Add 64-bit capability support to the kernel

The patch supports legacy (32-bit) capability userspace, and where possible
translates 32-bit capabilities to/from userspace and the VFS to 64-bit
kernel space capabilities.  If a capability set cannot be compressed into
32-bits for consumption by user space, the system call fails, with -ERANGE.

FWIW libcap-2.00 supports this change (and earlier capability formats)

 http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/

[akpm@linux-foundation.org: coding-syle fixes]
[akpm@linux-foundation.org: use get_task_comm()]
[ezk@cs.sunysb.edu: build fix]
[akpm@linux-foundation.org: do not initialise statics to 0 or NULL]
[akpm@linux-foundation.org: unused var]
[serue@us.ibm.com: export __cap_ symbols]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: James Morris <jmorris@namei.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Andrew Morgan 2008-02-04 22:29:42 -08:00 committed by Linus Torvalds
parent 8f6936f4d2
commit e338d263a7
7 changed files with 349 additions and 125 deletions

View File

@ -11,8 +11,6 @@
#include <linux/nfsd/nfsd.h> #include <linux/nfsd/nfsd.h>
#include <linux/nfsd/export.h> #include <linux/nfsd/export.h>
#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
{ {
struct exp_flavor_info *f; struct exp_flavor_info *f;
@ -69,9 +67,11 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
ret = set_current_groups(cred.cr_group_info); ret = set_current_groups(cred.cr_group_info);
put_group_info(cred.cr_group_info); put_group_info(cred.cr_group_info);
if ((cred.cr_uid)) { if ((cred.cr_uid)) {
cap_t(current->cap_effective) &= ~CAP_NFSD_MASK; current->cap_effective =
cap_drop_nfsd_set(current->cap_effective);
} else { } else {
cap_t(current->cap_effective) |= (CAP_NFSD_MASK & current->cap_effective =
cap_raise_nfsd_set(current->cap_effective,
current->cap_permitted); current->cap_permitted);
} }
return ret; return ret;

View File

@ -281,14 +281,23 @@ static inline char *task_sig(struct task_struct *p, char *buffer)
return buffer; return buffer;
} }
static char *render_cap_t(const char *header, kernel_cap_t *a, char *buffer)
{
unsigned __capi;
buffer += sprintf(buffer, "%s", header);
CAP_FOR_EACH_U32(__capi) {
buffer += sprintf(buffer, "%08x",
a->cap[(_LINUX_CAPABILITY_U32S-1) - __capi]);
}
return buffer + sprintf(buffer, "\n");
}
static inline char *task_cap(struct task_struct *p, char *buffer) static inline char *task_cap(struct task_struct *p, char *buffer)
{ {
return buffer + sprintf(buffer, "CapInh:\t%016x\n" buffer = render_cap_t("CapInh:\t", &p->cap_inheritable, buffer);
"CapPrm:\t%016x\n" buffer = render_cap_t("CapPrm:\t", &p->cap_permitted, buffer);
"CapEff:\t%016x\n", return render_cap_t("CapEff:\t", &p->cap_effective, buffer);
cap_t(p->cap_inheritable),
cap_t(p->cap_permitted),
cap_t(p->cap_effective));
} }
static inline char *task_context_switch_counts(struct task_struct *p, static inline char *task_context_switch_counts(struct task_struct *p,

View File

@ -23,13 +23,20 @@ struct task_struct;
kernel might be somewhat backwards compatible, but don't bet on kernel might be somewhat backwards compatible, but don't bet on
it. */ it. */
/* XXX - Note, cap_t, is defined by POSIX to be an "opaque" pointer to /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
a set of three capability sets. The transposition of 3*the a set of three capability sets. The transposition of 3*the
following structure to such a composite is better handled in a user following structure to such a composite is better handled in a user
library since the draft standard requires the use of malloc/free library since the draft standard requires the use of malloc/free
etc.. */ etc.. */
#define _LINUX_CAPABILITY_VERSION 0x19980330 #define _LINUX_CAPABILITY_VERSION_1 0x19980330
#define _LINUX_CAPABILITY_U32S_1 1
#define _LINUX_CAPABILITY_VERSION_2 0x20071026
#define _LINUX_CAPABILITY_U32S_2 2
#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2
#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2
typedef struct __user_cap_header_struct { typedef struct __user_cap_header_struct {
__u32 version; __u32 version;
@ -42,43 +49,42 @@ typedef struct __user_cap_data_struct {
__u32 inheritable; __u32 inheritable;
} __user *cap_user_data_t; } __user *cap_user_data_t;
#define XATTR_CAPS_SUFFIX "capability" #define XATTR_CAPS_SUFFIX "capability"
#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
#define XATTR_CAPS_SZ (3*sizeof(__le32))
#define VFS_CAP_REVISION_MASK 0xFF000000 #define VFS_CAP_REVISION_MASK 0xFF000000
#define VFS_CAP_REVISION_1 0x01000000
#define VFS_CAP_REVISION VFS_CAP_REVISION_1
#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001 #define VFS_CAP_FLAGS_EFFECTIVE 0x000001
#define VFS_CAP_REVISION_1 0x01000000
#define VFS_CAP_U32_1 1
#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
#define VFS_CAP_REVISION_2 0x02000000
#define VFS_CAP_U32_2 2
#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
#define VFS_CAP_U32 VFS_CAP_U32_2
#define VFS_CAP_REVISION VFS_CAP_REVISION_2
struct vfs_cap_data { struct vfs_cap_data {
__u32 magic_etc; /* Little endian */ __le32 magic_etc; /* Little endian */
struct { struct {
__u32 permitted; /* Little endian */ __le32 permitted; /* Little endian */
__u32 inheritable; /* Little endian */ __le32 inheritable; /* Little endian */
} data[1]; } data[VFS_CAP_U32];
}; };
#ifdef __KERNEL__ #ifdef __KERNEL__
/* #define STRICT_CAP_T_TYPECHECKS */
#ifdef STRICT_CAP_T_TYPECHECKS
typedef struct kernel_cap_struct { typedef struct kernel_cap_struct {
__u32 cap; __u32 cap[_LINUX_CAPABILITY_U32S];
} kernel_cap_t; } kernel_cap_t;
#else #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
typedef __u32 kernel_cap_t;
#endif
#define _USER_CAP_HEADER_SIZE (2*sizeof(__u32))
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
#endif #endif
@ -121,10 +127,6 @@ typedef __u32 kernel_cap_t;
#define CAP_FSETID 4 #define CAP_FSETID 4
/* Used to decide between falling back on the old suser() or fsuser(). */
#define CAP_FS_MASK 0x1f
/* Overrides the restriction that the real or effective user ID of a /* Overrides the restriction that the real or effective user ID of a
process sending a signal must match the real or effective user ID process sending a signal must match the real or effective user ID
of the process receiving the signal. */ of the process receiving the signal. */
@ -147,8 +149,12 @@ typedef __u32 kernel_cap_t;
** Linux-specific capabilities ** Linux-specific capabilities
**/ **/
/* Transfer any capability in your permitted set to any pid, /* Without VFS support for capabilities:
remove any capability in your permitted set from any pid */ * Transfer any capability in your permitted set to any pid,
* remove any capability in your permitted set from any pid
* With VFS support for capabilities (neither of above, but)
* Add any capability to the current process' inheritable set
*/
#define CAP_SETPCAP 8 #define CAP_SETPCAP 8
@ -309,70 +315,153 @@ typedef __u32 kernel_cap_t;
#define CAP_SETFCAP 31 #define CAP_SETFCAP 31
/*
* Bit location of each capability (used by user-space library and kernel)
*/
#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
#ifdef __KERNEL__ #ifdef __KERNEL__
/* /*
* Internal kernel functions only * Internal kernel functions only
*/ */
#ifdef STRICT_CAP_T_TYPECHECKS #define CAP_FOR_EACH_U32(__capi) \
for (__capi = 0; __capi < _LINUX_CAPABILITY_U32S; ++__capi)
#define to_cap_t(x) { x } # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
#define cap_t(x) (x).cap | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
| CAP_TO_MASK(CAP_FOWNER) \
| CAP_TO_MASK(CAP_FSETID))
#else #if _LINUX_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
#else /* HAND-CODED capability initializers */
#define to_cap_t(x) (x) # define CAP_EMPTY_SET {{ 0, 0 }}
#define cap_t(x) (x) # define CAP_FULL_SET {{ ~0, ~0 }}
# define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}
# define CAP_FS_SET {{ CAP_FS_MASK_B0, 0 }}
# define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), 0 }}
#endif #endif /* _LINUX_CAPABILITY_U32S != 2 */
#define CAP_EMPTY_SET to_cap_t(0) #define CAP_INIT_INH_SET CAP_EMPTY_SET
#define CAP_FULL_SET to_cap_t(~0)
#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
#define CAP_INIT_INH_SET to_cap_t(0)
#define CAP_TO_MASK(x) (1 << (x)) # define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
#define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag)) # define cap_set_full(c) do { (c) = __cap_full_set; } while (0)
#define cap_lower(c, flag) (cap_t(c) &= ~CAP_TO_MASK(flag)) # define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0)
#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
static inline kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b) #define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
#define CAP_BOP_ALL(c, a, b, OP) \
do { \
unsigned __capi; \
CAP_FOR_EACH_U32(__capi) { \
c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
} \
} while (0)
#define CAP_UOP_ALL(c, a, OP) \
do { \
unsigned __capi; \
CAP_FOR_EACH_U32(__capi) { \
c.cap[__capi] = OP a.cap[__capi]; \
} \
} while (0)
static inline kernel_cap_t cap_combine(const kernel_cap_t a,
const kernel_cap_t b)
{ {
kernel_cap_t dest; kernel_cap_t dest;
cap_t(dest) = cap_t(a) | cap_t(b); CAP_BOP_ALL(dest, a, b, |);
return dest; return dest;
} }
static inline kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b) static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
const kernel_cap_t b)
{ {
kernel_cap_t dest; kernel_cap_t dest;
cap_t(dest) = cap_t(a) & cap_t(b); CAP_BOP_ALL(dest, a, b, &);
return dest; return dest;
} }
static inline kernel_cap_t cap_drop(kernel_cap_t a, kernel_cap_t drop) static inline kernel_cap_t cap_drop(const kernel_cap_t a,
const kernel_cap_t drop)
{ {
kernel_cap_t dest; kernel_cap_t dest;
cap_t(dest) = cap_t(a) & ~cap_t(drop); CAP_BOP_ALL(dest, a, drop, &~);
return dest; return dest;
} }
static inline kernel_cap_t cap_invert(kernel_cap_t c) static inline kernel_cap_t cap_invert(const kernel_cap_t c)
{ {
kernel_cap_t dest; kernel_cap_t dest;
cap_t(dest) = ~cap_t(c); CAP_UOP_ALL(dest, c, ~);
return dest; return dest;
} }
#define cap_isclear(c) (!cap_t(c)) static inline int cap_isclear(const kernel_cap_t a)
#define cap_issubset(a,set) (!(cap_t(a) & ~cap_t(set))) {
unsigned __capi;
CAP_FOR_EACH_U32(__capi) {
if (a.cap[__capi] != 0)
return 0;
}
return 1;
}
#define cap_clear(c) do { cap_t(c) = 0; } while(0) static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
#define cap_set_full(c) do { cap_t(c) = ~0; } while(0) {
#define cap_mask(c,mask) do { cap_t(c) &= cap_t(mask); } while(0) kernel_cap_t dest;
dest = cap_drop(a, set);
return cap_isclear(dest);
}
#define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK) /* Used to decide between falling back on the old suser() or fsuser(). */
static inline int cap_is_fs_cap(int cap)
{
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
}
static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
{
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
return cap_drop(a, __cap_fs_set);
}
static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
const kernel_cap_t permitted)
{
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
return cap_combine(a,
cap_intersect(permitted, __cap_fs_set));
}
static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
{
const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
return cap_drop(a, __cap_fs_set);
}
static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
const kernel_cap_t permitted)
{
const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
return cap_combine(a,
cap_intersect(permitted, __cap_nfsd_set));
}
extern const kernel_cap_t __cap_empty_set;
extern const kernel_cap_t __cap_full_set;
extern const kernel_cap_t __cap_init_eff_set;
int capable(int cap); int capable(int cap);
int __capable(struct task_struct *t, int cap); int __capable(struct task_struct *t, int cap);

View File

@ -21,6 +21,37 @@
*/ */
static DEFINE_SPINLOCK(task_capability_lock); static DEFINE_SPINLOCK(task_capability_lock);
/*
* Leveraged for setting/resetting capabilities
*/
const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
const kernel_cap_t __cap_full_set = CAP_FULL_SET;
const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
EXPORT_SYMBOL(__cap_empty_set);
EXPORT_SYMBOL(__cap_full_set);
EXPORT_SYMBOL(__cap_init_eff_set);
/*
* More recent versions of libcap are available from:
*
* http://www.kernel.org/pub/linux/libs/security/linux-privs/
*/
static void warn_legacy_capability_use(void)
{
static int warned;
if (!warned) {
char name[sizeof(current->comm)];
printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
" (legacy support in use)\n",
get_task_comm(name, current));
warned = 1;
}
}
/* /*
* For sys_getproccap() and sys_setproccap(), any of the three * For sys_getproccap() and sys_setproccap(), any of the three
* capability set pointers may be NULL -- indicating that that set is * capability set pointers may be NULL -- indicating that that set is
@ -42,12 +73,21 @@ asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
pid_t pid; pid_t pid;
__u32 version; __u32 version;
struct task_struct *target; struct task_struct *target;
struct __user_cap_data_struct data; unsigned tocopy;
kernel_cap_t pE, pI, pP;
if (get_user(version, &header->version)) if (get_user(version, &header->version))
return -EFAULT; return -EFAULT;
if (version != _LINUX_CAPABILITY_VERSION) { switch (version) {
case _LINUX_CAPABILITY_VERSION_1:
warn_legacy_capability_use();
tocopy = _LINUX_CAPABILITY_U32S_1;
break;
case _LINUX_CAPABILITY_VERSION_2:
tocopy = _LINUX_CAPABILITY_U32S_2;
break;
default:
if (put_user(_LINUX_CAPABILITY_VERSION, &header->version)) if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
return -EFAULT; return -EFAULT;
return -EINVAL; return -EINVAL;
@ -71,14 +111,47 @@ asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
} else } else
target = current; target = current;
ret = security_capget(target, &data.effective, &data.inheritable, &data.permitted); ret = security_capget(target, &pE, &pI, &pP);
out: out:
read_unlock(&tasklist_lock); read_unlock(&tasklist_lock);
spin_unlock(&task_capability_lock); spin_unlock(&task_capability_lock);
if (!ret && copy_to_user(dataptr, &data, sizeof data)) if (!ret) {
struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
unsigned i;
for (i = 0; i < tocopy; i++) {
kdata[i].effective = pE.cap[i];
kdata[i].permitted = pP.cap[i];
kdata[i].inheritable = pI.cap[i];
}
/*
* Note, in the case, tocopy < _LINUX_CAPABILITY_U32S,
* we silently drop the upper capabilities here. This
* has the effect of making older libcap
* implementations implicitly drop upper capability
* bits when they perform a: capget/modify/capset
* sequence.
*
* This behavior is considered fail-safe
* behavior. Upgrading the application to a newer
* version of libcap will enable access to the newer
* capabilities.
*
* An alternative would be to return an error here
* (-ERANGE), but that causes legacy applications to
* unexpectidly fail; the capget/modify/capset aborts
* before modification is attempted and the application
* fails.
*/
if (copy_to_user(dataptr, kdata, tocopy
* sizeof(struct __user_cap_data_struct))) {
return -EFAULT; return -EFAULT;
}
}
return ret; return ret;
} }
@ -167,6 +240,8 @@ static inline int cap_set_all(kernel_cap_t *effective,
*/ */
asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
{ {
struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
unsigned i, tocopy;
kernel_cap_t inheritable, permitted, effective; kernel_cap_t inheritable, permitted, effective;
__u32 version; __u32 version;
struct task_struct *target; struct task_struct *target;
@ -176,7 +251,15 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
if (get_user(version, &header->version)) if (get_user(version, &header->version))
return -EFAULT; return -EFAULT;
if (version != _LINUX_CAPABILITY_VERSION) { switch (version) {
case _LINUX_CAPABILITY_VERSION_1:
warn_legacy_capability_use();
tocopy = _LINUX_CAPABILITY_U32S_1;
break;
case _LINUX_CAPABILITY_VERSION_2:
tocopy = _LINUX_CAPABILITY_U32S_2;
break;
default:
if (put_user(_LINUX_CAPABILITY_VERSION, &header->version)) if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
return -EFAULT; return -EFAULT;
return -EINVAL; return -EINVAL;
@ -188,10 +271,22 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
if (pid && pid != task_pid_vnr(current) && !capable(CAP_SETPCAP)) if (pid && pid != task_pid_vnr(current) && !capable(CAP_SETPCAP))
return -EPERM; return -EPERM;
if (copy_from_user(&effective, &data->effective, sizeof(effective)) || if (copy_from_user(&kdata, data, tocopy
copy_from_user(&inheritable, &data->inheritable, sizeof(inheritable)) || * sizeof(struct __user_cap_data_struct))) {
copy_from_user(&permitted, &data->permitted, sizeof(permitted)))
return -EFAULT; return -EFAULT;
}
for (i = 0; i < tocopy; i++) {
effective.cap[i] = kdata[i].effective;
permitted.cap[i] = kdata[i].permitted;
inheritable.cap[i] = kdata[i].inheritable;
}
while (i < _LINUX_CAPABILITY_U32S) {
effective.cap[i] = 0;
permitted.cap[i] = 0;
inheritable.cap[i] = 0;
i++;
}
spin_lock(&task_capability_lock); spin_lock(&task_capability_lock);
read_lock(&tasklist_lock); read_lock(&tasklist_lock);

View File

@ -125,8 +125,7 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
* Superuser processes are usually more important, so we make it * Superuser processes are usually more important, so we make it
* less likely that we kill those. * less likely that we kill those.
*/ */
if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) || if (__capable(p, CAP_SYS_ADMIN) || p->uid == 0 || p->euid == 0)
p->uid == 0 || p->euid == 0)
points /= 4; points /= 4;
/* /*
@ -135,7 +134,7 @@ unsigned long badness(struct task_struct *p, unsigned long uptime)
* tend to only have this flag set on applications they think * tend to only have this flag set on applications they think
* of as important. * of as important.
*/ */
if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO)) if (__capable(p, CAP_SYS_RAWIO))
points /= 4; points /= 4;
/* /*

View File

@ -93,9 +93,9 @@ int cap_capget (struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
/* Derived from kernel/capability.c:sys_capget. */ /* Derived from kernel/capability.c:sys_capget. */
*effective = cap_t (target->cap_effective); *effective = target->cap_effective;
*inheritable = cap_t (target->cap_inheritable); *inheritable = target->cap_inheritable;
*permitted = cap_t (target->cap_permitted); *permitted = target->cap_permitted;
return 0; return 0;
} }
@ -197,28 +197,51 @@ int cap_inode_killpriv(struct dentry *dentry)
return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
} }
static inline int cap_from_disk(__le32 *caps, struct linux_binprm *bprm, static inline int cap_from_disk(struct vfs_cap_data *caps,
int size) struct linux_binprm *bprm, unsigned size)
{ {
__u32 magic_etc; __u32 magic_etc;
unsigned tocopy, i;
if (size != XATTR_CAPS_SZ) if (size < sizeof(magic_etc))
return -EINVAL; return -EINVAL;
magic_etc = le32_to_cpu(caps[0]); magic_etc = le32_to_cpu(caps->magic_etc);
switch ((magic_etc & VFS_CAP_REVISION_MASK)) { switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
case VFS_CAP_REVISION: case VFS_CAP_REVISION_1:
if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) if (size != XATTR_CAPS_SZ_1)
bprm->cap_effective = true; return -EINVAL;
else tocopy = VFS_CAP_U32_1;
bprm->cap_effective = false; break;
bprm->cap_permitted = to_cap_t(le32_to_cpu(caps[1])); case VFS_CAP_REVISION_2:
bprm->cap_inheritable = to_cap_t(le32_to_cpu(caps[2])); if (size != XATTR_CAPS_SZ_2)
return 0; return -EINVAL;
tocopy = VFS_CAP_U32_2;
break;
default: default:
return -EINVAL; return -EINVAL;
} }
if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
bprm->cap_effective = true;
} else {
bprm->cap_effective = false;
}
for (i = 0; i < tocopy; ++i) {
bprm->cap_permitted.cap[i] =
le32_to_cpu(caps->data[i].permitted);
bprm->cap_inheritable.cap[i] =
le32_to_cpu(caps->data[i].inheritable);
}
while (i < VFS_CAP_U32) {
bprm->cap_permitted.cap[i] = 0;
bprm->cap_inheritable.cap[i] = 0;
i++;
}
return 0;
} }
/* Locate any VFS capabilities: */ /* Locate any VFS capabilities: */
@ -226,7 +249,7 @@ static int get_file_caps(struct linux_binprm *bprm)
{ {
struct dentry *dentry; struct dentry *dentry;
int rc = 0; int rc = 0;
__le32 v1caps[XATTR_CAPS_SZ]; struct vfs_cap_data vcaps;
struct inode *inode; struct inode *inode;
if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) { if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
@ -239,7 +262,7 @@ static int get_file_caps(struct linux_binprm *bprm)
if (!inode->i_op || !inode->i_op->getxattr) if (!inode->i_op || !inode->i_op->getxattr)
goto out; goto out;
rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &v1caps, rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
XATTR_CAPS_SZ); XATTR_CAPS_SZ);
if (rc == -ENODATA || rc == -EOPNOTSUPP) { if (rc == -ENODATA || rc == -EOPNOTSUPP) {
/* no data, that's ok */ /* no data, that's ok */
@ -249,7 +272,7 @@ static int get_file_caps(struct linux_binprm *bprm)
if (rc < 0) if (rc < 0)
goto out; goto out;
rc = cap_from_disk(v1caps, bprm, rc); rc = cap_from_disk(&vcaps, bprm, rc);
if (rc) if (rc)
printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
__FUNCTION__, rc, bprm->filename); __FUNCTION__, rc, bprm->filename);
@ -344,8 +367,10 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
* capability rules */ * capability rules */
if (!is_global_init(current)) { if (!is_global_init(current)) {
current->cap_permitted = new_permitted; current->cap_permitted = new_permitted;
current->cap_effective = bprm->cap_effective ? if (bprm->cap_effective)
new_permitted : 0; current->cap_effective = new_permitted;
else
cap_clear(current->cap_effective);
} }
/* AUD: Audit candidate if current->cap_effective is set */ /* AUD: Audit candidate if current->cap_effective is set */
@ -467,13 +492,15 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
if (!issecure (SECURE_NO_SETUID_FIXUP)) { if (!issecure (SECURE_NO_SETUID_FIXUP)) {
if (old_fsuid == 0 && current->fsuid != 0) { if (old_fsuid == 0 && current->fsuid != 0) {
cap_t (current->cap_effective) &= current->cap_effective =
~CAP_FS_MASK; cap_drop_fs_set(
current->cap_effective);
} }
if (old_fsuid != 0 && current->fsuid == 0) { if (old_fsuid != 0 && current->fsuid == 0) {
cap_t (current->cap_effective) |= current->cap_effective =
(cap_t (current->cap_permitted) & cap_raise_fs_set(
CAP_FS_MASK); current->cap_effective,
current->cap_permitted);
} }
} }
break; break;
@ -577,9 +604,9 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
void cap_task_reparent_to_init (struct task_struct *p) void cap_task_reparent_to_init (struct task_struct *p)
{ {
p->cap_effective = CAP_INIT_EFF_SET; cap_set_init_eff(p->cap_effective);
p->cap_inheritable = CAP_INIT_INH_SET; cap_clear(p->cap_inheritable);
p->cap_permitted = CAP_FULL_SET; cap_set_full(p->cap_permitted);
p->keep_capabilities = 0; p->keep_capabilities = 0;
return; return;
} }

View File

@ -36,14 +36,19 @@ static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
static int dummy_capget (struct task_struct *target, kernel_cap_t * effective, static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted) kernel_cap_t * inheritable, kernel_cap_t * permitted)
{ {
*effective = *inheritable = *permitted = 0;
if (target->euid == 0) { if (target->euid == 0) {
*permitted |= (~0 & ~CAP_FS_MASK); cap_set_full(*permitted);
*effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK); cap_set_init_eff(*effective);
} else {
cap_clear(*permitted);
cap_clear(*effective);
} }
if (target->fsuid == 0) {
*permitted |= CAP_FS_MASK; cap_clear(*inheritable);
*effective |= CAP_FS_MASK;
if (target->fsuid != 0) {
*permitted = cap_drop_fs_set(*permitted);
*effective = cap_drop_fs_set(*effective);
} }
return 0; return 0;
} }