~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/kernel/capability.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /kernel/capability.c (Version linux-6.11.5) and /kernel/capability.c (Version linux-6.1.114)


  1 // SPDX-License-Identifier: GPL-2.0                 1 // SPDX-License-Identifier: GPL-2.0
  2 /*                                                  2 /*
  3  * linux/kernel/capability.c                        3  * linux/kernel/capability.c
  4  *                                                  4  *
  5  * Copyright (C) 1997  Andrew Main <zefram@fys      5  * Copyright (C) 1997  Andrew Main <zefram@fysh.org>
  6  *                                                  6  *
  7  * Integrated into 2.1.97+,  Andrew G. Morgan       7  * Integrated into 2.1.97+,  Andrew G. Morgan <morgan@kernel.org>
  8  * 30 May 2002: Cleanup, Robert M. Love <rml@t      8  * 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
  9  */                                                 9  */
 10                                                    10 
 11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt        11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 12                                                    12 
 13 #include <linux/audit.h>                           13 #include <linux/audit.h>
 14 #include <linux/capability.h>                      14 #include <linux/capability.h>
 15 #include <linux/mm.h>                              15 #include <linux/mm.h>
 16 #include <linux/export.h>                          16 #include <linux/export.h>
 17 #include <linux/security.h>                        17 #include <linux/security.h>
 18 #include <linux/syscalls.h>                        18 #include <linux/syscalls.h>
 19 #include <linux/pid_namespace.h>                   19 #include <linux/pid_namespace.h>
 20 #include <linux/user_namespace.h>                  20 #include <linux/user_namespace.h>
 21 #include <linux/uaccess.h>                         21 #include <linux/uaccess.h>
 22                                                    22 
                                                   >>  23 /*
                                                   >>  24  * Leveraged for setting/resetting capabilities
                                                   >>  25  */
                                                   >>  26 
                                                   >>  27 const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
                                                   >>  28 EXPORT_SYMBOL(__cap_empty_set);
                                                   >>  29 
 23 int file_caps_enabled = 1;                         30 int file_caps_enabled = 1;
 24                                                    31 
 25 static int __init file_caps_disable(char *str)     32 static int __init file_caps_disable(char *str)
 26 {                                                  33 {
 27         file_caps_enabled = 0;                     34         file_caps_enabled = 0;
 28         return 1;                                  35         return 1;
 29 }                                                  36 }
 30 __setup("no_file_caps", file_caps_disable);        37 __setup("no_file_caps", file_caps_disable);
 31                                                    38 
 32 #ifdef CONFIG_MULTIUSER                            39 #ifdef CONFIG_MULTIUSER
 33 /*                                                 40 /*
 34  * More recent versions of libcap are availabl     41  * More recent versions of libcap are available from:
 35  *                                                 42  *
 36  *   http://www.kernel.org/pub/linux/libs/secu     43  *   http://www.kernel.org/pub/linux/libs/security/linux-privs/
 37  */                                                44  */
 38                                                    45 
 39 static void warn_legacy_capability_use(void)       46 static void warn_legacy_capability_use(void)
 40 {                                                  47 {
 41         char name[sizeof(current->comm)];          48         char name[sizeof(current->comm)];
 42                                                    49 
 43         pr_info_once("warning: `%s' uses 32-bi     50         pr_info_once("warning: `%s' uses 32-bit capabilities (legacy support in use)\n",
 44                      get_task_comm(name, curre     51                      get_task_comm(name, current));
 45 }                                                  52 }
 46                                                    53 
 47 /*                                                 54 /*
 48  * Version 2 capabilities worked fine, but the     55  * Version 2 capabilities worked fine, but the linux/capability.h file
 49  * that accompanied their introduction encoura     56  * that accompanied their introduction encouraged their use without
 50  * the necessary user-space source code change     57  * the necessary user-space source code changes. As such, we have
 51  * created a version 3 with equivalent functio     58  * created a version 3 with equivalent functionality to version 2, but
 52  * with a header change to protect legacy sour     59  * with a header change to protect legacy source code from using
 53  * version 2 when it wanted to use version 1.      60  * version 2 when it wanted to use version 1. If your system has code
 54  * that trips the following warning, it is usi     61  * that trips the following warning, it is using version 2 specific
 55  * capabilities and may be doing so insecurely     62  * capabilities and may be doing so insecurely.
 56  *                                                 63  *
 57  * The remedy is to either upgrade your versio     64  * The remedy is to either upgrade your version of libcap (to 2.10+,
 58  * if the application is linked against it), o     65  * if the application is linked against it), or recompile your
 59  * application with modern kernel headers and      66  * application with modern kernel headers and this warning will go
 60  * away.                                           67  * away.
 61  */                                                68  */
 62                                                    69 
 63 static void warn_deprecated_v2(void)               70 static void warn_deprecated_v2(void)
 64 {                                                  71 {
 65         char name[sizeof(current->comm)];          72         char name[sizeof(current->comm)];
 66                                                    73 
 67         pr_info_once("warning: `%s' uses depre     74         pr_info_once("warning: `%s' uses deprecated v2 capabilities in a way that may be insecure\n",
 68                      get_task_comm(name, curre     75                      get_task_comm(name, current));
 69 }                                                  76 }
 70                                                    77 
 71 /*                                                 78 /*
 72  * Version check. Return the number of u32s in     79  * Version check. Return the number of u32s in each capability flag
 73  * array, or a negative value on error.            80  * array, or a negative value on error.
 74  */                                                81  */
 75 static int cap_validate_magic(cap_user_header_     82 static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
 76 {                                                  83 {
 77         __u32 version;                             84         __u32 version;
 78                                                    85 
 79         if (get_user(version, &header->version     86         if (get_user(version, &header->version))
 80                 return -EFAULT;                    87                 return -EFAULT;
 81                                                    88 
 82         switch (version) {                         89         switch (version) {
 83         case _LINUX_CAPABILITY_VERSION_1:          90         case _LINUX_CAPABILITY_VERSION_1:
 84                 warn_legacy_capability_use();      91                 warn_legacy_capability_use();
 85                 *tocopy = _LINUX_CAPABILITY_U3     92                 *tocopy = _LINUX_CAPABILITY_U32S_1;
 86                 break;                             93                 break;
 87         case _LINUX_CAPABILITY_VERSION_2:          94         case _LINUX_CAPABILITY_VERSION_2:
 88                 warn_deprecated_v2();              95                 warn_deprecated_v2();
 89                 fallthrough;    /* v3 is other     96                 fallthrough;    /* v3 is otherwise equivalent to v2 */
 90         case _LINUX_CAPABILITY_VERSION_3:          97         case _LINUX_CAPABILITY_VERSION_3:
 91                 *tocopy = _LINUX_CAPABILITY_U3     98                 *tocopy = _LINUX_CAPABILITY_U32S_3;
 92                 break;                             99                 break;
 93         default:                                  100         default:
 94                 if (put_user((u32)_KERNEL_CAPA    101                 if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
 95                         return -EFAULT;           102                         return -EFAULT;
 96                 return -EINVAL;                   103                 return -EINVAL;
 97         }                                         104         }
 98                                                   105 
 99         return 0;                                 106         return 0;
100 }                                                 107 }
101                                                   108 
102 /*                                                109 /*
103  * The only thing that can change the capabili    110  * The only thing that can change the capabilities of the current
104  * process is the current process. As such, we    111  * process is the current process. As such, we can't be in this code
105  * at the same time as we are in the process o    112  * at the same time as we are in the process of setting capabilities
106  * in this process. The net result is that we     113  * in this process. The net result is that we can limit our use of
107  * locks to when we are reading the caps of an    114  * locks to when we are reading the caps of another process.
108  */                                               115  */
109 static inline int cap_get_target_pid(pid_t pid    116 static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
110                                      kernel_ca    117                                      kernel_cap_t *pIp, kernel_cap_t *pPp)
111 {                                                 118 {
112         int ret;                                  119         int ret;
113                                                   120 
114         if (pid && (pid != task_pid_vnr(curren    121         if (pid && (pid != task_pid_vnr(current))) {
115                 const struct task_struct *targ !! 122                 struct task_struct *target;
116                                                   123 
117                 rcu_read_lock();                  124                 rcu_read_lock();
118                                                   125 
119                 target = find_task_by_vpid(pid    126                 target = find_task_by_vpid(pid);
120                 if (!target)                      127                 if (!target)
121                         ret = -ESRCH;             128                         ret = -ESRCH;
122                 else                              129                 else
123                         ret = security_capget(    130                         ret = security_capget(target, pEp, pIp, pPp);
124                                                   131 
125                 rcu_read_unlock();                132                 rcu_read_unlock();
126         } else                                    133         } else
127                 ret = security_capget(current,    134                 ret = security_capget(current, pEp, pIp, pPp);
128                                                   135 
129         return ret;                               136         return ret;
130 }                                                 137 }
131                                                   138 
132 /**                                               139 /**
133  * sys_capget - get the capabilities of a give    140  * sys_capget - get the capabilities of a given process.
134  * @header: pointer to struct that contains ca    141  * @header: pointer to struct that contains capability version and
135  *      target pid data                           142  *      target pid data
136  * @dataptr: pointer to struct that contains t    143  * @dataptr: pointer to struct that contains the effective, permitted,
137  *      and inheritable capabilities that are     144  *      and inheritable capabilities that are returned
138  *                                                145  *
139  * Returns 0 on success and < 0 on error.         146  * Returns 0 on success and < 0 on error.
140  */                                               147  */
141 SYSCALL_DEFINE2(capget, cap_user_header_t, hea    148 SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
142 {                                                 149 {
143         int ret = 0;                              150         int ret = 0;
144         pid_t pid;                                151         pid_t pid;
145         unsigned tocopy;                          152         unsigned tocopy;
146         kernel_cap_t pE, pI, pP;                  153         kernel_cap_t pE, pI, pP;
147         struct __user_cap_data_struct kdata[2] << 
148                                                   154 
149         ret = cap_validate_magic(header, &toco    155         ret = cap_validate_magic(header, &tocopy);
150         if ((dataptr == NULL) || (ret != 0))      156         if ((dataptr == NULL) || (ret != 0))
151                 return ((dataptr == NULL) && (    157                 return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
152                                                   158 
153         if (get_user(pid, &header->pid))          159         if (get_user(pid, &header->pid))
154                 return -EFAULT;                   160                 return -EFAULT;
155                                                   161 
156         if (pid < 0)                              162         if (pid < 0)
157                 return -EINVAL;                   163                 return -EINVAL;
158                                                   164 
159         ret = cap_get_target_pid(pid, &pE, &pI    165         ret = cap_get_target_pid(pid, &pE, &pI, &pP);
160         if (ret)                               !! 166         if (!ret) {
161                 return ret;                    !! 167                 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
162                                                !! 168                 unsigned i;
163         /*                                     !! 169 
164          * Annoying legacy format with 64-bit  !! 170                 for (i = 0; i < tocopy; i++) {
165          * as two sets of 32-bit fields, so we !! 171                         kdata[i].effective = pE.cap[i];
166          * capability values up.               !! 172                         kdata[i].permitted = pP.cap[i];
167          */                                    !! 173                         kdata[i].inheritable = pI.cap[i];
168         kdata[0].effective   = pE.val; kdata[1 !! 174                 }
169         kdata[0].permitted   = pP.val; kdata[1 !! 175 
170         kdata[0].inheritable = pI.val; kdata[1 !! 176                 /*
171                                                !! 177                  * Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
172         /*                                     !! 178                  * we silently drop the upper capabilities here. This
173          * Note, in the case, tocopy < _KERNEL !! 179                  * has the effect of making older libcap
174          * we silently drop the upper capabili !! 180                  * implementations implicitly drop upper capability
175          * has the effect of making older libc !! 181                  * bits when they perform a: capget/modify/capset
176          * implementations implicitly drop upp !! 182                  * sequence.
177          * bits when they perform a: capget/mo !! 183                  *
178          * sequence.                           !! 184                  * This behavior is considered fail-safe
179          *                                     !! 185                  * behavior. Upgrading the application to a newer
180          * This behavior is considered fail-sa !! 186                  * version of libcap will enable access to the newer
181          * behavior. Upgrading the application !! 187                  * capabilities.
182          * version of libcap will enable acces !! 188                  *
183          * capabilities.                       !! 189                  * An alternative would be to return an error here
184          *                                     !! 190                  * (-ERANGE), but that causes legacy applications to
185          * An alternative would be to return a !! 191                  * unexpectedly fail; the capget/modify/capset aborts
186          * (-ERANGE), but that causes legacy a !! 192                  * before modification is attempted and the application
187          * unexpectedly fail; the capget/modif !! 193                  * fails.
188          * before modification is attempted an !! 194                  */
189          * fails.                              !! 195                 if (copy_to_user(dataptr, kdata, tocopy
190          */                                    !! 196                                  * sizeof(struct __user_cap_data_struct))) {
191         if (copy_to_user(dataptr, kdata, tocop !! 197                         return -EFAULT;
192                 return -EFAULT;                !! 198                 }
193                                                !! 199         }
194         return 0;                              << 
195 }                                              << 
196                                                   200 
197 static kernel_cap_t mk_kernel_cap(u32 low, u32 !! 201         return ret;
198 {                                              << 
199         return (kernel_cap_t) { (low | ((u64)h << 
200 }                                                 202 }
201                                                   203 
202 /**                                               204 /**
203  * sys_capset - set capabilities for a process    205  * sys_capset - set capabilities for a process or (*) a group of processes
204  * @header: pointer to struct that contains ca    206  * @header: pointer to struct that contains capability version and
205  *      target pid data                           207  *      target pid data
206  * @data: pointer to struct that contains the     208  * @data: pointer to struct that contains the effective, permitted,
207  *      and inheritable capabilities              209  *      and inheritable capabilities
208  *                                                210  *
209  * Set capabilities for the current process on    211  * Set capabilities for the current process only.  The ability to any other
210  * process(es) has been deprecated and removed    212  * process(es) has been deprecated and removed.
211  *                                                213  *
212  * The restrictions on setting capabilities ar    214  * The restrictions on setting capabilities are specified as:
213  *                                                215  *
214  * I: any raised capabilities must be a subset    216  * I: any raised capabilities must be a subset of the old permitted
215  * P: any raised capabilities must be a subset    217  * P: any raised capabilities must be a subset of the old permitted
216  * E: must be set to a subset of new permitted    218  * E: must be set to a subset of new permitted
217  *                                                219  *
218  * Returns 0 on success and < 0 on error.         220  * Returns 0 on success and < 0 on error.
219  */                                               221  */
220 SYSCALL_DEFINE2(capset, cap_user_header_t, hea    222 SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
221 {                                                 223 {
222         struct __user_cap_data_struct kdata[2] !! 224         struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
223         unsigned tocopy, copybytes;            !! 225         unsigned i, tocopy, copybytes;
224         kernel_cap_t inheritable, permitted, e    226         kernel_cap_t inheritable, permitted, effective;
225         struct cred *new;                         227         struct cred *new;
226         int ret;                                  228         int ret;
227         pid_t pid;                                229         pid_t pid;
228                                                   230 
229         ret = cap_validate_magic(header, &toco    231         ret = cap_validate_magic(header, &tocopy);
230         if (ret != 0)                             232         if (ret != 0)
231                 return ret;                       233                 return ret;
232                                                   234 
233         if (get_user(pid, &header->pid))          235         if (get_user(pid, &header->pid))
234                 return -EFAULT;                   236                 return -EFAULT;
235                                                   237 
236         /* may only affect current now */         238         /* may only affect current now */
237         if (pid != 0 && pid != task_pid_vnr(cu    239         if (pid != 0 && pid != task_pid_vnr(current))
238                 return -EPERM;                    240                 return -EPERM;
239                                                   241 
240         copybytes = tocopy * sizeof(struct __u    242         copybytes = tocopy * sizeof(struct __user_cap_data_struct);
241         if (copybytes > sizeof(kdata))            243         if (copybytes > sizeof(kdata))
242                 return -EFAULT;                   244                 return -EFAULT;
243                                                   245 
244         if (copy_from_user(&kdata, data, copyb    246         if (copy_from_user(&kdata, data, copybytes))
245                 return -EFAULT;                   247                 return -EFAULT;
246                                                   248 
247         effective   = mk_kernel_cap(kdata[0].e !! 249         for (i = 0; i < tocopy; i++) {
248         permitted   = mk_kernel_cap(kdata[0].p !! 250                 effective.cap[i] = kdata[i].effective;
249         inheritable = mk_kernel_cap(kdata[0].i !! 251                 permitted.cap[i] = kdata[i].permitted;
                                                   >> 252                 inheritable.cap[i] = kdata[i].inheritable;
                                                   >> 253         }
                                                   >> 254         while (i < _KERNEL_CAPABILITY_U32S) {
                                                   >> 255                 effective.cap[i] = 0;
                                                   >> 256                 permitted.cap[i] = 0;
                                                   >> 257                 inheritable.cap[i] = 0;
                                                   >> 258                 i++;
                                                   >> 259         }
                                                   >> 260 
                                                   >> 261         effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
                                                   >> 262         permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
                                                   >> 263         inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
250                                                   264 
251         new = prepare_creds();                    265         new = prepare_creds();
252         if (!new)                                 266         if (!new)
253                 return -ENOMEM;                   267                 return -ENOMEM;
254                                                   268 
255         ret = security_capset(new, current_cre    269         ret = security_capset(new, current_cred(),
256                               &effective, &inh    270                               &effective, &inheritable, &permitted);
257         if (ret < 0)                              271         if (ret < 0)
258                 goto error;                       272                 goto error;
259                                                   273 
260         audit_log_capset(new, current_cred());    274         audit_log_capset(new, current_cred());
261                                                   275 
262         return commit_creds(new);                 276         return commit_creds(new);
263                                                   277 
264 error:                                            278 error:
265         abort_creds(new);                         279         abort_creds(new);
266         return ret;                               280         return ret;
267 }                                                 281 }
268                                                   282 
269 /**                                               283 /**
270  * has_ns_capability - Does a task have a capa    284  * has_ns_capability - Does a task have a capability in a specific user ns
271  * @t: The task in question                       285  * @t: The task in question
272  * @ns: target user namespace                     286  * @ns: target user namespace
273  * @cap: The capability to be tested for          287  * @cap: The capability to be tested for
274  *                                                288  *
275  * Return true if the specified task has the g    289  * Return true if the specified task has the given superior capability
276  * currently in effect to the specified user n    290  * currently in effect to the specified user namespace, false if not.
277  *                                                291  *
278  * Note that this does not set PF_SUPERPRIV on    292  * Note that this does not set PF_SUPERPRIV on the task.
279  */                                               293  */
280 bool has_ns_capability(struct task_struct *t,     294 bool has_ns_capability(struct task_struct *t,
281                        struct user_namespace *    295                        struct user_namespace *ns, int cap)
282 {                                                 296 {
283         int ret;                                  297         int ret;
284                                                   298 
285         rcu_read_lock();                          299         rcu_read_lock();
286         ret = security_capable(__task_cred(t),    300         ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE);
287         rcu_read_unlock();                        301         rcu_read_unlock();
288                                                   302 
289         return (ret == 0);                        303         return (ret == 0);
290 }                                                 304 }
291                                                   305 
292 /**                                               306 /**
293  * has_capability - Does a task have a capabil    307  * has_capability - Does a task have a capability in init_user_ns
294  * @t: The task in question                       308  * @t: The task in question
295  * @cap: The capability to be tested for          309  * @cap: The capability to be tested for
296  *                                                310  *
297  * Return true if the specified task has the g    311  * Return true if the specified task has the given superior capability
298  * currently in effect to the initial user nam    312  * currently in effect to the initial user namespace, false if not.
299  *                                                313  *
300  * Note that this does not set PF_SUPERPRIV on    314  * Note that this does not set PF_SUPERPRIV on the task.
301  */                                               315  */
302 bool has_capability(struct task_struct *t, int    316 bool has_capability(struct task_struct *t, int cap)
303 {                                                 317 {
304         return has_ns_capability(t, &init_user    318         return has_ns_capability(t, &init_user_ns, cap);
305 }                                                 319 }
306 EXPORT_SYMBOL(has_capability);                    320 EXPORT_SYMBOL(has_capability);
307                                                   321 
308 /**                                               322 /**
309  * has_ns_capability_noaudit - Does a task hav    323  * has_ns_capability_noaudit - Does a task have a capability (unaudited)
310  * in a specific user ns.                         324  * in a specific user ns.
311  * @t: The task in question                       325  * @t: The task in question
312  * @ns: target user namespace                     326  * @ns: target user namespace
313  * @cap: The capability to be tested for          327  * @cap: The capability to be tested for
314  *                                                328  *
315  * Return true if the specified task has the g    329  * Return true if the specified task has the given superior capability
316  * currently in effect to the specified user n    330  * currently in effect to the specified user namespace, false if not.
317  * Do not write an audit message for the check    331  * Do not write an audit message for the check.
318  *                                                332  *
319  * Note that this does not set PF_SUPERPRIV on    333  * Note that this does not set PF_SUPERPRIV on the task.
320  */                                               334  */
321 bool has_ns_capability_noaudit(struct task_str    335 bool has_ns_capability_noaudit(struct task_struct *t,
322                                struct user_nam    336                                struct user_namespace *ns, int cap)
323 {                                                 337 {
324         int ret;                                  338         int ret;
325                                                   339 
326         rcu_read_lock();                          340         rcu_read_lock();
327         ret = security_capable(__task_cred(t),    341         ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NOAUDIT);
328         rcu_read_unlock();                        342         rcu_read_unlock();
329                                                   343 
330         return (ret == 0);                        344         return (ret == 0);
331 }                                                 345 }
332                                                   346 
333 /**                                               347 /**
334  * has_capability_noaudit - Does a task have a    348  * has_capability_noaudit - Does a task have a capability (unaudited) in the
335  * initial user ns                                349  * initial user ns
336  * @t: The task in question                       350  * @t: The task in question
337  * @cap: The capability to be tested for          351  * @cap: The capability to be tested for
338  *                                                352  *
339  * Return true if the specified task has the g    353  * Return true if the specified task has the given superior capability
340  * currently in effect to init_user_ns, false     354  * currently in effect to init_user_ns, false if not.  Don't write an
341  * audit message for the check.                   355  * audit message for the check.
342  *                                                356  *
343  * Note that this does not set PF_SUPERPRIV on    357  * Note that this does not set PF_SUPERPRIV on the task.
344  */                                               358  */
345 bool has_capability_noaudit(struct task_struct    359 bool has_capability_noaudit(struct task_struct *t, int cap)
346 {                                                 360 {
347         return has_ns_capability_noaudit(t, &i    361         return has_ns_capability_noaudit(t, &init_user_ns, cap);
348 }                                                 362 }
349 EXPORT_SYMBOL(has_capability_noaudit);            363 EXPORT_SYMBOL(has_capability_noaudit);
350                                                   364 
351 static bool ns_capable_common(struct user_name    365 static bool ns_capable_common(struct user_namespace *ns,
352                               int cap,            366                               int cap,
353                               unsigned int opt    367                               unsigned int opts)
354 {                                                 368 {
355         int capable;                              369         int capable;
356                                                   370 
357         if (unlikely(!cap_valid(cap))) {          371         if (unlikely(!cap_valid(cap))) {
358                 pr_crit("capable() called with    372                 pr_crit("capable() called with invalid cap=%u\n", cap);
359                 BUG();                            373                 BUG();
360         }                                         374         }
361                                                   375 
362         capable = security_capable(current_cre    376         capable = security_capable(current_cred(), ns, cap, opts);
363         if (capable == 0) {                       377         if (capable == 0) {
364                 current->flags |= PF_SUPERPRIV    378                 current->flags |= PF_SUPERPRIV;
365                 return true;                      379                 return true;
366         }                                         380         }
367         return false;                             381         return false;
368 }                                                 382 }
369                                                   383 
370 /**                                               384 /**
371  * ns_capable - Determine if the current task     385  * ns_capable - Determine if the current task has a superior capability in effect
372  * @ns:  The usernamespace we want the capabil    386  * @ns:  The usernamespace we want the capability in
373  * @cap: The capability to be tested for          387  * @cap: The capability to be tested for
374  *                                                388  *
375  * Return true if the current task has the giv    389  * Return true if the current task has the given superior capability currently
376  * available for use, false if not.               390  * available for use, false if not.
377  *                                                391  *
378  * This sets PF_SUPERPRIV on the task if the c    392  * This sets PF_SUPERPRIV on the task if the capability is available on the
379  * assumption that it's about to be used.         393  * assumption that it's about to be used.
380  */                                               394  */
381 bool ns_capable(struct user_namespace *ns, int    395 bool ns_capable(struct user_namespace *ns, int cap)
382 {                                                 396 {
383         return ns_capable_common(ns, cap, CAP_    397         return ns_capable_common(ns, cap, CAP_OPT_NONE);
384 }                                                 398 }
385 EXPORT_SYMBOL(ns_capable);                        399 EXPORT_SYMBOL(ns_capable);
386                                                   400 
387 /**                                               401 /**
388  * ns_capable_noaudit - Determine if the curre    402  * ns_capable_noaudit - Determine if the current task has a superior capability
389  * (unaudited) in effect                          403  * (unaudited) in effect
390  * @ns:  The usernamespace we want the capabil    404  * @ns:  The usernamespace we want the capability in
391  * @cap: The capability to be tested for          405  * @cap: The capability to be tested for
392  *                                                406  *
393  * Return true if the current task has the giv    407  * Return true if the current task has the given superior capability currently
394  * available for use, false if not.               408  * available for use, false if not.
395  *                                                409  *
396  * This sets PF_SUPERPRIV on the task if the c    410  * This sets PF_SUPERPRIV on the task if the capability is available on the
397  * assumption that it's about to be used.         411  * assumption that it's about to be used.
398  */                                               412  */
399 bool ns_capable_noaudit(struct user_namespace     413 bool ns_capable_noaudit(struct user_namespace *ns, int cap)
400 {                                                 414 {
401         return ns_capable_common(ns, cap, CAP_    415         return ns_capable_common(ns, cap, CAP_OPT_NOAUDIT);
402 }                                                 416 }
403 EXPORT_SYMBOL(ns_capable_noaudit);                417 EXPORT_SYMBOL(ns_capable_noaudit);
404                                                   418 
405 /**                                               419 /**
406  * ns_capable_setid - Determine if the current    420  * ns_capable_setid - Determine if the current task has a superior capability
407  * in effect, while signalling that this check    421  * in effect, while signalling that this check is being done from within a
408  * setid or setgroups syscall.                    422  * setid or setgroups syscall.
409  * @ns:  The usernamespace we want the capabil    423  * @ns:  The usernamespace we want the capability in
410  * @cap: The capability to be tested for          424  * @cap: The capability to be tested for
411  *                                                425  *
412  * Return true if the current task has the giv    426  * Return true if the current task has the given superior capability currently
413  * available for use, false if not.               427  * available for use, false if not.
414  *                                                428  *
415  * This sets PF_SUPERPRIV on the task if the c    429  * This sets PF_SUPERPRIV on the task if the capability is available on the
416  * assumption that it's about to be used.         430  * assumption that it's about to be used.
417  */                                               431  */
418 bool ns_capable_setid(struct user_namespace *n    432 bool ns_capable_setid(struct user_namespace *ns, int cap)
419 {                                                 433 {
420         return ns_capable_common(ns, cap, CAP_    434         return ns_capable_common(ns, cap, CAP_OPT_INSETID);
421 }                                                 435 }
422 EXPORT_SYMBOL(ns_capable_setid);                  436 EXPORT_SYMBOL(ns_capable_setid);
423                                                   437 
424 /**                                               438 /**
425  * capable - Determine if the current task has    439  * capable - Determine if the current task has a superior capability in effect
426  * @cap: The capability to be tested for          440  * @cap: The capability to be tested for
427  *                                                441  *
428  * Return true if the current task has the giv    442  * Return true if the current task has the given superior capability currently
429  * available for use, false if not.               443  * available for use, false if not.
430  *                                                444  *
431  * This sets PF_SUPERPRIV on the task if the c    445  * This sets PF_SUPERPRIV on the task if the capability is available on the
432  * assumption that it's about to be used.         446  * assumption that it's about to be used.
433  */                                               447  */
434 bool capable(int cap)                             448 bool capable(int cap)
435 {                                                 449 {
436         return ns_capable(&init_user_ns, cap);    450         return ns_capable(&init_user_ns, cap);
437 }                                                 451 }
438 EXPORT_SYMBOL(capable);                           452 EXPORT_SYMBOL(capable);
439 #endif /* CONFIG_MULTIUSER */                     453 #endif /* CONFIG_MULTIUSER */
440                                                   454 
441 /**                                               455 /**
442  * file_ns_capable - Determine if the file's o    456  * file_ns_capable - Determine if the file's opener had a capability in effect
443  * @file:  The file we want to check              457  * @file:  The file we want to check
444  * @ns:  The usernamespace we want the capabil    458  * @ns:  The usernamespace we want the capability in
445  * @cap: The capability to be tested for          459  * @cap: The capability to be tested for
446  *                                                460  *
447  * Return true if task that opened the file ha    461  * Return true if task that opened the file had a capability in effect
448  * when the file was opened.                      462  * when the file was opened.
449  *                                                463  *
450  * This does not set PF_SUPERPRIV because the     464  * This does not set PF_SUPERPRIV because the caller may not
451  * actually be privileged.                        465  * actually be privileged.
452  */                                               466  */
453 bool file_ns_capable(const struct file *file,     467 bool file_ns_capable(const struct file *file, struct user_namespace *ns,
454                      int cap)                     468                      int cap)
455 {                                                 469 {
456                                                   470 
457         if (WARN_ON_ONCE(!cap_valid(cap)))        471         if (WARN_ON_ONCE(!cap_valid(cap)))
458                 return false;                     472                 return false;
459                                                   473 
460         if (security_capable(file->f_cred, ns,    474         if (security_capable(file->f_cred, ns, cap, CAP_OPT_NONE) == 0)
461                 return true;                      475                 return true;
462                                                   476 
463         return false;                             477         return false;
464 }                                                 478 }
465 EXPORT_SYMBOL(file_ns_capable);                   479 EXPORT_SYMBOL(file_ns_capable);
466                                                   480 
467 /**                                               481 /**
468  * privileged_wrt_inode_uidgid - Do capabiliti    482  * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode?
469  * @ns: The user namespace in question            483  * @ns: The user namespace in question
470  * @idmap: idmap of the mount @inode was found << 
471  * @inode: The inode in question                  484  * @inode: The inode in question
472  *                                                485  *
473  * Return true if the inode uid and gid are wi    486  * Return true if the inode uid and gid are within the namespace.
474  */                                               487  */
475 bool privileged_wrt_inode_uidgid(struct user_n    488 bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
476                                  struct mnt_id !! 489                                  struct user_namespace *mnt_userns,
477                                  const struct     490                                  const struct inode *inode)
478 {                                                 491 {
479         return vfsuid_has_mapping(ns, i_uid_in !! 492         return kuid_has_mapping(ns, i_uid_into_mnt(mnt_userns, inode)) &&
480                vfsgid_has_mapping(ns, i_gid_in !! 493                kgid_has_mapping(ns, i_gid_into_mnt(mnt_userns, inode));
481 }                                                 494 }
482                                                   495 
483 /**                                               496 /**
484  * capable_wrt_inode_uidgid - Check nsown_capa    497  * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
485  * @idmap: idmap of the mount @inode was found << 
486  * @inode: The inode in question                  498  * @inode: The inode in question
487  * @cap: The capability in question               499  * @cap: The capability in question
488  *                                                500  *
489  * Return true if the current task has the giv    501  * Return true if the current task has the given capability targeted at
490  * its own user namespace and that the given i    502  * its own user namespace and that the given inode's uid and gid are
491  * mapped into the current user namespace.        503  * mapped into the current user namespace.
492  */                                               504  */
493 bool capable_wrt_inode_uidgid(struct mnt_idmap !! 505 bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
494                               const struct ino    506                               const struct inode *inode, int cap)
495 {                                                 507 {
496         struct user_namespace *ns = current_us    508         struct user_namespace *ns = current_user_ns();
497                                                   509 
498         return ns_capable(ns, cap) &&             510         return ns_capable(ns, cap) &&
499                privileged_wrt_inode_uidgid(ns, !! 511                privileged_wrt_inode_uidgid(ns, mnt_userns, inode);
500 }                                                 512 }
501 EXPORT_SYMBOL(capable_wrt_inode_uidgid);          513 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
502                                                   514 
503 /**                                               515 /**
504  * ptracer_capable - Determine if the ptracer     516  * ptracer_capable - Determine if the ptracer holds CAP_SYS_PTRACE in the namespace
505  * @tsk: The task that may be ptraced             517  * @tsk: The task that may be ptraced
506  * @ns: The user namespace to search for CAP_S    518  * @ns: The user namespace to search for CAP_SYS_PTRACE in
507  *                                                519  *
508  * Return true if the task that is ptracing th    520  * Return true if the task that is ptracing the current task had CAP_SYS_PTRACE
509  * in the specified user namespace.               521  * in the specified user namespace.
510  */                                               522  */
511 bool ptracer_capable(struct task_struct *tsk,     523 bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns)
512 {                                                 524 {
513         int ret = 0;  /* An absent tracer adds    525         int ret = 0;  /* An absent tracer adds no restrictions */
514         const struct cred *cred;                  526         const struct cred *cred;
515                                                   527 
516         rcu_read_lock();                          528         rcu_read_lock();
517         cred = rcu_dereference(tsk->ptracer_cr    529         cred = rcu_dereference(tsk->ptracer_cred);
518         if (cred)                                 530         if (cred)
519                 ret = security_capable(cred, n    531                 ret = security_capable(cred, ns, CAP_SYS_PTRACE,
520                                        CAP_OPT    532                                        CAP_OPT_NOAUDIT);
521         rcu_read_unlock();                        533         rcu_read_unlock();
522         return (ret == 0);                        534         return (ret == 0);
523 }                                                 535 }
524                                                   536 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php