5cd9c58fbe
Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags
the target process if that is not the current process and it is trying to
change its own flags in a different way at the same time.
__capable() is using neither atomic ops nor locking to protect t->flags. This
patch removes __capable() and introduces has_capability() that doesn't set
PF_SUPERPRIV on the process being queried.
This patch further splits security_ptrace() in two:
(1) security_ptrace_may_access(). This passes judgement on whether one
process may access another only (PTRACE_MODE_ATTACH for ptrace() and
PTRACE_MODE_READ for /proc), and takes a pointer to the child process.
current is the parent.
(2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,
and takes only a pointer to the parent process. current is the child.
In Smack and commoncap, this uses has_capability() to determine whether
the parent will be permitted to use PTRACE_ATTACH if normal checks fail.
This does not set PF_SUPERPRIV.
Two of the instances of __capable() actually only act on current, and so have
been changed to calls to capable().
Of the places that were using __capable():
(1) The OOM killer calls __capable() thrice when weighing the killability of a
process. All of these now use has_capability().
(2) cap_ptrace() and smack_ptrace() were using __capable() to check to see
whether the parent was allowed to trace any process. As mentioned above,
these have been split. For PTRACE_ATTACH and /proc, capable() is now
used, and for PTRACE_TRACEME, has_capability() is used.
(3) cap_safe_nice() only ever saw current, so now uses capable().
(4) smack_setprocattr() rejected accesses to tasks other than current just
after calling __capable(), so the order of these two tests have been
switched and capable() is used instead.
(5) In smack_file_send_sigiotask(), we need to allow privileged processes to
receive SIGIO on files they're manipulating.
(6) In smack_task_wait(), we let a process wait for a privileged process,
whether or not the process doing the waiting is privileged.
I've tested this with the LTP SELinux and syscalls testscripts.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Morris <jmorris@namei.org>
508 lines
13 KiB
C
508 lines
13 KiB
C
/*
|
|
* linux/kernel/capability.c
|
|
*
|
|
* Copyright (C) 1997 Andrew Main <zefram@fysh.org>
|
|
*
|
|
* Integrated into 2.1.97+, Andrew G. Morgan <morgan@kernel.org>
|
|
* 30 May 2002: Cleanup, Robert M. Love <rml@tech9.net>
|
|
*/
|
|
|
|
#include <linux/capability.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/module.h>
|
|
#include <linux/security.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include <asm/uaccess.h>
|
|
|
|
/*
|
|
* This lock protects task->cap_* for all tasks including current.
|
|
* Locking rule: acquire this prior to tasklist_lock.
|
|
*/
|
|
static DEFINE_SPINLOCK(task_capability_lock);
|
|
|
|
/*
|
|
* Leveraged for setting/resetting capabilities
|
|
*/
|
|
|
|
const kernel_cap_t __cap_empty_set = CAP_EMPTY_SET;
|
|
const kernel_cap_t __cap_full_set = CAP_FULL_SET;
|
|
const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET;
|
|
|
|
EXPORT_SYMBOL(__cap_empty_set);
|
|
EXPORT_SYMBOL(__cap_full_set);
|
|
EXPORT_SYMBOL(__cap_init_eff_set);
|
|
|
|
/*
|
|
* More recent versions of libcap are available from:
|
|
*
|
|
* http://www.kernel.org/pub/linux/libs/security/linux-privs/
|
|
*/
|
|
|
|
static void warn_legacy_capability_use(void)
|
|
{
|
|
static int warned;
|
|
if (!warned) {
|
|
char name[sizeof(current->comm)];
|
|
|
|
printk(KERN_INFO "warning: `%s' uses 32-bit capabilities"
|
|
" (legacy support in use)\n",
|
|
get_task_comm(name, current));
|
|
warned = 1;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Version 2 capabilities worked fine, but the linux/capability.h file
|
|
* that accompanied their introduction encouraged their use without
|
|
* the necessary user-space source code changes. As such, we have
|
|
* created a version 3 with equivalent functionality to version 2, but
|
|
* with a header change to protect legacy source code from using
|
|
* version 2 when it wanted to use version 1. If your system has code
|
|
* that trips the following warning, it is using version 2 specific
|
|
* capabilities and may be doing so insecurely.
|
|
*
|
|
* The remedy is to either upgrade your version of libcap (to 2.10+,
|
|
* if the application is linked against it), or recompile your
|
|
* application with modern kernel headers and this warning will go
|
|
* away.
|
|
*/
|
|
|
|
static void warn_deprecated_v2(void)
|
|
{
|
|
static int warned;
|
|
|
|
if (!warned) {
|
|
char name[sizeof(current->comm)];
|
|
|
|
printk(KERN_INFO "warning: `%s' uses deprecated v2"
|
|
" capabilities in a way that may be insecure.\n",
|
|
get_task_comm(name, current));
|
|
warned = 1;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Version check. Return the number of u32s in each capability flag
|
|
* array, or a negative value on error.
|
|
*/
|
|
static int cap_validate_magic(cap_user_header_t header, unsigned *tocopy)
|
|
{
|
|
__u32 version;
|
|
|
|
if (get_user(version, &header->version))
|
|
return -EFAULT;
|
|
|
|
switch (version) {
|
|
case _LINUX_CAPABILITY_VERSION_1:
|
|
warn_legacy_capability_use();
|
|
*tocopy = _LINUX_CAPABILITY_U32S_1;
|
|
break;
|
|
case _LINUX_CAPABILITY_VERSION_2:
|
|
warn_deprecated_v2();
|
|
/*
|
|
* fall through - v3 is otherwise equivalent to v2.
|
|
*/
|
|
case _LINUX_CAPABILITY_VERSION_3:
|
|
*tocopy = _LINUX_CAPABILITY_U32S_3;
|
|
break;
|
|
default:
|
|
if (put_user((u32)_KERNEL_CAPABILITY_VERSION, &header->version))
|
|
return -EFAULT;
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
|
|
|
|
/*
|
|
* Without filesystem capability support, we nominally support one process
|
|
* setting the capabilities of another
|
|
*/
|
|
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
|
|
kernel_cap_t *pIp, kernel_cap_t *pPp)
|
|
{
|
|
struct task_struct *target;
|
|
int ret;
|
|
|
|
spin_lock(&task_capability_lock);
|
|
read_lock(&tasklist_lock);
|
|
|
|
if (pid && pid != task_pid_vnr(current)) {
|
|
target = find_task_by_vpid(pid);
|
|
if (!target) {
|
|
ret = -ESRCH;
|
|
goto out;
|
|
}
|
|
} else
|
|
target = current;
|
|
|
|
ret = security_capget(target, pEp, pIp, pPp);
|
|
|
|
out:
|
|
read_unlock(&tasklist_lock);
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* cap_set_pg - set capabilities for all processes in a given process
|
|
* group. We call this holding task_capability_lock and tasklist_lock.
|
|
*/
|
|
static inline int cap_set_pg(int pgrp_nr, kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
struct task_struct *g, *target;
|
|
int ret = -EPERM;
|
|
int found = 0;
|
|
struct pid *pgrp;
|
|
|
|
spin_lock(&task_capability_lock);
|
|
read_lock(&tasklist_lock);
|
|
|
|
pgrp = find_vpid(pgrp_nr);
|
|
do_each_pid_task(pgrp, PIDTYPE_PGID, g) {
|
|
target = g;
|
|
while_each_thread(g, target) {
|
|
if (!security_capset_check(target, effective,
|
|
inheritable, permitted)) {
|
|
security_capset_set(target, effective,
|
|
inheritable, permitted);
|
|
ret = 0;
|
|
}
|
|
found = 1;
|
|
}
|
|
} while_each_pid_task(pgrp, PIDTYPE_PGID, g);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
if (!found)
|
|
ret = 0;
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* cap_set_all - set capabilities for all processes other than init
|
|
* and self. We call this holding task_capability_lock and tasklist_lock.
|
|
*/
|
|
static inline int cap_set_all(kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
struct task_struct *g, *target;
|
|
int ret = -EPERM;
|
|
int found = 0;
|
|
|
|
spin_lock(&task_capability_lock);
|
|
read_lock(&tasklist_lock);
|
|
|
|
do_each_thread(g, target) {
|
|
if (target == current
|
|
|| is_container_init(target->group_leader))
|
|
continue;
|
|
found = 1;
|
|
if (security_capset_check(target, effective, inheritable,
|
|
permitted))
|
|
continue;
|
|
ret = 0;
|
|
security_capset_set(target, effective, inheritable, permitted);
|
|
} while_each_thread(g, target);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
if (!found)
|
|
ret = 0;
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Given the target pid does not refer to the current process we
|
|
* need more elaborate support... (This support is not present when
|
|
* filesystem capabilities are configured.)
|
|
*/
|
|
static inline int do_sys_capset_other_tasks(pid_t pid, kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
struct task_struct *target;
|
|
int ret;
|
|
|
|
if (!capable(CAP_SETPCAP))
|
|
return -EPERM;
|
|
|
|
if (pid == -1) /* all procs other than current and init */
|
|
return cap_set_all(effective, inheritable, permitted);
|
|
|
|
else if (pid < 0) /* all procs in process group */
|
|
return cap_set_pg(-pid, effective, inheritable, permitted);
|
|
|
|
/* target != current */
|
|
spin_lock(&task_capability_lock);
|
|
read_lock(&tasklist_lock);
|
|
|
|
target = find_task_by_vpid(pid);
|
|
if (!target)
|
|
ret = -ESRCH;
|
|
else {
|
|
ret = security_capset_check(target, effective, inheritable,
|
|
permitted);
|
|
|
|
/* having verified that the proposed changes are legal,
|
|
we now put them into effect. */
|
|
if (!ret)
|
|
security_capset_set(target, effective, inheritable,
|
|
permitted);
|
|
}
|
|
|
|
read_unlock(&tasklist_lock);
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
return ret;
|
|
}
|
|
|
|
#else /* ie., def CONFIG_SECURITY_FILE_CAPABILITIES */
|
|
|
|
/*
|
|
* If we have configured with filesystem capability support, then the
|
|
* only thing that can change the capabilities of the current process
|
|
* is the current process. As such, we can't be in this code at the
|
|
* same time as we are in the process of setting capabilities in this
|
|
* process. The net result is that we can limit our use of locks to
|
|
* when we are reading the caps of another process.
|
|
*/
|
|
static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
|
|
kernel_cap_t *pIp, kernel_cap_t *pPp)
|
|
{
|
|
int ret;
|
|
|
|
if (pid && (pid != task_pid_vnr(current))) {
|
|
struct task_struct *target;
|
|
|
|
spin_lock(&task_capability_lock);
|
|
read_lock(&tasklist_lock);
|
|
|
|
target = find_task_by_vpid(pid);
|
|
if (!target)
|
|
ret = -ESRCH;
|
|
else
|
|
ret = security_capget(target, pEp, pIp, pPp);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
spin_unlock(&task_capability_lock);
|
|
} else
|
|
ret = security_capget(current, pEp, pIp, pPp);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* With filesystem capability support configured, the kernel does not
|
|
* permit the changing of capabilities in one process by another
|
|
* process. (CAP_SETPCAP has much less broad semantics when configured
|
|
* this way.)
|
|
*/
|
|
static inline int do_sys_capset_other_tasks(pid_t pid,
|
|
kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
return -EPERM;
|
|
}
|
|
|
|
#endif /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
|
|
|
|
/*
|
|
* Atomically modify the effective capabilities returning the original
|
|
* value. No permission check is performed here - it is assumed that the
|
|
* caller is permitted to set the desired effective capabilities.
|
|
*/
|
|
kernel_cap_t cap_set_effective(const kernel_cap_t pE_new)
|
|
{
|
|
kernel_cap_t pE_old;
|
|
|
|
spin_lock(&task_capability_lock);
|
|
|
|
pE_old = current->cap_effective;
|
|
current->cap_effective = pE_new;
|
|
|
|
spin_unlock(&task_capability_lock);
|
|
|
|
return pE_old;
|
|
}
|
|
|
|
EXPORT_SYMBOL(cap_set_effective);
|
|
|
|
/**
|
|
* sys_capget - get the capabilities of a given process.
|
|
* @header: pointer to struct that contains capability version and
|
|
* target pid data
|
|
* @dataptr: pointer to struct that contains the effective, permitted,
|
|
* and inheritable capabilities that are returned
|
|
*
|
|
* Returns 0 on success and < 0 on error.
|
|
*/
|
|
asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
|
|
{
|
|
int ret = 0;
|
|
pid_t pid;
|
|
unsigned tocopy;
|
|
kernel_cap_t pE, pI, pP;
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
if (get_user(pid, &header->pid))
|
|
return -EFAULT;
|
|
|
|
if (pid < 0)
|
|
return -EINVAL;
|
|
|
|
ret = cap_get_target_pid(pid, &pE, &pI, &pP);
|
|
|
|
if (!ret) {
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
unsigned i;
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
kdata[i].effective = pE.cap[i];
|
|
kdata[i].permitted = pP.cap[i];
|
|
kdata[i].inheritable = pI.cap[i];
|
|
}
|
|
|
|
/*
|
|
* Note, in the case, tocopy < _KERNEL_CAPABILITY_U32S,
|
|
* we silently drop the upper capabilities here. This
|
|
* has the effect of making older libcap
|
|
* implementations implicitly drop upper capability
|
|
* bits when they perform a: capget/modify/capset
|
|
* sequence.
|
|
*
|
|
* This behavior is considered fail-safe
|
|
* behavior. Upgrading the application to a newer
|
|
* version of libcap will enable access to the newer
|
|
* capabilities.
|
|
*
|
|
* An alternative would be to return an error here
|
|
* (-ERANGE), but that causes legacy applications to
|
|
* unexpectidly fail; the capget/modify/capset aborts
|
|
* before modification is attempted and the application
|
|
* fails.
|
|
*/
|
|
if (copy_to_user(dataptr, kdata, tocopy
|
|
* sizeof(struct __user_cap_data_struct))) {
|
|
return -EFAULT;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* sys_capset - set capabilities for a process or (*) a group of processes
|
|
* @header: pointer to struct that contains capability version and
|
|
* target pid data
|
|
* @data: pointer to struct that contains the effective, permitted,
|
|
* and inheritable capabilities
|
|
*
|
|
* Set capabilities for a given process, all processes, or all
|
|
* processes in a given process group.
|
|
*
|
|
* The restrictions on setting capabilities are specified as:
|
|
*
|
|
* [pid is for the 'target' task. 'current' is the calling task.]
|
|
*
|
|
* I: any raised capabilities must be a subset of the (old current) permitted
|
|
* P: any raised capabilities must be a subset of the (old current) permitted
|
|
* E: must be set to a subset of (new target) permitted
|
|
*
|
|
* Returns 0 on success and < 0 on error.
|
|
*/
|
|
asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
|
|
{
|
|
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
|
unsigned i, tocopy;
|
|
kernel_cap_t inheritable, permitted, effective;
|
|
int ret;
|
|
pid_t pid;
|
|
|
|
ret = cap_validate_magic(header, &tocopy);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
if (get_user(pid, &header->pid))
|
|
return -EFAULT;
|
|
|
|
if (copy_from_user(&kdata, data, tocopy
|
|
* sizeof(struct __user_cap_data_struct))) {
|
|
return -EFAULT;
|
|
}
|
|
|
|
for (i = 0; i < tocopy; i++) {
|
|
effective.cap[i] = kdata[i].effective;
|
|
permitted.cap[i] = kdata[i].permitted;
|
|
inheritable.cap[i] = kdata[i].inheritable;
|
|
}
|
|
while (i < _KERNEL_CAPABILITY_U32S) {
|
|
effective.cap[i] = 0;
|
|
permitted.cap[i] = 0;
|
|
inheritable.cap[i] = 0;
|
|
i++;
|
|
}
|
|
|
|
if (pid && (pid != task_pid_vnr(current)))
|
|
ret = do_sys_capset_other_tasks(pid, &effective, &inheritable,
|
|
&permitted);
|
|
else {
|
|
/*
|
|
* This lock is required even when filesystem
|
|
* capability support is configured - it protects the
|
|
* sys_capget() call from returning incorrect data in
|
|
* the case that the targeted process is not the
|
|
* current one.
|
|
*/
|
|
spin_lock(&task_capability_lock);
|
|
|
|
ret = security_capset_check(current, &effective, &inheritable,
|
|
&permitted);
|
|
/*
|
|
* Having verified that the proposed changes are
|
|
* legal, we now put them into effect.
|
|
*/
|
|
if (!ret)
|
|
security_capset_set(current, &effective, &inheritable,
|
|
&permitted);
|
|
spin_unlock(&task_capability_lock);
|
|
}
|
|
|
|
|
|
return ret;
|
|
}
|
|
|
|
/**
|
|
* capable - Determine if the current task has a superior capability in effect
|
|
* @cap: The capability to be tested for
|
|
*
|
|
* Return true if the current task has the given superior capability currently
|
|
* available for use, false if not.
|
|
*
|
|
* This sets PF_SUPERPRIV on the task if the capability is available on the
|
|
* assumption that it's about to be used.
|
|
*/
|
|
int capable(int cap)
|
|
{
|
|
if (has_capability(current, cap)) {
|
|
current->flags |= PF_SUPERPRIV;
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(capable);
|