X-Git-Url: http://ftp.safe.ca/?a=blobdiff_plain;f=security%2Fcommoncap.c;h=e4c4b3fc0c04e49e553610a8bd4d433e55e9212a;hb=d8395c876bb8a560c8a032887e191b95499a25d6;hp=0f8a2ce3f3a6f09f9abc3e8885b24e2503b0e5c4;hpb=20510f2f4e2dabb0ff6c13901807627ec9452f98;p=safe%2Fjmp%2Flinux-2.6 diff --git a/security/commoncap.c b/security/commoncap.c index 0f8a2ce..e4c4b3f 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1,4 +1,4 @@ -/* Common capabilities, needed by capability.o and root_plug.o +/* Common capabilities, needed by capability.o and root_plug.o * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -22,6 +22,10 @@ #include #include #include +#include +#include +#include +#include int cap_netlink_send(struct sock *sk, struct sk_buff *skb) { @@ -29,8 +33,6 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb) return 0; } -EXPORT_SYMBOL(cap_netlink_send); - int cap_netlink_recv(struct sk_buff *skb, int cap) { if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) @@ -40,6 +42,12 @@ int cap_netlink_recv(struct sk_buff *skb, int cap) EXPORT_SYMBOL(cap_netlink_recv); +/* + * NOTE WELL: cap_capable() cannot be used like the kernel's capable() + * function. That is, it has the reverse semantics: cap_capable() + * returns 0 when a task has a capability, but the kernel's capable() + * returns 1 for this case. + */ int cap_capable (struct task_struct *tsk, int cap) { /* Derived from include/linux/sched.h:capable. */ @@ -55,33 +63,87 @@ int cap_settime(struct timespec *ts, struct timezone *tz) return 0; } -int cap_ptrace (struct task_struct *parent, struct task_struct *child) +int cap_ptrace_may_access(struct task_struct *child, unsigned int mode) { /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ - if (!cap_issubset(child->cap_permitted, parent->cap_permitted) && - !__capable(parent, CAP_SYS_PTRACE)) - return -EPERM; - return 0; + if (cap_issubset(child->cap_permitted, current->cap_permitted)) + return 0; + if (capable(CAP_SYS_PTRACE)) + return 0; + return -EPERM; +} + +int cap_ptrace_traceme(struct task_struct *parent) +{ + /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ + if (cap_issubset(current->cap_permitted, parent->cap_permitted)) + return 0; + if (has_capability(parent, CAP_SYS_PTRACE)) + return 0; + return -EPERM; } int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { /* Derived from kernel/capability.c:sys_capget. */ - *effective = cap_t (target->cap_effective); - *inheritable = cap_t (target->cap_inheritable); - *permitted = cap_t (target->cap_permitted); + *effective = target->cap_effective; + *inheritable = target->cap_inheritable; + *permitted = target->cap_permitted; return 0; } +#ifdef CONFIG_SECURITY_FILE_CAPABILITIES + +static inline int cap_block_setpcap(struct task_struct *target) +{ + /* + * No support for remote process capability manipulation with + * filesystem capability support. + */ + return (target != current); +} + +static inline int cap_inh_is_capped(void) +{ + /* + * Return 1 if changes to the inheritable set are limited + * to the old permitted set. That is, if the current task + * does *not* possess the CAP_SETPCAP capability. + */ + return (cap_capable(current, CAP_SETPCAP) != 0); +} + +static inline int cap_limit_ptraced_target(void) { return 1; } + +#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */ + +static inline int cap_block_setpcap(struct task_struct *t) { return 0; } +static inline int cap_inh_is_capped(void) { return 1; } +static inline int cap_limit_ptraced_target(void) +{ + return !capable(CAP_SETPCAP); +} + +#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ + int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - /* Derived from kernel/capability.c:sys_capset. */ - /* verify restrictions on target's new Inheritable set */ - if (!cap_issubset (*inheritable, - cap_combine (target->cap_inheritable, - current->cap_permitted))) { + if (cap_block_setpcap(target)) { + return -EPERM; + } + if (cap_inh_is_capped() + && !cap_issubset(*inheritable, + cap_combine(target->cap_inheritable, + current->cap_permitted))) { + /* incapable of using this inheritable set */ + return -EPERM; + } + if (!cap_issubset(*inheritable, + cap_combine(target->cap_inheritable, + current->cap_bset))) { + /* no new pI capabilities outside bounding set */ return -EPERM; } @@ -108,56 +170,211 @@ void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, target->cap_permitted = *permitted; } -int cap_bprm_set_security (struct linux_binprm *bprm) +static inline void bprm_clear_caps(struct linux_binprm *bprm) { - /* Copied from fs/exec.c:prepare_binprm. */ + cap_clear(bprm->cap_post_exec_permitted); + bprm->cap_effective = false; +} - /* We don't have VFS support for capabilities yet */ - cap_clear (bprm->cap_inheritable); - cap_clear (bprm->cap_permitted); - cap_clear (bprm->cap_effective); +#ifdef CONFIG_SECURITY_FILE_CAPABILITIES - /* To support inheritance of root-permissions and suid-root - * executables under compatibility mode, we raise all three - * capability sets for the file. - * - * If only the real uid is 0, we only raise the inheritable - * and permitted sets of the executable file. - */ +int cap_inode_need_killpriv(struct dentry *dentry) +{ + struct inode *inode = dentry->d_inode; + int error; - if (!issecure (SECURE_NOROOT)) { - if (bprm->e_uid == 0 || current->uid == 0) { - cap_set_full (bprm->cap_inheritable); - cap_set_full (bprm->cap_permitted); + if (!inode->i_op || !inode->i_op->getxattr) + return 0; + + error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0); + if (error <= 0) + return 0; + return 1; +} + +int cap_inode_killpriv(struct dentry *dentry) +{ + struct inode *inode = dentry->d_inode; + + if (!inode->i_op || !inode->i_op->removexattr) + return 0; + + return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS); +} + +static inline int cap_from_disk(struct vfs_cap_data *caps, + struct linux_binprm *bprm, unsigned size) +{ + __u32 magic_etc; + unsigned tocopy, i; + int ret; + + if (size < sizeof(magic_etc)) + return -EINVAL; + + magic_etc = le32_to_cpu(caps->magic_etc); + + switch ((magic_etc & VFS_CAP_REVISION_MASK)) { + case VFS_CAP_REVISION_1: + if (size != XATTR_CAPS_SZ_1) + return -EINVAL; + tocopy = VFS_CAP_U32_1; + break; + case VFS_CAP_REVISION_2: + if (size != XATTR_CAPS_SZ_2) + return -EINVAL; + tocopy = VFS_CAP_U32_2; + break; + default: + return -EINVAL; + } + + if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) { + bprm->cap_effective = true; + } else { + bprm->cap_effective = false; + } + + ret = 0; + + CAP_FOR_EACH_U32(i) { + __u32 value_cpu; + + if (i >= tocopy) { + /* + * Legacy capability sets have no upper bits + */ + bprm->cap_post_exec_permitted.cap[i] = 0; + continue; } - if (bprm->e_uid == 0) - cap_set_full (bprm->cap_effective); + /* + * pP' = (X & fP) | (pI & fI) + */ + value_cpu = le32_to_cpu(caps->data[i].permitted); + bprm->cap_post_exec_permitted.cap[i] = + (current->cap_bset.cap[i] & value_cpu) | + (current->cap_inheritable.cap[i] & + le32_to_cpu(caps->data[i].inheritable)); + if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) { + /* + * insufficient to execute correctly + */ + ret = -EPERM; + } + } + + /* + * For legacy apps, with no internal support for recognizing they + * do not have enough capabilities, we return an error if they are + * missing some "forced" (aka file-permitted) capabilities. + */ + return bprm->cap_effective ? ret : 0; +} + +/* Locate any VFS capabilities: */ +static int get_file_caps(struct linux_binprm *bprm) +{ + struct dentry *dentry; + int rc = 0; + struct vfs_cap_data vcaps; + struct inode *inode; + + if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) { + bprm_clear_caps(bprm); + return 0; + } + + dentry = dget(bprm->file->f_dentry); + inode = dentry->d_inode; + if (!inode->i_op || !inode->i_op->getxattr) + goto out; + + rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps, + XATTR_CAPS_SZ); + if (rc == -ENODATA || rc == -EOPNOTSUPP) { + /* no data, that's ok */ + rc = 0; + goto out; } + if (rc < 0) + goto out; + + rc = cap_from_disk(&vcaps, bprm, rc); + if (rc == -EINVAL) + printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", + __func__, rc, bprm->filename); + +out: + dput(dentry); + if (rc) + bprm_clear_caps(bprm); + + return rc; +} + +#else +int cap_inode_need_killpriv(struct dentry *dentry) +{ return 0; } -void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) +int cap_inode_killpriv(struct dentry *dentry) +{ + return 0; +} + +static inline int get_file_caps(struct linux_binprm *bprm) +{ + bprm_clear_caps(bprm); + return 0; +} +#endif + +int cap_bprm_set_security (struct linux_binprm *bprm) { - /* Derived from fs/exec.c:compute_creds. */ - kernel_cap_t new_permitted, working; + int ret; + + ret = get_file_caps(bprm); + + if (!issecure(SECURE_NOROOT)) { + /* + * To support inheritance of root-permissions and suid-root + * executables under compatibility mode, we override the + * capability sets for the file. + * + * If only the real uid is 0, we do not set the effective + * bit. + */ + if (bprm->e_uid == 0 || current->uid == 0) { + /* pP' = (cap_bset & ~0) | (pI & ~0) */ + bprm->cap_post_exec_permitted = cap_combine( + current->cap_bset, current->cap_inheritable + ); + bprm->cap_effective = (bprm->e_uid == 0); + ret = 0; + } + } - new_permitted = cap_intersect (bprm->cap_permitted, cap_bset); - working = cap_intersect (bprm->cap_inheritable, - current->cap_inheritable); - new_permitted = cap_combine (new_permitted, working); + return ret; +} +void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) +{ if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || - !cap_issubset (new_permitted, current->cap_permitted)) { + !cap_issubset(bprm->cap_post_exec_permitted, + current->cap_permitted)) { set_dumpable(current->mm, suid_dumpable); + current->pdeath_signal = 0; if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { if (!capable(CAP_SETUID)) { bprm->e_uid = current->uid; bprm->e_gid = current->gid; } - if (!capable (CAP_SETPCAP)) { - new_permitted = cap_intersect (new_permitted, - current->cap_permitted); + if (cap_limit_ptraced_target()) { + bprm->cap_post_exec_permitted = cap_intersect( + bprm->cap_post_exec_permitted, + current->cap_permitted); } } } @@ -168,41 +385,53 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) /* For init, we want to retain the capabilities set * in the init_task struct. Thus we skip the usual * capability rules */ - if (!is_init(current)) { - current->cap_permitted = new_permitted; - current->cap_effective = - cap_intersect (new_permitted, bprm->cap_effective); + if (!is_global_init(current)) { + current->cap_permitted = bprm->cap_post_exec_permitted; + if (bprm->cap_effective) + current->cap_effective = bprm->cap_post_exec_permitted; + else + cap_clear(current->cap_effective); } /* AUD: Audit candidate if current->cap_effective is set */ - current->keep_capabilities = 0; + current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); } int cap_bprm_secureexec (struct linux_binprm *bprm) { - /* If/when this module is enhanced to incorporate capability - bits on files, the test below should be extended to also perform a - test between the old and new capability sets. For now, - it simply preserves the legacy decision algorithm used by - the old userland. */ + if (current->uid != 0) { + if (bprm->cap_effective) + return 1; + if (!cap_isclear(bprm->cap_post_exec_permitted)) + return 1; + } + return (current->euid != current->uid || current->egid != current->gid); } -int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, - size_t size, int flags) +int cap_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) { - if (!strncmp(name, XATTR_SECURITY_PREFIX, + if (!strcmp(name, XATTR_NAME_CAPS)) { + if (!capable(CAP_SETFCAP)) + return -EPERM; + return 0; + } else if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && !capable(CAP_SYS_ADMIN)) return -EPERM; return 0; } -int cap_inode_removexattr(struct dentry *dentry, char *name) +int cap_inode_removexattr(struct dentry *dentry, const char *name) { - if (!strncmp(name, XATTR_SECURITY_PREFIX, + if (!strcmp(name, XATTR_NAME_CAPS)) { + if (!capable(CAP_SETFCAP)) + return -EPERM; + return 0; + } else if (!strncmp(name, XATTR_SECURITY_PREFIX, sizeof(XATTR_SECURITY_PREFIX) - 1) && !capable(CAP_SYS_ADMIN)) return -EPERM; @@ -244,7 +473,7 @@ static inline void cap_emulate_setxuid (int old_ruid, int old_euid, { if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) && (current->uid != 0 && current->euid != 0 && current->suid != 0) && - !current->keep_capabilities) { + !issecure(SECURE_KEEP_CAPS)) { cap_clear (current->cap_permitted); cap_clear (current->cap_effective); } @@ -281,13 +510,15 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, if (!issecure (SECURE_NO_SETUID_FIXUP)) { if (old_fsuid == 0 && current->fsuid != 0) { - cap_t (current->cap_effective) &= - ~CAP_FS_MASK; + current->cap_effective = + cap_drop_fs_set( + current->cap_effective); } if (old_fsuid != 0 && current->fsuid == 0) { - cap_t (current->cap_effective) |= - (cap_t (current->cap_permitted) & - CAP_FS_MASK); + current->cap_effective = + cap_raise_fs_set( + current->cap_effective, + current->cap_permitted); } } break; @@ -299,12 +530,167 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, return 0; } +#ifdef CONFIG_SECURITY_FILE_CAPABILITIES +/* + * Rationale: code calling task_setscheduler, task_setioprio, and + * task_setnice, assumes that + * . if capable(cap_sys_nice), then those actions should be allowed + * . if not capable(cap_sys_nice), but acting on your own processes, + * then those actions should be allowed + * This is insufficient now since you can call code without suid, but + * yet with increased caps. + * So we check for increased caps on the target process. + */ +static inline int cap_safe_nice(struct task_struct *p) +{ + if (!cap_issubset(p->cap_permitted, current->cap_permitted) && + !capable(CAP_SYS_NICE)) + return -EPERM; + return 0; +} + +int cap_task_setscheduler (struct task_struct *p, int policy, + struct sched_param *lp) +{ + return cap_safe_nice(p); +} + +int cap_task_setioprio (struct task_struct *p, int ioprio) +{ + return cap_safe_nice(p); +} + +int cap_task_setnice (struct task_struct *p, int nice) +{ + return cap_safe_nice(p); +} + +/* + * called from kernel/sys.c for prctl(PR_CABSET_DROP) + * done without task_capability_lock() because it introduces + * no new races - i.e. only another task doing capget() on + * this task could get inconsistent info. There can be no + * racing writer bc a task can only change its own caps. + */ +static long cap_prctl_drop(unsigned long cap) +{ + if (!capable(CAP_SETPCAP)) + return -EPERM; + if (!cap_valid(cap)) + return -EINVAL; + cap_lower(current->cap_bset, cap); + return 0; +} + +#else +int cap_task_setscheduler (struct task_struct *p, int policy, + struct sched_param *lp) +{ + return 0; +} +int cap_task_setioprio (struct task_struct *p, int ioprio) +{ + return 0; +} +int cap_task_setnice (struct task_struct *p, int nice) +{ + return 0; +} +#endif + +int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5, long *rc_p) +{ + long error = 0; + + switch (option) { + case PR_CAPBSET_READ: + if (!cap_valid(arg2)) + error = -EINVAL; + else + error = !!cap_raised(current->cap_bset, arg2); + break; +#ifdef CONFIG_SECURITY_FILE_CAPABILITIES + case PR_CAPBSET_DROP: + error = cap_prctl_drop(arg2); + break; + + /* + * The next four prctl's remain to assist with transitioning a + * system from legacy UID=0 based privilege (when filesystem + * capabilities are not in use) to a system using filesystem + * capabilities only - as the POSIX.1e draft intended. + * + * Note: + * + * PR_SET_SECUREBITS = + * issecure_mask(SECURE_KEEP_CAPS_LOCKED) + * | issecure_mask(SECURE_NOROOT) + * | issecure_mask(SECURE_NOROOT_LOCKED) + * | issecure_mask(SECURE_NO_SETUID_FIXUP) + * | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED) + * + * will ensure that the current process and all of its + * children will be locked into a pure + * capability-based-privilege environment. + */ + case PR_SET_SECUREBITS: + if ((((current->securebits & SECURE_ALL_LOCKS) >> 1) + & (current->securebits ^ arg2)) /*[1]*/ + || ((current->securebits & SECURE_ALL_LOCKS + & ~arg2)) /*[2]*/ + || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ + || (cap_capable(current, CAP_SETPCAP) != 0)) { /*[4]*/ + /* + * [1] no changing of bits that are locked + * [2] no unlocking of locks + * [3] no setting of unsupported bits + * [4] doing anything requires privilege (go read about + * the "sendmail capabilities bug") + */ + error = -EPERM; /* cannot change a locked bit */ + } else { + current->securebits = arg2; + } + break; + case PR_GET_SECUREBITS: + error = current->securebits; + break; + +#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */ + + case PR_GET_KEEPCAPS: + if (issecure(SECURE_KEEP_CAPS)) + error = 1; + break; + case PR_SET_KEEPCAPS: + if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */ + error = -EINVAL; + else if (issecure(SECURE_KEEP_CAPS_LOCKED)) + error = -EPERM; + else if (arg2) + current->securebits |= issecure_mask(SECURE_KEEP_CAPS); + else + current->securebits &= + ~issecure_mask(SECURE_KEEP_CAPS); + break; + + default: + /* No functionality available - continue with default */ + return 0; + } + + /* Functionality provided */ + *rc_p = error; + return 1; +} + void cap_task_reparent_to_init (struct task_struct *p) { - p->cap_effective = CAP_INIT_EFF_SET; - p->cap_inheritable = CAP_INIT_INH_SET; - p->cap_permitted = CAP_FULL_SET; - p->keep_capabilities = 0; + cap_set_init_eff(p->cap_effective); + cap_clear(p->cap_inheritable); + cap_set_full(p->cap_permitted); + p->securebits = SECUREBITS_DEFAULT; return; } @@ -324,18 +710,3 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) return __vm_enough_memory(mm, pages, cap_sys_admin); } -EXPORT_SYMBOL(cap_capable); -EXPORT_SYMBOL(cap_settime); -EXPORT_SYMBOL(cap_ptrace); -EXPORT_SYMBOL(cap_capget); -EXPORT_SYMBOL(cap_capset_check); -EXPORT_SYMBOL(cap_capset_set); -EXPORT_SYMBOL(cap_bprm_set_security); -EXPORT_SYMBOL(cap_bprm_apply_creds); -EXPORT_SYMBOL(cap_bprm_secureexec); -EXPORT_SYMBOL(cap_inode_setxattr); -EXPORT_SYMBOL(cap_inode_removexattr); -EXPORT_SYMBOL(cap_task_post_setuid); -EXPORT_SYMBOL(cap_task_reparent_to_init); -EXPORT_SYMBOL(cap_syslog); -EXPORT_SYMBOL(cap_vm_enough_memory);