/*
 * linux/kernel/capability.c
 *
 * Copyright (C) 1997 Andrew Main <zefram@fysh.org>
 *
 * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
 * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
 */

V3 file capabilities: alter behavior of cap_setpcap

The non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,
can change the capabilities of another process, p2. This is not the
meaning that was intended for this capability at all, and this
implementation came about purely because, without filesystem capabilities,
there was no way to use capabilities without one process bestowing them on
another.

Since we now have filesystem support for capabilities we can fix the
implementation of CAP_SETPCAP.

The most significant thing about this change is that, with it in effect, no
process can set the capabilities of another process.

The capabilities of a program are set via the capability convolution
rules:

	pI(post-exec) = pI(pre-exec)
	pP(post-exec) = (X(aka cap_bset) & fP) | (pI(post-exec) & fI)
	pE(post-exec) = fE ? pP(post-exec) : 0

at exec() time. As such, the only influence the pre-exec() program can
have on the post-exec() program's capabilities is through the pI
capability set.

The correct implementation for CAP_SETPCAP (and that enabled by this patch)
is that it can be used to add extra pI capabilities to the current process
- to be picked up by subsequent exec()s when the above convolution rules
are applied.

Here is how it works:

Let's say we have a process, p. It has capability sets, pE, pP and pI.
Generally, p can change the value of its own pI to pI' where

	(pI' & ~pI) & ~pP = 0.

That is, the only new things in pI' that were not present in pI need to
be present in pP.

The role of CAP_SETPCAP is basically to permit changes to pI beyond
the above:

	if (pE & CAP_SETPCAP) {
		pI' = anything; /* ie., even (pI' & ~pI) & ~pP != 0 */
	}

This capability is useful for things like login, which (say, via
pam_cap) might want to raise certain inheritable capabilities for use
by the children of the logged-in user's shell, but those capabilities
are not useful to or needed by the login program itself.

One such use might be to limit who can run ping. You set the
capabilities of the 'ping' program to be "= cap_net_raw+i", and then
only shells that have (pI & CAP_NET_RAW) will be able to run
it. Without CAP_SETPCAP implemented as described above, login(pam_cap)
would have to also have (pP & CAP_NET_RAW) in order to raise this
capability and pass it on through the inheritable set.

Signed-off-by: Andrew Morgan <morgan@kernel.org>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

#include <linux/capability.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/pid_namespace.h>
#include <asm/uaccess.h>

/*
 * This lock protects task->cap_* for all tasks including current.
 * Locking rule: acquire this prior to tasklist_lock.
 */
static DEFINE_SPINLOCK(task_capability_lock);

/*
 * Leveraged for setting/resetting capabilities
 */

const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
const kernel_cap_t __cap_full_set = CAP_FULL_SET;
const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;

EXPORT_SYMBOL(__cap_empty_set);
EXPORT_SYMBOL(__cap_full_set);
EXPORT_SYMBOL(__cap_init_eff_set);

file capabilities: add no_file_caps switch (v4)

Add a no_file_caps boot option when file capabilities are
compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES=y).

This allows distributions to ship a kernel with file capabilities
compiled in, without forcing users to use (and understand and
trust) them.

When no_file_caps is specified at boot, then when a process executes
a file, any file capabilities stored with that file will not be
used in the calculation of the process' new capability sets.

This means that booting with the no_file_caps boot option will
not be the same as booting a kernel with file capabilities
compiled out - in particular a task with CAP_SETPCAP will not
have any chance of passing capabilities to another task (which
isn't "really" possible anyway, and which may soon be killed
altogether by David Howells in any case), and it will instead
be able to put new capabilities in its pI. However since fI
will always be empty and pI is masked with fI, it gains the
task nothing.

We also support the extra prctl options, setting securebits and
dropping capabilities from the per-process bounding set.

The other remaining difference is that killpriv, task_setscheduler,
setioprio, and setnice will continue to be hooked. That will
be noticeable in the case where a root task changed its uid
while keeping some caps, and another task owned by the new uid
tries to change settings for the more privileged task.

Changelog:
	Nov 05 2008: (v4) trivial port on top of always-start-with-clear-caps patch
	Sep 23 2008: nixed file_caps_enabled when file caps are
		not compiled in as it isn't used.
		Document no_file_caps in kernel-parameters.txt.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
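The exec-time convolution rules and the pI rule for CAP_SETPCAP from the first commit message, together with the fI/fP masking this no_file_caps commit describes, worked through in a user-space C model. This is an added example, not kernel code: capset_t is a 64-bit mask standing in for kernel_cap_t, exec_caps(), may_set_inheritable() and ping_permitted_for_shell() are hypothetical helpers, and the "= cap_net_raw+i" ping scenario is constructed from the commit text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per capability; stands in for the kernel's kernel_cap_t. */
typedef uint64_t capset_t;

/* Bit numbers as in linux/capability.h; only these two are needed here. */
#define CAP_SETPCAP	8
#define CAP_NET_RAW	13
#define CAP_BIT(c)	((capset_t)1 << (c))

struct proc_caps { capset_t pE, pP, pI; };	/* effective, permitted, inheritable */
struct file_caps { capset_t fP, fI; bool fE; };	/* caps stored on the binary */

/*
 * Exec-time convolution from the "V3 file capabilities" commit message:
 *   pI(post) = pI(pre)
 *   pP(post) = (X & fP) | (pI(post) & fI)	X = cap_bset (bounding set)
 *   pE(post) = fE ? pP(post) : 0
 * With no_file_caps (file_caps_enabled == 0) the stored file caps are not
 * consulted: fP and fI act as empty, fE as false, so pP(post) is always 0.
 */
struct proc_caps exec_caps(struct proc_caps pre, struct file_caps f,
			   capset_t X, int file_caps_enabled)
{
	struct proc_caps post;

	if (!file_caps_enabled) {
		f.fP = 0;
		f.fI = 0;
		f.fE = false;
	}
	post.pI = pre.pI;
	post.pP = (X & f.fP) | (post.pI & f.fI);
	post.pE = f.fE ? post.pP : 0;
	return post;
}

/*
 * May a process change its inheritable set from p->pI to new_pI?
 * Normally every bit newly added to pI must already be in pP:
 *   (new_pI & ~pI) & ~pP == 0
 * CAP_SETPCAP in pE lifts that one restriction; it grants nothing else.
 */
bool may_set_inheritable(const struct proc_caps *p, capset_t new_pI)
{
	if (p->pE & CAP_BIT(CAP_SETPCAP))
		return true;
	return ((new_pI & ~p->pI) & ~p->pP) == 0;
}

/* Constructed scenario: a ping binary labelled "= cap_net_raw+i". */
static const struct file_caps ping_file = {
	.fP = 0, .fI = CAP_BIT(CAP_NET_RAW), .fE = false
};

/* Permitted set ping gets when exec'd from a shell holding only shell_pI in pI. */
capset_t ping_permitted_for_shell(capset_t shell_pI, int file_caps_enabled)
{
	struct proc_caps shell = { .pE = 0, .pP = 0, .pI = shell_pI };
	struct proc_caps ping = exec_caps(shell, ping_file, ~(capset_t)0,
					  file_caps_enabled);
	return ping.pP;
}

int main(void)
{
	/* login holds only CAP_SETPCAP, yet may hand CAP_NET_RAW down via pI. */
	struct proc_caps login = { .pE = CAP_BIT(CAP_SETPCAP),
				   .pP = CAP_BIT(CAP_SETPCAP), .pI = 0 };
	capset_t raw = CAP_BIT(CAP_NET_RAW);

	printf("login may add cap_net_raw to pI: %d\n", may_set_inheritable(&login, raw));
	printf("ping pP, shell pI=net_raw, file caps on: %#llx\n",
	       (unsigned long long)ping_permitted_for_shell(raw, 1));
	printf("ping pP, shell pI=net_raw, no_file_caps: %#llx\n",
	       (unsigned long long)ping_permitted_for_shell(raw, 0));
	return 0;
}
```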

#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
int file_caps_enabled = 1;

static int __init file_caps_disable(char *str)
{
	file_caps_enabled = 0;
	return 1;
}
__setup("no_file_caps", file_caps_disable);
#endif

/*
|
|
|
|
* More recent versions of libcap are available from:
|
|
|
|
*
|
|
|
|
* http://www.kernel.org/pub/linux/libs/security/linux-privs/
|
|
|
|
*/
|
|
|
|
|
|
|
|
static void warn_legacy_capability_use(void)
|
|
|
|
{
|
|
|
|
static int warned;
|
|
|
|
if (!warned) {
|
|
|
|
char name[sizeof(current->comm)];
|
|
|
|
|
|
|
|
printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
|
|
|
|
" (legacy support in use)\n",
|
|
|
|
get_task_comm(name, current));
|
|
|
|
warned = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Version 2 capabilities worked fine, but the linux/capability.h file
|
|
|
|
* that accompanied their introduction encouraged their use without
|
|
|
|
* the necessary user-space source code changes. As such, we have
|
|
|
|
* created a version 3 with equivalent functionality to version 2, but
|
|
|
|
* with a header change to protect legacy source code from using
|
|
|
|
* version 2 when it wanted to use version 1. If your system has code
|
|
|
|
* that trips the following warning, it is using version 2 specific
|
|
|
|
* capabilities and may be doing so insecurely.
|
|
|
|
*
|
|
|
|
* The remedy is to either upgrade your version of libcap (to 2.10+,
|
|
|
|
* if the application is linked against it), or recompile your
|
|
|
|
* application with modern kernel headers and this warning will go
|
|
|
|
* away.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static void warn_deprecated_v2(void)
|
|
|
|
{
|
|
|
|
static int warned;
|
|
|
|
|
|
|
|
if (!warned) {
|
|
|
|
char name[sizeof(current->comm)];
|
|
|
|
|
|
|
|
printk(KERN_INFO "warning: `%s' uses deprecated v2"
|
|
|
|
" capabilities in a way that may be insecure.\n",
|
|
|
|
get_task_comm(name, current));
|
|
|
|
warned = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Version check. Return the number of u32s in each capability flag
|
|
|
|
* array, or a negative value on error.
|
|
|
|
*/
|
|
|
|
static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
|
|
|
|
{
|
|
|
|
__u32 version;
|
|
|
|
|
|
|
|
if (get_user(version, &header->version))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
switch (version) {
|
|
|
|
case _LINUX_CAPABILITY_VERSION_1:
|
|
|
|
warn_legacy_capability_use();
|
|
|
|
*tocopy = _LINUX_CAPABILITY_U32S_1;
|
|
|
|
break;
|
|
|
|
case _LINUX_CAPABILITY_VERSION_2:
|
|
|
|
warn_deprecated_v2();
|
|
|
|
/*
|
|
|
|
* fall through - v3 is otherwise equivalent to v2.
|
|
|
|
*/
|
|
|
|
case _LINUX_CAPABILITY_VERSION_3:
|
|
|
|
*tocopy = _LINUX_CAPABILITY_U32S_3;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
|
|
|
|
return -EFAULT;
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Without filesystem capability support, we nominally support one process
|
|
|
|
* setting the capabilities of another
|
|
|
|
*/
|
|
|
|
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
|
|
|
|
kernel_cap_t *pIp, kernel_cap_t *pPp)
|
|
|
|
{
|
|
|
|
struct task_struct *target;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
if (pid && pid != task_pid_vnr(current)) {
|
|
|
|
target = find_task_by_vpid(pid);
|
|
|
|
if (!target) {
|
|
|
|
ret = -ESRCH;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
target = current;
|
|
|
|
|
|
|
|
ret = security_capget(target, pEp, pIp, pPp);
|
|
|
|
|
|
|
|
out:
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* cap_set_pg - set capabilities for all processes in a given process
|
|
|
|
* group. We call this holding task_capability_lock and tasklist_lock.
|
|
|
|
*/
|
|
|
|
static inline int cap_set_pg(int pgrp_nr, kernel_cap_t *effective,
|
|
|
|
kernel_cap_t *inheritable,
|
|
|
|
kernel_cap_t *permitted)
|
|
|
|
{
|
|
|
|
struct task_struct *g, *target;
|
|
|
|
int ret = -EPERM;
|
|
|
|
int found = 0;
|
|
|
|
struct pid *pgrp;
|
|
|
|
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
pgrp = find_vpid(pgrp_nr);
|
|
|
|
do_each_pid_task(pgrp, PIDTYPE_PGID, g) {
|
|
|
|
target = g;
|
|
|
|
while_each_thread(g, target) {
|
|
|
|
if (!security_capset_check(target, effective,
|
|
|
|
inheritable, permitted)) {
|
|
|
|
security_capset_set(target, effective,
|
|
|
|
inheritable, permitted);
|
|
|
|
ret = 0;
|
|
|
|
}
|
|
|
|
found = 1;
|
|
|
|
}
|
|
|
|
} while_each_pid_task(pgrp, PIDTYPE_PGID, g);
|
|
|
|
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
|
|
|
|
if (!found)
|
|
|
|
ret = 0;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* cap_set_all - set capabilities for all processes other than init
|
|
|
|
* and self. We call this holding task_capability_lock and tasklist_lock.
|
|
|
|
*/
|
|
|
|
static inline int cap_set_all(kernel_cap_t *effective,
|
|
|
|
kernel_cap_t *inheritable,
|
|
|
|
kernel_cap_t *permitted)
|
|
|
|
{
|
|
|
|
struct task_struct *g, *target;
|
|
|
|
int ret = -EPERM;
|
|
|
|
int found = 0;
|
|
|
|
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
do_each_thread(g, target) {
|
|
|
|
if (target == current
|
|
|
|
|| is_container_init(target->group_leader))
|
|
|
|
continue;
|
|
|
|
found = 1;
|
|
|
|
if (security_capset_check(target, effective, inheritable,
|
|
|
|
permitted))
|
|
|
|
continue;
|
|
|
|
ret = 0;
|
|
|
|
security_capset_set(target, effective, inheritable, permitted);
|
|
|
|
} while_each_thread(g, target);
|
|
|
|
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
|
|
|
|
if (!found)
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Given the target pid does not refer to the current process we
|
|
|
|
* need more elaborate support... (This support is not present when
|
|
|
|
* filesystem capabilities are configured.)
|
|
|
|
*/
|
|
|
|
static inline int do_sys_capset_other_tasks(pid_t pid, kernel_cap_t *effective,
|
|
|
|
kernel_cap_t *inheritable,
|
|
|
|
kernel_cap_t *permitted)
|
|
|
|
{
|
|
|
|
struct task_struct *target;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (!capable(CAP_SETPCAP))
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
if (pid == -1) /* all procs other than current and init */
|
|
|
|
return cap_set_all(effective, inheritable, permitted);
|
|
|
|
|
|
|
|
else if (pid < 0) /* all procs in process group */
|
|
|
|
return cap_set_pg(-pid, effective, inheritable, permitted);
|
|
|
|
|
|
|
|
/* target != current */
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
target = find_task_by_vpid(pid);
|
|
|
|
if (!target)
|
|
|
|
ret = -ESRCH;
|
|
|
|
else {
|
|
|
|
ret = security_capset_check(target, effective, inheritable,
|
|
|
|
permitted);
|
|
|
|
|
|
|
|
/* having verified that the proposed changes are legal,
|
|
|
|
we now put them into effect. */
|
|
|
|
if (!ret)
|
|
|
|
security_capset_set(target, effective, inheritable,
|
|
|
|
permitted);
|
|
|
|
}
|
|
|
|
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#else /* ie., def CONFIG_SECURITY_FILE_CAPABILITIES */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we have configured with filesystem capability support, then the
|
|
|
|
* only thing that can change the capabilities of the current process
|
|
|
|
* is the current process. As such, we can't be in this code at the
|
|
|
|
* same time as we are in the process of setting capabilities in this
|
|
|
|
* process. The net result is that we can limit our use of locks to
|
|
|
|
* when we are reading the caps of another process.
|
|
|
|
*/
|
|
|
|
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
|
|
|
|
kernel_cap_t *pIp, kernel_cap_t *pPp)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (pid && (pid != task_pid_vnr(current))) {
|
|
|
|
struct task_struct *target;
|
|
|
|
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
target = find_task_by_vpid(pid);
|
|
|
|
if (!target)
|
|
|
|
ret = -ESRCH;
|
|
|
|
else
|
|
|
|
ret = security_capget(target, pEp, pIp, pPp);
|
|
|
|
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
} else
|
|
|
|
ret = security_capget(current, pEp, pIp, pPp);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* With filesystem capability support configured, the kernel does not
|
|
|
|
* permit the changing of capabilities in one process by another
|
|
|
|
* process. (CAP_SETPCAP has much less broad semantics when configured
|
|
|
|
* this way.)
|
|
|
|
*/
|
|
|
|
static inline int do_sys_capset_other_tasks(pid_t pid,
|
|
|
|
kernel_cap_t *effective,
|
|
|
|
kernel_cap_t *inheritable,
|
|
|
|
kernel_cap_t *permitted)
|
|
|
|
{
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Atomically modify the effective capabilities returning the original
|
|
|
|
* value. No permission check is performed here - it is assumed that the
|
|
|
|
* caller is permitted to set the desired effective capabilities.
|
|
|
|
*/
|
|
|
|
kernel_cap_t cap_set_effective(const kernel_cap_t pE_new)
|
|
|
|
{
|
|
|
|
kernel_cap_t pE_old;
|
|
|
|
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
|
|
|
|
pE_old = current->cap_effective;
|
|
|
|
current->cap_effective = pE_new;
|
|
|
|
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
|
|
|
|
return pE_old;
|
|
|
|
}
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(cap_set_effective);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* sys_capget - get the capabilities of a given process.
|
|
|
|
* @header: pointer to struct that contains capability version and
|
|
|
|
* target pid data
|
|
|
|
* @dataptr: pointer to struct that contains the effective, permitted,
|
|
|
|
* and inheritable capabilities that are returned
|
|
|
|
*
|
|
|
|
* Returns 0 on success and < 0 on error.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
pid_t pid;
|
|
|
|
unsigned tocopy;
|
|
|
|
kernel_cap_t pE, pI, pP;
|
|
|
|
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
|
|
if (ret != 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
if (get_user(pid, &header->pid))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (pid < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
ret = cap_get_target_pid(pid, &pE, &pI, &pP);
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
|
|
unsigned i;
|
|
|
|
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
|
|
kdata[i].effective = pE.cap[i];
|
|
|
|
kdata[i].permitted = pP.cap[i];
|
|
|
|
kdata[i].inheritable = pI.cap[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
|
|
|
|
* we silently drop the upper capabilities here. This
|
|
|
|
* has the effect of making older libcap
|
|
|
|
* implementations implicitly drop upper capability
|
|
|
|
* bits when they perform a: capget/modify/capset
|
|
|
|
* sequence.
|
|
|
|
*
|
|
|
|
* This behavior is considered fail-safe
|
|
|
|
* behavior. Upgrading the application to a newer
|
|
|
|
* version of libcap will enable access to the newer
|
|
|
|
* capabilities.
|
|
|
|
*
|
|
|
|
* An alternative would be to return an error here
|
|
|
|
* (-ERANGE), but that causes legacy applications to
|
|
|
|
* unexpectidly fail; the capget/modify/capset aborts
|
|
|
|
* before modification is attempted and the application
|
|
|
|
* fails.
|
|
|
|
*/
|
|
|
|
if (copy_to_user(dataptr, kdata, tocopy
|
|
|
|
* sizeof(struct __user_cap_data_struct))) {
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* sys_capset - set capabilities for a process or (*) a group of processes
|
|
|
|
* @header: pointer to struct that contains capability version and
|
|
|
|
* target pid data
|
|
|
|
* @data: pointer to struct that contains the effective, permitted,
|
|
|
|
* and inheritable capabilities
|
|
|
|
*
|
|
|
|
* Set capabilities for a given process, all processes, or all
|
|
|
|
* processes in a given process group.
|
|
|
|
*
|
|
|
|
* The restrictions on setting capabilities are specified as:
|
|
|
|
*
|
|
|
|
* [pid is for the 'target' task. 'current' is the calling task.]
|
|
|
|
*
|
|
|
|
* I: any raised capabilities must be a subset of the (old current) permitted
|
|
|
|
* P: any raised capabilities must be a subset of the (old current) permitted
|
|
|
|
* E: must be set to a subset of (new target) permitted
|
|
|
|
*
|
|
|
|
* Returns 0 on success and < 0 on error.
|
|
|
|
*/
|
|
|
|
asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
|
|
|
|
{
|
|
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
|
|
unsigned i, tocopy;
|
|
|
|
kernel_cap_t inheritable, permitted, effective;
|
|
|
|
int ret;
|
|
|
|
pid_t pid;
|
|
|
|
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
|
|
if (ret != 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
if (get_user(pid, &header->pid))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (copy_from_user(&kdata, data, tocopy
|
|
|
|
* sizeof(struct __user_cap_data_struct))) {
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
|
|
effective.cap[i] = kdata[i].effective;
|
|
|
|
permitted.cap[i] = kdata[i].permitted;
|
|
|
|
inheritable.cap[i] = kdata[i].inheritable;
|
|
|
|
}
|
|
|
|
while (i < _KERNEL_CAPABILITY_U32S) {
|
|
|
|
effective.cap[i] = 0;
|
|
|
|
permitted.cap[i] = 0;
|
|
|
|
inheritable.cap[i] = 0;
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pid && (pid != task_pid_vnr(current)))
|
|
|
|
ret = do_sys_capset_other_tasks(pid, &effective, &inheritable,
|
|
|
|
&permitted);
|
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* This lock is required even when filesystem
|
|
|
|
* capability support is configured - it protects the
|
|
|
|
* sys_capget() call from returning incorrect data in
|
|
|
|
* the case that the targeted process is not the
|
|
|
|
* current one.
|
|
|
|
*/
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
|
|
|
|
ret = security_capset_check(current, &effective, &inheritable,
|
|
|
|
&permitted);
|
|
|
|
/*
|
|
|
|
* Having verified that the proposed changes are
|
|
|
|
* legal, we now put them into effect.
|
|
|
|
*/
|
|
|
|
if (!ret)
|
|
|
|
security_capset_set(current, &effective, &inheritable,
|
|
|
|
&permitted);
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
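The fail-safe truncation explained in the sys_capget() comment above, and the zero-fill loop in sys_capset(), as an added user-space model (not kernel code): validate_magic(), model_capget(), model_capset() and round_trip() are hypothetical helpers that mirror cap_validate_magic() and the two copy loops; the header magics and array widths are the values from linux/capability.h, and the task in the test is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Header magics and array widths as defined in linux/capability.h. */
#define LINUX_CAPABILITY_VERSION_1	0x19980330
#define LINUX_CAPABILITY_VERSION_2	0x20071026
#define LINUX_CAPABILITY_VERSION_3	0x20080522
#define LINUX_CAPABILITY_U32S_1		1
#define LINUX_CAPABILITY_U32S_3		2
#define KERNEL_CAPABILITY_U32S		LINUX_CAPABILITY_U32S_3

struct user_cap_data { uint32_t effective, permitted, inheritable; };
struct kcap { uint32_t cap[KERNEL_CAPABILITY_U32S]; };	/* kernel_cap_t */
struct task_caps { struct kcap pE, pP, pI; };

/* Mirrors cap_validate_magic(): how many u32s the caller's struct holds. */
int validate_magic(uint32_t version, unsigned *tocopy)
{
	switch (version) {
	case LINUX_CAPABILITY_VERSION_1:
		*tocopy = LINUX_CAPABILITY_U32S_1;
		return 0;
	case LINUX_CAPABILITY_VERSION_2:	/* deprecated; same layout as v3 */
	case LINUX_CAPABILITY_VERSION_3:
		*tocopy = LINUX_CAPABILITY_U32S_3;
		return 0;
	default:
		return -EINVAL;
	}
}

/* sys_capget(): only the first tocopy words of each set are copied out. */
void model_capget(const struct task_caps *t, unsigned tocopy,
		  struct user_cap_data *kdata)
{
	for (unsigned i = 0; i < tocopy; i++) {
		kdata[i].effective = t->pE.cap[i];
		kdata[i].permitted = t->pP.cap[i];
		kdata[i].inheritable = t->pI.cap[i];
	}
}

/* sys_capset(): words the caller did not supply are zero-filled. (The real
 * call also runs security_capset_check(); dropping bits always passes it.) */
void model_capset(struct task_caps *t, unsigned tocopy,
		  const struct user_cap_data *kdata)
{
	unsigned i;

	for (i = 0; i < tocopy; i++) {
		t->pE.cap[i] = kdata[i].effective;
		t->pP.cap[i] = kdata[i].permitted;
		t->pI.cap[i] = kdata[i].inheritable;
	}
	for (; i < KERNEL_CAPABILITY_U32S; i++)
		t->pE.cap[i] = t->pP.cap[i] = t->pI.cap[i] = 0;
}

/*
 * A client speaking `version` does capget, changes nothing, then capset.
 * Returns 0, or -EINVAL for an unknown header version (t is left untouched).
 * With a v1 header every capability numbered 32 or higher is silently lost,
 * which is the fail-safe direction: the task only ever ends up with less.
 */
int round_trip(uint32_t version, struct task_caps *t)
{
	struct user_cap_data kdata[KERNEL_CAPABILITY_U32S];
	unsigned tocopy;
	int ret = validate_magic(version, &tocopy);

	if (ret)
		return ret;
	memset(kdata, 0, sizeof(kdata));
	model_capget(t, tocopy, kdata);
	model_capset(t, tocopy, kdata);
	return 0;
}
```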
security: Fix setting of PF_SUPERPRIV by __capable()

Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags
of the target process if that is not the current process and it is trying to
change its own flags in a different way at the same time.

__capable() is using neither atomic ops nor locking to protect t->flags. This
patch removes __capable() and introduces has_capability() that doesn't set
PF_SUPERPRIV on the process being queried.

This patch further splits security_ptrace() in two:

 (1) security_ptrace_may_access(). This passes judgement on whether one
     process may access another only (PTRACE_MODE_ATTACH for ptrace() and
     PTRACE_MODE_READ for /proc), and takes a pointer to the child process.
     current is the parent.

 (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,
     and takes only a pointer to the parent process. current is the child.

     In Smack and commoncap, this uses has_capability() to determine whether
     the parent will be permitted to use PTRACE_ATTACH if normal checks fail.
     This does not set PF_SUPERPRIV.

Two of the instances of __capable() actually only act on current, and so have
been changed to calls to capable().

Of the places that were using __capable():

 (1) The OOM killer calls __capable() thrice when weighing the killability of a
     process. All of these now use has_capability().

 (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see
     whether the parent was allowed to trace any process. As mentioned above,
     these have been split. For PTRACE_ATTACH and /proc, capable() is now
     used, and for PTRACE_TRACEME, has_capability() is used.

 (3) cap_safe_nice() only ever saw current, so now uses capable().

 (4) smack_setprocattr() rejected accesses to tasks other than current just
     after calling __capable(), so the order of these two tests has been
     switched and capable() is used instead.

 (5) In smack_file_send_sigiotask(), we need to allow privileged processes to
     receive SIGIO on files they're manipulating.

 (6) In smack_task_wait(), we let a process wait for a privileged process,
     whether or not the process doing the waiting is privileged.

I've tested this with the LTP SELinux and syscalls test scripts.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Morris <jmorris@namei.org>

/**
|
|
|
|
* capable - Determine if the current task has a superior capability in effect
|
|
|
|
* @cap: The capability to be tested for
|
|
|
|
*
|
|
|
|
* Return true if the current task has the given superior capability currently
|
|
|
|
* available for use, false if not.
|
|
|
|
*
|
|
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
|
|
* assumption that it's about to be used.
|
|
|
|
*/
|
|
|
|
int capable(int cap)
|
|
|
|
{
|
if (has_capability(current, cap)) {
|
|
|
|
current->flags |= PF_SUPERPRIV;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(capable);
|