]> git.ipfire.org Git - thirdparty/kernel/stable.git/blame - security/commoncap.c
projects / thirdparty / kernel / stable.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
mm/khugepaged: check again on anon uffd-wp during isolation
[thirdparty/kernel/stable.git] / security / commoncap.c
CommitLineData
2874c5fd 1// SPDX-License-Identifier: GPL-2.0-or-later
3e1c2515 2/* Common capabilities, needed by capability.o.
1da177e4
LT		 3 */
4
c59ede7b 5#include <linux/capability.h>
3fc689e9 6#include <linux/audit.h>
1da177e4
LT		 7#include <linux/init.h>
8#include <linux/kernel.h>
b1d9e6b0 9#include <linux/lsm_hooks.h>
1da177e4
LT		 10#include <linux/file.h>
11#include <linux/mm.h>
12#include <linux/mman.h>
13#include <linux/pagemap.h>
14#include <linux/swap.h>
1da177e4
LT		 15#include <linux/skbuff.h>
16#include <linux/netlink.h>
17#include <linux/ptrace.h>
18#include <linux/xattr.h>
19#include <linux/hugetlb.h>
b5376771 20#include <linux/mount.h>
b460cbc5 21#include <linux/sched.h>
3898b1b4
AM		 22#include <linux/prctl.h>
23#include <linux/securebits.h>
3486740a 24#include <linux/user_namespace.h>
40401530 25#include <linux/binfmts.h>
51b79bee 26#include <linux/personality.h>
a793d79e 27#include <linux/mnt_idmapping.h>
72c2d582 28
b5f22a59
SH		 29/*
30 * If a non-root user executes a setuid-root binary in
31 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
32 * However if fE is also set, then the intent is for only
33 * the file capabilities to be applied, and the setuid-root
34 * bit is left on either to change the uid (plausible) or
35 * to get full privilege on a kernel without file capabilities
36 * support. So in that case we do not raise capabilities.
37 *
38 * Warn if that happens, once per boot.
39 */
d7627467 40static void warn_setuid_and_fcaps_mixed(const char *fname)
b5f22a59
SH		 41{
42 static int warned;
43 if (!warned) {
44 printk(KERN_INFO "warning: `%s' has both setuid-root and"
45 " effective capabilities. Therefore not raising all"
46 " capabilities.\n", fname);
47 warned = 1;
48 }
49}
50
1d045980
DH		 51/**
52 * cap_capable - Determine whether a task has a particular effective capability
3699c53c 53 * @cred: The credentials to use
049ae601 54 * @targ_ns: The user namespace in which we need the capability
1d045980 55 * @cap: The capability to check for
e88ed488 56 * @opts: Bitmask of options defined in include/linux/security.h
1d045980
DH		 57 *
58 * Determine whether the nominated task has the specified capability amongst
59 * its effective set, returning 0 if it does, -ve if it does not.
60 *
3699c53c
DH		 61 * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
62 * and has_capability() functions. That is, it has the reverse semantics:
63 * cap_has_capability() returns 0 when a task has a capability, but the
64 * kernel's capable() and has_capability() returns 1 for this case.
a6dbb1ef 65 */
6a9de491 66int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
c1a85a00 67 int cap, unsigned int opts)
1da177e4 68{
520d9eab 69 struct user_namespace *ns = targ_ns;
3486740a 70
520d9eab
EB		 71 /* See if cred has the capability in the target user namespace
72 * by examining the target user namespace and all of the target
73 * user namespace's parents.
74 */
75 for (;;) {
3486740a 76 /* Do we have the necessary capabilities? */
520d9eab 77 if (ns == cred->user_ns)
3486740a
SH		 78 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
79
64db4c7f
KT		 80 /*
81 * If we're already at a lower level than we're looking for,
82 * we're done searching.
83 */
84 if (ns->level <= cred->user_ns->level)
3486740a
SH		 85 return -EPERM;
86
520d9eab
EB		 87 /*
88 * The owner of the user namespace in the parent of the
89 * user namespace has all caps.
90 */
91 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
92 return 0;
93
3486740a 94 /*
520d9eab 95 * If you have a capability in a parent user ns, then you have
3486740a
SH		 96 * it over all children user namespaces as well.
97 */
520d9eab 98 ns = ns->parent;
3486740a
SH		 99 }
100
101 /* We never get here */
1da177e4
LT		 102}
103
1d045980
DH		 104/**
105 * cap_settime - Determine whether the current process may set the system clock
106 * @ts: The time to set
107 * @tz: The timezone to set
108 *
109 * Determine whether the current process may set the system clock and timezone
110 * information, returning 0 if permission granted, -ve if denied.
111 */
457db29b 112int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
1da177e4
LT		 113{
114 if (!capable(CAP_SYS_TIME))
115 return -EPERM;
116 return 0;
117}
118
1d045980 119/**
9e48858f 120 * cap_ptrace_access_check - Determine whether the current process may access
1d045980
DH		 121 * another
122 * @child: The process to be accessed
123 * @mode: The mode of attachment.
124 *
8409cca7
SH		 125 * If we are in the same or an ancestor user_ns and have all the target
126 * task's capabilities, then ptrace access is allowed.
127 * If we have the ptrace capability to the target user_ns, then ptrace
128 * access is allowed.
129 * Else denied.
130 *
1d045980
DH		 131 * Determine whether a process may access another, returning 0 if permission
132 * granted, -ve if denied.
133 */
9e48858f 134int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
1da177e4 135{
c69e8d9c 136 int ret = 0;
8409cca7 137 const struct cred *cred, *child_cred;
caaee623 138 const kernel_cap_t *caller_caps;
c69e8d9c
DH		 139
140 rcu_read_lock();
8409cca7
SH		 141 cred = current_cred();
142 child_cred = __task_cred(child);
caaee623
JH		 143 if (mode & PTRACE_MODE_FSCREDS)
144 caller_caps = &cred->cap_effective;
145 else
146 caller_caps = &cred->cap_permitted;
c4a4d603 147 if (cred->user_ns == child_cred->user_ns &&
caaee623 148 cap_issubset(child_cred->cap_permitted, *caller_caps))
8409cca7 149 goto out;
c4a4d603 150 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
8409cca7
SH		 151 goto out;
152 ret = -EPERM;
153out:
c69e8d9c
DH		 154 rcu_read_unlock();
155 return ret;
5cd9c58f
DH		 156}
157
1d045980
DH		 158/**
159 * cap_ptrace_traceme - Determine whether another process may trace the current
160 * @parent: The task proposed to be the tracer
161 *
8409cca7
SH		 162 * If parent is in the same or an ancestor user_ns and has all current's
163 * capabilities, then ptrace access is allowed.
164 * If parent has the ptrace capability to current's user_ns, then ptrace
165 * access is allowed.
166 * Else denied.
167 *
1d045980
DH		 168 * Determine whether the nominated task is permitted to trace the current
169 * process, returning 0 if permission is granted, -ve if denied.
170 */
5cd9c58f
DH		 171int cap_ptrace_traceme(struct task_struct *parent)
172{
c69e8d9c 173 int ret = 0;
8409cca7 174 const struct cred *cred, *child_cred;
c69e8d9c
DH		 175
176 rcu_read_lock();
8409cca7
SH		 177 cred = __task_cred(parent);
178 child_cred = current_cred();
c4a4d603 179 if (cred->user_ns == child_cred->user_ns &&
8409cca7
SH		 180 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
181 goto out;
c4a4d603 182 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
8409cca7
SH		 183 goto out;
184 ret = -EPERM;
185out:
c69e8d9c
DH		 186 rcu_read_unlock();
187 return ret;
1da177e4
LT		 188}
189
1d045980
DH		 190/**
191 * cap_capget - Retrieve a task's capability sets
192 * @target: The task from which to retrieve the capability sets
193 * @effective: The place to record the effective set
194 * @inheritable: The place to record the inheritable set
195 * @permitted: The place to record the permitted set
196 *
197 * This function retrieves the capabilities of the nominated task and returns
198 * them to the caller.
199 */
200int cap_capget(struct task_struct *target, kernel_cap_t *effective,
201 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1da177e4 202{
c69e8d9c 203 const struct cred *cred;
b6dff3ec 204
1da177e4 205 /* Derived from kernel/capability.c:sys_capget. */
c69e8d9c
DH		 206 rcu_read_lock();
207 cred = __task_cred(target);
b6dff3ec
DH		 208 *effective = cred->cap_effective;
209 *inheritable = cred->cap_inheritable;
210 *permitted = cred->cap_permitted;
c69e8d9c 211 rcu_read_unlock();
1da177e4
LT		 212 return 0;
213}
214
1d045980
DH		 215/*
216 * Determine whether the inheritable capabilities are limited to the old
217 * permitted set. Returns 1 if they are limited, 0 if they are not.
218 */
72c2d582
AM		 219static inline int cap_inh_is_capped(void)
220{
1d045980
DH		 221 /* they are so limited unless the current task has the CAP_SETPCAP
222 * capability
223 */
c4a4d603 224 if (cap_capable(current_cred(), current_cred()->user_ns,
c1a85a00 225 CAP_SETPCAP, CAP_OPT_NONE) == 0)
1d045980 226 return 0;
1d045980 227 return 1;
1209726c 228}
72c2d582 229
1d045980
DH		 230/**
231 * cap_capset - Validate and apply proposed changes to current's capabilities
232 * @new: The proposed new credentials; alterations should be made here
233 * @old: The current task's current credentials
234 * @effective: A pointer to the proposed new effective capabilities set
235 * @inheritable: A pointer to the proposed new inheritable capabilities set
236 * @permitted: A pointer to the proposed new permitted capabilities set
237 *
238 * This function validates and applies a proposed mass change to the current
239 * process's capability sets. The changes are made to the proposed new
240 * credentials, and assuming no error, will be committed by the caller of LSM.
241 */
d84f4f99
DH		 242int cap_capset(struct cred *new,
243 const struct cred *old,
244 const kernel_cap_t *effective,
245 const kernel_cap_t *inheritable,
246 const kernel_cap_t *permitted)
1da177e4 247{
d84f4f99
DH		 248 if (cap_inh_is_capped() &&
249 !cap_issubset(*inheritable,
250 cap_combine(old->cap_inheritable,
251 old->cap_permitted)))
72c2d582 252 /* incapable of using this inheritable set */
1da177e4 253 return -EPERM;
d84f4f99 254
3b7391de 255 if (!cap_issubset(*inheritable,
d84f4f99
DH		 256 cap_combine(old->cap_inheritable,
257 old->cap_bset)))
3b7391de
SH		 258 /* no new pI capabilities outside bounding set */
259 return -EPERM;
1da177e4
LT		 260
261 /* verify restrictions on target's new Permitted set */
d84f4f99 262 if (!cap_issubset(*permitted, old->cap_permitted))
1da177e4 263 return -EPERM;
1da177e4
LT		 264
265 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
d84f4f99 266 if (!cap_issubset(*effective, *permitted))
1da177e4 267 return -EPERM;
1da177e4 268
d84f4f99
DH		 269 new->cap_effective = *effective;
270 new->cap_inheritable = *inheritable;
271 new->cap_permitted = *permitted;
58319057
AL		 272
273 /*
274 * Mask off ambient bits that are no longer both permitted and
275 * inheritable.
276 */
277 new->cap_ambient = cap_intersect(new->cap_ambient,
278 cap_intersect(*permitted,
279 *inheritable));
280 if (WARN_ON(!cap_ambient_invariant_ok(new)))
281 return -EINVAL;
1da177e4
LT		 282 return 0;
283}
284
1d045980
DH		 285/**
286 * cap_inode_need_killpriv - Determine if inode change affects privileges
287 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
288 *
289 * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
290 * affects the security markings on that inode, and if it is, should
ab5348c9 291 * inode_killpriv() be invoked or the change rejected.
1d045980 292 *
049ae601 293 * Return: 1 if security.capability has a value, meaning inode_killpriv()
ab5348c9 294 * is required, 0 otherwise, meaning inode_killpriv() is not required.
1d045980 295 */
b5376771
SH		 296int cap_inode_need_killpriv(struct dentry *dentry)
297{
c6f493d6 298 struct inode *inode = d_backing_inode(dentry);
b5376771
SH		 299 int error;
300
5d6c3191
AG		 301 error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
302 return error > 0;
b5376771
SH		 303}
304
1d045980
DH		 305/**
306 * cap_inode_killpriv - Erase the security markings on an inode
71bc356f 307 *
39f60c1c 308 * @idmap: idmap of the mount the inode was found from
71bc356f 309 * @dentry: The inode/dentry to alter
1d045980
DH		 310 *
311 * Erase the privilege-enhancing security markings on an inode.
312 *
39f60c1c
CB		 313 * If the inode has been found through an idmapped mount the idmap of
314 * the vfsmount must be passed through @idmap. This function will then
315 * take care to map the inode according to @idmap before checking
71bc356f 316 * permissions. On non-idmapped mounts or if permission checking is to be
39f60c1c 317 * performed on the raw inode simply passs @nop_mnt_idmap.
71bc356f 318 *
049ae601 319 * Return: 0 if successful, -ve on error.
1d045980 320 */
39f60c1c 321int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry)
b5376771 322{
5d6c3191 323 int error;
b5376771 324
39f60c1c 325 error = __vfs_removexattr(idmap, dentry, XATTR_NAME_CAPS);
5d6c3191
AG		 326 if (error == -EOPNOTSUPP)
327 error = 0;
328 return error;
b5376771
SH		 329}
330
b7c9b675 331static bool rootid_owns_currentns(vfsuid_t rootvfsuid)
8db6c34f
SH		 332{
333 struct user_namespace *ns;
b7c9b675 334 kuid_t kroot;
8db6c34f 335
b7c9b675 336 if (!vfsuid_valid(rootvfsuid))
8db6c34f
SH		 337 return false;
338
b7c9b675
CB		 339 kroot = vfsuid_into_kuid(rootvfsuid);
340 for (ns = current_user_ns();; ns = ns->parent) {
8db6c34f
SH		 341 if (from_kuid(ns, kroot) == 0)
342 return true;
343 if (ns == &init_user_ns)
344 break;
345 }
346
347 return false;
348}
349
350static __u32 sansflags(__u32 m)
351{
352 return m & ~VFS_CAP_FLAGS_EFFECTIVE;
353}
354
f6fbd8cb 355static bool is_v2header(int size, const struct vfs_cap_data *cap)
8db6c34f 356{
8db6c34f
SH		 357 if (size != XATTR_CAPS_SZ_2)
358 return false;
dc32b5c3 359 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
8db6c34f
SH		 360}
361
f6fbd8cb 362static bool is_v3header(int size, const struct vfs_cap_data *cap)
8db6c34f 363{
8db6c34f
SH		 364 if (size != XATTR_CAPS_SZ_3)
365 return false;
dc32b5c3 366 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
8db6c34f
SH		 367}
368
369/*
370 * getsecurity: We are called for security.* before any attempt to read the
371 * xattr from the inode itself.
372 *
373 * This gives us a chance to read the on-disk value and convert it. If we
374 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
375 *
376 * Note we are not called by vfs_getxattr_alloc(), but that is only called
377 * by the integrity subsystem, which really wants the unconverted values -
378 * so that's good.
379 */
4609e1f1 380int cap_inode_getsecurity(struct mnt_idmap *idmap,
71bc356f 381 struct inode *inode, const char *name, void **buffer,
8db6c34f
SH		 382 bool alloc)
383{
f6fbd8cb 384 int size;
8db6c34f 385 kuid_t kroot;
b7c9b675 386 vfsuid_t vfsroot;
f2b00be4 387 u32 nsmagic, magic;
8db6c34f
SH		 388 uid_t root, mappedroot;
389 char *tmpbuf = NULL;
390 struct vfs_cap_data *cap;
f2b00be4 391 struct vfs_ns_cap_data *nscap = NULL;
8db6c34f
SH		 392 struct dentry *dentry;
393 struct user_namespace *fs_ns;
394
395 if (strcmp(name, "capability") != 0)
396 return -EOPNOTSUPP;
397
355139a8 398 dentry = d_find_any_alias(inode);
8db6c34f
SH		 399 if (!dentry)
400 return -EINVAL;
4609e1f1 401 size = vfs_getxattr_alloc(idmap, dentry, XATTR_NAME_CAPS, &tmpbuf,
f6fbd8cb 402 sizeof(struct vfs_ns_cap_data), GFP_NOFS);
8db6c34f 403 dput(dentry);
f6fbd8cb
PM		 404 /* gcc11 complains if we don't check for !tmpbuf */
405 if (size < 0 || !tmpbuf)
8cf0a1bc 406 goto out_free;
8db6c34f
SH		 407
408 fs_ns = inode->i_sb->s_user_ns;
409 cap = (struct vfs_cap_data *) tmpbuf;
f6fbd8cb 410 if (is_v2header(size, cap)) {
f2b00be4 411 root = 0;
f6fbd8cb 412 } else if (is_v3header(size, cap)) {
f2b00be4
MS		 413 nscap = (struct vfs_ns_cap_data *) tmpbuf;
414 root = le32_to_cpu(nscap->rootid);
415 } else {
416 size = -EINVAL;
417 goto out_free;
8db6c34f
SH		 418 }
419
8db6c34f
SH		 420 kroot = make_kuid(fs_ns, root);
421
71bc356f 422 /* If this is an idmapped mount shift the kuid. */
4d7ca409 423 vfsroot = make_vfsuid(idmap, fs_ns, kroot);
71bc356f 424
8db6c34f
SH		 425 /* If the root kuid maps to a valid uid in current ns, then return
426 * this as a nscap. */
b7c9b675 427 mappedroot = from_kuid(current_user_ns(), vfsuid_into_kuid(vfsroot));
8db6c34f 428 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
f2b00be4 429 size = sizeof(struct vfs_ns_cap_data);
8db6c34f 430 if (alloc) {
f2b00be4
MS		 431 if (!nscap) {
432 /* v2 -> v3 conversion */
433 nscap = kzalloc(size, GFP_ATOMIC);
434 if (!nscap) {
435 size = -ENOMEM;
436 goto out_free;
437 }
438 nsmagic = VFS_CAP_REVISION_3;
439 magic = le32_to_cpu(cap->magic_etc);
440 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
441 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
442 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
443 nscap->magic_etc = cpu_to_le32(nsmagic);
444 } else {
445 /* use allocated v3 buffer */
446 tmpbuf = NULL;
447 }
8db6c34f 448 nscap->rootid = cpu_to_le32(mappedroot);
f2b00be4
MS		 449 *buffer = nscap;
450 }
451 goto out_free;
8db6c34f
SH		 452 }
453
b7c9b675 454 if (!rootid_owns_currentns(vfsroot)) {
f2b00be4
MS		 455 size = -EOVERFLOW;
456 goto out_free;
8db6c34f
SH		 457 }
458
459 /* This comes from a parent namespace. Return as a v2 capability */
460 size = sizeof(struct vfs_cap_data);
461 if (alloc) {
f2b00be4
MS		 462 if (nscap) {
463 /* v3 -> v2 conversion */
464 cap = kzalloc(size, GFP_ATOMIC);
465 if (!cap) {
466 size = -ENOMEM;
467 goto out_free;
468 }
8db6c34f
SH		 469 magic = VFS_CAP_REVISION_2;
470 nsmagic = le32_to_cpu(nscap->magic_etc);
471 if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
472 magic |= VFS_CAP_FLAGS_EFFECTIVE;
473 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
474 cap->magic_etc = cpu_to_le32(magic);
1f578172 475 } else {
f2b00be4
MS		 476 /* use unconverted v2 */
477 tmpbuf = NULL;
8db6c34f 478 }
f2b00be4 479 *buffer = cap;
8db6c34f 480 }
f2b00be4 481out_free:
8db6c34f
SH		 482 kfree(tmpbuf);
483 return size;
484}
485
e65ce2a5
CB		 486/**
487 * rootid_from_xattr - translate root uid of vfs caps
488 *
489 * @value: vfs caps value which may be modified by this function
490 * @size: size of @ivalue
491 * @task_ns: user namespace of the caller
e65ce2a5 492 */
b7c9b675
CB		 493static vfsuid_t rootid_from_xattr(const void *value, size_t size,
494 struct user_namespace *task_ns)
8db6c34f
SH		 495{
496 const struct vfs_ns_cap_data *nscap = value;
497 uid_t rootid = 0;
498
499 if (size == XATTR_CAPS_SZ_3)
500 rootid = le32_to_cpu(nscap->rootid);
501
b7c9b675 502 return VFSUIDT_INIT(make_kuid(task_ns, rootid));
8db6c34f
SH		 503}
504
dc32b5c3 505static bool validheader(size_t size, const struct vfs_cap_data *cap)
8db6c34f 506{
dc32b5c3 507 return is_v2header(size, cap) || is_v3header(size, cap);
8db6c34f
SH		 508}
509
e65ce2a5
CB		 510/**
511 * cap_convert_nscap - check vfs caps
512 *
39f60c1c 513 * @idmap: idmap of the mount the inode was found from
e65ce2a5
CB		 514 * @dentry: used to retrieve inode to check permissions on
515 * @ivalue: vfs caps value which may be modified by this function
516 * @size: size of @ivalue
517 *
8db6c34f
SH		 518 * User requested a write of security.capability. If needed, update the
519 * xattr to change from v2 to v3, or to fixup the v3 rootid.
520 *
39f60c1c
CB		 521 * If the inode has been found through an idmapped mount the idmap of
522 * the vfsmount must be passed through @idmap. This function will then
523 * take care to map the inode according to @idmap before checking
e65ce2a5 524 * permissions. On non-idmapped mounts or if permission checking is to be
39f60c1c 525 * performed on the raw inode simply passs @nop_mnt_idmap.
e65ce2a5 526 *
049ae601 527 * Return: On success, return the new size; on error, return < 0.
8db6c34f 528 */
39f60c1c 529int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry,
e65ce2a5 530 const void **ivalue, size_t size)
8db6c34f
SH		 531{
532 struct vfs_ns_cap_data *nscap;
533 uid_t nsrootid;
534 const struct vfs_cap_data *cap = *ivalue;
535 __u32 magic, nsmagic;
536 struct inode *inode = d_backing_inode(dentry);
537 struct user_namespace *task_ns = current_user_ns(),
3b0c2d3e 538 *fs_ns = inode->i_sb->s_user_ns;
8db6c34f 539 kuid_t rootid;
b7c9b675 540 vfsuid_t vfsrootid;
8db6c34f
SH		 541 size_t newsize;
542
543 if (!*ivalue)
544 return -EINVAL;
dc32b5c3 545 if (!validheader(size, cap))
8db6c34f 546 return -EINVAL;
9452e93e 547 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
8db6c34f 548 return -EPERM;
39f60c1c 549 if (size == XATTR_CAPS_SZ_2 && (idmap == &nop_mnt_idmap))
8db6c34f
SH		 550 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
551 /* user is privileged, just write the v2 */
552 return size;
553
b7c9b675
CB		 554 vfsrootid = rootid_from_xattr(*ivalue, size, task_ns);
555 if (!vfsuid_valid(vfsrootid))
556 return -EINVAL;
557
4d7ca409 558 rootid = from_vfsuid(idmap, fs_ns, vfsrootid);
8db6c34f
SH		 559 if (!uid_valid(rootid))
560 return -EINVAL;
561
562 nsrootid = from_kuid(fs_ns, rootid);
563 if (nsrootid == -1)
564 return -EINVAL;
565
566 newsize = sizeof(struct vfs_ns_cap_data);
567 nscap = kmalloc(newsize, GFP_ATOMIC);
568 if (!nscap)
569 return -ENOMEM;
570 nscap->rootid = cpu_to_le32(nsrootid);
571 nsmagic = VFS_CAP_REVISION_3;
572 magic = le32_to_cpu(cap->magic_etc);
573 if (magic & VFS_CAP_FLAGS_EFFECTIVE)
574 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
575 nscap->magic_etc = cpu_to_le32(nsmagic);
576 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
577
8db6c34f
SH		 578 *ivalue = nscap;
579 return newsize;
580}
581
1d045980
DH		 582/*
583 * Calculate the new process capability sets from the capability sets attached
584 * to a file.
585 */
c0b00441 586static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
a6f76f23 587 struct linux_binprm *bprm,
4d49f671 588 bool *effective,
fc7eadf7 589 bool *has_fcap)
b5376771 590{
a6f76f23 591 struct cred *new = bprm->cred;
c0b00441
EP		 592 int ret = 0;
593
594 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
a6f76f23 595 *effective = true;
c0b00441 596
4d49f671 597 if (caps->magic_etc & VFS_CAP_REVISION_MASK)
fc7eadf7 598 *has_fcap = true;
4d49f671 599
f122a08b
LT		 600 /*
601 * pP' = (X & fP) | (pI & fI)
602 * The addition of pA' is handled later.
603 */
604 new->cap_permitted.val =
605 (new->cap_bset.val & caps->permitted.val) |
606 (new->cap_inheritable.val & caps->inheritable.val);
c0b00441 607
f122a08b
LT		 608 if (caps->permitted.val & ~new->cap_permitted.val)
609 /* insufficient to execute correctly */
610 ret = -EPERM;
c0b00441
EP		 611
612 /*
613 * For legacy apps, with no internal support for recognizing they
614 * do not have enough capabilities, we return an error if they are
615 * missing some "forced" (aka file-permitted) capabilities.
616 */
a6f76f23 617 return *effective ? ret : 0;
c0b00441
EP		 618}
619
71bc356f
CB		 620/**
621 * get_vfs_caps_from_disk - retrieve vfs caps from disk
622 *
39f60c1c 623 * @idmap: idmap of the mount the inode was found from
71bc356f
CB		 624 * @dentry: dentry from which @inode is retrieved
625 * @cpu_caps: vfs capabilities
626 *
1d045980 627 * Extract the on-exec-apply capability sets for an executable file.
71bc356f 628 *
39f60c1c
CB		 629 * If the inode has been found through an idmapped mount the idmap of
630 * the vfsmount must be passed through @idmap. This function will then
631 * take care to map the inode according to @idmap before checking
71bc356f 632 * permissions. On non-idmapped mounts or if permission checking is to be
39f60c1c 633 * performed on the raw inode simply passs @nop_mnt_idmap.
1d045980 634 */
39f60c1c 635int get_vfs_caps_from_disk(struct mnt_idmap *idmap,
71bc356f
CB		 636 const struct dentry *dentry,
637 struct cpu_vfs_cap_data *cpu_caps)
c0b00441 638{
c6f493d6 639 struct inode *inode = d_backing_inode(dentry);
b5376771 640 __u32 magic_etc;
c0b00441 641 int size;
8db6c34f
SH		 642 struct vfs_ns_cap_data data, *nscaps = &data;
643 struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
644 kuid_t rootkuid;
b7c9b675 645 vfsuid_t rootvfsuid;
76ba89c7 646 struct user_namespace *fs_ns;
c0b00441
EP		 647
648 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
649
5d6c3191 650 if (!inode)
c0b00441
EP		 651 return -ENODATA;
652
76ba89c7 653 fs_ns = inode->i_sb->s_user_ns;
5d6c3191 654 size = __vfs_getxattr((struct dentry *)dentry, inode,
8db6c34f 655 XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
a6f76f23 656 if (size == -ENODATA || size == -EOPNOTSUPP)
c0b00441
EP		 657 /* no data, that's ok */
658 return -ENODATA;
8db6c34f 659
c0b00441
EP		 660 if (size < 0)
661 return size;
b5376771 662
e338d263 663 if (size < sizeof(magic_etc))
b5376771
SH		 664 return -EINVAL;
665
8db6c34f 666 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);
b5376771 667
8db6c34f 668 rootkuid = make_kuid(fs_ns, 0);
a6f76f23 669 switch (magic_etc & VFS_CAP_REVISION_MASK) {
e338d263
AM		 670 case VFS_CAP_REVISION_1:
671 if (size != XATTR_CAPS_SZ_1)
672 return -EINVAL;
e338d263
AM		 673 break;
674 case VFS_CAP_REVISION_2:
675 if (size != XATTR_CAPS_SZ_2)
676 return -EINVAL;
e338d263 677 break;
8db6c34f
SH		 678 case VFS_CAP_REVISION_3:
679 if (size != XATTR_CAPS_SZ_3)
680 return -EINVAL;
8db6c34f
SH		 681 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
682 break;
683
b5376771
SH		 684 default:
685 return -EINVAL;
686 }
b7c9b675 687
4d7ca409 688 rootvfsuid = make_vfsuid(idmap, fs_ns, rootkuid);
b7c9b675
CB		 689 if (!vfsuid_valid(rootvfsuid))
690 return -ENODATA;
691
8db6c34f
SH		 692 /* Limit the caps to the mounter of the filesystem
693 * or the more limited uid specified in the xattr.
694 */
b7c9b675 695 if (!rootid_owns_currentns(rootvfsuid))
8db6c34f 696 return -ENODATA;
e338d263 697
f122a08b
LT		 698 cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted);
699 cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable);
700
701 /*
702 * Rev1 had just a single 32-bit word, later expanded
703 * to a second one for the high bits
704 */
705 if ((magic_etc & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_1) {
706 cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32;
707 cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32;
e338d263 708 }
a6f76f23 709
f122a08b
LT		 710 cpu_caps->permitted.val &= CAP_VALID_MASK;
711 cpu_caps->inheritable.val &= CAP_VALID_MASK;
7d8b6c63 712
b7c9b675 713 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid);
2fec30e2 714
c0b00441 715 return 0;
b5376771
SH		 716}
717
1d045980
DH		 718/*
719 * Attempt to get the on-exec apply capability sets for an executable file from
720 * its xattrs and, if present, apply them to the proposed credentials being
721 * constructed by execve().
722 */
56305aa9
EB		 723static int get_file_caps(struct linux_binprm *bprm, struct file *file,
724 bool *effective, bool *has_fcap)
b5376771 725{
b5376771 726 int rc = 0;
c0b00441 727 struct cpu_vfs_cap_data vcaps;
b5376771 728
ee67ae7e 729 cap_clear(bprm->cred->cap_permitted);
3318a386 730
1f29fae2
SH		 731 if (!file_caps_enabled)
732 return 0;
733
56305aa9 734 if (!mnt_may_suid(file->f_path.mnt))
b5376771 735 return 0;
380cf5ba
AL		 736
737 /*
738 * This check is redundant with mnt_may_suid() but is kept to make
739 * explicit that capability bits are limited to s_user_ns and its
740 * descendants.
741 */
56305aa9 742 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
d07b846f 743 return 0;
b5376771 744
39f60c1c 745 rc = get_vfs_caps_from_disk(file_mnt_idmap(file),
71bc356f 746 file->f_path.dentry, &vcaps);
c0b00441
EP		 747 if (rc < 0) {
748 if (rc == -EINVAL)
8db6c34f
SH		 749 printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
750 bprm->filename);
c0b00441
EP		 751 else if (rc == -ENODATA)
752 rc = 0;
b5376771
SH		 753 goto out;
754 }
b5376771 755
fc7eadf7 756 rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
b5376771
SH		 757
758out:
b5376771 759 if (rc)
ee67ae7e 760 cap_clear(bprm->cred->cap_permitted);
b5376771
SH		 761
762 return rc;
763}
764
9304b46c
RGB		 765static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
766
81a6a012
RGB		 767static inline bool __is_real(kuid_t uid, struct cred *cred)
768{ return uid_eq(cred->uid, uid); }
769
770static inline bool __is_eff(kuid_t uid, struct cred *cred)
771{ return uid_eq(cred->euid, uid); }
772
773static inline bool __is_suid(kuid_t uid, struct cred *cred)
774{ return !__is_real(uid, cred) && __is_eff(uid, cred); }
775
db1a8922
RGB		 776/*
777 * handle_privileged_root - Handle case of privileged root
778 * @bprm: The execution parameters, including the proposed creds
779 * @has_fcap: Are any file capabilities set?
780 * @effective: Do we have effective root privilege?
781 * @root_uid: This namespace' root UID WRT initial USER namespace
782 *
783 * Handle the case where root is privileged and hasn't been neutered by
784 * SECURE_NOROOT. If file capabilities are set, they won't be combined with
785 * set UID root and nothing is changed. If we are root, cap_permitted is
786 * updated. If we have become set UID root, the effective bit is set.
787 */
fc7eadf7 788static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
db1a8922
RGB		 789 bool *effective, kuid_t root_uid)
790{
791 const struct cred *old = current_cred();
792 struct cred *new = bprm->cred;
793
9304b46c 794 if (!root_privileged())
db1a8922
RGB		 795 return;
796 /*
797 * If the legacy file capability is set, then don't set privs
798 * for a setuid root binary run by a non-root user. Do set it
799 * for a root user just to cause least surprise to an admin.
800 */
81a6a012 801 if (has_fcap && __is_suid(root_uid, new)) {
db1a8922
RGB		 802 warn_setuid_and_fcaps_mixed(bprm->filename);
803 return;
804 }
805 /*
806 * To support inheritance of root-permissions and suid-root
807 * executables under compatibility mode, we override the
808 * capability sets for the file.
809 */
81a6a012 810 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
db1a8922
RGB		 811 /* pP' = (cap_bset & ~0) | (pI & ~0) */
812 new->cap_permitted = cap_combine(old->cap_bset,
813 old->cap_inheritable);
814 }
815 /*
816 * If only the real uid is 0, we do not set the effective bit.
817 */
81a6a012 818 if (__is_eff(root_uid, new))
db1a8922
RGB		 819 *effective = true;
820}
821
4c7e715f
RGB		 822#define __cap_gained(field, target, source) \
823 !cap_issubset(target->cap_##field, source->cap_##field)
824#define __cap_grew(target, source, cred) \
825 !cap_issubset(cred->cap_##target, cred->cap_##source)
826#define __cap_full(field, cred) \
827 cap_issubset(CAP_FULL_SET, cred->cap_##field)
81a6a012
RGB		 828
829static inline bool __is_setuid(struct cred *new, const struct cred *old)
830{ return !uid_eq(new->euid, old->uid); }
831
832static inline bool __is_setgid(struct cred *new, const struct cred *old)
833{ return !gid_eq(new->egid, old->gid); }
834
9fbc2c79 835/*
dbbbe110 836 * 1) Audit candidate if current->cap_effective is set
9fbc2c79
RGB		 837 *
838 * We do not bother to audit if 3 things are true:
839 * 1) cap_effective has all caps
588fb2c7 840 * 2) we became root *OR* are were already root
9fbc2c79
RGB		 841 * 3) root is supposed to have all caps (SECURE_NOROOT)
842 * Since this is just a normal root execing a process.
843 *
844 * Number 1 above might fail if you don't have a full bset, but I think
845 * that is interesting information to audit.
dbbbe110
RGB		 846 *
847 * A number of other conditions require logging:
848 * 2) something prevented setuid root getting all caps
849 * 3) non-setuid root gets fcaps
850 * 4) non-setuid root gets ambient
9fbc2c79 851 */
dbbbe110
RGB		 852static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
853 kuid_t root, bool has_fcap)
9fbc2c79
RGB		 854{
855 bool ret = false;
856
dbbbe110
RGB		 857 if ((__cap_grew(effective, ambient, new) &&
858 !(__cap_full(effective, new) &&
859 (__is_eff(root, new) || __is_real(root, new)) &&
860 root_privileged())) ||
861 (root_privileged() &&
862 __is_suid(root, new) &&
863 !__cap_full(effective, new)) ||
864 (!__is_setuid(new, old) &&
865 ((has_fcap &&
866 __cap_gained(permitted, new, old)) ||
867 __cap_gained(ambient, new, old))))
868
02ebbaf4 869 ret = true;
dbbbe110 870
9fbc2c79
RGB		 871 return ret;
872}
873
1d045980 874/**
56305aa9 875 * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
1d045980 876 * @bprm: The execution parameters, including the proposed creds
56305aa9 877 * @file: The file to pull the credentials from
1d045980
DH		 878 *
879 * Set up the proposed credentials for a new execution context being
880 * constructed by execve(). The proposed creds in @bprm->cred is altered,
049ae601
RD		 881 * which won't take effect immediately.
882 *
883 * Return: 0 if successful, -ve on error.
a6f76f23 884 */
56305aa9 885int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file)
1da177e4 886{
56305aa9 887 /* Process setpcap binaries and capabilities for uid 0 */
a6f76f23
DH		 888 const struct cred *old = current_cred();
889 struct cred *new = bprm->cred;
fc7eadf7 890 bool effective = false, has_fcap = false, is_setid;
b5376771 891 int ret;
18815a18 892 kuid_t root_uid;
1da177e4 893
58319057
AL		 894 if (WARN_ON(!cap_ambient_invariant_ok(old)))
895 return -EPERM;
896
56305aa9 897 ret = get_file_caps(bprm, file, &effective, &has_fcap);
a6f76f23
DH		 898 if (ret < 0)
899 return ret;
1da177e4 900
18815a18
EB		 901 root_uid = make_kuid(new->user_ns, 0);
902
fc7eadf7 903 handle_privileged_root(bprm, has_fcap, &effective, root_uid);
b5376771 904
d52fc5dd 905 /* if we have fs caps, clear dangerous personality flags */
4c7e715f 906 if (__cap_gained(permitted, new, old))
56305aa9 907 bprm->per_clear |= PER_CLEAR_ON_SETID;
d52fc5dd 908
a6f76f23 909 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
259e5e6c
AL		 910 * credentials unless they have the appropriate permit.
911 *
912 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
a6f76f23 913 */
81a6a012 914 is_setid = __is_setuid(new, old) || __is_setgid(new, old);
58319057 915
4c7e715f 916 if ((is_setid || __cap_gained(permitted, new, old)) &&
9227dd2a 917 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
20523132 918 !ptracer_capable(current, new->user_ns))) {
a6f76f23 919 /* downgrade; they get no more than they had, and maybe less */
70169420 920 if (!ns_capable(new->user_ns, CAP_SETUID) ||
259e5e6c 921 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
a6f76f23
DH		 922 new->euid = new->uid;
923 new->egid = new->gid;
1da177e4 924 }
b3a222e5
SH		 925 new->cap_permitted = cap_intersect(new->cap_permitted,
926 old->cap_permitted);
1da177e4
LT		 927 }
928
a6f76f23
DH		 929 new->suid = new->fsuid = new->euid;
930 new->sgid = new->fsgid = new->egid;
1da177e4 931
58319057 932 /* File caps or setid cancels ambient. */
fc7eadf7 933 if (has_fcap || is_setid)
58319057
AL		 934 cap_clear(new->cap_ambient);
935
936 /*
937 * Now that we've computed pA', update pP' to give:
938 * pP' = (X & fP) | (pI & fI) | pA'
939 */
940 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
941
942 /*
943 * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set,
944 * this is the same as pE' = (fE ? pP' : 0) | pA'.
945 */
4bf2ea77
EP		 946 if (effective)
947 new->cap_effective = new->cap_permitted;
948 else
58319057
AL		 949 new->cap_effective = new->cap_ambient;
950
951 if (WARN_ON(!cap_ambient_invariant_ok(new)))
952 return -EPERM;
953
dbbbe110 954 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
9fbc2c79
RGB		 955 ret = audit_log_bprm_fcaps(bprm, new, old);
956 if (ret < 0)
957 return ret;
3fc689e9 958 }
1da177e4 959
d84f4f99 960 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
58319057
AL		 961
962 if (WARN_ON(!cap_ambient_invariant_ok(new)))
963 return -EPERM;
964
46d98eb4 965 /* Check for privilege-elevated exec. */
02ebbaf4
RGB		 966 if (is_setid ||
967 (!__is_real(root_uid, new) &&
968 (effective ||
969 __cap_grew(permitted, ambient, new))))
56305aa9 970 bprm->secureexec = 1;
b5376771 971
ee67ae7e 972 return 0;
1da177e4
LT		 973}
974
1d045980
DH		 975/**
976 * cap_inode_setxattr - Determine whether an xattr may be altered
977 * @dentry: The inode/dentry being altered
978 * @name: The name of the xattr to be changed
979 * @value: The value that the xattr will be changed to
980 * @size: The size of value
981 * @flags: The replacement flag
982 *
983 * Determine whether an xattr may be altered or set on an inode, returning 0 if
984 * permission is granted, -ve if denied.
985 *
986 * This is used to make sure security xattrs don't get updated or set by those
987 * who aren't privileged to do so.
988 */
8f0cfa52
DH		 989int cap_inode_setxattr(struct dentry *dentry, const char *name,
990 const void *value, size_t size, int flags)
1da177e4 991{
b1d749c5
EB		 992 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
993
8db6c34f
SH		 994 /* Ignore non-security xattrs */
995 if (strncmp(name, XATTR_SECURITY_PREFIX,
c5eaab1d 996 XATTR_SECURITY_PREFIX_LEN) != 0)
8db6c34f
SH		 997 return 0;
998
999 /*
1000 * For XATTR_NAME_CAPS the check will be done in
1001 * cap_convert_nscap(), called by setxattr()
1002 */
1003 if (strcmp(name, XATTR_NAME_CAPS) == 0)
b5376771 1004 return 0;
1d045980 1005
b1d749c5 1006 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1da177e4
LT		 1007 return -EPERM;
1008 return 0;
1009}
1010
1d045980
DH		 1011/**
1012 * cap_inode_removexattr - Determine whether an xattr may be removed
71bc356f 1013 *
39f60c1c 1014 * @idmap: idmap of the mount the inode was found from
71bc356f
CB		 1015 * @dentry: The inode/dentry being altered
1016 * @name: The name of the xattr to be changed
1d045980
DH		 1017 *
1018 * Determine whether an xattr may be removed from an inode, returning 0 if
1019 * permission is granted, -ve if denied.
1020 *
39f60c1c
CB		 1021 * If the inode has been found through an idmapped mount the idmap of
1022 * the vfsmount must be passed through @idmap. This function will then
1023 * take care to map the inode according to @idmap before checking
71bc356f 1024 * permissions. On non-idmapped mounts or if permission checking is to be
39f60c1c 1025 * performed on the raw inode simply pass @nop_mnt_idmap.
71bc356f 1026 *
1d045980
DH		 1027 * This is used to make sure security xattrs don't get removed by those who
1028 * aren't privileged to remove them.
1029 */
39f60c1c 1030int cap_inode_removexattr(struct mnt_idmap *idmap,
71bc356f 1031 struct dentry *dentry, const char *name)
1da177e4 1032{
b1d749c5
EB		 1033 struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
1034
8db6c34f
SH		 1035 /* Ignore non-security xattrs */
1036 if (strncmp(name, XATTR_SECURITY_PREFIX,
c5eaab1d 1037 XATTR_SECURITY_PREFIX_LEN) != 0)
8db6c34f
SH		 1038 return 0;
1039
1040 if (strcmp(name, XATTR_NAME_CAPS) == 0) {
1041 /* security.capability gets namespaced */
1042 struct inode *inode = d_backing_inode(dentry);
1043 if (!inode)
1044 return -EINVAL;
9452e93e 1045 if (!capable_wrt_inode_uidgid(idmap, inode, CAP_SETFCAP))
b5376771
SH		 1046 return -EPERM;
1047 return 0;
1d045980
DH		 1048 }
1049
b1d749c5 1050 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
1da177e4
LT		 1051 return -EPERM;
1052 return 0;
1053}
1054
a6f76f23 1055/*
1da177e4
LT		 1056 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
1057 * a process after a call to setuid, setreuid, or setresuid.
1058 *
1059 * 1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
1060 * {r,e,s}uid != 0, the permitted and effective capabilities are
1061 * cleared.
1062 *
1063 * 2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
1064 * capabilities of the process are cleared.
1065 *
1066 * 3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
1067 * capabilities are set to the permitted capabilities.
1068 *
a6f76f23 1069 * fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
1da177e4
LT		 1070 * never happen.
1071 *
a6f76f23 1072 * -astor
1da177e4
LT		 1073 *
1074 * cevans - New behaviour, Oct '99
1075 * A process may, via prctl(), elect to keep its capabilities when it
1076 * calls setuid() and switches away from uid==0. Both permitted and
1077 * effective sets will be retained.
1078 * Without this change, it was impossible for a daemon to drop only some
1079 * of its privilege. The call to setuid(!=0) would drop all privileges!
1080 * Keeping uid 0 is not an option because uid 0 owns too many vital
1081 * files..
1082 * Thanks to Olaf Kirch and Peter Benie for spotting this.
1083 */
d84f4f99 1084static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
1da177e4 1085{
18815a18
EB		 1086 kuid_t root_uid = make_kuid(old->user_ns, 0);
1087
1088 if ((uid_eq(old->uid, root_uid) ||
1089 uid_eq(old->euid, root_uid) ||
1090 uid_eq(old->suid, root_uid)) &&
1091 (!uid_eq(new->uid, root_uid) &&
1092 !uid_eq(new->euid, root_uid) &&
58319057
AL		 1093 !uid_eq(new->suid, root_uid))) {
1094 if (!issecure(SECURE_KEEP_CAPS)) {
1095 cap_clear(new->cap_permitted);
1096 cap_clear(new->cap_effective);
1097 }
1098
1099 /*
1100 * Pre-ambient programs expect setresuid to nonroot followed
1101 * by exec to drop capabilities. We should make sure that
1102 * this remains the case.
1103 */
1104 cap_clear(new->cap_ambient);
1da177e4 1105 }
18815a18 1106 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
d84f4f99 1107 cap_clear(new->cap_effective);
18815a18 1108 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
d84f4f99 1109 new->cap_effective = new->cap_permitted;
1da177e4
LT		 1110}
1111
1d045980
DH		 1112/**
1113 * cap_task_fix_setuid - Fix up the results of setuid() call
1114 * @new: The proposed credentials
1115 * @old: The current task's current credentials
1116 * @flags: Indications of what has changed
1117 *
1118 * Fix up the results of setuid() call before the credential changes are
049ae601
RD		 1119 * actually applied.
1120 *
1121 * Return: 0 to grant the changes, -ve to deny them.
1d045980 1122 */
d84f4f99 1123int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
1da177e4
LT		 1124{
1125 switch (flags) {
1126 case LSM_SETID_RE:
1127 case LSM_SETID_ID:
1128 case LSM_SETID_RES:
1d045980
DH		 1129 /* juggle the capabilities to follow [RES]UID changes unless
1130 * otherwise suppressed */
d84f4f99
DH		 1131 if (!issecure(SECURE_NO_SETUID_FIXUP))
1132 cap_emulate_setxuid(new, old);
1da177e4 1133 break;
1da177e4 1134
1d045980
DH		 1135 case LSM_SETID_FS:
1136 /* juggle the capabilties to follow FSUID changes, unless
1137 * otherwise suppressed
1138 *
d84f4f99
DH		 1139 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
1140 * if not, we might be a bit too harsh here.
1141 */
1142 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
18815a18
EB		 1143 kuid_t root_uid = make_kuid(old->user_ns, 0);
1144 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
d84f4f99
DH		 1145 new->cap_effective =
1146 cap_drop_fs_set(new->cap_effective);
1d045980 1147
18815a18 1148 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
d84f4f99
DH		 1149 new->cap_effective =
1150 cap_raise_fs_set(new->cap_effective,
1151 new->cap_permitted);
1da177e4 1152 }
d84f4f99 1153 break;
1d045980 1154
1da177e4
LT		 1155 default:
1156 return -EINVAL;
1157 }
1158
1159 return 0;
1160}
1161
b5376771
SH		 1162/*
1163 * Rationale: code calling task_setscheduler, task_setioprio, and
1164 * task_setnice, assumes that
1165 * . if capable(cap_sys_nice), then those actions should be allowed
1166 * . if not capable(cap_sys_nice), but acting on your own processes,
1167 * then those actions should be allowed
1168 * This is insufficient now since you can call code without suid, but
1169 * yet with increased caps.
1170 * So we check for increased caps on the target process.
1171 */
de45e806 1172static int cap_safe_nice(struct task_struct *p)
b5376771 1173{
f54fb863 1174 int is_subset, ret = 0;
c69e8d9c
DH		 1175
1176 rcu_read_lock();
1177 is_subset = cap_issubset(__task_cred(p)->cap_permitted,
1178 current_cred()->cap_permitted);
f54fb863
SH		 1179 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
1180 ret = -EPERM;
c69e8d9c
DH		 1181 rcu_read_unlock();
1182
f54fb863 1183 return ret;
b5376771
SH		 1184}
1185
1d045980
DH		 1186/**
1187 * cap_task_setscheduler - Detemine if scheduler policy change is permitted
1188 * @p: The task to affect
1d045980
DH		 1189 *
1190 * Detemine if the requested scheduler policy change is permitted for the
049ae601
RD		 1191 * specified task.
1192 *
1193 * Return: 0 if permission is granted, -ve if denied.
1d045980 1194 */
b0ae1981 1195int cap_task_setscheduler(struct task_struct *p)
b5376771
SH		 1196{
1197 return cap_safe_nice(p);
1198}
1199
1d045980 1200/**
049ae601 1201 * cap_task_setioprio - Detemine if I/O priority change is permitted
1d045980
DH		 1202 * @p: The task to affect
1203 * @ioprio: The I/O priority to set
1204 *
1205 * Detemine if the requested I/O priority change is permitted for the specified
049ae601
RD		 1206 * task.
1207 *
1208 * Return: 0 if permission is granted, -ve if denied.
1d045980
DH		 1209 */
1210int cap_task_setioprio(struct task_struct *p, int ioprio)
b5376771
SH		 1211{
1212 return cap_safe_nice(p);
1213}
1214
1d045980 1215/**
049ae601 1216 * cap_task_setnice - Detemine if task priority change is permitted
1d045980
DH		 1217 * @p: The task to affect
1218 * @nice: The nice value to set
1219 *
1220 * Detemine if the requested task priority change is permitted for the
049ae601
RD		 1221 * specified task.
1222 *
1223 * Return: 0 if permission is granted, -ve if denied.
1d045980
DH		 1224 */
1225int cap_task_setnice(struct task_struct *p, int nice)
b5376771
SH		 1226{
1227 return cap_safe_nice(p);
1228}
1229
3b7391de 1230/*
1d045980
DH		 1231 * Implement PR_CAPBSET_DROP. Attempt to remove the specified capability from
1232 * the current task's bounding set. Returns 0 on success, -ve on error.
3b7391de 1233 */
6d6f3328 1234static int cap_prctl_drop(unsigned long cap)
3b7391de 1235{
6d6f3328
TH		 1236 struct cred *new;
1237
160da84d 1238 if (!ns_capable(current_user_ns(), CAP_SETPCAP))
3b7391de
SH		 1239 return -EPERM;
1240 if (!cap_valid(cap))
1241 return -EINVAL;
d84f4f99 1242
6d6f3328
TH		 1243 new = prepare_creds();
1244 if (!new)
1245 return -ENOMEM;
d84f4f99 1246 cap_lower(new->cap_bset, cap);
6d6f3328 1247 return commit_creds(new);
3b7391de 1248}
3898b1b4 1249
1d045980
DH		 1250/**
1251 * cap_task_prctl - Implement process control functions for this security module
1252 * @option: The process control function requested
049ae601
RD		 1253 * @arg2: The argument data for this function
1254 * @arg3: The argument data for this function
1255 * @arg4: The argument data for this function
1256 * @arg5: The argument data for this function
1d045980
DH		 1257 *
1258 * Allow process control functions (sys_prctl()) to alter capabilities; may
1259 * also deny access to other functions not otherwise implemented here.
1260 *
049ae601 1261 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
1d045980
DH		 1262 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
1263 * modules will consider performing the function.
1264 */
3898b1b4 1265int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
d84f4f99 1266 unsigned long arg4, unsigned long arg5)
3898b1b4 1267{
6d6f3328 1268 const struct cred *old = current_cred();
d84f4f99 1269 struct cred *new;
d84f4f99 1270
3898b1b4
AM		 1271 switch (option) {
1272 case PR_CAPBSET_READ:
1273 if (!cap_valid(arg2))
6d6f3328
TH		 1274 return -EINVAL;
1275 return !!cap_raised(old->cap_bset, arg2);
d84f4f99 1276
3898b1b4 1277 case PR_CAPBSET_DROP:
6d6f3328 1278 return cap_prctl_drop(arg2);
3898b1b4
AM		 1279
1280 /*
1281 * The next four prctl's remain to assist with transitioning a
1282 * system from legacy UID=0 based privilege (when filesystem
1283 * capabilities are not in use) to a system using filesystem
1284 * capabilities only - as the POSIX.1e draft intended.
1285 *
1286 * Note:
1287 *
1288 * PR_SET_SECUREBITS =
1289 * issecure_mask(SECURE_KEEP_CAPS_LOCKED)
1290 * | issecure_mask(SECURE_NOROOT)
1291 * | issecure_mask(SECURE_NOROOT_LOCKED)
1292 * | issecure_mask(SECURE_NO_SETUID_FIXUP)
1293 * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
1294 *
1295 * will ensure that the current process and all of its
1296 * children will be locked into a pure
1297 * capability-based-privilege environment.
1298 */
1299 case PR_SET_SECUREBITS:
6d6f3328
TH		 1300 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
1301 & (old->securebits ^ arg2)) /*[1]*/
1302 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
d84f4f99 1303 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
6a9de491 1304 || (cap_capable(current_cred(),
c1a85a00
MM		 1305 current_cred()->user_ns,
1306 CAP_SETPCAP,
1307 CAP_OPT_NONE) != 0) /*[4]*/
3898b1b4
AM		 1308 /*
1309 * [1] no changing of bits that are locked
1310 * [2] no unlocking of locks
1311 * [3] no setting of unsupported bits
1312 * [4] doing anything requires privilege (go read about
1313 * the "sendmail capabilities bug")
1314 */
d84f4f99
DH		 1315 )
1316 /* cannot change a locked bit */
6d6f3328
TH		 1317 return -EPERM;
1318
1319 new = prepare_creds();
1320 if (!new)
1321 return -ENOMEM;
d84f4f99 1322 new->securebits = arg2;
6d6f3328 1323 return commit_creds(new);
d84f4f99 1324
3898b1b4 1325 case PR_GET_SECUREBITS:
6d6f3328 1326 return old->securebits;
3898b1b4 1327
3898b1b4 1328 case PR_GET_KEEPCAPS:
6d6f3328 1329 return !!issecure(SECURE_KEEP_CAPS);
d84f4f99 1330
3898b1b4
AM		 1331 case PR_SET_KEEPCAPS:
1332 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
6d6f3328 1333 return -EINVAL;
d84f4f99 1334 if (issecure(SECURE_KEEP_CAPS_LOCKED))
6d6f3328
TH		 1335 return -EPERM;
1336
1337 new = prepare_creds();
1338 if (!new)
1339 return -ENOMEM;
d84f4f99
DH		 1340 if (arg2)
1341 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
3898b1b4 1342 else
d84f4f99 1343 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
6d6f3328 1344 return commit_creds(new);
3898b1b4 1345
58319057
AL		 1346 case PR_CAP_AMBIENT:
1347 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
1348 if (arg3 | arg4 | arg5)
1349 return -EINVAL;
1350
1351 new = prepare_creds();
1352 if (!new)
1353 return -ENOMEM;
1354 cap_clear(new->cap_ambient);
1355 return commit_creds(new);
1356 }
1357
1358 if (((!cap_valid(arg3)) | arg4 | arg5))
1359 return -EINVAL;
1360
1361 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
1362 return !!cap_raised(current_cred()->cap_ambient, arg3);
1363 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
1364 arg2 != PR_CAP_AMBIENT_LOWER) {
1365 return -EINVAL;
1366 } else {
1367 if (arg2 == PR_CAP_AMBIENT_RAISE &&
1368 (!cap_raised(current_cred()->cap_permitted, arg3) ||
1369 !cap_raised(current_cred()->cap_inheritable,
746bf6d6
AL		 1370 arg3) ||
1371 issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
58319057
AL		 1372 return -EPERM;
1373
1374 new = prepare_creds();
1375 if (!new)
1376 return -ENOMEM;
1377 if (arg2 == PR_CAP_AMBIENT_RAISE)
1378 cap_raise(new->cap_ambient, arg3);
1379 else
1380 cap_lower(new->cap_ambient, arg3);
1381 return commit_creds(new);
1382 }
1383
3898b1b4
AM		 1384 default:
1385 /* No functionality available - continue with default */
6d6f3328 1386 return -ENOSYS;
3898b1b4 1387 }
1da177e4
LT		 1388}
1389
1d045980
DH		 1390/**
1391 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1392 * @mm: The VM space in which the new mapping is to be made
1393 * @pages: The size of the mapping
1394 *
1395 * Determine whether the allocation of a new virtual mapping by the current
049ae601
RD		 1396 * task is permitted.
1397 *
1398 * Return: 1 if permission is granted, 0 if not.
1d045980 1399 */
34b4e4aa 1400int cap_vm_enough_memory(struct mm_struct *mm, long pages)
1da177e4
LT		 1401{
1402 int cap_sys_admin = 0;
1403
c1a85a00
MM		 1404 if (cap_capable(current_cred(), &init_user_ns,
1405 CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0)
1da177e4 1406 cap_sys_admin = 1;
c1a85a00 1407
b1d9e6b0 1408 return cap_sys_admin;
1da177e4 1409}
7c73875e 1410
049ae601 1411/**
d007794a 1412 * cap_mmap_addr - check if able to map given addr
7c73875e 1413 * @addr: address attempting to be mapped
7c73875e 1414 *
6f262d8e 1415 * If the process is attempting to map memory below dac_mmap_min_addr they need
7c73875e 1416 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
049ae601
RD		 1417 * capability security module.
1418 *
1419 * Return: 0 if this mapping should be allowed or -EPERM if not.
7c73875e 1420 */
d007794a 1421int cap_mmap_addr(unsigned long addr)
7c73875e
EP		 1422{
1423 int ret = 0;
1424
a2551df7 1425 if (addr < dac_mmap_min_addr) {
6a9de491 1426 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
c1a85a00 1427 CAP_OPT_NONE);
7c73875e
EP		 1428 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
1429 if (ret == 0)
1430 current->flags |= PF_SUPERPRIV;
1431 }
1432 return ret;
1433}
d007794a 1434
e5467859
AV		 1435int cap_mmap_file(struct file *file, unsigned long reqprot,
1436 unsigned long prot, unsigned long flags)
d007794a 1437{
e5467859 1438 return 0;
d007794a 1439}
b1d9e6b0
CS		 1440
1441#ifdef CONFIG_SECURITY
1442
d1c5947e 1443static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
b1d9e6b0
CS		 1444 LSM_HOOK_INIT(capable, cap_capable),
1445 LSM_HOOK_INIT(settime, cap_settime),
1446 LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
1447 LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
1448 LSM_HOOK_INIT(capget, cap_capget),
1449 LSM_HOOK_INIT(capset, cap_capset),
56305aa9 1450 LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file),
b1d9e6b0
CS		 1451 LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
1452 LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
8db6c34f 1453 LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
b1d9e6b0
CS		 1454 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
1455 LSM_HOOK_INIT(mmap_file, cap_mmap_file),
1456 LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
1457 LSM_HOOK_INIT(task_prctl, cap_task_prctl),
1458 LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
1459 LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
1460 LSM_HOOK_INIT(task_setnice, cap_task_setnice),
1461 LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
1462};
1463
d117a154 1464static int __init capability_init(void)
b1d9e6b0 1465{
d69dece5
CS		 1466 security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
1467 "capability");
d117a154 1468 return 0;
b1d9e6b0
CS		 1469}
1470
d117a154
KC		 1471DEFINE_LSM(capability) = {
1472 .name = "capability",
1473 .order = LSM_ORDER_FIRST,
1474 .init = capability_init,
1475};
1476
b1d9e6b0 1477#endif /* CONFIG_SECURITY */
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git