From bcca19a055cbdb0d67985ac08fef491f6d4bb42b Mon Sep 17 00:00:00 2001 From: Maciej Wereski Date: Wed, 15 Jan 2014 16:15:00 +0100 Subject: Imported Upstream version 2.24 --- CHANGELOG | 10 +- Make.Rules | 11 +- Makefile | 7 +- README | 1 + libcap/Makefile | 16 +- libcap/cap_alloc.c | 2 +- libcap/cap_extint.c | 10 +- libcap/cap_file.c | 4 +- libcap/include/linux/capability.h | 576 --------------------------------- libcap/include/linux/prctl.h | 105 ------ libcap/include/linux/securebits.h | 54 ---- libcap/include/sys/capability.h | 4 +- libcap/include/uapi/linux/capability.h | 358 ++++++++++++++++++++ libcap/include/uapi/linux/prctl.h | 152 +++++++++ libcap/include/uapi/linux/securebits.h | 51 +++ libcap/libcap.h | 13 +- libcap/libcap.pc.in | 11 + pam_cap/capability.conf | 2 +- pgp.keys.asc | 138 +++++++- progs/capsh.c | 3 +- progs/quicktest.sh | 44 +-- progs/setcap.c | 27 +- 22 files changed, 811 insertions(+), 788 deletions(-) delete mode 100644 libcap/include/linux/capability.h delete mode 100644 libcap/include/linux/prctl.h delete mode 100644 libcap/include/linux/securebits.h create mode 100644 libcap/include/uapi/linux/capability.h create mode 100644 libcap/include/uapi/linux/prctl.h create mode 100644 libcap/include/uapi/linux/securebits.h create mode 100644 libcap/libcap.pc.in diff --git a/CHANGELOG b/CHANGELOG index a945be4..70e5faf 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,8 +4,14 @@ For release notes and other info pointers: See GIT repository for detailed source history - http://git.kernel.org/?p=libs/libcap/libcap.git;a=summary + https://git.kernel.org/cgit/linux/kernel/git/morgan/libcap.git/ Or simply download the source: - git clone git://git.kernel.org/pub/scm/libs/libcap/libcap.git + git clone git://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git + +The license for this library is here: + + https://git.kernel.org/cgit/linux/kernel/git/morgan/libcap.git/tree/License + +please submit patches compatible with this to morgan at kernel.org. diff --git a/Make.Rules b/Make.Rules index 8393738..ec1c474 100644 --- a/Make.Rules +++ b/Make.Rules @@ -7,13 +7,13 @@ FAKEROOT=$(DESTDIR) # Autoconf-style prefixes are activated when $(prefix) is defined. -# Otherwise binaries and libraraies are installed in /{lib,sbin}/, +# Otherwise binaries and libraries are installed in /{lib,sbin}/, # header files in /usr/include/ and documentation in /usr/man/man?/. # These choices are motivated by the fact that getcap and setcap are # administrative operations that could be needed to recover a system. ifndef lib -lib=$(shell ldd /usr/bin/ld|fgrep ld-linux|cut -d/ -f2) +lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2) endif ifdef prefix @@ -35,17 +35,18 @@ MANDIR=$(FAKEROOT)$(man_prefix)/man SBINDIR=$(FAKEROOT)$(exec_prefix)/sbin INCDIR=$(FAKEROOT)$(inc_prefix)/include LIBDIR=$(FAKEROOT)$(lib_prefix)/$(lib) +PKGCONFIGDIR=$(FAKEROOT)$(prefix)/$(lib)/pkgconfig # common defines for libcap LIBTITLE=libcap VERSION=2 -MINOR=22 +MINOR=24 # # Compilation specifics -KERNEL_HEADERS := $(topdir)/libcap/include -IPATH += -fPIC -I$(topdir)/libcap/include -I$(KERNEL_HEADERS) +KERNEL_HEADERS := $(topdir)/libcap/include/uapi +IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include CC := gcc CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 diff --git a/Makefile b/Makefile index b0a8727..124d10d 100644 --- a/Makefile +++ b/Makefile @@ -27,8 +27,11 @@ distclean: clean $(DISTCLEAN) release: distclean - cd .. && ln -s libcap libcap-$(VERSION).$(MINOR) && tar cvfz libcap-$(VERSION).$(MINOR).tar.gz libcap-$(VERSION).$(MINOR)/* && rm libcap-$(VERSION).$(MINOR) + cd .. && ln -s libcap libcap-$(VERSION).$(MINOR) && tar cvf libcap-$(VERSION).$(MINOR).tar libcap-$(VERSION).$(MINOR)/* && rm libcap-$(VERSION).$(MINOR) + cd .. && gpg -sba -u E2CCF3F4 libcap-$(VERSION).$(MINOR).tar tagrelease: distclean - git tag -s libcap-$(VERSION).$(MINOR) + @echo "sign the tag twice: older DSA key; and newer RSA kernel.org key" + git tag -u D41A6DF2 -s libcap-$(VERSION).$(MINOR) + git tag -u E2CCF3F4 -s libcap-korg-$(VERSION).$(MINOR) make release diff --git a/README b/README index b4740f0..7356eac 100644 --- a/README +++ b/README @@ -20,6 +20,7 @@ More information on capabilities in the Linux kernel can be found at installs the library libcap.XX.Y in /lib[64]/ the binaries in /sbin/ the file in /usr/include + the libcap.pc file in /usr/lib[64]/pkgconfig * for some example programs look in progs. diff --git a/libcap/Makefile b/libcap/Makefile index 4762c60..20ab00f 100644 --- a/libcap/Makefile +++ b/libcap/Makefile @@ -17,6 +17,7 @@ FILES=cap_alloc cap_proc cap_extint cap_flag cap_text ifeq ($(LIBATTR),yes) FILES += cap_file LDFLAGS += -lattr +DEPS = -lattr endif INCLS=libcap.h cap_names.h $(INCS) @@ -25,13 +26,22 @@ MAJLIBNAME=$(LIBNAME).$(VERSION) MINLIBNAME=$(MAJLIBNAME).$(MINOR) GPERF_OUTPUT = _caps_output.gperf -all: $(MINLIBNAME) $(STALIBNAME) +all: $(MINLIBNAME) $(STALIBNAME) libcap.pc ifeq ($(shell gperf --version > /dev/null 2>&1 && echo yes),yes) USE_GPERF_OUTPUT = $(GPERF_OUTPUT) INCLUDE_GPERF_OUTPUT = -include $(GPERF_OUTPUT) endif +libcap.pc: libcap.pc.in + sed -e 's,@prefix@,$(prefix),' \ + -e 's,@exec_prefix@,$(exec_prefix),' \ + -e 's,@libdir@,$(lib_prefix)/$(lib),' \ + -e 's,@includedir@,$(inc_prefix)/include,' \ + -e 's,@VERSION@,$(VERSION).$(MINOR),' \ + -e 's,@deps@,$(DEPS),' \ + $< >$@ + _makenames: _makenames.c cap_names.list.h $(BUILD_CC) $(BUILD_CFLAGS) $< -o $@ @@ -71,9 +81,11 @@ install: all ifeq ($(FAKEROOT),) -/sbin/ldconfig endif + mkdir -p -m 0755 $(PKGCONFIGDIR) + install -m 0644 libcap.pc $(PKGCONFIGDIR)/libcap.pc clean: $(LOCALCLEAN) - rm -f $(OBJS) $(LIBNAME)* $(STALIBNAME) + rm -f $(OBJS) $(LIBNAME)* $(STALIBNAME) libcap.pc rm -f cap_names.h cap_names.list.h _makenames $(GPERF_OUTPUT) cd include/sys && $(LOCALCLEAN) diff --git a/libcap/cap_alloc.c b/libcap/cap_alloc.c index 5fa5e93..525ea90 100644 --- a/libcap/cap_alloc.c +++ b/libcap/cap_alloc.c @@ -125,7 +125,7 @@ int cap_free(void *data_p) } if ( good_cap_string(data_p) ) { - int length = strlen(data_p) + sizeof(__u32); + size_t length = strlen(data_p) + sizeof(__u32); data_p = -1 + (__u32 *) data_p; memset(data_p, 0, length); free(data_p); diff --git a/libcap/cap_extint.c b/libcap/cap_extint.c index 5a0cc8e..7d6e7ad 100644 --- a/libcap/cap_extint.c +++ b/libcap/cap_extint.c @@ -31,7 +31,7 @@ struct cap_ext_struct { ssize_t cap_size(cap_t caps) { - return sizeof(struct cap_ext_struct); + return ssizeof(struct cap_ext_struct); } /* @@ -46,7 +46,7 @@ ssize_t cap_copy_ext(void *cap_ext, cap_t cap_d, ssize_t length) int i; /* valid arguments? */ - if (!good_cap_t(cap_d) || length < sizeof(struct cap_ext_struct) + if (!good_cap_t(cap_d) || length < ssizeof(struct cap_ext_struct) || cap_ext == NULL) { errno = EINVAL; return -1; @@ -57,7 +57,7 @@ ssize_t cap_copy_ext(void *cap_ext, cap_t cap_d, ssize_t length) result->length_of_capset = CAP_SET_SIZE; for (i=0; ilength_of_capset; for (set=0; set - * - * Andrew G. Morgan - * Alexander Kjeldaas - * with help from Aleph1, Roland Buresund and Andrew Main. - * - * See here for the libcap library ("POSIX draft" compliance): - * - * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ - */ - -#ifndef _LINUX_CAPABILITY_H -#define _LINUX_CAPABILITY_H - -#include - -struct task_struct; - -/* User-level do most of the mapping between kernel and user - capabilities based on the version tag given by the kernel. The - kernel might be somewhat backwards compatible, but don't bet on - it. */ - -/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to - a set of three capability sets. The transposition of 3*the - following structure to such a composite is better handled in a user - library since the draft standard requires the use of malloc/free - etc.. */ - -#define _LINUX_CAPABILITY_VERSION_1 0x19980330 -#define _LINUX_CAPABILITY_U32S_1 1 - -#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ -#define _LINUX_CAPABILITY_U32S_2 2 - -#define _LINUX_CAPABILITY_VERSION_3 0x20080522 -#define _LINUX_CAPABILITY_U32S_3 2 - -typedef struct __user_cap_header_struct { - __u32 version; - int pid; -} __user *cap_user_header_t; - -typedef struct __user_cap_data_struct { - __u32 effective; - __u32 permitted; - __u32 inheritable; -} __user *cap_user_data_t; - - -#define XATTR_CAPS_SUFFIX "capability" -#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX - -#define VFS_CAP_REVISION_MASK 0xFF000000 -#define VFS_CAP_REVISION_SHIFT 24 -#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK -#define VFS_CAP_FLAGS_EFFECTIVE 0x000001 - -#define VFS_CAP_REVISION_1 0x01000000 -#define VFS_CAP_U32_1 1 -#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) - -#define VFS_CAP_REVISION_2 0x02000000 -#define VFS_CAP_U32_2 2 -#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) - -#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 -#define VFS_CAP_U32 VFS_CAP_U32_2 -#define VFS_CAP_REVISION VFS_CAP_REVISION_2 - -struct vfs_cap_data { - __le32 magic_etc; /* Little endian */ - struct { - __le32 permitted; /* Little endian */ - __le32 inheritable; /* Little endian */ - } data[VFS_CAP_U32]; -}; - -#ifndef __KERNEL__ - -/* - * Backwardly compatible definition for source code - trapped in a - * 32-bit world. If you find you need this, please consider using - * libcap to untrap yourself... - */ -#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 -#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 - -#else - -#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 -#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 - -extern int file_caps_enabled; - -typedef struct kernel_cap_struct { - __u32 cap[_KERNEL_CAPABILITY_U32S]; -} kernel_cap_t; - -/* exact same as vfs_cap_data but in cpu endian and always filled completely */ -struct cpu_vfs_cap_data { - __u32 magic_etc; - kernel_cap_t permitted; - kernel_cap_t inheritable; -}; - -#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) -#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) - -#endif - - -/** - ** POSIX-draft defined capabilities. - **/ - -/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this - overrides the restriction of changing file ownership and group - ownership. */ - -#define CAP_CHOWN 0 - -/* Override all DAC access, including ACL execute access if - [_POSIX_ACL] is defined. Excluding DAC access covered by - CAP_LINUX_IMMUTABLE. */ - -#define CAP_DAC_OVERRIDE 1 - -/* Overrides all DAC restrictions regarding read and search on files - and directories, including ACL restrictions if [_POSIX_ACL] is - defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ - -#define CAP_DAC_READ_SEARCH 2 - -/* Overrides all restrictions about allowed operations on files, where - file owner ID must be equal to the user ID, except where CAP_FSETID - is applicable. It doesn't override MAC and DAC restrictions. */ - -#define CAP_FOWNER 3 - -/* Overrides the following restrictions that the effective user ID - shall match the file owner ID when setting the S_ISUID and S_ISGID - bits on that file; that the effective group ID (or one of the - supplementary group IDs) shall match the file owner ID when setting - the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are - cleared on successful return from chown(2) (not implemented). */ - -#define CAP_FSETID 4 - -/* Overrides the restriction that the real or effective user ID of a - process sending a signal must match the real or effective user ID - of the process receiving the signal. */ - -#define CAP_KILL 5 - -/* Allows setgid(2) manipulation */ -/* Allows setgroups(2) */ -/* Allows forged gids on socket credentials passing. */ - -#define CAP_SETGID 6 - -/* Allows set*uid(2) manipulation (including fsuid). */ -/* Allows forged pids on socket credentials passing. */ - -#define CAP_SETUID 7 - - -/** - ** Linux-specific capabilities - **/ - -/* Without VFS support for capabilities: - * Transfer any capability in your permitted set to any pid, - * remove any capability in your permitted set from any pid - * With VFS support for capabilities (neither of above, but) - * Add any capability from current's capability bounding set - * to the current process' inheritable set - * Allow taking bits out of capability bounding set - * Allow modification of the securebits for a process - */ - -#define CAP_SETPCAP 8 - -/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ - -#define CAP_LINUX_IMMUTABLE 9 - -/* Allows binding to TCP/UDP sockets below 1024 */ -/* Allows binding to ATM VCIs below 32 */ - -#define CAP_NET_BIND_SERVICE 10 - -/* Allow broadcasting, listen to multicast */ - -#define CAP_NET_BROADCAST 11 - -/* Allow interface configuration */ -/* Allow administration of IP firewall, masquerading and accounting */ -/* Allow setting debug option on sockets */ -/* Allow modification of routing tables */ -/* Allow setting arbitrary process / process group ownership on - sockets */ -/* Allow binding to any address for transparent proxying */ -/* Allow setting TOS (type of service) */ -/* Allow setting promiscuous mode */ -/* Allow clearing driver statistics */ -/* Allow multicasting */ -/* Allow read/write of device-specific registers */ -/* Allow activation of ATM control sockets */ - -#define CAP_NET_ADMIN 12 - -/* Allow use of RAW sockets */ -/* Allow use of PACKET sockets */ - -#define CAP_NET_RAW 13 - -/* Allow locking of shared memory segments */ -/* Allow mlock and mlockall (which doesn't really have anything to do - with IPC) */ - -#define CAP_IPC_LOCK 14 - -/* Override IPC ownership checks */ - -#define CAP_IPC_OWNER 15 - -/* Insert and remove kernel modules - modify kernel without limit */ -#define CAP_SYS_MODULE 16 - -/* Allow ioperm/iopl access */ -/* Allow sending USB messages to any device via /proc/bus/usb */ - -#define CAP_SYS_RAWIO 17 - -/* Allow use of chroot() */ - -#define CAP_SYS_CHROOT 18 - -/* Allow ptrace() of any process */ - -#define CAP_SYS_PTRACE 19 - -/* Allow configuration of process accounting */ - -#define CAP_SYS_PACCT 20 - -/* Allow configuration of the secure attention key */ -/* Allow administration of the random device */ -/* Allow examination and configuration of disk quotas */ -/* Allow configuring the kernel's syslog (printk behaviour) */ -/* Allow setting the domainname */ -/* Allow setting the hostname */ -/* Allow calling bdflush() */ -/* Allow mount() and umount(), setting up new smb connection */ -/* Allow some autofs root ioctls */ -/* Allow nfsservctl */ -/* Allow VM86_REQUEST_IRQ */ -/* Allow to read/write pci config on alpha */ -/* Allow irix_prctl on mips (setstacksize) */ -/* Allow flushing all cache on m68k (sys_cacheflush) */ -/* Allow removing semaphores */ -/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores - and shared memory */ -/* Allow locking/unlocking of shared memory segment */ -/* Allow turning swap on/off */ -/* Allow forged pids on socket credentials passing */ -/* Allow setting readahead and flushing buffers on block devices */ -/* Allow setting geometry in floppy driver */ -/* Allow turning DMA on/off in xd driver */ -/* Allow administration of md devices (mostly the above, but some - extra ioctls) */ -/* Allow tuning the ide driver */ -/* Allow access to the nvram device */ -/* Allow administration of apm_bios, serial and bttv (TV) device */ -/* Allow manufacturer commands in isdn CAPI support driver */ -/* Allow reading non-standardized portions of pci configuration space */ -/* Allow DDI debug ioctl on sbpcd driver */ -/* Allow setting up serial ports */ -/* Allow sending raw qic-117 commands */ -/* Allow enabling/disabling tagged queuing on SCSI controllers and sending - arbitrary SCSI commands */ -/* Allow setting encryption key on loopback filesystem */ -/* Allow setting zone reclaim policy */ - -#define CAP_SYS_ADMIN 21 - -/* Allow use of reboot() */ - -#define CAP_SYS_BOOT 22 - -/* Allow raising priority and setting priority on other (different - UID) processes */ -/* Allow use of FIFO and round-robin (realtime) scheduling on own - processes and setting the scheduling algorithm used by another - process. */ -/* Allow setting cpu affinity on other processes */ - -#define CAP_SYS_NICE 23 - -/* Override resource limits. Set resource limits. */ -/* Override quota limits. */ -/* Override reserved space on ext2 filesystem */ -/* Modify data journaling mode on ext3 filesystem (uses journaling - resources) */ -/* NOTE: ext2 honors fsuid when checking for resource overrides, so - you can override using fsuid too */ -/* Override size restrictions on IPC message queues */ -/* Allow more than 64hz interrupts from the real-time clock */ -/* Override max number of consoles on console allocation */ -/* Override max number of keymaps */ - -#define CAP_SYS_RESOURCE 24 - -/* Allow manipulation of system clock */ -/* Allow irix_stime on mips */ -/* Allow setting the real-time clock */ - -#define CAP_SYS_TIME 25 - -/* Allow configuration of tty devices */ -/* Allow vhangup() of tty */ - -#define CAP_SYS_TTY_CONFIG 26 - -/* Allow the privileged aspects of mknod() */ - -#define CAP_MKNOD 27 - -/* Allow taking of leases on files */ - -#define CAP_LEASE 28 - -#define CAP_AUDIT_WRITE 29 - -#define CAP_AUDIT_CONTROL 30 - -#define CAP_SETFCAP 31 - -/* Override MAC access. - The base kernel enforces no MAC policy. - An LSM may enforce a MAC policy, and if it does and it chooses - to implement capability based overrides of that policy, this is - the capability it should use to do so. */ - -#define CAP_MAC_OVERRIDE 32 - -/* Allow MAC configuration or state changes. - The base kernel requires no MAC configuration. - An LSM may enforce a MAC policy, and if it does and it chooses - to implement capability based checks on modifications to that - policy or the data required to maintain it, this is the - capability it should use to do so. */ - -#define CAP_MAC_ADMIN 33 - - -/* Privileged syslog operations currently require CAP_SYSLOG. - CAP_SYS_ADMIN is not acceptable anymore. */ -#define CAP_SYSLOG 34 - -#define CAP_LAST_CAP CAP_SYSLOG - -#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) - -/* - * Bit location of each capability (used by user-space library and kernel) - */ - -#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ -#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ - -#ifdef __KERNEL__ - -/* - * Internal kernel functions only - */ - -#define CAP_FOR_EACH_U32(__capi) \ - for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi) - -/* - * CAP_FS_MASK and CAP_NFSD_MASKS: - * - * The fs mask is all the privileges that fsuid==0 historically meant. - * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. - * - * It has never meant setting security.* and trusted.* xattrs. - * - * We could also define fsmask as follows: - * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions - * 2. The security.* and trusted.* xattrs are fs-related MAC permissions - */ - -# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \ - | CAP_TO_MASK(CAP_MKNOD) \ - | CAP_TO_MASK(CAP_DAC_OVERRIDE) \ - | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \ - | CAP_TO_MASK(CAP_FOWNER) \ - | CAP_TO_MASK(CAP_FSETID)) - -# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) - -#if _KERNEL_CAPABILITY_U32S != 2 -# error Fix up hand-coded capability macro initializers -#else /* HAND-CODED capability initializers */ - -# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) -# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) -# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}) -# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ - | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \ - CAP_FS_MASK_B1 } }) -# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \ - | CAP_TO_MASK(CAP_SYS_RESOURCE), \ - CAP_FS_MASK_B1 } }) - -#endif /* _KERNEL_CAPABILITY_U32S != 2 */ - -#define CAP_INIT_INH_SET CAP_EMPTY_SET - -# define cap_clear(c) do { (c) = __cap_empty_set; } while (0) -# define cap_set_full(c) do { (c) = __cap_full_set; } while (0) -# define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0) - -#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag)) -#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag)) -#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag)) - -#define CAP_BOP_ALL(c, a, b, OP) \ -do { \ - unsigned __capi; \ - CAP_FOR_EACH_U32(__capi) { \ - c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \ - } \ -} while (0) - -#define CAP_UOP_ALL(c, a, OP) \ -do { \ - unsigned __capi; \ - CAP_FOR_EACH_U32(__capi) { \ - c.cap[__capi] = OP a.cap[__capi]; \ - } \ -} while (0) - -static inline kernel_cap_t cap_combine(const kernel_cap_t a, - const kernel_cap_t b) -{ - kernel_cap_t dest; - CAP_BOP_ALL(dest, a, b, |); - return dest; -} - -static inline kernel_cap_t cap_intersect(const kernel_cap_t a, - const kernel_cap_t b) -{ - kernel_cap_t dest; - CAP_BOP_ALL(dest, a, b, &); - return dest; -} - -static inline kernel_cap_t cap_drop(const kernel_cap_t a, - const kernel_cap_t drop) -{ - kernel_cap_t dest; - CAP_BOP_ALL(dest, a, drop, &~); - return dest; -} - -static inline kernel_cap_t cap_invert(const kernel_cap_t c) -{ - kernel_cap_t dest; - CAP_UOP_ALL(dest, c, ~); - return dest; -} - -static inline int cap_isclear(const kernel_cap_t a) -{ - unsigned __capi; - CAP_FOR_EACH_U32(__capi) { - if (a.cap[__capi] != 0) - return 0; - } - return 1; -} - -/* - * Check if "a" is a subset of "set". - * return 1 if ALL of the capabilities in "a" are also in "set" - * cap_issubset(0101, 1111) will return 1 - * return 0 if ANY of the capabilities in "a" are not in "set" - * cap_issubset(1111, 0101) will return 0 - */ -static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set) -{ - kernel_cap_t dest; - dest = cap_drop(a, set); - return cap_isclear(dest); -} - -/* Used to decide between falling back on the old suser() or fsuser(). */ - -static inline int cap_is_fs_cap(int cap) -{ - const kernel_cap_t __cap_fs_set = CAP_FS_SET; - return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]); -} - -static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) -{ - const kernel_cap_t __cap_fs_set = CAP_FS_SET; - return cap_drop(a, __cap_fs_set); -} - -static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, - const kernel_cap_t permitted) -{ - const kernel_cap_t __cap_fs_set = CAP_FS_SET; - return cap_combine(a, - cap_intersect(permitted, __cap_fs_set)); -} - -static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) -{ - const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; - return cap_drop(a, __cap_fs_set); -} - -static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, - const kernel_cap_t permitted) -{ - const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; - return cap_combine(a, - cap_intersect(permitted, __cap_nfsd_set)); -} - -extern const kernel_cap_t __cap_empty_set; -extern const kernel_cap_t __cap_full_set; -extern const kernel_cap_t __cap_init_eff_set; - -/** - * has_capability - Determine if a task has a superior capability available - * @t: The task in question - * @cap: The capability to be tested for - * - * Return true if the specified task has the given superior capability - * currently in effect, false if not. - * - * Note that this does not set PF_SUPERPRIV on the task. - */ -#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0) - -/** - * has_capability_noaudit - Determine if a task has a superior capability available (unaudited) - * @t: The task in question - * @cap: The capability to be tested for - * - * Return true if the specified task has the given superior capability - * currently in effect, false if not, but don't write an audit message for the - * check. - * - * Note that this does not set PF_SUPERPRIV on the task. - */ -#define has_capability_noaudit(t, cap) \ - (security_real_capable_noaudit((t), (cap)) == 0) - -extern int capable(int cap); - -/* audit system wants to get cap info from files as well */ -struct dentry; -extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); - -#endif /* __KERNEL__ */ - -#endif /* !_LINUX_CAPABILITY_H */ diff --git a/libcap/include/linux/prctl.h b/libcap/include/linux/prctl.h deleted file mode 100644 index a3baeb2..0000000 --- a/libcap/include/linux/prctl.h +++ /dev/null @@ -1,105 +0,0 @@ -#ifndef _LINUX_PRCTL_H -#define _LINUX_PRCTL_H - -/* Values to pass as first argument to prctl() */ - -#define PR_SET_PDEATHSIG 1 /* Second arg is a signal */ -#define PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */ - -/* Get/set current->mm->dumpable */ -#define PR_GET_DUMPABLE 3 -#define PR_SET_DUMPABLE 4 - -/* Get/set unaligned access control bits (if meaningful) */ -#define PR_GET_UNALIGN 5 -#define PR_SET_UNALIGN 6 -# define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */ -# define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */ - -/* Get/set whether or not to drop capabilities on setuid() away from - * uid 0 (as per security/commoncap.c) */ -#define PR_GET_KEEPCAPS 7 -#define PR_SET_KEEPCAPS 8 - -/* Get/set floating-point emulation control bits (if meaningful) */ -#define PR_GET_FPEMU 9 -#define PR_SET_FPEMU 10 -# define PR_FPEMU_NOPRINT 1 /* silently emulate fp operations accesses */ -# define PR_FPEMU_SIGFPE 2 /* don't emulate fp operations, send SIGFPE instead */ - -/* Get/set floating-point exception mode (if meaningful) */ -#define PR_GET_FPEXC 11 -#define PR_SET_FPEXC 12 -# define PR_FP_EXC_SW_ENABLE 0x80 /* Use FPEXC for FP exception enables */ -# define PR_FP_EXC_DIV 0x010000 /* floating point divide by zero */ -# define PR_FP_EXC_OVF 0x020000 /* floating point overflow */ -# define PR_FP_EXC_UND 0x040000 /* floating point underflow */ -# define PR_FP_EXC_RES 0x080000 /* floating point inexact result */ -# define PR_FP_EXC_INV 0x100000 /* floating point invalid operation */ -# define PR_FP_EXC_DISABLED 0 /* FP exceptions disabled */ -# define PR_FP_EXC_NONRECOV 1 /* async non-recoverable exc. mode */ -# define PR_FP_EXC_ASYNC 2 /* async recoverable exception mode */ -# define PR_FP_EXC_PRECISE 3 /* precise exception mode */ - -/* Get/set whether we use statistical process timing or accurate timestamp - * based process timing */ -#define PR_GET_TIMING 13 -#define PR_SET_TIMING 14 -# define PR_TIMING_STATISTICAL 0 /* Normal, traditional, - statistical process timing */ -# define PR_TIMING_TIMESTAMP 1 /* Accurate timestamp based - process timing */ - -#define PR_SET_NAME 15 /* Set process name */ -#define PR_GET_NAME 16 /* Get process name */ - -/* Get/set process endian */ -#define PR_GET_ENDIAN 19 -#define PR_SET_ENDIAN 20 -# define PR_ENDIAN_BIG 0 -# define PR_ENDIAN_LITTLE 1 /* True little endian mode */ -# define PR_ENDIAN_PPC_LITTLE 2 /* "PowerPC" pseudo little endian */ - -/* Get/set process seccomp mode */ -#define PR_GET_SECCOMP 21 -#define PR_SET_SECCOMP 22 - -/* Get/set the capability bounding set (as per security/commoncap.c) */ -#define PR_CAPBSET_READ 23 -#define PR_CAPBSET_DROP 24 - -/* Get/set the process' ability to use the timestamp counter instruction */ -#define PR_GET_TSC 25 -#define PR_SET_TSC 26 -# define PR_TSC_ENABLE 1 /* allow the use of the timestamp counter */ -# define PR_TSC_SIGSEGV 2 /* throw a SIGSEGV instead of reading the TSC */ - -/* Get/set securebits (as per security/commoncap.c) */ -#define PR_GET_SECUREBITS 27 -#define PR_SET_SECUREBITS 28 - -/* - * Get/set the timerslack as used by poll/select/nanosleep - * A value of 0 means "use default" - */ -#define PR_SET_TIMERSLACK 29 -#define PR_GET_TIMERSLACK 30 - -#define PR_TASK_PERF_EVENTS_DISABLE 31 -#define PR_TASK_PERF_EVENTS_ENABLE 32 - -/* - * Set early/late kill mode for hwpoison memory corruption. - * This influences when the process gets killed on a memory corruption. - */ -#define PR_MCE_KILL 33 -# define PR_MCE_KILL_CLEAR 0 -# define PR_MCE_KILL_SET 1 - -# define PR_MCE_KILL_LATE 0 -# define PR_MCE_KILL_EARLY 1 -# define PR_MCE_KILL_DEFAULT 2 - -#define PR_MCE_KILL_GET 34 - -#endif /* _LINUX_PRCTL_H */ diff --git a/libcap/include/linux/securebits.h b/libcap/include/linux/securebits.h deleted file mode 100644 index 3340617..0000000 --- a/libcap/include/linux/securebits.h +++ /dev/null @@ -1,54 +0,0 @@ -#ifndef _LINUX_SECUREBITS_H -#define _LINUX_SECUREBITS_H 1 - -/* Each securesetting is implemented using two bits. One bit specifies - whether the setting is on or off. The other bit specify whether the - setting is locked or not. A setting which is locked cannot be - changed from user-level. */ -#define issecure_mask(X) (1 << (X)) -#ifdef __KERNEL__ -#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits)) -#endif - -#define SECUREBITS_DEFAULT 0x00000000 - -/* When set UID 0 has no special privileges. When unset, we support - inheritance of root-permissions and suid-root executable under - compatibility mode. We raise the effective and inheritable bitmasks - *of the executable file* if the effective uid of the new process is - 0. If the real uid is 0, we raise the effective (legacy) bit of the - executable file. */ -#define SECURE_NOROOT 0 -#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */ - -#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT)) -#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED)) - -/* When set, setuid to/from uid 0 does not trigger capability-"fixup". - When unset, to provide compatiblility with old programs relying on - set*uid to gain/lose privilege, transitions to/from uid 0 cause - capabilities to be gained/lost. */ -#define SECURE_NO_SETUID_FIXUP 2 -#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ - -#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP)) -#define SECBIT_NO_SETUID_FIXUP_LOCKED \ - (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)) - -/* When set, a process can retain its capabilities even after - transitioning to a non-root user (the set-uid fixup suppressed by - bit 2). Bit-4 is cleared when a process calls exec(); setting both - bit 4 and 5 will create a barrier through exec that no exec()'d - child can use this feature again. */ -#define SECURE_KEEP_CAPS 4 -#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */ - -#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) -#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED)) - -#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ - issecure_mask(SECURE_NO_SETUID_FIXUP) | \ - issecure_mask(SECURE_KEEP_CAPS)) -#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) - -#endif /* !_LINUX_SECUREBITS_H */ diff --git a/libcap/include/sys/capability.h b/libcap/include/sys/capability.h index 4b54acc..64ac50e 100644 --- a/libcap/include/sys/capability.h +++ b/libcap/include/sys/capability.h @@ -23,13 +23,11 @@ extern "C" { #include #include -/* - * Required to limit what gets defined in the kernel header file. - */ #ifndef __user #define __user #endif #include +#include /* * POSIX capability types diff --git a/libcap/include/uapi/linux/capability.h b/libcap/include/uapi/linux/capability.h new file mode 100644 index 0000000..a4b907f --- /dev/null +++ b/libcap/include/uapi/linux/capability.h @@ -0,0 +1,358 @@ +/* + * This is + * + * Andrew G. Morgan + * Alexander Kjeldaas + * with help from Aleph1, Roland Buresund and Andrew Main. + * + * See here for the libcap library ("POSIX draft" compliance): + * + * http://www.kernel.org/pub/linux/libs/security/linux-privs/ + */ + +#ifndef _UAPI_LINUX_CAPABILITY_H +#define _UAPI_LINUX_CAPABILITY_H + +#include + +struct task_struct; + +/* User-level do most of the mapping between kernel and user + capabilities based on the version tag given by the kernel. The + kernel might be somewhat backwards compatible, but don't bet on + it. */ + +/* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to + a set of three capability sets. The transposition of 3*the + following structure to such a composite is better handled in a user + library since the draft standard requires the use of malloc/free + etc.. */ + +#define _LINUX_CAPABILITY_VERSION_1 0x19980330 +#define _LINUX_CAPABILITY_U32S_1 1 + +#define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */ +#define _LINUX_CAPABILITY_U32S_2 2 + +#define _LINUX_CAPABILITY_VERSION_3 0x20080522 +#define _LINUX_CAPABILITY_U32S_3 2 + +typedef struct __user_cap_header_struct { + __u32 version; + int pid; +} __user *cap_user_header_t; + +typedef struct __user_cap_data_struct { + __u32 effective; + __u32 permitted; + __u32 inheritable; +} __user *cap_user_data_t; + + +#define VFS_CAP_REVISION_MASK 0xFF000000 +#define VFS_CAP_REVISION_SHIFT 24 +#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK +#define VFS_CAP_FLAGS_EFFECTIVE 0x000001 + +#define VFS_CAP_REVISION_1 0x01000000 +#define VFS_CAP_U32_1 1 +#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) + +#define VFS_CAP_REVISION_2 0x02000000 +#define VFS_CAP_U32_2 2 +#define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2)) + +#define XATTR_CAPS_SZ XATTR_CAPS_SZ_2 +#define VFS_CAP_U32 VFS_CAP_U32_2 +#define VFS_CAP_REVISION VFS_CAP_REVISION_2 + +struct vfs_cap_data { + __le32 magic_etc; /* Little endian */ + struct { + __le32 permitted; /* Little endian */ + __le32 inheritable; /* Little endian */ + } data[VFS_CAP_U32]; +}; + +#ifndef __KERNEL__ + +/* + * Backwardly compatible definition for source code - trapped in a + * 32-bit world. If you find you need this, please consider using + * libcap to untrap yourself... + */ +#define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 +#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 + +#endif + + +/** + ** POSIX-draft defined capabilities. + **/ + +/* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this + overrides the restriction of changing file ownership and group + ownership. */ + +#define CAP_CHOWN 0 + +/* Override all DAC access, including ACL execute access if + [_POSIX_ACL] is defined. Excluding DAC access covered by + CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_OVERRIDE 1 + +/* Overrides all DAC restrictions regarding read and search on files + and directories, including ACL restrictions if [_POSIX_ACL] is + defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ + +#define CAP_DAC_READ_SEARCH 2 + +/* Overrides all restrictions about allowed operations on files, where + file owner ID must be equal to the user ID, except where CAP_FSETID + is applicable. It doesn't override MAC and DAC restrictions. */ + +#define CAP_FOWNER 3 + +/* Overrides the following restrictions that the effective user ID + shall match the file owner ID when setting the S_ISUID and S_ISGID + bits on that file; that the effective group ID (or one of the + supplementary group IDs) shall match the file owner ID when setting + the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are + cleared on successful return from chown(2) (not implemented). */ + +#define CAP_FSETID 4 + +/* Overrides the restriction that the real or effective user ID of a + process sending a signal must match the real or effective user ID + of the process receiving the signal. */ + +#define CAP_KILL 5 + +/* Allows setgid(2) manipulation */ +/* Allows setgroups(2) */ +/* Allows forged gids on socket credentials passing. */ + +#define CAP_SETGID 6 + +/* Allows set*uid(2) manipulation (including fsuid). */ +/* Allows forged pids on socket credentials passing. */ + +#define CAP_SETUID 7 + + +/** + ** Linux-specific capabilities + **/ + +/* Without VFS support for capabilities: + * Transfer any capability in your permitted set to any pid, + * remove any capability in your permitted set from any pid + * With VFS support for capabilities (neither of above, but) + * Add any capability from current's capability bounding set + * to the current process' inheritable set + * Allow taking bits out of capability bounding set + * Allow modification of the securebits for a process + */ + +#define CAP_SETPCAP 8 + +/* Allow modification of S_IMMUTABLE and S_APPEND file attributes */ + +#define CAP_LINUX_IMMUTABLE 9 + +/* Allows binding to TCP/UDP sockets below 1024 */ +/* Allows binding to ATM VCIs below 32 */ + +#define CAP_NET_BIND_SERVICE 10 + +/* Allow broadcasting, listen to multicast */ + +#define CAP_NET_BROADCAST 11 + +/* Allow interface configuration */ +/* Allow administration of IP firewall, masquerading and accounting */ +/* Allow setting debug option on sockets */ +/* Allow modification of routing tables */ +/* Allow setting arbitrary process / process group ownership on + sockets */ +/* Allow binding to any address for transparent proxying (also via NET_RAW) */ +/* Allow setting TOS (type of service) */ +/* Allow setting promiscuous mode */ +/* Allow clearing driver statistics */ +/* Allow multicasting */ +/* Allow read/write of device-specific registers */ +/* Allow activation of ATM control sockets */ + +#define CAP_NET_ADMIN 12 + +/* Allow use of RAW sockets */ +/* Allow use of PACKET sockets */ +/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */ + +#define CAP_NET_RAW 13 + +/* Allow locking of shared memory segments */ +/* Allow mlock and mlockall (which doesn't really have anything to do + with IPC) */ + +#define CAP_IPC_LOCK 14 + +/* Override IPC ownership checks */ + +#define CAP_IPC_OWNER 15 + +/* Insert and remove kernel modules - modify kernel without limit */ +#define CAP_SYS_MODULE 16 + +/* Allow ioperm/iopl access */ +/* Allow sending USB messages to any device via /proc/bus/usb */ + +#define CAP_SYS_RAWIO 17 + +/* Allow use of chroot() */ + +#define CAP_SYS_CHROOT 18 + +/* Allow ptrace() of any process */ + +#define CAP_SYS_PTRACE 19 + +/* Allow configuration of process accounting */ + +#define CAP_SYS_PACCT 20 + +/* Allow configuration of the secure attention key */ +/* Allow administration of the random device */ +/* Allow examination and configuration of disk quotas */ +/* Allow setting the domainname */ +/* Allow setting the hostname */ +/* Allow calling bdflush() */ +/* Allow mount() and umount(), setting up new smb connection */ +/* Allow some autofs root ioctls */ +/* Allow nfsservctl */ +/* Allow VM86_REQUEST_IRQ */ +/* Allow to read/write pci config on alpha */ +/* Allow irix_prctl on mips (setstacksize) */ +/* Allow flushing all cache on m68k (sys_cacheflush) */ +/* Allow removing semaphores */ +/* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores + and shared memory */ +/* Allow locking/unlocking of shared memory segment */ +/* Allow turning swap on/off */ +/* Allow forged pids on socket credentials passing */ +/* Allow setting readahead and flushing buffers on block devices */ +/* Allow setting geometry in floppy driver */ +/* Allow turning DMA on/off in xd driver */ +/* Allow administration of md devices (mostly the above, but some + extra ioctls) */ +/* Allow tuning the ide driver */ +/* Allow access to the nvram device */ +/* Allow administration of apm_bios, serial and bttv (TV) device */ +/* Allow manufacturer commands in isdn CAPI support driver */ +/* Allow reading non-standardized portions of pci configuration space */ +/* Allow DDI debug ioctl on sbpcd driver */ +/* Allow setting up serial ports */ +/* Allow sending raw qic-117 commands */ +/* Allow enabling/disabling tagged queuing on SCSI controllers and sending + arbitrary SCSI commands */ +/* Allow setting encryption key on loopback filesystem */ +/* Allow setting zone reclaim policy */ + +#define CAP_SYS_ADMIN 21 + +/* Allow use of reboot() */ + +#define CAP_SYS_BOOT 22 + +/* Allow raising priority and setting priority on other (different + UID) processes */ +/* Allow use of FIFO and round-robin (realtime) scheduling on own + processes and setting the scheduling algorithm used by another + process. */ +/* Allow setting cpu affinity on other processes */ + +#define CAP_SYS_NICE 23 + +/* Override resource limits. Set resource limits. */ +/* Override quota limits. */ +/* Override reserved space on ext2 filesystem */ +/* Modify data journaling mode on ext3 filesystem (uses journaling + resources) */ +/* NOTE: ext2 honors fsuid when checking for resource overrides, so + you can override using fsuid too */ +/* Override size restrictions on IPC message queues */ +/* Allow more than 64hz interrupts from the real-time clock */ +/* Override max number of consoles on console allocation */ +/* Override max number of keymaps */ + +#define CAP_SYS_RESOURCE 24 + +/* Allow manipulation of system clock */ +/* Allow irix_stime on mips */ +/* Allow setting the real-time clock */ + +#define CAP_SYS_TIME 25 + +/* Allow configuration of tty devices */ +/* Allow vhangup() of tty */ + +#define CAP_SYS_TTY_CONFIG 26 + +/* Allow the privileged aspects of mknod() */ + +#define CAP_MKNOD 27 + +/* Allow taking of leases on files */ + +#define CAP_LEASE 28 + +#define CAP_AUDIT_WRITE 29 + +#define CAP_AUDIT_CONTROL 30 + +#define CAP_SETFCAP 31 + +/* Override MAC access. + The base kernel enforces no MAC policy. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based overrides of that policy, this is + the capability it should use to do so. */ + +#define CAP_MAC_OVERRIDE 32 + +/* Allow MAC configuration or state changes. + The base kernel requires no MAC configuration. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based checks on modifications to that + policy or the data required to maintain it, this is the + capability it should use to do so. */ + +#define CAP_MAC_ADMIN 33 + +/* Allow configuring the kernel's syslog (printk behaviour) */ + +#define CAP_SYSLOG 34 + +/* Allow triggering something that will wake the system */ + +#define CAP_WAKE_ALARM 35 + +/* Allow preventing system suspends */ + +#define CAP_BLOCK_SUSPEND 36 + +#define CAP_LAST_CAP CAP_BLOCK_SUSPEND + +#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) + +/* + * Bit location of each capability (used by user-space library and kernel) + */ + +#define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ +#define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ + + +#endif /* _UAPI_LINUX_CAPABILITY_H */ diff --git a/libcap/include/uapi/linux/prctl.h b/libcap/include/uapi/linux/prctl.h new file mode 100644 index 0000000..289760f --- /dev/null +++ b/libcap/include/uapi/linux/prctl.h @@ -0,0 +1,152 @@ +#ifndef _LINUX_PRCTL_H +#define _LINUX_PRCTL_H + +/* Values to pass as first argument to prctl() */ + +#define PR_SET_PDEATHSIG 1 /* Second arg is a signal */ +#define PR_GET_PDEATHSIG 2 /* Second arg is a ptr to return the signal */ + +/* Get/set current->mm->dumpable */ +#define PR_GET_DUMPABLE 3 +#define PR_SET_DUMPABLE 4 + +/* Get/set unaligned access control bits (if meaningful) */ +#define PR_GET_UNALIGN 5 +#define PR_SET_UNALIGN 6 +# define PR_UNALIGN_NOPRINT 1 /* silently fix up unaligned user accesses */ +# define PR_UNALIGN_SIGBUS 2 /* generate SIGBUS on unaligned user access */ + +/* Get/set whether or not to drop capabilities on setuid() away from + * uid 0 (as per security/commoncap.c) */ +#define PR_GET_KEEPCAPS 7 +#define PR_SET_KEEPCAPS 8 + +/* Get/set floating-point emulation control bits (if meaningful) */ +#define PR_GET_FPEMU 9 +#define PR_SET_FPEMU 10 +# define PR_FPEMU_NOPRINT 1 /* silently emulate fp operations accesses */ +# define PR_FPEMU_SIGFPE 2 /* don't emulate fp operations, send SIGFPE instead */ + +/* Get/set floating-point exception mode (if meaningful) */ +#define PR_GET_FPEXC 11 +#define PR_SET_FPEXC 12 +# define PR_FP_EXC_SW_ENABLE 0x80 /* Use FPEXC for FP exception enables */ +# define PR_FP_EXC_DIV 0x010000 /* floating point divide by zero */ +# define PR_FP_EXC_OVF 0x020000 /* floating point overflow */ +# define PR_FP_EXC_UND 0x040000 /* floating point underflow */ +# define PR_FP_EXC_RES 0x080000 /* floating point inexact result */ +# define PR_FP_EXC_INV 0x100000 /* floating point invalid operation */ +# define PR_FP_EXC_DISABLED 0 /* FP exceptions disabled */ +# define PR_FP_EXC_NONRECOV 1 /* async non-recoverable exc. mode */ +# define PR_FP_EXC_ASYNC 2 /* async recoverable exception mode */ +# define PR_FP_EXC_PRECISE 3 /* precise exception mode */ + +/* Get/set whether we use statistical process timing or accurate timestamp + * based process timing */ +#define PR_GET_TIMING 13 +#define PR_SET_TIMING 14 +# define PR_TIMING_STATISTICAL 0 /* Normal, traditional, + statistical process timing */ +# define PR_TIMING_TIMESTAMP 1 /* Accurate timestamp based + process timing */ + +#define PR_SET_NAME 15 /* Set process name */ +#define PR_GET_NAME 16 /* Get process name */ + +/* Get/set process endian */ +#define PR_GET_ENDIAN 19 +#define PR_SET_ENDIAN 20 +# define PR_ENDIAN_BIG 0 +# define PR_ENDIAN_LITTLE 1 /* True little endian mode */ +# define PR_ENDIAN_PPC_LITTLE 2 /* "PowerPC" pseudo little endian */ + +/* Get/set process seccomp mode */ +#define PR_GET_SECCOMP 21 +#define PR_SET_SECCOMP 22 + +/* Get/set the capability bounding set (as per security/commoncap.c) */ +#define PR_CAPBSET_READ 23 +#define PR_CAPBSET_DROP 24 + +/* Get/set the process' ability to use the timestamp counter instruction */ +#define PR_GET_TSC 25 +#define PR_SET_TSC 26 +# define PR_TSC_ENABLE 1 /* allow the use of the timestamp counter */ +# define PR_TSC_SIGSEGV 2 /* throw a SIGSEGV instead of reading the TSC */ + +/* Get/set securebits (as per security/commoncap.c) */ +#define PR_GET_SECUREBITS 27 +#define PR_SET_SECUREBITS 28 + +/* + * Get/set the timerslack as used by poll/select/nanosleep + * A value of 0 means "use default" + */ +#define PR_SET_TIMERSLACK 29 +#define PR_GET_TIMERSLACK 30 + +#define PR_TASK_PERF_EVENTS_DISABLE 31 +#define PR_TASK_PERF_EVENTS_ENABLE 32 + +/* + * Set early/late kill mode for hwpoison memory corruption. + * This influences when the process gets killed on a memory corruption. + */ +#define PR_MCE_KILL 33 +# define PR_MCE_KILL_CLEAR 0 +# define PR_MCE_KILL_SET 1 + +# define PR_MCE_KILL_LATE 0 +# define PR_MCE_KILL_EARLY 1 +# define PR_MCE_KILL_DEFAULT 2 + +#define PR_MCE_KILL_GET 34 + +/* + * Tune up process memory map specifics. + */ +#define PR_SET_MM 35 +# define PR_SET_MM_START_CODE 1 +# define PR_SET_MM_END_CODE 2 +# define PR_SET_MM_START_DATA 3 +# define PR_SET_MM_END_DATA 4 +# define PR_SET_MM_START_STACK 5 +# define PR_SET_MM_START_BRK 6 +# define PR_SET_MM_BRK 7 +# define PR_SET_MM_ARG_START 8 +# define PR_SET_MM_ARG_END 9 +# define PR_SET_MM_ENV_START 10 +# define PR_SET_MM_ENV_END 11 +# define PR_SET_MM_AUXV 12 +# define PR_SET_MM_EXE_FILE 13 + +/* + * Set specific pid that is allowed to ptrace the current task. + * A value of 0 mean "no process". + */ +#define PR_SET_PTRACER 0x59616d61 +# define PR_SET_PTRACER_ANY ((unsigned long)-1) + +#define PR_SET_CHILD_SUBREAPER 36 +#define PR_GET_CHILD_SUBREAPER 37 + +/* + * If no_new_privs is set, then operations that grant new privileges (i.e. + * execve) will either fail or not grant them. This affects suid/sgid, + * file capabilities, and LSMs. + * + * Operations that merely manipulate or drop existing privileges (setresuid, + * capset, etc.) will still work. Drop those privileges if you want them gone. + * + * Changing LSM security domain is considered a new privilege. So, for example, + * asking selinux for a specific new context (e.g. with runcon) will result + * in execve returning -EPERM. + * + * See Documentation/prctl/no_new_privs.txt for more details. + */ +#define PR_SET_NO_NEW_PRIVS 38 +#define PR_GET_NO_NEW_PRIVS 39 + +#define PR_GET_TID_ADDRESS 40 + +#endif /* _LINUX_PRCTL_H */ diff --git a/libcap/include/uapi/linux/securebits.h b/libcap/include/uapi/linux/securebits.h new file mode 100644 index 0000000..985aac9 --- /dev/null +++ b/libcap/include/uapi/linux/securebits.h @@ -0,0 +1,51 @@ +#ifndef _UAPI_LINUX_SECUREBITS_H +#define _UAPI_LINUX_SECUREBITS_H + +/* Each securesetting is implemented using two bits. One bit specifies + whether the setting is on or off. The other bit specify whether the + setting is locked or not. A setting which is locked cannot be + changed from user-level. */ +#define issecure_mask(X) (1 << (X)) + +#define SECUREBITS_DEFAULT 0x00000000 + +/* When set UID 0 has no special privileges. When unset, we support + inheritance of root-permissions and suid-root executable under + compatibility mode. We raise the effective and inheritable bitmasks + *of the executable file* if the effective uid of the new process is + 0. If the real uid is 0, we raise the effective (legacy) bit of the + executable file. */ +#define SECURE_NOROOT 0 +#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */ + +#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT)) +#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED)) + +/* When set, setuid to/from uid 0 does not trigger capability-"fixup". + When unset, to provide compatiblility with old programs relying on + set*uid to gain/lose privilege, transitions to/from uid 0 cause + capabilities to be gained/lost. */ +#define SECURE_NO_SETUID_FIXUP 2 +#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ + +#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP)) +#define SECBIT_NO_SETUID_FIXUP_LOCKED \ + (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)) + +/* When set, a process can retain its capabilities even after + transitioning to a non-root user (the set-uid fixup suppressed by + bit 2). Bit-4 is cleared when a process calls exec(); setting both + bit 4 and 5 will create a barrier through exec that no exec()'d + child can use this feature again. */ +#define SECURE_KEEP_CAPS 4 +#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */ + +#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) +#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED)) + +#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ + issecure_mask(SECURE_NO_SETUID_FIXUP) | \ + issecure_mask(SECURE_KEEP_CAPS)) +#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) + +#endif /* _UAPI_LINUX_SECUREBITS_H */ diff --git a/libcap/libcap.h b/libcap/libcap.h index 1e66f98..2596c11 100644 --- a/libcap/libcap.h +++ b/libcap/libcap.h @@ -12,14 +12,15 @@ #include #include #include +#include #include #ifndef __u8 -#define __u8 unsigned char +#define __u8 uint8_t #endif /* __8 */ #ifndef __u32 -#define __u32 unsigned int +#define __u32 uint32_t #endif /* __u32 */ /* include the names for the caps and a definition of __CAP_BITS */ @@ -197,4 +198,12 @@ extern int capsetp(pid_t pid, cap_t cap_d); #define PR_GET_SECUREBITS 27 #define PR_SET_SECUREBITS 28 +/* + * The library compares sizeof() with integer return values. To avoid + * signed/unsigned comparisons, leading to unfortunate + * misinterpretations of -1, we provide a convenient cast-to-signed-integer + * version of sizeof(). + */ +#define ssizeof(x) ((ssize_t) sizeof(x)) + #endif /* LIBCAP_H */ diff --git a/libcap/libcap.pc.in b/libcap/libcap.pc.in new file mode 100644 index 0000000..a28e3e4 --- /dev/null +++ b/libcap/libcap.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: libcap +Description: libcap +Version: @VERSION@ +Libs: -L${libdir} -lcap +Libs.private: @deps@ +Cflags: -I${includedir} diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf index dd93ea7..09517f8 100644 --- a/pam_cap/capability.conf +++ b/pam_cap/capability.conf @@ -8,7 +8,7 @@ # and thus you'll know about Linux's capability support. # [If you don't know about libcap, the sources for it are here: # -# http://linux.kernel.org/pub/linux/libs/security/linux-privs/ +# http://www.kernel.org/pub/linux/libs/security/linux-privs/ # # .] # diff --git a/pgp.keys.asc b/pgp.keys.asc index 583accd..b39f76a 100644 --- a/pgp.keys.asc +++ b/pgp.keys.asc @@ -1,8 +1,112 @@ +morgan@kernel.org upload/signature key. + +pub 4096R/E2CCF3F4 2011-10-07 Andrew G. Morgan (Work Address) +uid Andrew G. Morgan +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.15 (GNU/Linux) + +mQINBE6OiBIBEADpdtUxC8Fmhn5UK6UCZdU7mFgZwN8U9cabFUPfUIkMqXULhCD0 +hG2/amuiiUoLollPjOopNqk4cc8LcZfszOdBFAYj7MeWzNySVw4KkWrVCEH/bZ0Q +QzZH2qmoMT5CIrtcNxCAvukYsZLhyZYO0HdfuE05mVhVjtX9Btfxr7Ndvb7L4MRS +3Qb6+nHTgfn/Oow92/koIWvi0YvskKdZypeU888TQL99E8xdgL2n2Ip3xYwBHRR2 +GPb5MGOuEItF3tJ0kkILW5mzkJq/iLzRphzKjdF76I9QVRP8dZ+uWHPubWePm/5c +1H9lnlw00ZZ/ucQvSwTesUYk2aKkxzgm6X8fCdJXBLGgW5K6CkynpjN3qJ9KpcNY +H55smUgp8BaiWuoHe4pLvuBhnN2wiYOe2j9UvGX1OaRstMXFx7YbBvkGgdoZthUe +VPGAa4K+dnI2oy4wukzl/unAKrlMCBRsRoW2qjy3TDSXqwJhd34ilHzrdAdchrh/ +acBfbBtRzVlcDTnGltDNMuRTXzujaY9C3B0L2E+Jfrds8WcM8ASO4mHwJUTMrBwM +b5sFSG+/X9Ufg/c2G086HQ7xMERUA5oz66P5ReHCph8WHQN2L5vtZwL7//hZB9hn +G0K1210YEDXpFPijpis/54MKUSkWEFOLjUbiSPbwEfb79A00CcHojQQinwARAQAB +tDBBbmRyZXcgRy4gTW9yZ2FuIChXb3JrIEFkZHJlc3MpIDxhZ21AZ29vZ2xlLmNv +bT6JAjgEEwECACIFAk6VD4ICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ +ECnuhIrizPP0zNoQAMDjx3iovvf0rpAYFvvAoPbzhEXcJ41/T+paxWOJm8SEg7fX +nUHgXeTwW3RJPIp7PguctPogvKQV+7GcU5Dcg13DZO4nMrSsvInsLQkfeDVU/zl2 +MuHFOtBMpDp6iGcUwjS0bYbvl03fPj7ZXIML+I7OSyNeoZ/n2ztI9UiIBHovsHqZ +qYm4d7VOi4nVj1Y/Gak99sw3cLvUwq9f3i8ioNzynqBT7jA+GWFaeVJuGrOCBBBg +uIu0Ekg42NAZ2AR32wQP5eEtlSAq8Il9RZzewa1v74loDNJOl+kW5/jQK6tGj2A9 +vlTqVzHUDmPZ9n6Ds7h3wo2g3gzYX1cuM3spW9UsA8XUDNY2yNFYDC9IsAI09u18 +N7f89isG/yYh5MZpJz2fx7cecHtwSVukTGHDsaoHTXMlfjQmVU5efORZJa6Bx0Tk +aSCwecem3q+3OcdgW8XwPWik/5Wv8B3dJopMH1Mw3pRhirtTd6/88xNyLkJStptB +DZvbqvB2nMmSiqgh0mPeslnwubxJ5/4FbP9zlLN7zp49RZHKDl/8EMSXGCjmG6UT +xW6I3YpKdc4+yEd19/UUtxqQOfbgFvlcbesQ5ILvLOzZidkS7y0v4i9rZBe/HEy3 +eG8z4s5dloBrpSBvKySwqWuuSDn3tMqw4Bz2Be3FgtYA4TnNy7shcFR2BMFotCRB +bmRyZXcgRy4gTW9yZ2FuIDxtb3JnYW5Aa2VybmVsLm9yZz6JAjsEEwECACUCGwMG +CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOmRGPAhkBAAoJECnuhIrizPP0wK0P +/RMvjmzeXbgoa36cBDvDKReAiC56Au4qGXkNah3984tNPT1hVUKCiwiUmULoNJbE +I4qFJTtwsMi5QzE+daCA7t+ALJiC+PKiKFG1LDz7mxfhmBeS3XcYuqZdjyKrATUF +r0SHbsJxtRCslawGD2gKczLknFeBXL0997TfJS9ipLibqCtmvyryHn4EbZfoJqcp +j/RBN/izVGHNYI8BsZpO5F6z7vXoncDL0dKh65ndGaIbhVDUPsDBvzg3i+EzhB51 +hYTTNKK0QpWbmsXfJBnvztinfLUsnO9HV8aRaygOI/DAKAtT7YPXORA1oFYtx69b +zulqC+TXUmeV8YW8bETH4xHM9mQb0oNLPibR2nK2FSDiLp0/eEM5vgzfPVUX7WzB +JUPsf0ah/e1yrXqudGUUZ0R+3VMOdxMryZBKLymkzyvu6a5DcLarqAt8y9ciRH67 +HKNnE1gvHf5K2Q37gwSecwmXCjpMlbVJnIarLKBcVRcYKtxgPxCv6483I8heSKF7 +PB/IFBmzT1cX7lhln9+62Ks/0Gs0pA0iNLaD+POPiqWrAwZsFvKjD9PDaCBDFRWj +FqZLyJMsMi1qmP8jWsdQqPdUskQC0ftvw3Z6SiyyrriSAzglCjmmAcfdt+w4b/EO +4SzSZUnd/ApkHkZx1Lbta15WKxGi7S8/5zNdaK721nUdiEYEEBECAAYFAk6Oi/kA +CgkQQheEq9QabfJhdwCdEhWd2WbjrypMC2jEqWUswmf7fsQAn3LwZyeVJK5LApOF +7NimHkCQV9z7iQIcBBABAgAGBQJOl+CHAAoJEO2/8mhZLMbY4ywP/2qX0+QrilRC +eqk8cOmljLB+sxiA2Jc5YINAXipg6PSQzF7IlMnSNSW69ARLPW5iyDTljXTtD85W +/yWhm3vsouWldBa1Wb6xVb8iA8H8fUUKCY7ngCSjHJxPa1KRsTrMKCkLHR2MP7Qi +ar0dvquomtlx5chkhXmY+0cxcA/cMB/A/fbfDvvbYD5HYiB90AylPmLbM9XiLF0F +RSJt7iokGidS1W80ZCg5p1R02dQV5H7/111Xx1QIggPcNPWGwCK61Q3tPV0xc0oQ +dZpQk2hnPVHF7BMmCyB/iNRofF9mpC/QZGFRQkb3XgdIdK/O23VQntSGctrtnL1M +rcrgQUIrMaU3LKFbIE7DBwMUzUaTO/t14ZQQUZJTAKLSVCfvGvgh6/dqaXpssQxL +D2S5J1sWs1ZVInOhjo2OZnVl3SEmQT9h6NB93QRoGfbfy+AJgReRcfCep5zDMrud +5HPym9itvMLVVzw267Yn0ATBhrESAY8LqBBRbigM/TL+jNPfsQzhEzHXFsQL/dKh +V4N8IURnpCqHzY2BSnTX1K8ipl+iRGpMVfkYQnM660AIJhAReT2rwzuhGRKHbOXz +UrzoEg1PEw/+69ZmcGUZH1VtSrOw0r6eub+rg7Q0R4r6c8kF2vS2XSQn/MZ2Wqjk +hW4fWCqqogIvCkqk1Jt3OCRIWbVC0bKKiQIcBBABAgAGBQJOmJxYAAoJECDQTlpx +NmCnTvEP/38M2bsQGnKVhNsAcr7sDO4YmDrc8V/bUrGjADWmLcW/K2MDOWLZIwmg +Z1qMifHXuy/NhyX3/xp8VacNAlpuQ8o/T77P1QCLwuPu+fuXLOmFkCISFeTW5g/d +pShZ4tsTXAaJs7bQdQnsY3prZl0CMJtItOhwW34PDZL95Vp2ZRx84Dn355KHUeeq +yQjqu+cEz2T5sfVj/O2w1tgeWcMxrOI3ARD/Ks+CeWoFZPezq2K4ctka7Q+muH9/ +1WCatdpryf5SJoBMDaC7GXzGegesKQr35sfNM9XRP1TphmCqQz4VOb+stIEJv1Dq +c9Lc4EScOwmESt5mzPwrZ3OJ+stFKW1QJgErUb55TNQ4C957rodxCerNa9ptpdUk +U9Pb2vpSurNRgETA/urZkBO/vPQ8MEgdJSbVgh0Rj/zPFnj3akQFc98U5Km0TIHJ +7r6S+qj73itUM79jMVKJgewPEA8cys0ACLoM5uRNYq35mY4OeP/Edm6NLiKfD0us +MfEQ+02B8RqXuHBAJAa/+f+U3zGkw268f3/16kZv/PTMfdOEy1cjKlQ3LFwIHfny +Brb/3vHAVTAyEbBPWmULEjopdevEPKmKyW2EXFphBmjOHSghmIRDxO2WmSuI8bIU +sH4oq6MwqAJpE5rzreBNLNh5ZY4yzw3nAJb6Bb59m0kt2fHKIq+AiQI4BBMBAgAi +BQJOjogSAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAp7oSK4szz9HRi +D/4sMdw5WrUtmagrXWVyj83YLJW2GBxH6s5UR1/fyl5uDYjBAccf3jDuIwVZzpCJ +ZpQ8RwvRV699Pag5L5uwDEvkiIMROPNescaXGROuNoCFfqIOTVZfGya2w06dB0Kh +C0l++iO6YVy1eJkyc/XooiOOtEfv5UpBZSWn9hMYaNSc9tiQcyPxzEnEQYUmIoXG +kHXUNRDBQfJLRZP4e9YjN/hH0ZW7/rHXXMxeBREfbCekKy0qDgJ/Sf3Eh6dwUkOR +/vCrdZM2Q8TTX0LJdflJdqMEuYHqm1j9RrnoXIjhx0wFopEOHPSr2qxOu2gOkyxB +JE7Ur3IKpMRaoCR0xHMb5MOgnMmwRW2G6KcZTCdr2jmxp2hK3BxRcUt3qh74jhZL +Dbv5dxTqVn/VK1CGhHbrcW2adkyi2sK7vVARdlSmHYWIWhLqv77p7tkSAX76Qig8 +X75WGF+W3YSAS4f3I6QXRnXxzG8TbMIa4CfeN5IZ2Z5TisC2YyuG8VdM/m6i6W18 +cLa7ZNGE3w04eVQvtigG+9p9gCs5Kg6PVVxwJsjGDDqHkCslfFF8Wl1ZdqXqtUB2 +RKTWb4XNU5XxO0xIGFtLUNnCKcJAOUCu/oRJ/WWHW+BKDdG1VbgYVFTXHc6YZpet +2D+sAs7cWV8GDJ9nChHWcQ5C/bPV1PVnheZhwGvHLsWrILkCDQROjogSARAAtLny +8nlyr8fyYGAocQz0S47a99n/X0Vmgwo1trJsCXWbOrpztznY8IFRK/dRnRHiMwBx +WQ4CvdUk2p0MweUiOjpEN7bUm92jeFXMr0hpQKf+O4DMExHS4hxLwArnKFuAk2ej +RQGXBcEoMv11LiUwuzFbWdXqMsA1TbuA+WvEBnFUYM/6xNiJeRIUIiGydhG1yaw8 +HrNWLHnhhcOfT6z5AO69hZZiJacp9pU/+jnep/M42p4J17x81+ESpJeladwR0Qxc +0qxOyWidN7oO5hSiBEwU6lYQjdQ23pa7tN1o90P9jyN2nFBEdBu2D/mi4DV/+VXU +YHNEy3uNhmmLGwMoPVWiZveRmG74+ne7MVyxwb9EIF3IenS4T65ee1dlZvaoMxUl +Ue8htEK0ChrQZOfITs9MyjUwoTiLUVo3kQeMli9HJEQXPRjHqkkZ7W65LhkEVnHS +PHWtttRSDkuZYtze+he142GzDSQA3dF2zy/tLpBb5CA29ITcQTspgV7AuV8YQqDZ +4XWHsR9Am5334N83EXk2oouqxl7mKUB0Vg6tujNCBSRn6A3CUaA29w/MyTg4z6Yw +6HD3il1J8PcWEoOzqlUoPd8tA5pcZCcKngkXndpXgsZCgoCgvx9WNU+LUrHBfhC3 +TLLsI7iGO1JvLghkesKTARF3O2hS3xAhfGZxn8MAEQEAAYkCHwQYAQIACQUCTo6I +EgIbDAAKCRAp7oSK4szz9HSYD/9hmEsJuSgAGwx/OPweYuDGkA25ajDAu59LpzTb +jB/yOU1rDVUu3cMH+UEyaEGlhbneGvHF2DsEC9il/8fVL4eaE9EWpopIonYndBE9 +1+YiGHPToiyKcdp0KuQMwm2ENAiEf/qErrB2NLna4wfZUx5lzvEOEk3cNPmNz2ER +yMPXIeeiQ9VKp3MzopWhvBItAyIzzuydKKvJAKzDoTOEL4w60slAphj8rVCsW45k +2AurWUH7VFM8ezXunieLeygCGb+YJZAet6yVXD3UwnNcWCGQ+xKSPuyKrn4xKG0N +5gzxnGIh/S/7IOjRaNR5X+pfWd6YzN9qURUfiXmuLSPRHK4Flfam4gMMHul9wL6X +BayFo2NUPBaxg4U9ACAgSJxgCTNPCKwnovecOsRmIESKtT1F3hbZRRgRGj/TDepJ +QNfHSyk/ZQfuoJggBMQLJKzGII42rb0W90QLMk0SyCzeb3LO3yyNiKpluNpJsl2I +qdBJE5t1LxhKDnju6JlFyPcGJnP/doTuDTjjL0V+guPAGVbuq0g2hku+ZlJwjMSt +NwHPWxeifuDJbQVIp0xZbI5djdHC8hVJX+d09J5eq0PlgMEidc4F+Vv+mmGJl0Gi +NfhmTaACSRzbI25/bhvj2xhx8A2LEOuU/+nzYgQzPcFpawiUP1wBnTqi+maxKx5/ +9ifyrw== +=Ibs8 +-----END PGP PUBLIC KEY BLOCK----- pub 1024D/D41A6DF2 2002-09-23 Andrew G. Morgan -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.0.6 (GNU/Linux) -Comment: For info see http://www.gnupg.org +Version: GnuPG v1.4.15 (GNU/Linux) mQGiBD2PVCcRBADmR2dfKJIaGj120v0EjrGbnYic8nKCrDLUHmtiZyIlMeTNqnw/ /Q2m057SIyFC5K5W7XV8LIsOcpEBAdIS5QLClwec/wqVj1FU5TLHNifR9fBq+DaI @@ -13,13 +117,33 @@ mtZnYAkopb8uksBo4yj4abfBZNiVXEttc+XpwhnRODfy576wVy/lmDMTFAz7CYw8 ObE5A/oDWXC35DcgFdmgVH2qr5COEvrDs9T5w4UdRXBMj2khE+32rdP0qqGYCW13 by84+Cpoekmg+6/FqL/At0Xl2a87czur5xR9mrDd32iknws0DggEuf+zL3Twt9kA ftnqgiGr33iaNeXwgqfgQYMbxruLvjaAOayKPhr+tgJU6bIpWbQkQW5kcmV3IEcu -IE1vcmdhbiA8bW9yZ2FuQGtlcm5lbC5vcmc+iFcEExECABcFAj2PVCcFCwcKAwQD -FQMCAxYCAQIXgAAKCRBCF4Sr1Bpt8u+VAJ958HbiLmhrpWjAauN9GrtKudijkACf -R2XasdjQs2ECc2qMX19QwNohDAc= -=7XTB +IE1vcmdhbiA8bW9yZ2FuQGtlcm5lbC5vcmc+iEYEEBECAAYFAj4UuSoACgkQkEgh +GpsoCtOuSACbBUTsx4vlTI5sfutfBntt4TySShoAn1M8hB0S9TkqbG/3OHB8gPm+ +QhjHiEYEERECAAYFAj3irW4ACgkQ1fT/Y8EaOHp+sQCfWWkmmIDvyUi4bA3v4VSw +WaK7mSsAn0N65kYwaW7ohuYJAPeZ6U2HKvFfiEYEExECAAYFAj22Rz8ACgkQi9gu +bzC5S1y0dACfewqmEfYHaTNlCD3PPBCQdWhfi4UAn3+rNDIS5AohUPpbG2/8s9Ef +ZLyKiFcEExECABcFAj2PVCcFCwcKAwQDFQMCAxYCAQIXgAAKCRBCF4Sr1Bpt8u+V +AJ958HbiLmhrpWjAauN9GrtKudijkACfR2XasdjQs2ECc2qMX19QwNohDAeIRgQQ +EQIABgUCQCGDkgAKCRCA8Qy7VNK/WXUIAJ9/Zhn5knqsTTMllzWxe/N1ddGaaACf +SiuBacgyyBdIas15RYaD0YYcNlGJARwEEwECAAYFAj/7MEkACgkQC56ssbtLKadZ +lwgAlS98PQDeITUujwAWpGvOhXh9Bfh27RRKe+MskFTzTzuvmK5+VZGo4suC0PPS +9Hv40UPtt0SvgIuli1Ero0pCP6pWGjgLGPWroXtKfXfYRqnu4vfETt/Ugy2OjG9R +zfum4J8PULD47bsMVw3oMHFucgerArSQNeNx0w5JwYpFJCb5jSf7yXhDCfm+yVv0 +XTls1DC7mtHQrnKGlZe75gEa6zaXRUAYboKbuBifV/anjwMLr2q0JKJSYxFFjIfG +e6QHAuM+NKj3+UAcpkCKYCUobaB315K/pOyKdKfRe5L+8zYQLafNqRlhkvuIkChX +ztyhoXEspp/yIPUJfZFcRldgEohGBBMRAgAGBQJEK0S1AAoJEOCAR9WqTho4asYA +oMdOh1uGDl7qgIO/h5VDwo4Hcs2xAJ4zqSnm0QrNgfFTK9x6j4Jzur+Tl4hGBBMR +AgAGBQJGg9bXAAoJEPmxwkd4G/I7NZ4An2wZ8rfwJt3CSm1ZVPiSf9Ax6J9fAKDM +1PqnD/qIbNMbmURXpEbvWWQunYkBIgQQAQIADAUCRgBA4AUDABJ1AAAKCRCXELib +yletfCcuB/kBeH0/nAFKNw77fNucYhlt9GuT1c1j+8emujF7mwgm18TVcxqRjeSV +PskEkzaX+mzf3Tfn6k7+d/dPYRHPrX0STdsNMqrZkqjt5tiozuLYJUE/PDKafzdI +Q7ya5ps2AdIKNixiSRPC+6cNB85NBorLXs9yg+JkQlPeUI7/DZb2iz1iZXTnyCZv +SvKA7JMYpCOzZ6fWshanZ/91hxQvsYHjYC+zQVTErSYQlBqz8fDLPfyYQiqQFn4c +T/i1WsxYMEaZtexvLuQe9LeaDqyY19DyBaJIIiN6EcGZ4sXRa7M6QUD1HKjEWt62 +U4shHkPGIMgQWLcRZDepovlpGVXLmXEf +=oXom -----END PGP PUBLIC KEY BLOCK----- - The following is my DSA key 'D41A6DF2' signed with my old '2A398175' RSA key. diff --git a/progs/capsh.c b/progs/capsh.c index 52336d7..3ceadcd 100644 --- a/progs/capsh.c +++ b/progs/capsh.c @@ -520,7 +520,8 @@ int main(int argc, char *argv[], char *envp[]) if (set >= 0) { const char *b; b = binary(set); /* use verilog convention for binary string */ - printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set, strlen(b), b); + printf("Securebits: 0%o/0x%x/%u'b%s\n", set, set, + (unsigned) strlen(b), b); printf(" secure-noroot: %s (%s)\n", (set & 1) ? "yes":"no", (set & 2) ? "locked":"unlocked"); diff --git a/progs/quicktest.sh b/progs/quicktest.sh index be3fa7d..ca6bf1e 100755 --- a/progs/quicktest.sh +++ b/progs/quicktest.sh @@ -44,18 +44,23 @@ pass_capsh () { pass_capsh --print -# Make a local non-setuid-0 version of ping -cp /bin/ping . && chmod -s ./ping -# Give it the forced capability it needs -./setcap all=ep ./ping +# Make a local non-setuid-0 version of capsh and call it privileged +cp ./capsh ./privileged && chmod -s ./privileged +if [ $? -ne 0 ]; then + echo "Failed to copy capsh for capability manipulation" + exit 1 +fi + +# Give it the forced capability it could need +./setcap all=ep ./privileged if [ $? -ne 0 ]; then echo "Failed to set all capabilities on file" exit 1 fi -./setcap cap_net_raw=ep ./ping +./setcap cap_setuid,cap_setgid=ep ./privileged if [ $? -ne 0 ]; then - echo "Failed to set single capability on ping file" + echo "Failed to set limited capabilities on privileged file" exit 1 fi @@ -75,37 +80,40 @@ pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin # This fails, on 2.6.24, but shouldn't pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --forkfor=10 --caps= --print --killit=9 --print" -rm -f tcapsh - # only continue with these if --secbits is supported ./capsh --secbits=0x2f > /dev/null 2>&1 if [ $? -ne 0 ]; then echo "unable to test securebits manipulation - assume not supported (PASS)" - rm -f ./ping + rm -f tcapsh + rm -f privileged exit 0 fi pass_capsh --secbits=42 --print fail_capsh --secbits=32 --keep=1 --keep=0 --print pass_capsh --secbits=10 --keep=0 --keep=1 --print -fail_capsh --secbits=47 -- -c "ping -c1 localhost" +fail_capsh --secbits=47 -- -c "./tcapsh --user=nobody" + +rm -f tcapsh # Suppress uid=0 privilege -fail_capsh --secbits=47 --print -- -c "/bin/ping -c1 localhost" +fail_capsh --secbits=47 --print -- -c "./capsh --user=nobody" -# suppress uid=0 privilege and test this ping -pass_capsh --secbits=0x2f --print -- -c "./ping -c1 localhost" +# suppress uid=0 privilege and test this privileged +pass_capsh --secbits=0x2f --print -- -c "./privileged --user=nobody" # observe that the bounding set can be used to suppress this forced capability -fail_capsh --drop=cap_net_raw,cap_chown --secbits=0x2f --print -- -c "./ping -c1 localhost" +fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=nobody" # change the way the capability is obtained (make it inheritable) -./setcap cap_net_raw=ei ./ping +./setcap cap_setuid,cap_setgid=ei ./privileged -pass_capsh --secbits=47 --inh=cap_net_raw --drop=cap_net_raw \ - --uid=500 --print -- -c "./ping -c1 localhost" +# Note, the bounding set (edited with --drop) only limits p +# capabilities, not i's. +pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \ + --uid=500 --print -- -c "./privileged --user=nobody" -rm -f ./ping +rm -f ./privileged # test that we do not support capabilities on setuid shell-scripts cat > hack.sh <