1 /* Common capabilities, needed by capability.o and root_plug.o
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
10 #include <linux/capability.h>
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/kernel.h>
14 #include <linux/security.h>
15 #include <linux/file.h>
17 #include <linux/mman.h>
18 #include <linux/pagemap.h>
19 #include <linux/swap.h>
20 #include <linux/skbuff.h>
21 #include <linux/netlink.h>
22 #include <linux/ptrace.h>
23 #include <linux/xattr.h>
24 #include <linux/hugetlb.h>
26 int cap_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
28 NETLINK_CB(skb
).eff_cap
= current
->cap_effective
;
32 EXPORT_SYMBOL(cap_netlink_send
);
34 int cap_netlink_recv(struct sk_buff
*skb
, int cap
)
36 if (!cap_raised(NETLINK_CB(skb
).eff_cap
, cap
))
41 EXPORT_SYMBOL(cap_netlink_recv
);
43 int cap_capable (struct task_struct
*tsk
, int cap
)
45 /* Derived from include/linux/sched.h:capable. */
46 if (cap_raised(tsk
->cap_effective
, cap
))
51 int cap_settime(struct timespec
*ts
, struct timezone
*tz
)
53 if (!capable(CAP_SYS_TIME
))
58 int cap_ptrace (struct task_struct
*parent
, struct task_struct
*child
)
60 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
61 if (!cap_issubset(child
->cap_permitted
, parent
->cap_permitted
) &&
62 !__capable(parent
, CAP_SYS_PTRACE
))
67 int cap_capget (struct task_struct
*target
, kernel_cap_t
*effective
,
68 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
70 /* Derived from kernel/capability.c:sys_capget. */
71 *effective
= cap_t (target
->cap_effective
);
72 *inheritable
= cap_t (target
->cap_inheritable
);
73 *permitted
= cap_t (target
->cap_permitted
);
77 int cap_capset_check (struct task_struct
*target
, kernel_cap_t
*effective
,
78 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
80 /* Derived from kernel/capability.c:sys_capset. */
81 /* verify restrictions on target's new Inheritable set */
82 if (!cap_issubset (*inheritable
,
83 cap_combine (target
->cap_inheritable
,
84 current
->cap_permitted
))) {
88 /* verify restrictions on target's new Permitted set */
89 if (!cap_issubset (*permitted
,
90 cap_combine (target
->cap_permitted
,
91 current
->cap_permitted
))) {
95 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
96 if (!cap_issubset (*effective
, *permitted
)) {
103 void cap_capset_set (struct task_struct
*target
, kernel_cap_t
*effective
,
104 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
106 target
->cap_effective
= *effective
;
107 target
->cap_inheritable
= *inheritable
;
108 target
->cap_permitted
= *permitted
;
111 int cap_bprm_set_security (struct linux_binprm
*bprm
)
113 /* Copied from fs/exec.c:prepare_binprm. */
115 /* We don't have VFS support for capabilities yet */
116 cap_clear (bprm
->cap_inheritable
);
117 cap_clear (bprm
->cap_permitted
);
118 cap_clear (bprm
->cap_effective
);
120 /* To support inheritance of root-permissions and suid-root
121 * executables under compatibility mode, we raise all three
122 * capability sets for the file.
124 * If only the real uid is 0, we only raise the inheritable
125 * and permitted sets of the executable file.
128 if (!issecure (SECURE_NOROOT
)) {
129 if (bprm
->e_uid
== 0 || current
->uid
== 0) {
130 cap_set_full (bprm
->cap_inheritable
);
131 cap_set_full (bprm
->cap_permitted
);
133 if (bprm
->e_uid
== 0)
134 cap_set_full (bprm
->cap_effective
);
139 void cap_bprm_apply_creds (struct linux_binprm
*bprm
, int unsafe
)
141 /* Derived from fs/exec.c:compute_creds. */
142 kernel_cap_t new_permitted
, working
;
144 new_permitted
= cap_intersect (bprm
->cap_permitted
, cap_bset
);
145 working
= cap_intersect (bprm
->cap_inheritable
,
146 current
->cap_inheritable
);
147 new_permitted
= cap_combine (new_permitted
, working
);
149 if (bprm
->e_uid
!= current
->uid
|| bprm
->e_gid
!= current
->gid
||
150 !cap_issubset (new_permitted
, current
->cap_permitted
)) {
151 set_dumpable(current
->mm
, suid_dumpable
);
153 if (unsafe
& ~LSM_UNSAFE_PTRACE_CAP
) {
154 if (!capable(CAP_SETUID
)) {
155 bprm
->e_uid
= current
->uid
;
156 bprm
->e_gid
= current
->gid
;
158 if (!capable (CAP_SETPCAP
)) {
159 new_permitted
= cap_intersect (new_permitted
,
160 current
->cap_permitted
);
165 current
->suid
= current
->euid
= current
->fsuid
= bprm
->e_uid
;
166 current
->sgid
= current
->egid
= current
->fsgid
= bprm
->e_gid
;
168 /* For init, we want to retain the capabilities set
169 * in the init_task struct. Thus we skip the usual
170 * capability rules */
171 if (!is_init(current
)) {
172 current
->cap_permitted
= new_permitted
;
173 current
->cap_effective
=
174 cap_intersect (new_permitted
, bprm
->cap_effective
);
177 /* AUD: Audit candidate if current->cap_effective is set */
179 current
->keep_capabilities
= 0;
182 int cap_bprm_secureexec (struct linux_binprm
*bprm
)
184 /* If/when this module is enhanced to incorporate capability
185 bits on files, the test below should be extended to also perform a
186 test between the old and new capability sets. For now,
187 it simply preserves the legacy decision algorithm used by
189 return (current
->euid
!= current
->uid
||
190 current
->egid
!= current
->gid
);
193 int cap_inode_setxattr(struct dentry
*dentry
, char *name
, void *value
,
194 size_t size
, int flags
)
196 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
197 sizeof(XATTR_SECURITY_PREFIX
) - 1) &&
198 !capable(CAP_SYS_ADMIN
))
203 int cap_inode_removexattr(struct dentry
*dentry
, char *name
)
205 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
206 sizeof(XATTR_SECURITY_PREFIX
) - 1) &&
207 !capable(CAP_SYS_ADMIN
))
212 /* moved from kernel/sys.c. */
214 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
215 * a process after a call to setuid, setreuid, or setresuid.
217 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
218 * {r,e,s}uid != 0, the permitted and effective capabilities are
221 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
222 * capabilities of the process are cleared.
224 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
225 * capabilities are set to the permitted capabilities.
227 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
232 * cevans - New behaviour, Oct '99
233 * A process may, via prctl(), elect to keep its capabilities when it
234 * calls setuid() and switches away from uid==0. Both permitted and
235 * effective sets will be retained.
236 * Without this change, it was impossible for a daemon to drop only some
237 * of its privilege. The call to setuid(!=0) would drop all privileges!
238 * Keeping uid 0 is not an option because uid 0 owns too many vital
240 * Thanks to Olaf Kirch and Peter Benie for spotting this.
242 static inline void cap_emulate_setxuid (int old_ruid
, int old_euid
,
245 if ((old_ruid
== 0 || old_euid
== 0 || old_suid
== 0) &&
246 (current
->uid
!= 0 && current
->euid
!= 0 && current
->suid
!= 0) &&
247 !current
->keep_capabilities
) {
248 cap_clear (current
->cap_permitted
);
249 cap_clear (current
->cap_effective
);
251 if (old_euid
== 0 && current
->euid
!= 0) {
252 cap_clear (current
->cap_effective
);
254 if (old_euid
!= 0 && current
->euid
== 0) {
255 current
->cap_effective
= current
->cap_permitted
;
259 int cap_task_post_setuid (uid_t old_ruid
, uid_t old_euid
, uid_t old_suid
,
266 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */
267 if (!issecure (SECURE_NO_SETUID_FIXUP
)) {
268 cap_emulate_setxuid (old_ruid
, old_euid
, old_suid
);
273 uid_t old_fsuid
= old_ruid
;
275 /* Copied from kernel/sys.c:setfsuid. */
278 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
279 * if not, we might be a bit too harsh here.
282 if (!issecure (SECURE_NO_SETUID_FIXUP
)) {
283 if (old_fsuid
== 0 && current
->fsuid
!= 0) {
284 cap_t (current
->cap_effective
) &=
287 if (old_fsuid
!= 0 && current
->fsuid
== 0) {
288 cap_t (current
->cap_effective
) |=
289 (cap_t (current
->cap_permitted
) &
302 void cap_task_reparent_to_init (struct task_struct
*p
)
304 p
->cap_effective
= CAP_INIT_EFF_SET
;
305 p
->cap_inheritable
= CAP_INIT_INH_SET
;
306 p
->cap_permitted
= CAP_FULL_SET
;
307 p
->keep_capabilities
= 0;
311 int cap_syslog (int type
)
313 if ((type
!= 3 && type
!= 10) && !capable(CAP_SYS_ADMIN
))
318 int cap_vm_enough_memory(struct mm_struct
*mm
, long pages
)
320 int cap_sys_admin
= 0;
322 if (cap_capable(current
, CAP_SYS_ADMIN
) == 0)
324 return __vm_enough_memory(mm
, pages
, cap_sys_admin
);
327 EXPORT_SYMBOL(cap_capable
);
328 EXPORT_SYMBOL(cap_settime
);
329 EXPORT_SYMBOL(cap_ptrace
);
330 EXPORT_SYMBOL(cap_capget
);
331 EXPORT_SYMBOL(cap_capset_check
);
332 EXPORT_SYMBOL(cap_capset_set
);
333 EXPORT_SYMBOL(cap_bprm_set_security
);
334 EXPORT_SYMBOL(cap_bprm_apply_creds
);
335 EXPORT_SYMBOL(cap_bprm_secureexec
);
336 EXPORT_SYMBOL(cap_inode_setxattr
);
337 EXPORT_SYMBOL(cap_inode_removexattr
);
338 EXPORT_SYMBOL(cap_task_post_setuid
);
339 EXPORT_SYMBOL(cap_task_reparent_to_init
);
340 EXPORT_SYMBOL(cap_syslog
);
341 EXPORT_SYMBOL(cap_vm_enough_memory
);
343 MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module");
344 MODULE_LICENSE("GPL");