mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-30 14:46:47 +07:00
ca05a99a54
Source code out there hard-codes a notion of what the _LINUX_CAPABILITY_VERSION #define means in terms of the semantics of the raw capability system calls capget() and capset(). Its unfortunate, but true. Since the confusing header file has been in a released kernel, there is software that is erroneously using 64-bit capabilities with the semantics of 32-bit compatibilities. These recently compiled programs may suffer corruption of their memory when sys_getcap() overwrites more memory than they are coded to expect, and the raising of added capabilities when using sys_capset(). As such, this patch does a number of things to clean up the situation for all. It 1. forces the _LINUX_CAPABILITY_VERSION define to always retain its legacy value. 2. adopts a new #define strategy for the kernel's internal implementation of the preferred magic. 3. deprecates v2 capability magic in favor of a new (v3) magic number. The functionality of v3 is entirely equivalent to v2, the only difference being that the v2 magic causes the kernel to log a "deprecated" warning so the admin can find applications that may be using v2 inappropriately. [User space code continues to be encouraged to use the libcap API which protects the application from details like this. libcap-2.10 is the first to support v3 capabilities.] Fixes issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=447518. Thanks to Bojan Smojver for the report. [akpm@linux-foundation.org: s/depreciate/deprecate/g] [akpm@linux-foundation.org: be robust about put_user size] [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Andrew G. Morgan <morgan@kernel.org> Cc: Serge E. Hallyn <serue@us.ibm.com> Cc: Bojan Smojver <bojan@rexursive.com> Cc: stable@kernel.org Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
510 lines
15 KiB
C
510 lines
15 KiB
C
/*
|
|
* This is <linux/capability.h>
|
|
*
|
|
* Andrew G. Morgan <morgan@kernel.org>
|
|
* Alexander Kjeldaas <astor@guardian.no>
|
|
* with help from Aleph1, Roland Buresund and Andrew Main.
|
|
*
|
|
* See here for the libcap library ("POSIX draft" compliance):
|
|
*
|
|
* ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
|
|
*/
|
|
|
|
#ifndef _LINUX_CAPABILITY_H
|
|
#define _LINUX_CAPABILITY_H
|
|
|
|
#include <linux/types.h>
|
|
|
|
struct task_struct;
|
|
|
|
/* User-level do most of the mapping between kernel and user
|
|
capabilities based on the version tag given by the kernel. The
|
|
kernel might be somewhat backwards compatible, but don't bet on
|
|
it. */
|
|
|
|
/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
|
|
a set of three capability sets. The transposition of 3*the
|
|
following structure to such a composite is better handled in a user
|
|
library since the draft standard requires the use of malloc/free
|
|
etc.. */
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
|
|
#define _LINUX_CAPABILITY_U32S_1 1
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
|
|
#define _LINUX_CAPABILITY_U32S_2 2
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
|
|
#define _LINUX_CAPABILITY_U32S_3 2
|
|
|
|
typedef struct __user_cap_header_struct {
|
|
__u32 version;
|
|
int pid;
|
|
} __user *cap_user_header_t;
|
|
|
|
typedef struct __user_cap_data_struct {
|
|
__u32 effective;
|
|
__u32 permitted;
|
|
__u32 inheritable;
|
|
} __user *cap_user_data_t;
|
|
|
|
|
|
#define XATTR_CAPS_SUFFIX "capability"
|
|
#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
|
|
|
|
#define VFS_CAP_REVISION_MASK 0xFF000000
|
|
#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
|
|
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
|
|
|
|
#define VFS_CAP_REVISION_1 0x01000000
|
|
#define VFS_CAP_U32_1 1
|
|
#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
|
|
|
|
#define VFS_CAP_REVISION_2 0x02000000
|
|
#define VFS_CAP_U32_2 2
|
|
#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
|
|
|
|
#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
|
|
#define VFS_CAP_U32 VFS_CAP_U32_2
|
|
#define VFS_CAP_REVISION VFS_CAP_REVISION_2
|
|
|
|
|
|
struct vfs_cap_data {
|
|
__le32 magic_etc; /* Little endian */
|
|
struct {
|
|
__le32 permitted; /* Little endian */
|
|
__le32 inheritable; /* Little endian */
|
|
} data[VFS_CAP_U32];
|
|
};
|
|
|
|
#ifndef __KERNEL__
|
|
|
|
/*
|
|
* Backwardly compatible definition for source code - trapped in a
|
|
* 32-bit world. If you find you need this, please consider using
|
|
* libcap to untrap yourself...
|
|
*/
|
|
#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1
|
|
#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1
|
|
|
|
#else
|
|
|
|
#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
|
|
#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
|
|
|
|
typedef struct kernel_cap_struct {
|
|
__u32 cap[_KERNEL_CAPABILITY_U32S];
|
|
} kernel_cap_t;
|
|
|
|
#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
|
|
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
|
|
|
|
#endif
|
|
|
|
|
|
/**
|
|
** POSIX-draft defined capabilities.
|
|
**/
|
|
|
|
/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
|
|
overrides the restriction of changing file ownership and group
|
|
ownership. */
|
|
|
|
#define CAP_CHOWN 0
|
|
|
|
/* Override all DAC access, including ACL execute access if
|
|
[_POSIX_ACL] is defined. Excluding DAC access covered by
|
|
CAP_LINUX_IMMUTABLE. */
|
|
|
|
#define CAP_DAC_OVERRIDE 1
|
|
|
|
/* Overrides all DAC restrictions regarding read and search on files
|
|
and directories, including ACL restrictions if [_POSIX_ACL] is
|
|
defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
|
|
|
|
#define CAP_DAC_READ_SEARCH 2
|
|
|
|
/* Overrides all restrictions about allowed operations on files, where
|
|
file owner ID must be equal to the user ID, except where CAP_FSETID
|
|
is applicable. It doesn't override MAC and DAC restrictions. */
|
|
|
|
#define CAP_FOWNER 3
|
|
|
|
/* Overrides the following restrictions that the effective user ID
|
|
shall match the file owner ID when setting the S_ISUID and S_ISGID
|
|
bits on that file; that the effective group ID (or one of the
|
|
supplementary group IDs) shall match the file owner ID when setting
|
|
the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
|
|
cleared on successful return from chown(2) (not implemented). */
|
|
|
|
#define CAP_FSETID 4
|
|
|
|
/* Overrides the restriction that the real or effective user ID of a
|
|
process sending a signal must match the real or effective user ID
|
|
of the process receiving the signal. */
|
|
|
|
#define CAP_KILL 5
|
|
|
|
/* Allows setgid(2) manipulation */
|
|
/* Allows setgroups(2) */
|
|
/* Allows forged gids on socket credentials passing. */
|
|
|
|
#define CAP_SETGID 6
|
|
|
|
/* Allows set*uid(2) manipulation (including fsuid). */
|
|
/* Allows forged pids on socket credentials passing. */
|
|
|
|
#define CAP_SETUID 7
|
|
|
|
|
|
/**
|
|
** Linux-specific capabilities
|
|
**/
|
|
|
|
/* Without VFS support for capabilities:
|
|
* Transfer any capability in your permitted set to any pid,
|
|
* remove any capability in your permitted set from any pid
|
|
* With VFS support for capabilities (neither of above, but)
|
|
* Add any capability from current's capability bounding set
|
|
* to the current process' inheritable set
|
|
* Allow taking bits out of capability bounding set
|
|
* Allow modification of the securebits for a process
|
|
*/
|
|
|
|
#define CAP_SETPCAP 8
|
|
|
|
/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
|
|
|
|
#define CAP_LINUX_IMMUTABLE 9
|
|
|
|
/* Allows binding to TCP/UDP sockets below 1024 */
|
|
/* Allows binding to ATM VCIs below 32 */
|
|
|
|
#define CAP_NET_BIND_SERVICE 10
|
|
|
|
/* Allow broadcasting, listen to multicast */
|
|
|
|
#define CAP_NET_BROADCAST 11
|
|
|
|
/* Allow interface configuration */
|
|
/* Allow administration of IP firewall, masquerading and accounting */
|
|
/* Allow setting debug option on sockets */
|
|
/* Allow modification of routing tables */
|
|
/* Allow setting arbitrary process / process group ownership on
|
|
sockets */
|
|
/* Allow binding to any address for transparent proxying */
|
|
/* Allow setting TOS (type of service) */
|
|
/* Allow setting promiscuous mode */
|
|
/* Allow clearing driver statistics */
|
|
/* Allow multicasting */
|
|
/* Allow read/write of device-specific registers */
|
|
/* Allow activation of ATM control sockets */
|
|
|
|
#define CAP_NET_ADMIN 12
|
|
|
|
/* Allow use of RAW sockets */
|
|
/* Allow use of PACKET sockets */
|
|
|
|
#define CAP_NET_RAW 13
|
|
|
|
/* Allow locking of shared memory segments */
|
|
/* Allow mlock and mlockall (which doesn't really have anything to do
|
|
with IPC) */
|
|
|
|
#define CAP_IPC_LOCK 14
|
|
|
|
/* Override IPC ownership checks */
|
|
|
|
#define CAP_IPC_OWNER 15
|
|
|
|
/* Insert and remove kernel modules - modify kernel without limit */
|
|
#define CAP_SYS_MODULE 16
|
|
|
|
/* Allow ioperm/iopl access */
|
|
/* Allow sending USB messages to any device via /proc/bus/usb */
|
|
|
|
#define CAP_SYS_RAWIO 17
|
|
|
|
/* Allow use of chroot() */
|
|
|
|
#define CAP_SYS_CHROOT 18
|
|
|
|
/* Allow ptrace() of any process */
|
|
|
|
#define CAP_SYS_PTRACE 19
|
|
|
|
/* Allow configuration of process accounting */
|
|
|
|
#define CAP_SYS_PACCT 20
|
|
|
|
/* Allow configuration of the secure attention key */
|
|
/* Allow administration of the random device */
|
|
/* Allow examination and configuration of disk quotas */
|
|
/* Allow configuring the kernel's syslog (printk behaviour) */
|
|
/* Allow setting the domainname */
|
|
/* Allow setting the hostname */
|
|
/* Allow calling bdflush() */
|
|
/* Allow mount() and umount(), setting up new smb connection */
|
|
/* Allow some autofs root ioctls */
|
|
/* Allow nfsservctl */
|
|
/* Allow VM86_REQUEST_IRQ */
|
|
/* Allow to read/write pci config on alpha */
|
|
/* Allow irix_prctl on mips (setstacksize) */
|
|
/* Allow flushing all cache on m68k (sys_cacheflush) */
|
|
/* Allow removing semaphores */
|
|
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
|
|
and shared memory */
|
|
/* Allow locking/unlocking of shared memory segment */
|
|
/* Allow turning swap on/off */
|
|
/* Allow forged pids on socket credentials passing */
|
|
/* Allow setting readahead and flushing buffers on block devices */
|
|
/* Allow setting geometry in floppy driver */
|
|
/* Allow turning DMA on/off in xd driver */
|
|
/* Allow administration of md devices (mostly the above, but some
|
|
extra ioctls) */
|
|
/* Allow tuning the ide driver */
|
|
/* Allow access to the nvram device */
|
|
/* Allow administration of apm_bios, serial and bttv (TV) device */
|
|
/* Allow manufacturer commands in isdn CAPI support driver */
|
|
/* Allow reading non-standardized portions of pci configuration space */
|
|
/* Allow DDI debug ioctl on sbpcd driver */
|
|
/* Allow setting up serial ports */
|
|
/* Allow sending raw qic-117 commands */
|
|
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
|
|
arbitrary SCSI commands */
|
|
/* Allow setting encryption key on loopback filesystem */
|
|
/* Allow setting zone reclaim policy */
|
|
|
|
#define CAP_SYS_ADMIN 21
|
|
|
|
/* Allow use of reboot() */
|
|
|
|
#define CAP_SYS_BOOT 22
|
|
|
|
/* Allow raising priority and setting priority on other (different
|
|
UID) processes */
|
|
/* Allow use of FIFO and round-robin (realtime) scheduling on own
|
|
processes and setting the scheduling algorithm used by another
|
|
process. */
|
|
/* Allow setting cpu affinity on other processes */
|
|
|
|
#define CAP_SYS_NICE 23
|
|
|
|
/* Override resource limits. Set resource limits. */
|
|
/* Override quota limits. */
|
|
/* Override reserved space on ext2 filesystem */
|
|
/* Modify data journaling mode on ext3 filesystem (uses journaling
|
|
resources) */
|
|
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
|
|
you can override using fsuid too */
|
|
/* Override size restrictions on IPC message queues */
|
|
/* Allow more than 64hz interrupts from the real-time clock */
|
|
/* Override max number of consoles on console allocation */
|
|
/* Override max number of keymaps */
|
|
|
|
#define CAP_SYS_RESOURCE 24
|
|
|
|
/* Allow manipulation of system clock */
|
|
/* Allow irix_stime on mips */
|
|
/* Allow setting the real-time clock */
|
|
|
|
#define CAP_SYS_TIME 25
|
|
|
|
/* Allow configuration of tty devices */
|
|
/* Allow vhangup() of tty */
|
|
|
|
#define CAP_SYS_TTY_CONFIG 26
|
|
|
|
/* Allow the privileged aspects of mknod() */
|
|
|
|
#define CAP_MKNOD 27
|
|
|
|
/* Allow taking of leases on files */
|
|
|
|
#define CAP_LEASE 28
|
|
|
|
#define CAP_AUDIT_WRITE 29
|
|
|
|
#define CAP_AUDIT_CONTROL 30
|
|
|
|
#define CAP_SETFCAP 31
|
|
|
|
/* Override MAC access.
|
|
The base kernel enforces no MAC policy.
|
|
An LSM may enforce a MAC policy, and if it does and it chooses
|
|
to implement capability based overrides of that policy, this is
|
|
the capability it should use to do so. */
|
|
|
|
#define CAP_MAC_OVERRIDE 32
|
|
|
|
/* Allow MAC configuration or state changes.
|
|
The base kernel requires no MAC configuration.
|
|
An LSM may enforce a MAC policy, and if it does and it chooses
|
|
to implement capability based checks on modifications to that
|
|
policy or the data required to maintain it, this is the
|
|
capability it should use to do so. */
|
|
|
|
#define CAP_MAC_ADMIN 33
|
|
|
|
#define CAP_LAST_CAP CAP_MAC_ADMIN
|
|
|
|
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
|
|
|
|
/*
|
|
* Bit location of each capability (used by user-space library and kernel)
|
|
*/
|
|
|
|
#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
|
|
#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
/*
|
|
* Internal kernel functions only
|
|
*/
|
|
|
|
#define CAP_FOR_EACH_U32(__capi) \
|
|
for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
|
|
|
|
# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
|
|
| CAP_TO_MASK(CAP_DAC_OVERRIDE) \
|
|
| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
|
|
| CAP_TO_MASK(CAP_FOWNER) \
|
|
| CAP_TO_MASK(CAP_FSETID))
|
|
|
|
# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
|
|
|
|
#if _KERNEL_CAPABILITY_U32S != 2
|
|
# error Fix up hand-coded capability macro initializers
|
|
#else /* HAND-CODED capability initializers */
|
|
|
|
# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
|
|
# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
|
|
# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
|
|
# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
|
|
# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \
|
|
CAP_FS_MASK_B1 } })
|
|
|
|
#endif /* _KERNEL_CAPABILITY_U32S != 2 */
|
|
|
|
#define CAP_INIT_INH_SET CAP_EMPTY_SET
|
|
|
|
# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
|
|
# define cap_set_full(c) do { (c) = __cap_full_set; } while (0)
|
|
# define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0)
|
|
|
|
#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
|
|
#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
|
|
#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
|
|
|
|
#define CAP_BOP_ALL(c, a, b, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
#define CAP_UOP_ALL(c, a, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = OP a.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
static inline kernel_cap_t cap_combine(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, |);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, &);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop(const kernel_cap_t a,
|
|
const kernel_cap_t drop)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, drop, &~);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_invert(const kernel_cap_t c)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_UOP_ALL(dest, c, ~);
|
|
return dest;
|
|
}
|
|
|
|
static inline int cap_isclear(const kernel_cap_t a)
|
|
{
|
|
unsigned __capi;
|
|
CAP_FOR_EACH_U32(__capi) {
|
|
if (a.cap[__capi] != 0)
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
|
|
{
|
|
kernel_cap_t dest;
|
|
dest = cap_drop(a, set);
|
|
return cap_isclear(dest);
|
|
}
|
|
|
|
/* Used to decide between falling back on the old suser() or fsuser(). */
|
|
|
|
static inline int cap_is_fs_cap(int cap)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_fs_set));
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_nfsd_set));
|
|
}
|
|
|
|
extern const kernel_cap_t __cap_empty_set;
|
|
extern const kernel_cap_t __cap_full_set;
|
|
extern const kernel_cap_t __cap_init_eff_set;
|
|
|
|
int capable(int cap);
|
|
int __capable(struct task_struct *t, int cap);
|
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
#endif /* !_LINUX_CAPABILITY_H */
|