LCOV - code coverage report
Current view: top level - security - commoncap.c (source / functions) Hit Total Coverage
Test: combined.info Lines: 233 456 51.1 %
Date: 2022-03-28 13:20:08 Functions: 25 30 83.3 %
Branches: 141 459 30.7 %

           Branch data     Line data    Source code
       1                 :            : // SPDX-License-Identifier: GPL-2.0-or-later
       2                 :            : /* Common capabilities, needed by capability.o.
       3                 :            :  */
       4                 :            : 
       5                 :            : #include <linux/capability.h>
       6                 :            : #include <linux/audit.h>
       7                 :            : #include <linux/init.h>
       8                 :            : #include <linux/kernel.h>
       9                 :            : #include <linux/lsm_hooks.h>
      10                 :            : #include <linux/file.h>
      11                 :            : #include <linux/mm.h>
      12                 :            : #include <linux/mman.h>
      13                 :            : #include <linux/pagemap.h>
      14                 :            : #include <linux/swap.h>
      15                 :            : #include <linux/skbuff.h>
      16                 :            : #include <linux/netlink.h>
      17                 :            : #include <linux/ptrace.h>
      18                 :            : #include <linux/xattr.h>
      19                 :            : #include <linux/hugetlb.h>
      20                 :            : #include <linux/mount.h>
      21                 :            : #include <linux/sched.h>
      22                 :            : #include <linux/prctl.h>
      23                 :            : #include <linux/securebits.h>
      24                 :            : #include <linux/user_namespace.h>
      25                 :            : #include <linux/binfmts.h>
      26                 :            : #include <linux/personality.h>
      27                 :            : 
      28                 :            : /*
      29                 :            :  * If a non-root user executes a setuid-root binary in
      30                 :            :  * !secure(SECURE_NOROOT) mode, then we raise capabilities.
      31                 :            :  * However if fE is also set, then the intent is for only
      32                 :            :  * the file capabilities to be applied, and the setuid-root
      33                 :            :  * bit is left on either to change the uid (plausible) or
      34                 :            :  * to get full privilege on a kernel without file capabilities
      35                 :            :  * support.  So in that case we do not raise capabilities.
      36                 :            :  *
      37                 :            :  * Warn if that happens, once per boot.
      38                 :            :  */
      39                 :          0 : static void warn_setuid_and_fcaps_mixed(const char *fname)
      40                 :            : {
      41                 :          0 :         static int warned;
      42                 :          0 :         if (!warned) {
      43                 :          0 :                 printk(KERN_INFO "warning: `%s' has both setuid-root and"
      44                 :            :                         " effective capabilities. Therefore not raising all"
      45                 :            :                         " capabilities.\n", fname);
      46                 :          0 :                 warned = 1;
      47                 :            :         }
      48                 :            : }
      49                 :            : 
      50                 :            : /**
      51                 :            :  * cap_capable - Determine whether a task has a particular effective capability
      52                 :            :  * @cred: The credentials to use
      53                 :            :  * @ns:  The user namespace in which we need the capability
      54                 :            :  * @cap: The capability to check for
      55                 :            :  * @opts: Bitmask of options defined in include/linux/security.h
      56                 :            :  *
      57                 :            :  * Determine whether the nominated task has the specified capability amongst
      58                 :            :  * its effective set, returning 0 if it does, -ve if it does not.
      59                 :            :  *
      60                 :            :  * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
      61                 :            :  * and has_capability() functions.  That is, it has the reverse semantics:
      62                 :            :  * cap_has_capability() returns 0 when a task has a capability, but the
      63                 :            :  * kernel's capable() and has_capability() returns 1 for this case.
      64                 :            :  */
      65                 :    1538954 : int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
      66                 :            :                 int cap, unsigned int opts)
      67                 :            : {
      68                 :      74622 :         struct user_namespace *ns = targ_ns;
      69                 :            : 
      70                 :            :         /* See if cred has the capability in the target user namespace
      71                 :            :          * by examining the target user namespace and all of the target
      72                 :            :          * user namespace's parents.
      73                 :            :          */
      74                 :    1613606 :         for (;;) {
      75                 :            :                 /* Do we have the necessary capabilities? */
      76   [ -  -  +  -  :    1613606 :                 if (ns == cred->user_ns)
          +  -  +  -  +  
                      - ]
      77   [ -  -  +  +  :    1613606 :                         return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
          +  -  +  -  +  
                      + ]
      78                 :            : 
      79                 :            :                 /*
      80                 :            :                  * If we're already at a lower level than we're looking for,
      81                 :            :                  * we're done searching.
      82                 :            :                  */
      83   [ #  #  #  #  :          0 :                 if (ns->level <= cred->user_ns->level)
          #  #  #  #  #  
                      # ]
      84                 :            :                         return -EPERM;
      85                 :            : 
      86                 :            :                 /* 
      87                 :            :                  * The owner of the user namespace in the parent of the
      88                 :            :                  * user namespace has all caps.
      89                 :            :                  */
      90   [ #  #  #  #  :          0 :                 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
          #  #  #  #  #  
          #  #  #  #  #  
          #  #  #  #  #  
                      # ]
      91                 :            :                         return 0;
      92                 :            : 
      93                 :            :                 /*
      94                 :            :                  * If you have a capability in a parent user ns, then you have
      95                 :            :                  * it over all children user namespaces as well.
      96                 :            :                  */
      97                 :            :                 ns = ns->parent;
      98                 :            :         }
      99                 :            : 
     100                 :            :         /* We never get here */
     101                 :            : }
     102                 :            : 
     103                 :            : /**
     104                 :            :  * cap_settime - Determine whether the current process may set the system clock
     105                 :            :  * @ts: The time to set
     106                 :            :  * @tz: The timezone to set
     107                 :            :  *
     108                 :            :  * Determine whether the current process may set the system clock and timezone
     109                 :            :  * information, returning 0 if permission granted, -ve if denied.
     110                 :            :  */
     111                 :         30 : int cap_settime(const struct timespec64 *ts, const struct timezone *tz)
     112                 :            : {
     113         [ -  + ]:         30 :         if (!capable(CAP_SYS_TIME))
     114                 :          0 :                 return -EPERM;
     115                 :            :         return 0;
     116                 :            : }
     117                 :            : 
     118                 :            : /**
     119                 :            :  * cap_ptrace_access_check - Determine whether the current process may access
     120                 :            :  *                         another
     121                 :            :  * @child: The process to be accessed
     122                 :            :  * @mode: The mode of attachment.
     123                 :            :  *
     124                 :            :  * If we are in the same or an ancestor user_ns and have all the target
     125                 :            :  * task's capabilities, then ptrace access is allowed.
     126                 :            :  * If we have the ptrace capability to the target user_ns, then ptrace
     127                 :            :  * access is allowed.
     128                 :            :  * Else denied.
     129                 :            :  *
     130                 :            :  * Determine whether a process may access another, returning 0 if permission
     131                 :            :  * granted, -ve if denied.
     132                 :            :  */
     133                 :       3327 : int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
     134                 :            : {
     135                 :       3327 :         int ret = 0;
     136                 :       3327 :         const struct cred *cred, *child_cred;
     137                 :       3327 :         const kernel_cap_t *caller_caps;
     138                 :            : 
     139                 :       3327 :         rcu_read_lock();
     140         [ +  - ]:       3327 :         cred = current_cred();
     141         [ +  - ]:       3327 :         child_cred = __task_cred(child);
     142         [ +  - ]:       3327 :         if (mode & PTRACE_MODE_FSCREDS)
     143                 :       3327 :                 caller_caps = &cred->cap_effective;
     144                 :            :         else
     145                 :          0 :                 caller_caps = &cred->cap_permitted;
     146   [ +  -  +  + ]:       6654 :         if (cred->user_ns == child_cred->user_ns &&
     147                 :       3327 :             cap_issubset(child_cred->cap_permitted, *caller_caps))
     148                 :       2955 :                 goto out;
     149         [ +  - ]:        372 :         if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
     150                 :        372 :                 goto out;
     151                 :            :         ret = -EPERM;
     152                 :       3327 : out:
     153                 :       3327 :         rcu_read_unlock();
     154                 :       3327 :         return ret;
     155                 :            : }
     156                 :            : 
     157                 :            : /**
     158                 :            :  * cap_ptrace_traceme - Determine whether another process may trace the current
     159                 :            :  * @parent: The task proposed to be the tracer
     160                 :            :  *
     161                 :            :  * If parent is in the same or an ancestor user_ns and has all current's
     162                 :            :  * capabilities, then ptrace access is allowed.
     163                 :            :  * If parent has the ptrace capability to current's user_ns, then ptrace
     164                 :            :  * access is allowed.
     165                 :            :  * Else denied.
     166                 :            :  *
     167                 :            :  * Determine whether the nominated task is permitted to trace the current
     168                 :            :  * process, returning 0 if permission is granted, -ve if denied.
     169                 :            :  */
     170                 :          0 : int cap_ptrace_traceme(struct task_struct *parent)
     171                 :            : {
     172                 :          0 :         int ret = 0;
     173                 :          0 :         const struct cred *cred, *child_cred;
     174                 :            : 
     175                 :          0 :         rcu_read_lock();
     176         [ #  # ]:          0 :         cred = __task_cred(parent);
     177         [ #  # ]:          0 :         child_cred = current_cred();
     178   [ #  #  #  # ]:          0 :         if (cred->user_ns == child_cred->user_ns &&
     179                 :          0 :             cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
     180                 :          0 :                 goto out;
     181         [ #  # ]:          0 :         if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
     182                 :          0 :                 goto out;
     183                 :            :         ret = -EPERM;
     184                 :          0 : out:
     185                 :          0 :         rcu_read_unlock();
     186                 :          0 :         return ret;
     187                 :            : }
     188                 :            : 
     189                 :            : /**
     190                 :            :  * cap_capget - Retrieve a task's capability sets
     191                 :            :  * @target: The task from which to retrieve the capability sets
     192                 :            :  * @effective: The place to record the effective set
     193                 :            :  * @inheritable: The place to record the inheritable set
     194                 :            :  * @permitted: The place to record the permitted set
     195                 :            :  *
     196                 :            :  * This function retrieves the capabilities of the nominated task and returns
     197                 :            :  * them to the caller.
     198                 :            :  */
     199                 :        930 : int cap_capget(struct task_struct *target, kernel_cap_t *effective,
     200                 :            :                kernel_cap_t *inheritable, kernel_cap_t *permitted)
     201                 :            : {
     202                 :        930 :         const struct cred *cred;
     203                 :            : 
     204                 :            :         /* Derived from kernel/capability.c:sys_capget. */
     205                 :        930 :         rcu_read_lock();
     206                 :        930 :         cred = __task_cred(target);
     207                 :        930 :         *effective   = cred->cap_effective;
     208                 :        930 :         *inheritable = cred->cap_inheritable;
     209                 :        930 :         *permitted   = cred->cap_permitted;
     210                 :        930 :         rcu_read_unlock();
     211                 :        930 :         return 0;
     212                 :            : }
     213                 :            : 
     214                 :            : /*
     215                 :            :  * Determine whether the inheritable capabilities are limited to the old
     216                 :            :  * permitted set.  Returns 1 if they are limited, 0 if they are not.
     217                 :            :  */
     218                 :         90 : static inline int cap_inh_is_capped(void)
     219                 :            : {
     220                 :            :         /* they are so limited unless the current task has the CAP_SETPCAP
     221                 :            :          * capability
     222                 :            :          */
     223         [ -  - ]:         90 :         if (cap_capable(current_cred(), current_cred()->user_ns,
     224                 :            :                         CAP_SETPCAP, CAP_OPT_NONE) == 0)
     225                 :         90 :                 return 0;
     226                 :            :         return 1;
     227                 :            : }
     228                 :            : 
     229                 :            : /**
     230                 :            :  * cap_capset - Validate and apply proposed changes to current's capabilities
     231                 :            :  * @new: The proposed new credentials; alterations should be made here
     232                 :            :  * @old: The current task's current credentials
     233                 :            :  * @effective: A pointer to the proposed new effective capabilities set
     234                 :            :  * @inheritable: A pointer to the proposed new inheritable capabilities set
     235                 :            :  * @permitted: A pointer to the proposed new permitted capabilities set
     236                 :            :  *
     237                 :            :  * This function validates and applies a proposed mass change to the current
     238                 :            :  * process's capability sets.  The changes are made to the proposed new
     239                 :            :  * credentials, and assuming no error, will be committed by the caller of LSM.
     240                 :            :  */
     241                 :         90 : int cap_capset(struct cred *new,
     242                 :            :                const struct cred *old,
     243                 :            :                const kernel_cap_t *effective,
     244                 :            :                const kernel_cap_t *inheritable,
     245                 :            :                const kernel_cap_t *permitted)
     246                 :            : {
     247   [ -  +  -  - ]:         90 :         if (cap_inh_is_capped() &&
     248                 :          0 :             !cap_issubset(*inheritable,
     249                 :            :                           cap_combine(old->cap_inheritable,
     250                 :            :                                       old->cap_permitted)))
     251                 :            :                 /* incapable of using this inheritable set */
     252                 :            :                 return -EPERM;
     253                 :            : 
     254         [ +  - ]:        180 :         if (!cap_issubset(*inheritable,
     255                 :            :                           cap_combine(old->cap_inheritable,
     256                 :            :                                       old->cap_bset)))
     257                 :            :                 /* no new pI capabilities outside bounding set */
     258                 :            :                 return -EPERM;
     259                 :            : 
     260                 :            :         /* verify restrictions on target's new Permitted set */
     261         [ +  - ]:         90 :         if (!cap_issubset(*permitted, old->cap_permitted))
     262                 :            :                 return -EPERM;
     263                 :            : 
     264                 :            :         /* verify the _new_Effective_ is a subset of the _new_Permitted_ */
     265         [ +  - ]:         90 :         if (!cap_issubset(*effective, *permitted))
     266                 :            :                 return -EPERM;
     267                 :            : 
     268                 :         90 :         new->cap_effective   = *effective;
     269                 :         90 :         new->cap_inheritable = *inheritable;
     270                 :         90 :         new->cap_permitted   = *permitted;
     271                 :            : 
     272                 :            :         /*
     273                 :            :          * Mask off ambient bits that are no longer both permitted and
     274                 :            :          * inheritable.
     275                 :            :          */
     276                 :        180 :         new->cap_ambient = cap_intersect(new->cap_ambient,
     277                 :            :                                          cap_intersect(*permitted,
     278                 :            :                                                        *inheritable));
     279   [ -  +  -  + ]:         90 :         if (WARN_ON(!cap_ambient_invariant_ok(new)))
     280                 :          0 :                 return -EINVAL;
     281                 :            :         return 0;
     282                 :            : }
     283                 :            : 
     284                 :            : /**
     285                 :            :  * cap_inode_need_killpriv - Determine if inode change affects privileges
     286                 :            :  * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
     287                 :            :  *
     288                 :            :  * Determine if an inode having a change applied that's marked ATTR_KILL_PRIV
     289                 :            :  * affects the security markings on that inode, and if it is, should
     290                 :            :  * inode_killpriv() be invoked or the change rejected.
     291                 :            :  *
     292                 :            :  * Returns 1 if security.capability has a value, meaning inode_killpriv()
     293                 :            :  * is required, 0 otherwise, meaning inode_killpriv() is not required.
     294                 :            :  */
     295                 :      24810 : int cap_inode_need_killpriv(struct dentry *dentry)
     296                 :            : {
     297                 :      24810 :         struct inode *inode = d_backing_inode(dentry);
     298                 :      24810 :         int error;
     299                 :            : 
     300                 :      24810 :         error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, NULL, 0);
     301                 :      24810 :         return error > 0;
     302                 :            : }
     303                 :            : 
     304                 :            : /**
     305                 :            :  * cap_inode_killpriv - Erase the security markings on an inode
     306                 :            :  * @dentry: The inode/dentry to alter
     307                 :            :  *
     308                 :            :  * Erase the privilege-enhancing security markings on an inode.
     309                 :            :  *
     310                 :            :  * Returns 0 if successful, -ve on error.
     311                 :            :  */
     312                 :          0 : int cap_inode_killpriv(struct dentry *dentry)
     313                 :            : {
     314                 :          0 :         int error;
     315                 :            : 
     316                 :          0 :         error = __vfs_removexattr(dentry, XATTR_NAME_CAPS);
     317         [ #  # ]:          0 :         if (error == -EOPNOTSUPP)
     318                 :          0 :                 error = 0;
     319                 :          0 :         return error;
     320                 :            : }
     321                 :            : 
     322                 :          0 : static bool rootid_owns_currentns(kuid_t kroot)
     323                 :            : {
     324                 :          0 :         struct user_namespace *ns;
     325                 :            : 
     326                 :          0 :         if (!uid_valid(kroot))
     327                 :            :                 return false;
     328                 :            : 
     329   [ #  #  #  # ]:          0 :         for (ns = current_user_ns(); ; ns = ns->parent) {
     330   [ #  #  #  # ]:          0 :                 if (from_kuid(ns, kroot) == 0)
     331                 :          0 :                         return true;
     332                 :            :                 if (ns == &init_user_ns)
     333                 :            :                         break;
     334                 :            :         }
     335                 :            : 
     336                 :            :         return false;
     337                 :            : }
     338                 :            : 
     339                 :          0 : static __u32 sansflags(__u32 m)
     340                 :            : {
     341                 :          0 :         return m & ~VFS_CAP_FLAGS_EFFECTIVE;
     342                 :            : }
     343                 :            : 
     344                 :          0 : static bool is_v2header(size_t size, const struct vfs_cap_data *cap)
     345                 :            : {
     346                 :          0 :         if (size != XATTR_CAPS_SZ_2)
     347                 :            :                 return false;
     348                 :          0 :         return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
     349                 :            : }
     350                 :            : 
     351                 :          0 : static bool is_v3header(size_t size, const struct vfs_cap_data *cap)
     352                 :            : {
     353         [ #  # ]:          0 :         if (size != XATTR_CAPS_SZ_3)
     354                 :            :                 return false;
     355                 :          0 :         return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
     356                 :            : }
     357                 :            : 
     358                 :            : /*
     359                 :            :  * getsecurity: We are called for security.* before any attempt to read the
     360                 :            :  * xattr from the inode itself.
     361                 :            :  *
     362                 :            :  * This gives us a chance to read the on-disk value and convert it.  If we
     363                 :            :  * return -EOPNOTSUPP, then vfs_getxattr() will call the i_op handler.
     364                 :            :  *
     365                 :            :  * Note we are not called by vfs_getxattr_alloc(), but that is only called
     366                 :            :  * by the integrity subsystem, which really wants the unconverted values -
     367                 :            :  * so that's good.
     368                 :            :  */
     369                 :          0 : int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
     370                 :            :                           bool alloc)
     371                 :            : {
     372                 :          0 :         int size, ret;
     373                 :          0 :         kuid_t kroot;
     374                 :          0 :         uid_t root, mappedroot;
     375                 :          0 :         char *tmpbuf = NULL;
     376                 :          0 :         struct vfs_cap_data *cap;
     377                 :          0 :         struct vfs_ns_cap_data *nscap;
     378                 :          0 :         struct dentry *dentry;
     379                 :          0 :         struct user_namespace *fs_ns;
     380                 :            : 
     381         [ #  # ]:          0 :         if (strcmp(name, "capability") != 0)
     382                 :            :                 return -EOPNOTSUPP;
     383                 :            : 
     384                 :          0 :         dentry = d_find_any_alias(inode);
     385         [ #  # ]:          0 :         if (!dentry)
     386                 :            :                 return -EINVAL;
     387                 :            : 
     388                 :          0 :         size = sizeof(struct vfs_ns_cap_data);
     389                 :          0 :         ret = (int) vfs_getxattr_alloc(dentry, XATTR_NAME_CAPS,
     390                 :            :                                  &tmpbuf, size, GFP_NOFS);
     391                 :          0 :         dput(dentry);
     392                 :            : 
     393         [ #  # ]:          0 :         if (ret < 0)
     394                 :            :                 return ret;
     395                 :            : 
     396                 :          0 :         fs_ns = inode->i_sb->s_user_ns;
     397                 :          0 :         cap = (struct vfs_cap_data *) tmpbuf;
     398   [ #  #  #  # ]:          0 :         if (is_v2header((size_t) ret, cap)) {
     399                 :            :                 /* If this is sizeof(vfs_cap_data) then we're ok with the
     400                 :            :                  * on-disk value, so return that.  */
     401         [ #  # ]:          0 :                 if (alloc)
     402                 :          0 :                         *buffer = tmpbuf;
     403                 :            :                 else
     404                 :          0 :                         kfree(tmpbuf);
     405                 :          0 :                 return ret;
     406   [ #  #  #  # ]:          0 :         } else if (!is_v3header((size_t) ret, cap)) {
     407                 :          0 :                 kfree(tmpbuf);
     408                 :          0 :                 return -EINVAL;
     409                 :            :         }
     410                 :            : 
     411                 :          0 :         nscap = (struct vfs_ns_cap_data *) tmpbuf;
     412                 :          0 :         root = le32_to_cpu(nscap->rootid);
     413         [ #  # ]:          0 :         kroot = make_kuid(fs_ns, root);
     414                 :            : 
     415                 :            :         /* If the root kuid maps to a valid uid in current ns, then return
     416                 :            :          * this as a nscap. */
     417         [ #  # ]:          0 :         mappedroot = from_kuid(current_user_ns(), kroot);
     418         [ #  # ]:          0 :         if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
     419         [ #  # ]:          0 :                 if (alloc) {
     420                 :          0 :                         *buffer = tmpbuf;
     421                 :          0 :                         nscap->rootid = cpu_to_le32(mappedroot);
     422                 :            :                 } else
     423                 :          0 :                         kfree(tmpbuf);
     424                 :          0 :                 return size;
     425                 :            :         }
     426                 :            : 
     427         [ #  # ]:          0 :         if (!rootid_owns_currentns(kroot)) {
     428                 :          0 :                 kfree(tmpbuf);
     429                 :          0 :                 return -EOPNOTSUPP;
     430                 :            :         }
     431                 :            : 
     432                 :            :         /* This comes from a parent namespace.  Return as a v2 capability */
     433                 :          0 :         size = sizeof(struct vfs_cap_data);
     434         [ #  # ]:          0 :         if (alloc) {
     435                 :          0 :                 *buffer = kmalloc(size, GFP_ATOMIC);
     436         [ #  # ]:          0 :                 if (*buffer) {
     437                 :          0 :                         struct vfs_cap_data *cap = *buffer;
     438                 :          0 :                         __le32 nsmagic, magic;
     439                 :          0 :                         magic = VFS_CAP_REVISION_2;
     440                 :          0 :                         nsmagic = le32_to_cpu(nscap->magic_etc);
     441                 :          0 :                         if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
     442                 :            :                                 magic |= VFS_CAP_FLAGS_EFFECTIVE;
     443                 :          0 :                         memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
     444                 :          0 :                         cap->magic_etc = cpu_to_le32(magic);
     445                 :            :                 } else {
     446                 :            :                         size = -ENOMEM;
     447                 :            :                 }
     448                 :            :         }
     449                 :          0 :         kfree(tmpbuf);
     450                 :          0 :         return size;
     451                 :            : }
     452                 :            : 
     453                 :          0 : static kuid_t rootid_from_xattr(const void *value, size_t size,
     454                 :            :                                 struct user_namespace *task_ns)
     455                 :            : {
     456                 :          0 :         const struct vfs_ns_cap_data *nscap = value;
     457                 :          0 :         uid_t rootid = 0;
     458                 :            : 
     459                 :          0 :         if (size == XATTR_CAPS_SZ_3)
     460                 :          0 :                 rootid = le32_to_cpu(nscap->rootid);
     461                 :            : 
     462         [ #  # ]:          0 :         return make_kuid(task_ns, rootid);
     463                 :            : }
     464                 :            : 
     465                 :          0 : static bool validheader(size_t size, const struct vfs_cap_data *cap)
     466                 :            : {
     467   [ #  #  #  # ]:          0 :         return is_v2header(size, cap) || is_v3header(size, cap);
     468                 :            : }
     469                 :            : 
     470                 :            : /*
     471                 :            :  * User requested a write of security.capability.  If needed, update the
     472                 :            :  * xattr to change from v2 to v3, or to fixup the v3 rootid.
     473                 :            :  *
     474                 :            :  * If all is ok, we return the new size, on error return < 0.
     475                 :            :  */
     476                 :          0 : int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
     477                 :            : {
     478                 :          0 :         struct vfs_ns_cap_data *nscap;
     479                 :          0 :         uid_t nsrootid;
     480                 :          0 :         const struct vfs_cap_data *cap = *ivalue;
     481                 :          0 :         __u32 magic, nsmagic;
     482         [ #  # ]:          0 :         struct inode *inode = d_backing_inode(dentry);
     483         [ #  # ]:          0 :         struct user_namespace *task_ns = current_user_ns(),
     484                 :            :                 *fs_ns = inode->i_sb->s_user_ns;
     485                 :          0 :         kuid_t rootid;
     486                 :          0 :         size_t newsize;
     487                 :            : 
     488         [ #  # ]:          0 :         if (!*ivalue)
     489                 :            :                 return -EINVAL;
     490   [ #  #  #  # ]:          0 :         if (!validheader(size, cap))
     491                 :            :                 return -EINVAL;
     492         [ #  # ]:          0 :         if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
     493                 :            :                 return -EPERM;
     494         [ #  # ]:          0 :         if (size == XATTR_CAPS_SZ_2)
     495         [ #  # ]:          0 :                 if (ns_capable(inode->i_sb->s_user_ns, CAP_SETFCAP))
     496                 :            :                         /* user is privileged, just write the v2 */
     497                 :            :                         return size;
     498                 :            : 
     499         [ #  # ]:          0 :         rootid = rootid_from_xattr(*ivalue, size, task_ns);
     500         [ #  # ]:          0 :         if (!uid_valid(rootid))
     501                 :            :                 return -EINVAL;
     502                 :            : 
     503                 :          0 :         nsrootid = from_kuid(fs_ns, rootid);
     504                 :          0 :         if (nsrootid == -1)
     505                 :            :                 return -EINVAL;
     506                 :            : 
     507                 :          0 :         newsize = sizeof(struct vfs_ns_cap_data);
     508                 :          0 :         nscap = kmalloc(newsize, GFP_ATOMIC);
     509         [ #  # ]:          0 :         if (!nscap)
     510                 :            :                 return -ENOMEM;
     511                 :          0 :         nscap->rootid = cpu_to_le32(nsrootid);
     512                 :          0 :         nsmagic = VFS_CAP_REVISION_3;
     513                 :          0 :         magic = le32_to_cpu(cap->magic_etc);
     514                 :          0 :         if (magic & VFS_CAP_FLAGS_EFFECTIVE)
     515                 :            :                 nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
     516                 :          0 :         nscap->magic_etc = cpu_to_le32(nsmagic);
     517                 :          0 :         memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
     518                 :            : 
     519                 :          0 :         kvfree(*ivalue);
     520                 :          0 :         *ivalue = nscap;
     521                 :          0 :         return newsize;
     522                 :            : }
     523                 :            : 
     524                 :            : /*
     525                 :            :  * Calculate the new process capability sets from the capability sets attached
     526                 :            :  * to a file.
     527                 :            :  */
     528                 :            : static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
     529                 :            :                                           struct linux_binprm *bprm,
     530                 :            :                                           bool *effective,
     531                 :            :                                           bool *has_fcap)
     532                 :            : {
     533                 :            :         struct cred *new = bprm->cred;
     534                 :            :         unsigned i;
     535                 :            :         int ret = 0;
     536                 :            : 
     537                 :            :         if (caps->magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
     538                 :            :                 *effective = true;
     539                 :            : 
     540                 :            :         if (caps->magic_etc & VFS_CAP_REVISION_MASK)
     541                 :            :                 *has_fcap = true;
     542                 :            : 
     543                 :            :         CAP_FOR_EACH_U32(i) {
     544                 :            :                 __u32 permitted = caps->permitted.cap[i];
     545                 :            :                 __u32 inheritable = caps->inheritable.cap[i];
     546                 :            : 
     547                 :            :                 /*
     548                 :            :                  * pP' = (X & fP) | (pI & fI)
     549                 :            :                  * The addition of pA' is handled later.
     550                 :            :                  */
     551                 :            :                 new->cap_permitted.cap[i] =
     552                 :            :                         (new->cap_bset.cap[i] & permitted) |
     553                 :            :                         (new->cap_inheritable.cap[i] & inheritable);
     554                 :            : 
     555                 :            :                 if (permitted & ~new->cap_permitted.cap[i])
     556                 :            :                         /* insufficient to execute correctly */
     557                 :            :                         ret = -EPERM;
     558                 :            :         }
     559                 :            : 
     560                 :            :         /*
     561                 :            :          * For legacy apps, with no internal support for recognizing they
     562                 :            :          * do not have enough capabilities, we return an error if they are
     563                 :            :          * missing some "forced" (aka file-permitted) capabilities.
     564                 :            :          */
     565                 :            :         return *effective ? ret : 0;
     566                 :            : }
     567                 :            : 
     568                 :            : /*
     569                 :            :  * Extract the on-exec-apply capability sets for an executable file.
     570                 :            :  */
     571                 :      45186 : int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
     572                 :            : {
     573         [ +  - ]:      45186 :         struct inode *inode = d_backing_inode(dentry);
     574                 :      45186 :         __u32 magic_etc;
     575                 :      45186 :         unsigned tocopy, i;
     576                 :      45186 :         int size;
     577                 :      45186 :         struct vfs_ns_cap_data data, *nscaps = &data;
     578                 :      45186 :         struct vfs_cap_data *caps = (struct vfs_cap_data *) &data;
     579                 :      45186 :         kuid_t rootkuid;
     580                 :      45186 :         struct user_namespace *fs_ns;
     581                 :            : 
     582                 :      45186 :         memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
     583                 :            : 
     584         [ +  - ]:      45186 :         if (!inode)
     585                 :            :                 return -ENODATA;
     586                 :            : 
     587                 :      45186 :         fs_ns = inode->i_sb->s_user_ns;
     588                 :      45186 :         size = __vfs_getxattr((struct dentry *)dentry, inode,
     589                 :            :                               XATTR_NAME_CAPS, &data, XATTR_CAPS_SZ);
     590         [ -  + ]:      45186 :         if (size == -ENODATA || size == -EOPNOTSUPP)
     591                 :            :                 /* no data, that's ok */
     592                 :            :                 return -ENODATA;
     593                 :            : 
     594         [ #  # ]:          0 :         if (size < 0)
     595                 :            :                 return size;
     596                 :            : 
     597         [ #  # ]:          0 :         if (size < sizeof(magic_etc))
     598                 :            :                 return -EINVAL;
     599                 :            : 
     600                 :          0 :         cpu_caps->magic_etc = magic_etc = le32_to_cpu(caps->magic_etc);
     601                 :            : 
     602   [ #  #  #  # ]:          0 :         rootkuid = make_kuid(fs_ns, 0);
     603   [ #  #  #  # ]:          0 :         switch (magic_etc & VFS_CAP_REVISION_MASK) {
     604                 :          0 :         case VFS_CAP_REVISION_1:
     605         [ #  # ]:          0 :                 if (size != XATTR_CAPS_SZ_1)
     606                 :            :                         return -EINVAL;
     607                 :            :                 tocopy = VFS_CAP_U32_1;
     608                 :            :                 break;
     609                 :          0 :         case VFS_CAP_REVISION_2:
     610         [ #  # ]:          0 :                 if (size != XATTR_CAPS_SZ_2)
     611                 :            :                         return -EINVAL;
     612                 :            :                 tocopy = VFS_CAP_U32_2;
     613                 :            :                 break;
     614                 :          0 :         case VFS_CAP_REVISION_3:
     615         [ #  # ]:          0 :                 if (size != XATTR_CAPS_SZ_3)
     616                 :            :                         return -EINVAL;
     617                 :          0 :                 tocopy = VFS_CAP_U32_3;
     618                 :          0 :                 rootkuid = make_kuid(fs_ns, le32_to_cpu(nscaps->rootid));
     619                 :            :                 break;
     620                 :            : 
     621                 :            :         default:
     622                 :            :                 return -EINVAL;
     623                 :            :         }
     624                 :            :         /* Limit the caps to the mounter of the filesystem
     625                 :            :          * or the more limited uid specified in the xattr.
     626                 :            :          */
     627         [ #  # ]:          0 :         if (!rootid_owns_currentns(rootkuid))
     628                 :            :                 return -ENODATA;
     629                 :            : 
     630         [ #  # ]:          0 :         CAP_FOR_EACH_U32(i) {
     631         [ #  # ]:          0 :                 if (i >= tocopy)
     632                 :            :                         break;
     633                 :          0 :                 cpu_caps->permitted.cap[i] = le32_to_cpu(caps->data[i].permitted);
     634                 :          0 :                 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps->data[i].inheritable);
     635                 :            :         }
     636                 :            : 
     637                 :          0 :         cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
     638                 :          0 :         cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
     639                 :            : 
     640                 :          0 :         cpu_caps->rootid = rootkuid;
     641                 :            : 
     642                 :          0 :         return 0;
     643                 :            : }
     644                 :            : 
     645                 :            : /*
     646                 :            :  * Attempt to get the on-exec apply capability sets for an executable file from
     647                 :            :  * its xattrs and, if present, apply them to the proposed credentials being
     648                 :            :  * constructed by execve().
     649                 :            :  */
     650                 :      45186 : static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_fcap)
     651                 :            : {
     652                 :      45186 :         int rc = 0;
     653                 :      45186 :         struct cpu_vfs_cap_data vcaps;
     654                 :            : 
     655                 :      45186 :         cap_clear(bprm->cred->cap_permitted);
     656                 :            : 
     657         [ +  - ]:      45186 :         if (!file_caps_enabled)
     658                 :            :                 return 0;
     659                 :            : 
     660         [ +  - ]:      45186 :         if (!mnt_may_suid(bprm->file->f_path.mnt))
     661                 :            :                 return 0;
     662                 :            : 
     663                 :            :         /*
     664                 :            :          * This check is redundant with mnt_may_suid() but is kept to make
     665                 :            :          * explicit that capability bits are limited to s_user_ns and its
     666                 :            :          * descendants.
     667                 :            :          */
     668                 :      45186 :         if (!current_in_userns(bprm->file->f_path.mnt->mnt_sb->s_user_ns))
     669                 :            :                 return 0;
     670                 :            : 
     671                 :      45186 :         rc = get_vfs_caps_from_disk(bprm->file->f_path.dentry, &vcaps);
     672         [ +  - ]:      45186 :         if (rc < 0) {
     673         [ -  + ]:      45186 :                 if (rc == -EINVAL)
     674                 :          0 :                         printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
     675                 :            :                                         bprm->filename);
     676         [ +  - ]:      45186 :                 else if (rc == -ENODATA)
     677                 :      45186 :                         rc = 0;
     678                 :          0 :                 goto out;
     679                 :            :         }
     680                 :            : 
     681                 :          0 :         rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);
     682                 :            : 
     683                 :          0 : out:
     684         [ -  - ]:      45186 :         if (rc)
     685                 :          0 :                 cap_clear(bprm->cred->cap_permitted);
     686                 :            : 
     687                 :            :         return rc;
     688                 :            : }
     689                 :            : 
     690   [ +  -  +  - ]:      45156 : static inline bool root_privileged(void) { return !issecure(SECURE_NOROOT); }
     691                 :            : 
     692                 :      90372 : static inline bool __is_real(kuid_t uid, struct cred *cred)
     693   [ +  +  -  -  :      45216 : { return uid_eq(cred->uid, uid); }
                   -  + ]
     694                 :            : 
     695                 :     135528 : static inline bool __is_eff(kuid_t uid, struct cred *cred)
     696   [ -  +  +  -  :      45156 : { return uid_eq(cred->euid, uid); }
                   -  - ]
     697                 :            : 
     698                 :      45156 : static inline bool __is_suid(kuid_t uid, struct cred *cred)
     699   [ +  +  +  -  :      45156 : { return !__is_real(uid, cred) && __is_eff(uid, cred); }
             -  -  -  - ]
     700                 :            : 
     701                 :            : /*
     702                 :            :  * handle_privileged_root - Handle case of privileged root
     703                 :            :  * @bprm: The execution parameters, including the proposed creds
     704                 :            :  * @has_fcap: Are any file capabilities set?
     705                 :            :  * @effective: Do we have effective root privilege?
     706                 :            :  * @root_uid: This namespace' root UID WRT initial USER namespace
     707                 :            :  *
     708                 :            :  * Handle the case where root is privileged and hasn't been neutered by
     709                 :            :  * SECURE_NOROOT.  If file capabilities are set, they won't be combined with
     710                 :            :  * set UID root and nothing is changed.  If we are root, cap_permitted is
     711                 :            :  * updated.  If we have become set UID root, the effective bit is set.
     712                 :            :  */
     713                 :      45186 : static void handle_privileged_root(struct linux_binprm *bprm, bool has_fcap,
     714                 :            :                                    bool *effective, kuid_t root_uid)
     715                 :            : {
     716         [ +  - ]:      45186 :         const struct cred *old = current_cred();
     717                 :      45186 :         struct cred *new = bprm->cred;
     718                 :            : 
     719         [ +  - ]:      45186 :         if (!root_privileged())
     720                 :            :                 return;
     721                 :            :         /*
     722                 :            :          * If the legacy file capability is set, then don't set privs
     723                 :            :          * for a setuid root binary run by a non-root user.  Do set it
     724                 :            :          * for a root user just to cause least surprise to an admin.
     725                 :            :          */
     726   [ -  +  -  - ]:      45186 :         if (has_fcap && __is_suid(root_uid, new)) {
     727         [ #  # ]:          0 :                 warn_setuid_and_fcaps_mixed(bprm->filename);
     728                 :          0 :                 return;
     729                 :            :         }
     730                 :            :         /*
     731                 :            :          * To support inheritance of root-permissions and suid-root
     732                 :            :          * executables under compatibility mode, we override the
     733                 :            :          * capability sets for the file.
     734                 :            :          */
     735   [ +  +  -  + ]:      45186 :         if (__is_eff(root_uid, new) || __is_real(root_uid, new)) {
     736                 :            :                 /* pP' = (cap_bset & ~0) | (pI & ~0) */
     737                 :      90312 :                 new->cap_permitted = cap_combine(old->cap_bset,
     738                 :            :                                                  old->cap_inheritable);
     739                 :            :         }
     740                 :            :         /*
     741                 :            :          * If only the real uid is 0, we do not set the effective bit.
     742                 :            :          */
     743         [ +  + ]:      45186 :         if (__is_eff(root_uid, new))
     744                 :      45156 :                 *effective = true;
     745                 :            : }
     746                 :            : 
     747                 :            : #define __cap_gained(field, target, source) \
     748                 :            :         !cap_issubset(target->cap_##field, source->cap_##field)
     749                 :            : #define __cap_grew(target, source, cred) \
     750                 :            :         !cap_issubset(cred->cap_##target, cred->cap_##source)
     751                 :            : #define __cap_full(field, cred) \
     752                 :            :         cap_issubset(CAP_FULL_SET, cred->cap_##field)
     753                 :            : 
     754                 :      90342 : static inline bool __is_setuid(struct cred *new, const struct cred *old)
     755         [ +  - ]:      45156 : { return !uid_eq(new->euid, old->uid); }
     756                 :            : 
     757                 :      45186 : static inline bool __is_setgid(struct cred *new, const struct cred *old)
     758         [ -  + ]:      45186 : { return !gid_eq(new->egid, old->gid); }
     759                 :            : 
     760                 :            : /*
     761                 :            :  * 1) Audit candidate if current->cap_effective is set
     762                 :            :  *
     763                 :            :  * We do not bother to audit if 3 things are true:
     764                 :            :  *   1) cap_effective has all caps
     765                 :            :  *   2) we became root *OR* are were already root
     766                 :            :  *   3) root is supposed to have all caps (SECURE_NOROOT)
     767                 :            :  * Since this is just a normal root execing a process.
     768                 :            :  *
     769                 :            :  * Number 1 above might fail if you don't have a full bset, but I think
     770                 :            :  * that is interesting information to audit.
     771                 :            :  *
     772                 :            :  * A number of other conditions require logging:
     773                 :            :  * 2) something prevented setuid root getting all caps
     774                 :            :  * 3) non-setuid root gets fcaps
     775                 :            :  * 4) non-setuid root gets ambient
     776                 :            :  */
     777                 :      45186 : static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
     778                 :            :                                      kuid_t root, bool has_fcap)
     779                 :            : {
     780                 :      45186 :         bool ret = false;
     781                 :            : 
     782   [ +  +  +  + ]:      90342 :         if ((__cap_grew(effective, ambient, new) &&
     783   [ -  +  +  - ]:      90282 :              !(__cap_full(effective, new) &&
     784         [ #  # ]:          0 :                (__is_eff(root, new) || __is_real(root, new)) &&
     785         [ +  - ]:      45156 :                root_privileged())) ||
     786         [ -  + ]:      45156 :             (root_privileged() &&
     787         [ #  # ]:          0 :              __is_suid(root, new) &&
     788         [ +  - ]:      45156 :              !__cap_full(effective, new)) ||
     789         [ -  + ]:      45156 :             (!__is_setuid(new, old) &&
     790         [ #  # ]:          0 :              ((has_fcap &&
     791         [ -  + ]:      45156 :                __cap_gained(permitted, new, old)) ||
     792                 :      45156 :               __cap_gained(ambient, new, old))))
     793                 :            : 
     794                 :            :                 ret = true;
     795                 :            : 
     796                 :      45186 :         return ret;
     797                 :            : }
     798                 :            : 
     799                 :            : /**
     800                 :            :  * cap_bprm_set_creds - Set up the proposed credentials for execve().
     801                 :            :  * @bprm: The execution parameters, including the proposed creds
     802                 :            :  *
     803                 :            :  * Set up the proposed credentials for a new execution context being
     804                 :            :  * constructed by execve().  The proposed creds in @bprm->cred is altered,
     805                 :            :  * which won't take effect immediately.  Returns 0 if successful, -ve on error.
     806                 :            :  */
     807                 :      45186 : int cap_bprm_set_creds(struct linux_binprm *bprm)
     808                 :            : {
     809                 :      45186 :         const struct cred *old = current_cred();
     810                 :      45186 :         struct cred *new = bprm->cred;
     811                 :      45186 :         bool effective = false, has_fcap = false, is_setid;
     812                 :      45186 :         int ret;
     813                 :      45186 :         kuid_t root_uid;
     814                 :            : 
     815   [ -  +  +  - ]:      45186 :         if (WARN_ON(!cap_ambient_invariant_ok(old)))
     816                 :            :                 return -EPERM;
     817                 :            : 
     818                 :      45186 :         ret = get_file_caps(bprm, &effective, &has_fcap);
     819         [ +  - ]:      45186 :         if (ret < 0)
     820                 :            :                 return ret;
     821                 :            : 
     822                 :      45186 :         root_uid = make_kuid(new->user_ns, 0);
     823                 :            : 
     824                 :      45186 :         handle_privileged_root(bprm, has_fcap, &effective, root_uid);
     825                 :            : 
     826                 :            :         /* if we have fs caps, clear dangerous personality flags */
     827         [ -  + ]:      45186 :         if (__cap_gained(permitted, new, old))
     828                 :          0 :                 bprm->per_clear |= PER_CLEAR_ON_SETID;
     829                 :            : 
     830                 :            :         /* Don't let someone trace a set[ug]id/setpcap binary with the revised
     831                 :            :          * credentials unless they have the appropriate permit.
     832                 :            :          *
     833                 :            :          * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
     834                 :            :          */
     835   [ +  -  -  + ]:      45186 :         is_setid = __is_setuid(new, old) || __is_setgid(new, old);
     836                 :            : 
     837   [ +  -  -  + ]:      45186 :         if ((is_setid || __cap_gained(permitted, new, old)) &&
     838   [ #  #  #  # ]:          0 :             ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
     839                 :          0 :              !ptracer_capable(current, new->user_ns))) {
     840                 :            :                 /* downgrade; they get no more than they had, and maybe less */
     841         [ #  # ]:          0 :                 if (!ns_capable(new->user_ns, CAP_SETUID) ||
     842         [ #  # ]:          0 :                     (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
     843                 :          0 :                         new->euid = new->uid;
     844                 :          0 :                         new->egid = new->gid;
     845                 :            :                 }
     846                 :          0 :                 new->cap_permitted = cap_intersect(new->cap_permitted,
     847                 :            :                                                    old->cap_permitted);
     848                 :            :         }
     849                 :            : 
     850                 :      45186 :         new->suid = new->fsuid = new->euid;
     851                 :      45186 :         new->sgid = new->fsgid = new->egid;
     852                 :            : 
     853                 :            :         /* File caps or setid cancels ambient. */
     854         [ -  + ]:      45186 :         if (has_fcap || is_setid)
     855                 :          0 :                 cap_clear(new->cap_ambient);
     856                 :            : 
     857                 :            :         /*
     858                 :            :          * Now that we've computed pA', update pP' to give:
     859                 :            :          *   pP' = (X & fP) | (pI & fI) | pA'
     860                 :            :          */
     861                 :      45186 :         new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
     862                 :            : 
     863                 :            :         /*
     864                 :            :          * Set pE' = (fE ? pP' : pA').  Because pA' is zero if fE is set,
     865                 :            :          * this is the same as pE' = (fE ? pP' : 0) | pA'.
     866                 :            :          */
     867         [ +  + ]:      45186 :         if (effective)
     868                 :      45156 :                 new->cap_effective = new->cap_permitted;
     869                 :            :         else
     870                 :         30 :                 new->cap_effective = new->cap_ambient;
     871                 :            : 
     872   [ -  +  +  - ]:      45186 :         if (WARN_ON(!cap_ambient_invariant_ok(new)))
     873                 :            :                 return -EPERM;
     874                 :            : 
     875         [ +  + ]:      45186 :         if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
     876                 :         30 :                 ret = audit_log_bprm_fcaps(bprm, new, old);
     877         [ +  - ]:         30 :                 if (ret < 0)
     878                 :            :                         return ret;
     879                 :            :         }
     880                 :            : 
     881                 :      45186 :         new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
     882                 :            : 
     883   [ -  +  +  - ]:      45186 :         if (WARN_ON(!cap_ambient_invariant_ok(new)))
     884                 :            :                 return -EPERM;
     885                 :            : 
     886                 :            :         /* Check for privilege-elevated exec. */
     887                 :      45186 :         bprm->cap_elevated = 0;
     888   [ +  -  +  + ]:      45186 :         if (is_setid ||
     889                 :         30 :             (!__is_real(root_uid, new) &&
     890   [ +  -  -  + ]:         60 :              (effective ||
     891                 :         30 :               __cap_grew(permitted, ambient, new))))
     892                 :          0 :                 bprm->cap_elevated = 1;
     893                 :            : 
     894                 :            :         return 0;
     895                 :            : }
     896                 :            : 
     897                 :            : /**
     898                 :            :  * cap_inode_setxattr - Determine whether an xattr may be altered
     899                 :            :  * @dentry: The inode/dentry being altered
     900                 :            :  * @name: The name of the xattr to be changed
     901                 :            :  * @value: The value that the xattr will be changed to
     902                 :            :  * @size: The size of value
     903                 :            :  * @flags: The replacement flag
     904                 :            :  *
     905                 :            :  * Determine whether an xattr may be altered or set on an inode, returning 0 if
     906                 :            :  * permission is granted, -ve if denied.
     907                 :            :  *
     908                 :            :  * This is used to make sure security xattrs don't get updated or set by those
     909                 :            :  * who aren't privileged to do so.
     910                 :            :  */
     911                 :        876 : int cap_inode_setxattr(struct dentry *dentry, const char *name,
     912                 :            :                        const void *value, size_t size, int flags)
     913                 :            : {
     914                 :        876 :         struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
     915                 :            : 
     916                 :            :         /* Ignore non-security xattrs */
     917         [ -  + ]:        876 :         if (strncmp(name, XATTR_SECURITY_PREFIX,
     918                 :            :                         XATTR_SECURITY_PREFIX_LEN) != 0)
     919                 :            :                 return 0;
     920                 :            : 
     921                 :            :         /*
     922                 :            :          * For XATTR_NAME_CAPS the check will be done in
     923                 :            :          * cap_convert_nscap(), called by setxattr()
     924                 :            :          */
     925         [ #  # ]:          0 :         if (strcmp(name, XATTR_NAME_CAPS) == 0)
     926                 :            :                 return 0;
     927                 :            : 
     928         [ #  # ]:          0 :         if (!ns_capable(user_ns, CAP_SYS_ADMIN))
     929                 :          0 :                 return -EPERM;
     930                 :            :         return 0;
     931                 :            : }
     932                 :            : 
     933                 :            : /**
     934                 :            :  * cap_inode_removexattr - Determine whether an xattr may be removed
     935                 :            :  * @dentry: The inode/dentry being altered
     936                 :            :  * @name: The name of the xattr to be changed
     937                 :            :  *
     938                 :            :  * Determine whether an xattr may be removed from an inode, returning 0 if
     939                 :            :  * permission is granted, -ve if denied.
     940                 :            :  *
     941                 :            :  * This is used to make sure security xattrs don't get removed by those who
     942                 :            :  * aren't privileged to remove them.
     943                 :            :  */
     944                 :        120 : int cap_inode_removexattr(struct dentry *dentry, const char *name)
     945                 :            : {
     946                 :        120 :         struct user_namespace *user_ns = dentry->d_sb->s_user_ns;
     947                 :            : 
     948                 :            :         /* Ignore non-security xattrs */
     949         [ -  + ]:        120 :         if (strncmp(name, XATTR_SECURITY_PREFIX,
     950                 :            :                         XATTR_SECURITY_PREFIX_LEN) != 0)
     951                 :            :                 return 0;
     952                 :            : 
     953         [ #  # ]:          0 :         if (strcmp(name, XATTR_NAME_CAPS) == 0) {
     954                 :            :                 /* security.capability gets namespaced */
     955         [ #  # ]:          0 :                 struct inode *inode = d_backing_inode(dentry);
     956         [ #  # ]:          0 :                 if (!inode)
     957                 :            :                         return -EINVAL;
     958         [ #  # ]:          0 :                 if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
     959                 :            :                         return -EPERM;
     960                 :          0 :                 return 0;
     961                 :            :         }
     962                 :            : 
     963         [ #  # ]:          0 :         if (!ns_capable(user_ns, CAP_SYS_ADMIN))
     964                 :          0 :                 return -EPERM;
     965                 :            :         return 0;
     966                 :            : }
     967                 :            : 
     968                 :            : /*
     969                 :            :  * cap_emulate_setxuid() fixes the effective / permitted capabilities of
     970                 :            :  * a process after a call to setuid, setreuid, or setresuid.
     971                 :            :  *
     972                 :            :  *  1) When set*uiding _from_ one of {r,e,s}uid == 0 _to_ all of
     973                 :            :  *  {r,e,s}uid != 0, the permitted and effective capabilities are
     974                 :            :  *  cleared.
     975                 :            :  *
     976                 :            :  *  2) When set*uiding _from_ euid == 0 _to_ euid != 0, the effective
     977                 :            :  *  capabilities of the process are cleared.
     978                 :            :  *
     979                 :            :  *  3) When set*uiding _from_ euid != 0 _to_ euid == 0, the effective
     980                 :            :  *  capabilities are set to the permitted capabilities.
     981                 :            :  *
     982                 :            :  *  fsuid is handled elsewhere. fsuid == 0 and {r,e,s}uid!= 0 should
     983                 :            :  *  never happen.
     984                 :            :  *
     985                 :            :  *  -astor
     986                 :            :  *
     987                 :            :  * cevans - New behaviour, Oct '99
     988                 :            :  * A process may, via prctl(), elect to keep its capabilities when it
     989                 :            :  * calls setuid() and switches away from uid==0. Both permitted and
     990                 :            :  * effective sets will be retained.
     991                 :            :  * Without this change, it was impossible for a daemon to drop only some
     992                 :            :  * of its privilege. The call to setuid(!=0) would drop all privileges!
     993                 :            :  * Keeping uid 0 is not an option because uid 0 owns too many vital
     994                 :            :  * files..
     995                 :            :  * Thanks to Olaf Kirch and Peter Benie for spotting this.
     996                 :            :  */
     997                 :        180 : static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
     998                 :            : {
     999         [ +  + ]:        180 :         kuid_t root_uid = make_kuid(old->user_ns, 0);
    1000                 :            : 
    1001   [ +  +  -  + ]:        180 :         if ((uid_eq(old->uid, root_uid) ||
    1002         [ #  # ]:          0 :              uid_eq(old->euid, root_uid) ||
    1003         [ +  + ]:        180 :              uid_eq(old->suid, root_uid)) &&
    1004         [ +  + ]:         60 :             (!uid_eq(new->uid, root_uid) &&
    1005         [ +  - ]:         30 :              !uid_eq(new->euid, root_uid) &&
    1006                 :            :              !uid_eq(new->suid, root_uid))) {
    1007         [ -  + ]:         30 :                 if (!issecure(SECURE_KEEP_CAPS)) {
    1008                 :          0 :                         cap_clear(new->cap_permitted);
    1009                 :          0 :                         cap_clear(new->cap_effective);
    1010                 :            :                 }
    1011                 :            : 
    1012                 :            :                 /*
    1013                 :            :                  * Pre-ambient programs expect setresuid to nonroot followed
    1014                 :            :                  * by exec to drop capabilities.  We should make sure that
    1015                 :            :                  * this remains the case.
    1016                 :            :                  */
    1017                 :         30 :                 cap_clear(new->cap_ambient);
    1018                 :            :         }
    1019   [ +  +  +  + ]:        180 :         if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
    1020                 :         60 :                 cap_clear(new->cap_effective);
    1021   [ +  +  +  - ]:        180 :         if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
    1022                 :         30 :                 new->cap_effective = new->cap_permitted;
    1023                 :        180 : }
    1024                 :            : 
    1025                 :            : /**
    1026                 :            :  * cap_task_fix_setuid - Fix up the results of setuid() call
    1027                 :            :  * @new: The proposed credentials
    1028                 :            :  * @old: The current task's current credentials
    1029                 :            :  * @flags: Indications of what has changed
    1030                 :            :  *
    1031                 :            :  * Fix up the results of setuid() call before the credential changes are
    1032                 :            :  * actually applied, returning 0 to grant the changes, -ve to deny them.
    1033                 :            :  */
    1034                 :        180 : int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
    1035                 :            : {
    1036      [ +  -  - ]:        180 :         switch (flags) {
    1037                 :            :         case LSM_SETID_RE:
    1038                 :            :         case LSM_SETID_ID:
    1039                 :            :         case LSM_SETID_RES:
    1040                 :            :                 /* juggle the capabilities to follow [RES]UID changes unless
    1041                 :            :                  * otherwise suppressed */
    1042         [ +  - ]:        180 :                 if (!issecure(SECURE_NO_SETUID_FIXUP))
    1043                 :        180 :                         cap_emulate_setxuid(new, old);
    1044                 :            :                 break;
    1045                 :            : 
    1046                 :            :         case LSM_SETID_FS:
    1047                 :            :                 /* juggle the capabilties to follow FSUID changes, unless
    1048                 :            :                  * otherwise suppressed
    1049                 :            :                  *
    1050                 :            :                  * FIXME - is fsuser used for all CAP_FS_MASK capabilities?
    1051                 :            :                  *          if not, we might be a bit too harsh here.
    1052                 :            :                  */
    1053         [ #  # ]:          0 :                 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
    1054         [ #  # ]:          0 :                         kuid_t root_uid = make_kuid(old->user_ns, 0);
    1055   [ #  #  #  # ]:          0 :                         if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
    1056                 :          0 :                                 new->cap_effective =
    1057                 :          0 :                                         cap_drop_fs_set(new->cap_effective);
    1058                 :            : 
    1059   [ #  #  #  # ]:          0 :                         if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
    1060                 :          0 :                                 new->cap_effective =
    1061                 :          0 :                                         cap_raise_fs_set(new->cap_effective,
    1062                 :            :                                                          new->cap_permitted);
    1063                 :            :                 }
    1064                 :            :                 break;
    1065                 :            : 
    1066                 :            :         default:
    1067                 :            :                 return -EINVAL;
    1068                 :            :         }
    1069                 :            : 
    1070                 :            :         return 0;
    1071                 :            : }
    1072                 :            : 
    1073                 :            : /*
    1074                 :            :  * Rationale: code calling task_setscheduler, task_setioprio, and
    1075                 :            :  * task_setnice, assumes that
    1076                 :            :  *   . if capable(cap_sys_nice), then those actions should be allowed
    1077                 :            :  *   . if not capable(cap_sys_nice), but acting on your own processes,
    1078                 :            :  *      then those actions should be allowed
    1079                 :            :  * This is insufficient now since you can call code without suid, but
    1080                 :            :  * yet with increased caps.
    1081                 :            :  * So we check for increased caps on the target process.
    1082                 :            :  */
    1083                 :        180 : static int cap_safe_nice(struct task_struct *p)
    1084                 :            : {
    1085                 :        180 :         int is_subset, ret = 0;
    1086                 :            : 
    1087                 :        180 :         rcu_read_lock();
    1088                 :        180 :         is_subset = cap_issubset(__task_cred(p)->cap_permitted,
    1089                 :        180 :                                  current_cred()->cap_permitted);
    1090   [ -  +  -  - ]:        180 :         if (!is_subset && !ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE))
    1091                 :          0 :                 ret = -EPERM;
    1092                 :        180 :         rcu_read_unlock();
    1093                 :            : 
    1094                 :        180 :         return ret;
    1095                 :            : }
    1096                 :            : 
    1097                 :            : /**
    1098                 :            :  * cap_task_setscheduler - Detemine if scheduler policy change is permitted
    1099                 :            :  * @p: The task to affect
    1100                 :            :  *
    1101                 :            :  * Detemine if the requested scheduler policy change is permitted for the
    1102                 :            :  * specified task, returning 0 if permission is granted, -ve if denied.
    1103                 :            :  */
    1104                 :         90 : int cap_task_setscheduler(struct task_struct *p)
    1105                 :            : {
    1106                 :         90 :         return cap_safe_nice(p);
    1107                 :            : }
    1108                 :            : 
    1109                 :            : /**
    1110                 :            :  * cap_task_ioprio - Detemine if I/O priority change is permitted
    1111                 :            :  * @p: The task to affect
    1112                 :            :  * @ioprio: The I/O priority to set
    1113                 :            :  *
    1114                 :            :  * Detemine if the requested I/O priority change is permitted for the specified
    1115                 :            :  * task, returning 0 if permission is granted, -ve if denied.
    1116                 :            :  */
    1117                 :         90 : int cap_task_setioprio(struct task_struct *p, int ioprio)
    1118                 :            : {
    1119                 :         90 :         return cap_safe_nice(p);
    1120                 :            : }
    1121                 :            : 
    1122                 :            : /**
    1123                 :            :  * cap_task_ioprio - Detemine if task priority change is permitted
    1124                 :            :  * @p: The task to affect
    1125                 :            :  * @nice: The nice value to set
    1126                 :            :  *
    1127                 :            :  * Detemine if the requested task priority change is permitted for the
    1128                 :            :  * specified task, returning 0 if permission is granted, -ve if denied.
    1129                 :            :  */
    1130                 :          0 : int cap_task_setnice(struct task_struct *p, int nice)
    1131                 :            : {
    1132                 :          0 :         return cap_safe_nice(p);
    1133                 :            : }
    1134                 :            : 
    1135                 :            : /*
    1136                 :            :  * Implement PR_CAPBSET_DROP.  Attempt to remove the specified capability from
    1137                 :            :  * the current task's bounding set.  Returns 0 on success, -ve on error.
    1138                 :            :  */
    1139                 :       1890 : static int cap_prctl_drop(unsigned long cap)
    1140                 :            : {
    1141                 :       1890 :         struct cred *new;
    1142                 :            : 
    1143         [ +  - ]:       1890 :         if (!ns_capable(current_user_ns(), CAP_SETPCAP))
    1144                 :            :                 return -EPERM;
    1145         [ +  - ]:       1890 :         if (!cap_valid(cap))
    1146                 :            :                 return -EINVAL;
    1147                 :            : 
    1148                 :       1890 :         new = prepare_creds();
    1149         [ +  - ]:       1890 :         if (!new)
    1150                 :            :                 return -ENOMEM;
    1151                 :       1890 :         cap_lower(new->cap_bset, cap);
    1152                 :       1890 :         return commit_creds(new);
    1153                 :            : }
    1154                 :            : 
    1155                 :            : /**
    1156                 :            :  * cap_task_prctl - Implement process control functions for this security module
    1157                 :            :  * @option: The process control function requested
    1158                 :            :  * @arg2, @arg3, @arg4, @arg5: The argument data for this function
    1159                 :            :  *
    1160                 :            :  * Allow process control functions (sys_prctl()) to alter capabilities; may
    1161                 :            :  * also deny access to other functions not otherwise implemented here.
    1162                 :            :  *
    1163                 :            :  * Returns 0 or +ve on success, -ENOSYS if this function is not implemented
    1164                 :            :  * here, other -ve on error.  If -ENOSYS is returned, sys_prctl() and other LSM
    1165                 :            :  * modules will consider performing the function.
    1166                 :            :  */
    1167                 :       9146 : int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
    1168                 :            :                    unsigned long arg4, unsigned long arg5)
    1169                 :            : {
    1170   [ -  +  +  +  :       9146 :         const struct cred *old = current_cred();
             -  -  +  + ]
    1171                 :       9146 :         struct cred *new;
    1172                 :            : 
    1173   [ -  +  +  +  :       9146 :         switch (option) {
             -  -  +  + ]
    1174                 :          0 :         case PR_CAPBSET_READ:
    1175         [ #  # ]:          0 :                 if (!cap_valid(arg2))
    1176                 :            :                         return -EINVAL;
    1177                 :          0 :                 return !!cap_raised(old->cap_bset, arg2);
    1178                 :            : 
    1179                 :       1890 :         case PR_CAPBSET_DROP:
    1180                 :       1890 :                 return cap_prctl_drop(arg2);
    1181                 :            : 
    1182                 :            :         /*
    1183                 :            :          * The next four prctl's remain to assist with transitioning a
    1184                 :            :          * system from legacy UID=0 based privilege (when filesystem
    1185                 :            :          * capabilities are not in use) to a system using filesystem
    1186                 :            :          * capabilities only - as the POSIX.1e draft intended.
    1187                 :            :          *
    1188                 :            :          * Note:
    1189                 :            :          *
    1190                 :            :          *  PR_SET_SECUREBITS =
    1191                 :            :          *      issecure_mask(SECURE_KEEP_CAPS_LOCKED)
    1192                 :            :          *    | issecure_mask(SECURE_NOROOT)
    1193                 :            :          *    | issecure_mask(SECURE_NOROOT_LOCKED)
    1194                 :            :          *    | issecure_mask(SECURE_NO_SETUID_FIXUP)
    1195                 :            :          *    | issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)
    1196                 :            :          *
    1197                 :            :          * will ensure that the current process and all of its
    1198                 :            :          * children will be locked into a pure
    1199                 :            :          * capability-based-privilege environment.
    1200                 :            :          */
    1201                 :         30 :         case PR_SET_SECUREBITS:
    1202                 :         30 :                 if ((((old->securebits & SECURE_ALL_LOCKS) >> 1)
    1203         [ +  - ]:         30 :                      & (old->securebits ^ arg2))                 /*[1]*/
    1204         [ +  - ]:         30 :                     || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))        /*[2]*/
    1205         [ +  - ]:         30 :                     || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))       /*[3]*/
    1206         [ -  - ]:         30 :                     || (cap_capable(current_cred(),
    1207                 :         30 :                                     current_cred()->user_ns,
    1208                 :            :                                     CAP_SETPCAP,
    1209                 :            :                                     CAP_OPT_NONE) != 0)                 /*[4]*/
    1210                 :            :                         /*
    1211                 :            :                          * [1] no changing of bits that are locked
    1212                 :            :                          * [2] no unlocking of locks
    1213                 :            :                          * [3] no setting of unsupported bits
    1214                 :            :                          * [4] doing anything requires privilege (go read about
    1215                 :            :                          *     the "sendmail capabilities bug")
    1216                 :            :                          */
    1217                 :            :                     )
    1218                 :            :                         /* cannot change a locked bit */
    1219                 :            :                         return -EPERM;
    1220                 :            : 
    1221                 :         30 :                 new = prepare_creds();
    1222         [ +  - ]:         30 :                 if (!new)
    1223                 :            :                         return -ENOMEM;
    1224                 :         30 :                 new->securebits = arg2;
    1225                 :         30 :                 return commit_creds(new);
    1226                 :            : 
    1227                 :        876 :         case PR_GET_SECUREBITS:
    1228                 :        876 :                 return old->securebits;
    1229                 :            : 
    1230                 :            :         case PR_GET_KEEPCAPS:
    1231                 :          0 :                 return !!issecure(SECURE_KEEP_CAPS);
    1232                 :            : 
    1233                 :          0 :         case PR_SET_KEEPCAPS:
    1234         [ #  # ]:          0 :                 if (arg2 > 1) /* Note, we rely on arg2 being unsigned here */
    1235                 :            :                         return -EINVAL;
    1236         [ #  # ]:          0 :                 if (issecure(SECURE_KEEP_CAPS_LOCKED))
    1237                 :            :                         return -EPERM;
    1238                 :            : 
    1239                 :          0 :                 new = prepare_creds();
    1240         [ #  # ]:          0 :                 if (!new)
    1241                 :            :                         return -ENOMEM;
    1242         [ #  # ]:          0 :                 if (arg2)
    1243                 :          0 :                         new->securebits |= issecure_mask(SECURE_KEEP_CAPS);
    1244                 :            :                 else
    1245                 :          0 :                         new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
    1246                 :          0 :                 return commit_creds(new);
    1247                 :            : 
    1248                 :         90 :         case PR_CAP_AMBIENT:
    1249         [ -  + ]:         90 :                 if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
    1250         [ #  # ]:          0 :                         if (arg3 | arg4 | arg5)
    1251                 :            :                                 return -EINVAL;
    1252                 :            : 
    1253                 :          0 :                         new = prepare_creds();
    1254         [ #  # ]:          0 :                         if (!new)
    1255                 :            :                                 return -ENOMEM;
    1256                 :          0 :                         cap_clear(new->cap_ambient);
    1257                 :          0 :                         return commit_creds(new);
    1258                 :            :                 }
    1259                 :            : 
    1260         [ +  - ]:         90 :                 if (((!cap_valid(arg3)) | arg4 | arg5))
    1261                 :            :                         return -EINVAL;
    1262                 :            : 
    1263         [ +  + ]:         90 :                 if (arg2 == PR_CAP_AMBIENT_IS_SET) {
    1264                 :         30 :                         return !!cap_raised(current_cred()->cap_ambient, arg3);
    1265         [ +  - ]:         60 :                 } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
    1266                 :            :                            arg2 != PR_CAP_AMBIENT_LOWER) {
    1267                 :            :                         return -EINVAL;
    1268                 :            :                 } else {
    1269   [ +  -  +  - ]:         60 :                         if (arg2 == PR_CAP_AMBIENT_RAISE &&
    1270   [ +  -  +  - ]:         60 :                             (!cap_raised(current_cred()->cap_permitted, arg3) ||
    1271         [ +  - ]:         60 :                              !cap_raised(current_cred()->cap_inheritable,
    1272         [ +  - ]:         60 :                                          arg3) ||
    1273         [ +  - ]:         60 :                              issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
    1274                 :            :                                 return -EPERM;
    1275                 :            : 
    1276                 :         60 :                         new = prepare_creds();
    1277         [ +  - ]:         60 :                         if (!new)
    1278                 :            :                                 return -ENOMEM;
    1279         [ +  - ]:         60 :                         if (arg2 == PR_CAP_AMBIENT_RAISE)
    1280                 :         60 :                                 cap_raise(new->cap_ambient, arg3);
    1281                 :            :                         else
    1282                 :          0 :                                 cap_lower(new->cap_ambient, arg3);
    1283                 :         60 :                         return commit_creds(new);
    1284                 :            :                 }
    1285                 :            : 
    1286                 :            :         default:
    1287                 :            :                 /* No functionality available - continue with default */
    1288                 :            :                 return -ENOSYS;
    1289                 :            :         }
    1290                 :            : }
    1291                 :            : 
    1292                 :            : /**
    1293                 :            :  * cap_vm_enough_memory - Determine whether a new virtual mapping is permitted
    1294                 :            :  * @mm: The VM space in which the new mapping is to be made
    1295                 :            :  * @pages: The size of the mapping
    1296                 :            :  *
    1297                 :            :  * Determine whether the allocation of a new virtual mapping by the current
    1298                 :            :  * task is permitted, returning 1 if permission is granted, 0 if not.
    1299                 :            :  */
    1300                 :    1538864 : int cap_vm_enough_memory(struct mm_struct *mm, long pages)
    1301                 :            : {
    1302                 :    1538864 :         int cap_sys_admin = 0;
    1303                 :            : 
    1304         [ -  - ]:    1538864 :         if (cap_capable(current_cred(), &init_user_ns,
    1305                 :            :                                 CAP_SYS_ADMIN, CAP_OPT_NOAUDIT) == 0)
    1306                 :    1537184 :                 cap_sys_admin = 1;
    1307                 :            : 
    1308                 :    1538864 :         return cap_sys_admin;
    1309                 :            : }
    1310                 :            : 
    1311                 :            : /*
    1312                 :            :  * cap_mmap_addr - check if able to map given addr
    1313                 :            :  * @addr: address attempting to be mapped
    1314                 :            :  *
    1315                 :            :  * If the process is attempting to map memory below dac_mmap_min_addr they need
    1316                 :            :  * CAP_SYS_RAWIO.  The other parameters to this function are unused by the
    1317                 :            :  * capability security module.  Returns 0 if this mapping should be allowed
    1318                 :            :  * -EPERM if not.
    1319                 :            :  */
    1320                 :    1436772 : int cap_mmap_addr(unsigned long addr)
    1321                 :            : {
    1322                 :    1436772 :         int ret = 0;
    1323                 :            : 
    1324         [ -  + ]:    1436772 :         if (addr < dac_mmap_min_addr) {
    1325                 :          0 :                 ret = cap_capable(current_cred(), &init_user_ns, CAP_SYS_RAWIO,
    1326                 :            :                                   CAP_OPT_NONE);
    1327                 :            :                 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
    1328         [ #  # ]:          0 :                 if (ret == 0)
    1329                 :          0 :                         current->flags |= PF_SUPERPRIV;
    1330                 :            :         }
    1331                 :    1436772 :         return ret;
    1332                 :            : }
    1333                 :            : 
    1334                 :    1283040 : int cap_mmap_file(struct file *file, unsigned long reqprot,
    1335                 :            :                   unsigned long prot, unsigned long flags)
    1336                 :            : {
    1337                 :    1283040 :         return 0;
    1338                 :            : }
    1339                 :            : 
    1340                 :            : #ifdef CONFIG_SECURITY
    1341                 :            : 
    1342                 :            : static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
    1343                 :            :         LSM_HOOK_INIT(capable, cap_capable),
    1344                 :            :         LSM_HOOK_INIT(settime, cap_settime),
    1345                 :            :         LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),
    1346                 :            :         LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
    1347                 :            :         LSM_HOOK_INIT(capget, cap_capget),
    1348                 :            :         LSM_HOOK_INIT(capset, cap_capset),
    1349                 :            :         LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
    1350                 :            :         LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
    1351                 :            :         LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
    1352                 :            :         LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
    1353                 :            :         LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
    1354                 :            :         LSM_HOOK_INIT(mmap_file, cap_mmap_file),
    1355                 :            :         LSM_HOOK_INIT(task_fix_setuid, cap_task_fix_setuid),
    1356                 :            :         LSM_HOOK_INIT(task_prctl, cap_task_prctl),
    1357                 :            :         LSM_HOOK_INIT(task_setscheduler, cap_task_setscheduler),
    1358                 :            :         LSM_HOOK_INIT(task_setioprio, cap_task_setioprio),
    1359                 :            :         LSM_HOOK_INIT(task_setnice, cap_task_setnice),
    1360                 :            :         LSM_HOOK_INIT(vm_enough_memory, cap_vm_enough_memory),
    1361                 :            : };
    1362                 :            : 
    1363                 :         30 : static int __init capability_init(void)
    1364                 :            : {
    1365                 :         30 :         security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
    1366                 :            :                                 "capability");
    1367                 :         30 :         return 0;
    1368                 :            : }
    1369                 :            : 
    1370                 :            : DEFINE_LSM(capability) = {
    1371                 :            :         .name = "capability",
    1372                 :            :         .order = LSM_ORDER_FIRST,
    1373                 :            :         .init = capability_init,
    1374                 :            : };
    1375                 :            : 
    1376                 :            : #endif /* CONFIG_SECURITY */

Generated by: LCOV version 1.14