[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.suse / file-capabilities-add-file_caps-switch.diff

From: Andreas Gruenbacher <agruen@suse.de>
Subject: file capabilities: add file_caps switch

Based on a patch from Serge Hallyn <serue@us.ibm.com>:

Add a file_caps boot option when file capabilities are
compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y).

This allows distributions to ship a kernel with file capabilities
compiled in, without forcing users to use (and understand and
trust) them.

When file_caps=0 is specified at boot, then when a process executes
a file, any file capabilities stored with that file will not be
used in the calculation of the process' new capability sets.

This means that booting with the file_caps=0 boot option will
not be the same as booting a kernel with file capabilities
compiled out - in particular a task with  CAP_SETPCAP will not
have any chance of passing capabilities to another task (which
isn't "really" possible anyway, and which may soon by killed
altogether by David Howells in any case), and it will instead
be able to put new capabilities in its pI.  However since fI
will always be empty and pI is masked with fI, it gains the
task nothing.

We also support the extra prctl options, setting securebits and
dropping capabilities from the per-process bounding set.

The other remaining difference is that killpriv, task_setscheduler,
setioprio, and setnice will continue to be hooked.  That will
be noticable in the case where a root task changed its uid
while keeping some caps, and another task owned by the new uid
tries to change settings for the more privileged task.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

---
 Documentation/kernel-parameters.txt |    9 +++++++++
 include/linux/capability.h          |    3 +++
 kernel/capability.c                 |   11 +++++++++++
 security/commoncap.c                |    3 +++
 4 files changed, 26 insertions(+)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1403,6 +1403,15 @@ and is between 256 and 4096 characters.
 			instruction doesn't work correctly and not to
 			use it.
 
+	file_caps=	Tells the kernel whether to honor file capabilities.
+			When disabled, the only way then for a file to be
+			executed with privilege is to be setuid root or executed
+			by root.
+			Format: {"0" | "1"}
+			0 -- ignore file capabilities.
+			1 -- honor file capabilities.
+			Default value is 1.
+
 	nohalt		[IA-64] Tells the kernel not to use the power saving
 			function PAL_HALT_LIGHT when idle. This increases
 			power-consumption. On the positive side, it reduces
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -68,6 +68,9 @@ typedef struct __user_cap_data_struct {
 #define VFS_CAP_U32             VFS_CAP_U32_2
 #define VFS_CAP_REVISION	VFS_CAP_REVISION_2
 
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+extern int file_caps_enabled;
+#endif
 
 struct vfs_cap_data {
 	__le32 magic_etc;            /* Little endian */
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -33,6 +33,17 @@ EXPORT_SYMBOL(__cap_empty_set);
 EXPORT_SYMBOL(__cap_full_set);
 EXPORT_SYMBOL(__cap_init_eff_set);
 
+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
+int file_caps_enabled = 1;
+
+static int __init setup_file_caps(char *str)
+{
+	get_option(&str, &file_caps_enabled);
+	return 1;
+}
+__setup("file_caps=", setup_file_caps);
+#endif
+
 /*
  * More recent versions of libcap are available from:
  *
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -281,6 +281,9 @@ static int get_file_caps(struct linux_bi
 
 	bprm_clear_caps(bprm);
 
+	if (!file_caps_enabled)
+		return 0;
+
 	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
 		return 0;
Commit	Line	Data
6a930a95 BS	1	From: Andreas Gruenbacher <agruen@suse.de>
	2	Subject: file capabilities: add file_caps switch
	3
	4	Based on a patch from Serge Hallyn <serue@us.ibm.com>:
	5
	6	Add a file_caps boot option when file capabilities are
	7	compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y).
	8
	9	This allows distributions to ship a kernel with file capabilities
	10	compiled in, without forcing users to use (and understand and
	11	trust) them.
	12
	13	When file_caps=0 is specified at boot, then when a process executes
	14	a file, any file capabilities stored with that file will not be
	15	used in the calculation of the process' new capability sets.
	16
	17	This means that booting with the file_caps=0 boot option will
	18	not be the same as booting a kernel with file capabilities
	19	compiled out - in particular a task with CAP_SETPCAP will not
	20	have any chance of passing capabilities to another task (which
	21	isn't "really" possible anyway, and which may soon by killed
	22	altogether by David Howells in any case), and it will instead
	23	be able to put new capabilities in its pI. However since fI
	24	will always be empty and pI is masked with fI, it gains the
	25	task nothing.
	26
	27	We also support the extra prctl options, setting securebits and
	28	dropping capabilities from the per-process bounding set.
	29
	30	The other remaining difference is that killpriv, task_setscheduler,
	31	setioprio, and setnice will continue to be hooked. That will
	32	be noticable in the case where a root task changed its uid
	33	while keeping some caps, and another task owned by the new uid
	34	tries to change settings for the more privileged task.
	35
	36	Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
	37
	38	---
	39	Documentation/kernel-parameters.txt \| 9 +++++++++
	40	include/linux/capability.h \| 3 +++
	41	kernel/capability.c \| 11 +++++++++++
	42	security/commoncap.c \| 3 +++
	43	4 files changed, 26 insertions(+)
	44
	45	--- a/Documentation/kernel-parameters.txt
	46	+++ b/Documentation/kernel-parameters.txt
	47	@@ -1403,6 +1403,15 @@ and is between 256 and 4096 characters.
	48	instruction doesn't work correctly and not to
	49	use it.
	50
	51	+ file_caps= Tells the kernel whether to honor file capabilities.
	52	+ When disabled, the only way then for a file to be
	53	+ executed with privilege is to be setuid root or executed
	54	+ by root.
	55	+ Format: {"0" \| "1"}
	56	+ 0 -- ignore file capabilities.
	57	+ 1 -- honor file capabilities.
	58	+ Default value is 1.
	59	+
	60	nohalt [IA-64] Tells the kernel not to use the power saving
	61	function PAL_HALT_LIGHT when idle. This increases
	62	power-consumption. On the positive side, it reduces
	63	--- a/include/linux/capability.h
	64	+++ b/include/linux/capability.h
65	@@ -68,6 +68,9 @@ typedef struct __user_cap_data_struct {
66	#define VFS_CAP_U32 VFS_CAP_U32_2
67	#define VFS_CAP_REVISION VFS_CAP_REVISION_2
68
69	+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
70	+extern int file_caps_enabled;
71	+#endif
72
73	struct vfs_cap_data {
74	__le32 magic_etc; /* Little endian */
75	--- a/kernel/capability.c
76	+++ b/kernel/capability.c
77	@@ -33,6 +33,17 @@ EXPORT_SYMBOL(__cap_empty_set);
78	EXPORT_SYMBOL(__cap_full_set);
79	EXPORT_SYMBOL(__cap_init_eff_set);
80
81	+#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
82	+int file_caps_enabled = 1;
83	+
84	+static int __init setup_file_caps(char *str)
85	+{
86	+ get_option(&str, &file_caps_enabled);
87	+ return 1;
88	+}
89	+__setup("file_caps=", setup_file_caps);
90	+#endif
91	+
92	/*
93	* More recent versions of libcap are available from:
94	*
95	--- a/security/commoncap.c
96	+++ b/security/commoncap.c
97	@@ -281,6 +281,9 @@ static int get_file_caps(struct linux_bi
98
99	bprm_clear_caps(bprm);
100
101	+ if (!file_caps_enabled)
102	+ return 0;
103	+
104	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
105	return 0;
106