^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    1) // SPDX-License-Identifier: GPL-2.0-or-later
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    2) /* Common capabilities, needed by capability.o.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    3)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    4) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    5) #include <linux/capability.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    6) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    7) #include <linux/init.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    8) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300    9) #include <linux/lsm_hooks.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   10) #include <linux/file.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   11) #include <linux/mm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   12) #include <linux/mman.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   13) #include <linux/pagemap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   14) #include <linux/swap.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   15) #include <linux/skbuff.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   16) #include <linux/netlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   17) #include <linux/ptrace.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   18) #include <linux/xattr.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   19) #include <linux/hugetlb.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   20) #include <linux/mount.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   21) #include <linux/sched.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   22) #include <linux/prctl.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   23) #include <linux/securebits.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   24) #include <linux/user_namespace.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   25) #include <linux/binfmts.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   26) #include <linux/personality.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   27) 
/*
 * A setuid-root binary executed by a non-root user in !secure(SECURE_NOROOT)
 * mode normally has its capabilities raised.  When the file also carries
 * effective file capabilities (fE set), the intent is taken to be "apply
 * only the file capabilities": the setuid bit is then there either to
 * change the uid (plausible) or to keep working on a kernel without
 * file-capability support, so no extra capabilities are raised.
 *
 * Report that situation once per boot.  The guard is a plain static with
 * no locking, so two racing first callers could both print; that is
 * accepted for a one-off informational message.
 */
static void warn_setuid_and_fcaps_mixed(const char *fname)
{
	static int already_warned;

	if (already_warned)
		return;

	printk(KERN_INFO "warning: `%s' has both setuid-root and"
		" effective capabilities. Therefore not raising all"
		" capabilities.\n", fname);
	already_warned = 1;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   49) 
/**
 * cap_capable - Determine whether a task has a particular effective capability
 * @cred: The credentials to use
 * @targ_ns: The user namespace in which we need the capability
 * @cap: The capability to check for
 * @opts: Bitmask of options defined in include/linux/security.h (not
 *        consulted by this implementation)
 *
 * Walk from @targ_ns up through its ancestors and decide whether @cred
 * holds @cap there.  Returns 0 if it does, -EPERM if it does not.
 *
 * Three outcomes are possible on the walk:
 *  - reaching @cred's own namespace: the answer is whether @cap is in
 *    @cred's effective set;
 *  - dropping to or below the level of @cred's namespace without meeting
 *    it: @cred's namespace is not an ancestor of @targ_ns, so deny;
 *  - reaching a namespace whose parent is @cred's namespace and whose
 *    owner equals @cred's euid: the owner of a child namespace holds every
 *    capability over it, so grant.
 *
 * NOTE WELL: the return convention is the reverse of the kernel's capable()
 * and has_capability().  This function returns 0 when the capability is
 * held, where those return 1 for the same case.
 */
int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
		int cap, unsigned int opts)
{
	struct user_namespace *ns;

	/* A capability held in a parent ns applies to all its descendants,
	 * so climb from the target namespace towards the root.
	 */
	for (ns = targ_ns; ; ns = ns->parent) {
		/* Reached the namespace the credentials live in. */
		if (ns == cred->user_ns)
			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;

		/*
		 * Already at or below cred's level without having met its
		 * namespace: cred cannot be an ancestor of targ_ns.
		 */
		if (ns->level <= cred->user_ns->level)
			return -EPERM;

		/* The owner of a direct child namespace has all caps in it. */
		if (ns->parent == cred->user_ns && uid_eq(ns->owner, cred->euid))
			return 0;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  102) 
/**
 * cap_settime - Determine whether the current process may set the system clock
 * @ts: The time to set (not consulted)
 * @tz: The timezone to set (not consulted)
 *
 * The decision rests solely on whether current holds CAP_SYS_TIME; the
 * proposed values themselves are not examined.
 *
 * Returns 0 if permission is granted, -EPERM if denied.
 */
int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
{
	return capable(CAP_SYS_TIME) ? 0 : -EPERM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  117) 
/**
 * cap_ptrace_access_check - Determine whether the current process may access
 *			   another
 * @child: The process to be accessed
 * @mode: The mode of attachment (PTRACE_MODE_* bits)
 *
 * Access is granted when either:
 *  - current and @child share a user_ns and every capability in @child's
 *    permitted set is also in the caller's set (the caller's effective set
 *    when PTRACE_MODE_FSCREDS is given, its permitted set otherwise); or
 *  - current holds CAP_SYS_PTRACE in @child's user_ns.
 * Otherwise access is denied.
 *
 * ns_capable() is only consulted when the same-namespace subset test fails.
 * Both credential pointers are read under rcu_read_lock().
 *
 * Returns 0 if permission is granted, -EPERM if denied.
 */
int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
	const struct cred *tracer, *tracee;
	const kernel_cap_t *tracer_caps;
	bool allowed;

	rcu_read_lock();
	tracer = current_cred();
	tracee = __task_cred(child);

	/* FSCREDS mode compares against the tracer's effective set. */
	tracer_caps = (mode & PTRACE_MODE_FSCREDS) ? &tracer->cap_effective
						   : &tracer->cap_permitted;

	/* Short-circuit keeps ns_capable() from running when not needed. */
	allowed = (tracer->user_ns == tracee->user_ns &&
		   cap_issubset(tracee->cap_permitted, *tracer_caps)) ||
		  ns_capable(tracee->user_ns, CAP_SYS_PTRACE);
	rcu_read_unlock();

	return allowed ? 0 : -EPERM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  156) 
/**
 * cap_ptrace_traceme - Determine whether another process may trace the current
 * @parent: The task proposed to be the tracer
 *
 * Access is granted when either:
 *  - @parent and current share a user_ns and every capability in current's
 *    permitted set is also in @parent's permitted set; or
 *  - @parent holds CAP_SYS_PTRACE in current's user_ns.
 * Otherwise access is denied.
 *
 * has_ns_capability() is only consulted when the same-namespace subset
 * test fails.  Both credential pointers are read under rcu_read_lock().
 *
 * Returns 0 if permission is granted, -EPERM if denied.
 */
int cap_ptrace_traceme(struct task_struct *parent)
{
	const struct cred *tracer, *tracee;
	bool allowed;

	rcu_read_lock();
	tracer = __task_cred(parent);
	tracee = current_cred();

	/* Short-circuit keeps has_ns_capability() from running when not needed. */
	allowed = (tracer->user_ns == tracee->user_ns &&
		   cap_issubset(tracee->cap_permitted, tracer->cap_permitted)) ||
		  has_ns_capability(parent, tracee->user_ns, CAP_SYS_PTRACE);
	rcu_read_unlock();

	return allowed ? 0 : -EPERM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  188) 
/**
 * cap_capget - Retrieve a task's capability sets
 * @target: The task from which to retrieve the capability sets
 * @effective: Where to store the effective set
 * @inheritable: Where to store the inheritable set
 * @permitted: Where to store the permitted set
 *
 * Copy the three capability sets out of @target's credentials.  The
 * credential pointer is obtained and dereferenced under rcu_read_lock().
 *
 * Always returns 0.
 */
int cap_capget(struct task_struct *target, kernel_cap_t *effective,
	       kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	const struct cred *tcred;

	/* Derived from kernel/capability.c:sys_capget. */
	rcu_read_lock();
	tcred = __task_cred(target);
	*permitted   = tcred->cap_permitted;
	*inheritable = tcred->cap_inheritable;
	*effective   = tcred->cap_effective;
	rcu_read_unlock();

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  213) 
/*
 * Determine whether the inheritable capabilities are limited to the old
 * permitted set.  Returns 1 if they are limited, 0 if they are not.
 *
 * They are limited unless current holds CAP_SETPCAP in its own user
 * namespace.  Note cap_capable() returns 0 when the capability IS held,
 * so a non-zero result there means "capped".
 */
static inline int cap_inh_is_capped(void)
{
	const struct cred *cred = current_cred();

	return cap_capable(cred, cred->user_ns, CAP_SETPCAP, CAP_OPT_NONE) != 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  228) 
/**
 * cap_capset - Validate and apply proposed changes to current's capabilities
 * @new: The proposed new credentials; alterations should be made here
 * @old: The current task's current credentials
 * @effective: A pointer to the proposed new effective capabilities set
 * @inheritable: A pointer to the proposed new inheritable capabilities set
 * @permitted: A pointer to the proposed new permitted capabilities set
 *
 * Validate a proposed mass change to current's capability sets and, if it
 * passes, write the new sets into @new; the caller of the LSM hook commits
 * @new.  The checks, in order:
 *  1. unless current may bypass it (holds CAP_SETPCAP), pI may not grow
 *     beyond old pI | old pP;
 *  2. pI may never grow beyond old pI | old bounding set;
 *  3. the new pP must be a subset of the old pP;
 *  4. the new pE must be a subset of the new pP.
 * No field of @new is written before all four checks pass.  Afterwards,
 * ambient bits that are no longer both permitted and inheritable are
 * dropped and the ambient invariant is re-verified.
 *
 * Returns 0 on success, -EPERM if a check fails, or -EINVAL (with a
 * WARN_ON) if the ambient invariant does not hold after the update.
 */
int cap_capset(struct cred *new,
	       const struct cred *old,
	       const kernel_cap_t *effective,
	       const kernel_cap_t *inheritable,
	       const kernel_cap_t *permitted)
{
	kernel_cap_t inh_limit_capped, inh_limit_bset;

	/* 1: incapable of using this inheritable set */
	inh_limit_capped = cap_combine(old->cap_inheritable, old->cap_permitted);
	if (cap_inh_is_capped() && !cap_issubset(*inheritable, inh_limit_capped))
		return -EPERM;

	/* 2: no new pI capabilities outside the bounding set */
	inh_limit_bset = cap_combine(old->cap_inheritable, old->cap_bset);
	if (!cap_issubset(*inheritable, inh_limit_bset))
		return -EPERM;

	/* 3: the new Permitted set may only shrink */
	if (!cap_issubset(*permitted, old->cap_permitted))
		return -EPERM;

	/* 4: the new Effective set must fit inside the new Permitted set */
	if (!cap_issubset(*effective, *permitted))
		return -EPERM;

	new->cap_effective   = *effective;
	new->cap_inheritable = *inheritable;
	new->cap_permitted   = *permitted;

	/* Ambient bits must remain both permitted and inheritable. */
	new->cap_ambient = cap_intersect(new->cap_ambient,
					 cap_intersect(*permitted, *inheritable));

	if (WARN_ON(!cap_ambient_invariant_ok(new)))
		return -EINVAL;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  283) 
/**
 * cap_inode_need_killpriv - Determine if inode change affects privileges
 * @dentry: The inode/dentry being changed with a change marked ATTR_KILL_PRIV
 *
 * Probe for a security.capability xattr on the inode's backing inode with
 * a NULL buffer and size 0 under XATTR_NOSECURITY, i.e. asking only for the
 * attribute's length.
 *
 * Returns 1 if the xattr has a value (positive length), meaning
 * inode_killpriv() is required; 0 otherwise, which includes the case
 * where the lookup reports an error (negative return).
 */
int cap_inode_need_killpriv(struct dentry *dentry)
{
	int len = __vfs_getxattr(dentry, d_backing_inode(dentry), XATTR_NAME_CAPS,
				 NULL, 0, XATTR_NOSECURITY);

	return len > 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  304) 
/**
 * cap_inode_killpriv - Erase the security markings on an inode
 * @dentry: The inode/dentry to alter
 *
 * Remove the security.capability xattr from the inode.  A removal that
 * reports -EOPNOTSUPP is mapped to success; every other error from
 * __vfs_removexattr() is passed through.
 *
 * Returns 0 if successful, -ve on error.
 */
int cap_inode_killpriv(struct dentry *dentry)
{
	int err = __vfs_removexattr(dentry, XATTR_NAME_CAPS);

	return err == -EOPNOTSUPP ? 0 : err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  322) 
/*
 * Does @kroot map to uid 0 in the current user namespace or in any of its
 * ancestors?  An invalid kuid never does.  The walk stops at init_user_ns,
 * which is never climbed past.
 */
static bool rootid_owns_currentns(kuid_t kroot)
{
	struct user_namespace *ns;

	if (!uid_valid(kroot))
		return false;

	ns = current_user_ns();
	while (from_kuid(ns, kroot) != 0) {
		/* init_user_ns is the root of the tree; nothing above it. */
		if (ns == &init_user_ns)
			return false;
		ns = ns->parent;
	}

	return true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  339) 
/* Strip the VFS_CAP_FLAGS_EFFECTIVE bit from a magic_etc word, leaving the
 * revision number for comparison.
 */
static __u32 sansflags(__u32 m)
{
	const __u32 flag_bits = VFS_CAP_FLAGS_EFFECTIVE;

	return m & ~flag_bits;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  344) 
/* True only if @size is exactly the v2 xattr size and, with the effective
 * flag masked off, the magic word is VFS_CAP_REVISION_2.  The size test runs
 * first so @cap is not read when the length is wrong.
 */
static bool is_v2header(size_t size, const struct vfs_cap_data *cap)
{
	return size == XATTR_CAPS_SZ_2 &&
	       sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  351) 
/* True only if @size is exactly the v3 xattr size and, with the effective
 * flag masked off, the magic word is VFS_CAP_REVISION_3.  The size test runs
 * first so @cap is not read when the length is wrong.
 */
static bool is_v3header(size_t size, const struct vfs_cap_data *cap)
{
	return size == XATTR_CAPS_SZ_3 &&
	       sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  358) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  359) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  360)  * getsecurity: We are called for security.* before any attempt to read the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  361)  * xattr from the inode itself.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  362)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  363)  * This gives us a chance to read the on-disk value and convert it.  If we
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  364)  * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  365)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  366)  * Note we are not called by vfs_getxattr_alloc(), but that is only called
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  367)  * by the integrity subsystem, which really wants the unconverted values -
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  368)  * so that's good.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  369)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  370) int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  371) 			  bool alloc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  372) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  373) 	int size, ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  374) 	kuid_t kroot;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  375) 	u32 nsmagic, magic;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  376) 	uid_t root, mappedroot;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  377) 	char *tmpbuf = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  378) 	struct vfs_cap_data *cap;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  379) 	struct vfs_ns_cap_data *nscap = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  380) 	struct dentry *dentry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  381) 	struct user_namespace *fs_ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  382) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  383) 	if (strcmp(name, "capability") != 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  384) 		return -EOPNOTSUPP;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  385) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  386) 	dentry = d_find_any_alias(inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  387) 	if (!dentry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  388) 		return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  389) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  390) 	size = sizeof(struct vfs_ns_cap_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  391) 	ret = (int) vfs_getxattr_alloc(dentry, XATTR_NAME_CAPS,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  392) 				 &tmpbuf, size, GFP_NOFS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  393) 	dput(dentry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  394) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  395) 	if (ret < 0 || !tmpbuf)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  396) 		return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  397) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  398) 	fs_ns = inode->i_sb->s_user_ns;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  399) 	cap = (struct vfs_cap_data *) tmpbuf;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  400) 	if (is_v2header((size_t) ret, cap)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  401) 		root = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  402) 	} else if (is_v3header((size_t) ret, cap)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  403) 		nscap = (struct vfs_ns_cap_data *) tmpbuf;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  404) 		root = le32_to_cpu(nscap->rootid);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  405) 	} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  406) 		size = -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  407) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  408) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  409) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  410) 	kroot = make_kuid(fs_ns, root);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  411) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  412) 	/* If the root kuid maps to a valid uid in current ns, then return
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  413) 	 * this as a nscap. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  414) 	mappedroot = from_kuid(current_user_ns(), kroot);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  415) 	if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  416) 		size = sizeof(struct vfs_ns_cap_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  417) 		if (alloc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  418) 			if (!nscap) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  419) 				/* v2 -> v3 conversion */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  420) 				nscap = kzalloc(size, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  421) 				if (!nscap) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  422) 					size = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  423) 					goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  424) 				}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  425) 				nsmagic = VFS_CAP_REVISION_3;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  426) 				magic = le32_to_cpu(cap->magic_etc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  427) 				if (magic & VFS_CAP_FLAGS_EFFECTIVE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  428) 					nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  429) 				memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  430) 				nscap->magic_etc = cpu_to_le32(nsmagic);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  431) 			} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  432) 				/* use allocated v3 buffer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  433) 				tmpbuf = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  434) 			}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  435) 			nscap->rootid = cpu_to_le32(mappedroot);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  436) 			*buffer = nscap;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  437) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  438) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  439) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  440) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  441) 	if (!rootid_owns_currentns(kroot)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  442) 		size = -EOVERFLOW;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  443) 		goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  444) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  445) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  446) 	/* This comes from a parent namespace.  Return as a v2 capability */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  447) 	size = sizeof(struct vfs_cap_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  448) 	if (alloc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  449) 		if (nscap) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  450) 			/* v3 -> v2 conversion */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  451) 			cap = kzalloc(size, GFP_ATOMIC);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  452) 			if (!cap) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  453) 				size = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  454) 				goto out_free;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  455) 			}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  456) 			magic = VFS_CAP_REVISION_2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  457) 			nsmagic = le32_to_cpu(nscap->magic_etc);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  458) 			if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  459) 				magic |= VFS_CAP_FLAGS_EFFECTIVE;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  460) 			memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  461) 			cap->magic_etc = cpu_to_le32(magic);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  462) 		} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  463) 			/* use unconverted v2 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  464) 			tmpbuf = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  465) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  466) 		*buffer = cap;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  467) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  468) out_free:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  469) 	kfree(tmpbuf);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  470) 	return size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  471) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  472) 
/*
 * rootid_from_xattr - Extract the rootid a security.capability value names
 * @value: the raw xattr payload
 * @size: its length in bytes
 * @task_ns: the user namespace the rootid is interpreted in
 *
 * Only a v3 payload (exactly XATTR_CAPS_SZ_3 bytes) carries a rootid; any
 * other size yields uid 0.  The caller is expected to have validated the
 * header already.  Returns the kuid, which may be invalid if @task_ns has
 * no mapping for it.
 */
static kuid_t rootid_from_xattr(const void *value, size_t size,
				struct user_namespace *task_ns)
{
	uid_t rootid = 0;

	if (size == XATTR_CAPS_SZ_3) {
		const struct vfs_ns_cap_data *nscap = value;

		rootid = le32_to_cpu(nscap->rootid);
	}

	return make_kuid(task_ns, rootid);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  484) 
/*
 * validheader - Is this an exactly sized v2 or v3 security.capability value?
 * @size: payload length in bytes
 * @cap: the payload, interpreted through its common v2 prefix
 *
 * v1 payloads are not accepted for writes.
 */
static bool validheader(size_t size, const struct vfs_cap_data *cap)
{
	if (is_v2header(size, cap))
		return true;

	return is_v3header(size, cap);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  489) 
/*
 * cap_convert_nscap - Validate and rewrite a write of security.capability
 * @dentry: Target of the setxattr
 * @ivalue: In/out: the caller's value buffer.  On success it is replaced by
 *          a freshly allocated v3 payload and the original buffer is
 *          released with kvfree(), so it must be kvfree()-compatible.
 * @size: Length of the incoming value in bytes
 *
 * User requested a write of security.capability.  Reject malformed or
 * unprivileged writes; otherwise rewrite the payload so that the stored
 * rootid is expressed in the filesystem's user namespace.  A v2 value from
 * a caller without CAP_SETFCAP in that namespace is upgraded to v3, and a
 * v3 value has its rootid translated from the caller's namespace.
 *
 * If all is ok, we return the new size, on error return < 0: -EINVAL for a
 * bad header or an unmappable rootid, -EPERM without CAP_SETFCAP over the
 * inode, -ENOMEM on allocation failure.
 */
int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
{
	struct vfs_ns_cap_data *nscap;
	uid_t nsrootid;
	const struct vfs_cap_data *cap = *ivalue;
	__u32 magic, nsmagic;
	struct inode *inode = d_backing_inode(dentry);
	struct user_namespace *task_ns = current_user_ns(),
		*fs_ns = inode->i_sb->s_user_ns;
	kuid_t rootid;
	size_t newsize;

	if (!*ivalue)
		return -EINVAL;
	/* Only an exactly sized v2 or v3 payload is accepted. */
	if (!validheader(size, cap))
		return -EINVAL;
	/*
	 * capable_wrt_inode_uidgid() also requires the inode's owner to be
	 * mapped in the caller's namespace, not merely CAP_SETFCAP there.
	 */
	if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
		return -EPERM;
	if (size == XATTR_CAPS_SZ_2)
		if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
			/* user is privileged, just write the v2 */
			return size;

	/*
	 * A v2 value means "root of the caller's namespace"; a v3 value
	 * carries an explicit rootid, also read in the caller's namespace.
	 */
	rootid = rootid_from_xattr(*ivalue, size, task_ns);
	if (!uid_valid(rootid))
		return -EINVAL;

	/* The rootid we store must be expressible in the filesystem's ns. */
	nsrootid = from_kuid(fs_ns, rootid);
	if (nsrootid == -1)
		return -EINVAL;

	newsize = sizeof(struct vfs_ns_cap_data);
	nscap = kmalloc(newsize, GFP_ATOMIC);
	if (!nscap)
		return -ENOMEM;
	nscap->rootid = cpu_to_le32(nsrootid);
	/*
	 * Force the revision to v3 and carry over only the effective flag
	 * from the original magic word; the capability data words are copied
	 * unchanged, since the memcpy below covers the same layout in both
	 * revisions.
	 */
	nsmagic = VFS_CAP_REVISION_3;
	magic = le32_to_cpu(cap->magic_etc);
	if (magic & VFS_CAP_FLAGS_EFFECTIVE)
		nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
	nscap->magic_etc = cpu_to_le32(nsmagic);
	memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);

	/* Ownership of the value buffer transfers to us here. */
	kvfree(*ivalue);
	*ivalue = nscap;
	return newsize;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  543) 
/*
 * bprm_caps_from_vfs_caps - Derive the new permitted set from file caps
 * @caps: decoded file capability sets (cpu byte order)
 * @bprm: the exec in progress; its proposed cred is modified in place
 * @effective: set to true if the file's effective flag is on
 * @has_fcap: set to true if the file carries any capability revision
 *
 * Computes, per 32-bit word, pP' = (X & fP) | (pI & fI) where X is the
 * bounding set and pI the inheritable set of the proposed cred.  The
 * addition of pA' is handled later.
 *
 * Returns -EPERM if the file's effective flag is set and some
 * file-permitted bit could not be granted (a legacy binary would run
 * with fewer capabilities than it assumes); otherwise 0.
 */
static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
					  struct linux_binprm *bprm,
					  bool *effective,
					  bool *has_fcap)
{
	struct cred *new = bprm->cred;
	bool insufficient = false;
	unsigned i;

	if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
		*effective = true;

	if (caps->magic_etc & VFS_CAP_REVISION_MASK)
		*has_fcap = true;

	CAP_FOR_EACH_U32(i) {
		const __u32 fP = caps->permitted.cap[i];
		const __u32 fI = caps->inheritable.cap[i];
		__u32 *pP = &new->cap_permitted.cap[i];

		/* pP' = (X & fP) | (pI & fI) */
		*pP = (new->cap_bset.cap[i] & fP) |
		      (new->cap_inheritable.cap[i] & fI);

		/* a file-permitted bit that did not make it into pP' */
		if (fP & ~*pP)
			insufficient = true;
	}

	/*
	 * Only legacy apps (effective flag set) are refused: they have no way
	 * to notice that some "forced" file-permitted caps are missing.
	 */
	return (*effective && insufficient) ? -EPERM : 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  587) 
/*
 * get_vfs_caps_from_disk - Extract the on-exec-apply capability sets for an
 *                          executable file.
 * @dentry: the executable's dentry
 * @cpu_caps: output; zeroed first, filled in on success only
 *
 * Reads security.capability into a stack buffer large enough for the
 * largest (v3) layout, checks that the on-disk size exactly matches the
 * revision named in the magic word, and converts the little-endian words
 * to cpu order.
 *
 * Returns 0 on success; -ENODATA if there is no xattr, the filesystem does
 * not support xattrs, or the rootid does not own the current user
 * namespace (callers treat all three as "no file caps"); -EINVAL for a
 * malformed payload; any other negative errno from __vfs_getxattr().
 */
int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
{
	struct inode *inode = d_backing_inode(dentry);
	__u32 magic_etc;
	unsigned tocopy, i;
	int size;
	struct vfs_ns_cap_data data, *nscaps = &data;
	struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
	kuid_t rootkuid;
	struct user_namespace *fs_ns;

	/* Every error path leaves the caller with empty sets. */
	memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));

	if (!inode)
		return -ENODATA;

	fs_ns = inode->i_sb->s_user_ns;
	size = __vfs_getxattr((struct dentry *)dentry, inode,
			      XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ,
			      XATTR_NOSECURITY);
	if (size == -ENODATA || size == -EOPNOTSUPP)
		/* no data, that's ok */
		return -ENODATA;

	if (size < 0)
		return size;

	/*
	 * Need at least the magic word before touching it.  size is
	 * non-negative here, so the signed/unsigned comparison is safe.
	 */
	if (size < sizeof(magic_etc))
		return -EINVAL;

	cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);

	/* v1 and v2 payloads carry no rootid: they belong to root of fs_ns. */
	rootkuid = make_kuid(fs_ns, 0);
	/*
	 * Each revision must be exactly its own size.  Besides rejecting
	 * garbage, this guarantees nothing is read from the stack buffer
	 * beyond the bytes __vfs_getxattr() actually filled in.
	 */
	switch (magic_etc & VFS_CAP_REVISION_MASK) {
	case VFS_CAP_REVISION_1:
		if (size != XATTR_CAPS_SZ_1)
			return -EINVAL;
		tocopy = VFS_CAP_U32_1;
		break;
	case VFS_CAP_REVISION_2:
		if (size != XATTR_CAPS_SZ_2)
			return -EINVAL;
		tocopy = VFS_CAP_U32_2;
		break;
	case VFS_CAP_REVISION_3:
		if (size != XATTR_CAPS_SZ_3)
			return -EINVAL;
		tocopy = VFS_CAP_U32_3;
		/* v3 names its own rootid, interpreted in fs_ns. */
		rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
		break;

	default:
		return -EINVAL;
	}
	/* Limit the caps to the mounter of the filesystem
	 * or the more limited uid specified in the xattr.
	 */
	if (!rootid_owns_currentns(rootkuid))
		return -ENODATA;

	/* Copy only the words this revision defines; the rest stay zero. */
	CAP_FOR_EACH_U32(i) {
		if (i >= tocopy)
			break;
		cpu_caps->permitted.cap[i] = le32_to_cpu(caps->data[i].permitted);
		cpu_caps->inheritable.cap[i] = le32_to_cpu(caps->data[i].inheritable);
	}

	/* Drop bits in the last word that do not correspond to a known cap. */
	cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
	cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;

	cpu_caps->rootid = rootkuid;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  665) 
/*
 * get_file_caps - Apply an executable's file capabilities to the new creds
 * @bprm: the exec in progress; bprm->cred->cap_permitted is rewritten
 * @file: the executable being run
 * @effective: set if the file's effective flag is on
 * @has_fcap: set if the file carries any capability xattr
 *
 * The proposed permitted set starts out empty and stays empty when file
 * caps are globally disabled, the mount is nosuid, the current task is
 * outside the filesystem's user namespace, or no usable xattr exists.
 * Returns 0 in all of those cases, a negative errno if the xattr could
 * not be read or (via bprm_caps_from_vfs_caps()) could not be honoured;
 * on error the permitted set is cleared again.
 */
static int get_file_caps(struct linux_binprm *bprm, struct file *file,
			 bool *effective, bool *has_fcap)
{
	struct cpu_vfs_cap_data vcaps;
	int rc;

	cap_clear(bprm->cred->cap_permitted);

	if (!file_caps_enabled || !mnt_may_suid(file->f_path.mnt))
		return 0;

	/*
	 * Redundant with mnt_may_suid(), but kept so it is explicit that
	 * capability bits are limited to s_user_ns and its descendants.
	 */
	if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
		return 0;

	rc = get_vfs_caps_from_disk(file->f_path.dentry, &vcaps);
	if (rc == -ENODATA)
		return 0;
	if (rc == -EINVAL)
		printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
				bprm->filename);
	if (rc >= 0)
		rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);

	if (rc)
		cap_clear(bprm->cred->cap_permitted);

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  711) 
/* Does root keep its implicit privilege, i.e. SECURE_NOROOT is not set? */
static inline bool root_privileged(void)
{
	return issecure(SECURE_NOROOT) ? false : true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  713) 
/* Is @uid the real uid of @cred? */
static inline bool __is_real(kuid_t uid, struct cred *cred)
{
	return uid_eq(uid, cred->uid);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  716) 
/* Is @uid the effective uid of @cred? */
static inline bool __is_eff(kuid_t uid, struct cred *cred)
{
	return uid_eq(uid, cred->euid);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  719) 
/* Has @cred become @uid via set-uid, i.e. effective is @uid but real is not? */
static inline bool __is_suid(kuid_t uid, struct cred *cred)
{
	return __is_eff(uid, cred) && !__is_real(uid, cred);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  722) 
/*
 * handle_privileged_root - Handle case of privileged root
 * @bprm: The execution parameters, including the proposed creds
 * @has_fcap: Are any file capabilities set?
 * @effective: Do we have effective root privilege?
 * @root_uid: This namespace' root UID WRT initial USER namespace
 *
 * Handle the case where root is privileged and hasn't been neutered by
 * SECURE_NOROOT.  If file capabilities are set, they won't be combined with
 * set UID root and nothing is changed.  If we are root, cap_permitted is
 * updated.  If we have become set UID root, the effective bit is set.
 *
 * The permitted set granted to root comes from the *current* cred's
 * bounding and inheritable sets, not from the file, so a reduced bounding
 * set still constrains a root exec.
 */
static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
				   bool *effective, kuid_t root_uid)
{
	const struct cred *old = current_cred();
	struct cred *new = bprm->cred;

	if (!root_privileged())
		return;
	/*
	 * If the legacy file capability is set, then don't set privs
	 * for a setuid root binary run by a non-root user.  Do set it
	 * for a root user just to cause least surprise to an admin.
	 */
	if (has_fcap && __is_suid(root_uid, new)) {
		warn_setuid_and_fcaps_mixed(bprm->filename);
		return;
	}
	/*
	 * To support inheritance of root-permissions and suid-root
	 * executables under compatibility mode, we override the
	 * capability sets for the file.
	 */
	if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
		/* pP' = (cap_bset & ~0) | (pI & ~0) */
		new->cap_permitted = cap_combine(old->cap_bset,
						 old->cap_inheritable);
	}
	/*
	 * If only the real uid is 0, we do not set the effective bit.
	 */
	if (__is_eff(root_uid, new))
		*effective = true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  768) 
/* True if @target's cap_<field> holds a bit that @source's cap_<field> lacks. */
#define __cap_gained(field, target, source) \
	!cap_issubset(target->cap_##field, source->cap_##field)
/* True if @cred's cap_<target> holds a bit that its own cap_<source> lacks. */
#define __cap_grew(target, source, cred) \
	!cap_issubset(cred->cap_##target, cred->cap_##source)
/* True if @cred's cap_<field> contains every capability. */
#define __cap_full(field, cred) \
	cap_issubset(CAP_FULL_SET, cred->cap_##field)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  775) 
/* Will the exec change the effective uid away from the caller's real uid? */
static inline bool __is_setuid(struct cred *new, const struct cred *old)
{
	return uid_eq(old->uid, new->euid) ? false : true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  778) 
/* Will the exec change the effective gid away from the caller's real gid? */
static inline bool __is_setgid(struct cred *new, const struct cred *old)
{
	return gid_eq(old->gid, new->egid) ? false : true;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  781) 
/*
 * nonroot_raised_pE - Should this exec be audited as a privilege change?
 * @new: the proposed creds
 * @old: the caller's current creds
 * @root: root's kuid in the new cred's user namespace
 * @has_fcap: whether the file carried capabilities
 *
 * Audit when any of these hold:
 *   1) pE grew beyond pA -- unless pE is full, the task is (or became)
 *      root, and root is privileged, which is just a normal root exec.
 *      A non-full bset can still trip this, and that is worth auditing.
 *   2) privileged root: a setuid-root exec did not end up with all caps
 *   3) a non-setuid exec gained permitted caps from file capabilities
 *   4) a non-setuid exec gained ambient caps
 */
static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
				     kuid_t root, bool has_fcap)
{
	bool is_root = __is_eff(root, new) || __is_real(root, new);
	bool plain_root_exec = __cap_full(effective, new) && is_root &&
			       root_privileged();
	bool raised_pE = __cap_grew(effective, ambient, new) && !plain_root_exec;
	bool suid_root_limited = root_privileged() && __is_suid(root, new) &&
				 !__cap_full(effective, new);
	bool nonsetuid_gained = !__is_setuid(new, old) &&
				((has_fcap && __cap_gained(permitted, new, old)) ||
				 __cap_gained(ambient, new, old));

	return raised_pE || suid_root_limited || nonsetuid_gained;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  820) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  821) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  822)  * cap_bprm_creds_from_file - Set up the proposed credentials for execve().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  823)  * @bprm: The execution parameters, including the proposed creds
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  824)  * @file: The file to pull the credentials from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  825)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  826)  * Set up the proposed credentials for a new execution context being
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  827)  * constructed by execve().  The proposed creds in @bprm->cred is altered,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  828)  * which won't take effect immediately.  Returns 0 if successful, -ve on error.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  829)  */
int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file)
{
	/* Process setpcap binaries and capabilities for uid 0 */
	const struct cred *old = current_cred();
	struct cred *new = bprm->cred;
	bool effective = false, has_fcap = false, is_setid;
	int ret;
	kuid_t root_uid;

	/* The caller's own creds must already satisfy the ambient invariant;
	 * a violation here is a kernel-side inconsistency, hence WARN_ON
	 * rather than a silent -EPERM. */
	if (WARN_ON(!cap_ambient_invariant_ok(old)))
		return -EPERM;

	/* Load the file's capability bits (the fE/fP/fI of the formulas
	 * below) into @new; @effective and @has_fcap report what was found. */
	ret = get_file_caps(bprm, file, &effective, &has_fcap);
	if (ret < 0)
		return ret;

	/* "root" is judged in the target user namespace, not the initial one. */
	root_uid = make_kuid(new->user_ns, 0);

	handle_privileged_root(bprm, has_fcap, &effective, root_uid);

	/* if we have fs caps, clear dangerous personality flags */
	if (__cap_gained(permitted, new, old))
		bprm->per_clear |= PER_CLEAR_ON_SETID;

	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
	 * credentials unless they have the appropriate permit.
	 *
	 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
	 */
	is_setid = __is_setuid(new, old) || __is_setgid(new, old);

	if ((is_setid || __cap_gained(permitted, new, old)) &&
	    ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
	     !ptracer_capable(current, new->user_ns))) {
		/* downgrade; they get no more than they had, and maybe less */
		if (!ns_capable(new->user_ns, CAP_SETUID) ||
		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
			new->euid = new->uid;
			new->egid = new->gid;
		}
		/* pP' may only shrink relative to the caller's pP here. */
		new->cap_permitted = cap_intersect(new->cap_permitted,
						   old->cap_permitted);
	}

	/* Saved and filesystem ids track the (possibly downgraded) effective ids. */
	new->suid = new->fsuid = new->euid;
	new->sgid = new->fsgid = new->egid;

	/* File caps or setid cancels ambient. */
	if (has_fcap || is_setid)
		cap_clear(new->cap_ambient);

	/*
	 * Now that we've computed pA', update pP' to give:
	 *   pP' = (X & fP) | (pI & fI) | pA'
	 */
	new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);

	/*
	 * Set pE' = (fE ? pP' : pA').  Because pA' is zero if fE is set,
	 * this is the same as pE' = (fE ? pP' : 0) | pA'.
	 */
	if (effective)
		new->cap_effective = new->cap_permitted;
	else
		new->cap_effective = new->cap_ambient;

	/* Re-validate the invariant on the proposed creds now that all three
	 * sets have been derived. */
	if (WARN_ON(!cap_ambient_invariant_ok(new)))
		return -EPERM;

	/* A non-root exec that ends up with a raised pE is logged; a failed
	 * audit write aborts the exec rather than proceeding unrecorded. */
	if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
		ret = audit_log_bprm_fcaps(bprm, new, old);
		if (ret < 0)
			return ret;
	}

	/* KEEP_CAPS is a per-process opt-in (see PR_SET_KEEPCAPS) and does
	 * not survive exec. */
	new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);

	if (WARN_ON(!cap_ambient_invariant_ok(new)))
		return -EPERM;

	/* Check for privilege-elevated exec.  secureexec marks the transition
	 * as privileged for the loader (consumed outside this file). */
	if (is_setid ||
	    (!__is_real(root_uid, new) &&
	     (effective ||
	      __cap_grew(permitted, ambient, new))))
		bprm->secureexec = 1;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  919) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  920) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  921)  * cap_inode_setxattr - Determine whether an xattr may be altered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  922)  * @dentry: The inode/dentry being altered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  923)  * @name: The name of the xattr to be changed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  924)  * @value: The value that the xattr will be changed to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  925)  * @size: The size of value
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  926)  * @flags: The replacement flag
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  927)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  928)  * Determine whether an xattr may be altered or set on an inode, returning 0 if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  929)  * permission is granted, -ve if denied.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  930)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  931)  * This is used to make sure security xattrs don't get updated or set by those
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  932)  * who aren't privileged to do so.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  933)  */
int cap_inode_setxattr(struct dentry *dentry, const char *name,
		       const void *value, size_t size, int flags)
{
	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
	bool is_security_xattr;

	/* Only names under the security.* prefix are policed here; anything
	 * else is left to other hooks and to DAC. */
	is_security_xattr = strncmp(name, XATTR_SECURITY_PREFIX,
				    XATTR_SECURITY_PREFIX_LEN) == 0;
	if (!is_security_xattr)
		return 0;

	/*
	 * security.capability is deliberately not gated on CAP_SYS_ADMIN
	 * here: its own (namespace-aware) check is done in
	 * cap_convert_nscap(), called by setxattr().
	 */
	if (strcmp(name, XATTR_NAME_CAPS) == 0)
		return 0;

	/* Every other security.* attribute requires CAP_SYS_ADMIN in the
	 * superblock's user namespace. */
	return ns_capable(user_ns, CAP_SYS_ADMIN) ? 0 : -EPERM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  955) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  956) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  957)  * cap_inode_removexattr - Determine whether an xattr may be removed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  958)  * @dentry: The inode/dentry being altered
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  959)  * @name: The name of the xattr to be changed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  960)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  961)  * Determine whether an xattr may be removed from an inode, returning 0 if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  962)  * permission is granted, -ve if denied.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  963)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  964)  * This is used to make sure security xattrs don't get removed by those who
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  965)  * aren't privileged to remove them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  966)  */
int cap_inode_removexattr(struct dentry *dentry, const char *name)
{
	struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
	struct inode *inode;

	/* Only names under the security.* prefix are policed here. */
	if (strncmp(name, XATTR_SECURITY_PREFIX,
		    XATTR_SECURITY_PREFIX_LEN) != 0)
		return 0;

	if (strcmp(name, XATTR_NAME_CAPS) != 0) {
		/* Generic security.* attribute: CAP_SYS_ADMIN in the
		 * superblock's user namespace is required. */
		return ns_capable(user_ns, CAP_SYS_ADMIN) ? 0 : -EPERM;
	}

	/* security.capability gets namespaced: removal is judged as
	 * CAP_SETFCAP relative to the inode's owner rather than as a
	 * blanket CAP_SYS_ADMIN. */
	inode = d_backing_inode(dentry);
	if (!inode)
		return -EINVAL;
	return capable_wrt_inode_uidgid(inode, CAP_SETFCAP) ? 0 : -EPERM;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  990) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  991) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  992)  * cap_emulate_setxuid() fixes the effective / permitted capabilities of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  993)  * a process after a call to setuid, setreuid, or setresuid.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  994)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  995)  *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  996)  *  {r,e,s}uid != 0, the permitted and effective capabilities are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  997)  *  cleared.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  998)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  999)  *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1000)  *  capabilities of the process are cleared.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1001)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1002)  *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1003)  *  capabilities are set to the permitted capabilities.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1004)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1005)  *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1006)  *  never happen.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1007)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1008)  *  -astor
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1009)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1010)  * cevans - New behaviour, Oct '99
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1011)  * A process may, via prctl(), elect to keep its capabilities when it
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1012)  * calls setuid() and switches away from uid==0. Both permitted and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1013)  * effective sets will be retained.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1014)  * Without this change, it was impossible for a daemon to drop only some
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1015)  * of its privilege. The call to setuid(!=0) would drop all privileges!
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1016)  * Keeping uid 0 is not an option because uid 0 owns too many vital
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1017)  * files..
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1018)  * Thanks to Olaf Kirch and Peter Benie for spotting this.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1019)  */
static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
{
	kuid_t root_uid = make_kuid(old->user_ns, 0);
	bool old_any_root, new_all_nonroot, old_euid_root, new_euid_root;

	/* root is evaluated in the caller's user namespace. */
	old_any_root = uid_eq(old->uid, root_uid) ||
		       uid_eq(old->euid, root_uid) ||
		       uid_eq(old->suid, root_uid);
	new_all_nonroot = !uid_eq(new->uid, root_uid) &&
			  !uid_eq(new->euid, root_uid) &&
			  !uid_eq(new->suid, root_uid);
	old_euid_root = uid_eq(old->euid, root_uid);
	new_euid_root = uid_eq(new->euid, root_uid);

	/* Case 1 of the header comment: leaving uid 0 in all of {r,e,s}uid. */
	if (old_any_root && new_all_nonroot) {
		/* SECURE_KEEP_CAPS (set via PR_SET_KEEPCAPS) lets a daemon
		 * retain pP/pE across this transition so it can drop
		 * privilege selectively instead of all at once. */
		if (!issecure(SECURE_KEEP_CAPS)) {
			cap_clear(new->cap_permitted);
			cap_clear(new->cap_effective);
		}

		/*
		 * Pre-ambient programs expect setresuid to nonroot followed
		 * by exec to drop capabilities.  We should make sure that
		 * this remains the case, so the ambient set is cleared even
		 * when SECURE_KEEP_CAPS is set.
		 */
		cap_clear(new->cap_ambient);
	}

	/* Case 2: euid 0 -> non-0 clears the effective set. */
	if (old_euid_root && !new_euid_root)
		cap_clear(new->cap_effective);

	/* Case 3: euid non-0 -> 0 makes the permitted set effective. */
	if (!old_euid_root && new_euid_root)
		new->cap_effective = new->cap_permitted;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1047) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1048) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1049)  * cap_task_fix_setuid - Fix up the results of setuid() call
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1050)  * @new: The proposed credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1051)  * @old: The current task's current credentials
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1052)  * @flags: Indications of what has changed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1053)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1054)  * Fix up the results of setuid() call before the credential changes are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1055)  * actually applied, returning 0 to grant the changes, -ve to deny them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1056)  */
int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
{
	switch (flags) {
	case LSM_SETID_RE:
	case LSM_SETID_ID:
	case LSM_SETID_RES:
		/* juggle the capabilities to follow [RES]UID changes unless
		 * otherwise suppressed by SECURE_NO_SETUID_FIXUP */
		if (!issecure(SECURE_NO_SETUID_FIXUP))
			cap_emulate_setxuid(new, old);
		return 0;

	case LSM_SETID_FS: {
		kuid_t root_uid;
		bool was_root, is_root;

		/* juggle the capabilities to follow FSUID changes, unless
		 * otherwise suppressed
		 *
		 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
		 *          if not, we might be a bit too harsh here.
		 */
		if (issecure(SECURE_NO_SETUID_FIXUP))
			return 0;

		root_uid = make_kuid(old->user_ns, 0);
		was_root = uid_eq(old->fsuid, root_uid);
		is_root = uid_eq(new->fsuid, root_uid);

		/* fsuid 0 -> non-0: drop the filesystem subset of pE */
		if (was_root && !is_root)
			new->cap_effective =
				cap_drop_fs_set(new->cap_effective);

		/* fsuid non-0 -> 0: raise it again, bounded by pP */
		if (!was_root && is_root)
			new->cap_effective =
				cap_raise_fs_set(new->cap_effective,
						 new->cap_permitted);
		return 0;
	}

	default:
		/* Unknown LSM_SETID_* flavour: refuse rather than guess. */
		return -EINVAL;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1095) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1096) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1097)  * Rationale: code calling task_setscheduler, task_setioprio, and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1098)  * task_setnice, assumes that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1099)  *   . if capable(cap_sys_nice), then those actions should be allowed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1100)  *   . if not capable(cap_sys_nice), but acting on your own processes,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1101)  *   	then those actions should be allowed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1102)  * This is insufficient now since you can call code without suid, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1103)  * yet with increased caps.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1104)  * So we check for increased caps on the target process.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1105)  */
static int cap_safe_nice(struct task_struct *p)
{
	const struct cred *tcred;
	int ret = 0;

	/* __task_cred() is only valid under RCU; hold it across both uses
	 * of the target's creds. */
	rcu_read_lock();
	tcred = __task_cred(p);
	/* The target may be acted on freely only if it holds no capability
	 * the caller lacks; otherwise CAP_SYS_NICE in the target's user
	 * namespace is required. */
	if (!cap_issubset(tcred->cap_permitted, current_cred()->cap_permitted) &&
	    !ns_capable(tcred->user_ns, CAP_SYS_NICE))
		ret = -EPERM;
	rcu_read_unlock();

	return ret;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1119) 
/**
 * cap_task_setscheduler - Determine if scheduler policy change is permitted
 * @p: The task to affect
 *
 * Determine if the requested scheduler policy change is permitted for the
 * specified task, returning 0 if permission is granted, -ve if denied.
 */
int cap_task_setscheduler(struct task_struct *p)
{
	/* Same rule as nice/ioprio: the caller may not alter a task holding
	 * more privilege than itself without CAP_SYS_NICE. */
	int rc = cap_safe_nice(p);

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1131) 
/**
 * cap_task_setioprio - Determine if I/O priority change is permitted
 * @p: The task to affect
 * @ioprio: The I/O priority to set
 *
 * Determine if the requested I/O priority change is permitted for the specified
 * task, returning 0 if permission is granted, -ve if denied.
 */
int cap_task_setioprio(struct task_struct *p, int ioprio)
{
	/* The requested value is irrelevant to the capability rule; only the
	 * caller/target privilege relationship is checked. */
	int rc = cap_safe_nice(p);

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1144) 
/**
 * cap_task_setnice - Determine if task priority change is permitted
 * @p: The task to affect
 * @nice: The nice value to set
 *
 * Determine if the requested task priority change is permitted for the
 * specified task, returning 0 if permission is granted, -ve if denied.
 */
int cap_task_setnice(struct task_struct *p, int nice)
{
	/* The nice value itself is not inspected; only the caller/target
	 * privilege relationship is checked. */
	int rc = cap_safe_nice(p);

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1157) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1158) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1159)  * Implement PR_CAPBSET_DROP.  Attempt to remove the specified capability from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1160)  * the current task's bounding set.  Returns 0 on success, -ve on error.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1161)  */
static int cap_prctl_drop(unsigned long cap)
{
	struct cred *new;
	int err;

	/* Privilege check precedes argument validation: an unprivileged
	 * caller sees -EPERM even for an out-of-range capability number. */
	if (!ns_capable(current_user_ns(), CAP_SETPCAP))
		return -EPERM;
	if (!cap_valid(cap))
		return -EINVAL;

	new = prepare_creds();
	if (!new)
		return -ENOMEM;

	/* Lowering a bounding-set bit is one-way: cap_task_prctl exposes
	 * PR_CAPBSET_READ and PR_CAPBSET_DROP but no raise counterpart. */
	cap_lower(new->cap_bset, cap);
	err = commit_creds(new);

	return err;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1177) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1178) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1179)  * cap_task_prctl - Implement process control functions for this security module
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1180)  * @option: The process control function requested
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1181)  * @arg2, @arg3, @arg4, @arg5: The argument data for this function
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1182)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1183)  * Allow process control functions (sys_prctl()) to alter capabilities; may
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1184)  * also deny access to other functions not otherwise implemented here.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1185)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1186)  * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1187)  * here, other -ve on error.  If -ENOSYS is returned, sys_prctl() and other LSM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1188)  * modules will consider performing the function.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1189)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1190) int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1191) 		   unsigned long arg4, unsigned long arg5)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1192) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1193) 	const struct cred *old = current_cred();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1194) 	struct cred *new;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1195) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1196) 	switch (option) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1197) 	case PR_CAPBSET_READ:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1198) 		if (!cap_valid(arg2))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1199) 			return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1200) 		return !!cap_raised(old->cap_bset, arg2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1201) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1202) 	case PR_CAPBSET_DROP:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1203) 		return cap_prctl_drop(arg2);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1204) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1205) 	/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1206) 	 * The next four prctl's remain to assist with transitioning a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1207) 	 * system from legacy UID=0 based privilege (when filesystem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1208) 	 * capabilities are not in use) to a system using filesystem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1209) 	 * capabilities only - as the POSIX.1e draft intended.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1210) 	 *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1211) 	 * Note:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1212) 	 *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1213) 	 *  PR_SET_SECUREBITS =
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1214) 	 *      issecure_mask(SECURE_KEEP_CAPS_LOCKED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1215) 	 *    | issecure_mask(SECURE_NOROOT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1216) 	 *    | issecure_mask(SECURE_NOROOT_LOCKED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1217) 	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1218) 	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1219) 	 *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1220) 	 * will ensure that the current process and all of its
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1221) 	 * children will be locked into a pure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1222) 	 * capability-based-privilege environment.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1223) 	 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1224) 	case PR_SET_SECUREBITS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1225) 		if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1226) 		     & (old->securebits ^ arg2))			/*[1]*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1227) 		    || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1228) 		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))	/*[3]*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1229) 		    || (cap_capable(current_cred(),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1230) 				    current_cred()->user_ns,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1231) 				    CAP_SETPCAP,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1232) 				    CAP_OPT_NONE) != 0)			/*[4]*/
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1233) 			/*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1234) 			 * [1] no changing of bits that are locked
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1235) 			 * [2] no unlocking of locks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1236) 			 * [3] no setting of unsupported bits
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1237) 			 * [4] doing anything requires privilege (go read about
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1238) 			 *     the "sendmail capabilities bug")
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1239) 			 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1240) 		    )
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1241) 			/* cannot change a locked bit */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1242) 			return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1243) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1244) 		new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1245) 		if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1246) 			return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1247) 		new->securebits = arg2;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1248) 		return commit_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1249) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1250) 	case PR_GET_SECUREBITS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1251) 		return old->securebits;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1252) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1253) 	case PR_GET_KEEPCAPS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1254) 		return !!issecure(SECURE_KEEP_CAPS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1255) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1256) 	case PR_SET_KEEPCAPS:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1257) 		if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1258) 			return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1259) 		if (issecure(SECURE_KEEP_CAPS_LOCKED))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1260) 			return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1261) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1262) 		new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1263) 		if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1264) 			return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1265) 		if (arg2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1266) 			new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1267) 		else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1268) 			new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1269) 		return commit_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1270) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1271) 	case PR_CAP_AMBIENT:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1272) 		if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1273) 			if (arg3 | arg4 | arg5)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1274) 				return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1275) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1276) 			new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1277) 			if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1278) 				return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1279) 			cap_clear(new->cap_ambient);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1280) 			return commit_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1281) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1282) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1283) 		if (((!cap_valid(arg3)) | arg4 | arg5))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1284) 			return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1285) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1286) 		if (arg2 == PR_CAP_AMBIENT_IS_SET) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1287) 			return !!cap_raised(current_cred()->cap_ambient, arg3);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1288) 		} else if (arg2 != PR_CAP_AMBIENT_RAISE &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1289) 			   arg2 != PR_CAP_AMBIENT_LOWER) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1290) 			return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1291) 		} else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1292) 			if (arg2 == PR_CAP_AMBIENT_RAISE &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1293) 			    (!cap_raised(current_cred()->cap_permitted, arg3) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1294) 			     !cap_raised(current_cred()->cap_inheritable,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1295) 					 arg3) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1296) 			     issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1297) 				return -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1298) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1299) 			new = prepare_creds();
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1300) 			if (!new)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1301) 				return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1302) 			if (arg2 == PR_CAP_AMBIENT_RAISE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1303) 				cap_raise(new->cap_ambient, arg3);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1304) 			else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1305) 				cap_lower(new->cap_ambient, arg3);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1306) 			return commit_creds(new);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1307) 		}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1308) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1309) 	default:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1310) 		/* No functionality available - continue with default */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1311) 		return -ENOSYS;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1312) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1313) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1314) 
/**
 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
 * @mm: The VM space in which the new mapping is to be made (not consulted here)
 * @pages: The size of the mapping (not consulted here)
 *
 * Determine whether the allocation of a new virtual mapping by the current
 * task is permitted, returning 1 if permission is granted, 0 if not.
 *
 * The capability module reduces this to one question: does the current
 * task hold CAP_SYS_ADMIN in the initial user namespace?  The probe is made
 * with CAP_OPT_NOAUDIT, i.e. it is a quiet check that is not meant to leave
 * an audit trail for tasks that simply lack the capability.
 */
int cap_vm_enough_memory(struct mm_struct *mm, long pages)
{
	int rc = cap_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
			     CAP_OPT_NOAUDIT);

	/* cap_capable() reports success as 0; translate to the 1/0 contract. */
	return rc == 0 ? 1 : 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1333) 
/*
 * cap_mmap_addr - check if able to map given addr
 * @addr: address attempting to be mapped
 *
 * If the process is attempting to map memory below dac_mmap_min_addr they need
 * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
 * capability security module.  Returns 0 if this mapping should be allowed
 * -EPERM if not.
 *
 * Mappings at or above dac_mmap_min_addr are allowed without any capability
 * check.  A low mapping that is permitted because the task holds
 * CAP_SYS_RAWIO is recorded by setting PF_SUPERPRIV on the task, so the
 * use of privilege is visible to later accounting.
 */
int cap_mmap_addr(unsigned long addr)
{
	int rc;

	/* The common case: nothing below the protected low range is touched. */
	if (addr >= dac_mmap_min_addr)
		return 0;

	rc = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
			 CAP_OPT_NONE);
	/* Only a successful privileged low mapping marks the task. */
	if (rc == 0)
		current->flags |= PF_SUPERPRIV;

	return rc;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1356) 
/*
 * cap_mmap_file - mmap_file hook of the capability module
 * @file: file being mapped, or NULL for an anonymous mapping
 * @reqprot: protection requested by the caller
 * @prot: protection that will be applied
 * @flags: mmap flags
 *
 * The capability module imposes no restriction on file mappings; the
 * address-based check lives in cap_mmap_addr().  All parameters are
 * ignored.  Always returns 0 (allow).
 */
int cap_mmap_file(struct file *file, unsigned long reqprot,
		  unsigned long prot, unsigned long flags)
{
	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1362) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1363) #ifdef CONFIG_SECURITY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1364) 
/*
 * Hooks the capability module registers with the LSM framework.  Each entry
 * pairs an LSM hook name with the cap_* function implementing it; the
 * cap_* functions are defined in this file.  The __lsm_ro_after_init
 * annotation, judging by its name, is meant to make this table read-only
 * once initialisation is complete -- confirm against its definition.
 */
static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
	LSM_HOOK_INIT(capable, cap_capable),
	LSM_HOOK_INIT(settime, cap_settime),
	LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
	LSM_HOOK_INIT(capget, cap_capget),
	LSM_HOOK_INIT(capset, cap_capset),
	LSM_HOOK_INIT(bprm_creds_from_file, cap_bprm_creds_from_file),
	LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
	LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
	LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
	/* mmap_addr enforces the dac_mmap_min_addr floor; mmap_file allows all. */
	LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
	LSM_HOOK_INIT(mmap_file, cap_mmap_file),
	LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
	LSM_HOOK_INIT(task_prctl, cap_task_prctl),
	LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
	LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
	LSM_HOOK_INIT(task_setnice, cap_task_setnice),
	/* vm_enough_memory here is a CAP_SYS_ADMIN probe, not a memory check. */
	LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1385) 
/*
 * capability_init - register the capability module's hooks
 *
 * Hands the capability_hooks table to the LSM framework under the
 * module name "capability".  Always returns 0; registration has no
 * failure path visible here.
 */
static int __init capability_init(void)
{
	const int nr_hooks = ARRAY_SIZE(capability_hooks);

	security_add_hooks(capability_hooks, nr_hooks, "capability");

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1392) 
/*
 * LSM descriptor for the capability module.  LSM_ORDER_FIRST asks the
 * framework to initialise this module ahead of the others -- presumably so
 * its hooks run before those of any stacked LSM; confirm in security.c.
 */
DEFINE_LSM(capability) = {
	.name = "capability",
	.order = LSM_ORDER_FIRST,
	.init = capability_init,
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1398) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1399) #endif /* CONFIG_SECURITY */