-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Serge E. Hallyn wrote:
> Quoting Andrew Morgan ([EMAIL PROTECTED]):
> Serge,
>
> Here is a more fully formed 64-bit capabilities patch than the one I
> sent you last week. Its still subject to a bunch of testing.
>
> [The patch is against Linus' v2.6.24-rc1 tree.]
>
>> Hi Andrew,
>
>> thanks for sending this. I assume you've made some changes by now so I
Yes. I have it working now - with libcap support - still against Linus'
tree. I'll try to address your inline points and port it to Andrew's tree.
>> just looked it over rather than testing now. A few comments inline, but
>> the only fundamental question I'd have is would this in fact become
>> cleaner using a generic bitmap?
Cleaner is one of those terms that means different things to different
folk ;-) My sense is that using a uin64 for all this encourages folk to
take shortcuts and hack up their own manipulation code - for example in
the NFS routines. I'd like to have all of the capability manipulation
code in one central place.
Making these objects into bitmaps, will discourage this; putting all of
the manipulation code into the capabilities header etc. . Now that I
have it all working, I agree that it would benefit from not being
#define's so I'll look a inlining.
>> I have no particular attachment to my own implementation, so you want
>> to keep working with and pushing this one that's fine with me :) Let
>> me know when you're considering it close to done, and I'll do some
>> testing on architectures i have available.
That would be much appreciated.
>> My main motivation for this is to request some sort of CAP_NS_OVERRIDE
>> capability, so it's not urgent, but I would like to be able to ask
>> for it sometimes this year.
Cheers
Andrew
>
>> thanks,
>> -serge
>
> Cheers
>
> Andrew
>From f1e1bab2a71854b4224d3b6f3f3ca187584893e3 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <[EMAIL PROTECTED]>
Date: Sun, 28 Oct 2007 23:36:08 -0700
Subject: [PATCH] This patch adds 64-bit capability support to the kernel.
>>
The patch has supports legacy (32-bit) capability use, and where
possible translates 32-bit capabilities from userspace and the VFS
to kernel space.
- ---
fs/nfsd/auth.c | 8 +-
fs/proc/array.c | 18 +++--
include/linux/capability.h | 191
++++++++++++++++++++++++++++++--------------
kernel/capability.c | 81 +++++++++++++++++--
mm/oom_kill.c | 5 +-
security/commoncap.c | 92 +++++++++++++--------
security/dummy.c | 13 ++-
7 files changed, 284 insertions(+), 124 deletions(-)
>>
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index 2192805..3504093 100644
- --- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -11,8 +11,6 @@
#include <linux/nfsd/nfsd.h>
#include <linux/nfsd/export.h>
- -#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
- -
int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
{
struct exp_flavor_info *f;
@@ -69,10 +67,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct
svc_export *exp)
ret = set_current_groups(cred.cr_group_info);
put_group_info(cred.cr_group_info);
if ((cred.cr_uid)) {
- - cap_t(current->cap_effective) &= ~CAP_NFSD_MASK;
+ cap_drop_nfsd_cap(current->cap_effective);
} else {
- - cap_t(current->cap_effective) |= (CAP_NFSD_MASK &
- - current->cap_permitted);
+ cap_raise_nfsd_cap(current->cap_effective,
+ current->cap_permitted);
}
return ret;
}
diff --git a/fs/proc/array.c b/fs/proc/array.c
index 63c95af..eb9c274 100644
- --- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -288,12 +288,18 @@ static inline char *task_sig(struct task_struct
*p, char *buffer)
static inline char *task_cap(struct task_struct *p, char *buffer)
{
- - return buffer + sprintf(buffer, "CapInh:\t%016x\n"
- - "CapPrm:\t%016x\n"
- - "CapEff:\t%016x\n",
- - cap_t(p->cap_inheritable),
- - cap_t(p->cap_permitted),
- - cap_t(p->cap_effective));
+#if _LINUX_CAPABILITY_U32S != 2
+# error The following code expects 64-bit capabilities
+#endif
+ return buffer + sprintf(buffer, "CapInh:\t%08x%08x\n"
+ "CapPrm:\t%08x%08x\n"
+ "CapEff:\t%08x%08x\n",
+ p->cap_inheritable.cap[1],
+ p->cap_inheritable.cap[0],
+ p->cap_permitted.cap[1],
+ p->cap_permitted.cap[0],
+ p->cap_effective.cap[1],
+ p->cap_effective.cap[0]);
}
static inline char *task_context_switch_counts(struct task_struct *p,
diff --git a/include/linux/capability.h b/include/linux/capability.h
index bb017ed..786aaa7 100644
- --- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -29,7 +29,14 @@ struct task_struct;
library since the draft standard requires the use of malloc/free
etc.. */
- -#define _LINUX_CAPABILITY_VERSION 0x19980330
+#define _LINUX_CAPABILITY_VERSION_1 0x19980330
+#define _LINUX_CAPABILITY_U32S_1 1
+
+#define _LINUX_CAPABILITY_VERSION_2 0x20071026
+#define _LINUX_CAPABILITY_U32S_2 2
+
+#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2
+#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2
typedef struct __user_cap_header_struct {
__u32 version;
@@ -42,41 +49,42 @@ typedef struct __user_cap_data_struct {
__u32 inheritable;
} __user *cap_user_data_t;
+
#define XATTR_CAPS_SUFFIX "capability"
#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
- -#define XATTR_CAPS_SZ (3*sizeof(__le32))
#define VFS_CAP_REVISION_MASK 0xFF000000
+#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
+#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
+
#define VFS_CAP_REVISION_1 0x01000000
+#define VFS_CAP_U32_1 1
+#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
- -#define VFS_CAP_REVISION VFS_CAP_REVISION_1
+#define VFS_CAP_REVISION_2 0x02000000
+#define VFS_CAP_U32_2 2
+#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
+
+#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
+#define VFS_CAP_U32 VFS_CAP_U32_2
+#define VFS_CAP_REVISION VFS_CAP_REVISION_2
- -#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
- -#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
struct vfs_cap_data {
- - __u32 magic_etc; /* Little endian */
- - __u32 permitted; /* Little endian */
- - __u32 inheritable; /* Little endian */
+ __le32 magic_etc; /* Little endian */
+ struct {
+ __le32 permitted; /* Little endian */
+ __le32 inheritable; /* Little endian */
+ } data[VFS_CAP_U32];
};
#ifdef __KERNEL__
- -/* #define STRICT_CAP_T_TYPECHECKS */
> Bold :)
> I'm not opposed, but we'll have to do a great deal of testing on
> lots of architectures with lots of .configs.
- -
- -#ifdef STRICT_CAP_T_TYPECHECKS
- -
typedef struct kernel_cap_struct {
- - __u32 cap;
+ __u32 cap[_LINUX_CAPABILITY_U32S];
} kernel_cap_t;
- -#else
- -
- -typedef __u32 kernel_cap_t;
- -
- -#endif
- -
- -#define _USER_CAP_HEADER_SIZE (2*sizeof(__u32))
+#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
#endif
@@ -119,10 +127,6 @@ typedef __u32 kernel_cap_t;
#define CAP_FSETID 4
- -/* Used to decide between falling back on the old suser() or fsuser(). */
- -
- -#define CAP_FS_MASK 0x1f
- -
/* Overrides the restriction that the real or effective user ID of a
process sending a signal must match the real or effective user ID
of the process receiving the signal. */
@@ -145,8 +149,12 @@ typedef __u32 kernel_cap_t;
** Linux-specific capabilities
**/
- -/* Transfer any capability in your permitted set to any pid,
- - remove any capability in your permitted set from any pid */
+/* Without VFS support for capabilities:
+ * Transfer any capability in your permitted set to any pid,
+ * remove any capability in your permitted set from any pid
+ * With VFS support for capabilities (neither of above, but)
+ * Add any capability to the current process' inheritable set
+ */
#define CAP_SETPCAP 8
@@ -313,64 +321,127 @@ typedef __u32 kernel_cap_t;
* Internal kernel functions only
*/
- -#ifdef STRICT_CAP_T_TYPECHECKS
+#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
+#define CAP_TO_MASK(x) (1 << ((x) & 31))
> What is the purpose of the &31 here?
- -#define to_cap_t(x) { x }
- -#define cap_t(x) (x).cap
+#define CAP_FS_MASK_0 (CAP_TO_MASK(CAP_CHOWN) \
+ |CAP_TO_MASK(CAP_DAC_OVERRIDE) \
+ |CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
+ |CAP_TO_MASK(CAP_FOWNER) \
+ |CAP_TO_MASK(CAP_FSETID))
+#define CAP_NFSD_MASK_0
(CAP_FS_MASK_0|CAP_TO_MASK(CAP_SYS_RESOURCE))
- -#else
+#define CAP_FS_MASK_1 0
+#define CAP_NFSD_MASK_1 CAP_FS_MASK_1
> Hmm, calling these _LO and _HI would be clearer now, but of course
> throws off your 96-bit plans. But it took me a moment to figure out
> what you were doing here especially with the last two lines.
> How about CAP_FS_MASK_B0 and CAP_FS_MASK_B1 for block0 and block1?
- -#define to_cap_t(x) (x)
- -#define cap_t(x) (x)
+#if _LINUX_CAPABILITY_U32S != 2
+# error Fix up hand-coded capability manipulation macros
+#else /* HAND-CODED capability manipulation macros */
> Ok so why not fix it up now, maybe using generic bitmaps like
> Chris suggested, and using static inlines in place of the
> #defines?
- -#endif
+# define CAP_EMPTY_SET {{ 0, 0 }}
+# define CAP_FULL_SET {{ ~0, ~0 }}
+# define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}
+# define cap_clear(c) do { (c).cap[0] = 0; (c).cap[1] = 0; }
while(0)
+# define cap_set_full(c) do { (c).cap[0] = ~0; (c).cap[1] = ~0; }
while(0)
+# define cap_set_init_eff(c) do { (c).cap[0] =
~CAP_TO_MASK(CAP_SETPCAP); \
+ (c).cap[1] = ~0; } while(0)
+# define cap_isclear(c) ( !((c).cap[0] | (c).cap[1]) )
- -#define CAP_EMPTY_SET to_cap_t(0)
- -#define CAP_FULL_SET to_cap_t(~0)
- -#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
- -#define CAP_INIT_INH_SET to_cap_t(0)
+/* Used to decide between falling back on the old suser() or fsuser(). */
- -#define CAP_TO_MASK(x) (1 << (x))
- -#define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag))
- -#define cap_lower(c, flag) (cap_t(c) &= ~CAP_TO_MASK(flag))
- -#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
+# define cap_is_fs_cap(flag) \
+(CAP_TO_MASK(flag) & (CAP_TO_INDEX(flag) ? CAP_FS_MASK_1:CAP_FS_MASK_2))
+
+# define cap_raise_non_fs_cap(c,pcaptoo) do {
\
> Egads, pcaptoo? :)
> These probably should become inline functions rather than #defines.
+ (c).cap[0] |= ~(CAP_FS_MASK_0|((pcaptoo)?CAP_TO_MASK(CAP_SETPCAP):0));\
+ (c).cap[1] |= ~CAP_FS_MASK_1; \
+} while (0)
+
+# define cap_drop_fs_cap(c) do { \
+ (c).cap[0] &= ~CAP_FS_MASK_0; \
+ (c).cap[1] &= ~CAP_FS_MASK_1; \
+} while (0)
+
+# define cap_raise_fs_cap(c) do { \
+ (c).cap[0] |= CAP_FS_MASK_0; \
+ (c).cap[1] |= CAP_FS_MASK_1; \
+} while (0)
+
+# define cap_raise_permitted_fs_cap(c,p) do { \
+ (c).cap[0] |= (p).cap[0] & CAP_FS_MASK_0; \
+ (c).cap[1] |= (p).cap[1] & CAP_FS_MASK_1; \
+} while (0)
+
+# define cap_drop_nfsd_cap(c) do { \
+ (c).cap[0] &= ~CAP_NFSD_MASK_0; \
+ (c).cap[1] &= ~CAP_NFSD_MASK_1; \
+} while (0)
+
+# define cap_raise_nfsd_cap(c,p) do { \
+ (c).cap[0] |= (p).cap[0] & CAP_NFSD_MASK_0; \
+ (c).cap[1] |= (p).cap[1] & CAP_NFSD_MASK_1; \
+} while (0)
+
+#endif /* _LINUX_CAPABILITY_U32S != 2 */
+
+#define CAP_INIT_INH_SET CAP_EMPTY_SET
+
+#define cap_raise(c,flag) ((c).cap[CAP_TO_INDEX(flag)] |=
CAP_TO_MASK(flag))
+#define cap_lower(c,flag) ((c).cap[CAP_TO_INDEX(flag)] &=
~CAP_TO_MASK(flag))
+#define cap_raised(c,flag) ((c).cap[CAP_TO_INDEX(flag)] &
CAP_TO_MASK(flag))
+
+#define CAP_BOP_ALL(c, a, b, OP) \
+do { \
+ int __capi; \
+ for (__capi=0; __capi<_LINUX_CAPABILITY_U32S; ++__capi) { \
+ c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
+ } \
+} while (0)
+
+#define CAP_UOP_ALL(c, a, OP) \
+do { \
+ int __capi; \
+ for (__capi=0; __capi<_LINUX_CAPABILITY_U32S; ++__capi) { \
+ c.cap[__capi] = OP a.cap[__capi]; \
+ } \
+} while (0)
static inline kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b)
{
- - kernel_cap_t dest;
- - cap_t(dest) = cap_t(a) | cap_t(b);
- - return dest;
+ kernel_cap_t dest;
+ CAP_BOP_ALL(dest, a, b, |);
+ return dest;
}
static inline kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b)
{
- - kernel_cap_t dest;
- - cap_t(dest) = cap_t(a) & cap_t(b);
- - return dest;
+ kernel_cap_t dest;
+ CAP_BOP_ALL(dest, a, b, &);
+ return dest;
}
static inline kernel_cap_t cap_drop(kernel_cap_t a, kernel_cap_t drop)
{
- - kernel_cap_t dest;
- - cap_t(dest) = cap_t(a) & ~cap_t(drop);
- - return dest;
+ kernel_cap_t dest;
+ CAP_BOP_ALL(dest, a, drop, &~);
+ return dest;
}
static inline kernel_cap_t cap_invert(kernel_cap_t c)
{
- - kernel_cap_t dest;
- - cap_t(dest) = ~cap_t(c);
- - return dest;
+ kernel_cap_t dest;
+ CAP_UOP_ALL(dest, c, ~);
+ return dest;
}
- -#define cap_isclear(c) (!cap_t(c))
- -#define cap_issubset(a,set) (!(cap_t(a) & ~cap_t(set)))
- -
- -#define cap_clear(c) do { cap_t(c) = 0; } while(0)
- -#define cap_set_full(c) do { cap_t(c) = ~0; } while(0)
- -#define cap_mask(c,mask) do { cap_t(c) &= cap_t(mask); } while(0)
+static inline int cap_issubset(kernel_cap_t a, kernel_cap_t set)
+{
+ kernel_cap_t dest;
+ dest = cap_drop(a, set);
+ return cap_isclear(dest);
+}
- -#define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
+#define cap_mask(c, mask) do { c = cap_intersect(c, mask); } while(0)
int capable(int cap);
int __capable(struct task_struct *t, int cap);
diff --git a/kernel/capability.c b/kernel/capability.c
index efbd9cd..e60b487 100644
- --- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -38,16 +38,31 @@ static DEFINE_SPINLOCK(task_capability_lock);
*/
asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t
dataptr)
{
+ static int warned = 0;
int ret = 0;
pid_t pid;
__u32 version;
struct task_struct *target;
- - struct __user_cap_data_struct data;
+ unsigned tocopy;
+ kernel_cap_t pE, pI, pP;
if (get_user(version, &header->version))
return -EFAULT;
- - if (version != _LINUX_CAPABILITY_VERSION) {
+ switch (version) {
+ case _LINUX_CAPABILITY_VERSION_1:
+ if (warned < 5) {
+ warned++;
+ printk(KERN_INFO
+ "warning: process `%s' gets w/ old libcap\n",
+ current->comm);
+ }
+ tocopy = _LINUX_CAPABILITY_U32S_1;
+ break;
+ case _LINUX_CAPABILITY_VERSION_2:
+ tocopy = _LINUX_CAPABILITY_U32S_2;
+ break;
+ default:
if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
return -EFAULT;
return -EINVAL;
@@ -71,14 +86,34 @@ asmlinkage long sys_capget(cap_user_header_t header,
cap_user_data_t dataptr)
} else
target = current;
- - ret = security_capget(target, &data.effective, &data.inheritable,
&data.permitted);
+ ret = security_capget(target, &pE, &pI, &pP);
out:
read_unlock(&tasklist_lock);
spin_unlock(&task_capability_lock);
- - if (!ret && copy_to_user(dataptr, &data, sizeof data))
- - return -EFAULT;
+ if (!ret) {
+ struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
+ unsigned i;
+
+ for (i=0; i<tocopy; i++) {
+ kdata[i].effective = pE.cap[i];
+ kdata[i].permitted = pP.cap[i];
+ kdata[i].inheritable = pP.cap[i];
+ }
+ while (i<_LINUX_CAPABILITY_U32S) {
+ if (pE.cap[i] || pP.cap[i] || pP.cap[i]) {
+ /* Cannot represent w/ legacy structure */
+ return -EINVAL;
+ }
+ i++;
+ }
+
+ if (copy_to_user(dataptr, kdata, tocopy
+ * sizeof(struct __user_cap_data_struct))) {
+ return -EFAULT;
+ }
+ }
> The function definately needs to be reworked to clean up the flow
> at this point, but it looks correct. In my own version I got it
> wrong at least twice before it worked :)
return ret;
}
@@ -167,6 +202,9 @@ static inline int cap_set_all(kernel_cap_t *effective,
*/
asmlinkage long sys_capset(cap_user_header_t header, const
cap_user_data_t data)
{
+ static int warned = 0;
+ struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
+ unsigned i, tocopy;
kernel_cap_t inheritable, permitted, effective;
__u32 version;
struct task_struct *target;
@@ -176,7 +214,20 @@ asmlinkage long sys_capset(cap_user_header_t
header, const cap_user_data_t data)
if (get_user(version, &header->version))
return -EFAULT;
- - if (version != _LINUX_CAPABILITY_VERSION) {
+ switch (version) {
+ case _LINUX_CAPABILITY_VERSION_1:
+ if (warned < 5) {
+ warned++;
+ printk(KERN_INFO
+ "warning: process `%s' sets w/ old libcap\n",
+ current->comm);
+ }
+ tocopy = _LINUX_CAPABILITY_U32S_1;
+ break;
+ case _LINUX_CAPABILITY_VERSION_2:
+ tocopy = _LINUX_CAPABILITY_U32S_2;
+ break;
+ default:
if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
return -EFAULT;
return -EINVAL;
@@ -188,10 +239,22 @@ asmlinkage long sys_capset(cap_user_header_t
header, const cap_user_data_t data)
if (pid && pid != task_pid_vnr(current) && !capable(CAP_SETPCAP))
return -EPERM;
- - if (copy_from_user(&effective, &data->effective, sizeof(effective)) ||
- - copy_from_user(&inheritable, &data->inheritable,
sizeof(inheritable)) ||
- - copy_from_user(&permitted, &data->permitted, sizeof(permitted)))
+ if (copy_from_user(&kdata, data, tocopy
+ * sizeof(struct __user_cap_data_struct))) {
return -EFAULT;
+ }
+
+ for (i=0; i<tocopy; i++) {
+ effective.cap[i] = kdata[i].effective;
+ permitted.cap[i] = kdata[i].permitted;
+ inheritable.cap[i] = kdata[i].inheritable;
+ }
+ while (i<_LINUX_CAPABILITY_U32S) {
+ effective.cap[i] = 0;
+ permitted.cap[i] = 0;
+ inheritable.cap[i] = 0;
+ i++;
+ }
spin_lock(&task_capability_lock);
read_lock(&tasklist_lock);
diff --git a/mm/oom_kill.c b/mm/oom_kill.c
index 91a081a..8791c26 100644
- --- a/mm/oom_kill.c
+++ b/mm/oom_kill.c
@@ -125,8 +125,7 @@ unsigned long badness(struct task_struct *p,
unsigned long uptime)
* Superuser processes are usually more important, so we make it
* less likely that we kill those.
*/
- - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
- - p->uid == 0 || p->euid == 0)
+ if (__capable(p, CAP_SYS_ADMIN) || p->uid == 0 || p->euid == 0)
points /= 4;
/*
@@ -135,7 +134,7 @@ unsigned long badness(struct task_struct *p,
unsigned long uptime)
* tend to only have this flag set on applications they think
* of as important.
*/
- - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
+ if (__capable(p, CAP_SYS_RAWIO))
points /= 4;
/*
diff --git a/security/commoncap.c b/security/commoncap.c
index bf67871..b97da15 100644
- --- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1,4 +1,4 @@
- -/* Common capabilities, needed by capability.o and root_plug.o
+/* Common capabilities, needed by capability.o and root_plug.o
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -87,9 +87,9 @@ int cap_capget (struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
/* Derived from kernel/capability.c:sys_capget. */
- - *effective = cap_t (target->cap_effective);
- - *inheritable = cap_t (target->cap_inheritable);
- - *permitted = cap_t (target->cap_permitted);
+ *effective = target->cap_effective;
+ *inheritable = target->cap_inheritable;
+ *permitted = target->cap_permitted;
return 0;
}
@@ -191,28 +191,51 @@ int cap_inode_killpriv(struct dentry *dentry)
}
static inline int cap_from_disk(struct vfs_cap_data *caps,
- - struct linux_binprm *bprm,
- - int size)
+ struct linux_binprm *bprm, unsigned size)
{
__u32 magic_etc;
+ unsigned tocopy, i;
- - if (size != XATTR_CAPS_SZ)
+ if (size < sizeof(magic_etc)) {
return -EINVAL;
+ }
- - magic_etc = le32_to_cpu(caps->magic_etc);
+ magic_etc = le32_to_cpu(caps.magic_etc);
switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
- - case VFS_CAP_REVISION:
- - if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
- - bprm->cap_effective = true;
- - else
- - bprm->cap_effective = false;
- - bprm->cap_permitted = to_cap_t(le32_to_cpu(caps->permitted));
- - bprm->cap_inheritable =
to_cap_t(le32_to_cpu(caps->inheritable));
- - return 0;
+ case VFS_CAP_REVISION_1:
+ if (size != XATTR_CAPS_SZ_1) {
+ return -EINVAL;
+ }
+ tocopy = VFS_CAP_U32_1;
+ break;
+ case VFS_CAP_REVISION_2:
+ if (size != XATTR_CAPS_SZ_2) {
+ return -EINVAL;
+ }
+ tocopy = VFS_CAP_U32_2;
+ break;
default:
return -EINVAL;
}
+
+ if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
+ bprm->cap_effective = true;
+ } else {
+ bprm->cap_effective = false;
+ }
+
+ for (i=0; i<tocopy; ++i) {
+ bprm->cap_permitted[i] = le32_to_cpu(caps.data[i].permitted);
+ bprm->cap_inheritable[i] =
+ le32_to_cpu(caps.data[i].inheritable);
+ }
+ for (i=tocopy; i<VFS_CAP_U32; ++i) {
+ bprm->cap_permitted[i] = 0;
+ bprm->cap_inheritable[i] = 0;
+ }
+
+ return 0;
}
/* Locate any VFS capabilities: */
@@ -220,7 +243,7 @@ static int get_file_caps(struct linux_binprm *bprm)
{
struct dentry *dentry;
int rc = 0;
- - struct vfs_cap_data incaps;
+ struct vfs_cap_data vcaps;
struct inode *inode;
if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
@@ -233,14 +256,8 @@ static int get_file_caps(struct linux_binprm *bprm)
if (!inode->i_op || !inode->i_op->getxattr)
goto out;
- - rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
- - if (rc > 0) {
- - if (rc == XATTR_CAPS_SZ)
- - rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS,
- - &incaps, XATTR_CAPS_SZ);
- - else
- - rc = -EINVAL;
- - }
+ rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
+ XATTR_CAPS_SZ);
if (rc == -ENODATA || rc == -EOPNOTSUPP) {
/* no data, that's ok */
rc = 0;
@@ -249,7 +266,7 @@ static int get_file_caps(struct linux_binprm *bprm)
if (rc < 0)
goto out;
- - rc = cap_from_disk(&incaps, bprm, rc);
+ rc = cap_from_disk(vcaps, bprm, rc);
if (rc)
printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
__FUNCTION__, rc, bprm->filename);
@@ -344,8 +361,11 @@ void cap_bprm_apply_creds (struct linux_binprm
*bprm, int unsafe)
* capability rules */
if (!is_global_init(current)) {
current->cap_permitted = new_permitted;
- - current->cap_effective = bprm->cap_effective ?
- - new_permitted : 0;
+ if (bprm->cap_effective) {
+ current->cap_effective = new_permitted;
+ } else {
+ cap_clear(current->cap_effective);
+ }
}
/* AUD: Audit candidate if current->cap_effective is set */
@@ -467,13 +487,13 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t
old_euid, uid_t old_suid,
if (!issecure (SECURE_NO_SETUID_FIXUP)) {
if (old_fsuid == 0 && current->fsuid != 0) {
- - cap_t (current->cap_effective) &=
- - ~CAP_FS_MASK;
+ cap_drop_fs_cap(
+ current->cap_effective);
}
if (old_fsuid != 0 && current->fsuid == 0) {
- - cap_t (current->cap_effective) |=
- - (cap_t (current->cap_permitted) &
- - CAP_FS_MASK);
+ cap_raise_permitted_fs_cap(
+ current->cap_effective,
+ current->cap_permitted);
}
}
break;
@@ -564,9 +584,9 @@ int cap_task_kill(struct task_struct *p, struct
siginfo *info,
void cap_task_reparent_to_init (struct task_struct *p)
{
- - p->cap_effective = CAP_INIT_EFF_SET;
- - p->cap_inheritable = CAP_INIT_INH_SET;
- - p->cap_permitted = CAP_FULL_SET;
+ cap_set_init_eff(p->cap_effective);
+ cap_clear(p->cap_inheritable);
+ cap_set_full(p->cap_permitted);
p->keep_capabilities = 0;
return;
}
diff --git a/security/dummy.c b/security/dummy.c
index 6d895ad..e55069c 100644
- --- a/security/dummy.c
+++ b/security/dummy.c
@@ -36,14 +36,17 @@ static int dummy_ptrace (struct task_struct *parent,
struct task_struct *child)
static int dummy_capget (struct task_struct *target, kernel_cap_t *
effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted)
{
- - *effective = *inheritable = *permitted = 0;
+ cap_clear(*effective);
+ cap_clear(*inheritable);
+ cap_clear(*permitted);
+
if (target->euid == 0) {
- - *permitted |= (~0 & ~CAP_FS_MASK);
- - *effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK);
+ cap_raise_non_fs_cap(*permitted, 1);
+ cap_raise_non_fs_cap(*effective, 0);
> 1 and 0 need to be replaced with understandable #defines, maybe
> WITH_PCAP and WITHOUT_PCAP.
}
if (target->fsuid == 0) {
- - *permitted |= CAP_FS_MASK;
- - *effective |= CAP_FS_MASK;
+ cap_raise_fs_cap(*permitted);
+ cap_raise_fs_cap(*effective);
}
return 0;
}
- --
1.5.1.3
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFHKXmmQheEq9QabfIRAjV6AJ9R1sfv3uLbveGs7xU6w7iTv14a7ACfaBzw
pHYyfbk/YAZXof+v+QPfgcg=
=GOEN
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
