kernel/capability.c

   1 /*
   2  * linux/kernel/capability.c
   3  *
   4  * Copyright (C) 1997  Andrew Main <zefram@fysh.org>
   5  *
   6  * Integrated into 2.1.97+,  Andrew G. Morgan <morgan@kernel.org>
   7  * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
   8  */
   9
  10 #include <linux/audit.h>
  11 #include <linux/capability.h>
  12 #include <linux/mm.h>
  13 #include <linux/module.h>
  14 #include <linux/security.h>
  15 #include <linux/syscalls.h>
  16 #include <linux/pid_namespace.h>
  17 #include <asm/uaccess.h>
  18
  19 /*
  20  * This lock protects task->cap_* for all tasks including current.
  21  * Locking rule: acquire this prior to tasklist_lock.
  22  */
  23 static DEFINE_SPINLOCK(task_capability_lock);
  24
  25 /*
  26  * Leveraged for setting/resetting capabilities
  27  */
  28
  29 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
  30 const kernel_cap_t __cap_full_set = CAP_FULL_SET;
  31 const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
  32
  33 EXPORT_SYMBOL(__cap_empty_set);
  34 EXPORT_SYMBOL(__cap_full_set);
  35 EXPORT_SYMBOL(__cap_init_eff_set);
  36
  37 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
  38 int file_caps_enabled = 1;
  39
  40 static int __init file_caps_disable(char *str)
  41 {
  42         file_caps_enabled = 0;
  43         return 1;
  44 }
  45 __setup("no_file_caps", file_caps_disable);
  46 #endif
  47
  48 /*
  49  * More recent versions of libcap are available from:
  50  *
  51  *   http://www.kernel.org/pub/linux/libs/security/linux-privs/
  52  */
  53
  54 static void warn_legacy_capability_use(void)
  55 {
  56         static int warned;
  57         if (!warned) {
  58                 char name[sizeof(current->comm)];
  59
  60                 printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
  61                        " (legacy support in use)\n",
  62                        get_task_comm(name, current));
  63                 warned = 1;
  64         }
  65 }
  66
  67 /*
  68  * Version 2 capabilities worked fine, but the linux/capability.h file
  69  * that accompanied their introduction encouraged their use without
  70  * the necessary user-space source code changes. As such, we have
  71  * created a version 3 with equivalent functionality to version 2, but
  72  * with a header change to protect legacy source code from using
  73  * version 2 when it wanted to use version 1. If your system has code
  74  * that trips the following warning, it is using version 2 specific
  75  * capabilities and may be doing so insecurely.
  76  *
  77  * The remedy is to either upgrade your version of libcap (to 2.10+,
  78  * if the application is linked against it), or recompile your
  79  * application with modern kernel headers and this warning will go
  80  * away.
  81  */
  82
  83 static void warn_deprecated_v2(void)
  84 {
  85         static int warned;
  86
  87         if (!warned) {
  88                 char name[sizeof(current->comm)];
  89
  90                 printk(KERN_INFO "warning: `%s' uses deprecated v2"
  91                        " capabilities in a way that may be insecure.\n",
  92                        get_task_comm(name, current));
  93                 warned = 1;
  94         }
  95 }
  96
  97 /*
  98  * Version check. Return the number of u32s in each capability flag
  99  * array, or a negative value on error.
 100  */
 101 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
 102 {
 103         __u32 version;
 104
 105         if (get_user(version, &header->version))
 106                 return -EFAULT;
 107
 108         switch (version) {
 109         case _LINUX_CAPABILITY_VERSION_1:
 110                 warn_legacy_capability_use();
 111                 *tocopy = _LINUX_CAPABILITY_U32S_1;
 112                 break;
 113         case _LINUX_CAPABILITY_VERSION_2:
 114                 warn_deprecated_v2();
 115                 /*
 116                  * fall through - v3 is otherwise equivalent to v2.
 117                  */
 118         case _LINUX_CAPABILITY_VERSION_3:
 119                 *tocopy = _LINUX_CAPABILITY_U32S_3;
 120                 break;
 121         default:
 122                 if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
 123                         return -EFAULT;
 124                 return -EINVAL;
 125         }
 126
 127         return 0;
 128 }
 129
 130 #ifndef CONFIG_SECURITY_FILE_CAPABILITIES
 131
 132 /*
 133  * Without filesystem capability support, we nominally support one process
 134  * setting the capabilities of another
 135  */
 136 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
 137                                      kernel_cap_t *pIp, kernel_cap_t *pPp)
 138 {
 139         struct task_struct *target;
 140         int ret;
 141
 142         spin_lock(&task_capability_lock);
 143         read_lock(&tasklist_lock);
 144
 145         if (pid && pid != task_pid_vnr(current)) {
 146                 target = find_task_by_vpid(pid);
 147                 if (!target) {
 148                         ret = -ESRCH;
 149                         goto out;
 150                 }
 151         } else
 152                 target = current;
 153
 154         ret = security_capget(target, pEp, pIp, pPp);
 155
 156 out:
 157         read_unlock(&tasklist_lock);
 158         spin_unlock(&task_capability_lock);
 159
 160         return ret;
 161 }
 162
 163 /*
 164  * cap_set_pg - set capabilities for all processes in a given process
 165  * group.  We call this holding task_capability_lock and tasklist_lock.
 166  */
 167 static inline int cap_set_pg(int pgrp_nr, kernel_cap_t *effective,
 168                              kernel_cap_t *inheritable,
 169                              kernel_cap_t *permitted)
 170 {
 171         struct task_struct *g, *target;
 172         int ret = -EPERM;
 173         int found = 0;
 174         struct pid *pgrp;
 175
 176         spin_lock(&task_capability_lock);
 177         read_lock(&tasklist_lock);
 178
 179         pgrp = find_vpid(pgrp_nr);
 180         do_each_pid_task(pgrp, PIDTYPE_PGID, g) {
 181                 target = g;
 182                 while_each_thread(g, target) {
 183                         if (!security_capset_check(target, effective,
 184                                                    inheritable, permitted)) {
 185                                 security_capset_set(target, effective,
 186                                                     inheritable, permitted);
 187                                 ret = 0;
 188                         }
 189                         found = 1;
 190                 }
 191         } while_each_pid_task(pgrp, PIDTYPE_PGID, g);
 192
 193         read_unlock(&tasklist_lock);
 194         spin_unlock(&task_capability_lock);
 195
 196         if (!found)
 197                 ret = 0;
 198         return ret;
 199 }
 200
 201 /*
 202  * cap_set_all - set capabilities for all processes other than init
 203  * and self.  We call this holding task_capability_lock and tasklist_lock.
 204  */
 205 static inline int cap_set_all(kernel_cap_t *effective,
 206                               kernel_cap_t *inheritable,
 207                               kernel_cap_t *permitted)
 208 {
 209         struct task_struct *g, *target;
 210         int ret = -EPERM;
 211         int found = 0;
 212
 213         spin_lock(&task_capability_lock);
 214         read_lock(&tasklist_lock);
 215
 216         do_each_thread(g, target) {
 217                 if (target == current
 218                     || is_container_init(target->group_leader))
 219                         continue;
 220                 found = 1;
 221                 if (security_capset_check(target, effective, inheritable,
 222                                           permitted))
 223                         continue;
 224                 ret = 0;
 225                 security_capset_set(target, effective, inheritable, permitted);
 226         } while_each_thread(g, target);
 227
 228         read_unlock(&tasklist_lock);
 229         spin_unlock(&task_capability_lock);
 230
 231         if (!found)
 232                 ret = 0;
 233
 234         return ret;
 235 }
 236
 237 /*
 238  * Given the target pid does not refer to the current process we
 239  * need more elaborate support... (This support is not present when
 240  * filesystem capabilities are configured.)
 241  */
 242 static inline int do_sys_capset_other_tasks(pid_t pid, kernel_cap_t *effective,
 243                                             kernel_cap_t *inheritable,
 244                                             kernel_cap_t *permitted)
 245 {
 246         struct task_struct *target;
 247         int ret;
 248
 249         if (!capable(CAP_SETPCAP))
 250                 return -EPERM;
 251
 252         if (pid == -1)            /* all procs other than current and init */
 253                 return cap_set_all(effective, inheritable, permitted);
 254
 255         else if (pid < 0)                    /* all procs in process group */
 256                 return cap_set_pg(-pid, effective, inheritable, permitted);
 257
 258         /* target != current */
 259         spin_lock(&task_capability_lock);
 260         read_lock(&tasklist_lock);
 261
 262         target = find_task_by_vpid(pid);
 263         if (!target)
 264                 ret = -ESRCH;
 265         else {
 266                 ret = security_capset_check(target, effective, inheritable,
 267                                             permitted);
 268
 269                 /* having verified that the proposed changes are legal,
 270                    we now put them into effect. */
 271                 if (!ret)
 272                         security_capset_set(target, effective, inheritable,
 273                                             permitted);
 274         }
 275
 276         read_unlock(&tasklist_lock);
 277         spin_unlock(&task_capability_lock);
 278
 279         return ret;
 280 }
 281
 282 #else /* ie., def CONFIG_SECURITY_FILE_CAPABILITIES */
 283
 284 /*
 285  * If we have configured with filesystem capability support, then the
 286  * only thing that can change the capabilities of the current process
 287  * is the current process. As such, we can't be in this code at the
 288  * same time as we are in the process of setting capabilities in this
 289  * process. The net result is that we can limit our use of locks to
 290  * when we are reading the caps of another process.
 291  */
 292 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
 293                                      kernel_cap_t *pIp, kernel_cap_t *pPp)
 294 {
 295         int ret;
 296
 297         if (pid && (pid != task_pid_vnr(current))) {
 298                 struct task_struct *target;
 299
 300                 spin_lock(&task_capability_lock);
 301                 read_lock(&tasklist_lock);
 302
 303                 target = find_task_by_vpid(pid);
 304                 if (!target)
 305                         ret = -ESRCH;
 306                 else
 307                         ret = security_capget(target, pEp, pIp, pPp);
 308
 309                 read_unlock(&tasklist_lock);
 310                 spin_unlock(&task_capability_lock);
 311         } else
 312                 ret = security_capget(current, pEp, pIp, pPp);
 313
 314         return ret;
 315 }
 316
 317 /*
 318  * With filesystem capability support configured, the kernel does not
 319  * permit the changing of capabilities in one process by another
 320  * process. (CAP_SETPCAP has much less broad semantics when configured
 321  * this way.)
 322  */
 323 static inline int do_sys_capset_other_tasks(pid_t pid,
 324                                             kernel_cap_t *effective,
 325                                             kernel_cap_t *inheritable,
 326                                             kernel_cap_t *permitted)
 327 {
 328         return -EPERM;
 329 }
 330
 331 #endif /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
 332
 333 /*
 334  * Atomically modify the effective capabilities returning the original
 335  * value. No permission check is performed here - it is assumed that the
 336  * caller is permitted to set the desired effective capabilities.
 337  */
 338 kernel_cap_t cap_set_effective(const kernel_cap_t pE_new)
 339 {
 340         kernel_cap_t pE_old;
 341
 342         spin_lock(&task_capability_lock);
 343
 344         pE_old = current->cap_effective;
 345         current->cap_effective = pE_new;
 346
 347         spin_unlock(&task_capability_lock);
 348
 349         return pE_old;
 350 }
 351
 352 EXPORT_SYMBOL(cap_set_effective);
 353
 354 /**
 355  * sys_capget - get the capabilities of a given process.
 356  * @header: pointer to struct that contains capability version and
 357  *      target pid data
 358  * @dataptr: pointer to struct that contains the effective, permitted,
 359  *      and inheritable capabilities that are returned
 360  *
 361  * Returns 0 on success and < 0 on error.
 362  */
 363 asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
 364 {
 365         int ret = 0;
 366         pid_t pid;
 367         unsigned tocopy;
 368         kernel_cap_t pE, pI, pP;
 369
 370         ret = cap_validate_magic(header, &tocopy);
 371         if (ret != 0)
 372                 return ret;
 373
 374         if (get_user(pid, &header->pid))
 375                 return -EFAULT;
 376
 377         if (pid < 0)
 378                 return -EINVAL;
 379
 380         ret = cap_get_target_pid(pid, &pE, &pI, &pP);
 381
 382         if (!ret) {
 383                 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
 384                 unsigned i;
 385
 386                 for (i = 0; i < tocopy; i++) {
 387                         kdata[i].effective = pE.cap[i];
 388                         kdata[i].permitted = pP.cap[i];
 389                         kdata[i].inheritable = pI.cap[i];
 390                 }
 391
 392                 /*
 393                  * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
 394                  * we silently drop the upper capabilities here. This
 395                  * has the effect of making older libcap
 396                  * implementations implicitly drop upper capability
 397                  * bits when they perform a: capget/modify/capset
 398                  * sequence.
 399                  *
 400                  * This behavior is considered fail-safe
 401                  * behavior. Upgrading the application to a newer
 402                  * version of libcap will enable access to the newer
 403                  * capabilities.
 404                  *
 405                  * An alternative would be to return an error here
 406                  * (-ERANGE), but that causes legacy applications to
 407                  * unexpectidly fail; the capget/modify/capset aborts
 408                  * before modification is attempted and the application
 409                  * fails.
 410                  */
 411                 if (copy_to_user(dataptr, kdata, tocopy
 412                                  * sizeof(struct __user_cap_data_struct))) {
 413                         return -EFAULT;
 414                 }
 415         }
 416
 417         return ret;
 418 }
 419
 420 /**
 421  * sys_capset - set capabilities for a process or (*) a group of processes
 422  * @header: pointer to struct that contains capability version and
 423  *      target pid data
 424  * @data: pointer to struct that contains the effective, permitted,
 425  *      and inheritable capabilities
 426  *
 427  * Set capabilities for a given process, all processes, or all
 428  * processes in a given process group.
 429  *
 430  * The restrictions on setting capabilities are specified as:
 431  *
 432  * [pid is for the 'target' task.  'current' is the calling task.]
 433  *
 434  * I: any raised capabilities must be a subset of the (old current) permitted
 435  * P: any raised capabilities must be a subset of the (old current) permitted
 436  * E: must be set to a subset of (new target) permitted
 437  *
 438  * Returns 0 on success and < 0 on error.
 439  */
 440 asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
 441 {
 442         struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
 443         unsigned i, tocopy;
 444         kernel_cap_t inheritable, permitted, effective;
 445         int ret;
 446         pid_t pid;
 447
 448         ret = cap_validate_magic(header, &tocopy);
 449         if (ret != 0)
 450                 return ret;
 451
 452         if (get_user(pid, &header->pid))
 453                 return -EFAULT;
 454
 455         if (copy_from_user(&kdata, data, tocopy
 456                            * sizeof(struct __user_cap_data_struct))) {
 457                 return -EFAULT;
 458         }
 459
 460         for (i = 0; i < tocopy; i++) {
 461                 effective.cap[i] = kdata[i].effective;
 462                 permitted.cap[i] = kdata[i].permitted;
 463                 inheritable.cap[i] = kdata[i].inheritable;
 464         }
 465         while (i < _KERNEL_CAPABILITY_U32S) {
 466                 effective.cap[i] = 0;
 467                 permitted.cap[i] = 0;
 468                 inheritable.cap[i] = 0;
 469                 i++;
 470         }
 471
 472         ret = audit_log_capset(pid, &effective, &inheritable, &permitted);
 473         if (ret)
 474                 return ret;
 475
 476         if (pid && (pid != task_pid_vnr(current)))
 477                 ret = do_sys_capset_other_tasks(pid, &effective, &inheritable,
 478                                                 &permitted);
 479         else {
 480                 /*
 481                  * This lock is required even when filesystem
 482                  * capability support is configured - it protects the
 483                  * sys_capget() call from returning incorrect data in
 484                  * the case that the targeted process is not the
 485                  * current one.
 486                  */
 487                 spin_lock(&task_capability_lock);
 488
 489                 ret = security_capset_check(current, &effective, &inheritable,
 490                                             &permitted);
 491                 /*
 492                  * Having verified that the proposed changes are
 493                  * legal, we now put them into effect.
 494                  */
 495                 if (!ret)
 496                         security_capset_set(current, &effective, &inheritable,
 497                                             &permitted);
 498                 spin_unlock(&task_capability_lock);
 499         }
 500
 501
 502         return ret;
 503 }
 504
 505 /**
 506  * capable - Determine if the current task has a superior capability in effect
 507  * @cap: The capability to be tested for
 508  *
 509  * Return true if the current task has the given superior capability currently
 510  * available for use, false if not.
 511  *
 512  * This sets PF_SUPERPRIV on the task if the capability is available on the
 513  * assumption that it's about to be used.
 514  */
 515 int capable(int cap)
 516 {
 517         if (unlikely(!cap_valid(cap))) {
 518                 printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
 519                 BUG();
 520         }
 521
 522         if (has_capability(current, cap)) {
 523                 current->flags |= PF_SUPERPRIV;
 524                 return 1;
 525         }
 526         return 0;
 527 }
 528 EXPORT_SYMBOL(capable);