1 /*
2 * Copyright (c) 1997-8,2007,11,19-21 Andrew G Morgan <[email protected]>
3 *
4 * This file deals with getting and setting capabilities on processes.
5 */
6
7 #ifndef _GNU_SOURCE
8 #define _GNU_SOURCE
9 #endif
10
11 #include <errno.h>
12 #include <fcntl.h> /* Obtain O_* constant definitions */
13 #include <grp.h>
14 #include <sys/prctl.h>
15 #include <sys/securebits.h>
16 #include <sys/syscall.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <sys/wait.h>
20
21 #include "libcap.h"
22
23 /*
24 * libcap uses this abstraction for all system calls that change
25 * kernel managed capability state. This permits the user to redirect
26 * it for testing and also to better implement posix semantics when
27 * using pthreads.
28 */
29
_cap_syscall3(long int syscall_nr,long int arg1,long int arg2,long int arg3)30 static long int _cap_syscall3(long int syscall_nr,
31 long int arg1, long int arg2, long int arg3)
32 {
33 return syscall(syscall_nr, arg1, arg2, arg3);
34 }
35
_cap_syscall6(long int syscall_nr,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5,long int arg6)36 static long int _cap_syscall6(long int syscall_nr,
37 long int arg1, long int arg2, long int arg3,
38 long int arg4, long int arg5, long int arg6)
39 {
40 return syscall(syscall_nr, arg1, arg2, arg3, arg4, arg5, arg6);
41 }
42
43 /*
44 * to keep the structure of the code conceptually similar in C and Go
45 * implementations, we introduce this abstraction for invoking state
46 * writing system calls. In psx+pthreaded code, the fork
47 * implementation provided by nptl ensures that we can consistently
48 * use the multithreaded syscalls even in the child after a fork().
49 */
50 struct syscaller_s {
51 long int (*three)(long int syscall_nr,
52 long int arg1, long int arg2, long int arg3);
53 long int (*six)(long int syscall_nr,
54 long int arg1, long int arg2, long int arg3,
55 long int arg4, long int arg5, long int arg6);
56 };
57
58 /* use this syscaller for multi-threaded code */
59 static struct syscaller_s multithread = {
60 .three = _cap_syscall3,
61 .six = _cap_syscall6
62 };
63
64 /* use this syscaller for single-threaded code */
65 static struct syscaller_s singlethread = {
66 .three = _cap_syscall3,
67 .six = _cap_syscall6
68 };
69
70 /*
71 * This gets reset to 0 if we are *not* linked with libpsx.
72 */
73 static int _libcap_overrode_syscalls = 1;
74
75 /*
76 * psx_load_syscalls() is weakly defined so we can have it overridden
77 * by libpsx if that library is linked. Specifically, when libcap
78 * calls psx_load_sycalls() it is prepared to override the default
79 * values for the syscalls that libcap uses to change security state.
80 * As can be seen here this present function is mostly a
81 * no-op. However, if libpsx is linked, the one present in that
82 * library (not being weak) will replace this one and the
83 * _libcap_overrode_syscalls value isn't forced to zero.
84 *
85 * Note: we hardcode the prototype for the psx_load_syscalls()
86 * function here so the compiler isn't worried. If we force the build
87 * to include the header, we are close to requiring the optional
88 * libpsx to be linked.
89 */
90 void psx_load_syscalls(long int (**syscall_fn)(long int,
91 long int, long int, long int),
92 long int (**syscall6_fn)(long int,
93 long int, long int, long int,
94 long int, long int, long int));
95
96 __attribute__((weak))
psx_load_syscalls(long int (** syscall_fn)(long int,long int,long int,long int),long int (** syscall6_fn)(long int,long int,long int,long int,long int,long int,long int))97 void psx_load_syscalls(long int (**syscall_fn)(long int,
98 long int, long int, long int),
99 long int (**syscall6_fn)(long int,
100 long int, long int, long int,
101 long int, long int, long int))
102 {
103 _libcap_overrode_syscalls = 0;
104 }
105
106 /*
107 * cap_set_syscall overrides the state setting syscalls that libcap does.
108 * Generally, you don't need to call this manually: libcap tries hard to
109 * set things up appropriately.
110 */
cap_set_syscall(long int (* new_syscall)(long int,long int,long int,long int),long int (* new_syscall6)(long int,long int,long int,long int,long int,long int,long int))111 void cap_set_syscall(long int (*new_syscall)(long int,
112 long int, long int, long int),
113 long int (*new_syscall6)(long int, long int,
114 long int, long int,
115 long int, long int,
116 long int)) {
117 if (new_syscall == NULL) {
118 psx_load_syscalls(&multithread.three, &multithread.six);
119 } else {
120 multithread.three = new_syscall;
121 multithread.six = new_syscall6;
122 }
123 }
124
_libcap_capset(struct syscaller_s * sc,cap_user_header_t header,const cap_user_data_t data)125 static int _libcap_capset(struct syscaller_s *sc,
126 cap_user_header_t header, const cap_user_data_t data)
127 {
128 if (_libcap_overrode_syscalls) {
129 return sc->three(SYS_capset, (long int) header, (long int) data, 0);
130 }
131 return capset(header, data);
132 }
133
_libcap_wprctl3(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2)134 static int _libcap_wprctl3(struct syscaller_s *sc,
135 long int pr_cmd, long int arg1, long int arg2)
136 {
137 if (_libcap_overrode_syscalls) {
138 int result;
139 result = sc->three(SYS_prctl, pr_cmd, arg1, arg2);
140 if (result >= 0) {
141 return result;
142 }
143 errno = -result;
144 return -1;
145 }
146 return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
147 }
148
_libcap_wprctl6(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)149 static int _libcap_wprctl6(struct syscaller_s *sc,
150 long int pr_cmd, long int arg1, long int arg2,
151 long int arg3, long int arg4, long int arg5)
152 {
153 if (_libcap_overrode_syscalls) {
154 int result;
155 result = sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
156 if (result >= 0) {
157 return result;
158 }
159 errno = -result;
160 return -1;
161 }
162 return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
163 }
164
165 /*
166 * cap_get_proc obtains the capability set for the current process.
167 */
cap_get_proc(void)168 cap_t cap_get_proc(void)
169 {
170 cap_t result;
171
172 /* allocate a new capability set */
173 result = cap_init();
174 if (result) {
175 _cap_debug("getting current process' capabilities");
176
177 /* fill the capability sets via a system call */
178 if (capget(&result->head, &result->u[0].set)) {
179 cap_free(result);
180 result = NULL;
181 }
182 }
183
184 return result;
185 }
186
_cap_set_proc(struct syscaller_s * sc,cap_t cap_d)187 static int _cap_set_proc(struct syscaller_s *sc, cap_t cap_d) {
188 int retval;
189
190 if (!good_cap_t(cap_d)) {
191 errno = EINVAL;
192 return -1;
193 }
194
195 _cap_debug("setting process capabilities");
196 _cap_mu_lock(&cap_d->mutex);
197 retval = _libcap_capset(sc, &cap_d->head, &cap_d->u[0].set);
198 _cap_mu_unlock(&cap_d->mutex);
199
200 return retval;
201 }
202
cap_set_proc(cap_t cap_d)203 int cap_set_proc(cap_t cap_d)
204 {
205 return _cap_set_proc(&multithread, cap_d);
206 }
207
208 /* the following two functions are not required by POSIX */
209
210 /* read the caps on a specific process */
211
capgetp(pid_t pid,cap_t cap_d)212 int capgetp(pid_t pid, cap_t cap_d)
213 {
214 int error;
215
216 if (!good_cap_t(cap_d)) {
217 errno = EINVAL;
218 return -1;
219 }
220
221 _cap_debug("getting process capabilities for proc %d", pid);
222
223 _cap_mu_lock(&cap_d->mutex);
224 cap_d->head.pid = pid;
225 error = capget(&cap_d->head, &cap_d->u[0].set);
226 cap_d->head.pid = 0;
227 _cap_mu_unlock(&cap_d->mutex);
228
229 return error;
230 }
231
232 /* allocate space for and return capabilities of target process */
233
cap_get_pid(pid_t pid)234 cap_t cap_get_pid(pid_t pid)
235 {
236 cap_t result;
237
238 result = cap_init();
239 if (result) {
240 if (capgetp(pid, result) != 0) {
241 int my_errno;
242
243 my_errno = errno;
244 cap_free(result);
245 errno = my_errno;
246 result = NULL;
247 }
248 }
249
250 return result;
251 }
252
253 /*
254 * set the caps on a specific process/pg etc.. The kernel has long
255 * since deprecated this asynchronous interface. DON'T EXPECT THIS TO
256 * EVER WORK AGAIN.
257 */
258
capsetp(pid_t pid,cap_t cap_d)259 int capsetp(pid_t pid, cap_t cap_d)
260 {
261 int error;
262
263 if (!good_cap_t(cap_d)) {
264 errno = EINVAL;
265 return -1;
266 }
267
268 _cap_debug("setting process capabilities for proc %d", pid);
269 _cap_mu_lock(&cap_d->mutex);
270 cap_d->head.pid = pid;
271 error = capset(&cap_d->head, &cap_d->u[0].set);
272 cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
273 cap_d->head.pid = 0;
274 _cap_mu_unlock(&cap_d->mutex);
275
276 return error;
277 }
278
279 /* the kernel api requires unsigned long arguments */
280 #define pr_arg(x) ((unsigned long) x)
281
282 /* get a capability from the bounding set */
283
cap_get_bound(cap_value_t cap)284 int cap_get_bound(cap_value_t cap)
285 {
286 return prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
287 }
288
_cap_drop_bound(struct syscaller_s * sc,cap_value_t cap)289 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
290 {
291 return _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
292 }
293
294 /* drop a capability from the bounding set */
295
cap_drop_bound(cap_value_t cap)296 int cap_drop_bound(cap_value_t cap) {
297 return _cap_drop_bound(&multithread, cap);
298 }
299
300 /* get a capability from the ambient set */
301
cap_get_ambient(cap_value_t cap)302 int cap_get_ambient(cap_value_t cap)
303 {
304 int result;
305 result = prctl(PR_CAP_AMBIENT, pr_arg(PR_CAP_AMBIENT_IS_SET),
306 pr_arg(cap), pr_arg(0), pr_arg(0));
307 if (result < 0) {
308 errno = -result;
309 return -1;
310 }
311 return result;
312 }
313
_cap_set_ambient(struct syscaller_s * sc,cap_value_t cap,cap_flag_value_t set)314 static int _cap_set_ambient(struct syscaller_s *sc,
315 cap_value_t cap, cap_flag_value_t set)
316 {
317 int val;
318 switch (set) {
319 case CAP_SET:
320 val = PR_CAP_AMBIENT_RAISE;
321 break;
322 case CAP_CLEAR:
323 val = PR_CAP_AMBIENT_LOWER;
324 break;
325 default:
326 errno = EINVAL;
327 return -1;
328 }
329 return _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
330 pr_arg(0), pr_arg(0), pr_arg(0));
331 }
332
333 /*
334 * cap_set_ambient modifies a single ambient capability value.
335 */
cap_set_ambient(cap_value_t cap,cap_flag_value_t set)336 int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
337 {
338 return _cap_set_ambient(&multithread, cap, set);
339 }
340
_cap_reset_ambient(struct syscaller_s * sc)341 static int _cap_reset_ambient(struct syscaller_s *sc)
342 {
343 int olderrno = errno;
344 cap_value_t c;
345 int result = 0;
346
347 for (c = 0; !result; c++) {
348 result = cap_get_ambient(c);
349 if (result == -1) {
350 errno = olderrno;
351 return 0;
352 }
353 }
354
355 return _libcap_wprctl6(sc, PR_CAP_AMBIENT,
356 pr_arg(PR_CAP_AMBIENT_CLEAR_ALL),
357 pr_arg(0), pr_arg(0), pr_arg(0), pr_arg(0));
358 }
359
360 /*
361 * cap_reset_ambient erases all ambient capabilities - this reads the
362 * ambient caps before performing the erase to workaround the corner
363 * case where the set is empty already but the ambient cap API is
364 * locked.
365 */
cap_reset_ambient(void)366 int cap_reset_ambient(void)
367 {
368 return _cap_reset_ambient(&multithread);
369 }
370
371 /*
372 * Read the security mode of the current process.
373 */
cap_get_secbits(void)374 unsigned cap_get_secbits(void)
375 {
376 return (unsigned) prctl(PR_GET_SECUREBITS, pr_arg(0), pr_arg(0));
377 }
378
_cap_set_secbits(struct syscaller_s * sc,unsigned bits)379 static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
380 {
381 return _libcap_wprctl3(sc, PR_SET_SECUREBITS, bits, 0);
382 }
383
384 /*
385 * Set the secbits of the current process.
386 */
cap_set_secbits(unsigned bits)387 int cap_set_secbits(unsigned bits)
388 {
389 return _cap_set_secbits(&multithread, bits);
390 }
391
392 /*
393 * Attempt to raise the no new privs prctl value.
394 */
_cap_set_no_new_privs(struct syscaller_s * sc)395 static void _cap_set_no_new_privs(struct syscaller_s *sc)
396 {
397 (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
398 }
399
400 /*
401 * cap_prctl performs a prctl() 6 argument call on the current
402 * thread. Use cap_prctlw() if you want to perform a POSIX semantics
403 * prctl() system call.
404 */
cap_prctl(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)405 int cap_prctl(long int pr_cmd, long int arg1, long int arg2,
406 long int arg3, long int arg4, long int arg5)
407 {
408 return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
409 }
410
411 /*
412 * cap_prctlw performs a POSIX semantics prctl() call. That is a 6 arg
413 * prctl() call that executes on all available threads when libpsx is
414 * linked. The suffix 'w' refers to the fact one only ever needs to
415 * invoke this is if the call will write some kernel state.
416 */
cap_prctlw(long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)417 int cap_prctlw(long int pr_cmd, long int arg1, long int arg2,
418 long int arg3, long int arg4, long int arg5)
419 {
420 return _libcap_wprctl6(&multithread, pr_cmd, arg1, arg2, arg3, arg4, arg5);
421 }
422
423 /*
424 * Some predefined constants
425 */
426 #define CAP_SECURED_BITS_BASIC \
427 (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED | \
428 SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED | \
429 SECBIT_KEEP_CAPS_LOCKED)
430
431 #define CAP_SECURED_BITS_AMBIENT (CAP_SECURED_BITS_BASIC | \
432 SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)
433
434 static cap_value_t raise_cap_setpcap[] = {CAP_SETPCAP};
435
_cap_set_mode(struct syscaller_s * sc,cap_mode_t flavor)436 static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
437 {
438 int ret;
439 unsigned secbits = CAP_SECURED_BITS_AMBIENT;
440 cap_t working = cap_get_proc();
441
442 if (working == NULL) {
443 _cap_debug("getting current process' capabilities failed");
444 return -1;
445 }
446
447 ret = cap_set_flag(working, CAP_EFFECTIVE, 1, raise_cap_setpcap, CAP_SET) |
448 _cap_set_proc(sc, working);
449 if (ret == 0) {
450 cap_flag_t c;
451
452 switch (flavor) {
453 case CAP_MODE_NOPRIV:
454 /* fall through */
455 case CAP_MODE_PURE1E_INIT:
456 (void) cap_clear_flag(working, CAP_INHERITABLE);
457 /* fall through */
458 case CAP_MODE_PURE1E:
459 if (!CAP_AMBIENT_SUPPORTED()) {
460 secbits = CAP_SECURED_BITS_BASIC;
461 } else {
462 ret = _cap_reset_ambient(sc);
463 if (ret) {
464 break; /* ambient dropping failed */
465 }
466 }
467 ret = _cap_set_secbits(sc, secbits);
468 if (flavor != CAP_MODE_NOPRIV) {
469 break;
470 }
471
472 /* just for "case CAP_MODE_NOPRIV:" */
473
474 for (c = 0; cap_get_bound(c) >= 0; c++) {
475 (void) _cap_drop_bound(sc, c);
476 }
477 (void) cap_clear_flag(working, CAP_PERMITTED);
478
479 /* for good measure */
480 _cap_set_no_new_privs(sc);
481 break;
482 case CAP_MODE_HYBRID:
483 ret = _cap_set_secbits(sc, 0);
484 break;
485 default:
486 errno = EINVAL;
487 ret = -1;
488 break;
489 }
490 }
491
492 (void) cap_clear_flag(working, CAP_EFFECTIVE);
493 ret = _cap_set_proc(sc, working) | ret;
494 (void) cap_free(working);
495 return ret;
496 }
497
498 /*
499 * cap_set_mode locks the overarching capability framework of the
500 * present process and thus its children to a predefined flavor. Once
501 * set, these modes cannot be undone by the affected process tree and
502 * can only be done by "cap_setpcap" permitted processes. Note, a side
503 * effect of this function, whether it succeeds or fails, is to clear
504 * at least the CAP_EFFECTIVE flags for the current process.
505 */
cap_set_mode(cap_mode_t flavor)506 int cap_set_mode(cap_mode_t flavor)
507 {
508 return _cap_set_mode(&multithread, flavor);
509 }
510
511 /*
512 * cap_get_mode attempts to determine what the current capability mode
513 * is. If it can find no match in the libcap pre-defined modes, it
514 * returns CAP_MODE_UNCERTAIN.
515 */
cap_get_mode(void)516 cap_mode_t cap_get_mode(void)
517 {
518 unsigned secbits = cap_get_secbits();
519
520 if (secbits == 0) {
521 return CAP_MODE_HYBRID;
522 }
523 if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
524 return CAP_MODE_UNCERTAIN;
525 }
526
527 /* validate ambient is not set */
528 int olderrno = errno;
529 int ret = 0, cf;
530 cap_value_t c;
531 for (c = 0; !ret; c++) {
532 ret = cap_get_ambient(c);
533 if (ret == -1) {
534 errno = olderrno;
535 if (c && secbits != CAP_SECURED_BITS_AMBIENT) {
536 return CAP_MODE_UNCERTAIN;
537 }
538 ret = 0;
539 break;
540 }
541 if (ret) {
542 return CAP_MODE_UNCERTAIN;
543 }
544 }
545
546 /*
547 * Explore how capabilities differ from empty.
548 */
549 cap_t working = cap_get_proc();
550 cap_t empty = cap_init();
551 if (working == NULL || empty == NULL) {
552 _cap_debug("working=%p, empty=%p - need both non-NULL", working, empty);
553 ret = -1;
554 } else {
555 cf = cap_compare(empty, working);
556 }
557 cap_free(empty);
558 cap_free(working);
559 if (ret != 0) {
560 return CAP_MODE_UNCERTAIN;
561 }
562
563 if (CAP_DIFFERS(cf, CAP_INHERITABLE)) {
564 return CAP_MODE_PURE1E;
565 }
566 if (CAP_DIFFERS(cf, CAP_PERMITTED) || CAP_DIFFERS(cf, CAP_EFFECTIVE)) {
567 return CAP_MODE_PURE1E_INIT;
568 }
569
570 for (c = 0; ; c++) {
571 int v = cap_get_bound(c);
572 if (v == -1) {
573 break;
574 }
575 if (v) {
576 return CAP_MODE_PURE1E_INIT;
577 }
578 }
579
580 return CAP_MODE_NOPRIV;
581 }
582
_cap_setuid(struct syscaller_s * sc,uid_t uid)583 static int _cap_setuid(struct syscaller_s *sc, uid_t uid)
584 {
585 const cap_value_t raise_cap_setuid[] = {CAP_SETUID};
586 cap_t working = cap_get_proc();
587 if (working == NULL) {
588 return -1;
589 }
590
591 (void) cap_set_flag(working, CAP_EFFECTIVE,
592 1, raise_cap_setuid, CAP_SET);
593 /*
594 * Note, we are cognizant of not using glibc's setuid in the case
595 * that we've modified the way libcap is doing setting
596 * syscalls. This is because prctl needs to be working in a POSIX
597 * compliant way for the code below to work, so we are either
598 * all-broken or not-broken and don't allow for "sort of working".
599 */
600 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 1, 0);
601 int ret = _cap_set_proc(sc, working);
602 if (ret == 0) {
603 if (_libcap_overrode_syscalls) {
604 ret = sc->three(SYS_setuid, (long int) uid, 0, 0);
605 if (ret < 0) {
606 errno = -ret;
607 ret = -1;
608 }
609 } else {
610 ret = setuid(uid);
611 }
612 }
613 int olderrno = errno;
614 (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 0, 0);
615 (void) cap_clear_flag(working, CAP_EFFECTIVE);
616 (void) _cap_set_proc(sc, working);
617 (void) cap_free(working);
618
619 errno = olderrno;
620 return ret;
621 }
622
623 /*
624 * cap_setuid attempts to set the uid of the process without dropping
625 * any permitted capabilities in the process. A side effect of a call
626 * to this function is that the effective set will be cleared by the
627 * time the function returns.
628 */
cap_setuid(uid_t uid)629 int cap_setuid(uid_t uid)
630 {
631 return _cap_setuid(&multithread, uid);
632 }
633
634 #if defined(__arm__) || defined(__i386__) || \
635 defined(__i486__) || defined(__i586__) || defined(__i686__)
636 #define sys_setgroups_variant SYS_setgroups32
637 #else
638 #define sys_setgroups_variant SYS_setgroups
639 #endif
640
_cap_setgroups(struct syscaller_s * sc,gid_t gid,size_t ngroups,const gid_t groups[])641 static int _cap_setgroups(struct syscaller_s *sc,
642 gid_t gid, size_t ngroups, const gid_t groups[])
643 {
644 const cap_value_t raise_cap_setgid[] = {CAP_SETGID};
645 cap_t working = cap_get_proc();
646 if (working == NULL) {
647 return -1;
648 }
649
650 (void) cap_set_flag(working, CAP_EFFECTIVE,
651 1, raise_cap_setgid, CAP_SET);
652 /*
653 * Note, we are cognizant of not using glibc's setgid etc in the
654 * case that we've modified the way libcap is doing setting
655 * syscalls. This is because prctl needs to be working in a POSIX
656 * compliant way for the other functions of this file so we are
657 * all-broken or not-broken and don't allow for "sort of working".
658 */
659 int ret = _cap_set_proc(sc, working);
660 if (_libcap_overrode_syscalls) {
661 if (ret == 0) {
662 ret = sc->three(SYS_setgid, (long int) gid, 0, 0);
663 }
664 if (ret == 0) {
665 ret = sc->three(sys_setgroups_variant, (long int) ngroups,
666 (long int) groups, 0);
667 }
668 if (ret < 0) {
669 errno = -ret;
670 ret = -1;
671 }
672 } else {
673 if (ret == 0) {
674 ret = setgid(gid);
675 }
676 if (ret == 0) {
677 ret = setgroups(ngroups, groups);
678 }
679 }
680 int olderrno = errno;
681
682 (void) cap_clear_flag(working, CAP_EFFECTIVE);
683 (void) _cap_set_proc(sc, working);
684 (void) cap_free(working);
685
686 errno = olderrno;
687 return ret;
688 }
689
690 /*
691 * cap_setgroups combines setting the gid with changing the set of
692 * supplemental groups for a user into one call that raises the needed
693 * capabilities to do it for the duration of the call. A side effect
694 * of a call to this function is that the effective set will be
695 * cleared by the time the function returns.
696 */
cap_setgroups(gid_t gid,size_t ngroups,const gid_t groups[])697 int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[])
698 {
699 return _cap_setgroups(&multithread, gid, ngroups, groups);
700 }
701
702 /*
703 * cap_iab_get_proc returns a cap_iab_t value initialized by the
704 * current process state related to these iab bits.
705 */
cap_iab_get_proc(void)706 cap_iab_t cap_iab_get_proc(void)
707 {
708 cap_iab_t iab;
709 cap_t current;
710
711 iab = cap_iab_init();
712 if (iab == NULL) {
713 _cap_debug("no memory for IAB tuple");
714 return NULL;
715 }
716
717 current = cap_get_proc();
718 if (current == NULL) {
719 _cap_debug("no memory for cap_t");
720 cap_free(iab);
721 return NULL;
722 }
723
724 cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
725 cap_free(current);
726
727 cap_value_t c;
728 for (c = cap_max_bits(); c; ) {
729 --c;
730 int o = c >> 5;
731 __u32 mask = 1U << (c & 31);
732 if (cap_get_bound(c) == 0) {
733 iab->nb[o] |= mask;
734 }
735 if (cap_get_ambient(c) == 1) {
736 iab->a[o] |= mask;
737 }
738 }
739 return iab;
740 }
741
742 /*
743 * _cap_iab_set_proc sets the iab collection using the requested syscaller.
744 * The iab value is locked by the caller.
745 */
_cap_iab_set_proc(struct syscaller_s * sc,cap_iab_t iab)746 static int _cap_iab_set_proc(struct syscaller_s *sc, cap_iab_t iab)
747 {
748 int ret, i, raising = 0;
749 cap_value_t c;
750 cap_t working, temp = cap_get_proc();
751
752 if (temp == NULL) {
753 return -1;
754 }
755
756 for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
757 __u32 newI = iab->i[i];
758 __u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
759 temp->u[i].flat[CAP_PERMITTED];
760 raising |= (newI & ~oldIP) | iab->a[i] | iab->nb[i];
761 temp->u[i].flat[CAP_INHERITABLE] = newI;
762
763 }
764
765 working = cap_dup(temp);
766 if (working == NULL) {
767 ret = -1;
768 goto defer;
769 }
770 if (raising) {
771 ret = cap_set_flag(working, CAP_EFFECTIVE,
772 1, raise_cap_setpcap, CAP_SET);
773 if (ret) {
774 goto defer;
775 }
776 }
777 if ((ret = _cap_set_proc(sc, working))) {
778 goto defer;
779 }
780 if ((ret = _cap_reset_ambient(sc))) {
781 goto done;
782 }
783
784 for (c = cap_max_bits(); c-- != 0; ) {
785 unsigned offset = c >> 5;
786 __u32 mask = 1U << (c & 31);
787 if (iab->a[offset] & mask) {
788 ret = _cap_set_ambient(sc, c, CAP_SET);
789 if (ret) {
790 goto done;
791 }
792 }
793 if (iab->nb[offset] & mask) {
794 /* drop the bounding bit */
795 ret = _cap_drop_bound(sc, c);
796 if (ret) {
797 goto done;
798 }
799 }
800 }
801
802 done:
803 (void) cap_set_proc(temp);
804
805 defer:
806 cap_free(working);
807 cap_free(temp);
808
809 return ret;
810 }
811
812 /*
813 * cap_iab_set_proc sets the iab capability vectors of the current
814 * process.
815 */
cap_iab_set_proc(cap_iab_t iab)816 int cap_iab_set_proc(cap_iab_t iab)
817 {
818 int retval;
819 if (!good_cap_iab_t(iab)) {
820 errno = EINVAL;
821 return -1;
822 }
823 _cap_mu_lock(&iab->mutex);
824 retval = _cap_iab_set_proc(&multithread, iab);
825 _cap_mu_unlock(&iab->mutex);
826 return retval;
827 }
828
829 /*
830 * cap_launcher_callback primes the launcher with a callback that will
831 * be invoked after the fork() but before any privilege has changed
832 * and before the execve(). This can be used to augment the state of
833 * the child process within the cap_launch() process. You can cancel
834 * any callback associated with a launcher by calling this function
835 * with a callback_fn value NULL.
836 *
837 * If the callback function returns anything other than 0, it is
838 * considered to have failed and the launch will be aborted - further,
839 * errno will be communicated to the parent.
840 */
cap_launcher_callback(cap_launch_t attr,int (callback_fn)(void * detail))841 int cap_launcher_callback(cap_launch_t attr, int (callback_fn)(void *detail))
842 {
843 if (!good_cap_launch_t(attr)) {
844 errno = EINVAL;
845 return -1;
846 }
847 _cap_mu_lock(&attr->mutex);
848 attr->custom_setup_fn = callback_fn;
849 _cap_mu_unlock(&attr->mutex);
850 return 0;
851 }
852
853 /*
854 * cap_launcher_setuid primes the launcher to attempt a change of uid.
855 */
cap_launcher_setuid(cap_launch_t attr,uid_t uid)856 int cap_launcher_setuid(cap_launch_t attr, uid_t uid)
857 {
858 if (!good_cap_launch_t(attr)) {
859 errno = EINVAL;
860 return -1;
861 }
862 _cap_mu_lock(&attr->mutex);
863 attr->uid = uid;
864 attr->change_uids = 1;
865 _cap_mu_unlock(&attr->mutex);
866 return 0;
867 }
868
869 /*
870 * cap_launcher_setgroups primes the launcher to attempt a change of
871 * gid and groups.
872 */
cap_launcher_setgroups(cap_launch_t attr,gid_t gid,int ngroups,const gid_t * groups)873 int cap_launcher_setgroups(cap_launch_t attr, gid_t gid,
874 int ngroups, const gid_t *groups)
875 {
876 if (!good_cap_launch_t(attr)) {
877 errno = EINVAL;
878 return -1;
879 }
880 _cap_mu_lock(&attr->mutex);
881 attr->gid = gid;
882 attr->ngroups = ngroups;
883 attr->groups = groups;
884 attr->change_gids = 1;
885 _cap_mu_unlock(&attr->mutex);
886 return 0;
887 }
888
889 /*
890 * cap_launcher_set_mode primes the launcher to attempt a change of
891 * mode.
892 */
cap_launcher_set_mode(cap_launch_t attr,cap_mode_t flavor)893 int cap_launcher_set_mode(cap_launch_t attr, cap_mode_t flavor)
894 {
895 if (!good_cap_launch_t(attr)) {
896 errno = EINVAL;
897 return -1;
898 }
899 _cap_mu_lock(&attr->mutex);
900 attr->mode = flavor;
901 attr->change_mode = 1;
902 _cap_mu_unlock(&attr->mutex);
903 return 0;
904 }
905
906 /*
907 * cap_launcher_set_iab primes the launcher to attempt to change the
908 * IAB values of the launched child. The launcher locks iab while it
909 * is owned by the launcher: this prevents the user from
910 * asynchronously changing its value while it is associated with the
911 * launcher.
912 */
cap_launcher_set_iab(cap_launch_t attr,cap_iab_t iab)913 cap_iab_t cap_launcher_set_iab(cap_launch_t attr, cap_iab_t iab)
914 {
915 if (!good_cap_launch_t(attr)) {
916 errno = EINVAL;
917 return NULL;
918 }
919 _cap_mu_lock(&attr->mutex);
920 cap_iab_t old = attr->iab;
921 attr->iab = iab;
922 if (old != NULL) {
923 _cap_mu_unlock(&old->mutex);
924 }
925 if (iab != NULL) {
926 _cap_mu_lock(&iab->mutex);
927 }
928 _cap_mu_unlock(&attr->mutex);
929 return old;
930 }
931
932 /*
933 * cap_launcher_set_chroot sets the intended chroot for the launched
934 * child.
935 */
cap_launcher_set_chroot(cap_launch_t attr,const char * chroot)936 int cap_launcher_set_chroot(cap_launch_t attr, const char *chroot)
937 {
938 if (!good_cap_launch_t(attr)) {
939 errno = EINVAL;
940 return -1;
941 }
942 _cap_mu_lock(&attr->mutex);
943 attr->chroot = _libcap_strdup(chroot);
944 _cap_mu_unlock(&attr->mutex);
945 return 0;
946 }
947
_cap_chroot(struct syscaller_s * sc,const char * root)948 static int _cap_chroot(struct syscaller_s *sc, const char *root)
949 {
950 const cap_value_t raise_cap_sys_chroot[] = {CAP_SYS_CHROOT};
951 cap_t working = cap_get_proc();
952 if (working == NULL) {
953 return -1;
954 }
955
956 (void) cap_set_flag(working, CAP_EFFECTIVE,
957 1, raise_cap_sys_chroot, CAP_SET);
958 int ret = _cap_set_proc(sc, working);
959 if (ret == 0) {
960 if (_libcap_overrode_syscalls) {
961 ret = sc->three(SYS_chroot, (long int) root, 0, 0);
962 if (ret < 0) {
963 errno = -ret;
964 ret = -1;
965 }
966 } else {
967 ret = chroot(root);
968 }
969 if (ret == 0) {
970 ret = chdir("/");
971 }
972 }
973 int olderrno = errno;
974 (void) cap_clear_flag(working, CAP_EFFECTIVE);
975 (void) _cap_set_proc(sc, working);
976 (void) cap_free(working);
977
978 errno = olderrno;
979 return ret;
980 }
981
982 /*
983 * _cap_launch is invoked in the forked child, it cannot return but is
984 * required to exit, if the execve fails. It will write the errno
985 * value for any failure over the filedescriptor, fd, and exit with
986 * status 1.
987 */
988 __attribute__ ((noreturn))
_cap_launch(int fd,cap_launch_t attr,void * detail)989 static void _cap_launch(int fd, cap_launch_t attr, void *detail) {
990 struct syscaller_s *sc = &singlethread;
991 int my_errno;
992
993 if (attr->custom_setup_fn && attr->custom_setup_fn(detail)) {
994 goto defer;
995 }
996 if (attr->arg0 == NULL) {
997 /* handle the successful cap_func_launcher completion */
998 exit(0);
999 }
1000
1001 if (attr->change_uids && _cap_setuid(sc, attr->uid)) {
1002 goto defer;
1003 }
1004 if (attr->change_gids &&
1005 _cap_setgroups(sc, attr->gid, attr->ngroups, attr->groups)) {
1006 goto defer;
1007 }
1008 if (attr->change_mode && _cap_set_mode(sc, attr->mode)) {
1009 goto defer;
1010 }
1011 if (attr->iab && _cap_iab_set_proc(sc, attr->iab)) {
1012 goto defer;
1013 }
1014 if (attr->chroot != NULL && _cap_chroot(sc, attr->chroot)) {
1015 goto defer;
1016 }
1017
1018 /*
1019 * Some type wrangling to work around what the kernel API really
1020 * means: not "const char **".
1021 */
1022 const void *temp_args = attr->argv;
1023 const void *temp_envp = attr->envp;
1024
1025 execve(attr->arg0, temp_args, temp_envp);
1026 /* if the exec worked, execution will not reach here */
1027
1028 defer:
1029 /*
1030 * getting here means an error has occurred and errno is
1031 * communicated to the parent
1032 */
1033 my_errno = errno;
1034 for (;;) {
1035 int n = write(fd, &my_errno, sizeof(my_errno));
1036 if (n < 0 && errno == EAGAIN) {
1037 continue;
1038 }
1039 break;
1040 }
1041 close(fd);
1042 exit(1);
1043 }
1044
1045 /*
1046 * cap_launch performs a wrapped fork+(callback and/or exec) that
1047 * works in both an unthreaded environment and also where libcap is
1048 * linked with psx+pthreads. The function supports dropping privilege
1049 * in the forked thread, but retaining privilege in the parent
1050 * thread(s).
1051 *
1052 * When applying the IAB vector inside the fork, since the ambient set
1053 * is fragile with respect to changes in I or P, the function
1054 * carefully orders setting of these inheritable characteristics, to
1055 * make sure they stick.
1056 *
1057 * This function will return an error of -1 setting errno if the
1058 * launch failed.
1059 */
cap_launch(cap_launch_t attr,void * detail)1060 pid_t cap_launch(cap_launch_t attr, void *detail) {
1061 int my_errno;
1062 int ps[2];
1063 pid_t child;
1064
1065 if (!good_cap_launch_t(attr)) {
1066 errno = EINVAL;
1067 return -1;
1068 }
1069 _cap_mu_lock(&attr->mutex);
1070
1071 /* The launch must have a purpose */
1072 if (attr->custom_setup_fn == NULL &&
1073 (attr->arg0 == NULL || attr->argv == NULL)) {
1074 errno = EINVAL;
1075 _cap_mu_unlock_return(&attr->mutex, -1);
1076 }
1077
1078 if (pipe2(ps, O_CLOEXEC) != 0) {
1079 _cap_mu_unlock_return(&attr->mutex, -1);
1080 }
1081
1082 child = fork();
1083 my_errno = errno;
1084
1085 if (!child) {
1086 close(ps[0]);
1087 prctl(PR_SET_NAME, "cap-launcher", 0, 0, 0);
1088 _cap_launch(ps[1], attr, detail);
1089 /* no return from above function */
1090 }
1091
1092 /* child has its own copy, and parent no longer needs it locked. */
1093 _cap_mu_unlock(&attr->mutex);
1094 close(ps[1]);
1095 if (child < 0) {
1096 goto defer;
1097 }
1098
1099 /*
1100 * Extend this function's return codes to include setup failures
1101 * in the child.
1102 */
1103 for (;;) {
1104 int ignored;
1105 int n = read(ps[0], &my_errno, sizeof(my_errno));
1106 if (n == 0) {
1107 goto defer;
1108 }
1109 if (n < 0 && errno == EAGAIN) {
1110 continue;
1111 }
1112 waitpid(child, &ignored, 0);
1113 child = -1;
1114 my_errno = ECHILD;
1115 break;
1116 }
1117
1118 defer:
1119 close(ps[0]);
1120 errno = my_errno;
1121 return child;
1122 }
1123