commoncap.c 17.6 KB
Newer Older
1
/* Common capabilities, needed by capability.o and root_plug.o
L
Linus Torvalds 已提交
2 3 4 5 6 7 8 9
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation; either version 2 of the License, or
 *	(at your option) any later version.
 *
 */

10
#include <linux/capability.h>
L
Linus Torvalds 已提交
11 12 13 14 15 16 17 18 19 20 21 22 23 24
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/security.h>
#include <linux/file.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/pagemap.h>
#include <linux/swap.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/ptrace.h>
#include <linux/xattr.h>
#include <linux/hugetlb.h>
25
#include <linux/mount.h>
26
#include <linux/sched.h>
27 28
#include <linux/prctl.h>
#include <linux/securebits.h>
29

L
Linus Torvalds 已提交
30 31 32 33 34 35
int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	NETLINK_CB(skb).eff_cap = current->cap_effective;
	return 0;
}

36
int cap_netlink_recv(struct sk_buff *skb, int cap)
L
Linus Torvalds 已提交
37
{
38
	if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
L
Linus Torvalds 已提交
39 40 41 42 43 44
		return -EPERM;
	return 0;
}

EXPORT_SYMBOL(cap_netlink_recv);

45 46 47 48 49 50
/*
 * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
 * function.  That is, it has the reverse semantics: cap_capable()
 * returns 0 when a task has a capability, but the kernel's capable()
 * returns 1 for this case.
 */
L
Linus Torvalds 已提交
51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
int cap_capable (struct task_struct *tsk, int cap)
{
	/* Derived from include/linux/sched.h:capable. */
	if (cap_raised(tsk->cap_effective, cap))
		return 0;
	return -EPERM;
}

int cap_settime(struct timespec *ts, struct timezone *tz)
{
	if (!capable(CAP_SYS_TIME))
		return -EPERM;
	return 0;
}

66
int cap_ptrace_may_access(struct task_struct *child, unsigned int mode)
L
Linus Torvalds 已提交
67 68
{
	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
	if (cap_issubset(child->cap_permitted, current->cap_permitted))
		return 0;
	if (capable(CAP_SYS_PTRACE))
		return 0;
	return -EPERM;
}

int cap_ptrace_traceme(struct task_struct *parent)
{
	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
	if (cap_issubset(current->cap_permitted, parent->cap_permitted))
		return 0;
	if (has_capability(parent, CAP_SYS_PTRACE))
		return 0;
	return -EPERM;
L
Linus Torvalds 已提交
84 85 86 87 88 89
}

int cap_capget (struct task_struct *target, kernel_cap_t *effective,
		kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	/* Derived from kernel/capability.c:sys_capget. */
90 91 92
	*effective = target->cap_effective;
	*inheritable = target->cap_inheritable;
	*permitted = target->cap_permitted;
L
Linus Torvalds 已提交
93 94 95
	return 0;
}

96 97 98 99 100 101 102 103 104 105 106 107 108 109
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES

static inline int cap_block_setpcap(struct task_struct *target)
{
	/*
	 * No support for remote process capability manipulation with
	 * filesystem capability support.
	 */
	return (target != current);
}

static inline int cap_inh_is_capped(void)
{
	/*
110 111 112
	 * Return 1 if changes to the inheritable set are limited
	 * to the old permitted set. That is, if the current task
	 * does *not* possess the CAP_SETPCAP capability.
113
	 */
114
	return (cap_capable(current, CAP_SETPCAP) != 0);
115 116
}

117 118
static inline int cap_limit_ptraced_target(void) { return 1; }

119 120 121 122
#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */

static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
static inline int cap_inh_is_capped(void) { return 1; }
123 124 125 126
static inline int cap_limit_ptraced_target(void)
{
	return !capable(CAP_SETPCAP);
}
127 128 129

#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */

L
Linus Torvalds 已提交
130 131 132
int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
		      kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
133 134 135 136 137 138 139 140
	if (cap_block_setpcap(target)) {
		return -EPERM;
	}
	if (cap_inh_is_capped()
	    && !cap_issubset(*inheritable,
			     cap_combine(target->cap_inheritable,
					 current->cap_permitted))) {
		/* incapable of using this inheritable set */
L
Linus Torvalds 已提交
141 142
		return -EPERM;
	}
143 144 145 146 147 148
	if (!cap_issubset(*inheritable,
			   cap_combine(target->cap_inheritable,
				       current->cap_bset))) {
		/* no new pI capabilities outside bounding set */
		return -EPERM;
	}
L
Linus Torvalds 已提交
149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172

	/* verify restrictions on target's new Permitted set */
	if (!cap_issubset (*permitted,
			   cap_combine (target->cap_permitted,
					current->cap_permitted))) {
		return -EPERM;
	}

	/* verify the _new_Effective_ is a subset of the _new_Permitted_ */
	if (!cap_issubset (*effective, *permitted)) {
		return -EPERM;
	}

	return 0;
}

void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
		     kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	target->cap_effective = *effective;
	target->cap_inheritable = *inheritable;
	target->cap_permitted = *permitted;
}

173 174
static inline void bprm_clear_caps(struct linux_binprm *bprm)
{
175
	cap_clear(bprm->cap_post_exec_permitted);
176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204
	bprm->cap_effective = false;
}

#ifdef CONFIG_SECURITY_FILE_CAPABILITIES

int cap_inode_need_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;
	int error;

	if (!inode->i_op || !inode->i_op->getxattr)
	       return 0;

	error = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
	if (error <= 0)
		return 0;
	return 1;
}

int cap_inode_killpriv(struct dentry *dentry)
{
	struct inode *inode = dentry->d_inode;

	if (!inode->i_op || !inode->i_op->removexattr)
	       return 0;

	return inode->i_op->removexattr(dentry, XATTR_NAME_CAPS);
}

205 206
static inline int cap_from_disk(struct vfs_cap_data *caps,
				struct linux_binprm *bprm, unsigned size)
207 208
{
	__u32 magic_etc;
209
	unsigned tocopy, i;
210
	int ret;
211

212
	if (size < sizeof(magic_etc))
213 214
		return -EINVAL;

215
	magic_etc = le32_to_cpu(caps->magic_etc);
216 217

	switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
218 219 220 221 222 223 224 225 226 227
	case VFS_CAP_REVISION_1:
		if (size != XATTR_CAPS_SZ_1)
			return -EINVAL;
		tocopy = VFS_CAP_U32_1;
		break;
	case VFS_CAP_REVISION_2:
		if (size != XATTR_CAPS_SZ_2)
			return -EINVAL;
		tocopy = VFS_CAP_U32_2;
		break;
228 229 230
	default:
		return -EINVAL;
	}
231 232 233 234 235 236 237

	if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
		bprm->cap_effective = true;
	} else {
		bprm->cap_effective = false;
	}

238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263
	ret = 0;

	CAP_FOR_EACH_U32(i) {
		__u32 value_cpu;

		if (i >= tocopy) {
			/*
			 * Legacy capability sets have no upper bits
			 */
			bprm->cap_post_exec_permitted.cap[i] = 0;
			continue;
		}
		/*
		 * pP' = (X & fP) | (pI & fI)
		 */
		value_cpu = le32_to_cpu(caps->data[i].permitted);
		bprm->cap_post_exec_permitted.cap[i] =
			(current->cap_bset.cap[i] & value_cpu) |
			(current->cap_inheritable.cap[i] &
				le32_to_cpu(caps->data[i].inheritable));
		if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
			/*
			 * insufficient to execute correctly
			 */
			ret = -EPERM;
		}
264 265
	}

266 267 268 269 270 271
	/*
	 * For legacy apps, with no internal support for recognizing they
	 * do not have enough capabilities, we return an error if they are
	 * missing some "forced" (aka file-permitted) capabilities.
	 */
	return bprm->cap_effective ? ret : 0;
272 273 274 275 276 277 278
}

/* Locate any VFS capabilities: */
static int get_file_caps(struct linux_binprm *bprm)
{
	struct dentry *dentry;
	int rc = 0;
279
	struct vfs_cap_data vcaps;
280 281 282 283 284 285 286 287 288 289 290 291
	struct inode *inode;

	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
		bprm_clear_caps(bprm);
		return 0;
	}

	dentry = dget(bprm->file->f_dentry);
	inode = dentry->d_inode;
	if (!inode->i_op || !inode->i_op->getxattr)
		goto out;

292 293
	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
				   XATTR_CAPS_SZ);
294 295 296 297 298 299 300 301
	if (rc == -ENODATA || rc == -EOPNOTSUPP) {
		/* no data, that's ok */
		rc = 0;
		goto out;
	}
	if (rc < 0)
		goto out;

302
	rc = cap_from_disk(&vcaps, bprm, rc);
303
	if (rc == -EINVAL)
304
		printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
305
		       __func__, rc, bprm->filename);
306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332

out:
	dput(dentry);
	if (rc)
		bprm_clear_caps(bprm);

	return rc;
}

#else
int cap_inode_need_killpriv(struct dentry *dentry)
{
	return 0;
}

int cap_inode_killpriv(struct dentry *dentry)
{
	return 0;
}

static inline int get_file_caps(struct linux_binprm *bprm)
{
	bprm_clear_caps(bprm);
	return 0;
}
#endif

L
Linus Torvalds 已提交
333 334
int cap_bprm_set_security (struct linux_binprm *bprm)
{
335
	int ret;
L
Linus Torvalds 已提交
336

337
	ret = get_file_caps(bprm);
L
Linus Torvalds 已提交
338

339 340 341 342 343 344 345 346 347
	if (!issecure(SECURE_NOROOT)) {
		/*
		 * To support inheritance of root-permissions and suid-root
		 * executables under compatibility mode, we override the
		 * capability sets for the file.
		 *
		 * If only the real uid is 0, we do not set the effective
		 * bit.
		 */
L
Linus Torvalds 已提交
348
		if (bprm->e_uid == 0 || current->uid == 0) {
349 350 351 352 353 354
			/* pP' = (cap_bset & ~0) | (pI & ~0) */
			bprm->cap_post_exec_permitted = cap_combine(
				current->cap_bset, current->cap_inheritable
				);
			bprm->cap_effective = (bprm->e_uid == 0);
			ret = 0;
L
Linus Torvalds 已提交
355 356
		}
	}
357 358

	return ret;
L
Linus Torvalds 已提交
359 360 361 362 363
}

void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
{
	if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
364 365
	    !cap_issubset(bprm->cap_post_exec_permitted,
			  current->cap_permitted)) {
366
		set_dumpable(current->mm, suid_dumpable);
367
		current->pdeath_signal = 0;
L
Linus Torvalds 已提交
368 369 370 371 372 373

		if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
			if (!capable(CAP_SETUID)) {
				bprm->e_uid = current->uid;
				bprm->e_gid = current->gid;
			}
374
			if (cap_limit_ptraced_target()) {
375 376 377
				bprm->cap_post_exec_permitted = cap_intersect(
					bprm->cap_post_exec_permitted,
					current->cap_permitted);
L
Linus Torvalds 已提交
378 379 380 381 382 383 384 385 386 387
			}
		}
	}

	current->suid = current->euid = current->fsuid = bprm->e_uid;
	current->sgid = current->egid = current->fsgid = bprm->e_gid;

	/* For init, we want to retain the capabilities set
	 * in the init_task struct. Thus we skip the usual
	 * capability rules */
388
	if (!is_global_init(current)) {
389
		current->cap_permitted = bprm->cap_post_exec_permitted;
390
		if (bprm->cap_effective)
391
			current->cap_effective = bprm->cap_post_exec_permitted;
392 393
		else
			cap_clear(current->cap_effective);
L
Linus Torvalds 已提交
394 395 396 397
	}

	/* AUD: Audit candidate if current->cap_effective is set */

398
	current->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
L
Linus Torvalds 已提交
399 400 401 402
}

int cap_bprm_secureexec (struct linux_binprm *bprm)
{
403 404 405
	if (current->uid != 0) {
		if (bprm->cap_effective)
			return 1;
406
		if (!cap_isclear(bprm->cap_post_exec_permitted))
407 408 409
			return 1;
	}

L
Linus Torvalds 已提交
410 411 412 413
	return (current->euid != current->uid ||
		current->egid != current->gid);
}

414 415
int cap_inode_setxattr(struct dentry *dentry, const char *name,
		       const void *value, size_t size, int flags)
L
Linus Torvalds 已提交
416
{
417 418 419 420 421
	if (!strcmp(name, XATTR_NAME_CAPS)) {
		if (!capable(CAP_SETFCAP))
			return -EPERM;
		return 0;
	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
L
Linus Torvalds 已提交
422 423 424 425 426 427
		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

428
int cap_inode_removexattr(struct dentry *dentry, const char *name)
L
Linus Torvalds 已提交
429
{
430 431 432 433 434
	if (!strcmp(name, XATTR_NAME_CAPS)) {
		if (!capable(CAP_SETFCAP))
			return -EPERM;
		return 0;
	} else if (!strncmp(name, XATTR_SECURITY_PREFIX,
L
Linus Torvalds 已提交
435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475
		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

/* moved from kernel/sys.c. */
/* 
 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
 * a process after a call to setuid, setreuid, or setresuid.
 *
 *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
 *  {r,e,s}uid != 0, the permitted and effective capabilities are
 *  cleared.
 *
 *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
 *  capabilities of the process are cleared.
 *
 *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
 *  capabilities are set to the permitted capabilities.
 *
 *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should 
 *  never happen.
 *
 *  -astor 
 *
 * cevans - New behaviour, Oct '99
 * A process may, via prctl(), elect to keep its capabilities when it
 * calls setuid() and switches away from uid==0. Both permitted and
 * effective sets will be retained.
 * Without this change, it was impossible for a daemon to drop only some
 * of its privilege. The call to setuid(!=0) would drop all privileges!
 * Keeping uid 0 is not an option because uid 0 owns too many vital
 * files..
 * Thanks to Olaf Kirch and Peter Benie for spotting this.
 */
static inline void cap_emulate_setxuid (int old_ruid, int old_euid,
					int old_suid)
{
	if ((old_ruid == 0 || old_euid == 0 || old_suid == 0) &&
	    (current->uid != 0 && current->euid != 0 && current->suid != 0) &&
476
	    !issecure(SECURE_KEEP_CAPS)) {
L
Linus Torvalds 已提交
477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512
		cap_clear (current->cap_permitted);
		cap_clear (current->cap_effective);
	}
	if (old_euid == 0 && current->euid != 0) {
		cap_clear (current->cap_effective);
	}
	if (old_euid != 0 && current->euid == 0) {
		current->cap_effective = current->cap_permitted;
	}
}

int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
			  int flags)
{
	switch (flags) {
	case LSM_SETID_RE:
	case LSM_SETID_ID:
	case LSM_SETID_RES:
		/* Copied from kernel/sys.c:setreuid/setuid/setresuid. */
		if (!issecure (SECURE_NO_SETUID_FIXUP)) {
			cap_emulate_setxuid (old_ruid, old_euid, old_suid);
		}
		break;
	case LSM_SETID_FS:
		{
			uid_t old_fsuid = old_ruid;

			/* Copied from kernel/sys.c:setfsuid. */

			/*
			 * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
			 *          if not, we might be a bit too harsh here.
			 */

			if (!issecure (SECURE_NO_SETUID_FIXUP)) {
				if (old_fsuid == 0 && current->fsuid != 0) {
513 514 515
					current->cap_effective =
						cap_drop_fs_set(
						    current->cap_effective);
L
Linus Torvalds 已提交
516 517
				}
				if (old_fsuid != 0 && current->fsuid == 0) {
518 519 520 521
					current->cap_effective =
						cap_raise_fs_set(
						    current->cap_effective,
						    current->cap_permitted);
L
Linus Torvalds 已提交
522 523 524 525 526 527 528 529 530 531 532
				}
			}
			break;
		}
	default:
		return -EINVAL;
	}

	return 0;
}

533 534 535 536 537 538 539 540 541 542 543
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
/*
 * Rationale: code calling task_setscheduler, task_setioprio, and
 * task_setnice, assumes that
 *   . if capable(cap_sys_nice), then those actions should be allowed
 *   . if not capable(cap_sys_nice), but acting on your own processes,
 *   	then those actions should be allowed
 * This is insufficient now since you can call code without suid, but
 * yet with increased caps.
 * So we check for increased caps on the target process.
 */
544
static int cap_safe_nice(struct task_struct *p)
545 546
{
	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
547
	    !capable(CAP_SYS_NICE))
548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567
		return -EPERM;
	return 0;
}

int cap_task_setscheduler (struct task_struct *p, int policy,
			   struct sched_param *lp)
{
	return cap_safe_nice(p);
}

int cap_task_setioprio (struct task_struct *p, int ioprio)
{
	return cap_safe_nice(p);
}

int cap_task_setnice (struct task_struct *p, int nice)
{
	return cap_safe_nice(p);
}

568 569 570 571 572 573 574
/*
 * called from kernel/sys.c for prctl(PR_CABSET_DROP)
 * done without task_capability_lock() because it introduces
 * no new races - i.e. only another task doing capget() on
 * this task could get inconsistent info.  There can be no
 * racing writer bc a task can only change its own caps.
 */
575
static long cap_prctl_drop(unsigned long cap)
576 577 578 579 580 581 582 583
{
	if (!capable(CAP_SETPCAP))
		return -EPERM;
	if (!cap_valid(cap))
		return -EINVAL;
	cap_lower(current->cap_bset, cap);
	return 0;
}
584

585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600
#else
int cap_task_setscheduler (struct task_struct *p, int policy,
			   struct sched_param *lp)
{
	return 0;
}
int cap_task_setioprio (struct task_struct *p, int ioprio)
{
	return 0;
}
int cap_task_setnice (struct task_struct *p, int nice)
{
	return 0;
}
#endif

601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687
int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
		   unsigned long arg4, unsigned long arg5, long *rc_p)
{
	long error = 0;

	switch (option) {
	case PR_CAPBSET_READ:
		if (!cap_valid(arg2))
			error = -EINVAL;
		else
			error = !!cap_raised(current->cap_bset, arg2);
		break;
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
	case PR_CAPBSET_DROP:
		error = cap_prctl_drop(arg2);
		break;

	/*
	 * The next four prctl's remain to assist with transitioning a
	 * system from legacy UID=0 based privilege (when filesystem
	 * capabilities are not in use) to a system using filesystem
	 * capabilities only - as the POSIX.1e draft intended.
	 *
	 * Note:
	 *
	 *  PR_SET_SECUREBITS =
	 *      issecure_mask(SECURE_KEEP_CAPS_LOCKED)
	 *    | issecure_mask(SECURE_NOROOT)
	 *    | issecure_mask(SECURE_NOROOT_LOCKED)
	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP)
	 *    | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
	 *
	 * will ensure that the current process and all of its
	 * children will be locked into a pure
	 * capability-based-privilege environment.
	 */
	case PR_SET_SECUREBITS:
		if ((((current->securebits & SECURE_ALL_LOCKS) >> 1)
		     & (current->securebits ^ arg2))                  /*[1]*/
		    || ((current->securebits & SECURE_ALL_LOCKS
			 & ~arg2))                                    /*[2]*/
		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
		    || (cap_capable(current, CAP_SETPCAP) != 0)) {    /*[4]*/
			/*
			 * [1] no changing of bits that are locked
			 * [2] no unlocking of locks
			 * [3] no setting of unsupported bits
			 * [4] doing anything requires privilege (go read about
			 *     the "sendmail capabilities bug")
			 */
			error = -EPERM;  /* cannot change a locked bit */
		} else {
			current->securebits = arg2;
		}
		break;
	case PR_GET_SECUREBITS:
		error = current->securebits;
		break;

#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */

	case PR_GET_KEEPCAPS:
		if (issecure(SECURE_KEEP_CAPS))
			error = 1;
		break;
	case PR_SET_KEEPCAPS:
		if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
			error = -EINVAL;
		else if (issecure(SECURE_KEEP_CAPS_LOCKED))
			error = -EPERM;
		else if (arg2)
			current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
		else
			current->securebits &=
				~issecure_mask(SECURE_KEEP_CAPS);
		break;

	default:
		/* No functionality available - continue with default */
		return 0;
	}

	/* Functionality provided */
	*rc_p = error;
	return 1;
}

L
Linus Torvalds 已提交
688 689
void cap_task_reparent_to_init (struct task_struct *p)
{
690 691 692
	cap_set_init_eff(p->cap_effective);
	cap_clear(p->cap_inheritable);
	cap_set_full(p->cap_permitted);
693
	p->securebits = SECUREBITS_DEFAULT;
L
Linus Torvalds 已提交
694 695 696 697 698 699 700 701 702 703
	return;
}

int cap_syslog (int type)
{
	if ((type != 3 && type != 10) && !capable(CAP_SYS_ADMIN))
		return -EPERM;
	return 0;
}

704
int cap_vm_enough_memory(struct mm_struct *mm, long pages)
L
Linus Torvalds 已提交
705 706 707 708 709
{
	int cap_sys_admin = 0;

	if (cap_capable(current, CAP_SYS_ADMIN) == 0)
		cap_sys_admin = 1;
710
	return __vm_enough_memory(mm, pages, cap_sys_admin);
L
Linus Torvalds 已提交
711 712
}