Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* Common capabilities, needed by capability.o and root_plug.o |
2 | * | |
3 | * This program is free software; you can redistribute it and/or modify | |
4 | * it under the terms of the GNU General Public License as published by | |
5 | * the Free Software Foundation; either version 2 of the License, or | |
6 | * (at your option) any later version. | |
7 | * | |
8 | */ | |
9 | ||
10 | #include <linux/config.h> | |
11 | #include <linux/module.h> | |
12 | #include <linux/init.h> | |
13 | #include <linux/kernel.h> | |
14 | #include <linux/security.h> | |
15 | #include <linux/file.h> | |
16 | #include <linux/mm.h> | |
17 | #include <linux/mman.h> | |
18 | #include <linux/pagemap.h> | |
19 | #include <linux/swap.h> | |
20 | #include <linux/smp_lock.h> | |
21 | #include <linux/skbuff.h> | |
22 | #include <linux/netlink.h> | |
23 | #include <linux/ptrace.h> | |
24 | #include <linux/xattr.h> | |
25 | #include <linux/hugetlb.h> | |
26 | ||
27 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | |
28 | { | |
29 | NETLINK_CB(skb).eff_cap = current->cap_effective; | |
30 | return 0; | |
31 | } | |
32 | ||
33 | EXPORT_SYMBOL(cap_netlink_send); | |
34 | ||
35 | int cap_netlink_recv(struct sk_buff *skb) | |
36 | { | |
37 | if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) | |
38 | return -EPERM; | |
39 | return 0; | |
40 | } | |
41 | ||
42 | EXPORT_SYMBOL(cap_netlink_recv); | |
43 | ||
44 | int cap_capable (struct task_struct *tsk, int cap) | |
45 | { | |
46 | /* Derived from include/linux/sched.h:capable. */ | |
47 | if (cap_raised(tsk->cap_effective, cap)) | |
48 | return 0; | |
49 | return -EPERM; | |
50 | } | |
51 | ||
52 | int cap_settime(struct timespec *ts, struct timezone *tz) | |
53 | { | |
54 | if (!capable(CAP_SYS_TIME)) | |
55 | return -EPERM; | |
56 | return 0; | |
57 | } | |
58 | ||
59 | int cap_ptrace (struct task_struct *parent, struct task_struct *child) | |
60 | { | |
61 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ | |
62 | if (!cap_issubset (child->cap_permitted, current->cap_permitted) && | |
63 | !capable(CAP_SYS_PTRACE)) | |
64 | return -EPERM; | |
65 | return 0; | |
66 | } | |
67 | ||
68 | int cap_capget (struct task_struct *target, kernel_cap_t *effective, | |
69 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | |
70 | { | |
71 | /* Derived from kernel/capability.c:sys_capget. */ | |
72 | *effective = cap_t (target->cap_effective); | |
73 | *inheritable = cap_t (target->cap_inheritable); | |
74 | *permitted = cap_t (target->cap_permitted); | |
75 | return 0; | |
76 | } | |
77 | ||
78 | int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, | |
79 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | |
80 | { | |
81 | /* Derived from kernel/capability.c:sys_capset. */ | |
82 | /* verify restrictions on target's new Inheritable set */ | |
83 | if (!cap_issubset (*inheritable, | |
84 | cap_combine (target->cap_inheritable, | |
85 | current->cap_permitted))) { | |
86 | return -EPERM; | |
87 | } | |
88 | ||
89 | /* verify restrictions on target's new Permitted set */ | |
90 | if (!cap_issubset (*permitted, | |
91 | cap_combine (target->cap_permitted, | |
92 | current->cap_permitted))) { | |
93 | return -EPERM; | |
94 | } | |
95 | ||
96 | /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ | |
97 | if (!cap_issubset (*effective, *permitted)) { | |
98 | return -EPERM; | |
99 | } | |
100 | ||
101 | return 0; | |
102 | } | |
103 | ||
104 | void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, | |
105 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | |
106 | { | |
107 | target->cap_effective = *effective; | |
108 | target->cap_inheritable = *inheritable; | |
109 | target->cap_permitted = *permitted; | |
110 | } | |
111 | ||
112 | int cap_bprm_set_security (struct linux_binprm *bprm) | |
113 | { | |
114 | /* Copied from fs/exec.c:prepare_binprm. */ | |
115 | ||
116 | /* We don't have VFS support for capabilities yet */ | |
117 | cap_clear (bprm->cap_inheritable); | |
118 | cap_clear (bprm->cap_permitted); | |
119 | cap_clear (bprm->cap_effective); | |
120 | ||
121 | /* To support inheritance of root-permissions and suid-root | |
122 | * executables under compatibility mode, we raise all three | |
123 | * capability sets for the file. | |
124 | * | |
125 | * If only the real uid is 0, we only raise the inheritable | |
126 | * and permitted sets of the executable file. | |
127 | */ | |
128 | ||
129 | if (!issecure (SECURE_NOROOT)) { | |
130 | if (bprm->e_uid == 0 || current->uid == 0) { | |
131 | cap_set_full (bprm->cap_inheritable); | |
132 | cap_set_full (bprm->cap_permitted); | |
133 | } | |
134 | if (bprm->e_uid == 0) | |
135 | cap_set_full (bprm->cap_effective); | |
136 | } | |
137 | return 0; | |
138 | } | |
139 | ||
140 | void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | |
141 | { | |
142 | /* Derived from fs/exec.c:compute_creds. */ | |
143 | kernel_cap_t new_permitted, working; | |
144 | ||
145 | new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); | |
146 | working = cap_intersect (bprm->cap_inheritable, | |
147 | current->cap_inheritable); | |
148 | new_permitted = cap_combine (new_permitted, working); | |
149 | ||
150 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || | |
151 | !cap_issubset (new_permitted, current->cap_permitted)) { | |
152 | current->mm->dumpable = 0; | |
153 | ||
154 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { | |
155 | if (!capable(CAP_SETUID)) { | |
156 | bprm->e_uid = current->uid; | |
157 | bprm->e_gid = current->gid; | |
158 | } | |
159 | if (!capable (CAP_SETPCAP)) { | |
160 | new_permitted = cap_intersect (new_permitted, | |
161 | current->cap_permitted); | |
162 | } | |
163 | } | |
164 | } | |
165 | ||
166 | current->suid = current->euid = current->fsuid = bprm->e_uid; | |
167 | current->sgid = current->egid = current->fsgid = bprm->e_gid; | |
168 | ||
169 | /* For init, we want to retain the capabilities set | |
170 | * in the init_task struct. Thus we skip the usual | |
171 | * capability rules */ | |
172 | if (current->pid != 1) { | |
173 | current->cap_permitted = new_permitted; | |
174 | current->cap_effective = | |
175 | cap_intersect (new_permitted, bprm->cap_effective); | |
176 | } | |
177 | ||
178 | /* AUD: Audit candidate if current->cap_effective is set */ | |
179 | ||
180 | current->keep_capabilities = 0; | |
181 | } | |
182 | ||
183 | int cap_bprm_secureexec (struct linux_binprm *bprm) | |
184 | { | |
185 | /* If/when this module is enhanced to incorporate capability | |
186 | bits on files, the test below should be extended to also perform a | |
187 | test between the old and new capability sets. For now, | |
188 | it simply preserves the legacy decision algorithm used by | |
189 | the old userland. */ | |
190 | return (current->euid != current->uid || | |
191 | current->egid != current->gid); | |
192 | } | |
193 | ||
194 | int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, | |
195 | size_t size, int flags) | |
196 | { | |
197 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | |
198 | sizeof(XATTR_SECURITY_PREFIX) - 1) && | |
199 | !capable(CAP_SYS_ADMIN)) | |
200 | return -EPERM; | |
201 | return 0; | |
202 | } | |
203 | ||
204 | int cap_inode_removexattr(struct dentry *dentry, char *name) | |
205 | { | |
206 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | |
207 | sizeof(XATTR_SECURITY_PREFIX) - 1) && | |
208 | !capable(CAP_SYS_ADMIN)) | |
209 | return -EPERM; | |
210 | return 0; | |
211 | } | |
212 | ||
213 | /* moved from kernel/sys.c. */ | |
214 | /* | |
215 | * cap_emulate_setxuid() fixes the effective / permitted capabilities of | |
216 | * a process after a call to setuid, setreuid, or setresuid. | |
217 | * | |
218 | * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of | |
219 | * {r,e,s}uid != 0, the permitted and effective capabilities are | |
220 | * cleared. | |
221 | * | |
222 | * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective | |
223 | * capabilities of the process are cleared. | |
224 | * | |
225 | * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective | |
226 | * capabilities are set to the permitted capabilities. | |
227 | * | |
228 | * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should | |
229 | * never happen. | |
230 | * | |
231 | * -astor | |
232 | * | |
233 | * cevans - New behaviour, Oct '99 | |
234 | * A process may, via prctl(), elect to keep its capabilities when it | |
235 | * calls setuid() and switches away from uid==0. Both permitted and | |
236 | * effective sets will be retained. | |
237 | * Without this change, it was impossible for a daemon to drop only some | |
238 | * of its privilege. The call to setuid(!=0) would drop all privileges! | |
239 | * Keeping uid 0 is not an option because uid 0 owns too many vital | |
240 | * files.. | |
241 | * Thanks to Olaf Kirch and Peter Benie for spotting this. | |
242 | */ | |
243 | static inline void cap_emulate_setxuid (int old_ruid, int old_euid, | |
244 | int old_suid) | |
245 | { | |
246 | if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && | |
247 | (current->uid != 0 && current->euid != 0 && current->suid != 0) && | |
248 | !current->keep_capabilities) { | |
249 | cap_clear (current->cap_permitted); | |
250 | cap_clear (current->cap_effective); | |
251 | } | |
252 | if (old_euid == 0 && current->euid != 0) { | |
253 | cap_clear (current->cap_effective); | |
254 | } | |
255 | if (old_euid != 0 && current->euid == 0) { | |
256 | current->cap_effective = current->cap_permitted; | |
257 | } | |
258 | } | |
259 | ||
260 | int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, | |
261 | int flags) | |
262 | { | |
263 | switch (flags) { | |
264 | case LSM_SETID_RE: | |
265 | case LSM_SETID_ID: | |
266 | case LSM_SETID_RES: | |
267 | /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ | |
268 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { | |
269 | cap_emulate_setxuid (old_ruid, old_euid, old_suid); | |
270 | } | |
271 | break; | |
272 | case LSM_SETID_FS: | |
273 | { | |
274 | uid_t old_fsuid = old_ruid; | |
275 | ||
276 | /* Copied from kernel/sys.c:setfsuid. */ | |
277 | ||
278 | /* | |
279 | * FIXME - is fsuser used for all CAP_FS_MASK capabilities? | |
280 | * if not, we might be a bit too harsh here. | |
281 | */ | |
282 | ||
283 | if (!issecure (SECURE_NO_SETUID_FIXUP)) { | |
284 | if (old_fsuid == 0 && current->fsuid != 0) { | |
285 | cap_t (current->cap_effective) &= | |
286 | ~CAP_FS_MASK; | |
287 | } | |
288 | if (old_fsuid != 0 && current->fsuid == 0) { | |
289 | cap_t (current->cap_effective) |= | |
290 | (cap_t (current->cap_permitted) & | |
291 | CAP_FS_MASK); | |
292 | } | |
293 | } | |
294 | break; | |
295 | } | |
296 | default: | |
297 | return -EINVAL; | |
298 | } | |
299 | ||
300 | return 0; | |
301 | } | |
302 | ||
303 | void cap_task_reparent_to_init (struct task_struct *p) | |
304 | { | |
305 | p->cap_effective = CAP_INIT_EFF_SET; | |
306 | p->cap_inheritable = CAP_INIT_INH_SET; | |
307 | p->cap_permitted = CAP_FULL_SET; | |
308 | p->keep_capabilities = 0; | |
309 | return; | |
310 | } | |
311 | ||
312 | int cap_syslog (int type) | |
313 | { | |
314 | if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) | |
315 | return -EPERM; | |
316 | return 0; | |
317 | } | |
318 | ||
319 | int cap_vm_enough_memory(long pages) | |
320 | { | |
321 | int cap_sys_admin = 0; | |
322 | ||
323 | if (cap_capable(current, CAP_SYS_ADMIN) == 0) | |
324 | cap_sys_admin = 1; | |
325 | return __vm_enough_memory(pages, cap_sys_admin); | |
326 | } | |
327 | ||
328 | EXPORT_SYMBOL(cap_capable); | |
329 | EXPORT_SYMBOL(cap_settime); | |
330 | EXPORT_SYMBOL(cap_ptrace); | |
331 | EXPORT_SYMBOL(cap_capget); | |
332 | EXPORT_SYMBOL(cap_capset_check); | |
333 | EXPORT_SYMBOL(cap_capset_set); | |
334 | EXPORT_SYMBOL(cap_bprm_set_security); | |
335 | EXPORT_SYMBOL(cap_bprm_apply_creds); | |
336 | EXPORT_SYMBOL(cap_bprm_secureexec); | |
337 | EXPORT_SYMBOL(cap_inode_setxattr); | |
338 | EXPORT_SYMBOL(cap_inode_removexattr); | |
339 | EXPORT_SYMBOL(cap_task_post_setuid); | |
340 | EXPORT_SYMBOL(cap_task_reparent_to_init); | |
341 | EXPORT_SYMBOL(cap_syslog); | |
342 | EXPORT_SYMBOL(cap_vm_enough_memory); | |
343 | ||
344 | MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module"); | |
345 | MODULE_LICENSE("GPL"); |