| blob | 43c18254d9c70ab2be1ec2126710b7ce5e71b615 |
1 /* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */
10 #include <linux/capability.h>
11 #include <linux/audit.h>
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/kernel.h>
15 #include <linux/security.h>
16 #include <linux/file.h>
17 #include <linux/mm.h>
18 #include <linux/mman.h>
19 #include <linux/pagemap.h>
20 #include <linux/swap.h>
21 #include <linux/skbuff.h>
22 #include <linux/netlink.h>
23 #include <linux/ptrace.h>
24 #include <linux/xattr.h>
25 #include <linux/hugetlb.h>
26 #include <linux/mount.h>
27 #include <linux/sched.h>
28 #include <linux/prctl.h>
29 #include <linux/securebits.h>
30 #include <linux/syslog.h>
32 /*
33 * If a non-root user executes a setuid-root binary in
34 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
35 * However if fE is also set, then the intent is for only
36 * the file capabilities to be applied, and the setuid-root
37 * bit is left on either to change the uid (plausible) or
38 * to get full privilege on a kernel without file capabilities
39 * support. So in that case we do not raise capabilities.
40 *
41 * Warn if that happens, once per boot.
42 */
44 {
48 " effective capabilities. Therefore not raising all"
51 }
52 }
55 {
58 }
61 {
65 }
68 /**
69 * cap_capable - Determine whether a task has a particular effective capability
70 * @tsk: The task to query
71 * @cred: The credentials to use
72 * @cap: The capability to check for
73 * @audit: Whether to write an audit message or not
74 *
75 * Determine whether the nominated task has the specified capability amongst
76 * its effective set, returning 0 if it does, -ve if it does not.
77 *
78 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
79 * and has_capability() functions. That is, it has the reverse semantics:
80 * cap_has_capability() returns 0 when a task has a capability, but the
81 * kernel's capable() and has_capability() returns 1 for this case.
82 */
85 {
87 }
89 /**
90 * cap_settime - Determine whether the current process may set the system clock
91 * @ts: The time to set
92 * @tz: The timezone to set
93 *
94 * Determine whether the current process may set the system clock and timezone
95 * information, returning 0 if permission granted, -ve if denied.
96 */
98 {
102 }
104 /**
105 * cap_ptrace_access_check - Determine whether the current process may access
106 * another
107 * @child: The process to be accessed
108 * @mode: The mode of attachment.
109 *
110 * Determine whether a process may access another, returning 0 if permission
111 * granted, -ve if denied.
112 */
114 {
124 }
126 /**
127 * cap_ptrace_traceme - Determine whether another process may trace the current
128 * @parent: The task proposed to be the tracer
129 *
130 * Determine whether the nominated task is permitted to trace the current
131 * process, returning 0 if permission is granted, -ve if denied.
132 */
134 {
144 }
146 /**
147 * cap_capget - Retrieve a task's capability sets
148 * @target: The task from which to retrieve the capability sets
149 * @effective: The place to record the effective set
150 * @inheritable: The place to record the inheritable set
151 * @permitted: The place to record the permitted set
152 *
153 * This function retrieves the capabilities of the nominated task and returns
154 * them to the caller.
155 */
158 {
161 /* Derived from kernel/capability.c:sys_capget. */
169 }
171 /*
172 * Determine whether the inheritable capabilities are limited to the old
173 * permitted set. Returns 1 if they are limited, 0 if they are not.
174 */
176 {
178 /* they are so limited unless the current task has the CAP_SETPCAP
179 * capability
180 */
185 }
187 /**
188 * cap_capset - Validate and apply proposed changes to current's capabilities
189 * @new: The proposed new credentials; alterations should be made here
190 * @old: The current task's current credentials
191 * @effective: A pointer to the proposed new effective capabilities set
192 * @inheritable: A pointer to the proposed new inheritable capabilities set
193 * @permitted: A pointer to the proposed new permitted capabilities set
194 *
195 * This function validates and applies a proposed mass change to the current
196 * process's capability sets. The changes are made to the proposed new
197 * credentials, and assuming no error, will be committed by the caller of LSM.
198 */
204 {
209 /* incapable of using this inheritable set */
215 /* no new pI capabilities outside bounding set */
218 /* verify restrictions on target's new Permitted set */
222 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
230 }
232 /*
233 * Clear proposed capability sets for execve().
234 */
236 {
239 }
241 /**
242 * cap_inode_need_killpriv - Determine if inode change affects privileges
243 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
244 *
245 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
246 * affects the security markings on that inode, and if it is, should
247 * inode_killpriv() be invoked or the change rejected?
248 *
249 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and
250 * -ve to deny the change.
251 */
253 {
264 }
266 /**
267 * cap_inode_killpriv - Erase the security markings on an inode
268 * @dentry: The inode/dentry to alter
269 *
270 * Erase the privilege-enhancing security markings on an inode.
271 *
272 * Returns 0 if successful, -ve on error.
273 */
275 {
282 }
284 /*
285 * Calculate the new process capability sets from the capability sets attached
286 * to a file.
287 */
291 {
303 /*
304 * pP' = (X & fP) | (pI & fI)
305 */
311 /* insufficient to execute correctly */
313 }
315 /*
316 * For legacy apps, with no internal support for recognizing they
317 * do not have enough capabilities, we return an error if they are
318 * missing some "forced" (aka file-permitted) capabilities.
319 */
321 }
323 /*
324 * Extract the on-exec-apply capability sets for an executable file.
325 */
327 {
329 __u32 magic_etc;
340 XATTR_CAPS_SZ);
342 /* no data, that's ok */
365 }
372 }
375 }
377 /*
378 * Attempt to get the on-exec apply capability sets for an executable file from
379 * its xattrs and, if present, apply them to the proposed credentials being
380 * constructed by execve().
381 */
383 {
406 }
413 out:
419 }
421 /**
422 * cap_bprm_set_creds - Set up the proposed credentials for execve().
423 * @bprm: The execution parameters, including the proposed creds
424 *
425 * Set up the proposed credentials for a new execution context being
426 * constructed by execve(). The proposed creds in @bprm->cred is altered,
427 * which won't take effect immediately. Returns 0 if successful, -ve on error.
428 */
430 {
442 /*
443 * If the legacy file capability is set, then don't set privs
444 * for a setuid root binary run by a non-root user. Do set it
445 * for a root user just to cause least surprise to an admin.
446 */
450 }
451 /*
452 * To support inheritance of root-permissions and suid-root
453 * executables under compatibility mode, we override the
454 * capability sets for the file.
455 *
456 * If only the real uid is 0, we do not set the effective bit.
457 */
459 /* pP' = (cap_bset & ~0) | (pI & ~0) */
462 }
465 }
466 skip:
468 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
469 * credentials unless they have the appropriate permit
470 */
475 /* downgrade; they get no more than they had, and maybe less */
479 }
482 }
487 /* For init, we want to retain the capabilities set in the initial
488 * task. Thus we skip the usual capability rules
489 */
493 else
495 }
498 /*
499 * Audit candidate if current->cap_effective is set
500 *
501 * We do not bother to audit if 3 things are true:
502 * 1) cap_effective has all caps
503 * 2) we are root
504 * 3) root is supposed to have all caps (SECURE_NOROOT)
505 * Since this is just a normal root execing a process.
506 *
507 * Number 1 above might fail if you don't have a full bset, but I think
508 * that is interesting information to audit.
509 */
517 }
518 }
522 }
524 /**
525 * cap_bprm_secureexec - Determine whether a secure execution is required
526 * @bprm: The execution parameters
527 *
528 * Determine whether a secure execution is required, return 1 if it is, and 0
529 * if it is not.
530 *
531 * The credentials have been committed by this point, and so are no longer
532 * available through @bprm->cred.
533 */
535 {
543 }
547 }
549 /**
550 * cap_inode_setxattr - Determine whether an xattr may be altered
551 * @dentry: The inode/dentry being altered
552 * @name: The name of the xattr to be changed
553 * @value: The value that the xattr will be changed to
554 * @size: The size of value
555 * @flags: The replacement flag
556 *
557 * Determine whether an xattr may be altered or set on an inode, returning 0 if
558 * permission is granted, -ve if denied.
559 *
560 * This is used to make sure security xattrs don't get updated or set by those
561 * who aren't privileged to do so.
562 */
565 {
570 }
577 }
579 /**
580 * cap_inode_removexattr - Determine whether an xattr may be removed
581 * @dentry: The inode/dentry being altered
582 * @name: The name of the xattr to be changed
583 *
584 * Determine whether an xattr may be removed from an inode, returning 0 if
585 * permission is granted, -ve if denied.
586 *
587 * This is used to make sure security xattrs don't get removed by those who
588 * aren't privileged to remove them.
589 */
591 {
596 }
603 }
605 /*
606 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
607 * a process after a call to setuid, setreuid, or setresuid.
608 *
609 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
610 * {r,e,s}uid != 0, the permitted and effective capabilities are
611 * cleared.
612 *
613 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
614 * capabilities of the process are cleared.
615 *
616 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
617 * capabilities are set to the permitted capabilities.
618 *
619 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
620 * never happen.
621 *
622 * -astor
623 *
624 * cevans - New behaviour, Oct '99
625 * A process may, via prctl(), elect to keep its capabilities when it
626 * calls setuid() and switches away from uid==0. Both permitted and
627 * effective sets will be retained.
628 * Without this change, it was impossible for a daemon to drop only some
629 * of its privilege. The call to setuid(!=0) would drop all privileges!
630 * Keeping uid 0 is not an option because uid 0 owns too many vital
631 * files..
632 * Thanks to Olaf Kirch and Peter Benie for spotting this.
633 */
635 {
641 }
646 }
648 /**
649 * cap_task_fix_setuid - Fix up the results of setuid() call
650 * @new: The proposed credentials
651 * @old: The current task's current credentials
652 * @flags: Indications of what has changed
653 *
654 * Fix up the results of setuid() call before the credential changes are
655 * actually applied, returning 0 to grant the changes, -ve to deny them.
656 */
658 {
663 /* juggle the capabilities to follow [RES]UID changes unless
664 * otherwise suppressed */
679 }
684 }
687 }
689 /*
690 * Rationale: code calling task_setscheduler, task_setioprio, and
691 * task_setnice, assumes that
692 * . if capable(cap_sys_nice), then those actions should be allowed
693 * . if not capable(cap_sys_nice), but acting on your own processes,
694 * then those actions should be allowed
695 * This is insufficient now since you can call code without suid, but
696 * yet with increased caps.
697 * So we check for increased caps on the target process.
698 */
700 {
711 }
713 /**
714 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
715 * @p: The task to affect
716 * @policy: The policy to effect
717 * @lp: The parameters to the scheduling policy
718 *
719 * Detemine if the requested scheduler policy change is permitted for the
720 * specified task, returning 0 if permission is granted, -ve if denied.
721 */
724 {
726 }
728 /**
729 * cap_task_ioprio - Detemine if I/O priority change is permitted
730 * @p: The task to affect
731 * @ioprio: The I/O priority to set
732 *
733 * Detemine if the requested I/O priority change is permitted for the specified
734 * task, returning 0 if permission is granted, -ve if denied.
735 */
737 {
739 }
741 /**
742 * cap_task_ioprio - Detemine if task priority change is permitted
743 * @p: The task to affect
744 * @nice: The nice value to set
745 *
746 * Detemine if the requested task priority change is permitted for the
747 * specified task, returning 0 if permission is granted, -ve if denied.
748 */
750 {
752 }
754 /*
755 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
756 * the current task's bounding set. Returns 0 on success, -ve on error.
757 */
759 {
767 }
769 /**
770 * cap_task_prctl - Implement process control functions for this security module
771 * @option: The process control function requested
772 * @arg2, @arg3, @arg4, @arg5: The argument data for this function
773 *
774 * Allow process control functions (sys_prctl()) to alter capabilities; may
775 * also deny access to other functions not otherwise implemented here.
776 *
777 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
778 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
779 * modules will consider performing the function.
780 */
783 {
805 /*
806 * The next four prctl's remain to assist with transitioning a
807 * system from legacy UID=0 based privilege (when filesystem
808 * capabilities are not in use) to a system using filesystem
809 * capabilities only - as the POSIX.1e draft intended.
810 *
811 * Note:
812 *
813 * PR_SET_SECUREBITS =
814 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
815 * | issecure_mask(SECURE_NOROOT)
816 * | issecure_mask(SECURE_NOROOT_LOCKED)
817 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
818 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
819 *
820 * will ensure that the current process and all of its
821 * children will be locked into a pure
822 * capability-based-privilege environment.
823 */
832 /*
833 * [1] no changing of bits that are locked
834 * [2] no unlocking of locks
835 * [3] no setting of unsupported bits
836 * [4] doing anything requires privilege (go read about
837 * the "sendmail capabilities bug")
838 */
839 )
840 /* cannot change a locked bit */
863 else
868 /* No functionality available - continue with default */
871 }
873 /* Functionality provided */
874 changed:
877 no_change:
878 error:
881 }
883 /**
884 * cap_syslog - Determine whether syslog function is permitted
885 * @type: Function requested
886 * @from_file: Whether this request came from an open file (i.e. /proc)
887 *
888 * Determine whether the current process is permitted to use a particular
889 * syslog function, returning 0 if permission is granted, -ve if not.
890 */
892 {
899 }
901 /**
902 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
903 * @mm: The VM space in which the new mapping is to be made
904 * @pages: The size of the mapping
905 *
906 * Determine whether the allocation of a new virtual mapping by the current
907 * task is permitted, returning 0 if permission is granted, -ve if not.
908 */
910 {
917 }
919 /*
920 * cap_file_mmap - check if able to map given addr
921 * @file: unused
922 * @reqprot: unused
923 * @prot: unused
924 * @flags: unused
925 * @addr: address attempting to be mapped
926 * @addr_only: unused
927 *
928 * If the process is attempting to map memory below dac_mmap_min_addr they need
929 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
930 * capability security module. Returns 0 if this mapping should be allowed
931 * -EPERM if not.
932 */
936 {
941 SECURITY_CAP_AUDIT);
942 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
945 }
947 }