[thirdparty/systemd.git] / src / basic / capability-util.h

/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once

#include <stdbool.h>
#include <stdint.h>
#include <sys/capability.h>
#include <sys/types.h>

#include "macro.h"
#include "missing_capability.h"
#include "util.h"

#define CAP_ALL (uint64_t) -1

unsigned long cap_last_cap(void);
int have_effective_cap(int value);
int capability_bounding_set_drop(uint64_t keep, bool right_now);
int capability_bounding_set_drop_usermode(uint64_t keep);

int capability_ambient_set_apply(uint64_t set, bool also_inherit);
int capability_update_inherited_set(cap_t caps, uint64_t ambient_set);

int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities);

int drop_capability(cap_value_t cv);

DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free);
#define _cleanup_cap_free_ _cleanup_(cap_freep)

static inline void cap_free_charpp(char **p) {
        if (*p)
                cap_free(*p);
}
#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp)

static inline uint64_t all_capabilities(void) {
        return UINT64_MAX >> (63 - cap_last_cap());
}

static inline bool cap_test_all(uint64_t caps) {
        return FLAGS_SET(caps, all_capabilities());
}

bool ambient_capabilities_supported(void);

/* Identical to linux/capability.h's CAP_TO_MASK(), but uses an unsigned 1U instead of a signed 1 for shifting left, in
 * order to avoid complaints about shifting a signed int left by 31 bits, which would make it negative. */
#define CAP_TO_MASK_CORRECTED(x) (1U << ((x) & 31U))

typedef struct CapabilityQuintet {
        /* Stores all five types of capabilities in one go. Note that we use (uint64_t) -1 for unset here. This hence
         * needs to be updated as soon as Linux learns more than 63 caps. */
        uint64_t effective;
        uint64_t bounding;
        uint64_t inheritable;
        uint64_t permitted;
        uint64_t ambient;
} CapabilityQuintet;

assert_cc(CAP_LAST_CAP < 64);

#define CAPABILITY_QUINTET_NULL { (uint64_t) -1, (uint64_t) -1, (uint64_t) -1, (uint64_t) -1, (uint64_t) -1 }

static inline bool capability_quintet_is_set(const CapabilityQuintet *q) {
        return q->effective != (uint64_t) -1 ||
                q->bounding != (uint64_t) -1 ||
                q->inheritable != (uint64_t) -1 ||
                q->permitted != (uint64_t) -1 ||
                q->ambient != (uint64_t) -1;
}

/* Mangles the specified caps quintet taking the current bounding set into account:
 * drops all caps from all five sets if our bounding set doesn't allow them.
 * Returns true if the quintet was modified. */
bool capability_quintet_mangle(CapabilityQuintet *q);

int capability_quintet_enforce(const CapabilityQuintet *q);
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
05d3a176	2	#pragma once
7f110ff9	3
ec8927ca	4	#include <stdbool.h>
11c3a366	5	#include <stdint.h>
5ce70e5b	6	#include <sys/capability.h>
11c3a366	7	#include <sys/types.h>
5ce70e5b	8
11c3a366	9	#include "macro.h"
36dd5ffd	10	#include "missing_capability.h"
5ce70e5b	11	#include "util.h"
ec8927ca	12
a103496c IP	13	#define CAP_ALL (uint64_t) -1
a103496c IP	14
d7832d2c KS	15	unsigned long cap_last_cap(void);
d7832d2c KS	16	int have_effective_cap(int value);
a103496c IP	17	int capability_bounding_set_drop(uint64_t keep, bool right_now);
a103496c IP	18	int capability_bounding_set_drop_usermode(uint64_t keep);
5ce70e5b	19
755d4b67 IP	20	int capability_ambient_set_apply(uint64_t set, bool also_inherit);
	21	int capability_update_inherited_set(cap_t caps, uint64_t ambient_set);
	22
45afd519	23	int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities);
966bff26	24
dd5ae4c3 PK	25	int drop_capability(cap_value_t cv);
dd5ae4c3 PK	26
5ce70e5b ZJS	27	DEFINE_TRIVIAL_CLEANUP_FUNC(cap_t, cap_free);
	28	#define _cleanup_cap_free_ _cleanup_(cap_freep)
	29
	30	static inline void cap_free_charpp(char **p) {
	31	if (*p)
	32	cap_free(*p);
	33	}
	34	#define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp)
a103496c	35
c8a79aa8 LP	36	static inline uint64_t all_capabilities(void) {
	37	return UINT64_MAX >> (63 - cap_last_cap());
	38	}
	39
a103496c	40	static inline bool cap_test_all(uint64_t caps) {
c8a79aa8	41	return FLAGS_SET(caps, all_capabilities());
a103496c	42	}
39f608e4 LP	43
39f608e4 LP	44	bool ambient_capabilities_supported(void);
5f00c568 LP	45
	46	/* Identical to linux/capability.h's CAP_TO_MASK(), but uses an unsigned 1U instead of a signed 1 for shifting left, in
	47	* order to avoid complaints about shifting a signed int left by 31 bits, which would make it negative. */
	48	#define CAP_TO_MASK_CORRECTED(x) (1U << ((x) & 31U))
d7391698 LP	49
	50	typedef struct CapabilityQuintet {
	51	/* Stores all five types of capabilities in one go. Note that we use (uint64_t) -1 for unset here. This hence
	52	* needs to be updated as soon as Linux learns more than 63 caps. */
	53	uint64_t effective;
	54	uint64_t bounding;
	55	uint64_t inheritable;
	56	uint64_t permitted;
	57	uint64_t ambient;
	58	} CapabilityQuintet;
	59
	60	assert_cc(CAP_LAST_CAP < 64);
	61
	62	#define CAPABILITY_QUINTET_NULL { (uint64_t) -1, (uint64_t) -1, (uint64_t) -1, (uint64_t) -1, (uint64_t) -1 }
	63
	64	static inline bool capability_quintet_is_set(const CapabilityQuintet *q) {
	65	return q->effective != (uint64_t) -1 \|\|
	66	q->bounding != (uint64_t) -1 \|\|
	67	q->inheritable != (uint64_t) -1 \|\|
	68	q->permitted != (uint64_t) -1 \|\|
	69	q->ambient != (uint64_t) -1;
	70	}
	71
f66ad460 AZ	72	/* Mangles the specified caps quintet taking the current bounding set into account:
	73	* drops all caps from all five sets if our bounding set doesn't allow them.
	74	* Returns true if the quintet was modified. */
	75	bool capability_quintet_mangle(CapabilityQuintet *q);
	76
d7391698	77	int capability_quintet_enforce(const CapabilityQuintet *q);