07001047 }
Linus Torvalds1da177e2005-04-16 15:20:36 -07001048}
1049
David Howells1d045982008-11-14 10:39:24 +11001050/**
David Howells1d045982008-11-14 10:39:24 +11001051 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1052 * @mm: The VM space in which the new mapping is to be made
1053 * @pages: The size of the mapping
1054 *
1055 * Determine whether the allocation of a new virtual mapping by the current
Casey Schauflerb1d9e6b2015-05-02 15:11:42 -07001056 * task is permitted, returning 1 if permission is granted, 0 if not.
David Howells1d045982008-11-14 10:39:24 +11001057 */
Alan Cox34b4e4a2007-08-22 14:01:28 -07001058int cap_vm_enough_memory(struct mm_struct *mm, long pages)
Linus Torvalds1da177e2005-04-16 15:20:36 -07001059{
1060 int cap_sys_admin = 0;
1061
Eric Paris6a9de492012-01-03 12:25:14 -05001062 if (cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
David Howells3699c532009-01-06 22:27:01 +00001063 SECURITY_CAP_NOAUDIT) == 0)
Linus Torvalds1da177e2005-04-16 15:20:36 -07001064 cap_sys_admin = 1;
Casey Schauflerb1d9e6b2015-05-02 15:11:42 -07001065 return cap_sys_admin;
Linus Torvalds1da177e2005-04-16 15:20:36 -07001066}
Eric Paris7c738752009-07-31 12:53:58 -04001067
1068/*
Al Virod0077942012-05-30 13:11:37 -04001069 * cap_mmap_addr - check if able to map given addr
1070 * @addr: address attempting to be mapped
1071 *
1072 * If the process is attempting to map memory below dac_mmap_min_addr they need
1073 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
1074 * capability security module. Returns 0 if this mapping should be allowed
1075 * -EPERM if not.
1076 */
1077int cap_mmap_addr(unsigned long addr)
1078{
1079 int ret = 0;
1080
1081 if (addr < dac_mmap_min_addr) {
1082 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
1083 SECURITY_CAP_AUDIT);
1084 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1085 if (ret == 0)
1086 current->flags |= PF_SUPERPRIV;
1087 }
1088 return ret;
1089}
1090
Al Viroe5467852012-05-30 13:30:51 -04001091int cap_mmap_file(struct file *file, unsigned long reqprot,
1092 unsigned long prot, unsigned long flags)
Eric Paris7c738752009-07-31 12:53:58 -04001093{
Al Viroe5467852012-05-30 13:30:51 -04001094 return 0;
Eric Paris7c738752009-07-31 12:53:58 -04001095}
Casey Schauflerb1d9e6b2015-05-02 15:11:42 -07001096
1097#ifdef CONFIG_SECURITY
1098
James Morriscaefc012017-02-15 00:18:51 +11001099struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
Casey Schauflerb1d9e6b2015-05-02 15:11:42 -07001100 LSM_HOOK_INIT(capable, cap_capable),
1101 LSM_HOOK_INIT(settime, cap_settime),
1102 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
1103 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
1104 LSM_HOOK_INIT(capget, cap_capget),
1105 LSM_HOOK_INIT(capset, cap_capset),
1106 LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
1107 LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec),
1108 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
1109 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
1110 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
1111 LSM_HOOK_INIT(mmap_file, cap_mmap_file),
1112 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
1113 LSM_HOOK_INIT(task_prctl, cap_task_prctl),
1114 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
1115 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
1116 LSM_HOOK_INIT(task_setnice, cap_task_setnice),
1117 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
1118};
1119
1120void __init capability_add_hooks(void)
1121{
1122 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
1123}
1124
1125#endif /* CONFIG_SECURITY */