Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/kernel/capability.c
10814 views
1
/*

2
 * linux/kernel/capability.c

3
 *

4
 * Copyright (C) 1997  Andrew Main <[email protected]>

5
 *

6
 * Integrated into 2.1.97+,  Andrew G. Morgan <[email protected]>

7
 * 30 May 2002:	Cleanup, Robert M. Love <[email protected]>

8
 */

9


10
#include <linux/audit.h>

11
#include <linux/capability.h>

12
#include <linux/mm.h>

13
#include <linux/module.h>

14
#include <linux/security.h>

15
#include <linux/syscalls.h>

16
#include <linux/pid_namespace.h>

17
#include <linux/user_namespace.h>

18
#include <asm/uaccess.h>

19


20
/*

21
 * Leveraged for setting/resetting capabilities

22
 */

23


24
const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;

25


26
EXPORT_SYMBOL(__cap_empty_set);

27


28
int file_caps_enabled = 1;

29


30
static int __init file_caps_disable(char *str)

31
{

32
	file_caps_enabled = 0;

33
	return 1;

34
}

35
__setup("no_file_caps", file_caps_disable);

36


37
/*

38
 * More recent versions of libcap are available from:

39
 *

40
 *   http://www.kernel.org/pub/linux/libs/security/linux-privs/

41
 */

42


43
static void warn_legacy_capability_use(void)

44
{

45
	static int warned;

46
	if (!warned) {

47
		char name[sizeof(current->comm)];

48


49
		printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"

50
		       " (legacy support in use)\n",

51
		       get_task_comm(name, current));

52
		warned = 1;

53
	}

54
}

55


56
/*

57
 * Version 2 capabilities worked fine, but the linux/capability.h file

58
 * that accompanied their introduction encouraged their use without

59
 * the necessary user-space source code changes. As such, we have

60
 * created a version 3 with equivalent functionality to version 2, but

61
 * with a header change to protect legacy source code from using

62
 * version 2 when it wanted to use version 1. If your system has code

63
 * that trips the following warning, it is using version 2 specific

64
 * capabilities and may be doing so insecurely.

65
 *

66
 * The remedy is to either upgrade your version of libcap (to 2.10+,

67
 * if the application is linked against it), or recompile your

68
 * application with modern kernel headers and this warning will go

69
 * away.

70
 */

71


72
static void warn_deprecated_v2(void)

73
{

74
	static int warned;

75


76
	if (!warned) {

77
		char name[sizeof(current->comm)];

78


79
		printk(KERN_INFO "warning: `%s' uses deprecated v2"

80
		       " capabilities in a way that may be insecure.\n",

81
		       get_task_comm(name, current));

82
		warned = 1;

83
	}

84
}

85


86
/*

87
 * Version check. Return the number of u32s in each capability flag

88
 * array, or a negative value on error.

89
 */

90
static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)

91
{

92
	__u32 version;

93


94
	if (get_user(version, &header->version))

95
		return -EFAULT;

96


97
	switch (version) {

98
	case _LINUX_CAPABILITY_VERSION_1:

99
		warn_legacy_capability_use();

100
		*tocopy = _LINUX_CAPABILITY_U32S_1;

101
		break;

102
	case _LINUX_CAPABILITY_VERSION_2:

103
		warn_deprecated_v2();

104
		/*

105
		 * fall through - v3 is otherwise equivalent to v2.

106
		 */

107
	case _LINUX_CAPABILITY_VERSION_3:

108
		*tocopy = _LINUX_CAPABILITY_U32S_3;

109
		break;

110
	default:

111
		if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))

112
			return -EFAULT;

113
		return -EINVAL;

114
	}

115


116
	return 0;

117
}

118


119
/*

120
 * The only thing that can change the capabilities of the current

121
 * process is the current process. As such, we can't be in this code

122
 * at the same time as we are in the process of setting capabilities

123
 * in this process. The net result is that we can limit our use of

124
 * locks to when we are reading the caps of another process.

125
 */

126
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,

127
				     kernel_cap_t *pIp, kernel_cap_t *pPp)

128
{

129
	int ret;

130


131
	if (pid && (pid != task_pid_vnr(current))) {

132
		struct task_struct *target;

133


134
		rcu_read_lock();

135


136
		target = find_task_by_vpid(pid);

137
		if (!target)

138
			ret = -ESRCH;

139
		else

140
			ret = security_capget(target, pEp, pIp, pPp);

141


142
		rcu_read_unlock();

143
	} else

144
		ret = security_capget(current, pEp, pIp, pPp);

145


146
	return ret;

147
}

148


149
/**

150
 * sys_capget - get the capabilities of a given process.

151
 * @header: pointer to struct that contains capability version and

152
 *	target pid data

153
 * @dataptr: pointer to struct that contains the effective, permitted,

154
 *	and inheritable capabilities that are returned

155
 *

156
 * Returns 0 on success and < 0 on error.

157
 */

158
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)

159
{

160
	int ret = 0;

161
	pid_t pid;

162
	unsigned tocopy;

163
	kernel_cap_t pE, pI, pP;

164


165
	ret = cap_validate_magic(header, &tocopy);

166
	if ((dataptr == NULL) || (ret != 0))

167
		return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;

168


169
	if (get_user(pid, &header->pid))

170
		return -EFAULT;

171


172
	if (pid < 0)

173
		return -EINVAL;

174


175
	ret = cap_get_target_pid(pid, &pE, &pI, &pP);

176
	if (!ret) {

177
		struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];

178
		unsigned i;

179


180
		for (i = 0; i < tocopy; i++) {

181
			kdata[i].effective = pE.cap[i];

182
			kdata[i].permitted = pP.cap[i];

183
			kdata[i].inheritable = pI.cap[i];

184
		}

185


186
		/*

187
		 * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,

188
		 * we silently drop the upper capabilities here. This

189
		 * has the effect of making older libcap

190
		 * implementations implicitly drop upper capability

191
		 * bits when they perform a: capget/modify/capset

192
		 * sequence.

193
		 *

194
		 * This behavior is considered fail-safe

195
		 * behavior. Upgrading the application to a newer

196
		 * version of libcap will enable access to the newer

197
		 * capabilities.

198
		 *

199
		 * An alternative would be to return an error here

200
		 * (-ERANGE), but that causes legacy applications to

201
		 * unexpectidly fail; the capget/modify/capset aborts

202
		 * before modification is attempted and the application

203
		 * fails.

204
		 */

205
		if (copy_to_user(dataptr, kdata, tocopy

206
				 * sizeof(struct __user_cap_data_struct))) {

207
			return -EFAULT;

208
		}

209
	}

210


211
	return ret;

212
}

213


214
/**

215
 * sys_capset - set capabilities for a process or (*) a group of processes

216
 * @header: pointer to struct that contains capability version and

217
 *	target pid data

218
 * @data: pointer to struct that contains the effective, permitted,

219
 *	and inheritable capabilities

220
 *

221
 * Set capabilities for the current process only.  The ability to any other

222
 * process(es) has been deprecated and removed.

223
 *

224
 * The restrictions on setting capabilities are specified as:

225
 *

226
 * I: any raised capabilities must be a subset of the old permitted

227
 * P: any raised capabilities must be a subset of the old permitted

228
 * E: must be set to a subset of new permitted

229
 *

230
 * Returns 0 on success and < 0 on error.

231
 */

232
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)

233
{

234
	struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];

235
	unsigned i, tocopy, copybytes;

236
	kernel_cap_t inheritable, permitted, effective;

237
	struct cred *new;

238
	int ret;

239
	pid_t pid;

240


241
	ret = cap_validate_magic(header, &tocopy);

242
	if (ret != 0)

243
		return ret;

244


245
	if (get_user(pid, &header->pid))

246
		return -EFAULT;

247


248
	/* may only affect current now */

249
	if (pid != 0 && pid != task_pid_vnr(current))

250
		return -EPERM;

251


252
	copybytes = tocopy * sizeof(struct __user_cap_data_struct);

253
	if (copybytes > sizeof(kdata))

254
		return -EFAULT;

255


256
	if (copy_from_user(&kdata, data, copybytes))

257
		return -EFAULT;

258


259
	for (i = 0; i < tocopy; i++) {

260
		effective.cap[i] = kdata[i].effective;

261
		permitted.cap[i] = kdata[i].permitted;

262
		inheritable.cap[i] = kdata[i].inheritable;

263
	}

264
	while (i < _KERNEL_CAPABILITY_U32S) {

265
		effective.cap[i] = 0;

266
		permitted.cap[i] = 0;

267
		inheritable.cap[i] = 0;

268
		i++;

269
	}

270


271
	new = prepare_creds();

272
	if (!new)

273
		return -ENOMEM;

274


275
	ret = security_capset(new, current_cred(),

276
			      &effective, &inheritable, &permitted);

277
	if (ret < 0)

278
		goto error;

279


280
	audit_log_capset(pid, new, current_cred());

281


282
	return commit_creds(new);

283


284
error:

285
	abort_creds(new);

286
	return ret;

287
}

288


289
/**

290
 * has_capability - Does a task have a capability in init_user_ns

291
 * @t: The task in question

292
 * @cap: The capability to be tested for

293
 *

294
 * Return true if the specified task has the given superior capability

295
 * currently in effect to the initial user namespace, false if not.

296
 *

297
 * Note that this does not set PF_SUPERPRIV on the task.

298
 */

299
bool has_capability(struct task_struct *t, int cap)

300
{

301
	int ret = security_real_capable(t, &init_user_ns, cap);

302


303
	return (ret == 0);

304
}

305


306
/**

307
 * has_capability - Does a task have a capability in a specific user ns

308
 * @t: The task in question

309
 * @ns: target user namespace

310
 * @cap: The capability to be tested for

311
 *

312
 * Return true if the specified task has the given superior capability

313
 * currently in effect to the specified user namespace, false if not.

314
 *

315
 * Note that this does not set PF_SUPERPRIV on the task.

316
 */

317
bool has_ns_capability(struct task_struct *t,

318
		       struct user_namespace *ns, int cap)

319
{

320
	int ret = security_real_capable(t, ns, cap);

321


322
	return (ret == 0);

323
}

324


325
/**

326
 * has_capability_noaudit - Does a task have a capability (unaudited)

327
 * @t: The task in question

328
 * @cap: The capability to be tested for

329
 *

330
 * Return true if the specified task has the given superior capability

331
 * currently in effect to init_user_ns, false if not.  Don't write an

332
 * audit message for the check.

333
 *

334
 * Note that this does not set PF_SUPERPRIV on the task.

335
 */

336
bool has_capability_noaudit(struct task_struct *t, int cap)

337
{

338
	int ret = security_real_capable_noaudit(t, &init_user_ns, cap);

339


340
	return (ret == 0);

341
}

342


343
/**

344
 * capable - Determine if the current task has a superior capability in effect

345
 * @cap: The capability to be tested for

346
 *

347
 * Return true if the current task has the given superior capability currently

348
 * available for use, false if not.

349
 *

350
 * This sets PF_SUPERPRIV on the task if the capability is available on the

351
 * assumption that it's about to be used.

352
 */

353
bool capable(int cap)

354
{

355
	return ns_capable(&init_user_ns, cap);

356
}

357
EXPORT_SYMBOL(capable);

358


359
/**

360
 * ns_capable - Determine if the current task has a superior capability in effect

361
 * @ns:  The usernamespace we want the capability in

362
 * @cap: The capability to be tested for

363
 *

364
 * Return true if the current task has the given superior capability currently

365
 * available for use, false if not.

366
 *

367
 * This sets PF_SUPERPRIV on the task if the capability is available on the

368
 * assumption that it's about to be used.

369
 */

370
bool ns_capable(struct user_namespace *ns, int cap)

371
{

372
	if (unlikely(!cap_valid(cap))) {

373
		printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);

374
		BUG();

375
	}

376


377
	if (security_capable(ns, current_cred(), cap) == 0) {

378
		current->flags |= PF_SUPERPRIV;

379
		return true;

380
	}

381
	return false;

382
}

383
EXPORT_SYMBOL(ns_capable);

384


385
/**

386
 * task_ns_capable - Determine whether current task has a superior

387
 * capability targeted at a specific task's user namespace.

388
 * @t: The task whose user namespace is targeted.

389
 * @cap: The capability in question.

390
 *

391
 *  Return true if it does, false otherwise.

392
 */

393
bool task_ns_capable(struct task_struct *t, int cap)

394
{

395
	return ns_capable(task_cred_xxx(t, user)->user_ns, cap);

396
}

397
EXPORT_SYMBOL(task_ns_capable);

398


399
/**

400
 * nsown_capable - Check superior capability to one's own user_ns

401
 * @cap: The capability in question

402
 *

403
 * Return true if the current task has the given superior capability

404
 * targeted at its own user namespace.

405
 */

406
bool nsown_capable(int cap)

407
{

408
	return ns_capable(current_user_ns(), cap);

409
}

410


411