1 /* Common capabilities, needed by capability.o. 2 * 3 * This program is free software; you can redistribute it and/or modify 4 * it under the terms of the GNU General Public License as published by 5 * the Free Software Foundation; either version 2 of the License, or 6 * (at your option) any later version. 7 * 8 */ 9 10 #include <linux/capability.h> 11 #include <linux/audit.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/kernel.h> 15 #include <linux/security.h> 16 #include <linux/file.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/pagemap.h> 20 #include <linux/swap.h> 21 #include <linux/skbuff.h> 22 #include <linux/netlink.h> 23 #include <linux/ptrace.h> 24 #include <linux/xattr.h> 25 #include <linux/hugetlb.h> 26 #include <linux/mount.h> 27 #include <linux/sched.h> 28 #include <linux/prctl.h> 29 #include <linux/securebits.h> 30 31 /* 32 * If a non-root user executes a setuid-root binary in 33 * !secure(SECURE_NOROOT) mode, then we raise capabilities. 34 * However if fE is also set, then the intent is for only 35 * the file capabilities to be applied, and the setuid-root 36 * bit is left on either to change the uid (plausible) or 37 * to get full privilege on a kernel without file capabilities 38 * support. So in that case we do not raise capabilities. 39 * 40 * Warn if that happens, once per boot. 41 */ 42 static void warn_setuid_and_fcaps_mixed(char *fname) 43 { 44 static int warned; 45 if (!warned) { 46 printk(KERN_INFO "warning: `%s' has both setuid-root and" 47 " effective capabilities. Therefore not raising all" 48 " capabilities.\n", fname); 49 warned = 1; 50 } 51 } 52 53 int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 54 { 55 NETLINK_CB(skb).eff_cap = current_cap(); 56 return 0; 57 } 58 59 int cap_netlink_recv(struct sk_buff *skb, int cap) 60 { 61 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 62 return -EPERM; 63 return 0; 64 } 65 EXPORT_SYMBOL(cap_netlink_recv); 66 67 /** 68 * cap_capable - Determine whether a task has a particular effective capability 69 * @tsk: The task to query 70 * @cred: The credentials to use 71 * @cap: The capability to check for 72 * @audit: Whether to write an audit message or not 73 * 74 * Determine whether the nominated task has the specified capability amongst 75 * its effective set, returning 0 if it does, -ve if it does not. 76 * 77 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() 78 * and has_capability() functions. That is, it has the reverse semantics: 79 * cap_has_capability() returns 0 when a task has a capability, but the 80 * kernel's capable() and has_capability() returns 1 for this case. 81 */ 82 int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, 83 int audit) 84 { 85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 86 } 87 88 /** 89 * cap_settime - Determine whether the current process may set the system clock 90 * @ts: The time to set 91 * @tz: The timezone to set 92 * 93 * Determine whether the current process may set the system clock and timezone 94 * information, returning 0 if permission granted, -ve if denied. 95 */ 96 int cap_settime(struct timespec *ts, struct timezone *tz) 97 { 98 if (!capable(CAP_SYS_TIME)) 99 return -EPERM; 100 return 0; 101 } 102 103 /** 104 * cap_ptrace_access_check - Determine whether the current process may access 105 * another 106 * @child: The process to be accessed 107 * @mode: The mode of attachment. 108 * 109 * Determine whether a process may access another, returning 0 if permission 110 * granted, -ve if denied. 111 */ 112 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) 113 { 114 int ret = 0; 115 116 rcu_read_lock(); 117 if (!cap_issubset(__task_cred(child)->cap_permitted, 118 current_cred()->cap_permitted) && 119 !capable(CAP_SYS_PTRACE)) 120 ret = -EPERM; 121 rcu_read_unlock(); 122 return ret; 123 } 124 125 /** 126 * cap_ptrace_traceme - Determine whether another process may trace the current 127 * @parent: The task proposed to be the tracer 128 * 129 * Determine whether the nominated task is permitted to trace the current 130 * process, returning 0 if permission is granted, -ve if denied. 131 */ 132 int cap_ptrace_traceme(struct task_struct *parent) 133 { 134 int ret = 0; 135 136 rcu_read_lock(); 137 if (!cap_issubset(current_cred()->cap_permitted, 138 __task_cred(parent)->cap_permitted) && 139 !has_capability(parent, CAP_SYS_PTRACE)) 140 ret = -EPERM; 141 rcu_read_unlock(); 142 return ret; 143 } 144 145 /** 146 * cap_capget - Retrieve a task's capability sets 147 * @target: The task from which to retrieve the capability sets 148 * @effective: The place to record the effective set 149 * @inheritable: The place to record the inheritable set 150 * @permitted: The place to record the permitted set 151 * 152 * This function retrieves the capabilities of the nominated task and returns 153 * them to the caller. 154 */ 155 int cap_capget(struct task_struct *target, kernel_cap_t *effective, 156 kernel_cap_t *inheritable, kernel_cap_t *permitted) 157 { 158 const struct cred *cred; 159 160 /* Derived from kernel/capability.c:sys_capget. */ 161 rcu_read_lock(); 162 cred = __task_cred(target); 163 *effective = cred->cap_effective; 164 *inheritable = cred->cap_inheritable; 165 *permitted = cred->cap_permitted; 166 rcu_read_unlock(); 167 return 0; 168 } 169 170 /* 171 * Determine whether the inheritable capabilities are limited to the old 172 * permitted set. Returns 1 if they are limited, 0 if they are not. 173 */ 174 static inline int cap_inh_is_capped(void) 175 { 176 177 /* they are so limited unless the current task has the CAP_SETPCAP 178 * capability 179 */ 180 if (cap_capable(current, current_cred(), CAP_SETPCAP, 181 SECURITY_CAP_AUDIT) == 0) 182 return 0; 183 return 1; 184 } 185 186 /** 187 * cap_capset - Validate and apply proposed changes to current's capabilities 188 * @new: The proposed new credentials; alterations should be made here 189 * @old: The current task's current credentials 190 * @effective: A pointer to the proposed new effective capabilities set 191 * @inheritable: A pointer to the proposed new inheritable capabilities set 192 * @permitted: A pointer to the proposed new permitted capabilities set 193 * 194 * This function validates and applies a proposed mass change to the current 195 * process's capability sets. The changes are made to the proposed new 196 * credentials, and assuming no error, will be committed by the caller of LSM. 197 */ 198 int cap_capset(struct cred *new, 199 const struct cred *old, 200 const kernel_cap_t *effective, 201 const kernel_cap_t *inheritable, 202 const kernel_cap_t *permitted) 203 { 204 if (cap_inh_is_capped() && 205 !cap_issubset(*inheritable, 206 cap_combine(old->cap_inheritable, 207 old->cap_permitted))) 208 /* incapable of using this inheritable set */ 209 return -EPERM; 210 211 if (!cap_issubset(*inheritable, 212 cap_combine(old->cap_inheritable, 213 old->cap_bset))) 214 /* no new pI capabilities outside bounding set */ 215 return -EPERM; 216 217 /* verify restrictions on target's new Permitted set */ 218 if (!cap_issubset(*permitted, old->cap_permitted)) 219 return -EPERM; 220 221 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ 222 if (!cap_issubset(*effective, *permitted)) 223 return -EPERM; 224 225 new->cap_effective = *effective; 226 new->cap_inheritable = *inheritable; 227 new->cap_permitted = *permitted; 228 return 0; 229 } 230 231 /* 232 * Clear proposed capability sets for execve(). 233 */ 234 static inline void bprm_clear_caps(struct linux_binprm *bprm) 235 { 236 cap_clear(bprm->cred->cap_permitted); 237 bprm->cap_effective = false; 238 } 239 240 /** 241 * cap_inode_need_killpriv - Determine if inode change affects privileges 242 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 243 * 244 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV 245 * affects the security markings on that inode, and if it is, should 246 * inode_killpriv() be invoked or the change rejected? 247 * 248 * Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and 249 * -ve to deny the change. 250 */ 251 int cap_inode_need_killpriv(struct dentry *dentry) 252 { 253 struct inode *inode = dentry->d_inode; 254 int error; 255 256 if (!inode->i_op->getxattr) 257 return 0; 258 259 error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); 260 if (error <= 0) 261 return 0; 262 return 1; 263 } 264 265 /** 266 * cap_inode_killpriv - Erase the security markings on an inode 267 * @dentry: The inode/dentry to alter 268 * 269 * Erase the privilege-enhancing security markings on an inode. 270 * 271 * Returns 0 if successful, -ve on error. 272 */ 273 int cap_inode_killpriv(struct dentry *dentry) 274 { 275 struct inode *inode = dentry->d_inode; 276 277 if (!inode->i_op->removexattr) 278 return 0; 279 280 return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); 281 } 282 283 /* 284 * Calculate the new process capability sets from the capability sets attached 285 * to a file. 286 */ 287 static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, 288 struct linux_binprm *bprm, 289 bool *effective) 290 { 291 struct cred *new = bprm->cred; 292 unsigned i; 293 int ret = 0; 294 295 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) 296 *effective = true; 297 298 CAP_FOR_EACH_U32(i) { 299 __u32 permitted = caps->permitted.cap[i]; 300 __u32 inheritable = caps->inheritable.cap[i]; 301 302 /* 303 * pP' = (X & fP) | (pI & fI) 304 */ 305 new->cap_permitted.cap[i] = 306 (new->cap_bset.cap[i] & permitted) | 307 (new->cap_inheritable.cap[i] & inheritable); 308 309 if (permitted & ~new->cap_permitted.cap[i]) 310 /* insufficient to execute correctly */ 311 ret = -EPERM; 312 } 313 314 /* 315 * For legacy apps, with no internal support for recognizing they 316 * do not have enough capabilities, we return an error if they are 317 * missing some "forced" (aka file-permitted) capabilities. 318 */ 319 return *effective ? ret : 0; 320 } 321 322 /* 323 * Extract the on-exec-apply capability sets for an executable file. 324 */ 325 int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps) 326 { 327 struct inode *inode = dentry->d_inode; 328 __u32 magic_etc; 329 unsigned tocopy, i; 330 int size; 331 struct vfs_cap_data caps; 332 333 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data)); 334 335 if (!inode || !inode->i_op->getxattr) 336 return -ENODATA; 337 338 size = inode->i_op->getxattr((struct dentry *)dentry, XATTR_NAME_CAPS, &caps, 339 XATTR_CAPS_SZ); 340 if (size == -ENODATA || size == -EOPNOTSUPP) 341 /* no data, that's ok */ 342 return -ENODATA; 343 if (size < 0) 344 return size; 345 346 if (size < sizeof(magic_etc)) 347 return -EINVAL; 348 349 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps.magic_etc); 350 351 switch (magic_etc & VFS_CAP_REVISION_MASK) { 352 case VFS_CAP_REVISION_1: 353 if (size != XATTR_CAPS_SZ_1) 354 return -EINVAL; 355 tocopy = VFS_CAP_U32_1; 356 break; 357 case VFS_CAP_REVISION_2: 358 if (size != XATTR_CAPS_SZ_2) 359 return -EINVAL; 360 tocopy = VFS_CAP_U32_2; 361 break; 362 default: 363 return -EINVAL; 364 } 365 366 CAP_FOR_EACH_U32(i) { 367 if (i >= tocopy) 368 break; 369 cpu_caps->permitted.cap[i] = le32_to_cpu(caps.data[i].permitted); 370 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable); 371 } 372 373 return 0; 374 } 375 376 /* 377 * Attempt to get the on-exec apply capability sets for an executable file from 378 * its xattrs and, if present, apply them to the proposed credentials being 379 * constructed by execve(). 380 */ 381 static int get_file_caps(struct linux_binprm *bprm, bool *effective) 382 { 383 struct dentry *dentry; 384 int rc = 0; 385 struct cpu_vfs_cap_data vcaps; 386 387 bprm_clear_caps(bprm); 388 389 if (!file_caps_enabled) 390 return 0; 391 392 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) 393 return 0; 394 395 dentry = dget(bprm->file->f_dentry); 396 397 rc = get_vfs_caps_from_disk(dentry, &vcaps); 398 if (rc < 0) { 399 if (rc == -EINVAL) 400 printk(KERN_NOTICE "%s: get_vfs_caps_from_disk returned %d for %s\n", 401 __func__, rc, bprm->filename); 402 else if (rc == -ENODATA) 403 rc = 0; 404 goto out; 405 } 406 407 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective); 408 if (rc == -EINVAL) 409 printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", 410 __func__, rc, bprm->filename); 411 412 out: 413 dput(dentry); 414 if (rc) 415 bprm_clear_caps(bprm); 416 417 return rc; 418 } 419 420 /** 421 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 422 * @bprm: The execution parameters, including the proposed creds 423 * 424 * Set up the proposed credentials for a new execution context being 425 * constructed by execve(). The proposed creds in @bprm->cred is altered, 426 * which won't take effect immediately. Returns 0 if successful, -ve on error. 427 */ 428 int cap_bprm_set_creds(struct linux_binprm *bprm) 429 { 430 const struct cred *old = current_cred(); 431 struct cred *new = bprm->cred; 432 bool effective; 433 int ret; 434 435 effective = false; 436 ret = get_file_caps(bprm, &effective); 437 if (ret < 0) 438 return ret; 439 440 if (!issecure(SECURE_NOROOT)) { 441 /* 442 * If the legacy file capability is set, then don't set privs 443 * for a setuid root binary run by a non-root user. Do set it 444 * for a root user just to cause least surprise to an admin. 445 */ 446 if (effective && new->uid != 0 && new->euid == 0) { 447 warn_setuid_and_fcaps_mixed(bprm->filename); 448 goto skip; 449 } 450 /* 451 * To support inheritance of root-permissions and suid-root 452 * executables under compatibility mode, we override the 453 * capability sets for the file. 454 * 455 * If only the real uid is 0, we do not set the effective bit. 456 */ 457 if (new->euid == 0 || new->uid == 0) { 458 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 459 new->cap_permitted = cap_combine(old->cap_bset, 460 old->cap_inheritable); 461 } 462 if (new->euid == 0) 463 effective = true; 464 } 465 skip: 466 467 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 468 * credentials unless they have the appropriate permit 469 */ 470 if ((new->euid != old->uid || 471 new->egid != old->gid || 472 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 473 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 474 /* downgrade; they get no more than they had, and maybe less */ 475 if (!capable(CAP_SETUID)) { 476 new->euid = new->uid; 477 new->egid = new->gid; 478 } 479 new->cap_permitted = cap_intersect(new->cap_permitted, 480 old->cap_permitted); 481 } 482 483 new->suid = new->fsuid = new->euid; 484 new->sgid = new->fsgid = new->egid; 485 486 /* For init, we want to retain the capabilities set in the initial 487 * task. Thus we skip the usual capability rules 488 */ 489 if (!is_global_init(current)) { 490 if (effective) 491 new->cap_effective = new->cap_permitted; 492 else 493 cap_clear(new->cap_effective); 494 } 495 bprm->cap_effective = effective; 496 497 /* 498 * Audit candidate if current->cap_effective is set 499 * 500 * We do not bother to audit if 3 things are true: 501 * 1) cap_effective has all caps 502 * 2) we are root 503 * 3) root is supposed to have all caps (SECURE_NOROOT) 504 * Since this is just a normal root execing a process. 505 * 506 * Number 1 above might fail if you don't have a full bset, but I think 507 * that is interesting information to audit. 508 */ 509 if (!cap_isclear(new->cap_effective)) { 510 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 511 new->euid != 0 || new->uid != 0 || 512 issecure(SECURE_NOROOT)) { 513 ret = audit_log_bprm_fcaps(bprm, new, old); 514 if (ret < 0) 515 return ret; 516 } 517 } 518 519 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 520 return 0; 521 } 522 523 /** 524 * cap_bprm_secureexec - Determine whether a secure execution is required 525 * @bprm: The execution parameters 526 * 527 * Determine whether a secure execution is required, return 1 if it is, and 0 528 * if it is not. 529 * 530 * The credentials have been committed by this point, and so are no longer 531 * available through @bprm->cred. 532 */ 533 int cap_bprm_secureexec(struct linux_binprm *bprm) 534 { 535 const struct cred *cred = current_cred(); 536 537 if (cred->uid != 0) { 538 if (bprm->cap_effective) 539 return 1; 540 if (!cap_isclear(cred->cap_permitted)) 541 return 1; 542 } 543 544 return (cred->euid != cred->uid || 545 cred->egid != cred->gid); 546 } 547 548 /** 549 * cap_inode_setxattr - Determine whether an xattr may be altered 550 * @dentry: The inode/dentry being altered 551 * @name: The name of the xattr to be changed 552 * @value: The value that the xattr will be changed to 553 * @size: The size of value 554 * @flags: The replacement flag 555 * 556 * Determine whether an xattr may be altered or set on an inode, returning 0 if 557 * permission is granted, -ve if denied. 558 * 559 * This is used to make sure security xattrs don't get updated or set by those 560 * who aren't privileged to do so. 561 */ 562 int cap_inode_setxattr(struct dentry *dentry, const char *name, 563 const void *value, size_t size, int flags) 564 { 565 if (!strcmp(name, XATTR_NAME_CAPS)) { 566 if (!capable(CAP_SETFCAP)) 567 return -EPERM; 568 return 0; 569 } 570 571 if (!strncmp(name, XATTR_SECURITY_PREFIX, 572 sizeof(XATTR_SECURITY_PREFIX) - 1) && 573 !capable(CAP_SYS_ADMIN)) 574 return -EPERM; 575 return 0; 576 } 577 578 /** 579 * cap_inode_removexattr - Determine whether an xattr may be removed 580 * @dentry: The inode/dentry being altered 581 * @name: The name of the xattr to be changed 582 * 583 * Determine whether an xattr may be removed from an inode, returning 0 if 584 * permission is granted, -ve if denied. 585 * 586 * This is used to make sure security xattrs don't get removed by those who 587 * aren't privileged to remove them. 588 */ 589 int cap_inode_removexattr(struct dentry *dentry, const char *name) 590 { 591 if (!strcmp(name, XATTR_NAME_CAPS)) { 592 if (!capable(CAP_SETFCAP)) 593 return -EPERM; 594 return 0; 595 } 596 597 if (!strncmp(name, XATTR_SECURITY_PREFIX, 598 sizeof(XATTR_SECURITY_PREFIX) - 1) && 599 !capable(CAP_SYS_ADMIN)) 600 return -EPERM; 601 return 0; 602 } 603 604 /* 605 * cap_emulate_setxuid() fixes the effective / permitted capabilities of 606 * a process after a call to setuid, setreuid, or setresuid. 607 * 608 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of 609 * {r,e,s}uid != 0, the permitted and effective capabilities are 610 * cleared. 611 * 612 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective 613 * capabilities of the process are cleared. 614 * 615 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective 616 * capabilities are set to the permitted capabilities. 617 * 618 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 619 * never happen. 620 * 621 * -astor 622 * 623 * cevans - New behaviour, Oct '99 624 * A process may, via prctl(), elect to keep its capabilities when it 625 * calls setuid() and switches away from uid==0. Both permitted and 626 * effective sets will be retained. 627 * Without this change, it was impossible for a daemon to drop only some 628 * of its privilege. The call to setuid(!=0) would drop all privileges! 629 * Keeping uid 0 is not an option because uid 0 owns too many vital 630 * files.. 631 * Thanks to Olaf Kirch and Peter Benie for spotting this. 632 */ 633 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 634 { 635 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) && 636 (new->uid != 0 && new->euid != 0 && new->suid != 0) && 637 !issecure(SECURE_KEEP_CAPS)) { 638 cap_clear(new->cap_permitted); 639 cap_clear(new->cap_effective); 640 } 641 if (old->euid == 0 && new->euid != 0) 642 cap_clear(new->cap_effective); 643 if (old->euid != 0 && new->euid == 0) 644 new->cap_effective = new->cap_permitted; 645 } 646 647 /** 648 * cap_task_fix_setuid - Fix up the results of setuid() call 649 * @new: The proposed credentials 650 * @old: The current task's current credentials 651 * @flags: Indications of what has changed 652 * 653 * Fix up the results of setuid() call before the credential changes are 654 * actually applied, returning 0 to grant the changes, -ve to deny them. 655 */ 656 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) 657 { 658 switch (flags) { 659 case LSM_SETID_RE: 660 case LSM_SETID_ID: 661 case LSM_SETID_RES: 662 /* juggle the capabilities to follow [RES]UID changes unless 663 * otherwise suppressed */ 664 if (!issecure(SECURE_NO_SETUID_FIXUP)) 665 cap_emulate_setxuid(new, old); 666 break; 667 668 case LSM_SETID_FS: 669 /* juggle the capabilties to follow FSUID changes, unless 670 * otherwise suppressed 671 * 672 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? 673 * if not, we might be a bit too harsh here. 674 */ 675 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 676 if (old->fsuid == 0 && new->fsuid != 0) 677 new->cap_effective = 678 cap_drop_fs_set(new->cap_effective); 679 680 if (old->fsuid != 0 && new->fsuid == 0) 681 new->cap_effective = 682 cap_raise_fs_set(new->cap_effective, 683 new->cap_permitted); 684 } 685 break; 686 687 default: 688 return -EINVAL; 689 } 690 691 return 0; 692 } 693 694 /* 695 * Rationale: code calling task_setscheduler, task_setioprio, and 696 * task_setnice, assumes that 697 * . if capable(cap_sys_nice), then those actions should be allowed 698 * . if not capable(cap_sys_nice), but acting on your own processes, 699 * then those actions should be allowed 700 * This is insufficient now since you can call code without suid, but 701 * yet with increased caps. 702 * So we check for increased caps on the target process. 703 */ 704 static int cap_safe_nice(struct task_struct *p) 705 { 706 int is_subset; 707 708 rcu_read_lock(); 709 is_subset = cap_issubset(__task_cred(p)->cap_permitted, 710 current_cred()->cap_permitted); 711 rcu_read_unlock(); 712 713 if (!is_subset && !capable(CAP_SYS_NICE)) 714 return -EPERM; 715 return 0; 716 } 717 718 /** 719 * cap_task_setscheduler - Detemine if scheduler policy change is permitted 720 * @p: The task to affect 721 * @policy: The policy to effect 722 * @lp: The parameters to the scheduling policy 723 * 724 * Detemine if the requested scheduler policy change is permitted for the 725 * specified task, returning 0 if permission is granted, -ve if denied. 726 */ 727 int cap_task_setscheduler(struct task_struct *p, int policy, 728 struct sched_param *lp) 729 { 730 return cap_safe_nice(p); 731 } 732 733 /** 734 * cap_task_ioprio - Detemine if I/O priority change is permitted 735 * @p: The task to affect 736 * @ioprio: The I/O priority to set 737 * 738 * Detemine if the requested I/O priority change is permitted for the specified 739 * task, returning 0 if permission is granted, -ve if denied. 740 */ 741 int cap_task_setioprio(struct task_struct *p, int ioprio) 742 { 743 return cap_safe_nice(p); 744 } 745 746 /** 747 * cap_task_ioprio - Detemine if task priority change is permitted 748 * @p: The task to affect 749 * @nice: The nice value to set 750 * 751 * Detemine if the requested task priority change is permitted for the 752 * specified task, returning 0 if permission is granted, -ve if denied. 753 */ 754 int cap_task_setnice(struct task_struct *p, int nice) 755 { 756 return cap_safe_nice(p); 757 } 758 759 /* 760 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from 761 * the current task's bounding set. Returns 0 on success, -ve on error. 762 */ 763 static long cap_prctl_drop(struct cred *new, unsigned long cap) 764 { 765 if (!capable(CAP_SETPCAP)) 766 return -EPERM; 767 if (!cap_valid(cap)) 768 return -EINVAL; 769 770 cap_lower(new->cap_bset, cap); 771 return 0; 772 } 773 774 /** 775 * cap_task_prctl - Implement process control functions for this security module 776 * @option: The process control function requested 777 * @arg2, @arg3, @arg4, @arg5: The argument data for this function 778 * 779 * Allow process control functions (sys_prctl()) to alter capabilities; may 780 * also deny access to other functions not otherwise implemented here. 781 * 782 * Returns 0 or +ve on success, -ENOSYS if this function is not implemented 783 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM 784 * modules will consider performing the function. 785 */ 786 int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, 787 unsigned long arg4, unsigned long arg5) 788 { 789 struct cred *new; 790 long error = 0; 791 792 new = prepare_creds(); 793 if (!new) 794 return -ENOMEM; 795 796 switch (option) { 797 case PR_CAPBSET_READ: 798 error = -EINVAL; 799 if (!cap_valid(arg2)) 800 goto error; 801 error = !!cap_raised(new->cap_bset, arg2); 802 goto no_change; 803 804 case PR_CAPBSET_DROP: 805 error = cap_prctl_drop(new, arg2); 806 if (error < 0) 807 goto error; 808 goto changed; 809 810 /* 811 * The next four prctl's remain to assist with transitioning a 812 * system from legacy UID=0 based privilege (when filesystem 813 * capabilities are not in use) to a system using filesystem 814 * capabilities only - as the POSIX.1e draft intended. 815 * 816 * Note: 817 * 818 * PR_SET_SECUREBITS = 819 * issecure_mask(SECURE_KEEP_CAPS_LOCKED) 820 * | issecure_mask(SECURE_NOROOT) 821 * | issecure_mask(SECURE_NOROOT_LOCKED) 822 * | issecure_mask(SECURE_NO_SETUID_FIXUP) 823 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) 824 * 825 * will ensure that the current process and all of its 826 * children will be locked into a pure 827 * capability-based-privilege environment. 828 */ 829 case PR_SET_SECUREBITS: 830 error = -EPERM; 831 if ((((new->securebits & SECURE_ALL_LOCKS) >> 1) 832 & (new->securebits ^ arg2)) /*[1]*/ 833 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 834 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 835 || (cap_capable(current, current_cred(), CAP_SETPCAP, 836 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 837 /* 838 * [1] no changing of bits that are locked 839 * [2] no unlocking of locks 840 * [3] no setting of unsupported bits 841 * [4] doing anything requires privilege (go read about 842 * the "sendmail capabilities bug") 843 */ 844 ) 845 /* cannot change a locked bit */ 846 goto error; 847 new->securebits = arg2; 848 goto changed; 849 850 case PR_GET_SECUREBITS: 851 error = new->securebits; 852 goto no_change; 853 854 case PR_GET_KEEPCAPS: 855 if (issecure(SECURE_KEEP_CAPS)) 856 error = 1; 857 goto no_change; 858 859 case PR_SET_KEEPCAPS: 860 error = -EINVAL; 861 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ 862 goto error; 863 error = -EPERM; 864 if (issecure(SECURE_KEEP_CAPS_LOCKED)) 865 goto error; 866 if (arg2) 867 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); 868 else 869 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); 870 goto changed; 871 872 default: 873 /* No functionality available - continue with default */ 874 error = -ENOSYS; 875 goto error; 876 } 877 878 /* Functionality provided */ 879 changed: 880 return commit_creds(new); 881 882 no_change: 883 error: 884 abort_creds(new); 885 return error; 886 } 887 888 /** 889 * cap_syslog - Determine whether syslog function is permitted 890 * @type: Function requested 891 * 892 * Determine whether the current process is permitted to use a particular 893 * syslog function, returning 0 if permission is granted, -ve if not. 894 */ 895 int cap_syslog(int type) 896 { 897 if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN)) 898 return -EPERM; 899 return 0; 900 } 901 902 /** 903 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted 904 * @mm: The VM space in which the new mapping is to be made 905 * @pages: The size of the mapping 906 * 907 * Determine whether the allocation of a new virtual mapping by the current 908 * task is permitted, returning 0 if permission is granted, -ve if not. 909 */ 910 int cap_vm_enough_memory(struct mm_struct *mm, long pages) 911 { 912 int cap_sys_admin = 0; 913 914 if (cap_capable(current, current_cred(), CAP_SYS_ADMIN, 915 SECURITY_CAP_NOAUDIT) == 0) 916 cap_sys_admin = 1; 917 return __vm_enough_memory(mm, pages, cap_sys_admin); 918 } 919 920 /* 921 * cap_file_mmap - check if able to map given addr 922 * @file: unused 923 * @reqprot: unused 924 * @prot: unused 925 * @flags: unused 926 * @addr: address attempting to be mapped 927 * @addr_only: unused 928 * 929 * If the process is attempting to map memory below mmap_min_addr they need 930 * CAP_SYS_RAWIO. The other parameters to this function are unused by the 931 * capability security module. Returns 0 if this mapping should be allowed 932 * -EPERM if not. 933 */ 934 int cap_file_mmap(struct file *file, unsigned long reqprot, 935 unsigned long prot, unsigned long flags, 936 unsigned long addr, unsigned long addr_only) 937 { 938 int ret = 0; 939 940 if (addr < dac_mmap_min_addr) { 941 ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, 942 SECURITY_CAP_AUDIT); 943 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 944 if (ret == 0) 945 current->flags |= PF_SUPERPRIV; 946 } 947 return ret; 948 } 949