release/src-rt-6.x/linux/linux-2.6/security/commoncap.c

   1 /* Common capabilities, needed by capability.o and root_plug.o
   2  *
   3  *      This program is free software; you can redistribute it and/or modify
   4  *      it under the terms of the GNU General Public License as published by
   5  *      the Free Software Foundation; either version 2 of the License, or
   6  *      (at your option) any later version.
   7  *
   8  */
   9
  10 #include <linux/capability.h>
  11 #include <linux/module.h>
  12 #include <linux/init.h>
  13 #include <linux/kernel.h>
  14 #include <linux/security.h>
  15 #include <linux/file.h>
  16 #include <linux/mm.h>
  17 #include <linux/mman.h>
  18 #include <linux/pagemap.h>
  19 #include <linux/swap.h>
  20 #include <linux/skbuff.h>
  21 #include <linux/netlink.h>
  22 #include <linux/ptrace.h>
  23 #include <linux/xattr.h>
  24 #include <linux/hugetlb.h>
  25
  26 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
  27 {
  28         NETLINK_CB(skb).eff_cap = current->cap_effective;
  29         return 0;
  30 }
  31
  32 EXPORT_SYMBOL(cap_netlink_send);
  33
  34 int cap_netlink_recv(struct sk_buff *skb, int cap)
  35 {
  36         if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
  37                 return -EPERM;
  38         return 0;
  39 }
  40
  41 EXPORT_SYMBOL(cap_netlink_recv);
  42
  43 int cap_capable (struct task_struct *tsk, int cap)
  44 {
  45         /* Derived from include/linux/sched.h:capable. */
  46         if (cap_raised(tsk->cap_effective, cap))
  47                 return 0;
  48         return -EPERM;
  49 }
  50
  51 int cap_settime(struct timespec *ts, struct timezone *tz)
  52 {
  53         if (!capable(CAP_SYS_TIME))
  54                 return -EPERM;
  55         return 0;
  56 }
  57
  58 int cap_ptrace (struct task_struct *parent, struct task_struct *child)
  59 {
  60         /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
  61         if (!cap_issubset(child->cap_permitted, parent->cap_permitted) &&
  62             !__capable(parent, CAP_SYS_PTRACE))
  63                 return -EPERM;
  64         return 0;
  65 }
  66
  67 int cap_capget (struct task_struct *target, kernel_cap_t *effective,
  68                 kernel_cap_t *inheritable, kernel_cap_t *permitted)
  69 {
  70         /* Derived from kernel/capability.c:sys_capget. */
  71         *effective = cap_t (target->cap_effective);
  72         *inheritable = cap_t (target->cap_inheritable);
  73         *permitted = cap_t (target->cap_permitted);
  74         return 0;
  75 }
  76
  77 int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
  78                       kernel_cap_t *inheritable, kernel_cap_t *permitted)
  79 {
  80         /* Derived from kernel/capability.c:sys_capset. */
  81         /* verify restrictions on target's new Inheritable set */
  82         if (!cap_issubset (*inheritable,
  83                            cap_combine (target->cap_inheritable,
  84                                         current->cap_permitted))) {
  85                 return -EPERM;
  86         }
  87
  88         /* verify restrictions on target's new Permitted set */
  89         if (!cap_issubset (*permitted,
  90                            cap_combine (target->cap_permitted,
  91                                         current->cap_permitted))) {
  92                 return -EPERM;
  93         }
  94
  95         /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
  96         if (!cap_issubset (*effective, *permitted)) {
  97                 return -EPERM;
  98         }
  99
 100         return 0;
 101 }
 102
 103 void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
 104                      kernel_cap_t *inheritable, kernel_cap_t *permitted)
 105 {
 106         target->cap_effective = *effective;
 107         target->cap_inheritable = *inheritable;
 108         target->cap_permitted = *permitted;
 109 }
 110
 111 int cap_bprm_set_security (struct linux_binprm *bprm)
 112 {
 113         /* Copied from fs/exec.c:prepare_binprm. */
 114
 115         /* We don't have VFS support for capabilities yet */
 116         cap_clear (bprm->cap_inheritable);
 117         cap_clear (bprm->cap_permitted);
 118         cap_clear (bprm->cap_effective);
 119
 120         /*  To support inheritance of root-permissions and suid-root
 121          *  executables under compatibility mode, we raise all three
 122          *  capability sets for the file.
 123          *
 124          *  If only the real uid is 0, we only raise the inheritable
 125          *  and permitted sets of the executable file.
 126          */
 127
 128         if (!issecure (SECURE_NOROOT)) {
 129                 if (bprm->e_uid == 0 || current->uid == 0) {
 130                         cap_set_full (bprm->cap_inheritable);
 131                         cap_set_full (bprm->cap_permitted);
 132                 }
 133                 if (bprm->e_uid == 0)
 134                         cap_set_full (bprm->cap_effective);
 135         }
 136         return 0;
 137 }
 138
 139 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 140 {
 141         /* Derived from fs/exec.c:compute_creds. */
 142         kernel_cap_t new_permitted, working;
 143
 144         new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
 145         working = cap_intersect (bprm->cap_inheritable,
 146                                  current->cap_inheritable);
 147         new_permitted = cap_combine (new_permitted, working);
 148
 149         if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
 150             !cap_issubset (new_permitted, current->cap_permitted)) {
 151                 current->mm->dumpable = suid_dumpable;
 152
 153                 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 154                         if (!capable(CAP_SETUID)) {
 155                                 bprm->e_uid = current->uid;
 156                                 bprm->e_gid = current->gid;
 157                         }
 158                         if (!capable (CAP_SETPCAP)) {
 159                                 new_permitted = cap_intersect (new_permitted,
 160                                                         current->cap_permitted);
 161                         }
 162                 }
 163         }
 164
 165         current->suid = current->euid = current->fsuid = bprm->e_uid;
 166         current->sgid = current->egid = current->fsgid = bprm->e_gid;
 167
 168         /* For init, we want to retain the capabilities set
 169          * in the init_task struct. Thus we skip the usual
 170          * capability rules */
 171         if (!is_init(current)) {
 172                 current->cap_permitted = new_permitted;
 173                 current->cap_effective =
 174                     cap_intersect (new_permitted, bprm->cap_effective);
 175         }
 176
 177         /* AUD: Audit candidate if current->cap_effective is set */
 178
 179         current->keep_capabilities = 0;
 180 }
 181
 182 int cap_bprm_secureexec (struct linux_binprm *bprm)
 183 {
 184         /* If/when this module is enhanced to incorporate capability
 185            bits on files, the test below should be extended to also perform a
 186            test between the old and new capability sets.  For now,
 187            it simply preserves the legacy decision algorithm used by
 188            the old userland. */
 189         return (current->euid != current->uid ||
 190                 current->egid != current->gid);
 191 }
 192
 193 int cap_inode_setxattr(struct dentry *dentry, char *name, void *value,
 194                        size_t size, int flags)
 195 {
 196         if (!strncmp(name, XATTR_SECURITY_PREFIX,
 197                      sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
 198             !capable(CAP_SYS_ADMIN))
 199                 return -EPERM;
 200         return 0;
 201 }
 202
 203 int cap_inode_removexattr(struct dentry *dentry, char *name)
 204 {
 205         if (!strncmp(name, XATTR_SECURITY_PREFIX,
 206                      sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
 207             !capable(CAP_SYS_ADMIN))
 208                 return -EPERM;
 209         return 0;
 210 }
 211
 212 /* moved from kernel/sys.c. */
 213 /*
 214  * cap_emulate_setxuid() fixes the effective / permitted capabilities of
 215  * a process after a call to setuid, setreuid, or setresuid.
 216  *
 217  *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
 218  *  {r,e,s}uid != 0, the permitted and effective capabilities are
 219  *  cleared.
 220  *
 221  *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
 222  *  capabilities of the process are cleared.
 223  *
 224  *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
 225  *  capabilities are set to the permitted capabilities.
 226  *
 227  *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
 228  *  never happen.
 229  *
 230  *  -astor
 231  *
 232  * cevans - New behaviour, Oct '99
 233  * A process may, via prctl(), elect to keep its capabilities when it
 234  * calls setuid() and switches away from uid==0. Both permitted and
 235  * effective sets will be retained.
 236  * Without this change, it was impossible for a daemon to drop only some
 237  * of its privilege. The call to setuid(!=0) would drop all privileges!
 238  * Keeping uid 0 is not an option because uid 0 owns too many vital
 239  * files..
 240  * Thanks to Olaf Kirch and Peter Benie for spotting this.
 241  */
 242 static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
 243                                         int old_suid)
 244 {
 245         if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) &&
 246             (current->uid != 0 && current->euid != 0 && current->suid != 0) &&
 247             !current->keep_capabilities) {
 248                 cap_clear (current->cap_permitted);
 249                 cap_clear (current->cap_effective);
 250         }
 251         if (old_euid == 0 && current->euid != 0) {
 252                 cap_clear (current->cap_effective);
 253         }
 254         if (old_euid != 0 && current->euid == 0) {
 255                 current->cap_effective = current->cap_permitted;
 256         }
 257 }
 258
 259 int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
 260                           int flags)
 261 {
 262         switch (flags) {
 263         case LSM_SETID_RE:
 264         case LSM_SETID_ID:
 265         case LSM_SETID_RES:
 266                 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */
 267                 if (!issecure (SECURE_NO_SETUID_FIXUP)) {
 268                         cap_emulate_setxuid (old_ruid, old_euid, old_suid);
 269                 }
 270                 break;
 271         case LSM_SETID_FS:
 272                 {
 273                         uid_t old_fsuid = old_ruid;
 274
 275                         /* Copied from kernel/sys.c:setfsuid. */
 276
 277                         /*
 278                          * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
 279                          *          if not, we might be a bit too harsh here.
 280                          */
 281
 282                         if (!issecure (SECURE_NO_SETUID_FIXUP)) {
 283                                 if (old_fsuid == 0 && current->fsuid != 0) {
 284                                         cap_t (current->cap_effective) &=
 285                                             ~CAP_FS_MASK;
 286                                 }
 287                                 if (old_fsuid != 0 && current->fsuid == 0) {
 288                                         cap_t (current->cap_effective) |=
 289                                             (cap_t (current->cap_permitted) &
 290                                              CAP_FS_MASK);
 291                                 }
 292                         }
 293                         break;
 294                 }
 295         default:
 296                 return -EINVAL;
 297         }
 298
 299         return 0;
 300 }
 301
 302 void cap_task_reparent_to_init (struct task_struct *p)
 303 {
 304         p->cap_effective = CAP_INIT_EFF_SET;
 305         p->cap_inheritable = CAP_INIT_INH_SET;
 306         p->cap_permitted = CAP_FULL_SET;
 307         p->keep_capabilities = 0;
 308         return;
 309 }
 310
 311 int cap_syslog (int type)
 312 {
 313         if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
 314                 return -EPERM;
 315         return 0;
 316 }
 317
 318 int cap_vm_enough_memory(struct mm_struct *mm, long pages)
 319 {
 320         int cap_sys_admin = 0;
 321
 322         if (cap_capable(current, CAP_SYS_ADMIN) == 0)
 323                 cap_sys_admin = 1;
 324         return __vm_enough_memory(mm, pages, cap_sys_admin);
 325 }
 326
 327 EXPORT_SYMBOL(cap_capable);
 328 EXPORT_SYMBOL(cap_settime);
 329 EXPORT_SYMBOL(cap_ptrace);
 330 EXPORT_SYMBOL(cap_capget);
 331 EXPORT_SYMBOL(cap_capset_check);
 332 EXPORT_SYMBOL(cap_capset_set);
 333 EXPORT_SYMBOL(cap_bprm_set_security);
 334 EXPORT_SYMBOL(cap_bprm_apply_creds);
 335 EXPORT_SYMBOL(cap_bprm_secureexec);
 336 EXPORT_SYMBOL(cap_inode_setxattr);
 337 EXPORT_SYMBOL(cap_inode_removexattr);
 338 EXPORT_SYMBOL(cap_task_post_setuid);
 339 EXPORT_SYMBOL(cap_task_reparent_to_init);
 340 EXPORT_SYMBOL(cap_syslog);
 341 EXPORT_SYMBOL(cap_vm_enough_memory);
 342
 343 MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module");
 344 MODULE_LICENSE("GPL");