tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / security / commoncap.c
at v2.6.24-rc1 589 lines 15 kB view raw
1/* Common capabilities, needed by capability.o and root_plug.o 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10#include <linux/capability.h> 11#include <linux/module.h> 12#include <linux/init.h> 13#include <linux/kernel.h> 14#include <linux/security.h> 15#include <linux/file.h> 16#include <linux/mm.h> 17#include <linux/mman.h> 18#include <linux/pagemap.h> 19#include <linux/swap.h> 20#include <linux/skbuff.h> 21#include <linux/netlink.h> 22#include <linux/ptrace.h> 23#include <linux/xattr.h> 24#include <linux/hugetlb.h> 25#include <linux/mount.h> 26#include <linux/sched.h> 27 28#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 29/* 30 * Because of the reduced scope of CAP_SETPCAP when filesystem 31 * capabilities are in effect, it is safe to allow this capability to 32 * be available in the default configuration. 33 */ 34# define CAP_INIT_BSET CAP_FULL_SET 35#else /* ie. ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 36# define CAP_INIT_BSET CAP_INIT_EFF_SET 37#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 38 39kernel_cap_t cap_bset = CAP_INIT_BSET; /* systemwide capability bound */ 40EXPORT_SYMBOL(cap_bset); 41 42/* Global security state */ 43 44unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */ 45EXPORT_SYMBOL(securebits); 46 47int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 48{ 49 NETLINK_CB(skb).eff_cap = current->cap_effective; 50 return 0; 51} 52 53int cap_netlink_recv(struct sk_buff *skb, int cap) 54{ 55 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 56 return -EPERM; 57 return 0; 58} 59 60EXPORT_SYMBOL(cap_netlink_recv); 61 62int cap_capable (struct task_struct *tsk, int cap) 63{ 64 /* Derived from include/linux/sched.h:capable. */ 65 if (cap_raised(tsk->cap_effective, cap)) 66 return 0; 67 return -EPERM; 68} 69 70int cap_settime(struct timespec *ts, struct timezone *tz) 71{ 72 if (!capable(CAP_SYS_TIME)) 73 return -EPERM; 74 return 0; 75} 76 77int cap_ptrace (struct task_struct *parent, struct task_struct *child) 78{ 79 /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ 80 if (!cap_issubset(child->cap_permitted, parent->cap_permitted) && 81 !__capable(parent, CAP_SYS_PTRACE)) 82 return -EPERM; 83 return 0; 84} 85 86int cap_capget (struct task_struct *target, kernel_cap_t *effective, 87 kernel_cap_t *inheritable, kernel_cap_t *permitted) 88{ 89 /* Derived from kernel/capability.c:sys_capget. */ 90 *effective = cap_t (target->cap_effective); 91 *inheritable = cap_t (target->cap_inheritable); 92 *permitted = cap_t (target->cap_permitted); 93 return 0; 94} 95 96#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 97 98static inline int cap_block_setpcap(struct task_struct *target) 99{ 100 /* 101 * No support for remote process capability manipulation with 102 * filesystem capability support. 103 */ 104 return (target != current); 105} 106 107static inline int cap_inh_is_capped(void) 108{ 109 /* 110 * return 1 if changes to the inheritable set are limited 111 * to the old permitted set. 112 */ 113 return !cap_capable(current, CAP_SETPCAP); 114} 115 116#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 117 118static inline int cap_block_setpcap(struct task_struct *t) { return 0; } 119static inline int cap_inh_is_capped(void) { return 1; } 120 121#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ 122 123int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, 124 kernel_cap_t *inheritable, kernel_cap_t *permitted) 125{ 126 if (cap_block_setpcap(target)) { 127 return -EPERM; 128 } 129 if (cap_inh_is_capped() 130 && !cap_issubset(*inheritable, 131 cap_combine(target->cap_inheritable, 132 current->cap_permitted))) { 133 /* incapable of using this inheritable set */ 134 return -EPERM; 135 } 136 137 /* verify restrictions on target's new Permitted set */ 138 if (!cap_issubset (*permitted, 139 cap_combine (target->cap_permitted, 140 current->cap_permitted))) { 141 return -EPERM; 142 } 143 144 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 145 if (!cap_issubset (*effective, *permitted)) { 146 return -EPERM; 147 } 148 149 return 0; 150} 151 152void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, 153 kernel_cap_t *inheritable, kernel_cap_t *permitted) 154{ 155 target->cap_effective = *effective; 156 target->cap_inheritable = *inheritable; 157 target->cap_permitted = *permitted; 158} 159 160static inline void bprm_clear_caps(struct linux_binprm *bprm) 161{ 162 cap_clear(bprm->cap_inheritable); 163 cap_clear(bprm->cap_permitted); 164 bprm->cap_effective = false; 165} 166 167#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 168 169int cap_inode_need_killpriv(struct dentry *dentry) 170{ 171 struct inode *inode = dentry->d_inode; 172 int error; 173 174 if (!inode->i_op || !inode->i_op->getxattr) 175 return 0; 176 177 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 178 if (error <= 0) 179 return 0; 180 return 1; 181} 182 183int cap_inode_killpriv(struct dentry *dentry) 184{ 185 struct inode *inode = dentry->d_inode; 186 187 if (!inode->i_op || !inode->i_op->removexattr) 188 return 0; 189 190 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 191} 192 193static inline int cap_from_disk(struct vfs_cap_data *caps, 194 struct linux_binprm *bprm, 195 int size) 196{ 197 __u32 magic_etc; 198 199 if (size != XATTR_CAPS_SZ) 200 return -EINVAL; 201 202 magic_etc = le32_to_cpu(caps->magic_etc); 203 204 switch ((magic_etc & VFS_CAP_REVISION_MASK)) { 205 case VFS_CAP_REVISION: 206 if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 207 bprm->cap_effective = true; 208 else 209 bprm->cap_effective = false; 210 bprm->cap_permitted = to_cap_t(le32_to_cpu(caps->permitted)); 211 bprm->cap_inheritable = to_cap_t(le32_to_cpu(caps->inheritable)); 212 return 0; 213 default: 214 return -EINVAL; 215 } 216} 217 218/* Locate any VFS capabilities: */ 219static int get_file_caps(struct linux_binprm *bprm) 220{ 221 struct dentry *dentry; 222 int rc = 0; 223 struct vfs_cap_data incaps; 224 struct inode *inode; 225 226 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) { 227 bprm_clear_caps(bprm); 228 return 0; 229 } 230 231 dentry = dget(bprm->file->f_dentry); 232 inode = dentry->d_inode; 233 if (!inode->i_op || !inode->i_op->getxattr) 234 goto out; 235 236 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 237 if (rc > 0) { 238 if (rc == XATTR_CAPS_SZ) 239 rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, 240 &incaps, XATTR_CAPS_SZ); 241 else 242 rc = -EINVAL; 243 } 244 if (rc == -ENODATA || rc == -EOPNOTSUPP) { 245 /* no data, that's ok */ 246 rc = 0; 247 goto out; 248 } 249 if (rc < 0) 250 goto out; 251 252 rc = cap_from_disk(&incaps, bprm, rc); 253 if (rc) 254 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 255 __FUNCTION__, rc, bprm->filename); 256 257out: 258 dput(dentry); 259 if (rc) 260 bprm_clear_caps(bprm); 261 262 return rc; 263} 264 265#else 266int cap_inode_need_killpriv(struct dentry *dentry) 267{ 268 return 0; 269} 270 271int cap_inode_killpriv(struct dentry *dentry) 272{ 273 return 0; 274} 275 276static inline int get_file_caps(struct linux_binprm *bprm) 277{ 278 bprm_clear_caps(bprm); 279 return 0; 280} 281#endif 282 283int cap_bprm_set_security (struct linux_binprm *bprm) 284{ 285 int ret; 286 287 ret = get_file_caps(bprm); 288 if (ret) 289 printk(KERN_NOTICE "%s: get_file_caps returned %d for %s\n", 290 __FUNCTION__, ret, bprm->filename); 291 292 /* To support inheritance of root-permissions and suid-root 293 * executables under compatibility mode, we raise all three 294 * capability sets for the file. 295 * 296 * If only the real uid is 0, we only raise the inheritable 297 * and permitted sets of the executable file. 298 */ 299 300 if (!issecure (SECURE_NOROOT)) { 301 if (bprm->e_uid == 0 || current->uid == 0) { 302 cap_set_full (bprm->cap_inheritable); 303 cap_set_full (bprm->cap_permitted); 304 } 305 if (bprm->e_uid == 0) 306 bprm->cap_effective = true; 307 } 308 309 return ret; 310} 311 312void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 313{ 314 /* Derived from fs/exec.c:compute_creds. */ 315 kernel_cap_t new_permitted, working; 316 317 new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); 318 working = cap_intersect (bprm->cap_inheritable, 319 current->cap_inheritable); 320 new_permitted = cap_combine (new_permitted, working); 321 322 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || 323 !cap_issubset (new_permitted, current->cap_permitted)) { 324 set_dumpable(current->mm, suid_dumpable); 325 current->pdeath_signal = 0; 326 327 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 328 if (!capable(CAP_SETUID)) { 329 bprm->e_uid = current->uid; 330 bprm->e_gid = current->gid; 331 } 332 if (!capable (CAP_SETPCAP)) { 333 new_permitted = cap_intersect (new_permitted, 334 current->cap_permitted); 335 } 336 } 337 } 338 339 current->suid = current->euid = current->fsuid = bprm->e_uid; 340 current->sgid = current->egid = current->fsgid = bprm->e_gid; 341 342 /* For init, we want to retain the capabilities set 343 * in the init_task struct. Thus we skip the usual 344 * capability rules */ 345 if (!is_global_init(current)) { 346 current->cap_permitted = new_permitted; 347 current->cap_effective = bprm->cap_effective ? 348 new_permitted : 0; 349 } 350 351 /* AUD: Audit candidate if current->cap_effective is set */ 352 353 current->keep_capabilities = 0; 354} 355 356int cap_bprm_secureexec (struct linux_binprm *bprm) 357{ 358 if (current->uid != 0) { 359 if (bprm->cap_effective) 360 return 1; 361 if (!cap_isclear(bprm->cap_permitted)) 362 return 1; 363 if (!cap_isclear(bprm->cap_inheritable)) 364 return 1; 365 } 366 367 return (current->euid != current->uid || 368 current->egid != current->gid); 369} 370 371int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, 372 size_t size, int flags) 373{ 374 if (!strcmp(name, XATTR_NAME_CAPS)) { 375 if (!capable(CAP_SETFCAP)) 376 return -EPERM; 377 return 0; 378 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 379 sizeof(XATTR_SECURITY_PREFIX) - 1) && 380 !capable(CAP_SYS_ADMIN)) 381 return -EPERM; 382 return 0; 383} 384 385int cap_inode_removexattr(struct dentry *dentry, char *name) 386{ 387 if (!strcmp(name, XATTR_NAME_CAPS)) { 388 if (!capable(CAP_SETFCAP)) 389 return -EPERM; 390 return 0; 391 } else if (!strncmp(name, XATTR_SECURITY_PREFIX, 392 sizeof(XATTR_SECURITY_PREFIX) - 1) && 393 !capable(CAP_SYS_ADMIN)) 394 return -EPERM; 395 return 0; 396} 397 398/* moved from kernel/sys.c. */ 399/* 400 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 401 * a process after a call to setuid, setreuid, or setresuid. 402 * 403 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 404 * {r,e,s}uid != 0, the permitted and effective capabilities are 405 * cleared. 406 * 407 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 408 * capabilities of the process are cleared. 409 * 410 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 411 * capabilities are set to the permitted capabilities. 412 * 413 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 414 * never happen. 415 * 416 * -astor 417 * 418 * cevans - New behaviour, Oct '99 419 * A process may, via prctl(), elect to keep its capabilities when it 420 * calls setuid() and switches away from uid==0. Both permitted and 421 * effective sets will be retained. 422 * Without this change, it was impossible for a daemon to drop only some 423 * of its privilege. The call to setuid(!=0) would drop all privileges! 424 * Keeping uid 0 is not an option because uid 0 owns too many vital 425 * files.. 426 * Thanks to Olaf Kirch and Peter Benie for spotting this. 427 */ 428static inline void cap_emulate_setxuid (int old_ruid, int old_euid, 429 int old_suid) 430{ 431 if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && 432 (current->uid != 0 && current->euid != 0 && current->suid != 0) && 433 !current->keep_capabilities) { 434 cap_clear (current->cap_permitted); 435 cap_clear (current->cap_effective); 436 } 437 if (old_euid == 0 && current->euid != 0) { 438 cap_clear (current->cap_effective); 439 } 440 if (old_euid != 0 && current->euid == 0) { 441 current->cap_effective = current->cap_permitted; 442 } 443} 444 445int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, 446 int flags) 447{ 448 switch (flags) { 449 case LSM_SETID_RE: 450 case LSM_SETID_ID: 451 case LSM_SETID_RES: 452 /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ 453 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 454 cap_emulate_setxuid (old_ruid, old_euid, old_suid); 455 } 456 break; 457 case LSM_SETID_FS: 458 { 459 uid_t old_fsuid = old_ruid; 460 461 /* Copied from kernel/sys.c:setfsuid. */ 462 463 /* 464 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 465 * if not, we might be a bit too harsh here. 466 */ 467 468 if (!issecure (SECURE_NO_SETUID_FIXUP)) { 469 if (old_fsuid == 0 && current->fsuid != 0) { 470 cap_t (current->cap_effective) &= 471 ~CAP_FS_MASK; 472 } 473 if (old_fsuid != 0 && current->fsuid == 0) { 474 cap_t (current->cap_effective) |= 475 (cap_t (current->cap_permitted) & 476 CAP_FS_MASK); 477 } 478 } 479 break; 480 } 481 default: 482 return -EINVAL; 483 } 484 485 return 0; 486} 487 488#ifdef CONFIG_SECURITY_FILE_CAPABILITIES 489/* 490 * Rationale: code calling task_setscheduler, task_setioprio, and 491 * task_setnice, assumes that 492 * . if capable(cap_sys_nice), then those actions should be allowed 493 * . if not capable(cap_sys_nice), but acting on your own processes, 494 * then those actions should be allowed 495 * This is insufficient now since you can call code without suid, but 496 * yet with increased caps. 497 * So we check for increased caps on the target process. 498 */ 499static inline int cap_safe_nice(struct task_struct *p) 500{ 501 if (!cap_issubset(p->cap_permitted, current->cap_permitted) && 502 !__capable(current, CAP_SYS_NICE)) 503 return -EPERM; 504 return 0; 505} 506 507int cap_task_setscheduler (struct task_struct *p, int policy, 508 struct sched_param *lp) 509{ 510 return cap_safe_nice(p); 511} 512 513int cap_task_setioprio (struct task_struct *p, int ioprio) 514{ 515 return cap_safe_nice(p); 516} 517 518int cap_task_setnice (struct task_struct *p, int nice) 519{ 520 return cap_safe_nice(p); 521} 522 523int cap_task_kill(struct task_struct *p, struct siginfo *info, 524 int sig, u32 secid) 525{ 526 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info))) 527 return 0; 528 529 if (secid) 530 /* 531 * Signal sent as a particular user. 532 * Capabilities are ignored. May be wrong, but it's the 533 * only thing we can do at the moment. 534 * Used only by usb drivers? 535 */ 536 return 0; 537 if (cap_issubset(p->cap_permitted, current->cap_permitted)) 538 return 0; 539 if (capable(CAP_KILL)) 540 return 0; 541 542 return -EPERM; 543} 544#else 545int cap_task_setscheduler (struct task_struct *p, int policy, 546 struct sched_param *lp) 547{ 548 return 0; 549} 550int cap_task_setioprio (struct task_struct *p, int ioprio) 551{ 552 return 0; 553} 554int cap_task_setnice (struct task_struct *p, int nice) 555{ 556 return 0; 557} 558int cap_task_kill(struct task_struct *p, struct siginfo *info, 559 int sig, u32 secid) 560{ 561 return 0; 562} 563#endif 564 565void cap_task_reparent_to_init (struct task_struct *p) 566{ 567 p->cap_effective = CAP_INIT_EFF_SET; 568 p->cap_inheritable = CAP_INIT_INH_SET; 569 p->cap_permitted = CAP_FULL_SET; 570 p->keep_capabilities = 0; 571 return; 572} 573 574int cap_syslog (int type) 575{ 576 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 577 return -EPERM; 578 return 0; 579} 580 581int cap_vm_enough_memory(struct mm_struct *mm, long pages) 582{ 583 int cap_sys_admin = 0; 584 585 if (cap_capable(current, CAP_SYS_ADMIN) == 0) 586 cap_sys_admin = 1; 587 return __vm_enough_memory(mm, pages, cap_sys_admin); 588} 589