mirror of
https://github.com/torvalds/linux.git
synced 2024-12-15 07:33:56 +00:00
40852275a9
This change ensures that the set*uid family of syscalls in kernel/sys.c (setreuid, setuid, setresuid, setfsuid) all call ns_capable_common with the CAP_OPT_INSETID flag, so capability checks in the security_capable hook can know whether they are being called from within a set*uid syscall. This change is a no-op by itself, but is needed for the proposed SafeSetID LSM. Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
531 lines
15 KiB
C
531 lines
15 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* linux/kernel/capability.c
|
|
*
|
|
* Copyright (C) 1997 Andrew Main <zefram@fysh.org>
|
|
*
|
|
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
|
|
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/audit.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/export.h>
|
|
#include <linux/security.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <linux/user_namespace.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
/*
|
|
* Leveraged for setting/resetting capabilities
|
|
*/
|
|
|
|
const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
|
|
EXPORT_SYMBOL(__cap_empty_set);
|
|
|
|
int file_caps_enabled = 1;
|
|
|
|
static int __init file_caps_disable(char *str)
|
|
{
|
|
file_caps_enabled = 0;
|
|
return 1;
|
|
}
|
|
__setup("no_file_caps", file_caps_disable);
|
|
|
|
#ifdef CONFIG_MULTIUSER
|
|
/*
|
|
* More recent versions of libcap are available from:
|
|
*
|
|
* http://www.kernel.org/pub/linux/libs/security/linux-privs/
|
|
*/
|
|
|
|
static void warn_legacy_capability_use(void)
|
|
{
|
|
char name[sizeof(current->comm)];
|
|
|
|
pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n",
|
|
get_task_comm(name, current));
|
|
}
|
|
|
|
/*
|
|
* Version 2 capabilities worked fine, but the linux/capability.h file
|
|
* that accompanied their introduction encouraged their use without
|
|
* the necessary user-space source code changes. As such, we have
|
|
* created a version 3 with equivalent functionality to version 2, but
|
|
* with a header change to protect legacy source code from using
|
|
* version 2 when it wanted to use version 1. If your system has code
|
|
* that trips the following warning, it is using version 2 specific
|
|
* capabilities and may be doing so insecurely.
|
|
*
|
|
* The remedy is to either upgrade your version of libcap (to 2.10+,
|
|
* if the application is linked against it), or recompile your
|
|
* application with modern kernel headers and this warning will go
|
|
* away.
|
|
*/
|
|
|
|
static void warn_deprecated_v2(void)
|
|
{
|
|
char name[sizeof(current->comm)];
|
|
|
|
pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n",
|
|
get_task_comm(name, current));
|
|
}
|
|
|
|
/*
|
|
* Version check. Return the number of u32s in each capability flag
|
|
* array, or a negative value on error.
|
|
*/
|
|
static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
|
|
{
|
|
__u32 version;
|
|
|
|
if (get_user(version, &header->version))
|
|
return -EFAULT;
|
|
|
|
switch (version) {
|
|
case _LINUX_CAPABILITY_VERSION_1:
|
|
warn_legacy_capability_use();
|
|
*tocopy = _LINUX_CAPABILITY_U32S_1;
|
|
break;
|
|
case _LINUX_CAPABILITY_VERSION_2:
|
|
warn_deprecated_v2();
|
|
/* fall through - v3 is otherwise equivalent to v2. */
|
|
case _LINUX_CAPABILITY_VERSION_3:
|
|
*tocopy = _LINUX_CAPABILITY_U32S_3;
|
|
break;
|
|
default:
|
|
if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
|
|
return -EFAULT;
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* The only thing that can change the capabilities of the current
|
|
* process is the current process. As such, we can't be in this code
|
|
* at the same time as we are in the process of setting capabilities
|
|
* in this process. The net result is that we can limit our use of
|
|
* locks to when we are reading the caps of another process.
|
|
*/
|
|
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
|
|
kernel_cap_t *pIp, kernel_cap_t *pPp)
|
|
{
|
|
int ret;
|
|
|
|
if (pid && (pid != task_pid_vnr(current))) {
|
|
struct task_struct *target;
|
|
|
|
rcu_read_lock();
|
|
|
|
target = find_task_by_vpid(pid);
|
|
if (!target)
|
|
ret = -ESRCH;
|
|
else
|
|
ret = security_capget(target, pEp, pIp, pPp);
|
|
|
|
rcu_read_unlock();
|
|
} else
|
|
ret = security_capget(current, pEp, pIp, pPp);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* sys_capget - get the capabilities of a given process.
|
|
* @header: pointer to struct that contains capability version and
|
|
* target pid data
|
|
* @dataptr: pointer to struct that contains the effective, permitted,
|
|
* and inheritable capabilities that are returned
|
|
*
|
|
* Returns 0 on success and < 0 on error.
|
|
*/
|
|
SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
|
|
{
|
|
int ret = 0;
|
|
pid_t pid;
|
|
unsigned tocopy;
|
|
kernel_cap_t pE, pI, pP;
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
if ((dataptr == NULL) || (ret != 0))
|
|
return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
|
|
|
|
if (get_user(pid, &header->pid))
|
|
return -EFAULT;
|
|
|
|
if (pid < 0)
|
|
return -EINVAL;
|
|
|
|
ret = cap_get_target_pid(pid, &pE, &pI, &pP);
|
|
if (!ret) {
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
unsigned i;
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
kdata[i].effective = pE.cap[i];
|
|
kdata[i].permitted = pP.cap[i];
|
|
kdata[i].inheritable = pI.cap[i];
|
|
}
|
|
|
|
/*
|
|
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
|
|
* we silently drop the upper capabilities here. This
|
|
* has the effect of making older libcap
|
|
* implementations implicitly drop upper capability
|
|
* bits when they perform a: capget/modify/capset
|
|
* sequence.
|
|
*
|
|
* This behavior is considered fail-safe
|
|
* behavior. Upgrading the application to a newer
|
|
* version of libcap will enable access to the newer
|
|
* capabilities.
|
|
*
|
|
* An alternative would be to return an error here
|
|
* (-ERANGE), but that causes legacy applications to
|
|
* unexpectedly fail; the capget/modify/capset aborts
|
|
* before modification is attempted and the application
|
|
* fails.
|
|
*/
|
|
if (copy_to_user(dataptr, kdata, tocopy
|
|
* sizeof(struct __user_cap_data_struct))) {
|
|
return -EFAULT;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* sys_capset - set capabilities for a process or (*) a group of processes
|
|
* @header: pointer to struct that contains capability version and
|
|
* target pid data
|
|
* @data: pointer to struct that contains the effective, permitted,
|
|
* and inheritable capabilities
|
|
*
|
|
* Set capabilities for the current process only. The ability to any other
|
|
* process(es) has been deprecated and removed.
|
|
*
|
|
* The restrictions on setting capabilities are specified as:
|
|
*
|
|
* I: any raised capabilities must be a subset of the old permitted
|
|
* P: any raised capabilities must be a subset of the old permitted
|
|
* E: must be set to a subset of new permitted
|
|
*
|
|
* Returns 0 on success and < 0 on error.
|
|
*/
|
|
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
|
|
{
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
unsigned i, tocopy, copybytes;
|
|
kernel_cap_t inheritable, permitted, effective;
|
|
struct cred *new;
|
|
int ret;
|
|
pid_t pid;
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
if (get_user(pid, &header->pid))
|
|
return -EFAULT;
|
|
|
|
/* may only affect current now */
|
|
if (pid != 0 && pid != task_pid_vnr(current))
|
|
return -EPERM;
|
|
|
|
copybytes = tocopy * sizeof(struct __user_cap_data_struct);
|
|
if (copybytes > sizeof(kdata))
|
|
return -EFAULT;
|
|
|
|
if (copy_from_user(&kdata, data, copybytes))
|
|
return -EFAULT;
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
effective.cap[i] = kdata[i].effective;
|
|
permitted.cap[i] = kdata[i].permitted;
|
|
inheritable.cap[i] = kdata[i].inheritable;
|
|
}
|
|
while (i < _KERNEL_CAPABILITY_U32S) {
|
|
effective.cap[i] = 0;
|
|
permitted.cap[i] = 0;
|
|
inheritable.cap[i] = 0;
|
|
i++;
|
|
}
|
|
|
|
effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
|
|
permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
|
|
inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
|
|
|
|
new = prepare_creds();
|
|
if (!new)
|
|
return -ENOMEM;
|
|
|
|
ret = security_capset(new, current_cred(),
|
|
&effective, &inheritable, &permitted);
|
|
if (ret < 0)
|
|
goto error;
|
|
|
|
audit_log_capset(new, current_cred());
|
|
|
|
return commit_creds(new);
|
|
|
|
error:
|
|
abort_creds(new);
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* has_ns_capability - Does a task have a capability in a specific user ns
|
|
* @t: The task in question
|
|
* @ns: target user namespace
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the specified task has the given superior capability
|
|
* currently in effect to the specified user namespace, false if not.
|
|
*
|
|
* Note that this does not set PF_SUPERPRIV on the task.
|
|
*/
|
|
bool has_ns_capability(struct task_struct *t,
|
|
struct user_namespace *ns, int cap)
|
|
{
|
|
int ret;
|
|
|
|
rcu_read_lock();
|
|
ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE);
|
|
rcu_read_unlock();
|
|
|
|
return (ret == 0);
|
|
}
|
|
|
|
/**
|
|
* has_capability - Does a task have a capability in init_user_ns
|
|
* @t: The task in question
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the specified task has the given superior capability
|
|
* currently in effect to the initial user namespace, false if not.
|
|
*
|
|
* Note that this does not set PF_SUPERPRIV on the task.
|
|
*/
|
|
bool has_capability(struct task_struct *t, int cap)
|
|
{
|
|
return has_ns_capability(t, &init_user_ns, cap);
|
|
}
|
|
EXPORT_SYMBOL(has_capability);
|
|
|
|
/**
|
|
* has_ns_capability_noaudit - Does a task have a capability (unaudited)
|
|
* in a specific user ns.
|
|
* @t: The task in question
|
|
* @ns: target user namespace
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the specified task has the given superior capability
|
|
* currently in effect to the specified user namespace, false if not.
|
|
* Do not write an audit message for the check.
|
|
*
|
|
* Note that this does not set PF_SUPERPRIV on the task.
|
|
*/
|
|
bool has_ns_capability_noaudit(struct task_struct *t,
|
|
struct user_namespace *ns, int cap)
|
|
{
|
|
int ret;
|
|
|
|
rcu_read_lock();
|
|
ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NOAUDIT);
|
|
rcu_read_unlock();
|
|
|
|
return (ret == 0);
|
|
}
|
|
|
|
/**
|
|
* has_capability_noaudit - Does a task have a capability (unaudited) in the
|
|
* initial user ns
|
|
* @t: The task in question
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the specified task has the given superior capability
|
|
* currently in effect to init_user_ns, false if not. Don't write an
|
|
* audit message for the check.
|
|
*
|
|
* Note that this does not set PF_SUPERPRIV on the task.
|
|
*/
|
|
bool has_capability_noaudit(struct task_struct *t, int cap)
|
|
{
|
|
return has_ns_capability_noaudit(t, &init_user_ns, cap);
|
|
}
|
|
|
|
static bool ns_capable_common(struct user_namespace *ns,
|
|
int cap,
|
|
unsigned int opts)
|
|
{
|
|
int capable;
|
|
|
|
if (unlikely(!cap_valid(cap))) {
|
|
pr_crit("capable() called with invalid cap=%u\n", cap);
|
|
BUG();
|
|
}
|
|
|
|
capable = security_capable(current_cred(), ns, cap, opts);
|
|
if (capable == 0) {
|
|
current->flags |= PF_SUPERPRIV;
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* ns_capable - Determine if the current task has a superior capability in effect
|
|
* @ns: The usernamespace we want the capability in
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the current task has the given superior capability currently
|
|
* available for use, false if not.
|
|
*
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
* assumption that it's about to be used.
|
|
*/
|
|
bool ns_capable(struct user_namespace *ns, int cap)
|
|
{
|
|
return ns_capable_common(ns, cap, CAP_OPT_NONE);
|
|
}
|
|
EXPORT_SYMBOL(ns_capable);
|
|
|
|
/**
|
|
* ns_capable_noaudit - Determine if the current task has a superior capability
|
|
* (unaudited) in effect
|
|
* @ns: The usernamespace we want the capability in
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the current task has the given superior capability currently
|
|
* available for use, false if not.
|
|
*
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
* assumption that it's about to be used.
|
|
*/
|
|
bool ns_capable_noaudit(struct user_namespace *ns, int cap)
|
|
{
|
|
return ns_capable_common(ns, cap, CAP_OPT_NOAUDIT);
|
|
}
|
|
EXPORT_SYMBOL(ns_capable_noaudit);
|
|
|
|
/**
|
|
* ns_capable_setid - Determine if the current task has a superior capability
|
|
* in effect, while signalling that this check is being done from within a
|
|
* setid syscall.
|
|
* @ns: The usernamespace we want the capability in
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the current task has the given superior capability currently
|
|
* available for use, false if not.
|
|
*
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
* assumption that it's about to be used.
|
|
*/
|
|
bool ns_capable_setid(struct user_namespace *ns, int cap)
|
|
{
|
|
return ns_capable_common(ns, cap, CAP_OPT_INSETID);
|
|
}
|
|
EXPORT_SYMBOL(ns_capable_setid);
|
|
|
|
/**
|
|
* capable - Determine if the current task has a superior capability in effect
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the current task has the given superior capability currently
|
|
* available for use, false if not.
|
|
*
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
* assumption that it's about to be used.
|
|
*/
|
|
bool capable(int cap)
|
|
{
|
|
return ns_capable(&init_user_ns, cap);
|
|
}
|
|
EXPORT_SYMBOL(capable);
|
|
#endif /* CONFIG_MULTIUSER */
|
|
|
|
/**
|
|
* file_ns_capable - Determine if the file's opener had a capability in effect
|
|
* @file: The file we want to check
|
|
* @ns: The usernamespace we want the capability in
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if task that opened the file had a capability in effect
|
|
* when the file was opened.
|
|
*
|
|
* This does not set PF_SUPERPRIV because the caller may not
|
|
* actually be privileged.
|
|
*/
|
|
bool file_ns_capable(const struct file *file, struct user_namespace *ns,
|
|
int cap)
|
|
{
|
|
|
|
if (WARN_ON_ONCE(!cap_valid(cap)))
|
|
return false;
|
|
|
|
if (security_capable(file->f_cred, ns, cap, CAP_OPT_NONE) == 0)
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
EXPORT_SYMBOL(file_ns_capable);
|
|
|
|
/**
|
|
* privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
|
|
* @ns: The user namespace in question
|
|
* @inode: The inode in question
|
|
*
|
|
* Return true if the inode uid and gid are within the namespace.
|
|
*/
|
|
bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode)
|
|
{
|
|
return kuid_has_mapping(ns, inode->i_uid) &&
|
|
kgid_has_mapping(ns, inode->i_gid);
|
|
}
|
|
|
|
/**
|
|
* capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
|
|
* @inode: The inode in question
|
|
* @cap: The capability in question
|
|
*
|
|
* Return true if the current task has the given capability targeted at
|
|
* its own user namespace and that the given inode's uid and gid are
|
|
* mapped into the current user namespace.
|
|
*/
|
|
bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
|
|
{
|
|
struct user_namespace *ns = current_user_ns();
|
|
|
|
return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode);
|
|
}
|
|
EXPORT_SYMBOL(capable_wrt_inode_uidgid);
|
|
|
|
/**
|
|
* ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
|
|
* @tsk: The task that may be ptraced
|
|
* @ns: The user namespace to search for CAP_SYS_PTRACE in
|
|
*
|
|
* Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
|
|
* in the specified user namespace.
|
|
*/
|
|
bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
|
|
{
|
|
int ret = 0; /* An absent tracer adds no restrictions */
|
|
const struct cred *cred;
|
|
|
|
rcu_read_lock();
|
|
cred = rcu_dereference(tsk->ptracer_cred);
|
|
if (cred)
|
|
ret = security_capable(cred, ns, CAP_SYS_PTRACE,
|
|
CAP_OPT_NOAUDIT);
|
|
rcu_read_unlock();
|
|
return (ret == 0);
|
|
}
|