1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
10 #include "alloc-util.h"
11 #include "capability-util.h"
15 #include "logarithm.h"
17 #include "missing_prctl.h"
18 #include "missing_threads.h"
19 #include "parse-util.h"
20 #include "user-util.h"
22 int have_effective_cap(int value
) {
23 _cleanup_cap_free_ cap_t cap
= NULL
;
24 cap_flag_value_t fv
= CAP_CLEAR
; /* To avoid false-positive use-of-uninitialized-value error reported
31 if (cap_get_flag(cap
, value
, CAP_EFFECTIVE
, &fv
) < 0)
37 unsigned cap_last_cap(void) {
38 static atomic_int saved
= INT_MAX
;
45 /* Available since linux-3.2 */
46 _cleanup_free_
char *content
= NULL
;
47 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
49 log_debug_errno(r
, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");
51 r
= safe_atoi(content
, &c
);
53 log_debug_errno(r
, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");
55 if (c
> CAP_LIMIT
) /* Safety for the future: if one day the kernel learns more than
56 * 64 caps, then we are in trouble (since we, as much userspace
57 * and kernel space store capability masks in uint64_t types). We
58 * also want to use UINT64_MAX as marker for "unset". Hence let's
59 * hence protect ourselves against that and always cap at 62 for
68 /* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
69 unsigned long p
= (unsigned long) MIN(CAP_LAST_CAP
, CAP_LIMIT
);
71 if (prctl(PR_CAPBSET_READ
, p
) < 0) {
73 /* Hmm, look downwards, until we find one that works */
75 if (prctl(PR_CAPBSET_READ
, p
) >= 0)
80 /* Hmm, look upwards, until we find one that doesn't work */
81 for (; p
< CAP_LIMIT
; p
++)
82 if (prctl(PR_CAPBSET_READ
, p
+1) < 0)
91 int capability_update_inherited_set(cap_t caps
, uint64_t set
) {
92 /* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
93 * Do not apply them yet. */
95 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
96 cap_flag_value_t flag
= set
& (UINT64_C(1) << i
) ? CAP_SET
: CAP_CLEAR
;
101 if (cap_set_flag(caps
, CAP_INHERITABLE
, 1, &v
, flag
) < 0)
108 int capability_ambient_set_apply(uint64_t set
, bool also_inherit
) {
109 _cleanup_cap_free_ cap_t caps
= NULL
;
112 /* Remove capabilities requested in ambient set, but not in the bounding set */
113 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
117 if (FLAGS_SET(set
, (UINT64_C(1) << i
)) && prctl(PR_CAPBSET_READ
, i
) != 1) {
118 log_debug("Ambient capability %s requested but missing from bounding set,"
119 " suppressing automatically.", capability_to_name(i
));
120 set
&= ~(UINT64_C(1) << i
);
124 /* Add the capabilities to the ambient set (an possibly also the inheritable set) */
126 /* Check that we can use PR_CAP_AMBIENT or quit early. */
127 if (!ambient_capabilities_supported())
128 return (set
& all_capabilities()) == 0 ?
129 0 : -EOPNOTSUPP
; /* if actually no ambient caps are to be set, be silent,
130 * otherwise fail recognizably */
133 caps
= cap_get_proc();
137 r
= capability_update_inherited_set(caps
, set
);
141 if (cap_set_proc(caps
) < 0)
145 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
147 if (set
& (UINT64_C(1) << i
)) {
149 /* Add the capability to the ambient set. */
150 if (prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_RAISE
, i
, 0, 0) < 0)
154 /* Drop the capability so we don't inherit capabilities we didn't ask for. */
155 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, i
, 0, 0);
160 if (prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_LOWER
, i
, 0, 0) < 0)
169 int capability_gain_cap_setpcap(cap_t
*ret_before_caps
) {
170 _cleanup_cap_free_ cap_t caps
= NULL
;
172 caps
= cap_get_proc();
176 if (cap_get_flag(caps
, CAP_SETPCAP
, CAP_EFFECTIVE
, &fv
) < 0)
180 _cleanup_cap_free_ cap_t temp_cap
= NULL
;
181 static const cap_value_t v
= CAP_SETPCAP
;
183 temp_cap
= cap_dup(caps
);
187 if (cap_set_flag(temp_cap
, CAP_EFFECTIVE
, 1, &v
, CAP_SET
) < 0)
190 if (cap_set_proc(temp_cap
) < 0)
191 log_debug_errno(errno
, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
193 /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means
194 * we'll fail later, when we actually intend to drop some capabilities or try to set securebits. */
197 /* Return the capabilities as they have been before setting CAP_SETPCAP */
198 *ret_before_caps
= TAKE_PTR(caps
);
203 int capability_bounding_set_drop(uint64_t keep
, bool right_now
) {
204 _cleanup_cap_free_ cap_t before_cap
= NULL
, after_cap
= NULL
;
207 /* If we are run as PID 1 we will lack CAP_SETPCAP by default
208 * in the effective set (yes, the kernel drops that when
209 * executing init!), so get it back temporarily so that we can
210 * call PR_CAPBSET_DROP. */
212 r
= capability_gain_cap_setpcap(&before_cap
);
216 after_cap
= cap_dup(before_cap
);
220 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
223 if ((keep
& (UINT64_C(1) << i
)))
226 /* Drop it from the bounding set */
227 if (prctl(PR_CAPBSET_DROP
, i
) < 0) {
230 /* If dropping the capability failed, let's see if we didn't have it in the first place. If so,
231 * continue anyway, as dropping a capability we didn't have in the first place doesn't really
233 if (prctl(PR_CAPBSET_READ
, i
) != 0)
238 /* Also drop it from the inheritable set, so
239 * that anything we exec() loses the
240 * capability for good. */
241 if (cap_set_flag(after_cap
, CAP_INHERITABLE
, 1, &v
, CAP_CLEAR
) < 0) {
246 /* If we shall apply this right now drop it
247 * also from our own capability sets. */
249 if (cap_set_flag(after_cap
, CAP_PERMITTED
, 1, &v
, CAP_CLEAR
) < 0 ||
250 cap_set_flag(after_cap
, CAP_EFFECTIVE
, 1, &v
, CAP_CLEAR
) < 0) {
260 if (cap_set_proc(after_cap
) < 0) {
261 /* If there are no actual changes anyway then let's ignore this error. */
262 if (cap_compare(before_cap
, after_cap
) != 0)
269 static int drop_from_file(const char *fn
, uint64_t keep
) {
270 _cleanup_free_
char *p
= NULL
;
271 uint64_t current
, after
;
275 r
= read_one_line_file(fn
, &p
);
279 k
= sscanf(p
, "%" PRIu32
" %" PRIu32
, &lo
, &hi
);
283 current
= (uint64_t) lo
| ((uint64_t) hi
<< 32);
284 after
= current
& keep
;
286 if (current
== after
)
289 lo
= after
& UINT32_MAX
;
290 hi
= (after
>> 32) & UINT32_MAX
;
292 return write_string_filef(fn
, 0, "%" PRIu32
" %" PRIu32
, lo
, hi
);
295 int capability_bounding_set_drop_usermode(uint64_t keep
) {
298 r
= drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep
);
302 r
= drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep
);
309 int drop_privileges(uid_t uid
, gid_t gid
, uint64_t keep_capabilities
) {
312 /* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
313 * want to keep some capabilities. Since file capabilities have been introduced this cannot be done
314 * across exec() anymore, unless our binary has the capability configured in the file system, which
315 * we want to avoid. */
317 if (setresgid(gid
, gid
, gid
) < 0)
318 return log_error_errno(errno
, "Failed to change group ID: %m");
320 r
= maybe_setgroups(0, NULL
);
322 return log_error_errno(r
, "Failed to drop auxiliary groups list: %m");
324 /* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
325 * don't want to keep any capabilities, since we want to be able to drop them from the bounding set
326 * too, and we can only do that if we have capabilities. */
327 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
328 return log_error_errno(errno
, "Failed to enable keep capabilities flag: %m");
330 if (setresuid(uid
, uid
, uid
) < 0)
331 return log_error_errno(errno
, "Failed to change user ID: %m");
333 if (prctl(PR_SET_KEEPCAPS
, 0) < 0)
334 return log_error_errno(errno
, "Failed to disable keep capabilities flag: %m");
336 /* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
337 * the ones we want to keep */
338 r
= capability_bounding_set_drop(keep_capabilities
, true);
340 return log_error_errno(r
, "Failed to drop capabilities: %m");
342 /* Now upgrade the permitted caps we still kept to effective caps */
343 if (keep_capabilities
!= 0) {
344 cap_value_t bits
[log2u64(keep_capabilities
) + 1];
345 _cleanup_cap_free_ cap_t d
= NULL
;
352 for (i
= 0; i
< ELEMENTSOF(bits
); i
++)
353 if (keep_capabilities
& (1ULL << i
))
356 /* use enough bits */
357 assert(i
== 64 || (keep_capabilities
>> i
) == 0);
358 /* don't use too many bits */
359 assert(keep_capabilities
& (UINT64_C(1) << (i
- 1)));
361 if (cap_set_flag(d
, CAP_EFFECTIVE
, j
, bits
, CAP_SET
) < 0 ||
362 cap_set_flag(d
, CAP_PERMITTED
, j
, bits
, CAP_SET
) < 0)
363 return log_error_errno(errno
, "Failed to enable capabilities bits: %m");
365 if (cap_set_proc(d
) < 0)
366 return log_error_errno(errno
, "Failed to increase capabilities: %m");
372 static int change_capability(cap_value_t cv
, cap_flag_value_t flag
) {
373 _cleanup_cap_free_ cap_t tmp_cap
= NULL
;
375 tmp_cap
= cap_get_proc();
379 if ((cap_set_flag(tmp_cap
, CAP_INHERITABLE
, 1, &cv
, flag
) < 0) ||
380 (cap_set_flag(tmp_cap
, CAP_PERMITTED
, 1, &cv
, flag
) < 0) ||
381 (cap_set_flag(tmp_cap
, CAP_EFFECTIVE
, 1, &cv
, flag
) < 0))
384 if (cap_set_proc(tmp_cap
) < 0)
390 int drop_capability(cap_value_t cv
) {
391 return change_capability(cv
, CAP_CLEAR
);
394 int keep_capability(cap_value_t cv
) {
395 return change_capability(cv
, CAP_SET
);
398 bool ambient_capabilities_supported(void) {
399 static int cache
= -1;
404 /* If PR_CAP_AMBIENT returns something valid, or an unexpected error code we assume that ambient caps are
407 cache
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, CAP_KILL
, 0, 0) >= 0 ||
408 !IN_SET(errno
, EINVAL
, EOPNOTSUPP
, ENOSYS
);
413 bool capability_quintet_mangle(CapabilityQuintet
*q
) {
414 uint64_t combined
, drop
= 0;
415 bool ambient_supported
;
419 combined
= q
->effective
| q
->bounding
| q
->inheritable
| q
->permitted
;
421 ambient_supported
= q
->ambient
!= CAP_MASK_UNSET
;
422 if (ambient_supported
)
423 combined
|= q
->ambient
;
425 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
426 unsigned long bit
= UINT64_C(1) << i
;
427 if (!FLAGS_SET(combined
, bit
))
430 if (prctl(PR_CAPBSET_READ
, i
) > 0)
435 log_debug("Not in the current bounding set: %s", capability_to_name(i
));
438 q
->effective
&= ~drop
;
439 q
->bounding
&= ~drop
;
440 q
->inheritable
&= ~drop
;
441 q
->permitted
&= ~drop
;
443 if (ambient_supported
)
446 return drop
!= 0; /* Let the caller know we changed something */
449 int capability_quintet_enforce(const CapabilityQuintet
*q
) {
450 _cleanup_cap_free_ cap_t c
= NULL
, modified
= NULL
;
453 if (q
->ambient
!= CAP_MASK_UNSET
) {
454 bool changed
= false;
460 /* In order to raise the ambient caps set we first need to raise the matching
461 * inheritable + permitted cap */
462 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
463 uint64_t m
= UINT64_C(1) << i
;
464 cap_value_t cv
= (cap_value_t
) i
;
465 cap_flag_value_t old_value_inheritable
, old_value_permitted
;
467 if ((q
->ambient
& m
) == 0)
470 if (cap_get_flag(c
, cv
, CAP_INHERITABLE
, &old_value_inheritable
) < 0)
472 if (cap_get_flag(c
, cv
, CAP_PERMITTED
, &old_value_permitted
) < 0)
475 if (old_value_inheritable
== CAP_SET
&& old_value_permitted
== CAP_SET
)
478 if (cap_set_flag(c
, CAP_INHERITABLE
, 1, &cv
, CAP_SET
) < 0)
480 if (cap_set_flag(c
, CAP_PERMITTED
, 1, &cv
, CAP_SET
) < 0)
487 if (cap_set_proc(c
) < 0)
490 r
= capability_ambient_set_apply(q
->ambient
, false);
495 if (q
->inheritable
!= CAP_MASK_UNSET
|| q
->permitted
!= CAP_MASK_UNSET
|| q
->effective
!= CAP_MASK_UNSET
) {
496 bool changed
= false;
504 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
505 uint64_t m
= UINT64_C(1) << i
;
506 cap_value_t cv
= (cap_value_t
) i
;
508 if (q
->inheritable
!= CAP_MASK_UNSET
) {
509 cap_flag_value_t old_value
, new_value
;
511 if (cap_get_flag(c
, cv
, CAP_INHERITABLE
, &old_value
) < 0) {
512 if (errno
== EINVAL
) /* If the kernel knows more caps than this
513 * version of libcap, then this will return
514 * EINVAL. In that case, simply ignore it,
515 * pretend it doesn't exist. */
521 new_value
= (q
->inheritable
& m
) ? CAP_SET
: CAP_CLEAR
;
523 if (old_value
!= new_value
) {
526 if (cap_set_flag(c
, CAP_INHERITABLE
, 1, &cv
, new_value
) < 0)
531 if (q
->permitted
!= CAP_MASK_UNSET
) {
532 cap_flag_value_t old_value
, new_value
;
534 if (cap_get_flag(c
, cv
, CAP_PERMITTED
, &old_value
) < 0) {
541 new_value
= (q
->permitted
& m
) ? CAP_SET
: CAP_CLEAR
;
543 if (old_value
!= new_value
) {
546 if (cap_set_flag(c
, CAP_PERMITTED
, 1, &cv
, new_value
) < 0)
551 if (q
->effective
!= CAP_MASK_UNSET
) {
552 cap_flag_value_t old_value
, new_value
;
554 if (cap_get_flag(c
, cv
, CAP_EFFECTIVE
, &old_value
) < 0) {
561 new_value
= (q
->effective
& m
) ? CAP_SET
: CAP_CLEAR
;
563 if (old_value
!= new_value
) {
566 if (cap_set_flag(c
, CAP_EFFECTIVE
, 1, &cv
, new_value
) < 0)
573 /* In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
574 * longer. Let's add it to our list hence for now. */
575 if (q
->bounding
!= CAP_MASK_UNSET
) {
576 cap_value_t cv
= CAP_SETPCAP
;
578 modified
= cap_dup(c
);
582 if (cap_set_flag(modified
, CAP_PERMITTED
, 1, &cv
, CAP_SET
) < 0)
584 if (cap_set_flag(modified
, CAP_EFFECTIVE
, 1, &cv
, CAP_SET
) < 0)
587 if (cap_compare(modified
, c
) == 0) {
588 /* No change? then drop this nonsense again */
594 /* Now, let's enforce the caps for the first time. Note that this is where we acquire
595 * caps in any of the sets we currently don't have. We have to do this before
596 * dropping the bounding caps below, since at that point we can never acquire new
597 * caps in inherited/permitted/effective anymore, but only lose them. */
598 if (cap_set_proc(modified
?: c
) < 0)
603 if (q
->bounding
!= CAP_MASK_UNSET
) {
604 r
= capability_bounding_set_drop(q
->bounding
, false);
609 /* If needed, let's now set the caps again, this time in the final version, which differs from what
610 * we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
611 * bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
614 if (cap_set_proc(c
) < 0)
620 int capability_get_ambient(uint64_t *ret
) {
626 if (!ambient_capabilities_supported()) {
631 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
632 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, i
, 0, 0);
637 a
|= UINT64_C(1) << i
;