Commit 5459c164 authored by Andrew G. Morgan's avatar Andrew G. Morgan Committed by Linus Torvalds

security: protect legacy applications from executing with insufficient privilege

When cap_bset suppresses some of the forced (fP) capabilities of a file,
it is generally only safe to execute the program if it understands how to
recognize it doesn't have enough privilege to work correctly.  For legacy
applications (fE!=0), which have no non-destructive way to determine that
they are missing privilege, we fail to execute (EPERM) any executable that
requires fP capabilities, but would otherwise get pP' < fP.  This is a
fail-safe permission check.

For some discussion of why it is problematic for (legacy) privileged
applications to run with less than the set of capabilities requested for
them, see:

 http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html

With this iteration of this support, we do not include setuid-0 based
privilege protection from the bounding set.  That is, the admin can still
(ab)use the bounding set to suppress the privileges of a setuid-0 program.

[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: cleanup]
Signed-off-by: default avatarAndrew G. Morgan <morgan@kernel.org>
Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 78ecba08
...@@ -38,7 +38,7 @@ struct linux_binprm{ ...@@ -38,7 +38,7 @@ struct linux_binprm{
misc_bang:1; misc_bang:1;
struct file * file; struct file * file;
int e_uid, e_gid; int e_uid, e_gid;
kernel_cap_t cap_inheritable, cap_permitted; kernel_cap_t cap_post_exec_permitted;
bool cap_effective; bool cap_effective;
void *security; void *security;
int argc, envc; int argc, envc;
......
...@@ -162,8 +162,7 @@ void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, ...@@ -162,8 +162,7 @@ void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
static inline void bprm_clear_caps(struct linux_binprm *bprm) static inline void bprm_clear_caps(struct linux_binprm *bprm)
{ {
cap_clear(bprm->cap_inheritable); cap_clear(bprm->cap_post_exec_permitted);
cap_clear(bprm->cap_permitted);
bprm->cap_effective = false; bprm->cap_effective = false;
} }
...@@ -198,6 +197,7 @@ static inline int cap_from_disk(struct vfs_cap_data *caps, ...@@ -198,6 +197,7 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
{ {
__u32 magic_etc; __u32 magic_etc;
unsigned tocopy, i; unsigned tocopy, i;
int ret;
if (size < sizeof(magic_etc)) if (size < sizeof(magic_etc))
return -EINVAL; return -EINVAL;
...@@ -225,19 +225,40 @@ static inline int cap_from_disk(struct vfs_cap_data *caps, ...@@ -225,19 +225,40 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
bprm->cap_effective = false; bprm->cap_effective = false;
} }
for (i = 0; i < tocopy; ++i) { ret = 0;
bprm->cap_permitted.cap[i] =
le32_to_cpu(caps->data[i].permitted); CAP_FOR_EACH_U32(i) {
bprm->cap_inheritable.cap[i] = __u32 value_cpu;
le32_to_cpu(caps->data[i].inheritable);
if (i >= tocopy) {
/*
* Legacy capability sets have no upper bits
*/
bprm->cap_post_exec_permitted.cap[i] = 0;
continue;
}
/*
* pP' = (X & fP) | (pI & fI)
*/
value_cpu = le32_to_cpu(caps->data[i].permitted);
bprm->cap_post_exec_permitted.cap[i] =
(current->cap_bset.cap[i] & value_cpu) |
(current->cap_inheritable.cap[i] &
le32_to_cpu(caps->data[i].inheritable));
if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
/*
* insufficient to execute correctly
*/
ret = -EPERM;
} }
while (i < VFS_CAP_U32) {
bprm->cap_permitted.cap[i] = 0;
bprm->cap_inheritable.cap[i] = 0;
i++;
} }
return 0; /*
* For legacy apps, with no internal support for recognizing they
* do not have enough capabilities, we return an error if they are
* missing some "forced" (aka file-permitted) capabilities.
*/
return bprm->cap_effective ? ret : 0;
} }
/* Locate any VFS capabilities: */ /* Locate any VFS capabilities: */
...@@ -269,7 +290,7 @@ static int get_file_caps(struct linux_binprm *bprm) ...@@ -269,7 +290,7 @@ static int get_file_caps(struct linux_binprm *bprm)
goto out; goto out;
rc = cap_from_disk(&vcaps, bprm, rc); rc = cap_from_disk(&vcaps, bprm, rc);
if (rc) if (rc == -EINVAL)
printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n", printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
__func__, rc, bprm->filename); __func__, rc, bprm->filename);
...@@ -304,25 +325,24 @@ int cap_bprm_set_security (struct linux_binprm *bprm) ...@@ -304,25 +325,24 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
int ret; int ret;
ret = get_file_caps(bprm); ret = get_file_caps(bprm);
if (ret)
printk(KERN_NOTICE "%s: get_file_caps returned %d for %s\n",
__func__, ret, bprm->filename);
/* To support inheritance of root-permissions and suid-root if (!issecure(SECURE_NOROOT)) {
* executables under compatibility mode, we raise all three /*
* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we override the
* capability sets for the file. * capability sets for the file.
* *
* If only the real uid is 0, we only raise the inheritable * If only the real uid is 0, we do not set the effective
* and permitted sets of the executable file. * bit.
*/ */
if (!issecure (SECURE_NOROOT)) {
if (bprm->e_uid == 0 || current->uid == 0) { if (bprm->e_uid == 0 || current->uid == 0) {
cap_set_full (bprm->cap_inheritable); /* pP' = (cap_bset & ~0) | (pI & ~0) */
cap_set_full (bprm->cap_permitted); bprm->cap_post_exec_permitted = cap_combine(
current->cap_bset, current->cap_inheritable
);
bprm->cap_effective = (bprm->e_uid == 0);
ret = 0;
} }
if (bprm->e_uid == 0)
bprm->cap_effective = true;
} }
return ret; return ret;
...@@ -330,17 +350,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm) ...@@ -330,17 +350,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
{ {
/* Derived from fs/exec.c:compute_creds. */
kernel_cap_t new_permitted, working;
new_permitted = cap_intersect(bprm->cap_permitted,
current->cap_bset);
working = cap_intersect(bprm->cap_inheritable,
current->cap_inheritable);
new_permitted = cap_combine(new_permitted, working);
if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
!cap_issubset (new_permitted, current->cap_permitted)) { !cap_issubset(bprm->cap_post_exec_permitted,
current->cap_permitted)) {
set_dumpable(current->mm, suid_dumpable); set_dumpable(current->mm, suid_dumpable);
current->pdeath_signal = 0; current->pdeath_signal = 0;
...@@ -350,8 +362,8 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) ...@@ -350,8 +362,8 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
bprm->e_gid = current->gid; bprm->e_gid = current->gid;
} }
if (cap_limit_ptraced_target()) { if (cap_limit_ptraced_target()) {
new_permitted = bprm->cap_post_exec_permitted = cap_intersect(
cap_intersect(new_permitted, bprm->cap_post_exec_permitted,
current->cap_permitted); current->cap_permitted);
} }
} }
...@@ -364,9 +376,9 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) ...@@ -364,9 +376,9 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
* in the init_task struct. Thus we skip the usual * in the init_task struct. Thus we skip the usual
* capability rules */ * capability rules */
if (!is_global_init(current)) { if (!is_global_init(current)) {
current->cap_permitted = new_permitted; current->cap_permitted = bprm->cap_post_exec_permitted;
if (bprm->cap_effective) if (bprm->cap_effective)
current->cap_effective = new_permitted; current->cap_effective = bprm->cap_post_exec_permitted;
else else
cap_clear(current->cap_effective); cap_clear(current->cap_effective);
} }
...@@ -381,9 +393,7 @@ int cap_bprm_secureexec (struct linux_binprm *bprm) ...@@ -381,9 +393,7 @@ int cap_bprm_secureexec (struct linux_binprm *bprm)
if (current->uid != 0) { if (current->uid != 0) {
if (bprm->cap_effective) if (bprm->cap_effective)
return 1; return 1;
if (!cap_isclear(bprm->cap_permitted)) if (!cap_isclear(bprm->cap_post_exec_permitted))
return 1;
if (!cap_isclear(bprm->cap_inheritable))
return 1; return 1;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment