1 | From: Andreas Gruenbacher <agruen@suse.de> |
2 | Subject: file capabilities: add file_caps switch | |
3 | ||
4 | Based on a patch from Serge Hallyn <serue@us.ibm.com>: | |
5 | ||
6 | Add a file_caps boot option when file capabilities are | |
7 | compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y). | |
8 | ||
9 | This allows distributions to ship a kernel with file capabilities | |
10 | compiled in, without forcing users to use (and understand and | |
11 | trust) them. | |
12 | ||
13 | When file_caps=0 is specified at boot, then when a process executes | |
14 | a file, any file capabilities stored with that file will not be | |
15 | used in the calculation of the process' new capability sets. | |
16 | ||
17 | This means that booting with the file_caps=0 boot option will | |
18 | not be the same as booting a kernel with file capabilities | |
19 | compiled out - in particular a task with CAP_SETPCAP will not | |
20 | have any chance of passing capabilities to another task (which | |
21 | isn't "really" possible anyway, and which may soon be killed | |
22 | altogether by David Howells in any case), and it will instead | |
23 | be able to put new capabilities in its pI. However since fI | |
24 | will always be empty and pI is masked with fI, it gains the | |
25 | task nothing. | |
26 | ||
27 | We also support the extra prctl options, setting securebits and | |
28 | dropping capabilities from the per-process bounding set. | |
29 | ||
30 | The other remaining difference is that killpriv, task_setscheduler, | |
31 | setioprio, and setnice will continue to be hooked. That will | |
32 | be noticable in the case where a root task changed its uid | |
33 | while keeping some caps, and another task owned by the new uid | |
34 | tries to change settings for the more privileged task. | |
35 | ||
36 | Signed-off-by: Andreas Gruenbacher <agruen@suse.de> | |
37 | ||
38 | --- | |
39 | Documentation/kernel-parameters.txt | 9 +++++++++ | |
40 | include/linux/capability.h | 3 +++ | |
41 | kernel/capability.c | 11 +++++++++++ | |
42 | security/commoncap.c | 3 +++ | |
43 | 4 files changed, 26 insertions(+) | |
44 | ||
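--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1403,6 +1403,15 @@ and is between 256 and 4096 characters.
 instruction doesn't work correctly and not to
 use it.
 
+ file_caps= Tells the kernel whether to honor file capabilities.
+ When disabled, the only way then for a file to be
+ executed with privilege is to be setuid root or executed
+ by root.
+ Format: {"0" | "1"}
+ 0 -- ignore file capabilities.
+ 1 -- honor file capabilities.
+ Default value is 1.
+
 nohalt [IA-64] Tells the kernel not to use the power saving
 function PAL_HALT_LIGHT when idle. This increases
 power-consumption. On the positive side, it reduces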
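--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -68,6 +68,9 @@ typedef struct __user_cap_data_struct {
 #define VFS_CAP_U32 VFS_CAP_U32_2
 #define VFS_CAP_REVISION VFS_CAP_REVISION_2
 
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+extern int file_caps_enabled;
+#endif
 
 struct vfs_cap_data {
 __le32 magic_etc; /* Little endian */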
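Review bot: The new `extern int file_caps_enabled;` in capability.h carries no comment, so a reader of the header cannot tell what the value means or where it comes from; add `/* file_caps= boot option: 1 = honor file capabilities, 0 = ignore them */` above the declaration. The definition with its default of 1 and the __setup handler that writes it live in kernel/capability.c in the same commit, which is worth naming in that comment so the two stay in sync.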
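--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -33,6 +33,17 @@ EXPORT_SYMBOL(__cap_empty_set);
 EXPORT_SYMBOL(__cap_full_set);
 EXPORT_SYMBOL(__cap_init_eff_set);
 
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+int file_caps_enabled = 1;
+
+static int __init setup_file_caps(char *str)
+{
+ get_option(&str, &file_caps_enabled);
+ return 1;
+}
+__setup("file_caps=", setup_file_caps);
+#endif
+
 /*
 * More recent versions of libcap are available from:
 *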
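Review bot: setup_file_caps() writes whatever get_option() produced straight into file_caps_enabled without checking its return value or the range, so a value outside the documented {"0" | "1"} is accepted, and if get_option() assigns the simple_strtol() result even when no digits were consumed (as lib/cmdline.c of this era appears to), a non-numeric typo such as `file_caps=yes` silently becomes 0 and turns file capabilities off instead of being rejected. Parse into a temporary and keep the safe default unless the value is one of the documented ones: `int val;` / `if (get_option(&str, &val) && (val == 0 || val == 1))` / `file_caps_enabled = val;`, and consider a printk when the option is ignored or when it disables file capabilities so the choice is visible in the boot log. A short comment on `int file_caps_enabled = 1;` naming the boot option and that 1 means honor file capabilities would also help, since the header exports it with no documentation.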
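--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -281,6 +281,9 @@ static int get_file_caps(struct linux_bi
 
 bprm_clear_caps(bprm);
 
+ if (!file_caps_enabled)
+ return 0;
+
 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
 return 0;
 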
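Review bot: The added `if (!file_caps_enabled) return 0;` sits between bprm_clear_caps() and the MNT_NOSUID check with nothing saying why it must come after the clear; a one-line comment such as `/* file_caps=0: caps already cleared above, never consult the binary's capability xattr */` would make the ordering and the intent clear to the next reader. Unlike the declaration and definition in the other two hunks, this use of file_caps_enabled is not visibly guarded by CONFIG_SECURITY_FILE_CAPABILITIES; if get_file_caps() is not itself compiled only under that option, the build breaks with it off, which is worth confirming against the surrounding #ifdef structure. get_file_caps() starts outside the hunk.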