1*663af70aSMartin KaFai Lau // SPDX-License-Identifier: GPL-2.0
2*663af70aSMartin KaFai Lau #include "cap_helpers.h"
3*663af70aSMartin KaFai Lau 
4*663af70aSMartin KaFai Lau /* Avoid including <sys/capability.h> from the libcap-devel package,
5*663af70aSMartin KaFai Lau  * so directly declare them here and use them from glibc.
6*663af70aSMartin KaFai Lau  */
7*663af70aSMartin KaFai Lau int capget(cap_user_header_t header, cap_user_data_t data);
8*663af70aSMartin KaFai Lau int capset(cap_user_header_t header, const cap_user_data_t data);
9*663af70aSMartin KaFai Lau 
/* Raise the capabilities in @caps in the effective set of the caller.
 *
 * @caps is a CAP_* bitmask (bit n == capability number n), split into the
 * two 32-bit words the v3 capability ABI uses.  The header's pid is left 0,
 * which addresses the calling thread, so the change is per-thread.
 *
 * If @old_caps is non-NULL it receives the effective set as read by
 * capget() before any change, whether or not a change was needed.
 *
 * Only the effective set is modified; the permitted and inheritable words
 * returned by capget() are written back untouched.  The kernel rejects
 * effective bits that are not also permitted, so asking for a capability
 * the process does not hold makes capset() fail rather than silently
 * escalate.
 *
 * Returns 0 on success (including when nothing had to change), otherwise
 * the non-zero return of the failing capget()/capset() call, with errno set.
 */
int cap_enable_effective(__u64 caps, __u64 *old_caps)
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3,
	};
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	const __u32 want_lo = (__u32)caps;
	const __u32 want_hi = (__u32)(caps >> 32);
	int rc = capget(&hdr, data);

	if (rc)
		return rc;

	if (old_caps)
		*old_caps = ((__u64)data[1].effective << 32) | data[0].effective;

	/* Nothing to do when every requested bit is already effective. */
	if (!(want_lo & ~data[0].effective) && !(want_hi & ~data[1].effective))
		return 0;

	data[0].effective |= want_lo;
	data[1].effective |= want_hi;

	/* capset() returns 0 on success, so its result is ours. */
	return capset(&hdr, data);
}
39*663af70aSMartin KaFai Lau 
/* Clear the capabilities in @caps from the effective set of the caller.
 *
 * @caps is a CAP_* bitmask (bit n == capability number n), split into the
 * two 32-bit words the v3 capability ABI uses.  The header's pid is left 0,
 * which addresses the calling thread, so the change is per-thread.
 *
 * If @old_caps is non-NULL it receives the effective set as read by
 * capget() before any change, whether or not a change was needed; callers
 * typically hand it back to cap_enable_effective() to restore.
 *
 * Only the effective set is modified; the permitted and inheritable words
 * returned by capget() are written back untouched, so the dropped
 * capabilities stay permitted and can be re-enabled later.
 *
 * Returns 0 on success (including when none of the bits was effective),
 * otherwise the non-zero return of the failing capget()/capset() call,
 * with errno set.
 */
int cap_disable_effective(__u64 caps, __u64 *old_caps)
{
	struct __user_cap_header_struct hdr = {
		.version = _LINUX_CAPABILITY_VERSION_3,
	};
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
	const __u32 drop_lo = (__u32)caps;
	const __u32 drop_hi = (__u32)(caps >> 32);
	int rc = capget(&hdr, data);

	if (rc)
		return rc;

	if (old_caps)
		*old_caps = ((__u64)data[1].effective << 32) | data[0].effective;

	/* Nothing to do when none of the requested bits is effective. */
	if ((data[0].effective & drop_lo) == 0 &&
	    (data[1].effective & drop_hi) == 0)
		return 0;

	data[0].effective &= ~drop_lo;
	data[1].effective &= ~drop_hi;

	/* capset() returns 0 on success, so its result is ours. */
	return capset(&hdr, data);
}