1 /* 2 * linux/kernel/capability.c 3 * 4 * Copyright (C) 1997 Andrew Main <zefram@fysh.org> 5 * 6 * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> 7 * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> 8 */ 9 10 #include <linux/audit.h> 11 #include <linux/capability.h> 12 #include <linux/mm.h> 13 #include <linux/module.h> 14 #include <linux/security.h> 15 #include <linux/syscalls.h> 16 #include <linux/pid_namespace.h> 17 #include <asm/uaccess.h> 18 19 /* 20 * This lock protects task->cap_* for all tasks including current. 21 * Locking rule: acquire this prior to tasklist_lock. 22 */ 23 static DEFINE_SPINLOCK(task_capability_lock); 24 25 /* 26 * Leveraged for setting/resetting capabilities 27 */ 28 29 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; 30 const kernel_cap_t __cap_full_set = CAP_FULL_SET; 31 const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; 32 33 EXPORT_SYMBOL(__cap_empty_set); 34 EXPORT_SYMBOL(__cap_full_set); 35 EXPORT_SYMBOL(__cap_init_eff_set); 36 37 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES 38 int file_caps_enabled = 1; 39 40 static int __init file_caps_disable(char *str) 41 { 42 file_caps_enabled = 0; 43 return 1; 44 } 45 __setup("no_file_caps", file_caps_disable); 46 #endif 47 48 /* 49 * More recent versions of libcap are available from: 50 * 51 * http://www.kernel.org/pub/linux/libs/security/linux-privs/ 52 */ 53 54 static void warn_legacy_capability_use(void) 55 { 56 static int warned; 57 if (!warned) { 58 char name[sizeof(current->comm)]; 59 60 printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" 61 " (legacy support in use)\n", 62 get_task_comm(name, current)); 63 warned = 1; 64 } 65 } 66 67 /* 68 * Version 2 capabilities worked fine, but the linux/capability.h file 69 * that accompanied their introduction encouraged their use without 70 * the necessary user-space source code changes. As such, we have 71 * created a version 3 with equivalent functionality to version 2, but 72 * with a header change to protect legacy source code from using 73 * version 2 when it wanted to use version 1. If your system has code 74 * that trips the following warning, it is using version 2 specific 75 * capabilities and may be doing so insecurely. 76 * 77 * The remedy is to either upgrade your version of libcap (to 2.10+, 78 * if the application is linked against it), or recompile your 79 * application with modern kernel headers and this warning will go 80 * away. 81 */ 82 83 static void warn_deprecated_v2(void) 84 { 85 static int warned; 86 87 if (!warned) { 88 char name[sizeof(current->comm)]; 89 90 printk(KERN_INFO "warning: `%s' uses deprecated v2" 91 " capabilities in a way that may be insecure.\n", 92 get_task_comm(name, current)); 93 warned = 1; 94 } 95 } 96 97 /* 98 * Version check. Return the number of u32s in each capability flag 99 * array, or a negative value on error. 100 */ 101 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) 102 { 103 __u32 version; 104 105 if (get_user(version, &header->version)) 106 return -EFAULT; 107 108 switch (version) { 109 case _LINUX_CAPABILITY_VERSION_1: 110 warn_legacy_capability_use(); 111 *tocopy = _LINUX_CAPABILITY_U32S_1; 112 break; 113 case _LINUX_CAPABILITY_VERSION_2: 114 warn_deprecated_v2(); 115 /* 116 * fall through - v3 is otherwise equivalent to v2. 117 */ 118 case _LINUX_CAPABILITY_VERSION_3: 119 *tocopy = _LINUX_CAPABILITY_U32S_3; 120 break; 121 default: 122 if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) 123 return -EFAULT; 124 return -EINVAL; 125 } 126 127 return 0; 128 } 129 130 /* 131 * If we have configured with filesystem capability support, then the 132 * only thing that can change the capabilities of the current process 133 * is the current process. As such, we can't be in this code at the 134 * same time as we are in the process of setting capabilities in this 135 * process. The net result is that we can limit our use of locks to 136 * when we are reading the caps of another process. 137 */ 138 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, 139 kernel_cap_t *pIp, kernel_cap_t *pPp) 140 { 141 int ret; 142 143 if (pid && (pid != task_pid_vnr(current))) { 144 struct task_struct *target; 145 146 spin_lock(&task_capability_lock); 147 read_lock(&tasklist_lock); 148 149 target = find_task_by_vpid(pid); 150 if (!target) 151 ret = -ESRCH; 152 else 153 ret = security_capget(target, pEp, pIp, pPp); 154 155 read_unlock(&tasklist_lock); 156 spin_unlock(&task_capability_lock); 157 } else 158 ret = security_capget(current, pEp, pIp, pPp); 159 160 return ret; 161 } 162 163 /* 164 * Atomically modify the effective capabilities returning the original 165 * value. No permission check is performed here - it is assumed that the 166 * caller is permitted to set the desired effective capabilities. 167 */ 168 kernel_cap_t cap_set_effective(const kernel_cap_t pE_new) 169 { 170 kernel_cap_t pE_old; 171 172 spin_lock(&task_capability_lock); 173 174 pE_old = current->cred->cap_effective; 175 current->cred->cap_effective = pE_new; 176 177 spin_unlock(&task_capability_lock); 178 179 return pE_old; 180 } 181 182 EXPORT_SYMBOL(cap_set_effective); 183 184 /** 185 * sys_capget - get the capabilities of a given process. 186 * @header: pointer to struct that contains capability version and 187 * target pid data 188 * @dataptr: pointer to struct that contains the effective, permitted, 189 * and inheritable capabilities that are returned 190 * 191 * Returns 0 on success and < 0 on error. 192 */ 193 asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) 194 { 195 int ret = 0; 196 pid_t pid; 197 unsigned tocopy; 198 kernel_cap_t pE, pI, pP; 199 200 ret = cap_validate_magic(header, &tocopy); 201 if (ret != 0) 202 return ret; 203 204 if (get_user(pid, &header->pid)) 205 return -EFAULT; 206 207 if (pid < 0) 208 return -EINVAL; 209 210 ret = cap_get_target_pid(pid, &pE, &pI, &pP); 211 212 if (!ret) { 213 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; 214 unsigned i; 215 216 for (i = 0; i < tocopy; i++) { 217 kdata[i].effective = pE.cap[i]; 218 kdata[i].permitted = pP.cap[i]; 219 kdata[i].inheritable = pI.cap[i]; 220 } 221 222 /* 223 * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, 224 * we silently drop the upper capabilities here. This 225 * has the effect of making older libcap 226 * implementations implicitly drop upper capability 227 * bits when they perform a: capget/modify/capset 228 * sequence. 229 * 230 * This behavior is considered fail-safe 231 * behavior. Upgrading the application to a newer 232 * version of libcap will enable access to the newer 233 * capabilities. 234 * 235 * An alternative would be to return an error here 236 * (-ERANGE), but that causes legacy applications to 237 * unexpectidly fail; the capget/modify/capset aborts 238 * before modification is attempted and the application 239 * fails. 240 */ 241 if (copy_to_user(dataptr, kdata, tocopy 242 * sizeof(struct __user_cap_data_struct))) { 243 return -EFAULT; 244 } 245 } 246 247 return ret; 248 } 249 250 /** 251 * sys_capset - set capabilities for a process or (*) a group of processes 252 * @header: pointer to struct that contains capability version and 253 * target pid data 254 * @data: pointer to struct that contains the effective, permitted, 255 * and inheritable capabilities 256 * 257 * Set capabilities for the current process only. The ability to any other 258 * process(es) has been deprecated and removed. 259 * 260 * The restrictions on setting capabilities are specified as: 261 * 262 * I: any raised capabilities must be a subset of the old permitted 263 * P: any raised capabilities must be a subset of the old permitted 264 * E: must be set to a subset of new permitted 265 * 266 * Returns 0 on success and < 0 on error. 267 */ 268 asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) 269 { 270 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; 271 unsigned i, tocopy; 272 kernel_cap_t inheritable, permitted, effective; 273 int ret; 274 pid_t pid; 275 276 ret = cap_validate_magic(header, &tocopy); 277 if (ret != 0) 278 return ret; 279 280 if (get_user(pid, &header->pid)) 281 return -EFAULT; 282 283 /* may only affect current now */ 284 if (pid != 0 && pid != task_pid_vnr(current)) 285 return -EPERM; 286 287 if (copy_from_user(&kdata, data, tocopy 288 * sizeof(struct __user_cap_data_struct))) 289 return -EFAULT; 290 291 for (i = 0; i < tocopy; i++) { 292 effective.cap[i] = kdata[i].effective; 293 permitted.cap[i] = kdata[i].permitted; 294 inheritable.cap[i] = kdata[i].inheritable; 295 } 296 while (i < _KERNEL_CAPABILITY_U32S) { 297 effective.cap[i] = 0; 298 permitted.cap[i] = 0; 299 inheritable.cap[i] = 0; 300 i++; 301 } 302 303 ret = audit_log_capset(pid, &effective, &inheritable, &permitted); 304 if (ret) 305 return ret; 306 307 /* This lock is required even when filesystem capability support is 308 * configured - it protects the sys_capget() call from returning 309 * incorrect data in the case that the targeted process is not the 310 * current one. 311 */ 312 spin_lock(&task_capability_lock); 313 314 ret = security_capset_check(&effective, &inheritable, &permitted); 315 /* Having verified that the proposed changes are legal, we now put them 316 * into effect. 317 */ 318 if (!ret) 319 security_capset_set(&effective, &inheritable, &permitted); 320 spin_unlock(&task_capability_lock); 321 return ret; 322 } 323 324 /** 325 * capable - Determine if the current task has a superior capability in effect 326 * @cap: The capability to be tested for 327 * 328 * Return true if the current task has the given superior capability currently 329 * available for use, false if not. 330 * 331 * This sets PF_SUPERPRIV on the task if the capability is available on the 332 * assumption that it's about to be used. 333 */ 334 int capable(int cap) 335 { 336 if (unlikely(!cap_valid(cap))) { 337 printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap); 338 BUG(); 339 } 340 341 if (has_capability(current, cap)) { 342 current->flags |= PF_SUPERPRIV; 343 return 1; 344 } 345 return 0; 346 } 347 EXPORT_SYMBOL(capable); 348