2 * linux/kernel/capability.c
4 * Copyright (C) 1997 Andrew Main <zefram@fysh.org>
6 * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
7 * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
10 #include <linux/capability.h>
12 #include <linux/module.h>
13 #include <linux/security.h>
14 #include <linux/syscalls.h>
15 #include <linux/pid_namespace.h>
16 #include <asm/uaccess.h>
19 * This lock protects task->cap_* for all tasks including current.
20 * Locking rule: acquire this prior to tasklist_lock.
22 static DEFINE_SPINLOCK(task_capability_lock
);
25 * Leveraged for setting/resetting capabilities
28 const kernel_cap_t __cap_empty_set
= CAP_EMPTY_SET
;
29 const kernel_cap_t __cap_full_set
= CAP_FULL_SET
;
30 const kernel_cap_t __cap_init_eff_set
= CAP_INIT_EFF_SET
;
32 EXPORT_SYMBOL(__cap_empty_set
);
33 EXPORT_SYMBOL(__cap_full_set
);
34 EXPORT_SYMBOL(__cap_init_eff_set
);
37 * More recent versions of libcap are available from:
39 * http://www.kernel.org/pub/linux/libs/security/linux-privs/
42 static void warn_legacy_capability_use(void)
46 char name
[sizeof(current
->comm
)];
48 printk(KERN_INFO
"warning: `%s' uses 32-bit capabilities"
49 " (legacy support in use)\n",
50 get_task_comm(name
, current
));
56 * Version 2 capabilities worked fine, but the linux/capability.h file
57 * that accompanied their introduction encouraged their use without
58 * the necessary user-space source code changes. As such, we have
59 * created a version 3 with equivalent functionality to version 2, but
60 * with a header change to protect legacy source code from using
61 * version 2 when it wanted to use version 1. If your system has code
62 * that trips the following warning, it is using version 2 specific
63 * capabilities and may be doing so insecurely.
65 * The remedy is to either upgrade your version of libcap (to 2.10+,
66 * if the application is linked against it), or recompile your
67 * application with modern kernel headers and this warning will go
71 static void warn_deprecated_v2(void)
76 char name
[sizeof(current
->comm
)];
78 printk(KERN_INFO
"warning: `%s' uses deprecated v2"
79 " capabilities in a way that may be insecure.\n",
80 get_task_comm(name
, current
));
86 * Version check. Return the number of u32s in each capability flag
87 * array, or a negative value on error.
89 static int cap_validate_magic(cap_user_header_t header
, unsigned *tocopy
)
93 if (get_user(version
, &header
->version
))
97 case _LINUX_CAPABILITY_VERSION_1
:
98 warn_legacy_capability_use();
99 *tocopy
= _LINUX_CAPABILITY_U32S_1
;
101 case _LINUX_CAPABILITY_VERSION_2
:
102 warn_deprecated_v2();
104 * fall through - v3 is otherwise equivalent to v2.
106 case _LINUX_CAPABILITY_VERSION_3
:
107 *tocopy
= _LINUX_CAPABILITY_U32S_3
;
110 if (put_user((u32
)_KERNEL_CAPABILITY_VERSION
, &header
->version
))
118 #ifndef CONFIG_SECURITY_FILE_CAPABILITIES
121 * Without filesystem capability support, we nominally support one process
122 * setting the capabilities of another
124 static inline int cap_get_target_pid(pid_t pid
, kernel_cap_t
*pEp
,
125 kernel_cap_t
*pIp
, kernel_cap_t
*pPp
)
127 struct task_struct
*target
;
130 spin_lock(&task_capability_lock
);
131 read_lock(&tasklist_lock
);
133 if (pid
&& pid
!= task_pid_vnr(current
)) {
134 target
= find_task_by_vpid(pid
);
142 ret
= security_capget(target
, pEp
, pIp
, pPp
);
145 read_unlock(&tasklist_lock
);
146 spin_unlock(&task_capability_lock
);
152 * cap_set_pg - set capabilities for all processes in a given process
153 * group. We call this holding task_capability_lock and tasklist_lock.
155 static inline int cap_set_pg(int pgrp_nr
, kernel_cap_t
*effective
,
156 kernel_cap_t
*inheritable
,
157 kernel_cap_t
*permitted
)
159 struct task_struct
*g
, *target
;
164 spin_lock(&task_capability_lock
);
165 read_lock(&tasklist_lock
);
167 pgrp
= find_vpid(pgrp_nr
);
168 do_each_pid_task(pgrp
, PIDTYPE_PGID
, g
) {
170 while_each_thread(g
, target
) {
171 if (!security_capset_check(target
, effective
,
172 inheritable
, permitted
)) {
173 security_capset_set(target
, effective
,
174 inheritable
, permitted
);
179 } while_each_pid_task(pgrp
, PIDTYPE_PGID
, g
);
181 read_unlock(&tasklist_lock
);
182 spin_unlock(&task_capability_lock
);
190 * cap_set_all - set capabilities for all processes other than init
191 * and self. We call this holding task_capability_lock and tasklist_lock.
193 static inline int cap_set_all(kernel_cap_t
*effective
,
194 kernel_cap_t
*inheritable
,
195 kernel_cap_t
*permitted
)
197 struct task_struct
*g
, *target
;
201 spin_lock(&task_capability_lock
);
202 read_lock(&tasklist_lock
);
204 do_each_thread(g
, target
) {
205 if (target
== current
206 || is_container_init(target
->group_leader
))
209 if (security_capset_check(target
, effective
, inheritable
,
213 security_capset_set(target
, effective
, inheritable
, permitted
);
214 } while_each_thread(g
, target
);
216 read_unlock(&tasklist_lock
);
217 spin_unlock(&task_capability_lock
);
226 * Given the target pid does not refer to the current process we
227 * need more elaborate support... (This support is not present when
228 * filesystem capabilities are configured.)
230 static inline int do_sys_capset_other_tasks(pid_t pid
, kernel_cap_t
*effective
,
231 kernel_cap_t
*inheritable
,
232 kernel_cap_t
*permitted
)
234 struct task_struct
*target
;
237 if (!capable(CAP_SETPCAP
))
240 if (pid
== -1) /* all procs other than current and init */
241 return cap_set_all(effective
, inheritable
, permitted
);
243 else if (pid
< 0) /* all procs in process group */
244 return cap_set_pg(-pid
, effective
, inheritable
, permitted
);
246 /* target != current */
247 spin_lock(&task_capability_lock
);
248 read_lock(&tasklist_lock
);
250 target
= find_task_by_vpid(pid
);
254 ret
= security_capset_check(target
, effective
, inheritable
,
257 /* having verified that the proposed changes are legal,
258 we now put them into effect. */
260 security_capset_set(target
, effective
, inheritable
,
264 read_unlock(&tasklist_lock
);
265 spin_unlock(&task_capability_lock
);
270 #else /* ie., def CONFIG_SECURITY_FILE_CAPABILITIES */
273 * If we have configured with filesystem capability support, then the
274 * only thing that can change the capabilities of the current process
275 * is the current process. As such, we can't be in this code at the
276 * same time as we are in the process of setting capabilities in this
277 * process. The net result is that we can limit our use of locks to
278 * when we are reading the caps of another process.
280 static inline int cap_get_target_pid(pid_t pid
, kernel_cap_t
*pEp
,
281 kernel_cap_t
*pIp
, kernel_cap_t
*pPp
)
285 if (pid
&& (pid
!= task_pid_vnr(current
))) {
286 struct task_struct
*target
;
288 spin_lock(&task_capability_lock
);
289 read_lock(&tasklist_lock
);
291 target
= find_task_by_vpid(pid
);
295 ret
= security_capget(target
, pEp
, pIp
, pPp
);
297 read_unlock(&tasklist_lock
);
298 spin_unlock(&task_capability_lock
);
300 ret
= security_capget(current
, pEp
, pIp
, pPp
);
306 * With filesystem capability support configured, the kernel does not
307 * permit the changing of capabilities in one process by another
308 * process. (CAP_SETPCAP has much less broad semantics when configured
311 static inline int do_sys_capset_other_tasks(pid_t pid
,
312 kernel_cap_t
*effective
,
313 kernel_cap_t
*inheritable
,
314 kernel_cap_t
*permitted
)
319 #endif /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
322 * Atomically modify the effective capabilities returning the original
323 * value. No permission check is performed here - it is assumed that the
324 * caller is permitted to set the desired effective capabilities.
326 kernel_cap_t
cap_set_effective(const kernel_cap_t pE_new
)
330 spin_lock(&task_capability_lock
);
332 pE_old
= current
->cap_effective
;
333 current
->cap_effective
= pE_new
;
335 spin_unlock(&task_capability_lock
);
340 EXPORT_SYMBOL(cap_set_effective
);
343 * sys_capget - get the capabilities of a given process.
344 * @header: pointer to struct that contains capability version and
346 * @dataptr: pointer to struct that contains the effective, permitted,
347 * and inheritable capabilities that are returned
349 * Returns 0 on success and < 0 on error.
351 asmlinkage
long sys_capget(cap_user_header_t header
, cap_user_data_t dataptr
)
356 kernel_cap_t pE
, pI
, pP
;
358 ret
= cap_validate_magic(header
, &tocopy
);
362 if (get_user(pid
, &header
->pid
))
368 ret
= cap_get_target_pid(pid
, &pE
, &pI
, &pP
);
371 struct __user_cap_data_struct kdata
[_KERNEL_CAPABILITY_U32S
];
374 for (i
= 0; i
< tocopy
; i
++) {
375 kdata
[i
].effective
= pE
.cap
[i
];
376 kdata
[i
].permitted
= pP
.cap
[i
];
377 kdata
[i
].inheritable
= pI
.cap
[i
];
381 * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
382 * we silently drop the upper capabilities here. This
383 * has the effect of making older libcap
384 * implementations implicitly drop upper capability
385 * bits when they perform a: capget/modify/capset
388 * This behavior is considered fail-safe
389 * behavior. Upgrading the application to a newer
390 * version of libcap will enable access to the newer
393 * An alternative would be to return an error here
394 * (-ERANGE), but that causes legacy applications to
395 * unexpectidly fail; the capget/modify/capset aborts
396 * before modification is attempted and the application
399 if (copy_to_user(dataptr
, kdata
, tocopy
400 * sizeof(struct __user_cap_data_struct
))) {
409 * sys_capset - set capabilities for a process or (*) a group of processes
410 * @header: pointer to struct that contains capability version and
412 * @data: pointer to struct that contains the effective, permitted,
413 * and inheritable capabilities
415 * Set capabilities for a given process, all processes, or all
416 * processes in a given process group.
418 * The restrictions on setting capabilities are specified as:
420 * [pid is for the 'target' task. 'current' is the calling task.]
422 * I: any raised capabilities must be a subset of the (old current) permitted
423 * P: any raised capabilities must be a subset of the (old current) permitted
424 * E: must be set to a subset of (new target) permitted
426 * Returns 0 on success and < 0 on error.
428 asmlinkage
long sys_capset(cap_user_header_t header
, const cap_user_data_t data
)
430 struct __user_cap_data_struct kdata
[_KERNEL_CAPABILITY_U32S
];
432 kernel_cap_t inheritable
, permitted
, effective
;
436 ret
= cap_validate_magic(header
, &tocopy
);
440 if (get_user(pid
, &header
->pid
))
443 if (copy_from_user(&kdata
, data
, tocopy
444 * sizeof(struct __user_cap_data_struct
))) {
448 for (i
= 0; i
< tocopy
; i
++) {
449 effective
.cap
[i
] = kdata
[i
].effective
;
450 permitted
.cap
[i
] = kdata
[i
].permitted
;
451 inheritable
.cap
[i
] = kdata
[i
].inheritable
;
453 while (i
< _KERNEL_CAPABILITY_U32S
) {
454 effective
.cap
[i
] = 0;
455 permitted
.cap
[i
] = 0;
456 inheritable
.cap
[i
] = 0;
460 if (pid
&& (pid
!= task_pid_vnr(current
)))
461 ret
= do_sys_capset_other_tasks(pid
, &effective
, &inheritable
,
465 * This lock is required even when filesystem
466 * capability support is configured - it protects the
467 * sys_capget() call from returning incorrect data in
468 * the case that the targeted process is not the
471 spin_lock(&task_capability_lock
);
473 ret
= security_capset_check(current
, &effective
, &inheritable
,
476 * Having verified that the proposed changes are
477 * legal, we now put them into effect.
480 security_capset_set(current
, &effective
, &inheritable
,
482 spin_unlock(&task_capability_lock
);
489 int __capable(struct task_struct
*t
, int cap
)
491 if (security_capable(t
, cap
) == 0) {
492 t
->flags
|= PF_SUPERPRIV
;
500 return __capable(current
, cap
);
502 EXPORT_SYMBOL(capable
);