Lines Matching refs:new

232  * @new: The proposed new credentials; alterations should be made here
234 * @effective: A pointer to the proposed new effective capabilities set
235 * @inheritable: A pointer to the proposed new inheritable capabilities set
236 * @permitted: A pointer to the proposed new permitted capabilities set
239 * process's capability sets. The changes are made to the proposed new
242 int cap_capset(struct cred *new,
258 /* no new pI capabilities outside bounding set */
261 /* verify restrictions on target's new Permitted set */
269 new->cap_effective = *effective;
270 new->cap_inheritable = *inheritable;
271 new->cap_permitted = *permitted;
277 new->cap_ambient = cap_intersect(new->cap_ambient,
280 if (WARN_ON(!cap_ambient_invariant_ok(new)))
527 * Return: On success, return the new size; on error, return < 0.
583 * Calculate the new process capability sets from the capability sets attached
591 struct cred *new = bprm->cred;
604 new->cap_permitted.val =
605 (new->cap_bset.val & caps->permitted.val) |
606 (new->cap_inheritable.val & caps->inheritable.val);
608 if (caps->permitted.val & ~new->cap_permitted.val)
792 struct cred *new = bprm->cred;
801 if (has_fcap && __is_suid(root_uid, new)) {
810 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
812 new->cap_permitted = cap_combine(old->cap_bset,
818 if (__is_eff(root_uid, new))
/*
 * __is_setuid - report whether the proposed effective UID differs from the
 * old real UID.
 * @new: the proposed credentials (only new->euid is read)
 * @old: the credentials being replaced (only old->uid is read)
 *
 * Returns true when new->euid and old->uid are not equal under uid_eq().
 * The comparison is against the old *real* UID, not the old effective UID.
 */
829 static inline bool __is_setuid(struct cred *new, const struct cred *old)
830 { return !uid_eq(new->euid, old->uid); }
/*
 * __is_setgid - report whether the proposed effective GID differs from the
 * old real GID.
 * @new: the proposed credentials (only new->egid is read)
 * @old: the credentials being replaced (only old->gid is read)
 *
 * Returns true when new->egid and old->gid are not equal under gid_eq().
 * The comparison is against the old *real* GID, not the old effective GID.
 */
832 static inline bool __is_setgid(struct cred *new, const struct cred *old)
833 { return !gid_eq(new->egid, old->gid); }
852 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
857 if ((__cap_grew(effective, ambient, new) &&
858 !(__cap_full(effective, new) &&
859 (__is_eff(root, new) || __is_real(root, new)) &&
862 __is_suid(root, new) &&
863 !__cap_full(effective, new)) ||
864 (!__is_setuid(new, old) &&
866 __cap_gained(permitted, new, old)) ||
867 __cap_gained(ambient, new, old))))
879 * Set up the proposed credentials for a new execution context being
889 struct cred *new = bprm->cred;
901 root_uid = make_kuid(new->user_ns, 0);
906 if (__cap_gained(permitted, new, old))
912 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
914 is_setid = __is_setuid(new, old) || __is_setgid(new, old);
916 if ((is_setid || __cap_gained(permitted, new, old)) &&
918 !ptracer_capable(current, new->user_ns))) {
920 if (!ns_capable(new->user_ns, CAP_SETUID) ||
922 new->euid = new->uid;
923 new->egid = new->gid;
925 new->cap_permitted = cap_intersect(new->cap_permitted,
929 new->suid = new->fsuid = new->euid;
930 new->sgid = new->fsgid = new->egid;
934 cap_clear(new->cap_ambient);
940 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
947 new->cap_effective = new->cap_permitted;
949 new->cap_effective = new->cap_ambient;
951 if (WARN_ON(!cap_ambient_invariant_ok(new)))
954 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
955 ret = audit_log_bprm_fcaps(bprm, new, old);
960 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
962 if (WARN_ON(!cap_ambient_invariant_ok(new)))
967 (!__is_real(root_uid, new) &&
969 __cap_grew(permitted, ambient, new))))
1084 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
1091 (!uid_eq(new->uid, root_uid) &&
1092 !uid_eq(new->euid, root_uid) &&
1093 !uid_eq(new->suid, root_uid))) {
1095 cap_clear(new->cap_permitted);
1096 cap_clear(new->cap_effective);
1104 cap_clear(new->cap_ambient);
1106 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
1107 cap_clear(new->cap_effective);
1108 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
1109 new->cap_effective = new->cap_permitted;
1114 * @new: The proposed credentials
1123 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
1132 cap_emulate_setxuid(new, old);
1144 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
1145 new->cap_effective =
1146 cap_drop_fs_set(new->cap_effective);
1148 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
1149 new->cap_effective =
1150 cap_raise_fs_set(new->cap_effective,
1151 new->cap_permitted);
1236 struct cred *new;
1243 new = prepare_creds();
1244 if (!new)
1246 cap_lower(new->cap_bset, cap);
1247 return commit_creds(new);
1269 struct cred *new;
1319 new = prepare_creds();
1320 if (!new)
1322 new->securebits = arg2;
1323 return commit_creds(new);
1337 new = prepare_creds();
1338 if (!new)
1341 new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
1343 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
1344 return commit_creds(new);
1351 new = prepare_creds();
1352 if (!new)
1354 cap_clear(new->cap_ambient);
1355 return commit_creds(new);
1374 new = prepare_creds();
1375 if (!new)
1378 cap_raise(new->cap_ambient, arg3);
1380 cap_lower(new->cap_ambient, arg3);
1381 return commit_creds(new);
1391 * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
1392 * @mm: The VM space in which the new mapping is to be made
1395 * Determine whether the allocation of a new virtual mapping by the current