diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 96 |
1 files changed, 69 insertions, 27 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 64c2ed9c9015..a93b3b733079 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -27,6 +27,7 @@ | |||
| 27 | #include <linux/sched.h> | 27 | #include <linux/sched.h> |
| 28 | #include <linux/prctl.h> | 28 | #include <linux/prctl.h> |
| 29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
| 30 | #include <linux/user_namespace.h> | ||
| 30 | 31 | ||
| 31 | /* | 32 | /* |
| 32 | * If a non-root user executes a setuid-root binary in | 33 | * If a non-root user executes a setuid-root binary in |
| @@ -52,13 +53,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname) | |||
| 52 | 53 | ||
| 53 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) | 54 | int cap_netlink_send(struct sock *sk, struct sk_buff *skb) |
| 54 | { | 55 | { |
| 55 | NETLINK_CB(skb).eff_cap = current_cap(); | ||
| 56 | return 0; | 56 | return 0; |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | int cap_netlink_recv(struct sk_buff *skb, int cap) | 59 | int cap_netlink_recv(struct sk_buff *skb, int cap) |
| 60 | { | 60 | { |
| 61 | if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) | 61 | if (!cap_raised(current_cap(), cap)) |
| 62 | return -EPERM; | 62 | return -EPERM; |
| 63 | return 0; | 63 | return 0; |
| 64 | } | 64 | } |
| @@ -68,6 +68,7 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
| 68 | * cap_capable - Determine whether a task has a particular effective capability | 68 | * cap_capable - Determine whether a task has a particular effective capability |
| 69 | * @tsk: The task to query | 69 | * @tsk: The task to query |
| 70 | * @cred: The credentials to use | 70 | * @cred: The credentials to use |
| 71 | * @ns: The user namespace in which we need the capability | ||
| 71 | * @cap: The capability to check for | 72 | * @cap: The capability to check for |
| 72 | * @audit: Whether to write an audit message or not | 73 | * @audit: Whether to write an audit message or not |
| 73 | * | 74 | * |
| @@ -79,10 +80,30 @@ EXPORT_SYMBOL(cap_netlink_recv); | |||
| 79 | * cap_has_capability() returns 0 when a task has a capability, but the | 80 | * cap_has_capability() returns 0 when a task has a capability, but the |
| 80 | * kernel's capable() and has_capability() returns 1 for this case. | 81 | * kernel's capable() and has_capability() returns 1 for this case. |
| 81 | */ | 82 | */ |
| 82 | int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, | 83 | int cap_capable(struct task_struct *tsk, const struct cred *cred, |
| 83 | int audit) | 84 | struct user_namespace *targ_ns, int cap, int audit) |
| 84 | { | 85 | { |
| 85 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; | 86 | for (;;) { |
| 87 | /* The creator of the user namespace has all caps. */ | ||
| 88 | if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) | ||
| 89 | return 0; | ||
| 90 | |||
| 91 | /* Do we have the necessary capabilities? */ | ||
| 92 | if (targ_ns == cred->user->user_ns) | ||
| 93 | return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; | ||
| 94 | |||
| 95 | /* Have we tried all of the parent namespaces? */ | ||
| 96 | if (targ_ns == &init_user_ns) | ||
| 97 | return -EPERM; | ||
| 98 | |||
| 99 | /* | ||
| 100 | *If you have a capability in a parent user ns, then you have | ||
| 101 | * it over all children user namespaces as well. | ||
| 102 | */ | ||
| 103 | targ_ns = targ_ns->creator->user_ns; | ||
| 104 | } | ||
| 105 | |||
| 106 | /* We never get here */ | ||
| 86 | } | 107 | } |
| 87 | 108 | ||
| 88 | /** | 109 | /** |
| @@ -93,7 +114,7 @@ int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, | |||
| 93 | * Determine whether the current process may set the system clock and timezone | 114 | * Determine whether the current process may set the system clock and timezone |
| 94 | * information, returning 0 if permission granted, -ve if denied. | 115 | * information, returning 0 if permission granted, -ve if denied. |
| 95 | */ | 116 | */ |
| 96 | int cap_settime(struct timespec *ts, struct timezone *tz) | 117 | int cap_settime(const struct timespec *ts, const struct timezone *tz) |
| 97 | { | 118 | { |
| 98 | if (!capable(CAP_SYS_TIME)) | 119 | if (!capable(CAP_SYS_TIME)) |
| 99 | return -EPERM; | 120 | return -EPERM; |
| @@ -106,18 +127,30 @@ int cap_settime(struct timespec *ts, struct timezone *tz) | |||
| 106 | * @child: The process to be accessed | 127 | * @child: The process to be accessed |
| 107 | * @mode: The mode of attachment. | 128 | * @mode: The mode of attachment. |
| 108 | * | 129 | * |
| 130 | * If we are in the same or an ancestor user_ns and have all the target | ||
| 131 | * task's capabilities, then ptrace access is allowed. | ||
| 132 | * If we have the ptrace capability to the target user_ns, then ptrace | ||
| 133 | * access is allowed. | ||
| 134 | * Else denied. | ||
| 135 | * | ||
| 109 | * Determine whether a process may access another, returning 0 if permission | 136 | * Determine whether a process may access another, returning 0 if permission |
| 110 | * granted, -ve if denied. | 137 | * granted, -ve if denied. |
| 111 | */ | 138 | */ |
| 112 | int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) | 139 | int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) |
| 113 | { | 140 | { |
| 114 | int ret = 0; | 141 | int ret = 0; |
| 142 | const struct cred *cred, *child_cred; | ||
| 115 | 143 | ||
| 116 | rcu_read_lock(); | 144 | rcu_read_lock(); |
| 117 | if (!cap_issubset(__task_cred(child)->cap_permitted, | 145 | cred = current_cred(); |
| 118 | current_cred()->cap_permitted) && | 146 | child_cred = __task_cred(child); |
| 119 | !capable(CAP_SYS_PTRACE)) | 147 | if (cred->user->user_ns == child_cred->user->user_ns && |
| 120 | ret = -EPERM; | 148 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
| 149 | goto out; | ||
| 150 | if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 151 | goto out; | ||
| 152 | ret = -EPERM; | ||
| 153 | out: | ||
| 121 | rcu_read_unlock(); | 154 | rcu_read_unlock(); |
| 122 | return ret; | 155 | return ret; |
| 123 | } | 156 | } |
| @@ -126,18 +159,30 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) | |||
| 126 | * cap_ptrace_traceme - Determine whether another process may trace the current | 159 | * cap_ptrace_traceme - Determine whether another process may trace the current |
| 127 | * @parent: The task proposed to be the tracer | 160 | * @parent: The task proposed to be the tracer |
| 128 | * | 161 | * |
| 162 | * If parent is in the same or an ancestor user_ns and has all current's | ||
| 163 | * capabilities, then ptrace access is allowed. | ||
| 164 | * If parent has the ptrace capability to current's user_ns, then ptrace | ||
| 165 | * access is allowed. | ||
| 166 | * Else denied. | ||
| 167 | * | ||
| 129 | * Determine whether the nominated task is permitted to trace the current | 168 | * Determine whether the nominated task is permitted to trace the current |
| 130 | * process, returning 0 if permission is granted, -ve if denied. | 169 | * process, returning 0 if permission is granted, -ve if denied. |
| 131 | */ | 170 | */ |
| 132 | int cap_ptrace_traceme(struct task_struct *parent) | 171 | int cap_ptrace_traceme(struct task_struct *parent) |
| 133 | { | 172 | { |
| 134 | int ret = 0; | 173 | int ret = 0; |
| 174 | const struct cred *cred, *child_cred; | ||
| 135 | 175 | ||
| 136 | rcu_read_lock(); | 176 | rcu_read_lock(); |
| 137 | if (!cap_issubset(current_cred()->cap_permitted, | 177 | cred = __task_cred(parent); |
| 138 | __task_cred(parent)->cap_permitted) && | 178 | child_cred = current_cred(); |
| 139 | !has_capability(parent, CAP_SYS_PTRACE)) | 179 | if (cred->user->user_ns == child_cred->user->user_ns && |
| 140 | ret = -EPERM; | 180 | cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) |
| 181 | goto out; | ||
| 182 | if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 183 | goto out; | ||
| 184 | ret = -EPERM; | ||
| 185 | out: | ||
| 141 | rcu_read_unlock(); | 186 | rcu_read_unlock(); |
| 142 | return ret; | 187 | return ret; |
| 143 | } | 188 | } |
| @@ -177,7 +222,8 @@ static inline int cap_inh_is_capped(void) | |||
| 177 | /* they are so limited unless the current task has the CAP_SETPCAP | 222 | /* they are so limited unless the current task has the CAP_SETPCAP |
| 178 | * capability | 223 | * capability |
| 179 | */ | 224 | */ |
| 180 | if (cap_capable(current, current_cred(), CAP_SETPCAP, | 225 | if (cap_capable(current, current_cred(), |
| 226 | current_cred()->user->user_ns, CAP_SETPCAP, | ||
| 181 | SECURITY_CAP_AUDIT) == 0) | 227 | SECURITY_CAP_AUDIT) == 0) |
| 182 | return 0; | 228 | return 0; |
| 183 | return 1; | 229 | return 1; |
| @@ -483,15 +529,10 @@ skip: | |||
| 483 | new->suid = new->fsuid = new->euid; | 529 | new->suid = new->fsuid = new->euid; |
| 484 | new->sgid = new->fsgid = new->egid; | 530 | new->sgid = new->fsgid = new->egid; |
| 485 | 531 | ||
| 486 | /* For init, we want to retain the capabilities set in the initial | 532 | if (effective) |
| 487 | * task. Thus we skip the usual capability rules | 533 | new->cap_effective = new->cap_permitted; |
| 488 | */ | 534 | else |
| 489 | if (!is_global_init(current)) { | 535 | cap_clear(new->cap_effective); |
| 490 | if (effective) | ||
| 491 | new->cap_effective = new->cap_permitted; | ||
| 492 | else | ||
| 493 | cap_clear(new->cap_effective); | ||
| 494 | } | ||
| 495 | bprm->cap_effective = effective; | 536 | bprm->cap_effective = effective; |
| 496 | 537 | ||
| 497 | /* | 538 | /* |
| @@ -829,7 +870,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 829 | & (new->securebits ^ arg2)) /*[1]*/ | 870 | & (new->securebits ^ arg2)) /*[1]*/ |
| 830 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ | 871 | || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ |
| 831 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ | 872 | || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ |
| 832 | || (cap_capable(current, current_cred(), CAP_SETPCAP, | 873 | || (cap_capable(current, current_cred(), |
| 874 | current_cred()->user->user_ns, CAP_SETPCAP, | ||
| 833 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ | 875 | SECURITY_CAP_AUDIT) != 0) /*[4]*/ |
| 834 | /* | 876 | /* |
| 835 | * [1] no changing of bits that are locked | 877 | * [1] no changing of bits that are locked |
| @@ -894,7 +936,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages) | |||
| 894 | { | 936 | { |
| 895 | int cap_sys_admin = 0; | 937 | int cap_sys_admin = 0; |
| 896 | 938 | ||
| 897 | if (cap_capable(current, current_cred(), CAP_SYS_ADMIN, | 939 | if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN, |
| 898 | SECURITY_CAP_NOAUDIT) == 0) | 940 | SECURITY_CAP_NOAUDIT) == 0) |
| 899 | cap_sys_admin = 1; | 941 | cap_sys_admin = 1; |
| 900 | return __vm_enough_memory(mm, pages, cap_sys_admin); | 942 | return __vm_enough_memory(mm, pages, cap_sys_admin); |
| @@ -921,7 +963,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot, | |||
| 921 | int ret = 0; | 963 | int ret = 0; |
| 922 | 964 | ||
| 923 | if (addr < dac_mmap_min_addr) { | 965 | if (addr < dac_mmap_min_addr) { |
| 924 | ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, | 966 | ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO, |
| 925 | SECURITY_CAP_AUDIT); | 967 | SECURITY_CAP_AUDIT); |
| 926 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ | 968 | /* set PF_SUPERPRIV if it turns out we allow the low mmap */ |
| 927 | if (ret == 0) | 969 | if (ret == 0) |