mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-22 20:23:57 +08:00
6cc7a765c2
Up till now the IP{,V6}_TRANSPARENT socket options (which actually set the same bit in the socket struct) have required CAP_NET_ADMIN privileges to set or clear the option. - we make clearing the bit not require any privileges. - we allow CAP_NET_ADMIN to set the bit (as before this change) - we allow CAP_NET_RAW to set this bit, because raw sockets already pretty much effectively allow you to emulate socket transparency. Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
558 lines
17 KiB
C
558 lines
17 KiB
C
/*
|
|
* This is <linux/capability.h>
|
|
*
|
|
* Andrew G. Morgan <morgan@kernel.org>
|
|
* Alexander Kjeldaas <astor@guardian.no>
|
|
* with help from Aleph1, Roland Buresund and Andrew Main.
|
|
*
|
|
* See here for the libcap library ("POSIX draft" compliance):
|
|
*
|
|
* ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
|
|
*/
|
|
|
|
#ifndef _LINUX_CAPABILITY_H
|
|
#define _LINUX_CAPABILITY_H
|
|
|
|
#include <linux/types.h>
|
|
|
|
struct task_struct;
|
|
|
|
/* User-level do most of the mapping between kernel and user
|
|
capabilities based on the version tag given by the kernel. The
|
|
kernel might be somewhat backwards compatible, but don't bet on
|
|
it. */
|
|
|
|
/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
|
|
a set of three capability sets. The transposition of 3*the
|
|
following structure to such a composite is better handled in a user
|
|
library since the draft standard requires the use of malloc/free
|
|
etc.. */
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_1 0x19980330
|
|
#define _LINUX_CAPABILITY_U32S_1 1
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
|
|
#define _LINUX_CAPABILITY_U32S_2 2
|
|
|
|
#define _LINUX_CAPABILITY_VERSION_3 0x20080522
|
|
#define _LINUX_CAPABILITY_U32S_3 2
|
|
|
|
typedef struct __user_cap_header_struct {
|
|
__u32 version;
|
|
int pid;
|
|
} __user *cap_user_header_t;
|
|
|
|
typedef struct __user_cap_data_struct {
|
|
__u32 effective;
|
|
__u32 permitted;
|
|
__u32 inheritable;
|
|
} __user *cap_user_data_t;
|
|
|
|
|
|
#define VFS_CAP_REVISION_MASK 0xFF000000
|
|
#define VFS_CAP_REVISION_SHIFT 24
|
|
#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
|
|
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
|
|
|
|
#define VFS_CAP_REVISION_1 0x01000000
|
|
#define VFS_CAP_U32_1 1
|
|
#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
|
|
|
|
#define VFS_CAP_REVISION_2 0x02000000
|
|
#define VFS_CAP_U32_2 2
|
|
#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
|
|
|
|
#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
|
|
#define VFS_CAP_U32 VFS_CAP_U32_2
|
|
#define VFS_CAP_REVISION VFS_CAP_REVISION_2
|
|
|
|
struct vfs_cap_data {
|
|
__le32 magic_etc; /* Little endian */
|
|
struct {
|
|
__le32 permitted; /* Little endian */
|
|
__le32 inheritable; /* Little endian */
|
|
} data[VFS_CAP_U32];
|
|
};
|
|
|
|
#ifndef __KERNEL__
|
|
|
|
/*
|
|
* Backwardly compatible definition for source code - trapped in a
|
|
* 32-bit world. If you find you need this, please consider using
|
|
* libcap to untrap yourself...
|
|
*/
|
|
#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1
|
|
#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1
|
|
|
|
#else
|
|
|
|
#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
|
|
#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
|
|
|
|
extern int file_caps_enabled;
|
|
|
|
typedef struct kernel_cap_struct {
|
|
__u32 cap[_KERNEL_CAPABILITY_U32S];
|
|
} kernel_cap_t;
|
|
|
|
/* exact same as vfs_cap_data but in cpu endian and always filled completely */
|
|
struct cpu_vfs_cap_data {
|
|
__u32 magic_etc;
|
|
kernel_cap_t permitted;
|
|
kernel_cap_t inheritable;
|
|
};
|
|
|
|
#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
|
|
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
|
|
|
|
#endif
|
|
|
|
|
|
/**
|
|
** POSIX-draft defined capabilities.
|
|
**/
|
|
|
|
/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
|
|
overrides the restriction of changing file ownership and group
|
|
ownership. */
|
|
|
|
#define CAP_CHOWN 0
|
|
|
|
/* Override all DAC access, including ACL execute access if
|
|
[_POSIX_ACL] is defined. Excluding DAC access covered by
|
|
CAP_LINUX_IMMUTABLE. */
|
|
|
|
#define CAP_DAC_OVERRIDE 1
|
|
|
|
/* Overrides all DAC restrictions regarding read and search on files
|
|
and directories, including ACL restrictions if [_POSIX_ACL] is
|
|
defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
|
|
|
|
#define CAP_DAC_READ_SEARCH 2
|
|
|
|
/* Overrides all restrictions about allowed operations on files, where
|
|
file owner ID must be equal to the user ID, except where CAP_FSETID
|
|
is applicable. It doesn't override MAC and DAC restrictions. */
|
|
|
|
#define CAP_FOWNER 3
|
|
|
|
/* Overrides the following restrictions that the effective user ID
|
|
shall match the file owner ID when setting the S_ISUID and S_ISGID
|
|
bits on that file; that the effective group ID (or one of the
|
|
supplementary group IDs) shall match the file owner ID when setting
|
|
the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
|
|
cleared on successful return from chown(2) (not implemented). */
|
|
|
|
#define CAP_FSETID 4
|
|
|
|
/* Overrides the restriction that the real or effective user ID of a
|
|
process sending a signal must match the real or effective user ID
|
|
of the process receiving the signal. */
|
|
|
|
#define CAP_KILL 5
|
|
|
|
/* Allows setgid(2) manipulation */
|
|
/* Allows setgroups(2) */
|
|
/* Allows forged gids on socket credentials passing. */
|
|
|
|
#define CAP_SETGID 6
|
|
|
|
/* Allows set*uid(2) manipulation (including fsuid). */
|
|
/* Allows forged pids on socket credentials passing. */
|
|
|
|
#define CAP_SETUID 7
|
|
|
|
|
|
/**
|
|
** Linux-specific capabilities
|
|
**/
|
|
|
|
/* Without VFS support for capabilities:
|
|
* Transfer any capability in your permitted set to any pid,
|
|
* remove any capability in your permitted set from any pid
|
|
* With VFS support for capabilities (neither of above, but)
|
|
* Add any capability from current's capability bounding set
|
|
* to the current process' inheritable set
|
|
* Allow taking bits out of capability bounding set
|
|
* Allow modification of the securebits for a process
|
|
*/
|
|
|
|
#define CAP_SETPCAP 8
|
|
|
|
/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
|
|
|
|
#define CAP_LINUX_IMMUTABLE 9
|
|
|
|
/* Allows binding to TCP/UDP sockets below 1024 */
|
|
/* Allows binding to ATM VCIs below 32 */
|
|
|
|
#define CAP_NET_BIND_SERVICE 10
|
|
|
|
/* Allow broadcasting, listen to multicast */
|
|
|
|
#define CAP_NET_BROADCAST 11
|
|
|
|
/* Allow interface configuration */
|
|
/* Allow administration of IP firewall, masquerading and accounting */
|
|
/* Allow setting debug option on sockets */
|
|
/* Allow modification of routing tables */
|
|
/* Allow setting arbitrary process / process group ownership on
|
|
sockets */
|
|
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
|
|
/* Allow setting TOS (type of service) */
|
|
/* Allow setting promiscuous mode */
|
|
/* Allow clearing driver statistics */
|
|
/* Allow multicasting */
|
|
/* Allow read/write of device-specific registers */
|
|
/* Allow activation of ATM control sockets */
|
|
|
|
#define CAP_NET_ADMIN 12
|
|
|
|
/* Allow use of RAW sockets */
|
|
/* Allow use of PACKET sockets */
|
|
/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */
|
|
|
|
#define CAP_NET_RAW 13
|
|
|
|
/* Allow locking of shared memory segments */
|
|
/* Allow mlock and mlockall (which doesn't really have anything to do
|
|
with IPC) */
|
|
|
|
#define CAP_IPC_LOCK 14
|
|
|
|
/* Override IPC ownership checks */
|
|
|
|
#define CAP_IPC_OWNER 15
|
|
|
|
/* Insert and remove kernel modules - modify kernel without limit */
|
|
#define CAP_SYS_MODULE 16
|
|
|
|
/* Allow ioperm/iopl access */
|
|
/* Allow sending USB messages to any device via /proc/bus/usb */
|
|
|
|
#define CAP_SYS_RAWIO 17
|
|
|
|
/* Allow use of chroot() */
|
|
|
|
#define CAP_SYS_CHROOT 18
|
|
|
|
/* Allow ptrace() of any process */
|
|
|
|
#define CAP_SYS_PTRACE 19
|
|
|
|
/* Allow configuration of process accounting */
|
|
|
|
#define CAP_SYS_PACCT 20
|
|
|
|
/* Allow configuration of the secure attention key */
|
|
/* Allow administration of the random device */
|
|
/* Allow examination and configuration of disk quotas */
|
|
/* Allow setting the domainname */
|
|
/* Allow setting the hostname */
|
|
/* Allow calling bdflush() */
|
|
/* Allow mount() and umount(), setting up new smb connection */
|
|
/* Allow some autofs root ioctls */
|
|
/* Allow nfsservctl */
|
|
/* Allow VM86_REQUEST_IRQ */
|
|
/* Allow to read/write pci config on alpha */
|
|
/* Allow irix_prctl on mips (setstacksize) */
|
|
/* Allow flushing all cache on m68k (sys_cacheflush) */
|
|
/* Allow removing semaphores */
|
|
/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
|
|
and shared memory */
|
|
/* Allow locking/unlocking of shared memory segment */
|
|
/* Allow turning swap on/off */
|
|
/* Allow forged pids on socket credentials passing */
|
|
/* Allow setting readahead and flushing buffers on block devices */
|
|
/* Allow setting geometry in floppy driver */
|
|
/* Allow turning DMA on/off in xd driver */
|
|
/* Allow administration of md devices (mostly the above, but some
|
|
extra ioctls) */
|
|
/* Allow tuning the ide driver */
|
|
/* Allow access to the nvram device */
|
|
/* Allow administration of apm_bios, serial and bttv (TV) device */
|
|
/* Allow manufacturer commands in isdn CAPI support driver */
|
|
/* Allow reading non-standardized portions of pci configuration space */
|
|
/* Allow DDI debug ioctl on sbpcd driver */
|
|
/* Allow setting up serial ports */
|
|
/* Allow sending raw qic-117 commands */
|
|
/* Allow enabling/disabling tagged queuing on SCSI controllers and sending
|
|
arbitrary SCSI commands */
|
|
/* Allow setting encryption key on loopback filesystem */
|
|
/* Allow setting zone reclaim policy */
|
|
|
|
#define CAP_SYS_ADMIN 21
|
|
|
|
/* Allow use of reboot() */
|
|
|
|
#define CAP_SYS_BOOT 22
|
|
|
|
/* Allow raising priority and setting priority on other (different
|
|
UID) processes */
|
|
/* Allow use of FIFO and round-robin (realtime) scheduling on own
|
|
processes and setting the scheduling algorithm used by another
|
|
process. */
|
|
/* Allow setting cpu affinity on other processes */
|
|
|
|
#define CAP_SYS_NICE 23
|
|
|
|
/* Override resource limits. Set resource limits. */
|
|
/* Override quota limits. */
|
|
/* Override reserved space on ext2 filesystem */
|
|
/* Modify data journaling mode on ext3 filesystem (uses journaling
|
|
resources) */
|
|
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
|
|
you can override using fsuid too */
|
|
/* Override size restrictions on IPC message queues */
|
|
/* Allow more than 64hz interrupts from the real-time clock */
|
|
/* Override max number of consoles on console allocation */
|
|
/* Override max number of keymaps */
|
|
|
|
#define CAP_SYS_RESOURCE 24
|
|
|
|
/* Allow manipulation of system clock */
|
|
/* Allow irix_stime on mips */
|
|
/* Allow setting the real-time clock */
|
|
|
|
#define CAP_SYS_TIME 25
|
|
|
|
/* Allow configuration of tty devices */
|
|
/* Allow vhangup() of tty */
|
|
|
|
#define CAP_SYS_TTY_CONFIG 26
|
|
|
|
/* Allow the privileged aspects of mknod() */
|
|
|
|
#define CAP_MKNOD 27
|
|
|
|
/* Allow taking of leases on files */
|
|
|
|
#define CAP_LEASE 28
|
|
|
|
#define CAP_AUDIT_WRITE 29
|
|
|
|
#define CAP_AUDIT_CONTROL 30
|
|
|
|
#define CAP_SETFCAP 31
|
|
|
|
/* Override MAC access.
|
|
The base kernel enforces no MAC policy.
|
|
An LSM may enforce a MAC policy, and if it does and it chooses
|
|
to implement capability based overrides of that policy, this is
|
|
the capability it should use to do so. */
|
|
|
|
#define CAP_MAC_OVERRIDE 32
|
|
|
|
/* Allow MAC configuration or state changes.
|
|
The base kernel requires no MAC configuration.
|
|
An LSM may enforce a MAC policy, and if it does and it chooses
|
|
to implement capability based checks on modifications to that
|
|
policy or the data required to maintain it, this is the
|
|
capability it should use to do so. */
|
|
|
|
#define CAP_MAC_ADMIN 33
|
|
|
|
/* Allow configuring the kernel's syslog (printk behaviour) */
|
|
|
|
#define CAP_SYSLOG 34
|
|
|
|
/* Allow triggering something that will wake the system */
|
|
|
|
#define CAP_WAKE_ALARM 35
|
|
|
|
|
|
#define CAP_LAST_CAP CAP_WAKE_ALARM
|
|
|
|
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
|
|
|
|
/*
|
|
* Bit location of each capability (used by user-space library and kernel)
|
|
*/
|
|
|
|
#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
|
|
#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
struct dentry;
|
|
struct user_namespace;
|
|
|
|
struct user_namespace *current_user_ns(void);
|
|
|
|
extern const kernel_cap_t __cap_empty_set;
|
|
extern const kernel_cap_t __cap_full_set;
|
|
extern const kernel_cap_t __cap_init_eff_set;
|
|
|
|
/*
|
|
* Internal kernel functions only
|
|
*/
|
|
|
|
#define CAP_FOR_EACH_U32(__capi) \
|
|
for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
|
|
|
|
/*
|
|
* CAP_FS_MASK and CAP_NFSD_MASKS:
|
|
*
|
|
* The fs mask is all the privileges that fsuid==0 historically meant.
|
|
* At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
|
|
*
|
|
* It has never meant setting security.* and trusted.* xattrs.
|
|
*
|
|
* We could also define fsmask as follows:
|
|
* 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
|
|
* 2. The security.* and trusted.* xattrs are fs-related MAC permissions
|
|
*/
|
|
|
|
# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
|
|
| CAP_TO_MASK(CAP_MKNOD) \
|
|
| CAP_TO_MASK(CAP_DAC_OVERRIDE) \
|
|
| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
|
|
| CAP_TO_MASK(CAP_FOWNER) \
|
|
| CAP_TO_MASK(CAP_FSETID))
|
|
|
|
# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
|
|
|
|
#if _KERNEL_CAPABILITY_U32S != 2
|
|
# error Fix up hand-coded capability macro initializers
|
|
#else /* HAND-CODED capability initializers */
|
|
|
|
# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
|
|
# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
|
|
# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
|
| CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
|
|
CAP_FS_MASK_B1 } })
|
|
# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
|
| CAP_TO_MASK(CAP_SYS_RESOURCE), \
|
|
CAP_FS_MASK_B1 } })
|
|
|
|
#endif /* _KERNEL_CAPABILITY_U32S != 2 */
|
|
|
|
# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
|
|
|
|
#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
|
|
#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
|
|
#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
|
|
|
|
#define CAP_BOP_ALL(c, a, b, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
#define CAP_UOP_ALL(c, a, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = OP a.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
static inline kernel_cap_t cap_combine(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, |);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, &);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop(const kernel_cap_t a,
|
|
const kernel_cap_t drop)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, drop, &~);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_invert(const kernel_cap_t c)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_UOP_ALL(dest, c, ~);
|
|
return dest;
|
|
}
|
|
|
|
static inline int cap_isclear(const kernel_cap_t a)
|
|
{
|
|
unsigned __capi;
|
|
CAP_FOR_EACH_U32(__capi) {
|
|
if (a.cap[__capi] != 0)
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* Check if "a" is a subset of "set".
|
|
* return 1 if ALL of the capabilities in "a" are also in "set"
|
|
* cap_issubset(0101, 1111) will return 1
|
|
* return 0 if ANY of the capabilities in "a" are not in "set"
|
|
* cap_issubset(1111, 0101) will return 0
|
|
*/
|
|
static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
|
|
{
|
|
kernel_cap_t dest;
|
|
dest = cap_drop(a, set);
|
|
return cap_isclear(dest);
|
|
}
|
|
|
|
/* Used to decide between falling back on the old suser() or fsuser(). */
|
|
|
|
static inline int cap_is_fs_cap(int cap)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_fs_set));
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_nfsd_set));
|
|
}
|
|
|
|
extern bool has_capability(struct task_struct *t, int cap);
|
|
extern bool has_ns_capability(struct task_struct *t,
|
|
struct user_namespace *ns, int cap);
|
|
extern bool has_capability_noaudit(struct task_struct *t, int cap);
|
|
extern bool capable(int cap);
|
|
extern bool ns_capable(struct user_namespace *ns, int cap);
|
|
extern bool task_ns_capable(struct task_struct *t, int cap);
|
|
extern bool nsown_capable(int cap);
|
|
|
|
/* audit system wants to get cap info from files as well */
|
|
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
|
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
#endif /* !_LINUX_CAPABILITY_H */
|