Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | /* |
| 2 | * linux/kernel/capability.c |
| 3 | * |
| 4 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> |
| 5 | * |
Andrew Morgan | 72c2d58 | 2007-10-18 03:05:59 -0700 | [diff] [blame] | 6 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 8 | */ |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 9 | |
Eric Paris | e68b75a0 | 2008-11-11 21:48:22 +1100 | [diff] [blame] | 10 | #include <linux/audit.h> |
Randy.Dunlap | c59ede7 | 2006-01-11 12:17:46 -0800 | [diff] [blame] | 11 | #include <linux/capability.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 12 | #include <linux/mm.h> |
| 13 | #include <linux/module.h> |
| 14 | #include <linux/security.h> |
| 15 | #include <linux/syscalls.h> |
Serge E. Hallyn | b460cbc | 2007-10-18 23:39:52 -0700 | [diff] [blame] | 16 | #include <linux/pid_namespace.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 17 | #include <asm/uaccess.h> |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 18 | #include "cred-internals.h" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 19 | |
| 20 | /* |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 21 | * Leveraged for setting/resetting capabilities |
| 22 | */ |
| 23 | |
| 24 | const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; |
| 25 | const kernel_cap_t __cap_full_set = CAP_FULL_SET; |
| 26 | const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; |
| 27 | |
| 28 | EXPORT_SYMBOL(__cap_empty_set); |
| 29 | EXPORT_SYMBOL(__cap_full_set); |
| 30 | EXPORT_SYMBOL(__cap_init_eff_set); |
| 31 | |
Serge E. Hallyn | 1f29fae | 2008-11-05 16:08:52 -0600 | [diff] [blame] | 32 | int file_caps_enabled = 1; |
| 33 | |
| 34 | static int __init file_caps_disable(char *str) |
| 35 | { |
| 36 | file_caps_enabled = 0; |
| 37 | return 1; |
| 38 | } |
| 39 | __setup("no_file_caps", file_caps_disable); |
Serge E. Hallyn | 1f29fae | 2008-11-05 16:08:52 -0600 | [diff] [blame] | 40 | |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 41 | /* |
| 42 | * More recent versions of libcap are available from: |
| 43 | * |
| 44 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
| 45 | */ |
| 46 | |
| 47 | static void warn_legacy_capability_use(void) |
| 48 | { |
| 49 | static int warned; |
| 50 | if (!warned) { |
| 51 | char name[sizeof(current->comm)]; |
| 52 | |
| 53 | printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" |
| 54 | " (legacy support in use)\n", |
| 55 | get_task_comm(name, current)); |
| 56 | warned = 1; |
| 57 | } |
| 58 | } |
| 59 | |
| 60 | /* |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 61 | * Version 2 capabilities worked fine, but the linux/capability.h file |
| 62 | * that accompanied their introduction encouraged their use without |
| 63 | * the necessary user-space source code changes. As such, we have |
| 64 | * created a version 3 with equivalent functionality to version 2, but |
| 65 | * with a header change to protect legacy source code from using |
| 66 | * version 2 when it wanted to use version 1. If your system has code |
| 67 | * that trips the following warning, it is using version 2 specific |
| 68 | * capabilities and may be doing so insecurely. |
| 69 | * |
| 70 | * The remedy is to either upgrade your version of libcap (to 2.10+, |
| 71 | * if the application is linked against it), or recompile your |
| 72 | * application with modern kernel headers and this warning will go |
| 73 | * away. |
| 74 | */ |
| 75 | |
| 76 | static void warn_deprecated_v2(void) |
| 77 | { |
| 78 | static int warned; |
| 79 | |
| 80 | if (!warned) { |
| 81 | char name[sizeof(current->comm)]; |
| 82 | |
| 83 | printk(KERN_INFO "warning: `%s' uses deprecated v2" |
| 84 | " capabilities in a way that may be insecure.\n", |
| 85 | get_task_comm(name, current)); |
| 86 | warned = 1; |
| 87 | } |
| 88 | } |
| 89 | |
| 90 | /* |
| 91 | * Version check. Return the number of u32s in each capability flag |
| 92 | * array, or a negative value on error. |
| 93 | */ |
| 94 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) |
| 95 | { |
| 96 | __u32 version; |
| 97 | |
| 98 | if (get_user(version, &header->version)) |
| 99 | return -EFAULT; |
| 100 | |
| 101 | switch (version) { |
| 102 | case _LINUX_CAPABILITY_VERSION_1: |
| 103 | warn_legacy_capability_use(); |
| 104 | *tocopy = _LINUX_CAPABILITY_U32S_1; |
| 105 | break; |
| 106 | case _LINUX_CAPABILITY_VERSION_2: |
| 107 | warn_deprecated_v2(); |
| 108 | /* |
| 109 | * fall through - v3 is otherwise equivalent to v2. |
| 110 | */ |
| 111 | case _LINUX_CAPABILITY_VERSION_3: |
| 112 | *tocopy = _LINUX_CAPABILITY_U32S_3; |
| 113 | break; |
| 114 | default: |
| 115 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) |
| 116 | return -EFAULT; |
| 117 | return -EINVAL; |
| 118 | } |
| 119 | |
| 120 | return 0; |
| 121 | } |
| 122 | |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 123 | /* |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 124 | * The only thing that can change the capabilities of the current |
| 125 | * process is the current process. As such, we can't be in this code |
| 126 | * at the same time as we are in the process of setting capabilities |
| 127 | * in this process. The net result is that we can limit our use of |
| 128 | * locks to when we are reading the caps of another process. |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 129 | */ |
| 130 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, |
| 131 | kernel_cap_t *pIp, kernel_cap_t *pPp) |
| 132 | { |
| 133 | int ret; |
| 134 | |
| 135 | if (pid && (pid != task_pid_vnr(current))) { |
| 136 | struct task_struct *target; |
| 137 | |
Thomas Gleixner | 86fc80f | 2009-12-09 17:13:31 +0100 | [diff] [blame^] | 138 | rcu_read_lock(); |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 139 | |
| 140 | target = find_task_by_vpid(pid); |
| 141 | if (!target) |
| 142 | ret = -ESRCH; |
| 143 | else |
| 144 | ret = security_capget(target, pEp, pIp, pPp); |
| 145 | |
Thomas Gleixner | 86fc80f | 2009-12-09 17:13:31 +0100 | [diff] [blame^] | 146 | rcu_read_unlock(); |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 147 | } else |
| 148 | ret = security_capget(current, pEp, pIp, pPp); |
| 149 | |
| 150 | return ret; |
| 151 | } |
| 152 | |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 153 | /** |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 154 | * sys_capget - get the capabilities of a given process. |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 155 | * @header: pointer to struct that contains capability version and |
| 156 | * target pid data |
| 157 | * @dataptr: pointer to struct that contains the effective, permitted, |
| 158 | * and inheritable capabilities that are returned |
| 159 | * |
| 160 | * Returns 0 on success and < 0 on error. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 161 | */ |
Heiko Carstens | b290ebe | 2009-01-14 14:14:06 +0100 | [diff] [blame] | 162 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 163 | { |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 164 | int ret = 0; |
| 165 | pid_t pid; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 166 | unsigned tocopy; |
| 167 | kernel_cap_t pE, pI, pP; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 168 | |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 169 | ret = cap_validate_magic(header, &tocopy); |
Andrew G. Morgan | c4a5af5 | 2009-11-23 04:57:52 +0000 | [diff] [blame] | 170 | if ((dataptr == NULL) || (ret != 0)) |
| 171 | return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 172 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 173 | if (get_user(pid, &header->pid)) |
| 174 | return -EFAULT; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 175 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 176 | if (pid < 0) |
| 177 | return -EINVAL; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 178 | |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 179 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 180 | if (!ret) { |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 181 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 182 | unsigned i; |
| 183 | |
| 184 | for (i = 0; i < tocopy; i++) { |
| 185 | kdata[i].effective = pE.cap[i]; |
| 186 | kdata[i].permitted = pP.cap[i]; |
| 187 | kdata[i].inheritable = pI.cap[i]; |
| 188 | } |
| 189 | |
| 190 | /* |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 191 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 192 | * we silently drop the upper capabilities here. This |
| 193 | * has the effect of making older libcap |
| 194 | * implementations implicitly drop upper capability |
| 195 | * bits when they perform a: capget/modify/capset |
| 196 | * sequence. |
| 197 | * |
| 198 | * This behavior is considered fail-safe |
| 199 | * behavior. Upgrading the application to a newer |
| 200 | * version of libcap will enable access to the newer |
| 201 | * capabilities. |
| 202 | * |
| 203 | * An alternative would be to return an error here |
| 204 | * (-ERANGE), but that causes legacy applications to |
| 205 | * unexpectidly fail; the capget/modify/capset aborts |
| 206 | * before modification is attempted and the application |
| 207 | * fails. |
| 208 | */ |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 209 | if (copy_to_user(dataptr, kdata, tocopy |
| 210 | * sizeof(struct __user_cap_data_struct))) { |
| 211 | return -EFAULT; |
| 212 | } |
| 213 | } |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 214 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 215 | return ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 216 | } |
| 217 | |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 218 | /** |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 219 | * sys_capset - set capabilities for a process or (*) a group of processes |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 220 | * @header: pointer to struct that contains capability version and |
| 221 | * target pid data |
| 222 | * @data: pointer to struct that contains the effective, permitted, |
| 223 | * and inheritable capabilities |
| 224 | * |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 225 | * Set capabilities for the current process only. The ability to any other |
| 226 | * process(es) has been deprecated and removed. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 227 | * |
| 228 | * The restrictions on setting capabilities are specified as: |
| 229 | * |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 230 | * I: any raised capabilities must be a subset of the old permitted |
| 231 | * P: any raised capabilities must be a subset of the old permitted |
| 232 | * E: must be set to a subset of new permitted |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 233 | * |
| 234 | * Returns 0 on success and < 0 on error. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 235 | */ |
Heiko Carstens | b290ebe | 2009-01-14 14:14:06 +0100 | [diff] [blame] | 236 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 237 | { |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 238 | struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; |
Arjan van de Ven | 825332e | 2009-10-14 08:17:36 +1100 | [diff] [blame] | 239 | unsigned i, tocopy, copybytes; |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 240 | kernel_cap_t inheritable, permitted, effective; |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 241 | struct cred *new; |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 242 | int ret; |
| 243 | pid_t pid; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 244 | |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 245 | ret = cap_validate_magic(header, &tocopy); |
| 246 | if (ret != 0) |
| 247 | return ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 248 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 249 | if (get_user(pid, &header->pid)) |
| 250 | return -EFAULT; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 251 | |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 252 | /* may only affect current now */ |
| 253 | if (pid != 0 && pid != task_pid_vnr(current)) |
| 254 | return -EPERM; |
| 255 | |
Arjan van de Ven | 825332e | 2009-10-14 08:17:36 +1100 | [diff] [blame] | 256 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); |
| 257 | if (copybytes > sizeof(kdata)) |
| 258 | return -EFAULT; |
| 259 | |
| 260 | if (copy_from_user(&kdata, data, copybytes)) |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 261 | return -EFAULT; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 262 | |
| 263 | for (i = 0; i < tocopy; i++) { |
| 264 | effective.cap[i] = kdata[i].effective; |
| 265 | permitted.cap[i] = kdata[i].permitted; |
| 266 | inheritable.cap[i] = kdata[i].inheritable; |
| 267 | } |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 268 | while (i < _KERNEL_CAPABILITY_U32S) { |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 269 | effective.cap[i] = 0; |
| 270 | permitted.cap[i] = 0; |
| 271 | inheritable.cap[i] = 0; |
| 272 | i++; |
| 273 | } |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 274 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 275 | new = prepare_creds(); |
| 276 | if (!new) |
| 277 | return -ENOMEM; |
| 278 | |
| 279 | ret = security_capset(new, current_cred(), |
| 280 | &effective, &inheritable, &permitted); |
| 281 | if (ret < 0) |
| 282 | goto error; |
| 283 | |
Al Viro | 57f71a0 | 2009-01-04 14:52:57 -0500 | [diff] [blame] | 284 | audit_log_capset(pid, new, current_cred()); |
Eric Paris | e68b75a0 | 2008-11-11 21:48:22 +1100 | [diff] [blame] | 285 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 286 | return commit_creds(new); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 287 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 288 | error: |
| 289 | abort_creds(new); |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 290 | return ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 291 | } |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 292 | |
David Howells | 5cd9c58 | 2008-08-14 11:37:28 +0100 | [diff] [blame] | 293 | /** |
| 294 | * capable - Determine if the current task has a superior capability in effect |
| 295 | * @cap: The capability to be tested for |
| 296 | * |
| 297 | * Return true if the current task has the given superior capability currently |
| 298 | * available for use, false if not. |
| 299 | * |
| 300 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
| 301 | * assumption that it's about to be used. |
| 302 | */ |
| 303 | int capable(int cap) |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 304 | { |
Eric Paris | 637d32d | 2008-10-29 15:42:12 +1100 | [diff] [blame] | 305 | if (unlikely(!cap_valid(cap))) { |
| 306 | printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); |
| 307 | BUG(); |
| 308 | } |
| 309 | |
David Howells | 3699c53 | 2009-01-06 22:27:01 +0000 | [diff] [blame] | 310 | if (security_capable(cap) == 0) { |
David Howells | 5cd9c58 | 2008-08-14 11:37:28 +0100 | [diff] [blame] | 311 | current->flags |= PF_SUPERPRIV; |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 312 | return 1; |
| 313 | } |
| 314 | return 0; |
| 315 | } |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 316 | EXPORT_SYMBOL(capable); |