xref: /openbmc/linux/kernel/capability.c (revision a1e58bbd) 
1 /*
2  * linux/kernel/capability.c
3  *
4  * Copyright (C) 1997  Andrew Main <zefram@fysh.org>
5  *
6  * Integrated into 2.1.97+,  Andrew G. Morgan <morgan@kernel.org>
7  * 30 May 2002:	Cleanup, Robert M. Love <rml@tech9.net>
8  */
9 
10 #include <linux/capability.h>
11 #include <linux/mm.h>
12 #include <linux/module.h>
13 #include <linux/security.h>
14 #include <linux/syscalls.h>
15 #include <linux/pid_namespace.h>
16 #include <asm/uaccess.h>
17 
18 /*
19  * This lock protects task->cap_* for all tasks including current.
20  * Locking rule: acquire this prior to tasklist_lock.
21  */
22 static DEFINE_SPINLOCK(task_capability_lock);
23 
24 /*
25  * Leveraged for setting/resetting capabilities
26  */
27 
28 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
29 const kernel_cap_t __cap_full_set = CAP_FULL_SET;
30 const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
31 
32 EXPORT_SYMBOL(__cap_empty_set);
33 EXPORT_SYMBOL(__cap_full_set);
34 EXPORT_SYMBOL(__cap_init_eff_set);
35 
36 /*
37  * More recent versions of libcap are available from:
38  *
39  *   http://www.kernel.org/pub/linux/libs/security/linux-privs/
40  */
41 
42 static void warn_legacy_capability_use(void)
43 {
44 	static int warned;
45 	if (!warned) {
46 		char name[sizeof(current->comm)];
47 
48 		printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
49 		       " (legacy support in use)\n",
50 		       get_task_comm(name, current));
51 		warned = 1;
52 	}
53 }
54 
55 /*
56  * For sys_getproccap() and sys_setproccap(), any of the three
57  * capability set pointers may be NULL -- indicating that that set is
58  * uninteresting and/or not to be changed.
59  */
60 
61 /**
62  * sys_capget - get the capabilities of a given process.
63  * @header: pointer to struct that contains capability version and
64  *	target pid data
65  * @dataptr: pointer to struct that contains the effective, permitted,
66  *	and inheritable capabilities that are returned
67  *
68  * Returns 0 on success and < 0 on error.
69  */
70 asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
71 {
72 	int ret = 0;
73 	pid_t pid;
74 	__u32 version;
75 	struct task_struct *target;
76 	unsigned tocopy;
77 	kernel_cap_t pE, pI, pP;
78 
79 	if (get_user(version, &header->version))
80 		return -EFAULT;
81 
82 	switch (version) {
83 	case _LINUX_CAPABILITY_VERSION_1:
84 		warn_legacy_capability_use();
85 		tocopy = _LINUX_CAPABILITY_U32S_1;
86 		break;
87 	case _LINUX_CAPABILITY_VERSION_2:
88 		tocopy = _LINUX_CAPABILITY_U32S_2;
89 		break;
90 	default:
91 		if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
92 			return -EFAULT;
93 		return -EINVAL;
94 	}
95 
96 	if (get_user(pid, &header->pid))
97 		return -EFAULT;
98 
99 	if (pid < 0)
100 		return -EINVAL;
101 
102 	spin_lock(&task_capability_lock);
103 	read_lock(&tasklist_lock);
104 
105 	if (pid && pid != task_pid_vnr(current)) {
106 		target = find_task_by_vpid(pid);
107 		if (!target) {
108 			ret = -ESRCH;
109 			goto out;
110 		}
111 	} else
112 		target = current;
113 
114 	ret = security_capget(target, &pE, &pI, &pP);
115 
116 out:
117 	read_unlock(&tasklist_lock);
118 	spin_unlock(&task_capability_lock);
119 
120 	if (!ret) {
121 		struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
122 		unsigned i;
123 
124 		for (i = 0; i < tocopy; i++) {
125 			kdata[i].effective = pE.cap[i];
126 			kdata[i].permitted = pP.cap[i];
127 			kdata[i].inheritable = pI.cap[i];
128 		}
129 
130 		/*
131 		 * Note, in the case, tocopy < _LINUX_CAPABILITY_U32S,
132 		 * we silently drop the upper capabilities here. This
133 		 * has the effect of making older libcap
134 		 * implementations implicitly drop upper capability
135 		 * bits when they perform a: capget/modify/capset
136 		 * sequence.
137 		 *
138 		 * This behavior is considered fail-safe
139 		 * behavior. Upgrading the application to a newer
140 		 * version of libcap will enable access to the newer
141 		 * capabilities.
142 		 *
143 		 * An alternative would be to return an error here
144 		 * (-ERANGE), but that causes legacy applications to
145 		 * unexpectidly fail; the capget/modify/capset aborts
146 		 * before modification is attempted and the application
147 		 * fails.
148 		 */
149 
150 		if (copy_to_user(dataptr, kdata, tocopy
151 				 * sizeof(struct __user_cap_data_struct))) {
152 			return -EFAULT;
153 		}
154 	}
155 
156 	return ret;
157 }
158 
159 /*
160  * cap_set_pg - set capabilities for all processes in a given process
161  * group.  We call this holding task_capability_lock and tasklist_lock.
162  */
163 static inline int cap_set_pg(int pgrp_nr, kernel_cap_t *effective,
164 			      kernel_cap_t *inheritable,
165 			      kernel_cap_t *permitted)
166 {
167 	struct task_struct *g, *target;
168 	int ret = -EPERM;
169 	int found = 0;
170 	struct pid *pgrp;
171 
172 	pgrp = find_vpid(pgrp_nr);
173 	do_each_pid_task(pgrp, PIDTYPE_PGID, g) {
174 		target = g;
175 		while_each_thread(g, target) {
176 			if (!security_capset_check(target, effective,
177 							inheritable,
178 							permitted)) {
179 				security_capset_set(target, effective,
180 							inheritable,
181 							permitted);
182 				ret = 0;
183 			}
184 			found = 1;
185 		}
186 	} while_each_pid_task(pgrp, PIDTYPE_PGID, g);
187 
188 	if (!found)
189 		ret = 0;
190 	return ret;
191 }
192 
193 /*
194  * cap_set_all - set capabilities for all processes other than init
195  * and self.  We call this holding task_capability_lock and tasklist_lock.
196  */
197 static inline int cap_set_all(kernel_cap_t *effective,
198 			       kernel_cap_t *inheritable,
199 			       kernel_cap_t *permitted)
200 {
201      struct task_struct *g, *target;
202      int ret = -EPERM;
203      int found = 0;
204 
205      do_each_thread(g, target) {
206              if (target == current || is_container_init(target->group_leader))
207                      continue;
208              found = 1;
209 	     if (security_capset_check(target, effective, inheritable,
210 						permitted))
211 		     continue;
212 	     ret = 0;
213 	     security_capset_set(target, effective, inheritable, permitted);
214      } while_each_thread(g, target);
215 
216      if (!found)
217 	     ret = 0;
218      return ret;
219 }
220 
221 /**
222  * sys_capset - set capabilities for a process or a group of processes
223  * @header: pointer to struct that contains capability version and
224  *	target pid data
225  * @data: pointer to struct that contains the effective, permitted,
226  *	and inheritable capabilities
227  *
228  * Set capabilities for a given process, all processes, or all
229  * processes in a given process group.
230  *
231  * The restrictions on setting capabilities are specified as:
232  *
233  * [pid is for the 'target' task.  'current' is the calling task.]
234  *
235  * I: any raised capabilities must be a subset of the (old current) permitted
236  * P: any raised capabilities must be a subset of the (old current) permitted
237  * E: must be set to a subset of (new target) permitted
238  *
239  * Returns 0 on success and < 0 on error.
240  */
241 asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
242 {
243 	struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
244 	unsigned i, tocopy;
245 	kernel_cap_t inheritable, permitted, effective;
246 	__u32 version;
247 	struct task_struct *target;
248 	int ret;
249 	pid_t pid;
250 
251 	if (get_user(version, &header->version))
252 		return -EFAULT;
253 
254 	switch (version) {
255 	case _LINUX_CAPABILITY_VERSION_1:
256 		warn_legacy_capability_use();
257 		tocopy = _LINUX_CAPABILITY_U32S_1;
258 		break;
259 	case _LINUX_CAPABILITY_VERSION_2:
260 		tocopy = _LINUX_CAPABILITY_U32S_2;
261 		break;
262 	default:
263 		if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
264 			return -EFAULT;
265 		return -EINVAL;
266 	}
267 
268 	if (get_user(pid, &header->pid))
269 		return -EFAULT;
270 
271 	if (pid && pid != task_pid_vnr(current) && !capable(CAP_SETPCAP))
272 		return -EPERM;
273 
274 	if (copy_from_user(&kdata, data, tocopy
275 			   * sizeof(struct __user_cap_data_struct))) {
276 		return -EFAULT;
277 	}
278 
279 	for (i = 0; i < tocopy; i++) {
280 		effective.cap[i] = kdata[i].effective;
281 		permitted.cap[i] = kdata[i].permitted;
282 		inheritable.cap[i] = kdata[i].inheritable;
283 	}
284 	while (i < _LINUX_CAPABILITY_U32S) {
285 		effective.cap[i] = 0;
286 		permitted.cap[i] = 0;
287 		inheritable.cap[i] = 0;
288 		i++;
289 	}
290 
291 	spin_lock(&task_capability_lock);
292 	read_lock(&tasklist_lock);
293 
294 	if (pid > 0 && pid != task_pid_vnr(current)) {
295 		target = find_task_by_vpid(pid);
296 		if (!target) {
297 			ret = -ESRCH;
298 			goto out;
299 		}
300 	} else
301 		target = current;
302 
303 	ret = 0;
304 
305 	/* having verified that the proposed changes are legal,
306 	   we now put them into effect. */
307 	if (pid < 0) {
308 		if (pid == -1)	/* all procs other than current and init */
309 			ret = cap_set_all(&effective, &inheritable, &permitted);
310 
311 		else		/* all procs in process group */
312 			ret = cap_set_pg(-pid, &effective, &inheritable,
313 					 &permitted);
314 	} else {
315 		ret = security_capset_check(target, &effective, &inheritable,
316 					    &permitted);
317 		if (!ret)
318 			security_capset_set(target, &effective, &inheritable,
319 					    &permitted);
320 	}
321 
322 out:
323 	read_unlock(&tasklist_lock);
324 	spin_unlock(&task_capability_lock);
325 
326 	return ret;
327 }
328 
329 int __capable(struct task_struct *t, int cap)
330 {
331 	if (security_capable(t, cap) == 0) {
332 		t->flags |= PF_SUPERPRIV;
333 		return 1;
334 	}
335 	return 0;
336 }
337 
338 int capable(int cap)
339 {
340 	return __capable(current, cap);
341 }
342 EXPORT_SYMBOL(capable);
343