]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/capability-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #11827 from keszybz/pkgconfig-variables
[thirdparty/systemd.git] / src / basic / capability-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <errno.h>
4 #include <grp.h>
5 #include <stdio.h>
6 #include <stdlib.h>
7 #include <sys/capability.h>
8 #include <sys/prctl.h>
9 #include <unistd.h>
10
11 #include "alloc-util.h"
12 #include "capability-util.h"
13 #include "fileio.h"
14 #include "log.h"
15 #include "macro.h"
16 #include "missing_prctl.h"
17 #include "parse-util.h"
18 #include "user-util.h"
19 #include "util.h"
20
21 int have_effective_cap(int value) {
22 _cleanup_cap_free_ cap_t cap;
23 cap_flag_value_t fv;
24
25 cap = cap_get_proc();
26 if (!cap)
27 return -errno;
28
29 if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0)
30 return -errno;
31 else
32 return fv == CAP_SET;
33 }
34
35 unsigned long cap_last_cap(void) {
36 static thread_local unsigned long saved;
37 static thread_local bool valid = false;
38 _cleanup_free_ char *content = NULL;
39 unsigned long p = 0;
40 int r;
41
42 if (valid)
43 return saved;
44
45 /* available since linux-3.2 */
46 r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
47 if (r >= 0) {
48 r = safe_atolu(content, &p);
49 if (r >= 0) {
50 saved = p;
51 valid = true;
52 return p;
53 }
54 }
55
56 /* fall back to syscall-probing for pre linux-3.2 */
57 p = (unsigned long) CAP_LAST_CAP;
58
59 if (prctl(PR_CAPBSET_READ, p) < 0) {
60
61 /* Hmm, look downwards, until we find one that
62 * works */
63 for (p--; p > 0; p --)
64 if (prctl(PR_CAPBSET_READ, p) >= 0)
65 break;
66
67 } else {
68
69 /* Hmm, look upwards, until we find one that doesn't
70 * work */
71 for (;; p++)
72 if (prctl(PR_CAPBSET_READ, p+1) < 0)
73 break;
74 }
75
76 saved = p;
77 valid = true;
78
79 return p;
80 }
81
82 int capability_update_inherited_set(cap_t caps, uint64_t set) {
83 unsigned long i;
84
85 /* Add capabilities in the set to the inherited caps. Do not apply
86 * them yet. */
87
88 for (i = 0; i < cap_last_cap(); i++) {
89
90 if (set & (UINT64_C(1) << i)) {
91 cap_value_t v;
92
93 v = (cap_value_t) i;
94
95 /* Make the capability inheritable. */
96 if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
97 return -errno;
98 }
99 }
100
101 return 0;
102 }
103
104 int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
105 unsigned long i;
106 _cleanup_cap_free_ cap_t caps = NULL;
107
108 /* Add the capabilities to the ambient set. */
109
110 if (also_inherit) {
111 int r;
112 caps = cap_get_proc();
113 if (!caps)
114 return -errno;
115
116 r = capability_update_inherited_set(caps, set);
117 if (r < 0)
118 return -errno;
119
120 if (cap_set_proc(caps) < 0)
121 return -errno;
122 }
123
124 for (i = 0; i < cap_last_cap(); i++) {
125
126 if (set & (UINT64_C(1) << i)) {
127
128 /* Add the capability to the ambient set. */
129 if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
130 return -errno;
131 }
132 }
133
134 return 0;
135 }
136
137 int capability_bounding_set_drop(uint64_t keep, bool right_now) {
138 _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
139 cap_flag_value_t fv;
140 unsigned long i;
141 int r;
142
143 /* If we are run as PID 1 we will lack CAP_SETPCAP by default
144 * in the effective set (yes, the kernel drops that when
145 * executing init!), so get it back temporarily so that we can
146 * call PR_CAPBSET_DROP. */
147
148 before_cap = cap_get_proc();
149 if (!before_cap)
150 return -errno;
151
152 if (cap_get_flag(before_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0)
153 return -errno;
154
155 if (fv != CAP_SET) {
156 _cleanup_cap_free_ cap_t temp_cap = NULL;
157 static const cap_value_t v = CAP_SETPCAP;
158
159 temp_cap = cap_dup(before_cap);
160 if (!temp_cap)
161 return -errno;
162
163 if (cap_set_flag(temp_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0)
164 return -errno;
165
166 if (cap_set_proc(temp_cap) < 0)
167 log_debug_errno(errno, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
168
169 /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means
170 * we'll fail later, when we actually intend to drop some capabilities. */
171 }
172
173 after_cap = cap_dup(before_cap);
174 if (!after_cap)
175 return -errno;
176
177 for (i = 0; i <= cap_last_cap(); i++) {
178 cap_value_t v;
179
180 if ((keep & (UINT64_C(1) << i)))
181 continue;
182
183 /* Drop it from the bounding set */
184 if (prctl(PR_CAPBSET_DROP, i) < 0) {
185 r = -errno;
186
187 /* If dropping the capability failed, let's see if we didn't have it in the first place. If so,
188 * continue anyway, as dropping a capability we didn't have in the first place doesn't really
189 * matter anyway. */
190 if (prctl(PR_CAPBSET_READ, i) != 0)
191 goto finish;
192 }
193 v = (cap_value_t) i;
194
195 /* Also drop it from the inheritable set, so
196 * that anything we exec() loses the
197 * capability for good. */
198 if (cap_set_flag(after_cap, CAP_INHERITABLE, 1, &v, CAP_CLEAR) < 0) {
199 r = -errno;
200 goto finish;
201 }
202
203 /* If we shall apply this right now drop it
204 * also from our own capability sets. */
205 if (right_now) {
206 if (cap_set_flag(after_cap, CAP_PERMITTED, 1, &v, CAP_CLEAR) < 0 ||
207 cap_set_flag(after_cap, CAP_EFFECTIVE, 1, &v, CAP_CLEAR) < 0) {
208 r = -errno;
209 goto finish;
210 }
211 }
212 }
213
214 r = 0;
215
216 finish:
217 if (cap_set_proc(after_cap) < 0) {
218 /* If there are no actual changes anyway then let's ignore this error. */
219 if (cap_compare(before_cap, after_cap) != 0)
220 r = -errno;
221 }
222
223 return r;
224 }
225
226 static int drop_from_file(const char *fn, uint64_t keep) {
227 _cleanup_free_ char *p = NULL;
228 uint64_t current, after;
229 uint32_t hi, lo;
230 int r, k;
231
232 r = read_one_line_file(fn, &p);
233 if (r < 0)
234 return r;
235
236 assert_cc(sizeof(hi) == sizeof(unsigned));
237 assert_cc(sizeof(lo) == sizeof(unsigned));
238
239 k = sscanf(p, "%u %u", &lo, &hi);
240 if (k != 2)
241 return -EIO;
242
243 current = (uint64_t) lo | ((uint64_t) hi << 32ULL);
244 after = current & keep;
245
246 if (current == after)
247 return 0;
248
249 lo = (unsigned) (after & 0xFFFFFFFFULL);
250 hi = (unsigned) ((after >> 32ULL) & 0xFFFFFFFFULL);
251
252 return write_string_filef(fn, WRITE_STRING_FILE_CREATE, "%u %u", lo, hi);
253 }
254
255 int capability_bounding_set_drop_usermode(uint64_t keep) {
256 int r;
257
258 r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);
259 if (r < 0)
260 return r;
261
262 r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);
263 if (r < 0)
264 return r;
265
266 return r;
267 }
268
269 int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
270 _cleanup_cap_free_ cap_t d = NULL;
271 unsigned i, j = 0;
272 int r;
273
274 /* Unfortunately we cannot leave privilege dropping to PID 1
275 * here, since we want to run as user but want to keep some
276 * capabilities. Since file capabilities have been introduced
277 * this cannot be done across exec() anymore, unless our
278 * binary has the capability configured in the file system,
279 * which we want to avoid. */
280
281 if (setresgid(gid, gid, gid) < 0)
282 return log_error_errno(errno, "Failed to change group ID: %m");
283
284 r = maybe_setgroups(0, NULL);
285 if (r < 0)
286 return log_error_errno(r, "Failed to drop auxiliary groups list: %m");
287
288 /* Ensure we keep the permitted caps across the setresuid() */
289 if (prctl(PR_SET_KEEPCAPS, 1) < 0)
290 return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");
291
292 if (setresuid(uid, uid, uid) < 0)
293 return log_error_errno(errno, "Failed to change user ID: %m");
294
295 if (prctl(PR_SET_KEEPCAPS, 0) < 0)
296 return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");
297
298 /* Drop all caps from the bounding set, except the ones we want */
299 r = capability_bounding_set_drop(keep_capabilities, true);
300 if (r < 0)
301 return log_error_errno(r, "Failed to drop capabilities: %m");
302
303 /* Now upgrade the permitted caps we still kept to effective caps */
304 d = cap_init();
305 if (!d)
306 return log_oom();
307
308 if (keep_capabilities) {
309 cap_value_t bits[u64log2(keep_capabilities) + 1];
310
311 for (i = 0; i < ELEMENTSOF(bits); i++)
312 if (keep_capabilities & (1ULL << i))
313 bits[j++] = i;
314
315 /* use enough bits */
316 assert(i == 64 || (keep_capabilities >> i) == 0);
317 /* don't use too many bits */
318 assert(keep_capabilities & (1ULL << (i - 1)));
319
320 if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 ||
321 cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0)
322 return log_error_errno(errno, "Failed to enable capabilities bits: %m");
323
324 if (cap_set_proc(d) < 0)
325 return log_error_errno(errno, "Failed to increase capabilities: %m");
326 }
327
328 return 0;
329 }
330
331 int drop_capability(cap_value_t cv) {
332 _cleanup_cap_free_ cap_t tmp_cap = NULL;
333
334 tmp_cap = cap_get_proc();
335 if (!tmp_cap)
336 return -errno;
337
338 if ((cap_set_flag(tmp_cap, CAP_INHERITABLE, 1, &cv, CAP_CLEAR) < 0) ||
339 (cap_set_flag(tmp_cap, CAP_PERMITTED, 1, &cv, CAP_CLEAR) < 0) ||
340 (cap_set_flag(tmp_cap, CAP_EFFECTIVE, 1, &cv, CAP_CLEAR) < 0))
341 return -errno;
342
343 if (cap_set_proc(tmp_cap) < 0)
344 return -errno;
345
346 return 0;
347 }
348
349 bool ambient_capabilities_supported(void) {
350 static int cache = -1;
351
352 if (cache >= 0)
353 return cache;
354
355 /* If PR_CAP_AMBIENT returns something valid, or an unexpected error code we assume that ambient caps are
356 * available. */
357
358 cache = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_KILL, 0, 0) >= 0 ||
359 !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS);
360
361 return cache;
362 }
363
364 int capability_quintet_enforce(const CapabilityQuintet *q) {
365 _cleanup_cap_free_ cap_t c = NULL;
366 int r;
367
368 if (q->ambient != (uint64_t) -1) {
369 unsigned long i;
370 bool changed = false;
371
372 c = cap_get_proc();
373 if (!c)
374 return -errno;
375
376 /* In order to raise the ambient caps set we first need to raise the matching inheritable + permitted
377 * cap */
378 for (i = 0; i <= cap_last_cap(); i++) {
379 uint64_t m = UINT64_C(1) << i;
380 cap_value_t cv = (cap_value_t) i;
381 cap_flag_value_t old_value_inheritable, old_value_permitted;
382
383 if ((q->ambient & m) == 0)
384 continue;
385
386 if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value_inheritable) < 0)
387 return -errno;
388 if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value_permitted) < 0)
389 return -errno;
390
391 if (old_value_inheritable == CAP_SET && old_value_permitted == CAP_SET)
392 continue;
393
394 if (cap_set_flag(c, CAP_INHERITABLE, 1, &cv, CAP_SET) < 0)
395 return -errno;
396
397 if (cap_set_flag(c, CAP_PERMITTED, 1, &cv, CAP_SET) < 0)
398 return -errno;
399
400 changed = true;
401 }
402
403 if (changed)
404 if (cap_set_proc(c) < 0)
405 return -errno;
406
407 r = capability_ambient_set_apply(q->ambient, false);
408 if (r < 0)
409 return r;
410 }
411
412 if (q->inheritable != (uint64_t) -1 || q->permitted != (uint64_t) -1 || q->effective != (uint64_t) -1) {
413 bool changed = false;
414 unsigned long i;
415
416 if (!c) {
417 c = cap_get_proc();
418 if (!c)
419 return -errno;
420 }
421
422 for (i = 0; i <= cap_last_cap(); i++) {
423 uint64_t m = UINT64_C(1) << i;
424 cap_value_t cv = (cap_value_t) i;
425
426 if (q->inheritable != (uint64_t) -1) {
427 cap_flag_value_t old_value, new_value;
428
429 if (cap_get_flag(c, cv, CAP_INHERITABLE, &old_value) < 0)
430 return -errno;
431
432 new_value = (q->inheritable & m) ? CAP_SET : CAP_CLEAR;
433
434 if (old_value != new_value) {
435 changed = true;
436
437 if (cap_set_flag(c, CAP_INHERITABLE, 1, &cv, new_value) < 0)
438 return -errno;
439 }
440 }
441
442 if (q->permitted != (uint64_t) -1) {
443 cap_flag_value_t old_value, new_value;
444
445 if (cap_get_flag(c, cv, CAP_PERMITTED, &old_value) < 0)
446 return -errno;
447
448 new_value = (q->permitted & m) ? CAP_SET : CAP_CLEAR;
449
450 if (old_value != new_value) {
451 changed = true;
452
453 if (cap_set_flag(c, CAP_PERMITTED, 1, &cv, new_value) < 0)
454 return -errno;
455 }
456 }
457
458 if (q->effective != (uint64_t) -1) {
459 cap_flag_value_t old_value, new_value;
460
461 if (cap_get_flag(c, cv, CAP_EFFECTIVE, &old_value) < 0)
462 return -errno;
463
464 new_value = (q->effective & m) ? CAP_SET : CAP_CLEAR;
465
466 if (old_value != new_value) {
467 changed = true;
468
469 if (cap_set_flag(c, CAP_EFFECTIVE, 1, &cv, new_value) < 0)
470 return -errno;
471 }
472 }
473 }
474
475 if (changed)
476 if (cap_set_proc(c) < 0)
477 return -errno;
478 }
479
480 if (q->bounding != (uint64_t) -1) {
481 r = capability_bounding_set_drop(q->bounding, false);
482 if (r < 0)
483 return r;
484 }
485
486 return 0;
487 }
Unnamed repository; edit this file 'description' to name the repository.