Greg Kroah-Hartman | b244131 | 2017-11-01 15:07:57 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0 |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 2 | /* |
| 3 | * linux/kernel/capability.c |
| 4 | * |
| 5 | * Copyright (C) 1997 Andrew Main <zefram@fysh.org> |
| 6 | * |
Andrew Morgan | 72c2d58 | 2007-10-18 03:05:59 -0700 | [diff] [blame] | 7 | * Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 8 | * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net> |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 9 | */ |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 10 | |
Joe Perches | f5645d3 | 2014-02-21 14:19:30 -0800 | [diff] [blame] | 11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
| 12 | |
Eric Paris | e68b75a0 | 2008-11-11 21:48:22 +1100 | [diff] [blame] | 13 | #include <linux/audit.h> |
Randy.Dunlap | c59ede7 | 2006-01-11 12:17:46 -0800 | [diff] [blame] | 14 | #include <linux/capability.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 15 | #include <linux/mm.h> |
Paul Gortmaker | 9984de1 | 2011-05-23 14:51:41 -0400 | [diff] [blame] | 16 | #include <linux/export.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 17 | #include <linux/security.h> |
| 18 | #include <linux/syscalls.h> |
Serge E. Hallyn | b460cbc | 2007-10-18 23:39:52 -0700 | [diff] [blame] | 19 | #include <linux/pid_namespace.h> |
Serge E. Hallyn | 3486740 | 2011-03-23 16:43:17 -0700 | [diff] [blame] | 20 | #include <linux/user_namespace.h> |
Linus Torvalds | 7c0f6ba | 2016-12-24 11:46:01 -0800 | [diff] [blame] | 21 | #include <linux/uaccess.h> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 22 | |
Serge E. Hallyn | 1f29fae | 2008-11-05 16:08:52 -0600 | [diff] [blame] | 23 | int file_caps_enabled = 1; |
| 24 | |
| 25 | static int __init file_caps_disable(char *str) |
| 26 | { |
| 27 | file_caps_enabled = 0; |
| 28 | return 1; |
| 29 | } |
| 30 | __setup("no_file_caps", file_caps_disable); |
Serge E. Hallyn | 1f29fae | 2008-11-05 16:08:52 -0600 | [diff] [blame] | 31 | |
Iulia Manda | 2813893 | 2015-04-15 16:16:41 -0700 | [diff] [blame] | 32 | #ifdef CONFIG_MULTIUSER |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 33 | /* |
| 34 | * More recent versions of libcap are available from: |
| 35 | * |
| 36 | * http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
| 37 | */ |
| 38 | |
| 39 | static void warn_legacy_capability_use(void) |
| 40 | { |
Joe Perches | f5645d3 | 2014-02-21 14:19:30 -0800 | [diff] [blame] | 41 | char name[sizeof(current->comm)]; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 42 | |
Joe Perches | f5645d3 | 2014-02-21 14:19:30 -0800 | [diff] [blame] | 43 | pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n", |
| 44 | get_task_comm(name, current)); |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 45 | } |
| 46 | |
| 47 | /* |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 48 | * Version 2 capabilities worked fine, but the linux/capability.h file |
| 49 | * that accompanied their introduction encouraged their use without |
| 50 | * the necessary user-space source code changes. As such, we have |
| 51 | * created a version 3 with equivalent functionality to version 2, but |
| 52 | * with a header change to protect legacy source code from using |
| 53 | * version 2 when it wanted to use version 1. If your system has code |
| 54 | * that trips the following warning, it is using version 2 specific |
| 55 | * capabilities and may be doing so insecurely. |
| 56 | * |
| 57 | * The remedy is to either upgrade your version of libcap (to 2.10+, |
| 58 | * if the application is linked against it), or recompile your |
| 59 | * application with modern kernel headers and this warning will go |
| 60 | * away. |
| 61 | */ |
| 62 | |
| 63 | static void warn_deprecated_v2(void) |
| 64 | { |
Joe Perches | f5645d3 | 2014-02-21 14:19:30 -0800 | [diff] [blame] | 65 | char name[sizeof(current->comm)]; |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 66 | |
Joe Perches | f5645d3 | 2014-02-21 14:19:30 -0800 | [diff] [blame] | 67 | pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n", |
| 68 | get_task_comm(name, current)); |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 69 | } |
| 70 | |
| 71 | /* |
| 72 | * Version check. Return the number of u32s in each capability flag |
| 73 | * array, or a negative value on error. |
| 74 | */ |
| 75 | static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy) |
| 76 | { |
| 77 | __u32 version; |
| 78 | |
| 79 | if (get_user(version, &header->version)) |
| 80 | return -EFAULT; |
| 81 | |
| 82 | switch (version) { |
| 83 | case _LINUX_CAPABILITY_VERSION_1: |
| 84 | warn_legacy_capability_use(); |
| 85 | *tocopy = _LINUX_CAPABILITY_U32S_1; |
| 86 | break; |
| 87 | case _LINUX_CAPABILITY_VERSION_2: |
| 88 | warn_deprecated_v2(); |
Gustavo A. R. Silva | df561f66 | 2020-08-23 17:36:59 -0500 | [diff] [blame] | 89 | fallthrough; /* v3 is otherwise equivalent to v2 */ |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 90 | case _LINUX_CAPABILITY_VERSION_3: |
| 91 | *tocopy = _LINUX_CAPABILITY_U32S_3; |
| 92 | break; |
| 93 | default: |
| 94 | if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version)) |
| 95 | return -EFAULT; |
| 96 | return -EINVAL; |
| 97 | } |
| 98 | |
| 99 | return 0; |
| 100 | } |
| 101 | |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 102 | /* |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 103 | * The only thing that can change the capabilities of the current |
| 104 | * process is the current process. As such, we can't be in this code |
| 105 | * at the same time as we are in the process of setting capabilities |
| 106 | * in this process. The net result is that we can limit our use of |
| 107 | * locks to when we are reading the caps of another process. |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 108 | */ |
| 109 | static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp, |
| 110 | kernel_cap_t *pIp, kernel_cap_t *pPp) |
| 111 | { |
| 112 | int ret; |
| 113 | |
| 114 | if (pid && (pid != task_pid_vnr(current))) { |
Khadija Kamran | 6672efb | 2023-08-07 11:59:29 +0500 | [diff] [blame] | 115 | const struct task_struct *target; |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 116 | |
Thomas Gleixner | 86fc80f | 2009-12-09 17:13:31 +0100 | [diff] [blame] | 117 | rcu_read_lock(); |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 118 | |
| 119 | target = find_task_by_vpid(pid); |
| 120 | if (!target) |
| 121 | ret = -ESRCH; |
| 122 | else |
| 123 | ret = security_capget(target, pEp, pIp, pPp); |
| 124 | |
Thomas Gleixner | 86fc80f | 2009-12-09 17:13:31 +0100 | [diff] [blame] | 125 | rcu_read_unlock(); |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 126 | } else |
| 127 | ret = security_capget(current, pEp, pIp, pPp); |
| 128 | |
| 129 | return ret; |
| 130 | } |
| 131 | |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 132 | /** |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 133 | * sys_capget - get the capabilities of a given process. |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 134 | * @header: pointer to struct that contains capability version and |
| 135 | * target pid data |
| 136 | * @dataptr: pointer to struct that contains the effective, permitted, |
| 137 | * and inheritable capabilities that are returned |
| 138 | * |
| 139 | * Returns 0 on success and < 0 on error. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 140 | */ |
Heiko Carstens | b290ebe | 2009-01-14 14:14:06 +0100 | [diff] [blame] | 141 | SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 142 | { |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 143 | int ret = 0; |
| 144 | pid_t pid; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 145 | unsigned tocopy; |
| 146 | kernel_cap_t pE, pI, pP; |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 147 | struct __user_cap_data_struct kdata[2]; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 148 | |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 149 | ret = cap_validate_magic(header, &tocopy); |
Andrew G. Morgan | c4a5af5 | 2009-11-23 04:57:52 +0000 | [diff] [blame] | 150 | if ((dataptr == NULL) || (ret != 0)) |
| 151 | return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 152 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 153 | if (get_user(pid, &header->pid)) |
| 154 | return -EFAULT; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 155 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 156 | if (pid < 0) |
| 157 | return -EINVAL; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 158 | |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 159 | ret = cap_get_target_pid(pid, &pE, &pI, &pP); |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 160 | if (ret) |
| 161 | return ret; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 162 | |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 163 | /* |
| 164 | * Annoying legacy format with 64-bit capabilities exposed |
| 165 | * as two sets of 32-bit fields, so we need to split the |
| 166 | * capability values up. |
| 167 | */ |
| 168 | kdata[0].effective = pE.val; kdata[1].effective = pE.val >> 32; |
| 169 | kdata[0].permitted = pP.val; kdata[1].permitted = pP.val >> 32; |
| 170 | kdata[0].inheritable = pI.val; kdata[1].inheritable = pI.val >> 32; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 171 | |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 172 | /* |
| 173 | * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S, |
| 174 | * we silently drop the upper capabilities here. This |
| 175 | * has the effect of making older libcap |
| 176 | * implementations implicitly drop upper capability |
| 177 | * bits when they perform a: capget/modify/capset |
| 178 | * sequence. |
| 179 | * |
| 180 | * This behavior is considered fail-safe |
| 181 | * behavior. Upgrading the application to a newer |
| 182 | * version of libcap will enable access to the newer |
| 183 | * capabilities. |
| 184 | * |
| 185 | * An alternative would be to return an error here |
| 186 | * (-ERANGE), but that causes legacy applications to |
| 187 | * unexpectedly fail; the capget/modify/capset aborts |
| 188 | * before modification is attempted and the application |
| 189 | * fails. |
| 190 | */ |
| 191 | if (copy_to_user(dataptr, kdata, tocopy * sizeof(kdata[0]))) |
| 192 | return -EFAULT; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 193 | |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 194 | return 0; |
| 195 | } |
| 196 | |
| 197 | static kernel_cap_t mk_kernel_cap(u32 low, u32 high) |
| 198 | { |
| 199 | return (kernel_cap_t) { (low | ((u64)high << 32)) & CAP_VALID_MASK }; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 200 | } |
| 201 | |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 202 | /** |
Andrew G. Morgan | ab763c7 | 2008-07-23 21:28:25 -0700 | [diff] [blame] | 203 | * sys_capset - set capabilities for a process or (*) a group of processes |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 204 | * @header: pointer to struct that contains capability version and |
| 205 | * target pid data |
| 206 | * @data: pointer to struct that contains the effective, permitted, |
| 207 | * and inheritable capabilities |
| 208 | * |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 209 | * Set capabilities for the current process only. The ability to any other |
| 210 | * process(es) has been deprecated and removed. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 211 | * |
| 212 | * The restrictions on setting capabilities are specified as: |
| 213 | * |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 214 | * I: any raised capabilities must be a subset of the old permitted |
| 215 | * P: any raised capabilities must be a subset of the old permitted |
| 216 | * E: must be set to a subset of new permitted |
Randy Dunlap | 207a7ba | 2005-07-27 11:45:10 -0700 | [diff] [blame] | 217 | * |
| 218 | * Returns 0 on success and < 0 on error. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 219 | */ |
Heiko Carstens | b290ebe | 2009-01-14 14:14:06 +0100 | [diff] [blame] | 220 | SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 221 | { |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 222 | struct __user_cap_data_struct kdata[2] = { { 0, }, }; |
| 223 | unsigned tocopy, copybytes; |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 224 | kernel_cap_t inheritable, permitted, effective; |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 225 | struct cred *new; |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 226 | int ret; |
| 227 | pid_t pid; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 228 | |
Andrew G. Morgan | ca05a99 | 2008-05-27 22:05:17 -0700 | [diff] [blame] | 229 | ret = cap_validate_magic(header, &tocopy); |
| 230 | if (ret != 0) |
| 231 | return ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 232 | |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 233 | if (get_user(pid, &header->pid)) |
| 234 | return -EFAULT; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 235 | |
David Howells | 1cdcbec | 2008-11-14 10:39:14 +1100 | [diff] [blame] | 236 | /* may only affect current now */ |
| 237 | if (pid != 0 && pid != task_pid_vnr(current)) |
| 238 | return -EPERM; |
| 239 | |
Arjan van de Ven | 825332e | 2009-10-14 08:17:36 +1100 | [diff] [blame] | 240 | copybytes = tocopy * sizeof(struct __user_cap_data_struct); |
| 241 | if (copybytes > sizeof(kdata)) |
| 242 | return -EFAULT; |
| 243 | |
| 244 | if (copy_from_user(&kdata, data, copybytes)) |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 245 | return -EFAULT; |
Andrew Morgan | e338d26 | 2008-02-04 22:29:42 -0800 | [diff] [blame] | 246 | |
Linus Torvalds | f122a08 | 2023-02-28 11:39:09 -0800 | [diff] [blame] | 247 | effective = mk_kernel_cap(kdata[0].effective, kdata[1].effective); |
| 248 | permitted = mk_kernel_cap(kdata[0].permitted, kdata[1].permitted); |
| 249 | inheritable = mk_kernel_cap(kdata[0].inheritable, kdata[1].inheritable); |
Eric Paris | 7d8b6c6 | 2014-07-23 15:36:26 -0400 | [diff] [blame] | 250 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 251 | new = prepare_creds(); |
| 252 | if (!new) |
| 253 | return -ENOMEM; |
| 254 | |
| 255 | ret = security_capset(new, current_cred(), |
| 256 | &effective, &inheritable, &permitted); |
| 257 | if (ret < 0) |
| 258 | goto error; |
| 259 | |
Eric W. Biederman | ca24a23 | 2013-03-19 00:02:25 -0700 | [diff] [blame] | 260 | audit_log_capset(new, current_cred()); |
Eric Paris | e68b75a0 | 2008-11-11 21:48:22 +1100 | [diff] [blame] | 261 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 262 | return commit_creds(new); |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 263 | |
David Howells | d84f4f9 | 2008-11-14 10:39:23 +1100 | [diff] [blame] | 264 | error: |
| 265 | abort_creds(new); |
Daniel Walker | 314f70f | 2007-10-18 03:06:08 -0700 | [diff] [blame] | 266 | return ret; |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 267 | } |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 268 | |
David Howells | 5cd9c58 | 2008-08-14 11:37:28 +0100 | [diff] [blame] | 269 | /** |
Eric Paris | 25e7570 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 270 | * has_ns_capability - Does a task have a capability in a specific user ns |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 271 | * @t: The task in question |
| 272 | * @ns: target user namespace |
| 273 | * @cap: The capability to be tested for |
| 274 | * |
| 275 | * Return true if the specified task has the given superior capability |
| 276 | * currently in effect to the specified user namespace, false if not. |
| 277 | * |
| 278 | * Note that this does not set PF_SUPERPRIV on the task. |
| 279 | */ |
| 280 | bool has_ns_capability(struct task_struct *t, |
| 281 | struct user_namespace *ns, int cap) |
| 282 | { |
Eric Paris | 2920a84 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 283 | int ret; |
| 284 | |
| 285 | rcu_read_lock(); |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 286 | ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE); |
Eric Paris | 2920a84 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 287 | rcu_read_unlock(); |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 288 | |
| 289 | return (ret == 0); |
| 290 | } |
| 291 | |
| 292 | /** |
Eric Paris | 25e7570 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 293 | * has_capability - Does a task have a capability in init_user_ns |
| 294 | * @t: The task in question |
| 295 | * @cap: The capability to be tested for |
| 296 | * |
| 297 | * Return true if the specified task has the given superior capability |
| 298 | * currently in effect to the initial user namespace, false if not. |
| 299 | * |
| 300 | * Note that this does not set PF_SUPERPRIV on the task. |
| 301 | */ |
| 302 | bool has_capability(struct task_struct *t, int cap) |
| 303 | { |
| 304 | return has_ns_capability(t, &init_user_ns, cap); |
| 305 | } |
Jike Song | 19c816e | 2017-01-12 16:52:02 +0800 | [diff] [blame] | 306 | EXPORT_SYMBOL(has_capability); |
Eric Paris | 25e7570 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 307 | |
| 308 | /** |
Eric Paris | 7b61d64 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 309 | * has_ns_capability_noaudit - Does a task have a capability (unaudited) |
| 310 | * in a specific user ns. |
| 311 | * @t: The task in question |
| 312 | * @ns: target user namespace |
| 313 | * @cap: The capability to be tested for |
| 314 | * |
| 315 | * Return true if the specified task has the given superior capability |
| 316 | * currently in effect to the specified user namespace, false if not. |
| 317 | * Do not write an audit message for the check. |
| 318 | * |
| 319 | * Note that this does not set PF_SUPERPRIV on the task. |
| 320 | */ |
| 321 | bool has_ns_capability_noaudit(struct task_struct *t, |
| 322 | struct user_namespace *ns, int cap) |
| 323 | { |
| 324 | int ret; |
| 325 | |
| 326 | rcu_read_lock(); |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 327 | ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NOAUDIT); |
Eric Paris | 7b61d64 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 328 | rcu_read_unlock(); |
| 329 | |
| 330 | return (ret == 0); |
| 331 | } |
| 332 | |
| 333 | /** |
| 334 | * has_capability_noaudit - Does a task have a capability (unaudited) in the |
| 335 | * initial user ns |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 336 | * @t: The task in question |
| 337 | * @cap: The capability to be tested for |
| 338 | * |
| 339 | * Return true if the specified task has the given superior capability |
| 340 | * currently in effect to init_user_ns, false if not. Don't write an |
| 341 | * audit message for the check. |
| 342 | * |
| 343 | * Note that this does not set PF_SUPERPRIV on the task. |
| 344 | */ |
| 345 | bool has_capability_noaudit(struct task_struct *t, int cap) |
| 346 | { |
Eric Paris | 7b61d64 | 2012-01-03 12:25:15 -0500 | [diff] [blame] | 347 | return has_ns_capability_noaudit(t, &init_user_ns, cap); |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 348 | } |
Darrick J. Wong | eba0549 | 2022-02-25 16:18:30 -0800 | [diff] [blame] | 349 | EXPORT_SYMBOL(has_capability_noaudit); |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 350 | |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 351 | static bool ns_capable_common(struct user_namespace *ns, |
| 352 | int cap, |
| 353 | unsigned int opts) |
Tyler Hicks | 98f368e | 2016-06-02 23:43:21 -0500 | [diff] [blame] | 354 | { |
| 355 | int capable; |
| 356 | |
| 357 | if (unlikely(!cap_valid(cap))) { |
| 358 | pr_crit("capable() called with invalid cap=%u\n", cap); |
| 359 | BUG(); |
| 360 | } |
| 361 | |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 362 | capable = security_capable(current_cred(), ns, cap, opts); |
Tyler Hicks | 98f368e | 2016-06-02 23:43:21 -0500 | [diff] [blame] | 363 | if (capable == 0) { |
| 364 | current->flags |= PF_SUPERPRIV; |
| 365 | return true; |
| 366 | } |
| 367 | return false; |
| 368 | } |
| 369 | |
Serge E. Hallyn | 3263245 | 2011-03-23 16:43:21 -0700 | [diff] [blame] | 370 | /** |
Serge E. Hallyn | 3486740 | 2011-03-23 16:43:17 -0700 | [diff] [blame] | 371 | * ns_capable - Determine if the current task has a superior capability in effect |
| 372 | * @ns: The usernamespace we want the capability in |
| 373 | * @cap: The capability to be tested for |
| 374 | * |
| 375 | * Return true if the current task has the given superior capability currently |
| 376 | * available for use, false if not. |
| 377 | * |
| 378 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
| 379 | * assumption that it's about to be used. |
| 380 | */ |
| 381 | bool ns_capable(struct user_namespace *ns, int cap) |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 382 | { |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 383 | return ns_capable_common(ns, cap, CAP_OPT_NONE); |
Chris Wright | 12b5989 | 2006-03-25 03:07:41 -0800 | [diff] [blame] | 384 | } |
Serge E. Hallyn | 3486740 | 2011-03-23 16:43:17 -0700 | [diff] [blame] | 385 | EXPORT_SYMBOL(ns_capable); |
| 386 | |
Tyler Hicks | 98f368e | 2016-06-02 23:43:21 -0500 | [diff] [blame] | 387 | /** |
| 388 | * ns_capable_noaudit - Determine if the current task has a superior capability |
| 389 | * (unaudited) in effect |
| 390 | * @ns: The usernamespace we want the capability in |
| 391 | * @cap: The capability to be tested for |
| 392 | * |
| 393 | * Return true if the current task has the given superior capability currently |
| 394 | * available for use, false if not. |
| 395 | * |
| 396 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
| 397 | * assumption that it's about to be used. |
| 398 | */ |
| 399 | bool ns_capable_noaudit(struct user_namespace *ns, int cap) |
| 400 | { |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 401 | return ns_capable_common(ns, cap, CAP_OPT_NOAUDIT); |
Tyler Hicks | 98f368e | 2016-06-02 23:43:21 -0500 | [diff] [blame] | 402 | } |
| 403 | EXPORT_SYMBOL(ns_capable_noaudit); |
Iulia Manda | 2813893 | 2015-04-15 16:16:41 -0700 | [diff] [blame] | 404 | |
| 405 | /** |
Micah Morton | 4085227 | 2019-01-22 14:42:09 -0800 | [diff] [blame] | 406 | * ns_capable_setid - Determine if the current task has a superior capability |
| 407 | * in effect, while signalling that this check is being done from within a |
Thomas Cedeno | 111767c | 2020-07-16 19:13:57 +0000 | [diff] [blame] | 408 | * setid or setgroups syscall. |
Micah Morton | 4085227 | 2019-01-22 14:42:09 -0800 | [diff] [blame] | 409 | * @ns: The usernamespace we want the capability in |
| 410 | * @cap: The capability to be tested for |
| 411 | * |
| 412 | * Return true if the current task has the given superior capability currently |
| 413 | * available for use, false if not. |
| 414 | * |
| 415 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
| 416 | * assumption that it's about to be used. |
| 417 | */ |
| 418 | bool ns_capable_setid(struct user_namespace *ns, int cap) |
| 419 | { |
| 420 | return ns_capable_common(ns, cap, CAP_OPT_INSETID); |
| 421 | } |
| 422 | EXPORT_SYMBOL(ns_capable_setid); |
| 423 | |
| 424 | /** |
Iulia Manda | 2813893 | 2015-04-15 16:16:41 -0700 | [diff] [blame] | 425 | * capable - Determine if the current task has a superior capability in effect |
| 426 | * @cap: The capability to be tested for |
| 427 | * |
| 428 | * Return true if the current task has the given superior capability currently |
| 429 | * available for use, false if not. |
| 430 | * |
| 431 | * This sets PF_SUPERPRIV on the task if the capability is available on the |
| 432 | * assumption that it's about to be used. |
| 433 | */ |
| 434 | bool capable(int cap) |
| 435 | { |
| 436 | return ns_capable(&init_user_ns, cap); |
| 437 | } |
| 438 | EXPORT_SYMBOL(capable); |
| 439 | #endif /* CONFIG_MULTIUSER */ |
| 440 | |
Serge E. Hallyn | 3486740 | 2011-03-23 16:43:17 -0700 | [diff] [blame] | 441 | /** |
Linus Torvalds | 935d8aa | 2013-04-14 10:06:31 -0700 | [diff] [blame] | 442 | * file_ns_capable - Determine if the file's opener had a capability in effect |
| 443 | * @file: The file we want to check |
| 444 | * @ns: The usernamespace we want the capability in |
| 445 | * @cap: The capability to be tested for |
| 446 | * |
| 447 | * Return true if task that opened the file had a capability in effect |
| 448 | * when the file was opened. |
| 449 | * |
| 450 | * This does not set PF_SUPERPRIV because the caller may not |
| 451 | * actually be privileged. |
| 452 | */ |
Fabian Frederick | a6c8c69 | 2014-06-04 16:11:19 -0700 | [diff] [blame] | 453 | bool file_ns_capable(const struct file *file, struct user_namespace *ns, |
| 454 | int cap) |
Linus Torvalds | 935d8aa | 2013-04-14 10:06:31 -0700 | [diff] [blame] | 455 | { |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 456 | |
Linus Torvalds | 935d8aa | 2013-04-14 10:06:31 -0700 | [diff] [blame] | 457 | if (WARN_ON_ONCE(!cap_valid(cap))) |
| 458 | return false; |
| 459 | |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 460 | if (security_capable(file->f_cred, ns, cap, CAP_OPT_NONE) == 0) |
Linus Torvalds | 935d8aa | 2013-04-14 10:06:31 -0700 | [diff] [blame] | 461 | return true; |
| 462 | |
| 463 | return false; |
| 464 | } |
| 465 | EXPORT_SYMBOL(file_ns_capable); |
| 466 | |
| 467 | /** |
Eric W. Biederman | f84df2a | 2016-11-16 22:06:51 -0600 | [diff] [blame] | 468 | * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode? |
| 469 | * @ns: The user namespace in question |
Gaosheng Cui | a495108 | 2023-05-11 09:27:15 +0800 | [diff] [blame] | 470 | * @idmap: idmap of the mount @inode was found from |
Eric W. Biederman | f84df2a | 2016-11-16 22:06:51 -0600 | [diff] [blame] | 471 | * @inode: The inode in question |
| 472 | * |
| 473 | * Return true if the inode uid and gid are within the namespace. |
| 474 | */ |
Christian Brauner | 0558c1b | 2021-01-21 14:19:23 +0100 | [diff] [blame] | 475 | bool privileged_wrt_inode_uidgid(struct user_namespace *ns, |
Christian Brauner | 9452e93 | 2023-01-13 12:49:27 +0100 | [diff] [blame] | 476 | struct mnt_idmap *idmap, |
Christian Brauner | 0558c1b | 2021-01-21 14:19:23 +0100 | [diff] [blame] | 477 | const struct inode *inode) |
Eric W. Biederman | f84df2a | 2016-11-16 22:06:51 -0600 | [diff] [blame] | 478 | { |
Christian Brauner | e67fe63 | 2023-01-13 12:49:30 +0100 | [diff] [blame] | 479 | return vfsuid_has_mapping(ns, i_uid_into_vfsuid(idmap, inode)) && |
| 480 | vfsgid_has_mapping(ns, i_gid_into_vfsgid(idmap, inode)); |
Eric W. Biederman | f84df2a | 2016-11-16 22:06:51 -0600 | [diff] [blame] | 481 | } |
| 482 | |
| 483 | /** |
Andy Lutomirski | 23adbe1 | 2014-06-10 12:45:42 -0700 | [diff] [blame] | 484 | * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
Gaosheng Cui | a495108 | 2023-05-11 09:27:15 +0800 | [diff] [blame] | 485 | * @idmap: idmap of the mount @inode was found from |
Eric W. Biederman | 1a48e2a | 2011-11-14 16:24:06 -0800 | [diff] [blame] | 486 | * @inode: The inode in question |
| 487 | * @cap: The capability in question |
| 488 | * |
Andy Lutomirski | 23adbe1 | 2014-06-10 12:45:42 -0700 | [diff] [blame] | 489 | * Return true if the current task has the given capability targeted at |
| 490 | * its own user namespace and that the given inode's uid and gid are |
| 491 | * mapped into the current user namespace. |
Eric W. Biederman | 1a48e2a | 2011-11-14 16:24:06 -0800 | [diff] [blame] | 492 | */ |
Christian Brauner | 9452e93 | 2023-01-13 12:49:27 +0100 | [diff] [blame] | 493 | bool capable_wrt_inode_uidgid(struct mnt_idmap *idmap, |
Christian Brauner | 0558c1b | 2021-01-21 14:19:23 +0100 | [diff] [blame] | 494 | const struct inode *inode, int cap) |
Eric W. Biederman | 1a48e2a | 2011-11-14 16:24:06 -0800 | [diff] [blame] | 495 | { |
| 496 | struct user_namespace *ns = current_user_ns(); |
| 497 | |
Christian Brauner | 0558c1b | 2021-01-21 14:19:23 +0100 | [diff] [blame] | 498 | return ns_capable(ns, cap) && |
Christian Brauner | 9452e93 | 2023-01-13 12:49:27 +0100 | [diff] [blame] | 499 | privileged_wrt_inode_uidgid(ns, idmap, inode); |
Eric W. Biederman | 1a48e2a | 2011-11-14 16:24:06 -0800 | [diff] [blame] | 500 | } |
Andy Lutomirski | 23adbe1 | 2014-06-10 12:45:42 -0700 | [diff] [blame] | 501 | EXPORT_SYMBOL(capable_wrt_inode_uidgid); |
Eric W. Biederman | 64b875f | 2016-11-14 18:48:07 -0600 | [diff] [blame] | 502 | |
| 503 | /** |
| 504 | * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace |
| 505 | * @tsk: The task that may be ptraced |
| 506 | * @ns: The user namespace to search for CAP_SYS_PTRACE in |
| 507 | * |
| 508 | * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE |
| 509 | * in the specified user namespace. |
| 510 | */ |
| 511 | bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns) |
| 512 | { |
| 513 | int ret = 0; /* An absent tracer adds no restrictions */ |
| 514 | const struct cred *cred; |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 515 | |
Eric W. Biederman | 64b875f | 2016-11-14 18:48:07 -0600 | [diff] [blame] | 516 | rcu_read_lock(); |
| 517 | cred = rcu_dereference(tsk->ptracer_cred); |
| 518 | if (cred) |
Micah Morton | c1a85a0 | 2019-01-07 16:10:53 -0800 | [diff] [blame] | 519 | ret = security_capable(cred, ns, CAP_SYS_PTRACE, |
| 520 | CAP_OPT_NOAUDIT); |
Eric W. Biederman | 64b875f | 2016-11-14 18:48:07 -0600 | [diff] [blame] | 521 | rcu_read_unlock(); |
| 522 | return (ret == 0); |
| 523 | } |