1 /* 2 * linux/kernel/capability.c 3 * 4 * Copyright (C) 1997 Andrew Main <zefram@fysh.org> 5 * 6 * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> 7 * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/mm.h> 12 #include <linux/module.h> 13 #include <linux/security.h> 14 #include <linux/syscalls.h> 15 #include <linux/pid_namespace.h> 16 #include <asm/uaccess.h> 17 18 /* 19 * This lock protects task->cap_* for all tasks including current. 20 * Locking rule: acquire this prior to tasklist_lock. 21 */ 22 static DEFINE_SPINLOCK(task_capability_lock); 23 24 /* 25 * Leveraged for setting/resetting capabilities 26 */ 27 28 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET; 29 const kernel_cap_t __cap_full_set = CAP_FULL_SET; 30 const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; 31 32 EXPORT_SYMBOL(__cap_empty_set); 33 EXPORT_SYMBOL(__cap_full_set); 34 EXPORT_SYMBOL(__cap_init_eff_set); 35 36 /* 37 * More recent versions of libcap are available from: 38 * 39 * http://www.kernel.org/pub/linux/libs/security/linux-privs/ 40 */ 41 42 static void warn_legacy_capability_use(void) 43 { 44 static int warned; 45 if (!warned) { 46 char name[sizeof(current->comm)]; 47 48 printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" 49 " (legacy support in use)\n", 50 get_task_comm(name, current)); 51 warned = 1; 52 } 53 } 54 55 /* 56 * Version 2 capabilities worked fine, but the linux/capability.h file 57 * that accompanied their introduction encouraged their use without 58 * the necessary user-space source code changes. As such, we have 59 * created a version 3 with equivalent functionality to version 2, but 60 * with a header change to protect legacy source code from using 61 * version 2 when it wanted to use version 1. If your system has code 62 * that trips the following warning, it is using version 2 specific 63 * capabilities and may be doing so insecurely. 64 * 65 * The remedy is to either upgrade your version of libcap (to 2.10+, 66 * if the application is linked against it), or recompile your 67 * application with modern kernel headers and this warning will go 68 * away. 69 */ 70 71 static void warn_deprecated_v2(void) 72 { 73 static int warned; 74 75 if (!warned) { 76 char name[sizeof(current->comm)]; 77 78 printk(KERN_INFO "warning: `%s' uses deprecated v2" 79 " capabilities in a way that may be insecure.\n", 80 get_task_comm(name, current)); 81 warned = 1; 82 } 83 } 84 85 /* 86 * Version check. Return the number of u32s in each capability flag 87 * array, or a negative value on error. 88 */ 89 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) 90 { 91 __u32 version; 92 93 if (get_user(version, &header->version)) 94 return -EFAULT; 95 96 switch (version) { 97 case _LINUX_CAPABILITY_VERSION_1: 98 warn_legacy_capability_use(); 99 *tocopy = _LINUX_CAPABILITY_U32S_1; 100 break; 101 case _LINUX_CAPABILITY_VERSION_2: 102 warn_deprecated_v2(); 103 /* 104 * fall through - v3 is otherwise equivalent to v2. 105 */ 106 case _LINUX_CAPABILITY_VERSION_3: 107 *tocopy = _LINUX_CAPABILITY_U32S_3; 108 break; 109 default: 110 if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) 111 return -EFAULT; 112 return -EINVAL; 113 } 114 115 return 0; 116 } 117 118 #ifndef CONFIG_SECURITY_FILE_CAPABILITIES 119 120 /* 121 * Without filesystem capability support, we nominally support one process 122 * setting the capabilities of another 123 */ 124 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, 125 kernel_cap_t *pIp, kernel_cap_t *pPp) 126 { 127 struct task_struct *target; 128 int ret; 129 130 spin_lock(&task_capability_lock); 131 read_lock(&tasklist_lock); 132 133 if (pid && pid != task_pid_vnr(current)) { 134 target = find_task_by_vpid(pid); 135 if (!target) { 136 ret = -ESRCH; 137 goto out; 138 } 139 } else 140 target = current; 141 142 ret = security_capget(target, pEp, pIp, pPp); 143 144 out: 145 read_unlock(&tasklist_lock); 146 spin_unlock(&task_capability_lock); 147 148 return ret; 149 } 150 151 /* 152 * cap_set_pg - set capabilities for all processes in a given process 153 * group. We call this holding task_capability_lock and tasklist_lock. 154 */ 155 static inline int cap_set_pg(int pgrp_nr, kernel_cap_t *effective, 156 kernel_cap_t *inheritable, 157 kernel_cap_t *permitted) 158 { 159 struct task_struct *g, *target; 160 int ret = -EPERM; 161 int found = 0; 162 struct pid *pgrp; 163 164 spin_lock(&task_capability_lock); 165 read_lock(&tasklist_lock); 166 167 pgrp = find_vpid(pgrp_nr); 168 do_each_pid_task(pgrp, PIDTYPE_PGID, g) { 169 target = g; 170 while_each_thread(g, target) { 171 if (!security_capset_check(target, effective, 172 inheritable, permitted)) { 173 security_capset_set(target, effective, 174 inheritable, permitted); 175 ret = 0; 176 } 177 found = 1; 178 } 179 } while_each_pid_task(pgrp, PIDTYPE_PGID, g); 180 181 read_unlock(&tasklist_lock); 182 spin_unlock(&task_capability_lock); 183 184 if (!found) 185 ret = 0; 186 return ret; 187 } 188 189 /* 190 * cap_set_all - set capabilities for all processes other than init 191 * and self. We call this holding task_capability_lock and tasklist_lock. 192 */ 193 static inline int cap_set_all(kernel_cap_t *effective, 194 kernel_cap_t *inheritable, 195 kernel_cap_t *permitted) 196 { 197 struct task_struct *g, *target; 198 int ret = -EPERM; 199 int found = 0; 200 201 spin_lock(&task_capability_lock); 202 read_lock(&tasklist_lock); 203 204 do_each_thread(g, target) { 205 if (target == current 206 || is_container_init(target->group_leader)) 207 continue; 208 found = 1; 209 if (security_capset_check(target, effective, inheritable, 210 permitted)) 211 continue; 212 ret = 0; 213 security_capset_set(target, effective, inheritable, permitted); 214 } while_each_thread(g, target); 215 216 read_unlock(&tasklist_lock); 217 spin_unlock(&task_capability_lock); 218 219 if (!found) 220 ret = 0; 221 222 return ret; 223 } 224 225 /* 226 * Given the target pid does not refer to the current process we 227 * need more elaborate support... (This support is not present when 228 * filesystem capabilities are configured.) 229 */ 230 static inline int do_sys_capset_other_tasks(pid_t pid, kernel_cap_t *effective, 231 kernel_cap_t *inheritable, 232 kernel_cap_t *permitted) 233 { 234 struct task_struct *target; 235 int ret; 236 237 if (!capable(CAP_SETPCAP)) 238 return -EPERM; 239 240 if (pid == -1) /* all procs other than current and init */ 241 return cap_set_all(effective, inheritable, permitted); 242 243 else if (pid < 0) /* all procs in process group */ 244 return cap_set_pg(-pid, effective, inheritable, permitted); 245 246 /* target != current */ 247 spin_lock(&task_capability_lock); 248 read_lock(&tasklist_lock); 249 250 target = find_task_by_vpid(pid); 251 if (!target) 252 ret = -ESRCH; 253 else { 254 ret = security_capset_check(target, effective, inheritable, 255 permitted); 256 257 /* having verified that the proposed changes are legal, 258 we now put them into effect. */ 259 if (!ret) 260 security_capset_set(target, effective, inheritable, 261 permitted); 262 } 263 264 read_unlock(&tasklist_lock); 265 spin_unlock(&task_capability_lock); 266 267 return ret; 268 } 269 270 #else /* ie., def CONFIG_SECURITY_FILE_CAPABILITIES */ 271 272 /* 273 * If we have configured with filesystem capability support, then the 274 * only thing that can change the capabilities of the current process 275 * is the current process. As such, we can't be in this code at the 276 * same time as we are in the process of setting capabilities in this 277 * process. The net result is that we can limit our use of locks to 278 * when we are reading the caps of another process. 279 */ 280 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, 281 kernel_cap_t *pIp, kernel_cap_t *pPp) 282 { 283 int ret; 284 285 if (pid && (pid != task_pid_vnr(current))) { 286 struct task_struct *target; 287 288 spin_lock(&task_capability_lock); 289 read_lock(&tasklist_lock); 290 291 target = find_task_by_vpid(pid); 292 if (!target) 293 ret = -ESRCH; 294 else 295 ret = security_capget(target, pEp, pIp, pPp); 296 297 read_unlock(&tasklist_lock); 298 spin_unlock(&task_capability_lock); 299 } else 300 ret = security_capget(current, pEp, pIp, pPp); 301 302 return ret; 303 } 304 305 /* 306 * With filesystem capability support configured, the kernel does not 307 * permit the changing of capabilities in one process by another 308 * process. (CAP_SETPCAP has much less broad semantics when configured 309 * this way.) 310 */ 311 static inline int do_sys_capset_other_tasks(pid_t pid, 312 kernel_cap_t *effective, 313 kernel_cap_t *inheritable, 314 kernel_cap_t *permitted) 315 { 316 return -EPERM; 317 } 318 319 #endif /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ 320 321 /* 322 * Atomically modify the effective capabilities returning the original 323 * value. No permission check is performed here - it is assumed that the 324 * caller is permitted to set the desired effective capabilities. 325 */ 326 kernel_cap_t cap_set_effective(const kernel_cap_t pE_new) 327 { 328 kernel_cap_t pE_old; 329 330 spin_lock(&task_capability_lock); 331 332 pE_old = current->cap_effective; 333 current->cap_effective = pE_new; 334 335 spin_unlock(&task_capability_lock); 336 337 return pE_old; 338 } 339 340 EXPORT_SYMBOL(cap_set_effective); 341 342 /** 343 * sys_capget - get the capabilities of a given process. 344 * @header: pointer to struct that contains capability version and 345 * target pid data 346 * @dataptr: pointer to struct that contains the effective, permitted, 347 * and inheritable capabilities that are returned 348 * 349 * Returns 0 on success and < 0 on error. 350 */ 351 asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) 352 { 353 int ret = 0; 354 pid_t pid; 355 unsigned tocopy; 356 kernel_cap_t pE, pI, pP; 357 358 ret = cap_validate_magic(header, &tocopy); 359 if (ret != 0) 360 return ret; 361 362 if (get_user(pid, &header->pid)) 363 return -EFAULT; 364 365 if (pid < 0) 366 return -EINVAL; 367 368 ret = cap_get_target_pid(pid, &pE, &pI, &pP); 369 370 if (!ret) { 371 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; 372 unsigned i; 373 374 for (i = 0; i < tocopy; i++) { 375 kdata[i].effective = pE.cap[i]; 376 kdata[i].permitted = pP.cap[i]; 377 kdata[i].inheritable = pI.cap[i]; 378 } 379 380 /* 381 * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, 382 * we silently drop the upper capabilities here. This 383 * has the effect of making older libcap 384 * implementations implicitly drop upper capability 385 * bits when they perform a: capget/modify/capset 386 * sequence. 387 * 388 * This behavior is considered fail-safe 389 * behavior. Upgrading the application to a newer 390 * version of libcap will enable access to the newer 391 * capabilities. 392 * 393 * An alternative would be to return an error here 394 * (-ERANGE), but that causes legacy applications to 395 * unexpectidly fail; the capget/modify/capset aborts 396 * before modification is attempted and the application 397 * fails. 398 */ 399 if (copy_to_user(dataptr, kdata, tocopy 400 * sizeof(struct __user_cap_data_struct))) { 401 return -EFAULT; 402 } 403 } 404 405 return ret; 406 } 407 408 /** 409 * sys_capset - set capabilities for a process or (*) a group of processes 410 * @header: pointer to struct that contains capability version and 411 * target pid data 412 * @data: pointer to struct that contains the effective, permitted, 413 * and inheritable capabilities 414 * 415 * Set capabilities for a given process, all processes, or all 416 * processes in a given process group. 417 * 418 * The restrictions on setting capabilities are specified as: 419 * 420 * [pid is for the 'target' task. 'current' is the calling task.] 421 * 422 * I: any raised capabilities must be a subset of the (old current) permitted 423 * P: any raised capabilities must be a subset of the (old current) permitted 424 * E: must be set to a subset of (new target) permitted 425 * 426 * Returns 0 on success and < 0 on error. 427 */ 428 asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) 429 { 430 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; 431 unsigned i, tocopy; 432 kernel_cap_t inheritable, permitted, effective; 433 int ret; 434 pid_t pid; 435 436 ret = cap_validate_magic(header, &tocopy); 437 if (ret != 0) 438 return ret; 439 440 if (get_user(pid, &header->pid)) 441 return -EFAULT; 442 443 if (copy_from_user(&kdata, data, tocopy 444 * sizeof(struct __user_cap_data_struct))) { 445 return -EFAULT; 446 } 447 448 for (i = 0; i < tocopy; i++) { 449 effective.cap[i] = kdata[i].effective; 450 permitted.cap[i] = kdata[i].permitted; 451 inheritable.cap[i] = kdata[i].inheritable; 452 } 453 while (i < _KERNEL_CAPABILITY_U32S) { 454 effective.cap[i] = 0; 455 permitted.cap[i] = 0; 456 inheritable.cap[i] = 0; 457 i++; 458 } 459 460 if (pid && (pid != task_pid_vnr(current))) 461 ret = do_sys_capset_other_tasks(pid, &effective, &inheritable, 462 &permitted); 463 else { 464 /* 465 * This lock is required even when filesystem 466 * capability support is configured - it protects the 467 * sys_capget() call from returning incorrect data in 468 * the case that the targeted process is not the 469 * current one. 470 */ 471 spin_lock(&task_capability_lock); 472 473 ret = security_capset_check(current, &effective, &inheritable, 474 &permitted); 475 /* 476 * Having verified that the proposed changes are 477 * legal, we now put them into effect. 478 */ 479 if (!ret) 480 security_capset_set(current, &effective, &inheritable, 481 &permitted); 482 spin_unlock(&task_capability_lock); 483 } 484 485 486 return ret; 487 } 488 489 /** 490 * capable - Determine if the current task has a superior capability in effect 491 * @cap: The capability to be tested for 492 * 493 * Return true if the current task has the given superior capability currently 494 * available for use, false if not. 495 * 496 * This sets PF_SUPERPRIV on the task if the capability is available on the 497 * assumption that it's about to be used. 498 */ 499 int capable(int cap) 500 { 501 if (has_capability(current, cap)) { 502 current->flags |= PF_SUPERPRIV; 503 return 1; 504 } 505 return 0; 506 } 507 EXPORT_SYMBOL(capable); 508