1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include <linux/prctl.h>
9 #include "alloc-util.h"
12 #include "capability-util.h"
16 #include "logarithm.h"
17 #include "parse-util.h"
19 #include "process-util.h"
20 #include "stat-util.h"
21 #include "user-util.h"
23 int have_effective_cap(int value
) {
24 _cleanup_cap_free_ cap_t cap
= NULL
;
25 cap_flag_value_t fv
= CAP_CLEAR
; /* To avoid false-positive use-of-uninitialized-value error reported
32 if (cap_get_flag(cap
, value
, CAP_EFFECTIVE
, &fv
) < 0)
38 unsigned cap_last_cap(void) {
39 static atomic_int saved
= INT_MAX
;
46 /* Available since linux-3.2 */
47 _cleanup_free_
char *content
= NULL
;
48 r
= read_one_line_file("/proc/sys/kernel/cap_last_cap", &content
);
50 log_debug_errno(r
, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");
52 r
= safe_atoi(content
, &c
);
54 log_debug_errno(r
, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");
56 if (c
> CAP_LIMIT
) /* Safety for the future: if one day the kernel learns more than
57 * 64 caps, then we are in trouble (since we, as much userspace
58 * and kernel space store capability masks in uint64_t types). We
59 * also want to use UINT64_MAX as marker for "unset". Hence let's
60 * hence protect ourselves against that and always cap at 62 for
69 /* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
70 unsigned long p
= (unsigned long) MIN(CAP_LAST_CAP
, CAP_LIMIT
);
72 if (prctl(PR_CAPBSET_READ
, p
) < 0) {
74 /* Hmm, look downwards, until we find one that works */
76 if (prctl(PR_CAPBSET_READ
, p
) >= 0)
81 /* Hmm, look upwards, until we find one that doesn't work */
82 for (; p
< CAP_LIMIT
; p
++)
83 if (prctl(PR_CAPBSET_READ
, p
+1) < 0)
92 int capability_update_inherited_set(cap_t caps
, uint64_t set
) {
93 /* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
94 * Do not apply them yet. */
96 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
97 cap_flag_value_t flag
= set
& (UINT64_C(1) << i
) ? CAP_SET
: CAP_CLEAR
;
102 if (cap_set_flag(caps
, CAP_INHERITABLE
, 1, &v
, flag
) < 0)
109 int capability_ambient_set_apply(uint64_t set
, bool also_inherit
) {
110 _cleanup_cap_free_ cap_t caps
= NULL
;
113 /* Remove capabilities requested in ambient set, but not in the bounding set */
114 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
115 if (!BIT_SET(set
, i
))
118 if (prctl(PR_CAPBSET_READ
, (unsigned long) i
) != 1) {
119 log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
120 capability_to_name(i
));
125 /* Add the capabilities to the ambient set (an possibly also the inheritable set) */
128 caps
= cap_get_proc();
132 r
= capability_update_inherited_set(caps
, set
);
136 if (cap_set_proc(caps
) < 0)
140 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
141 if (BIT_SET(set
, i
)) {
142 /* Add the capability to the ambient set. */
143 if (prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_RAISE
, i
, 0, 0) < 0)
146 /* Drop the capability so we don't inherit capabilities we didn't ask for. */
147 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, i
, 0, 0);
151 if (prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_LOWER
, i
, 0, 0) < 0)
159 int capability_gain_cap_setpcap(cap_t
*ret_before_caps
) {
160 _cleanup_cap_free_ cap_t caps
= NULL
;
162 caps
= cap_get_proc();
166 if (cap_get_flag(caps
, CAP_SETPCAP
, CAP_EFFECTIVE
, &fv
) < 0)
170 _cleanup_cap_free_ cap_t temp_cap
= NULL
;
171 static const cap_value_t v
= CAP_SETPCAP
;
173 temp_cap
= cap_dup(caps
);
177 if (cap_set_flag(temp_cap
, CAP_EFFECTIVE
, 1, &v
, CAP_SET
) < 0)
180 if (cap_set_proc(temp_cap
) < 0)
181 log_debug_errno(errno
, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
183 /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means
184 * we'll fail later, when we actually intend to drop some capabilities or try to set securebits. */
187 /* Return the capabilities as they have been before setting CAP_SETPCAP */
188 *ret_before_caps
= TAKE_PTR(caps
);
193 int capability_bounding_set_drop(uint64_t keep
, bool right_now
) {
194 _cleanup_cap_free_ cap_t before_cap
= NULL
, after_cap
= NULL
;
197 /* If we are run as PID 1 we will lack CAP_SETPCAP by default
198 * in the effective set (yes, the kernel drops that when
199 * executing init!), so get it back temporarily so that we can
200 * call PR_CAPBSET_DROP. */
202 r
= capability_gain_cap_setpcap(&before_cap
);
206 after_cap
= cap_dup(before_cap
);
210 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
213 if ((keep
& (UINT64_C(1) << i
)))
216 /* Drop it from the bounding set */
217 if (prctl(PR_CAPBSET_DROP
, i
) < 0) {
220 /* If dropping the capability failed, let's see if we didn't have it in the first place. If so,
221 * continue anyway, as dropping a capability we didn't have in the first place doesn't really
223 if (prctl(PR_CAPBSET_READ
, i
) != 0)
228 /* Also drop it from the inheritable set, so
229 * that anything we exec() loses the
230 * capability for good. */
231 if (cap_set_flag(after_cap
, CAP_INHERITABLE
, 1, &v
, CAP_CLEAR
) < 0) {
236 /* If we shall apply this right now drop it
237 * also from our own capability sets. */
239 if (cap_set_flag(after_cap
, CAP_PERMITTED
, 1, &v
, CAP_CLEAR
) < 0 ||
240 cap_set_flag(after_cap
, CAP_EFFECTIVE
, 1, &v
, CAP_CLEAR
) < 0) {
250 if (cap_set_proc(after_cap
) < 0) {
251 /* If there are no actual changes anyway then let's ignore this error. */
252 if (cap_compare(before_cap
, after_cap
) != 0)
259 static int drop_from_file(const char *fn
, uint64_t keep
) {
260 _cleanup_free_
char *p
= NULL
;
261 uint64_t current
, after
;
265 r
= read_one_line_file(fn
, &p
);
269 k
= sscanf(p
, "%" PRIu32
" %" PRIu32
, &lo
, &hi
);
273 current
= (uint64_t) lo
| ((uint64_t) hi
<< 32);
274 after
= current
& keep
;
276 if (current
== after
)
279 lo
= after
& UINT32_MAX
;
280 hi
= (after
>> 32) & UINT32_MAX
;
282 return write_string_filef(fn
, 0, "%" PRIu32
" %" PRIu32
, lo
, hi
);
285 int capability_bounding_set_drop_usermode(uint64_t keep
) {
288 r
= drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep
);
292 r
= drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep
);
299 int drop_privileges(uid_t uid
, gid_t gid
, uint64_t keep_capabilities
) {
302 /* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
303 * want to keep some capabilities. Since file capabilities have been introduced this cannot be done
304 * across exec() anymore, unless our binary has the capability configured in the file system, which
305 * we want to avoid. */
307 if (setresgid(gid
, gid
, gid
) < 0)
308 return log_error_errno(errno
, "Failed to change group ID: %m");
310 r
= maybe_setgroups(0, NULL
);
312 return log_error_errno(r
, "Failed to drop auxiliary groups list: %m");
314 /* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
315 * don't want to keep any capabilities, since we want to be able to drop them from the bounding set
316 * too, and we can only do that if we have capabilities. */
317 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
318 return log_error_errno(errno
, "Failed to enable keep capabilities flag: %m");
320 if (setresuid(uid
, uid
, uid
) < 0)
321 return log_error_errno(errno
, "Failed to change user ID: %m");
323 if (prctl(PR_SET_KEEPCAPS
, 0) < 0)
324 return log_error_errno(errno
, "Failed to disable keep capabilities flag: %m");
326 /* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
327 * the ones we want to keep */
328 r
= capability_bounding_set_drop(keep_capabilities
, true);
330 return log_error_errno(r
, "Failed to drop capabilities: %m");
332 /* Now upgrade the permitted caps we still kept to effective caps */
333 if (keep_capabilities
!= 0) {
334 cap_value_t bits
[log2u64(keep_capabilities
) + 1];
335 _cleanup_cap_free_ cap_t d
= NULL
;
342 for (i
= 0; i
< ELEMENTSOF(bits
); i
++)
343 if (keep_capabilities
& (1ULL << i
))
346 /* use enough bits */
347 assert(i
== 64 || (keep_capabilities
>> i
) == 0);
348 /* don't use too many bits */
349 assert(keep_capabilities
& (UINT64_C(1) << (i
- 1)));
351 if (cap_set_flag(d
, CAP_EFFECTIVE
, j
, bits
, CAP_SET
) < 0 ||
352 cap_set_flag(d
, CAP_PERMITTED
, j
, bits
, CAP_SET
) < 0)
353 return log_error_errno(errno
, "Failed to enable capabilities bits: %m");
355 if (cap_set_proc(d
) < 0)
356 return log_error_errno(errno
, "Failed to increase capabilities: %m");
362 static int change_capability(cap_value_t cv
, cap_flag_value_t flag
) {
363 _cleanup_cap_free_ cap_t tmp_cap
= NULL
;
365 tmp_cap
= cap_get_proc();
369 if ((cap_set_flag(tmp_cap
, CAP_INHERITABLE
, 1, &cv
, flag
) < 0) ||
370 (cap_set_flag(tmp_cap
, CAP_PERMITTED
, 1, &cv
, flag
) < 0) ||
371 (cap_set_flag(tmp_cap
, CAP_EFFECTIVE
, 1, &cv
, flag
) < 0))
374 if (cap_set_proc(tmp_cap
) < 0)
380 int drop_capability(cap_value_t cv
) {
381 return change_capability(cv
, CAP_CLEAR
);
384 int keep_capability(cap_value_t cv
) {
385 return change_capability(cv
, CAP_SET
);
388 bool capability_quintet_mangle(CapabilityQuintet
*q
) {
389 uint64_t combined
, drop
= 0;
393 combined
= q
->effective
| q
->bounding
| q
->inheritable
| q
->permitted
| q
->ambient
;
395 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
396 if (!BIT_SET(combined
, i
))
399 if (prctl(PR_CAPBSET_READ
, (unsigned long) i
) > 0)
404 log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i
));
407 q
->effective
&= ~drop
;
408 q
->bounding
&= ~drop
;
409 q
->inheritable
&= ~drop
;
410 q
->permitted
&= ~drop
;
413 return drop
!= 0; /* Let the caller know we changed something */
416 int capability_quintet_enforce(const CapabilityQuintet
*q
) {
417 _cleanup_cap_free_ cap_t c
= NULL
, modified
= NULL
;
420 if (q
->ambient
!= CAP_MASK_UNSET
) {
421 bool changed
= false;
427 /* In order to raise the ambient caps set we first need to raise the matching
428 * inheritable + permitted cap */
429 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
430 uint64_t m
= UINT64_C(1) << i
;
431 cap_value_t cv
= (cap_value_t
) i
;
432 cap_flag_value_t old_value_inheritable
, old_value_permitted
;
434 if ((q
->ambient
& m
) == 0)
437 if (cap_get_flag(c
, cv
, CAP_INHERITABLE
, &old_value_inheritable
) < 0)
439 if (cap_get_flag(c
, cv
, CAP_PERMITTED
, &old_value_permitted
) < 0)
442 if (old_value_inheritable
== CAP_SET
&& old_value_permitted
== CAP_SET
)
445 if (cap_set_flag(c
, CAP_INHERITABLE
, 1, &cv
, CAP_SET
) < 0)
447 if (cap_set_flag(c
, CAP_PERMITTED
, 1, &cv
, CAP_SET
) < 0)
454 if (cap_set_proc(c
) < 0)
457 r
= capability_ambient_set_apply(q
->ambient
, false);
462 if (q
->inheritable
!= CAP_MASK_UNSET
|| q
->permitted
!= CAP_MASK_UNSET
|| q
->effective
!= CAP_MASK_UNSET
) {
463 bool changed
= false;
471 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
472 uint64_t m
= UINT64_C(1) << i
;
473 cap_value_t cv
= (cap_value_t
) i
;
475 if (q
->inheritable
!= CAP_MASK_UNSET
) {
476 cap_flag_value_t old_value
, new_value
;
478 if (cap_get_flag(c
, cv
, CAP_INHERITABLE
, &old_value
) < 0) {
479 if (errno
== EINVAL
) /* If the kernel knows more caps than this
480 * version of libcap, then this will return
481 * EINVAL. In that case, simply ignore it,
482 * pretend it doesn't exist. */
488 new_value
= (q
->inheritable
& m
) ? CAP_SET
: CAP_CLEAR
;
490 if (old_value
!= new_value
) {
493 if (cap_set_flag(c
, CAP_INHERITABLE
, 1, &cv
, new_value
) < 0)
498 if (q
->permitted
!= CAP_MASK_UNSET
) {
499 cap_flag_value_t old_value
, new_value
;
501 if (cap_get_flag(c
, cv
, CAP_PERMITTED
, &old_value
) < 0) {
508 new_value
= (q
->permitted
& m
) ? CAP_SET
: CAP_CLEAR
;
510 if (old_value
!= new_value
) {
513 if (cap_set_flag(c
, CAP_PERMITTED
, 1, &cv
, new_value
) < 0)
518 if (q
->effective
!= CAP_MASK_UNSET
) {
519 cap_flag_value_t old_value
, new_value
;
521 if (cap_get_flag(c
, cv
, CAP_EFFECTIVE
, &old_value
) < 0) {
528 new_value
= (q
->effective
& m
) ? CAP_SET
: CAP_CLEAR
;
530 if (old_value
!= new_value
) {
533 if (cap_set_flag(c
, CAP_EFFECTIVE
, 1, &cv
, new_value
) < 0)
540 /* In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
541 * longer. Let's add it to our list hence for now. */
542 if (q
->bounding
!= CAP_MASK_UNSET
) {
543 cap_value_t cv
= CAP_SETPCAP
;
545 modified
= cap_dup(c
);
549 if (cap_set_flag(modified
, CAP_PERMITTED
, 1, &cv
, CAP_SET
) < 0)
551 if (cap_set_flag(modified
, CAP_EFFECTIVE
, 1, &cv
, CAP_SET
) < 0)
554 if (cap_compare(modified
, c
) == 0) {
555 /* No change? then drop this nonsense again */
561 /* Now, let's enforce the caps for the first time. Note that this is where we acquire
562 * caps in any of the sets we currently don't have. We have to do this before
563 * dropping the bounding caps below, since at that point we can never acquire new
564 * caps in inherited/permitted/effective anymore, but only lose them. */
565 if (cap_set_proc(modified
?: c
) < 0)
570 if (q
->bounding
!= CAP_MASK_UNSET
) {
571 r
= capability_bounding_set_drop(q
->bounding
, false);
576 /* If needed, let's now set the caps again, this time in the final version, which differs from what
577 * we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
578 * bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
581 if (cap_set_proc(c
) < 0)
587 int capability_get_ambient(uint64_t *ret
) {
593 for (unsigned i
= 0; i
<= cap_last_cap(); i
++) {
594 r
= prctl(PR_CAP_AMBIENT
, PR_CAP_AMBIENT_IS_SET
, i
, 0, 0);
605 int pidref_get_capability(const PidRef
*pidref
, CapabilityQuintet
*ret
) {
608 if (!pidref_is_set(pidref
))
610 if (pidref_is_remote(pidref
))
613 const char *path
= procfs_file_alloca(pidref
->pid
, "status");
614 _cleanup_fclose_
FILE *f
= fopen(path
, "re");
616 if (errno
== ENOENT
&& proc_mounted() == 0)
622 CapabilityQuintet q
= CAPABILITY_QUINTET_NULL
;
624 _cleanup_free_
char *line
= NULL
;
626 r
= read_line(f
, LONG_LINE_MAX
, &line
);
632 static const struct {
636 { "CapBnd:", offsetof(CapabilityQuintet
, bounding
) },
637 { "CapInh:", offsetof(CapabilityQuintet
, inheritable
) },
638 { "CapPrm:", offsetof(CapabilityQuintet
, permitted
) },
639 { "CapEff:", offsetof(CapabilityQuintet
, effective
) },
640 { "CapAmb:", offsetof(CapabilityQuintet
, ambient
) },
643 FOREACH_ELEMENT(i
, fields
) {
645 const char *p
= first_word(line
, i
->field
);
649 uint64_t *v
= (uint64_t*) ((uint8_t*) &q
+ i
->offset
);
651 if (*v
!= CAP_MASK_UNSET
)
654 r
= safe_atoux64(p
, v
);
658 if (*v
== CAP_MASK_UNSET
)
663 if (!capability_quintet_is_fully_set(&q
))
666 r
= pidref_verify(pidref
);