
1 // SPDX-License-Identifier: GPL-2.0-or-later
34 * If a non-root user executes a setuid-root binary in
37 * the file capabilities to be applied, and the setuid-root
39 * to get full privilege on a kernel without file capabilities
48 printk(KERN_INFO "warning: `%s' has both setuid-root and" in warn_setuid_and_fcaps_mixed()
56 * cap_capable_helper - Determine whether a task has a particular effective
61 * @cap: The capability to check for
64 * its effective set, returning 0 if it does, -ve if it does not.
71 int cap) in cap_capable_helper()
82 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; in cap_capable_helper()
88 if (ns->level <= cred_ns->level) in cap_capable_helper()
89 return -EPERM; in cap_capable_helper()
95 if ((ns->parent == cred_ns) && uid_eq(ns->owner, cred->euid)) in cap_capable_helper()
102 ns = ns->parent; in cap_capable_helper()
105 /* We never get here */ in cap_capable_helper()
109 * cap_capable - Determine whether a task has a particular effective capability
112 * @cap: The capability to check for
116 * its effective set, returning 0 if it does, -ve if it does not.
124 int cap, unsigned int opts) in cap_capable()
126 const struct user_namespace *cred_ns = cred->user_ns; in cap_capable()
127 int ret = cap_capable_helper(cred, target_ns, cred_ns, cap); in cap_capable()
129 trace_cap_capable(cred, target_ns, cred_ns, cap, ret); in cap_capable()
134 * cap_settime - Determine whether the current process may set the system clock
139 * information, returning 0 if permission granted, -ve if denied.
144 return -EPERM; in cap_settime()
149 * cap_ptrace_access_check - Determine whether the current process may access
161 * granted, -ve if denied.
173 caller_caps = &cred->cap_effective; in cap_ptrace_access_check()
175 caller_caps = &cred->cap_permitted; in cap_ptrace_access_check()
176 if (cred->user_ns == child_cred->user_ns && in cap_ptrace_access_check()
177 cap_issubset(child_cred->cap_permitted, *caller_caps)) in cap_ptrace_access_check()
179 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) in cap_ptrace_access_check()
181 ret = -EPERM; in cap_ptrace_access_check()
188 * cap_ptrace_traceme - Determine whether another process may trace the current
198 * process, returning 0 if permission is granted, -ve if denied.
208 if (cred->user_ns == child_cred->user_ns && in cap_ptrace_traceme()
209 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) in cap_ptrace_traceme()
211 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE)) in cap_ptrace_traceme()
213 ret = -EPERM; in cap_ptrace_traceme()
220 * cap_capget - Retrieve a task's capability sets
237 *effective = cred->cap_effective; in cap_capget()
238 *inheritable = cred->cap_inheritable; in cap_capget()
239 *permitted = cred->cap_permitted; in cap_capget()
253 if (cap_capable(current_cred(), current_cred()->user_ns, in cap_inh_is_capped()
260 * cap_capset - Validate and apply proposed changes to current's capabilities
279 cap_combine(old->cap_inheritable, in cap_capset()
280 old->cap_permitted))) in cap_capset()
282 return -EPERM; in cap_capset()
285 cap_combine(old->cap_inheritable, in cap_capset()
286 old->cap_bset))) in cap_capset()
288 return -EPERM; in cap_capset()
291 if (!cap_issubset(*permitted, old->cap_permitted)) in cap_capset()
292 return -EPERM; in cap_capset()
296 return -EPERM; in cap_capset()
298 new->cap_effective = *effective; in cap_capset()
299 new->cap_inheritable = *inheritable; in cap_capset()
300 new->cap_permitted = *permitted; in cap_capset()
306 new->cap_ambient = cap_intersect(new->cap_ambient, in cap_capset()
310 return -EINVAL; in cap_capset()
315 * cap_inode_need_killpriv - Determine if inode change affects privileges
335 * cap_inode_killpriv - Erase the security markings on an inode
340 * Erase the privilege-enhancing security markings on an inode.
345 * permissions. On non-idmapped mounts or if permission checking is to be
348 * Return: 0 if successful, -ve on error.
355 if (error == -EOPNOTSUPP) in cap_inode_killpriv()
369 for (ns = current_user_ns();; ns = ns->parent) { in rootid_owns_currentns()
384 static bool is_v2header(int size, const struct vfs_cap_data *cap) in is_v2header() argument
388 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2; in is_v2header()
391 static bool is_v3header(int size, const struct vfs_cap_data *cap) in is_v3header() argument
395 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3; in is_v3header()
402 * This gives us a chance to read the on-disk value and convert it. If we
403 * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
406 * by the integrity subsystem, which really wants the unconverted values -
419 struct vfs_cap_data *cap; in cap_inode_getsecurity() local
425 return -EOPNOTSUPP; in cap_inode_getsecurity()
429 return -EINVAL; in cap_inode_getsecurity()
437 fs_ns = inode->i_sb->s_user_ns; in cap_inode_getsecurity()
438 cap = (struct vfs_cap_data *) tmpbuf; in cap_inode_getsecurity()
439 if (is_v2header(size, cap)) { in cap_inode_getsecurity()
441 } else if (is_v3header(size, cap)) { in cap_inode_getsecurity()
443 root = le32_to_cpu(nscap->rootid); in cap_inode_getsecurity()
445 size = -EINVAL; in cap_inode_getsecurity()
457 if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) { in cap_inode_getsecurity()
461 /* v2 -> v3 conversion */ in cap_inode_getsecurity()
464 size = -ENOMEM; in cap_inode_getsecurity()
468 magic = le32_to_cpu(cap->magic_etc); in cap_inode_getsecurity()
471 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_inode_getsecurity()
472 nscap->magic_etc = cpu_to_le32(nsmagic); in cap_inode_getsecurity()
477 nscap->rootid = cpu_to_le32(mappedroot); in cap_inode_getsecurity()
484 size = -EOVERFLOW; in cap_inode_getsecurity()
492 /* v3 -> v2 conversion */ in cap_inode_getsecurity()
493 cap = kzalloc(size, GFP_ATOMIC); in cap_inode_getsecurity()
494 if (!cap) { in cap_inode_getsecurity()
495 size = -ENOMEM; in cap_inode_getsecurity()
499 nsmagic = le32_to_cpu(nscap->magic_etc); in cap_inode_getsecurity()
502 memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_inode_getsecurity()
503 cap->magic_etc = cpu_to_le32(magic); in cap_inode_getsecurity()
508 *buffer = cap; in cap_inode_getsecurity()
516 * rootid_from_xattr - translate root uid of vfs caps
529 rootid = le32_to_cpu(nscap->rootid); in rootid_from_xattr()
534 static bool validheader(size_t size, const struct vfs_cap_data *cap) in validheader() argument
536 return is_v2header(size, cap) || is_v3header(size, cap); in validheader()
540 * cap_convert_nscap - check vfs caps
553 * permissions. On non-idmapped mounts or if permission checking is to be
563 const struct vfs_cap_data *cap = *ivalue; in cap_convert_nscap() local
567 *fs_ns = inode->i_sb->s_user_ns; in cap_convert_nscap()
573 return -EINVAL; in cap_convert_nscap()
574 if (!validheader(size, cap)) in cap_convert_nscap()
575 return -EINVAL; in cap_convert_nscap()
577 return -EPERM; in cap_convert_nscap()
579 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP)) in cap_convert_nscap()
585 return -EINVAL; in cap_convert_nscap()
589 return -EINVAL; in cap_convert_nscap()
592 if (nsrootid == -1) in cap_convert_nscap()
593 return -EINVAL; in cap_convert_nscap()
598 return -ENOMEM; in cap_convert_nscap()
599 nscap->rootid = cpu_to_le32(nsrootid); in cap_convert_nscap()
601 magic = le32_to_cpu(cap->magic_etc); in cap_convert_nscap()
604 nscap->magic_etc = cpu_to_le32(nsmagic); in cap_convert_nscap()
605 memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32); in cap_convert_nscap()
620 struct cred *new = bprm->cred; in bprm_caps_from_vfs_caps()
623 if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE) in bprm_caps_from_vfs_caps()
626 if (caps->magic_etc & VFS_CAP_REVISION_MASK) in bprm_caps_from_vfs_caps()
633 new->cap_permitted.val = in bprm_caps_from_vfs_caps()
634 (new->cap_bset.val & caps->permitted.val) | in bprm_caps_from_vfs_caps()
635 (new->cap_inheritable.val & caps->inheritable.val); in bprm_caps_from_vfs_caps()
637 if (caps->permitted.val & ~new->cap_permitted.val) in bprm_caps_from_vfs_caps()
639 ret = -EPERM; in bprm_caps_from_vfs_caps()
644 * missing some "forced" (aka file-permitted) capabilities. in bprm_caps_from_vfs_caps()
650 * get_vfs_caps_from_disk - retrieve vfs caps from disk
656 * Extract the on-exec-apply capability sets for an executable file.
661 * permissions. On non-idmapped mounts or if permission checking is to be
680 return -ENODATA; in get_vfs_caps_from_disk()
682 fs_ns = inode->i_sb->s_user_ns; in get_vfs_caps_from_disk()
685 if (size == -ENODATA || size == -EOPNOTSUPP) in get_vfs_caps_from_disk()
687 return -ENODATA; in get_vfs_caps_from_disk()
693 return -EINVAL; in get_vfs_caps_from_disk()
695 cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc); in get_vfs_caps_from_disk()
701 return -EINVAL; in get_vfs_caps_from_disk()
705 return -EINVAL; in get_vfs_caps_from_disk()
709 return -EINVAL; in get_vfs_caps_from_disk()
710 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid)); in get_vfs_caps_from_disk()
714 return -EINVAL; in get_vfs_caps_from_disk()
719 return -ENODATA; in get_vfs_caps_from_disk()
725 return -ENODATA; in get_vfs_caps_from_disk()
727 cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted); in get_vfs_caps_from_disk()
728 cpu_caps->inheritable.val = le32_to_cpu(caps->data[0].inheritable); in get_vfs_caps_from_disk()
731 * Rev1 had just a single 32-bit word, later expanded in get_vfs_caps_from_disk()
735 cpu_caps->permitted.val += (u64)le32_to_cpu(caps->data[1].permitted) << 32; in get_vfs_caps_from_disk()
736 cpu_caps->inheritable.val += (u64)le32_to_cpu(caps->data[1].inheritable) << 32; in get_vfs_caps_from_disk()
739 cpu_caps->permitted.val &= CAP_VALID_MASK; in get_vfs_caps_from_disk()
740 cpu_caps->inheritable.val &= CAP_VALID_MASK; in get_vfs_caps_from_disk()
742 cpu_caps->rootid = vfsuid_into_kuid(rootvfsuid); in get_vfs_caps_from_disk()
748 * Attempt to get the on-exec apply capability sets for an executable file from
758 cap_clear(bprm->cred->cap_permitted); in get_file_caps()
763 if (!mnt_may_suid(file->f_path.mnt)) in get_file_caps()
771 if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns)) in get_file_caps()
775 file->f_path.dentry, &vcaps); in get_file_caps()
777 if (rc == -EINVAL) in get_file_caps()
779 bprm->filename); in get_file_caps()
780 else if (rc == -ENODATA) in get_file_caps()
789 cap_clear(bprm->cred->cap_permitted); in get_file_caps()
797 { return uid_eq(cred->uid, uid); } in __is_real()
800 { return uid_eq(cred->euid, uid); } in __is_eff()
806 * handle_privileged_root - Handle case of privileged root
821 struct cred *new = bprm->cred; in handle_privileged_root()
827 * for a setuid root binary run by a non-root user. Do set it in handle_privileged_root()
831 warn_setuid_and_fcaps_mixed(bprm->filename); in handle_privileged_root()
835 * To support inheritance of root-permissions and suid-root in handle_privileged_root()
841 new->cap_permitted = cap_combine(old->cap_bset, in handle_privileged_root()
842 old->cap_inheritable); in handle_privileged_root()
852 !cap_issubset(target->cap_##field, source->cap_##field)
854 !cap_issubset(cred->cap_##target, cred->cap_##source)
856 cap_issubset(CAP_FULL_SET, cred->cap_##field)
859 { return !uid_eq(new->euid, old->uid); } in __is_setuid()
862 { return !gid_eq(new->egid, old->gid); } in __is_setgid()
865 * 1) Audit candidate if current->cap_effective is set
878 * 3) non-setuid root gets fcaps
879 * 4) non-setuid root gets ambient
904 * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
909 * constructed by execve(). The proposed creds in @bprm->cred is altered,
912 * Return: 0 if successful, -ve on error.
918 struct cred *new = bprm->cred; in cap_bprm_creds_from_file()
924 return -EPERM; in cap_bprm_creds_from_file()
930 root_uid = make_kuid(new->user_ns, 0); in cap_bprm_creds_from_file()
936 bprm->per_clear |= PER_CLEAR_ON_SETID; in cap_bprm_creds_from_file()
941 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. in cap_bprm_creds_from_file()
946 ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) || in cap_bprm_creds_from_file()
947 !ptracer_capable(current, new->user_ns))) { in cap_bprm_creds_from_file()
948 /* downgrade; they get no more than they had, and maybe less */ in cap_bprm_creds_from_file()
949 if (!ns_capable(new->user_ns, CAP_SETUID) || in cap_bprm_creds_from_file()
950 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { in cap_bprm_creds_from_file()
951 new->euid = new->uid; in cap_bprm_creds_from_file()
952 new->egid = new->gid; in cap_bprm_creds_from_file()
954 new->cap_permitted = cap_intersect(new->cap_permitted, in cap_bprm_creds_from_file()
955 old->cap_permitted); in cap_bprm_creds_from_file()
958 new->suid = new->fsuid = new->euid; in cap_bprm_creds_from_file()
959 new->sgid = new->fsgid = new->egid; in cap_bprm_creds_from_file()
963 cap_clear(new->cap_ambient); in cap_bprm_creds_from_file()
969 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); in cap_bprm_creds_from_file()
976 new->cap_effective = new->cap_permitted; in cap_bprm_creds_from_file()
978 new->cap_effective = new->cap_ambient; in cap_bprm_creds_from_file()
981 return -EPERM; in cap_bprm_creds_from_file()
989 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_bprm_creds_from_file()
992 return -EPERM; in cap_bprm_creds_from_file()
994 /* Check for privilege-elevated exec. */ in cap_bprm_creds_from_file()
999 bprm->secureexec = 1; in cap_bprm_creds_from_file()
1005 * cap_inode_setxattr - Determine whether an xattr may be altered
1013 * permission is granted, -ve if denied.
1015 * This is used to make sure security xattrs don't get updated or set by those
1021 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; in cap_inode_setxattr()
1023 /* Ignore non-security xattrs */ in cap_inode_setxattr()
1036 return -EPERM; in cap_inode_setxattr()
1041 * cap_inode_removexattr - Determine whether an xattr may be removed
1048 * permission is granted, -ve if denied.
1053 * permissions. On non-idmapped mounts or if permission checking is to be
1056 * This is used to make sure security xattrs don't get removed by those who
1062 struct user_namespace *user_ns = dentry->d_sb->s_user_ns; in cap_inode_removexattr()
1064 /* Ignore non-security xattrs */ in cap_inode_removexattr()
1073 return -EINVAL; in cap_inode_removexattr()
1075 return -EPERM; in cap_inode_removexattr()
1080 return -EPERM; in cap_inode_removexattr()
1101 * -astor
1103 * cevans - New behaviour, Oct '99
1115 kuid_t root_uid = make_kuid(old->user_ns, 0); in cap_emulate_setxuid()
1117 if ((uid_eq(old->uid, root_uid) || in cap_emulate_setxuid()
1118 uid_eq(old->euid, root_uid) || in cap_emulate_setxuid()
1119 uid_eq(old->suid, root_uid)) && in cap_emulate_setxuid()
1120 (!uid_eq(new->uid, root_uid) && in cap_emulate_setxuid()
1121 !uid_eq(new->euid, root_uid) && in cap_emulate_setxuid()
1122 !uid_eq(new->suid, root_uid))) { in cap_emulate_setxuid()
1124 cap_clear(new->cap_permitted); in cap_emulate_setxuid()
1125 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1129 * Pre-ambient programs expect setresuid to nonroot followed in cap_emulate_setxuid()
1133 cap_clear(new->cap_ambient); in cap_emulate_setxuid()
1135 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1136 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1137 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1138 new->cap_effective = new->cap_permitted; in cap_emulate_setxuid()
1142 * cap_task_fix_setuid - Fix up the results of setuid() call
1150 * Return: 0 to grant the changes, -ve to deny them.
1168 * FIXME - is fsuser used for all CAP_FS_MASK capabilities? in cap_task_fix_setuid()
1172 kuid_t root_uid = make_kuid(old->user_ns, 0); in cap_task_fix_setuid()
1173 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1174 new->cap_effective = in cap_task_fix_setuid()
1175 cap_drop_fs_set(new->cap_effective); in cap_task_fix_setuid()
1177 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1178 new->cap_effective = in cap_task_fix_setuid()
1179 cap_raise_fs_set(new->cap_effective, in cap_task_fix_setuid()
1180 new->cap_permitted); in cap_task_fix_setuid()
1185 return -EINVAL; in cap_task_fix_setuid()
1206 is_subset = cap_issubset(__task_cred(p)->cap_permitted, in cap_safe_nice()
1207 current_cred()->cap_permitted); in cap_safe_nice()
1208 if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) in cap_safe_nice()
1209 ret = -EPERM; in cap_safe_nice()
1216 * cap_task_setscheduler - Determine if scheduler policy change is permitted
1222 * Return: 0 if permission is granted, -ve if denied.
1230 * cap_task_setioprio - Determine if I/O priority change is permitted
1237 * Return: 0 if permission is granted, -ve if denied.
1245 * cap_task_setnice - Determine if task priority change is permitted
1252 * Return: 0 if permission is granted, -ve if denied.
1261 * the current task's bounding set. Returns 0 on success, -ve on error.
1263 static int cap_prctl_drop(unsigned long cap) in cap_prctl_drop() argument
1268 return -EPERM; in cap_prctl_drop()
1269 if (!cap_valid(cap)) in cap_prctl_drop()
1270 return -EINVAL; in cap_prctl_drop()
1274 return -ENOMEM; in cap_prctl_drop()
1275 cap_lower(new->cap_bset, cap); in cap_prctl_drop()
1280 * cap_task_prctl - Implement process control functions for this security module
1290 * Return: 0 or +ve on success, -ENOSYS if this function is not implemented
1291 * here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM
1303 return -EINVAL; in cap_task_prctl()
1304 return !!cap_raised(old->cap_bset, arg2); in cap_task_prctl()
1313 * capabilities only - as the POSIX.1e draft intended. in cap_task_prctl()
1326 * capability-based-privilege environment. in cap_task_prctl()
1329 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1) in cap_task_prctl()
1330 & (old->securebits ^ arg2)) /*[1]*/ in cap_task_prctl()
1331 || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ in cap_task_prctl()
1340 return -EPERM; in cap_task_prctl()
1349 if (cap_capable(current_cred(), current_cred()->user_ns, in cap_task_prctl()
1354 const unsigned long changed = old->securebits ^ arg2; in cap_task_prctl()
1356 /* For legacy reason, denies non-change. */ in cap_task_prctl()
1358 return -EPERM; in cap_task_prctl()
1362 return -EPERM; in cap_task_prctl()
1367 return -ENOMEM; in cap_task_prctl()
1368 new->securebits = arg2; in cap_task_prctl()
1372 return old->securebits; in cap_task_prctl()
1379 return -EINVAL; in cap_task_prctl()
1381 return -EPERM; in cap_task_prctl()
1385 return -ENOMEM; in cap_task_prctl()
1387 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1389 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1395 return -EINVAL; in cap_task_prctl()
1399 return -ENOMEM; in cap_task_prctl()
1400 cap_clear(new->cap_ambient); in cap_task_prctl()
1405 return -EINVAL; in cap_task_prctl()
1408 return !!cap_raised(current_cred()->cap_ambient, arg3); in cap_task_prctl()
1411 return -EINVAL; in cap_task_prctl()
1414 (!cap_raised(current_cred()->cap_permitted, arg3) || in cap_task_prctl()
1415 !cap_raised(current_cred()->cap_inheritable, in cap_task_prctl()
1418 return -EPERM; in cap_task_prctl()
1422 return -ENOMEM; in cap_task_prctl()
1424 cap_raise(new->cap_ambient, arg3); in cap_task_prctl()
1426 cap_lower(new->cap_ambient, arg3); in cap_task_prctl()
1431 /* No functionality available - continue with default */ in cap_task_prctl()
1432 return -ENOSYS; in cap_task_prctl()
1437 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1453 * cap_mmap_addr - check if able to map given addr
1460 * Return: 0 if this mapping should be allowed or -EPERM if not.
1471 current->flags |= PF_SUPERPRIV; in cap_mmap_addr()