| blob | 48071ed7c445d025fa4ae57c12f032bfa916521f |
1 /* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */
10 #include <linux/capability.h>
11 #include <linux/audit.h>
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/lsm_hooks.h>
16 #include <linux/file.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/pagemap.h>
20 #include <linux/swap.h>
21 #include <linux/skbuff.h>
22 #include <linux/netlink.h>
23 #include <linux/ptrace.h>
24 #include <linux/xattr.h>
25 #include <linux/hugetlb.h>
26 #include <linux/mount.h>
27 #include <linux/sched.h>
28 #include <linux/prctl.h>
29 #include <linux/securebits.h>
30 #include <linux/user_namespace.h>
31 #include <linux/binfmts.h>
32 #include <linux/personality.h>
34 /*
35 * If a non-root user executes a setuid-root binary in
36 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
37 * However if fE is also set, then the intent is for only
38 * the file capabilities to be applied, and the setuid-root
39 * bit is left on either to change the uid (plausible) or
40 * to get full privilege on a kernel without file capabilities
41 * support. So in that case we do not raise capabilities.
42 *
43 * Warn if that happens, once per boot.
44 */
46 {
50 " effective capabilities. Therefore not raising all"
53 }
54 }
56 /**
57 * cap_capable - Determine whether a task has a particular effective capability
58 * @cred: The credentials to use
59 * @ns: The user namespace in which we need the capability
60 * @cap: The capability to check for
61 * @audit: Whether to write an audit message or not
62 *
63 * Determine whether the nominated task has the specified capability amongst
64 * its effective set, returning 0 if it does, -ve if it does not.
65 *
66 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
67 * and has_capability() functions. That is, it has the reverse semantics:
68 * cap_has_capability() returns 0 when a task has a capability, but the
69 * kernel's capable() and has_capability() returns 1 for this case.
70 */
73 {
76 /* See if cred has the capability in the target user namespace
77 * by examining the target user namespace and all of the target
78 * user namespace's parents.
79 */
81 /* Do we have the necessary capabilities? */
85 /* Have we tried all of the parent namespaces? */
89 /*
90 * The owner of the user namespace in the parent of the
91 * user namespace has all caps.
92 */
96 /*
97 * If you have a capability in a parent user ns, then you have
98 * it over all children user namespaces as well.
99 */
101 }
103 /* We never get here */
104 }
106 /**
107 * cap_settime - Determine whether the current process may set the system clock
108 * @ts: The time to set
109 * @tz: The timezone to set
110 *
111 * Determine whether the current process may set the system clock and timezone
112 * information, returning 0 if permission granted, -ve if denied.
113 */
115 {
119 }
121 /**
122 * cap_ptrace_access_check - Determine whether the current process may access
123 * another
124 * @child: The process to be accessed
125 * @mode: The mode of attachment.
126 *
127 * If we are in the same or an ancestor user_ns and have all the target
128 * task's capabilities, then ptrace access is allowed.
129 * If we have the ptrace capability to the target user_ns, then ptrace
130 * access is allowed.
131 * Else denied.
132 *
133 * Determine whether a process may access another, returning 0 if permission
134 * granted, -ve if denied.
135 */
137 {
147 else
155 out:
158 }
160 /**
161 * cap_ptrace_traceme - Determine whether another process may trace the current
162 * @parent: The task proposed to be the tracer
163 *
164 * If parent is in the same or an ancestor user_ns and has all current's
165 * capabilities, then ptrace access is allowed.
166 * If parent has the ptrace capability to current's user_ns, then ptrace
167 * access is allowed.
168 * Else denied.
169 *
170 * Determine whether the nominated task is permitted to trace the current
171 * process, returning 0 if permission is granted, -ve if denied.
172 */
174 {
187 out:
190 }
192 /**
193 * cap_capget - Retrieve a task's capability sets
194 * @target: The task from which to retrieve the capability sets
195 * @effective: The place to record the effective set
196 * @inheritable: The place to record the inheritable set
197 * @permitted: The place to record the permitted set
198 *
199 * This function retrieves the capabilities of the nominated task and returns
200 * them to the caller.
201 */
204 {
207 /* Derived from kernel/capability.c:sys_capget. */
215 }
217 /*
218 * Determine whether the inheritable capabilities are limited to the old
219 * permitted set. Returns 1 if they are limited, 0 if they are not.
220 */
222 {
224 /* they are so limited unless the current task has the CAP_SETPCAP
225 * capability
226 */
231 }
233 /**
234 * cap_capset - Validate and apply proposed changes to current's capabilities
235 * @new: The proposed new credentials; alterations should be made here
236 * @old: The current task's current credentials
237 * @effective: A pointer to the proposed new effective capabilities set
238 * @inheritable: A pointer to the proposed new inheritable capabilities set
239 * @permitted: A pointer to the proposed new permitted capabilities set
240 *
241 * This function validates and applies a proposed mass change to the current
242 * process's capability sets. The changes are made to the proposed new
243 * credentials, and assuming no error, will be committed by the caller of LSM.
244 */
250 {
255 /* incapable of using this inheritable set */
261 /* no new pI capabilities outside bounding set */
264 /* verify restrictions on target's new Permitted set */
268 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
276 /*
277 * Mask off ambient bits that are no longer both permitted and
278 * inheritable.
279 */
286 }
288 /*
289 * Clear proposed capability sets for execve().
290 */
292 {
295 }
297 /**
298 * cap_inode_need_killpriv - Determine if inode change affects privileges
299 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
300 *
301 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
302 * affects the security markings on that inode, and if it is, should
303 * inode_killpriv() be invoked or the change rejected?
304 *
305 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
306 * -ve to deny the change.
307 */
309 {
320 }
322 /**
323 * cap_inode_killpriv - Erase the security markings on an inode
324 * @dentry: The inode/dentry to alter
325 *
326 * Erase the privilege-enhancing security markings on an inode.
327 *
328 * Returns 0 if successful, -ve on error.
329 */
331 {
338 }
340 /*
341 * Calculate the new process capability sets from the capability sets attached
342 * to a file.
343 */
348 {
363 /*
364 * pP' = (X & fP) | (pI & fI)
365 * The addition of pA' is handled later.
366 */
372 /* insufficient to execute correctly */
374 }
376 /*
377 * For legacy apps, with no internal support for recognizing they
378 * do not have enough capabilities, we return an error if they are
379 * missing some "forced" (aka file-permitted) capabilities.
380 */
382 }
384 /*
385 * Extract the on-exec-apply capability sets for an executable file.
386 */
388 {
390 __u32 magic_etc;
401 XATTR_CAPS_SZ);
403 /* no data, that's ok */
426 }
433 }
439 }
441 /*
442 * Attempt to get the on-exec apply capability sets for an executable file from
443 * its xattrs and, if present, apply them to the proposed credentials being
444 * constructed by execve().
445 */
447 {
467 }
474 out:
479 }
481 /**
482 * cap_bprm_set_creds - Set up the proposed credentials for execve().
483 * @bprm: The execution parameters, including the proposed creds
484 *
485 * Set up the proposed credentials for a new execution context being
486 * constructed by execve(). The proposed creds in @bprm->cred is altered,
487 * which won't take effect immediately. Returns 0 if successful, -ve on error.
488 */
490 {
495 kuid_t root_uid;
508 /*
509 * If the legacy file capability is set, then don't set privs
510 * for a setuid root binary run by a non-root user. Do set it
511 * for a root user just to cause least surprise to an admin.
512 */
516 }
517 /*
518 * To support inheritance of root-permissions and suid-root
519 * executables under compatibility mode, we override the
520 * capability sets for the file.
521 *
522 * If only the real uid is 0, we do not set the effective bit.
523 */
525 /* pP' = (cap_bset & ~0) | (pI & ~0) */
528 }
531 }
532 skip:
534 /* if we have fs caps, clear dangerous personality flags */
539 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
540 * credentials unless they have the appropriate permit.
541 *
542 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
543 */
549 /* downgrade; they get no more than they had, and maybe less */
554 }
557 }
562 /* File caps or setid cancels ambient. */
566 /*
567 * Now that we've computed pA', update pP' to give:
568 * pP' = (X & fP) | (pI & fI) | pA'
569 */
572 /*
573 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
574 * this is the same as pE' = (fE ? pP' : 0) | pA'.
575 */
578 else
586 /*
587 * Audit candidate if current->cap_effective is set
588 *
589 * We do not bother to audit if 3 things are true:
590 * 1) cap_effective has all caps
591 * 2) we are root
592 * 3) root is supposed to have all caps (SECURE_NOROOT)
593 * Since this is just a normal root execing a process.
594 *
595 * Number 1 above might fail if you don't have a full bset, but I think
596 * that is interesting information to audit.
597 */
605 }
606 }
614 }
616 /**
617 * cap_bprm_secureexec - Determine whether a secure execution is required
618 * @bprm: The execution parameters
619 *
620 * Determine whether a secure execution is required, return 1 if it is, and 0
621 * if it is not.
622 *
623 * The credentials have been committed by this point, and so are no longer
624 * available through @bprm->cred.
625 */
627 {
636 }
640 }
642 /**
643 * cap_inode_setxattr - Determine whether an xattr may be altered
644 * @dentry: The inode/dentry being altered
645 * @name: The name of the xattr to be changed
646 * @value: The value that the xattr will be changed to
647 * @size: The size of value
648 * @flags: The replacement flag
649 *
650 * Determine whether an xattr may be altered or set on an inode, returning 0 if
651 * permission is granted, -ve if denied.
652 *
653 * This is used to make sure security xattrs don't get updated or set by those
654 * who aren't privileged to do so.
655 */
658 {
663 }
670 }
672 /**
673 * cap_inode_removexattr - Determine whether an xattr may be removed
674 * @dentry: The inode/dentry being altered
675 * @name: The name of the xattr to be changed
676 *
677 * Determine whether an xattr may be removed from an inode, returning 0 if
678 * permission is granted, -ve if denied.
679 *
680 * This is used to make sure security xattrs don't get removed by those who
681 * aren't privileged to remove them.
682 */
684 {
689 }
696 }
698 /*
699 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
700 * a process after a call to setuid, setreuid, or setresuid.
701 *
702 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
703 * {r,e,s}uid != 0, the permitted and effective capabilities are
704 * cleared.
705 *
706 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
707 * capabilities of the process are cleared.
708 *
709 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
710 * capabilities are set to the permitted capabilities.
711 *
712 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
713 * never happen.
714 *
715 * -astor
716 *
717 * cevans - New behaviour, Oct '99
718 * A process may, via prctl(), elect to keep its capabilities when it
719 * calls setuid() and switches away from uid==0. Both permitted and
720 * effective sets will be retained.
721 * Without this change, it was impossible for a daemon to drop only some
722 * of its privilege. The call to setuid(!=0) would drop all privileges!
723 * Keeping uid 0 is not an option because uid 0 owns too many vital
724 * files..
725 * Thanks to Olaf Kirch and Peter Benie for spotting this.
726 */
728 {
740 }
742 /*
743 * Pre-ambient programs expect setresuid to nonroot followed
744 * by exec to drop capabilities. We should make sure that
745 * this remains the case.
746 */
748 }
753 }
755 /**
756 * cap_task_fix_setuid - Fix up the results of setuid() call
757 * @new: The proposed credentials
758 * @old: The current task's current credentials
759 * @flags: Indications of what has changed
760 *
761 * Fix up the results of setuid() call before the credential changes are
762 * actually applied, returning 0 to grant the changes, -ve to deny them.
763 */
765 {
770 /* juggle the capabilities to follow [RES]UID changes unless
771 * otherwise suppressed */
777 /* juggle the capabilties to follow FSUID changes, unless
778 * otherwise suppressed
779 *
780 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
781 * if not, we might be a bit too harsh here.
782 */
793 }
798 }
801 }
803 /*
804 * Rationale: code calling task_setscheduler, task_setioprio, and
805 * task_setnice, assumes that
806 * . if capable(cap_sys_nice), then those actions should be allowed
807 * . if not capable(cap_sys_nice), but acting on your own processes,
808 * then those actions should be allowed
809 * This is insufficient now since you can call code without suid, but
810 * yet with increased caps.
811 * So we check for increased caps on the target process.
812 */
814 {
825 }
827 /**
828 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
829 * @p: The task to affect
830 *
831 * Detemine if the requested scheduler policy change is permitted for the
832 * specified task, returning 0 if permission is granted, -ve if denied.
833 */
835 {
837 }
839 /**
840 * cap_task_ioprio - Detemine if I/O priority change is permitted
841 * @p: The task to affect
842 * @ioprio: The I/O priority to set
843 *
844 * Detemine if the requested I/O priority change is permitted for the specified
845 * task, returning 0 if permission is granted, -ve if denied.
846 */
848 {
850 }
852 /**
853 * cap_task_ioprio - Detemine if task priority change is permitted
854 * @p: The task to affect
855 * @nice: The nice value to set
856 *
857 * Detemine if the requested task priority change is permitted for the
858 * specified task, returning 0 if permission is granted, -ve if denied.
859 */
861 {
863 }
865 /*
866 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
867 * the current task's bounding set. Returns 0 on success, -ve on error.
868 */
870 {
883 }
885 /**
886 * cap_task_prctl - Implement process control functions for this security module
887 * @option: The process control function requested
888 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
889 *
890 * Allow process control functions (sys_prctl()) to alter capabilities; may
891 * also deny access to other functions not otherwise implemented here.
892 *
893 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
894 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
895 * modules will consider performing the function.
896 */
899 {
912 /*
913 * The next four prctl's remain to assist with transitioning a
914 * system from legacy UID=0 based privilege (when filesystem
915 * capabilities are not in use) to a system using filesystem
916 * capabilities only - as the POSIX.1e draft intended.
917 *
918 * Note:
919 *
920 * PR_SET_SECUREBITS =
921 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
922 * | issecure_mask(SECURE_NOROOT)
923 * | issecure_mask(SECURE_NOROOT_LOCKED)
924 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
925 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
926 *
927 * will ensure that the current process and all of its
928 * children will be locked into a pure
929 * capability-based-privilege environment.
930 */
939 /*
940 * [1] no changing of bits that are locked
941 * [2] no unlocking of locks
942 * [3] no setting of unsupported bits
943 * [4] doing anything requires privilege (go read about
944 * the "sendmail capabilities bug")
945 */
946 )
947 /* cannot change a locked bit */
973 else
987 }
1001 arg3) ||
1010 else
1013 }
1016 /* No functionality available - continue with default */
1018 }
1019 }
1021 /**
1022 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1023 * @mm: The VM space in which the new mapping is to be made
1024 * @pages: The size of the mapping
1025 *
1026 * Determine whether the allocation of a new virtual mapping by the current
1027 * task is permitted, returning 1 if permission is granted, 0 if not.
1028 */
1030 {
1037 }
1039 /*
1040 * cap_mmap_addr - check if able to map given addr
1041 * @addr: address attempting to be mapped
1042 *
1043 * If the process is attempting to map memory below dac_mmap_min_addr they need
1044 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
1045 * capability security module. Returns 0 if this mapping should be allowed
1046 * -EPERM if not.
1047 */
1049 {
1054 SECURITY_CAP_AUDIT);
1055 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1058 }
1060 }
1064 {
1066 }
1068 #ifdef CONFIG_SECURITY
1089 };
1092 {
1094 }