Quoting Andrew Morgan ([EMAIL PROTECTED]):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Serge,
>
> Here is a more fully formed 64-bit capabilities patch than the one I
> sent you last week. Its still subject to a bunch of testing.
>
> [The patch is against Linus' v2.6.24-rc1 tree.]
Hi Andrew,
thanks for sending this. I assume you've made some changes by now so I
just looked it over rather than testing now. A few comments inline, but
the only fundamental question I'd have is would this in fact become
cleaner using a generic bitmap?
I have no particular attachment to my own implementation, so you want
to keep working with and pushing this one that's fine with me :) Let
me know when you're considering it close to done, and I'll do some
testing on architectures i have available.
My main motivation for this is to request some sort of CAP_NS_OVERRIDE
capability, so it's not urgent, but I would like to be able to ask
for it sometimes this year.
thanks,
-serge
> Cheers
>
> Andrew
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFHJYUfQheEq9QabfIRArD0AJ0adXWTSaOBYWhHfzqUqWzbtilnpACfeLc6
> i2yeS9ECRNhZyrFxXc07YME=
> =LgZV
> -----END PGP SIGNATURE-----
> >From f1e1bab2a71854b4224d3b6f3f3ca187584893e3 Mon Sep 17 00:00:00 2001
> From: Andrew Morgan <[EMAIL PROTECTED]>
> Date: Sun, 28 Oct 2007 23:36:08 -0700
> Subject: [PATCH] This patch adds 64-bit capability support to the kernel.
>
> The patch has supports legacy (32-bit) capability use, and where
> possible translates 32-bit capabilities from userspace and the VFS
> to kernel space.
> ---
> fs/nfsd/auth.c | 8 +-
> fs/proc/array.c | 18 +++--
> include/linux/capability.h | 191
> ++++++++++++++++++++++++++++++--------------
> kernel/capability.c | 81 +++++++++++++++++--
> mm/oom_kill.c | 5 +-
> security/commoncap.c | 92 +++++++++++++--------
> security/dummy.c | 13 ++-
> 7 files changed, 284 insertions(+), 124 deletions(-)
>
> diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
> index 2192805..3504093 100644
> --- a/fs/nfsd/auth.c
> +++ b/fs/nfsd/auth.c
> @@ -11,8 +11,6 @@
> #include <linux/nfsd/nfsd.h>
> #include <linux/nfsd/export.h>
>
> -#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE))
> -
> int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp)
> {
> struct exp_flavor_info *f;
> @@ -69,10 +67,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct
> svc_export *exp)
> ret = set_current_groups(cred.cr_group_info);
> put_group_info(cred.cr_group_info);
> if ((cred.cr_uid)) {
> - cap_t(current->cap_effective) &= ~CAP_NFSD_MASK;
> + cap_drop_nfsd_cap(current->cap_effective);
> } else {
> - cap_t(current->cap_effective) |= (CAP_NFSD_MASK &
> - current->cap_permitted);
> + cap_raise_nfsd_cap(current->cap_effective,
> + current->cap_permitted);
> }
> return ret;
> }
> diff --git a/fs/proc/array.c b/fs/proc/array.c
> index 63c95af..eb9c274 100644
> --- a/fs/proc/array.c
> +++ b/fs/proc/array.c
> @@ -288,12 +288,18 @@ static inline char *task_sig(struct task_struct *p,
> char *buffer)
>
> static inline char *task_cap(struct task_struct *p, char *buffer)
> {
> - return buffer + sprintf(buffer, "CapInh:\t%016x\n"
> - "CapPrm:\t%016x\n"
> - "CapEff:\t%016x\n",
> - cap_t(p->cap_inheritable),
> - cap_t(p->cap_permitted),
> - cap_t(p->cap_effective));
> +#if _LINUX_CAPABILITY_U32S != 2
> +# error The following code expects 64-bit capabilities
> +#endif
> + return buffer + sprintf(buffer, "CapInh:\t%08x%08x\n"
> + "CapPrm:\t%08x%08x\n"
> + "CapEff:\t%08x%08x\n",
> + p->cap_inheritable.cap[1],
> + p->cap_inheritable.cap[0],
> + p->cap_permitted.cap[1],
> + p->cap_permitted.cap[0],
> + p->cap_effective.cap[1],
> + p->cap_effective.cap[0]);
> }
>
> static inline char *task_context_switch_counts(struct task_struct *p,
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index bb017ed..786aaa7 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -29,7 +29,14 @@ struct task_struct;
> library since the draft standard requires the use of malloc/free
> etc.. */
>
> -#define _LINUX_CAPABILITY_VERSION 0x19980330
> +#define _LINUX_CAPABILITY_VERSION_1 0x19980330
> +#define _LINUX_CAPABILITY_U32S_1 1
> +
> +#define _LINUX_CAPABILITY_VERSION_2 0x20071026
> +#define _LINUX_CAPABILITY_U32S_2 2
> +
> +#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2
> +#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2
>
> typedef struct __user_cap_header_struct {
> __u32 version;
> @@ -42,41 +49,42 @@ typedef struct __user_cap_data_struct {
> __u32 inheritable;
> } __user *cap_user_data_t;
>
> +
> #define XATTR_CAPS_SUFFIX "capability"
> #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
>
> -#define XATTR_CAPS_SZ (3*sizeof(__le32))
> #define VFS_CAP_REVISION_MASK 0xFF000000
> +#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
> +#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
> +
> #define VFS_CAP_REVISION_1 0x01000000
> +#define VFS_CAP_U32_1 1
> +#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
>
> -#define VFS_CAP_REVISION VFS_CAP_REVISION_1
> +#define VFS_CAP_REVISION_2 0x02000000
> +#define VFS_CAP_U32_2 2
> +#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
> +
> +#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
> +#define VFS_CAP_U32 VFS_CAP_U32_2
> +#define VFS_CAP_REVISION VFS_CAP_REVISION_2
>
> -#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
> -#define VFS_CAP_FLAGS_EFFECTIVE 0x000001
>
> struct vfs_cap_data {
> - __u32 magic_etc; /* Little endian */
> - __u32 permitted; /* Little endian */
> - __u32 inheritable; /* Little endian */
> + __le32 magic_etc; /* Little endian */
> + struct {
> + __le32 permitted; /* Little endian */
> + __le32 inheritable; /* Little endian */
> + } data[VFS_CAP_U32];
> };
>
> #ifdef __KERNEL__
>
> -/* #define STRICT_CAP_T_TYPECHECKS */
Bold :)
I'm not opposed, but we'll have to do a great deal of testing on
lots of architectures with lots of .configs.
> -
> -#ifdef STRICT_CAP_T_TYPECHECKS
> -
> typedef struct kernel_cap_struct {
> - __u32 cap;
> + __u32 cap[_LINUX_CAPABILITY_U32S];
> } kernel_cap_t;
>
> -#else
> -
> -typedef __u32 kernel_cap_t;
> -
> -#endif
> -
> -#define _USER_CAP_HEADER_SIZE (2*sizeof(__u32))
> +#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
> #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
>
> #endif
> @@ -119,10 +127,6 @@ typedef __u32 kernel_cap_t;
>
> #define CAP_FSETID 4
>
> -/* Used to decide between falling back on the old suser() or fsuser(). */
> -
> -#define CAP_FS_MASK 0x1f
> -
> /* Overrides the restriction that the real or effective user ID of a
> process sending a signal must match the real or effective user ID
> of the process receiving the signal. */
> @@ -145,8 +149,12 @@ typedef __u32 kernel_cap_t;
> ** Linux-specific capabilities
> **/
>
> -/* Transfer any capability in your permitted set to any pid,
> - remove any capability in your permitted set from any pid */
> +/* Without VFS support for capabilities:
> + * Transfer any capability in your permitted set to any pid,
> + * remove any capability in your permitted set from any pid
> + * With VFS support for capabilities (neither of above, but)
> + * Add any capability to the current process' inheritable set
> + */
>
> #define CAP_SETPCAP 8
>
> @@ -313,64 +321,127 @@ typedef __u32 kernel_cap_t;
> * Internal kernel functions only
> */
>
> -#ifdef STRICT_CAP_T_TYPECHECKS
> +#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
> +#define CAP_TO_MASK(x) (1 << ((x) & 31))
What is the purpose of the &31 here?
>
> -#define to_cap_t(x) { x }
> -#define cap_t(x) (x).cap
> +#define CAP_FS_MASK_0 (CAP_TO_MASK(CAP_CHOWN) \
> + |CAP_TO_MASK(CAP_DAC_OVERRIDE) \
> + |CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
> + |CAP_TO_MASK(CAP_FOWNER) \
> + |CAP_TO_MASK(CAP_FSETID))
> +#define CAP_NFSD_MASK_0
> (CAP_FS_MASK_0|CAP_TO_MASK(CAP_SYS_RESOURCE))
>
> -#else
> +#define CAP_FS_MASK_1 0
> +#define CAP_NFSD_MASK_1 CAP_FS_MASK_1
Hmm, calling these _LO and _HI would be clearer now, but of course
throws off your 96-bit plans. But it took me a moment to figure out
what you were doing here especially with the last two lines.
How about CAP_FS_MASK_B0 and CAP_FS_MASK_B1 for block0 and block1?
>
> -#define to_cap_t(x) (x)
> -#define cap_t(x) (x)
> +#if _LINUX_CAPABILITY_U32S != 2
> +# error Fix up hand-coded capability manipulation macros
> +#else /* HAND-CODED capability manipulation macros */
Ok so why not fix it up now, maybe using generic bitmaps like
Chris suggested, and using static inlines in place of the
#defines?
>
> -#endif
> +# define CAP_EMPTY_SET {{ 0, 0 }}
> +# define CAP_FULL_SET {{ ~0, ~0 }}
> +# define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}
> +# define cap_clear(c) do { (c).cap[0] = 0; (c).cap[1] = 0; } while(0)
> +# define cap_set_full(c) do { (c).cap[0] = ~0; (c).cap[1] = ~0; }
> while(0)
> +# define cap_set_init_eff(c) do { (c).cap[0] = ~CAP_TO_MASK(CAP_SETPCAP); \
> + (c).cap[1] = ~0; } while(0)
> +# define cap_isclear(c) ( !((c).cap[0] | (c).cap[1]) )
>
> -#define CAP_EMPTY_SET to_cap_t(0)
> -#define CAP_FULL_SET to_cap_t(~0)
> -#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
> -#define CAP_INIT_INH_SET to_cap_t(0)
> +/* Used to decide between falling back on the old suser() or fsuser(). */
>
> -#define CAP_TO_MASK(x) (1 << (x))
> -#define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag))
> -#define cap_lower(c, flag) (cap_t(c) &= ~CAP_TO_MASK(flag))
> -#define cap_raised(c, flag) (cap_t(c) & CAP_TO_MASK(flag))
> +# define cap_is_fs_cap(flag) \
> +(CAP_TO_MASK(flag) & (CAP_TO_INDEX(flag) ? CAP_FS_MASK_1:CAP_FS_MASK_2))
> +
> +# define cap_raise_non_fs_cap(c,pcaptoo) do {
> \
Egads, pcaptoo? :)
These probably should become inline functions rather than #defines.
> + (c).cap[0] |= ~(CAP_FS_MASK_0|((pcaptoo)?CAP_TO_MASK(CAP_SETPCAP):0));\
> + (c).cap[1] |= ~CAP_FS_MASK_1; \
> +} while (0)
> +
> +# define cap_drop_fs_cap(c) do { \
> + (c).cap[0] &= ~CAP_FS_MASK_0; \
> + (c).cap[1] &= ~CAP_FS_MASK_1; \
> +} while (0)
> +
> +# define cap_raise_fs_cap(c) do { \
> + (c).cap[0] |= CAP_FS_MASK_0; \
> + (c).cap[1] |= CAP_FS_MASK_1; \
> +} while (0)
> +
> +# define cap_raise_permitted_fs_cap(c,p) do { \
> + (c).cap[0] |= (p).cap[0] & CAP_FS_MASK_0; \
> + (c).cap[1] |= (p).cap[1] & CAP_FS_MASK_1; \
> +} while (0)
> +
> +# define cap_drop_nfsd_cap(c) do { \
> + (c).cap[0] &= ~CAP_NFSD_MASK_0; \
> + (c).cap[1] &= ~CAP_NFSD_MASK_1; \
> +} while (0)
> +
> +# define cap_raise_nfsd_cap(c,p) do { \
> + (c).cap[0] |= (p).cap[0] & CAP_NFSD_MASK_0; \
> + (c).cap[1] |= (p).cap[1] & CAP_NFSD_MASK_1; \
> +} while (0)
> +
> +#endif /* _LINUX_CAPABILITY_U32S != 2 */
> +
> +#define CAP_INIT_INH_SET CAP_EMPTY_SET
> +
> +#define cap_raise(c,flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
> +#define cap_lower(c,flag) ((c).cap[CAP_TO_INDEX(flag)] &=
> ~CAP_TO_MASK(flag))
> +#define cap_raised(c,flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
> +
> +#define CAP_BOP_ALL(c, a, b, OP) \
> +do { \
> + int __capi; \
> + for (__capi=0; __capi<_LINUX_CAPABILITY_U32S; ++__capi) { \
> + c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
> + } \
> +} while (0)
> +
> +#define CAP_UOP_ALL(c, a, OP) \
> +do { \
> + int __capi; \
> + for (__capi=0; __capi<_LINUX_CAPABILITY_U32S; ++__capi) { \
> + c.cap[__capi] = OP a.cap[__capi]; \
> + } \
> +} while (0)
>
> static inline kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b)
> {
> - kernel_cap_t dest;
> - cap_t(dest) = cap_t(a) | cap_t(b);
> - return dest;
> + kernel_cap_t dest;
> + CAP_BOP_ALL(dest, a, b, |);
> + return dest;
> }
>
> static inline kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b)
> {
> - kernel_cap_t dest;
> - cap_t(dest) = cap_t(a) & cap_t(b);
> - return dest;
> + kernel_cap_t dest;
> + CAP_BOP_ALL(dest, a, b, &);
> + return dest;
> }
>
> static inline kernel_cap_t cap_drop(kernel_cap_t a, kernel_cap_t drop)
> {
> - kernel_cap_t dest;
> - cap_t(dest) = cap_t(a) & ~cap_t(drop);
> - return dest;
> + kernel_cap_t dest;
> + CAP_BOP_ALL(dest, a, drop, &~);
> + return dest;
> }
>
> static inline kernel_cap_t cap_invert(kernel_cap_t c)
> {
> - kernel_cap_t dest;
> - cap_t(dest) = ~cap_t(c);
> - return dest;
> + kernel_cap_t dest;
> + CAP_UOP_ALL(dest, c, ~);
> + return dest;
> }
>
> -#define cap_isclear(c) (!cap_t(c))
> -#define cap_issubset(a,set) (!(cap_t(a) & ~cap_t(set)))
> -
> -#define cap_clear(c) do { cap_t(c) = 0; } while(0)
> -#define cap_set_full(c) do { cap_t(c) = ~0; } while(0)
> -#define cap_mask(c,mask) do { cap_t(c) &= cap_t(mask); } while(0)
> +static inline int cap_issubset(kernel_cap_t a, kernel_cap_t set)
> +{
> + kernel_cap_t dest;
> + dest = cap_drop(a, set);
> + return cap_isclear(dest);
> +}
>
> -#define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
> +#define cap_mask(c, mask) do { c = cap_intersect(c, mask); } while(0)
>
> int capable(int cap);
> int __capable(struct task_struct *t, int cap);
> diff --git a/kernel/capability.c b/kernel/capability.c
> index efbd9cd..e60b487 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -38,16 +38,31 @@ static DEFINE_SPINLOCK(task_capability_lock);
> */
> asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
> {
> + static int warned = 0;
> int ret = 0;
> pid_t pid;
> __u32 version;
> struct task_struct *target;
> - struct __user_cap_data_struct data;
> + unsigned tocopy;
> + kernel_cap_t pE, pI, pP;
>
> if (get_user(version, &header->version))
> return -EFAULT;
>
> - if (version != _LINUX_CAPABILITY_VERSION) {
> + switch (version) {
> + case _LINUX_CAPABILITY_VERSION_1:
> + if (warned < 5) {
> + warned++;
> + printk(KERN_INFO
> + "warning: process `%s' gets w/ old libcap\n",
> + current->comm);
> + }
> + tocopy = _LINUX_CAPABILITY_U32S_1;
> + break;
> + case _LINUX_CAPABILITY_VERSION_2:
> + tocopy = _LINUX_CAPABILITY_U32S_2;
> + break;
> + default:
> if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
> return -EFAULT;
> return -EINVAL;
> @@ -71,14 +86,34 @@ asmlinkage long sys_capget(cap_user_header_t header,
> cap_user_data_t dataptr)
> } else
> target = current;
>
> - ret = security_capget(target, &data.effective, &data.inheritable,
> &data.permitted);
> + ret = security_capget(target, &pE, &pI, &pP);
>
> out:
> read_unlock(&tasklist_lock);
> spin_unlock(&task_capability_lock);
>
> - if (!ret && copy_to_user(dataptr, &data, sizeof data))
> - return -EFAULT;
> + if (!ret) {
> + struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
> + unsigned i;
> +
> + for (i=0; i<tocopy; i++) {
> + kdata[i].effective = pE.cap[i];
> + kdata[i].permitted = pP.cap[i];
> + kdata[i].inheritable = pP.cap[i];
> + }
> + while (i<_LINUX_CAPABILITY_U32S) {
> + if (pE.cap[i] || pP.cap[i] || pP.cap[i]) {
> + /* Cannot represent w/ legacy structure */
> + return -EINVAL;
> + }
> + i++;
> + }
> +
> + if (copy_to_user(dataptr, kdata, tocopy
> + * sizeof(struct __user_cap_data_struct))) {
> + return -EFAULT;
> + }
> + }
The function definately needs to be reworked to clean up the flow
at this point, but it looks correct. In my own version I got it
wrong at least twice before it worked :)
>
> return ret;
> }
> @@ -167,6 +202,9 @@ static inline int cap_set_all(kernel_cap_t *effective,
> */
> asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t
> data)
> {
> + static int warned = 0;
> + struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S];
> + unsigned i, tocopy;
> kernel_cap_t inheritable, permitted, effective;
> __u32 version;
> struct task_struct *target;
> @@ -176,7 +214,20 @@ asmlinkage long sys_capset(cap_user_header_t header,
> const cap_user_data_t data)
> if (get_user(version, &header->version))
> return -EFAULT;
>
> - if (version != _LINUX_CAPABILITY_VERSION) {
> + switch (version) {
> + case _LINUX_CAPABILITY_VERSION_1:
> + if (warned < 5) {
> + warned++;
> + printk(KERN_INFO
> + "warning: process `%s' sets w/ old libcap\n",
> + current->comm);
> + }
> + tocopy = _LINUX_CAPABILITY_U32S_1;
> + break;
> + case _LINUX_CAPABILITY_VERSION_2:
> + tocopy = _LINUX_CAPABILITY_U32S_2;
> + break;
> + default:
> if (put_user(_LINUX_CAPABILITY_VERSION, &header->version))
> return -EFAULT;
> return -EINVAL;
> @@ -188,10 +239,22 @@ asmlinkage long sys_capset(cap_user_header_t header,
> const cap_user_data_t data)
> if (pid && pid != task_pid_vnr(current) && !capable(CAP_SETPCAP))
> return -EPERM;
>
> - if (copy_from_user(&effective, &data->effective, sizeof(effective)) ||
> - copy_from_user(&inheritable, &data->inheritable,
> sizeof(inheritable)) ||
> - copy_from_user(&permitted, &data->permitted, sizeof(permitted)))
> + if (copy_from_user(&kdata, data, tocopy
> + * sizeof(struct __user_cap_data_struct))) {
> return -EFAULT;
> + }
> +
> + for (i=0; i<tocopy; i++) {
> + effective.cap[i] = kdata[i].effective;
> + permitted.cap[i] = kdata[i].permitted;
> + inheritable.cap[i] = kdata[i].inheritable;
> + }
> + while (i<_LINUX_CAPABILITY_U32S) {
> + effective.cap[i] = 0;
> + permitted.cap[i] = 0;
> + inheritable.cap[i] = 0;
> + i++;
> + }
>
> spin_lock(&task_capability_lock);
> read_lock(&tasklist_lock);
> diff --git a/mm/oom_kill.c b/mm/oom_kill.c
> index 91a081a..8791c26 100644
> --- a/mm/oom_kill.c
> +++ b/mm/oom_kill.c
> @@ -125,8 +125,7 @@ unsigned long badness(struct task_struct *p, unsigned
> long uptime)
> * Superuser processes are usually more important, so we make it
> * less likely that we kill those.
> */
> - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
> - p->uid == 0 || p->euid == 0)
> + if (__capable(p, CAP_SYS_ADMIN) || p->uid == 0 || p->euid == 0)
> points /= 4;
>
> /*
> @@ -135,7 +134,7 @@ unsigned long badness(struct task_struct *p, unsigned
> long uptime)
> * tend to only have this flag set on applications they think
> * of as important.
> */
> - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
> + if (__capable(p, CAP_SYS_RAWIO))
> points /= 4;
>
> /*
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bf67871..b97da15 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -1,4 +1,4 @@
> -/* Common capabilities, needed by capability.o and root_plug.o
> +/* Common capabilities, needed by capability.o and root_plug.o
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License as published by
> @@ -87,9 +87,9 @@ int cap_capget (struct task_struct *target, kernel_cap_t
> *effective,
> kernel_cap_t *inheritable, kernel_cap_t *permitted)
> {
> /* Derived from kernel/capability.c:sys_capget. */
> - *effective = cap_t (target->cap_effective);
> - *inheritable = cap_t (target->cap_inheritable);
> - *permitted = cap_t (target->cap_permitted);
> + *effective = target->cap_effective;
> + *inheritable = target->cap_inheritable;
> + *permitted = target->cap_permitted;
> return 0;
> }
>
> @@ -191,28 +191,51 @@ int cap_inode_killpriv(struct dentry *dentry)
> }
>
> static inline int cap_from_disk(struct vfs_cap_data *caps,
> - struct linux_binprm *bprm,
> - int size)
> + struct linux_binprm *bprm, unsigned size)
> {
> __u32 magic_etc;
> + unsigned tocopy, i;
>
> - if (size != XATTR_CAPS_SZ)
> + if (size < sizeof(magic_etc)) {
> return -EINVAL;
> + }
>
> - magic_etc = le32_to_cpu(caps->magic_etc);
> + magic_etc = le32_to_cpu(caps.magic_etc);
>
> switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
> - case VFS_CAP_REVISION:
> - if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
> - bprm->cap_effective = true;
> - else
> - bprm->cap_effective = false;
> - bprm->cap_permitted = to_cap_t(le32_to_cpu(caps->permitted));
> - bprm->cap_inheritable =
> to_cap_t(le32_to_cpu(caps->inheritable));
> - return 0;
> + case VFS_CAP_REVISION_1:
> + if (size != XATTR_CAPS_SZ_1) {
> + return -EINVAL;
> + }
> + tocopy = VFS_CAP_U32_1;
> + break;
> + case VFS_CAP_REVISION_2:
> + if (size != XATTR_CAPS_SZ_2) {
> + return -EINVAL;
> + }
> + tocopy = VFS_CAP_U32_2;
> + break;
> default:
> return -EINVAL;
> }
> +
> + if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) {
> + bprm->cap_effective = true;
> + } else {
> + bprm->cap_effective = false;
> + }
> +
> + for (i=0; i<tocopy; ++i) {
> + bprm->cap_permitted[i] = le32_to_cpu(caps.data[i].permitted);
> + bprm->cap_inheritable[i] =
> + le32_to_cpu(caps.data[i].inheritable);
> + }
> + for (i=tocopy; i<VFS_CAP_U32; ++i) {
> + bprm->cap_permitted[i] = 0;
> + bprm->cap_inheritable[i] = 0;
> + }
> +
> + return 0;
> }
>
> /* Locate any VFS capabilities: */
> @@ -220,7 +243,7 @@ static int get_file_caps(struct linux_binprm *bprm)
> {
> struct dentry *dentry;
> int rc = 0;
> - struct vfs_cap_data incaps;
> + struct vfs_cap_data vcaps;
> struct inode *inode;
>
> if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
> @@ -233,14 +256,8 @@ static int get_file_caps(struct linux_binprm *bprm)
> if (!inode->i_op || !inode->i_op->getxattr)
> goto out;
>
> - rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, NULL, 0);
> - if (rc > 0) {
> - if (rc == XATTR_CAPS_SZ)
> - rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS,
> - &incaps, XATTR_CAPS_SZ);
> - else
> - rc = -EINVAL;
> - }
> + rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &vcaps,
> + XATTR_CAPS_SZ);
> if (rc == -ENODATA || rc == -EOPNOTSUPP) {
> /* no data, that's ok */
> rc = 0;
> @@ -249,7 +266,7 @@ static int get_file_caps(struct linux_binprm *bprm)
> if (rc < 0)
> goto out;
>
> - rc = cap_from_disk(&incaps, bprm, rc);
> + rc = cap_from_disk(vcaps, bprm, rc);
> if (rc)
> printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
> __FUNCTION__, rc, bprm->filename);
> @@ -344,8 +361,11 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm,
> int unsafe)
> * capability rules */
> if (!is_global_init(current)) {
> current->cap_permitted = new_permitted;
> - current->cap_effective = bprm->cap_effective ?
> - new_permitted : 0;
> + if (bprm->cap_effective) {
> + current->cap_effective = new_permitted;
> + } else {
> + cap_clear(current->cap_effective);
> + }
> }
>
> /* AUD: Audit candidate if current->cap_effective is set */
> @@ -467,13 +487,13 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t
> old_euid, uid_t old_suid,
>
> if (!issecure (SECURE_NO_SETUID_FIXUP)) {
> if (old_fsuid == 0 && current->fsuid != 0) {
> - cap_t (current->cap_effective) &=
> - ~CAP_FS_MASK;
> + cap_drop_fs_cap(
> + current->cap_effective);
> }
> if (old_fsuid != 0 && current->fsuid == 0) {
> - cap_t (current->cap_effective) |=
> - (cap_t (current->cap_permitted) &
> - CAP_FS_MASK);
> + cap_raise_permitted_fs_cap(
> + current->cap_effective,
> + current->cap_permitted);
> }
> }
> break;
> @@ -564,9 +584,9 @@ int cap_task_kill(struct task_struct *p, struct siginfo
> *info,
>
> void cap_task_reparent_to_init (struct task_struct *p)
> {
> - p->cap_effective = CAP_INIT_EFF_SET;
> - p->cap_inheritable = CAP_INIT_INH_SET;
> - p->cap_permitted = CAP_FULL_SET;
> + cap_set_init_eff(p->cap_effective);
> + cap_clear(p->cap_inheritable);
> + cap_set_full(p->cap_permitted);
> p->keep_capabilities = 0;
> return;
> }
> diff --git a/security/dummy.c b/security/dummy.c
> index 6d895ad..e55069c 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -36,14 +36,17 @@ static int dummy_ptrace (struct task_struct *parent,
> struct task_struct *child)
> static int dummy_capget (struct task_struct *target, kernel_cap_t *
> effective,
> kernel_cap_t * inheritable, kernel_cap_t * permitted)
> {
> - *effective = *inheritable = *permitted = 0;
> + cap_clear(*effective);
> + cap_clear(*inheritable);
> + cap_clear(*permitted);
> +
> if (target->euid == 0) {
> - *permitted |= (~0 & ~CAP_FS_MASK);
> - *effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK);
> + cap_raise_non_fs_cap(*permitted, 1);
> + cap_raise_non_fs_cap(*effective, 0);
1 and 0 need to be replaced with understandable #defines, maybe
WITH_PCAP and WITHOUT_PCAP.
> }
> if (target->fsuid == 0) {
> - *permitted |= CAP_FS_MASK;
> - *effective |= CAP_FS_MASK;
> + cap_raise_fs_cap(*permitted);
> + cap_raise_fs_cap(*effective);
> }
> return 0;
> }
> --
> 1.5.1.3
>
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
