Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/kernel/capability.c | |
3 | * | |
4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> | |
5 | * | |
72c2d582 | 6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
1da177e4 | 7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
314f70fd | 8 | */ |
1da177e4 | 9 | |
e68b75a0 | 10 | #include <linux/audit.h> |
c59ede7b | 11 | #include <linux/capability.h> |
1da177e4 LT |
12 | #include <linux/mm.h> |
13 | #include <linux/module.h> | |
14 | #include <linux/security.h> | |
15 | #include <linux/syscalls.h> | |
b460cbc5 | 16 | #include <linux/pid_namespace.h> |
1da177e4 LT |
17 | #include <asm/uaccess.h> |
18 | ||
1da177e4 LT |
19 | /* |
20 | * This lock protects task->cap_* for all tasks including current. | |
21 | * Locking rule: acquire this prior to tasklist_lock. | |
22 | */ | |
23 | static DEFINE_SPINLOCK(task_capability_lock); | |
24 | ||
e338d263 AM |
25 | /* |
26 | * Leveraged for setting/resetting capabilities | |
27 | */ | |
28 | ||
29 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; | |
30 | const kernel_cap_t __cap_full_set = CAP_FULL_SET; | |
31 | const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; | |
32 | ||
33 | EXPORT_SYMBOL(__cap_empty_set); | |
34 | EXPORT_SYMBOL(__cap_full_set); | |
35 | EXPORT_SYMBOL(__cap_init_eff_set); | |
36 | ||
1f29fae2 SH |
37 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES |
38 | int file_caps_enabled = 1; | |
39 | ||
40 | static int __init file_caps_disable(char *str) | |
41 | { | |
42 | file_caps_enabled = 0; | |
43 | return 1; | |
44 | } | |
45 | __setup("no_file_caps", file_caps_disable); | |
46 | #endif | |
47 | ||
e338d263 AM |
48 | /* |
49 | * More recent versions of libcap are available from: | |
50 | * | |
51 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ | |
52 | */ | |
53 | ||
54 | static void warn_legacy_capability_use(void) | |
55 | { | |
56 | static int warned; | |
57 | if (!warned) { | |
58 | char name[sizeof(current->comm)]; | |
59 | ||
60 | printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" | |
61 | " (legacy support in use)\n", | |
62 | get_task_comm(name, current)); | |
63 | warned = 1; | |
64 | } | |
65 | } | |
66 | ||
ca05a99a AM |
67 | /* |
68 | * Version 2 capabilities worked fine, but the linux/capability.h file | |
69 | * that accompanied their introduction encouraged their use without | |
70 | * the necessary user-space source code changes. As such, we have | |
71 | * created a version 3 with equivalent functionality to version 2, but | |
72 | * with a header change to protect legacy source code from using | |
73 | * version 2 when it wanted to use version 1. If your system has code | |
74 | * that trips the following warning, it is using version 2 specific | |
75 | * capabilities and may be doing so insecurely. | |
76 | * | |
77 | * The remedy is to either upgrade your version of libcap (to 2.10+, | |
78 | * if the application is linked against it), or recompile your | |
79 | * application with modern kernel headers and this warning will go | |
80 | * away. | |
81 | */ | |
82 | ||
83 | static void warn_deprecated_v2(void) | |
84 | { | |
85 | static int warned; | |
86 | ||
87 | if (!warned) { | |
88 | char name[sizeof(current->comm)]; | |
89 | ||
90 | printk(KERN_INFO "warning: `%s' uses deprecated v2" | |
91 | " capabilities in a way that may be insecure.\n", | |
92 | get_task_comm(name, current)); | |
93 | warned = 1; | |
94 | } | |
95 | } | |
96 | ||
97 | /* | |
98 | * Version check. Return the number of u32s in each capability flag | |
99 | * array, or a negative value on error. | |
100 | */ | |
101 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) | |
102 | { | |
103 | __u32 version; | |
104 | ||
105 | if (get_user(version, &header->version)) | |
106 | return -EFAULT; | |
107 | ||
108 | switch (version) { | |
109 | case _LINUX_CAPABILITY_VERSION_1: | |
110 | warn_legacy_capability_use(); | |
111 | *tocopy = _LINUX_CAPABILITY_U32S_1; | |
112 | break; | |
113 | case _LINUX_CAPABILITY_VERSION_2: | |
114 | warn_deprecated_v2(); | |
115 | /* | |
116 | * fall through - v3 is otherwise equivalent to v2. | |
117 | */ | |
118 | case _LINUX_CAPABILITY_VERSION_3: | |
119 | *tocopy = _LINUX_CAPABILITY_U32S_3; | |
120 | break; | |
121 | default: | |
122 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) | |
123 | return -EFAULT; | |
124 | return -EINVAL; | |
125 | } | |
126 | ||
127 | return 0; | |
128 | } | |
129 | ||
ab763c71 AM |
130 | /* |
131 | * If we have configured with filesystem capability support, then the | |
132 | * only thing that can change the capabilities of the current process | |
133 | * is the current process. As such, we can't be in this code at the | |
134 | * same time as we are in the process of setting capabilities in this | |
135 | * process. The net result is that we can limit our use of locks to | |
136 | * when we are reading the caps of another process. | |
137 | */ | |
138 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, | |
139 | kernel_cap_t *pIp, kernel_cap_t *pPp) | |
140 | { | |
141 | int ret; | |
142 | ||
143 | if (pid && (pid != task_pid_vnr(current))) { | |
144 | struct task_struct *target; | |
145 | ||
146 | spin_lock(&task_capability_lock); | |
147 | read_lock(&tasklist_lock); | |
148 | ||
149 | target = find_task_by_vpid(pid); | |
150 | if (!target) | |
151 | ret = -ESRCH; | |
152 | else | |
153 | ret = security_capget(target, pEp, pIp, pPp); | |
154 | ||
155 | read_unlock(&tasklist_lock); | |
156 | spin_unlock(&task_capability_lock); | |
157 | } else | |
158 | ret = security_capget(current, pEp, pIp, pPp); | |
159 | ||
160 | return ret; | |
161 | } | |
162 | ||
086f7316 AM |
163 | /* |
164 | * Atomically modify the effective capabilities returning the original | |
165 | * value. No permission check is performed here - it is assumed that the | |
166 | * caller is permitted to set the desired effective capabilities. | |
167 | */ | |
168 | kernel_cap_t cap_set_effective(const kernel_cap_t pE_new) | |
169 | { | |
170 | kernel_cap_t pE_old; | |
171 | ||
172 | spin_lock(&task_capability_lock); | |
173 | ||
174 | pE_old = current->cap_effective; | |
175 | current->cap_effective = pE_new; | |
176 | ||
177 | spin_unlock(&task_capability_lock); | |
178 | ||
179 | return pE_old; | |
180 | } | |
181 | ||
182 | EXPORT_SYMBOL(cap_set_effective); | |
183 | ||
207a7ba8 | 184 | /** |
1da177e4 | 185 | * sys_capget - get the capabilities of a given process. |
207a7ba8 RD |
186 | * @header: pointer to struct that contains capability version and |
187 | * target pid data | |
188 | * @dataptr: pointer to struct that contains the effective, permitted, | |
189 | * and inheritable capabilities that are returned | |
190 | * | |
191 | * Returns 0 on success and < 0 on error. | |
1da177e4 LT |
192 | */ |
193 | asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) | |
194 | { | |
314f70fd DW |
195 | int ret = 0; |
196 | pid_t pid; | |
e338d263 AM |
197 | unsigned tocopy; |
198 | kernel_cap_t pE, pI, pP; | |
314f70fd | 199 | |
ca05a99a AM |
200 | ret = cap_validate_magic(header, &tocopy); |
201 | if (ret != 0) | |
202 | return ret; | |
1da177e4 | 203 | |
314f70fd DW |
204 | if (get_user(pid, &header->pid)) |
205 | return -EFAULT; | |
1da177e4 | 206 | |
314f70fd DW |
207 | if (pid < 0) |
208 | return -EINVAL; | |
1da177e4 | 209 | |
ab763c71 | 210 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
1da177e4 | 211 | |
e338d263 | 212 | if (!ret) { |
ca05a99a | 213 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263 AM |
214 | unsigned i; |
215 | ||
216 | for (i = 0; i < tocopy; i++) { | |
217 | kdata[i].effective = pE.cap[i]; | |
218 | kdata[i].permitted = pP.cap[i]; | |
219 | kdata[i].inheritable = pI.cap[i]; | |
220 | } | |
221 | ||
222 | /* | |
ca05a99a | 223 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
e338d263 AM |
224 | * we silently drop the upper capabilities here. This |
225 | * has the effect of making older libcap | |
226 | * implementations implicitly drop upper capability | |
227 | * bits when they perform a: capget/modify/capset | |
228 | * sequence. | |
229 | * | |
230 | * This behavior is considered fail-safe | |
231 | * behavior. Upgrading the application to a newer | |
232 | * version of libcap will enable access to the newer | |
233 | * capabilities. | |
234 | * | |
235 | * An alternative would be to return an error here | |
236 | * (-ERANGE), but that causes legacy applications to | |
237 | * unexpectidly fail; the capget/modify/capset aborts | |
238 | * before modification is attempted and the application | |
239 | * fails. | |
240 | */ | |
e338d263 AM |
241 | if (copy_to_user(dataptr, kdata, tocopy |
242 | * sizeof(struct __user_cap_data_struct))) { | |
243 | return -EFAULT; | |
244 | } | |
245 | } | |
1da177e4 | 246 | |
314f70fd | 247 | return ret; |
1da177e4 LT |
248 | } |
249 | ||
207a7ba8 | 250 | /** |
ab763c71 | 251 | * sys_capset - set capabilities for a process or (*) a group of processes |
207a7ba8 RD |
252 | * @header: pointer to struct that contains capability version and |
253 | * target pid data | |
254 | * @data: pointer to struct that contains the effective, permitted, | |
255 | * and inheritable capabilities | |
256 | * | |
1cdcbec1 DH |
257 | * Set capabilities for the current process only. The ability to any other |
258 | * process(es) has been deprecated and removed. | |
1da177e4 LT |
259 | * |
260 | * The restrictions on setting capabilities are specified as: | |
261 | * | |
1cdcbec1 DH |
262 | * I: any raised capabilities must be a subset of the old permitted |
263 | * P: any raised capabilities must be a subset of the old permitted | |
264 | * E: must be set to a subset of new permitted | |
207a7ba8 RD |
265 | * |
266 | * Returns 0 on success and < 0 on error. | |
1da177e4 LT |
267 | */ |
268 | asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) | |
269 | { | |
ca05a99a | 270 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
e338d263 | 271 | unsigned i, tocopy; |
314f70fd | 272 | kernel_cap_t inheritable, permitted, effective; |
314f70fd DW |
273 | int ret; |
274 | pid_t pid; | |
275 | ||
ca05a99a AM |
276 | ret = cap_validate_magic(header, &tocopy); |
277 | if (ret != 0) | |
278 | return ret; | |
314f70fd DW |
279 | |
280 | if (get_user(pid, &header->pid)) | |
281 | return -EFAULT; | |
282 | ||
1cdcbec1 DH |
283 | /* may only affect current now */ |
284 | if (pid != 0 && pid != task_pid_vnr(current)) | |
285 | return -EPERM; | |
286 | ||
e338d263 | 287 | if (copy_from_user(&kdata, data, tocopy |
1cdcbec1 | 288 | * sizeof(struct __user_cap_data_struct))) |
314f70fd | 289 | return -EFAULT; |
e338d263 AM |
290 | |
291 | for (i = 0; i < tocopy; i++) { | |
292 | effective.cap[i] = kdata[i].effective; | |
293 | permitted.cap[i] = kdata[i].permitted; | |
294 | inheritable.cap[i] = kdata[i].inheritable; | |
295 | } | |
ca05a99a | 296 | while (i < _KERNEL_CAPABILITY_U32S) { |
e338d263 AM |
297 | effective.cap[i] = 0; |
298 | permitted.cap[i] = 0; | |
299 | inheritable.cap[i] = 0; | |
300 | i++; | |
301 | } | |
314f70fd | 302 | |
e68b75a0 EP |
303 | ret = audit_log_capset(pid, &effective, &inheritable, &permitted); |
304 | if (ret) | |
305 | return ret; | |
306 | ||
1cdcbec1 DH |
307 | /* This lock is required even when filesystem capability support is |
308 | * configured - it protects the sys_capget() call from returning | |
309 | * incorrect data in the case that the targeted process is not the | |
310 | * current one. | |
311 | */ | |
312 | spin_lock(&task_capability_lock); | |
1da177e4 | 313 | |
1cdcbec1 DH |
314 | ret = security_capset_check(&effective, &inheritable, &permitted); |
315 | /* Having verified that the proposed changes are legal, we now put them | |
316 | * into effect. | |
317 | */ | |
318 | if (!ret) | |
319 | security_capset_set(&effective, &inheritable, &permitted); | |
320 | spin_unlock(&task_capability_lock); | |
314f70fd | 321 | return ret; |
1da177e4 | 322 | } |
12b5989b | 323 | |
5cd9c58f DH |
324 | /** |
325 | * capable - Determine if the current task has a superior capability in effect | |
326 | * @cap: The capability to be tested for | |
327 | * | |
328 | * Return true if the current task has the given superior capability currently | |
329 | * available for use, false if not. | |
330 | * | |
331 | * This sets PF_SUPERPRIV on the task if the capability is available on the | |
332 | * assumption that it's about to be used. | |
333 | */ | |
334 | int capable(int cap) | |
12b5989b | 335 | { |
637d32dc EP |
336 | if (unlikely(!cap_valid(cap))) { |
337 | printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); | |
338 | BUG(); | |
339 | } | |
340 | ||
5cd9c58f DH |
341 | if (has_capability(current, cap)) { |
342 | current->flags |= PF_SUPERPRIV; | |
12b5989b CW |
343 | return 1; |
344 | } | |
345 | return 0; | |
346 | } | |
12b5989b | 347 | EXPORT_SYMBOL(capable); |