Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */
2 : /*
3 : * This is <linux/capability.h>
4 : *
5 : * Andrew G. Morgan <morgan@kernel.org>
6 : * Alexander Kjeldaas <astor@guardian.no>
7 : * with help from Aleph1, Roland Buresund and Andrew Main.
8 : *
9 : * See here for the libcap library ("POSIX draft" compliance):
10 : *
11 : * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
12 : */
13 : #ifndef _LINUX_CAPABILITY_H
14 : #define _LINUX_CAPABILITY_H
15 :
16 : #include <uapi/linux/capability.h>
17 : #include <linux/uidgid.h>
18 :
19 : #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
20 : #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
21 :
22 : extern int file_caps_enabled;
23 :
24 : typedef struct kernel_cap_struct {
25 : __u32 cap[_KERNEL_CAPABILITY_U32S];
26 : } kernel_cap_t;
27 :
28 : /* same as vfs_ns_cap_data but in cpu endian and always filled completely */
29 : struct cpu_vfs_cap_data {
30 : __u32 magic_etc;
31 : kernel_cap_t permitted;
32 : kernel_cap_t inheritable;
33 : kuid_t rootid;
34 : };
35 :
36 : #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
37 : #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
38 :
39 :
40 : struct file;
41 : struct inode;
42 : struct dentry;
43 : struct task_struct;
44 : struct user_namespace;
45 :
46 : extern const kernel_cap_t __cap_empty_set;
47 : extern const kernel_cap_t __cap_init_eff_set;
48 :
49 : /*
50 : * Internal kernel functions only
51 : */
52 :
53 : #define CAP_FOR_EACH_U32(__capi) \
54 : for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
55 :
56 : /*
57 : * CAP_FS_MASK and CAP_NFSD_MASKS:
58 : *
59 : * The fs mask is all the privileges that fsuid==0 historically meant.
60 : * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
61 : *
62 : * It has never meant setting security.* and trusted.* xattrs.
63 : *
64 : * We could also define fsmask as follows:
65 : * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
66 : * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
67 : */
68 :
69 : # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
70 : | CAP_TO_MASK(CAP_MKNOD) \
71 : | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
72 : | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
73 : | CAP_TO_MASK(CAP_FOWNER) \
74 : | CAP_TO_MASK(CAP_FSETID))
75 :
76 : # define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
77 :
78 : #if _KERNEL_CAPABILITY_U32S != 2
79 : # error Fix up hand-coded capability macro initializers
80 : #else /* HAND-CODED capability initializers */
81 :
82 : #define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1)
83 : #define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
84 :
85 : # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
86 : # define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
87 : # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
88 : | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
89 : CAP_FS_MASK_B1 } })
90 : # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
91 : | CAP_TO_MASK(CAP_SYS_RESOURCE), \
92 : CAP_FS_MASK_B1 } })
93 :
94 : #endif /* _KERNEL_CAPABILITY_U32S != 2 */
95 :
96 : # define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
97 :
98 : #define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
99 : #define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
100 : #define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
101 :
102 : #define CAP_BOP_ALL(c, a, b, OP) \
103 : do { \
104 : unsigned __capi; \
105 : CAP_FOR_EACH_U32(__capi) { \
106 : c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
107 : } \
108 : } while (0)
109 :
110 : #define CAP_UOP_ALL(c, a, OP) \
111 : do { \
112 : unsigned __capi; \
113 : CAP_FOR_EACH_U32(__capi) { \
114 : c.cap[__capi] = OP a.cap[__capi]; \
115 : } \
116 : } while (0)
117 :
118 3622 : static inline kernel_cap_t cap_combine(const kernel_cap_t a,
119 : const kernel_cap_t b)
120 : {
121 3622 : kernel_cap_t dest;
122 10866 : CAP_BOP_ALL(dest, a, b, |);
123 3622 : return dest;
124 : }
125 :
126 477 : static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
127 : const kernel_cap_t b)
128 : {
129 5057 : kernel_cap_t dest;
130 16602 : CAP_BOP_ALL(dest, a, b, &);
131 956 : return dest;
132 : }
133 :
134 14983 : static inline kernel_cap_t cap_drop(const kernel_cap_t a,
135 : const kernel_cap_t drop)
136 : {
137 14983 : kernel_cap_t dest;
138 44949 : CAP_BOP_ALL(dest, a, drop, &~);
139 14983 : return dest;
140 : }
141 :
142 : static inline kernel_cap_t cap_invert(const kernel_cap_t c)
143 : {
144 : kernel_cap_t dest;
145 : CAP_UOP_ALL(dest, c, ~);
146 : return dest;
147 : }
148 :
149 14983 : static inline bool cap_isclear(const kernel_cap_t a)
150 : {
151 14983 : unsigned __capi;
152 42071 : CAP_FOR_EACH_U32(__capi) {
153 28527 : if (a.cap[__capi] != 0)
154 : return false;
155 : }
156 : return true;
157 : }
158 :
159 : /*
160 : * Check if "a" is a subset of "set".
161 : * return true if ALL of the capabilities in "a" are also in "set"
162 : * cap_issubset(0101, 1111) will return true
163 : * return false if ANY of the capabilities in "a" are not in "set"
164 : * cap_issubset(1111, 0101) will return false
165 : */
166 14983 : static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
167 : {
168 14983 : kernel_cap_t dest;
169 14983 : dest = cap_drop(a, set);
170 14983 : return cap_isclear(dest);
171 : }
172 :
173 : /* Used to decide between falling back on the old suser() or fsuser(). */
174 :
175 0 : static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
176 : {
177 0 : const kernel_cap_t __cap_fs_set = CAP_FS_SET;
178 0 : return cap_drop(a, __cap_fs_set);
179 : }
180 :
181 0 : static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
182 : const kernel_cap_t permitted)
183 : {
184 0 : const kernel_cap_t __cap_fs_set = CAP_FS_SET;
185 0 : return cap_combine(a,
186 : cap_intersect(permitted, __cap_fs_set));
187 : }
188 :
189 : static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
190 : {
191 : const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
192 : return cap_drop(a, __cap_fs_set);
193 : }
194 :
195 : static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
196 : const kernel_cap_t permitted)
197 : {
198 : const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
199 : return cap_combine(a,
200 : cap_intersect(permitted, __cap_nfsd_set));
201 : }
202 :
203 : #ifdef CONFIG_MULTIUSER
204 : extern bool has_capability(struct task_struct *t, int cap);
205 : extern bool has_ns_capability(struct task_struct *t,
206 : struct user_namespace *ns, int cap);
207 : extern bool has_capability_noaudit(struct task_struct *t, int cap);
208 : extern bool has_ns_capability_noaudit(struct task_struct *t,
209 : struct user_namespace *ns, int cap);
210 : extern bool capable(int cap);
211 : extern bool ns_capable(struct user_namespace *ns, int cap);
212 : extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
213 : extern bool ns_capable_setid(struct user_namespace *ns, int cap);
214 : #else
215 : static inline bool has_capability(struct task_struct *t, int cap)
216 : {
217 : return true;
218 : }
219 : static inline bool has_ns_capability(struct task_struct *t,
220 : struct user_namespace *ns, int cap)
221 : {
222 : return true;
223 : }
224 : static inline bool has_capability_noaudit(struct task_struct *t, int cap)
225 : {
226 : return true;
227 : }
228 : static inline bool has_ns_capability_noaudit(struct task_struct *t,
229 : struct user_namespace *ns, int cap)
230 : {
231 : return true;
232 : }
233 : static inline bool capable(int cap)
234 : {
235 : return true;
236 : }
237 : static inline bool ns_capable(struct user_namespace *ns, int cap)
238 : {
239 : return true;
240 : }
241 : static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
242 : {
243 : return true;
244 : }
245 : static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
246 : {
247 : return true;
248 : }
249 : #endif /* CONFIG_MULTIUSER */
250 : bool privileged_wrt_inode_uidgid(struct user_namespace *ns,
251 : struct user_namespace *mnt_userns,
252 : const struct inode *inode);
253 : bool capable_wrt_inode_uidgid(struct user_namespace *mnt_userns,
254 : const struct inode *inode, int cap);
255 : extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
256 : extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
257 0 : static inline bool perfmon_capable(void)
258 : {
259 0 : return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
260 : }
261 :
262 0 : static inline bool bpf_capable(void)
263 : {
264 0 : return capable(CAP_BPF) || capable(CAP_SYS_ADMIN);
265 : }
266 :
267 0 : static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
268 : {
269 0 : return ns_capable(ns, CAP_CHECKPOINT_RESTORE) ||
270 0 : ns_capable(ns, CAP_SYS_ADMIN);
271 : }
272 :
273 : /* audit system wants to get cap info from files as well */
274 : int get_vfs_caps_from_disk(struct user_namespace *mnt_userns,
275 : const struct dentry *dentry,
276 : struct cpu_vfs_cap_data *cpu_caps);
277 :
278 : int cap_convert_nscap(struct user_namespace *mnt_userns, struct dentry *dentry,
279 : const void **ivalue, size_t size);
280 :
281 : #endif /* !_LINUX_CAPABILITY_H */
|
