Line data Source code
1 : /*
2 : * This is <linux/capability.h>
3 : *
4 : * Andrew G. Morgan <morgan@kernel.org>
5 : * Alexander Kjeldaas <astor@guardian.no>
6 : * with help from Aleph1, Roland Buresund and Andrew Main.
7 : *
8 : * See here for the libcap library ("POSIX draft" compliance):
9 : *
10 : * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
11 : */
12 :
13 : #ifndef _LINUX_CAPABILITY_H
14 : #define _LINUX_CAPABILITY_H
15 :
16 : #include <linux/types.h>
17 :
18 : struct task_struct;
19 :
20 : /* User-level do most of the mapping between kernel and user
21 : capabilities based on the version tag given by the kernel. The
22 : kernel might be somewhat backwards compatible, but don't bet on
23 : it. */
24 :
25 : /* Note, cap_t, is defined by POSIX (draft) to be an "opaque" pointer to
26 : a set of three capability sets. The transposition of 3*the
27 : following structure to such a composite is better handled in a user
28 : library since the draft standard requires the use of malloc/free
29 : etc.. */
30 :
31 : #define _LINUX_CAPABILITY_VERSION_1 0x19980330
32 : #define _LINUX_CAPABILITY_U32S_1 1
33 :
34 : #define _LINUX_CAPABILITY_VERSION_2 0x20071026 /* deprecated - use v3 */
35 : #define _LINUX_CAPABILITY_U32S_2 2
36 :
37 : #define _LINUX_CAPABILITY_VERSION_3 0x20080522
38 : #define _LINUX_CAPABILITY_U32S_3 2
39 :
40 : typedef struct __user_cap_header_struct {
41 : __u32 version;
42 : int pid;
43 : } __user *cap_user_header_t;
44 :
45 : typedef struct __user_cap_data_struct {
46 : __u32 effective;
47 : __u32 permitted;
48 : __u32 inheritable;
49 : } __user *cap_user_data_t;
50 :
51 :
52 : #define XATTR_CAPS_SUFFIX "capability"
53 : #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
54 :
55 : #define VFS_CAP_REVISION_MASK 0xFF000000
56 : #define VFS_CAP_REVISION_SHIFT 24
57 : #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
58 : #define VFS_CAP_FLAGS_EFFECTIVE 0x000001
59 :
60 : #define VFS_CAP_REVISION_1 0x01000000
61 : #define VFS_CAP_U32_1 1
62 : #define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
63 :
64 : #define VFS_CAP_REVISION_2 0x02000000
65 : #define VFS_CAP_U32_2 2
66 : #define XATTR_CAPS_SZ_2 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_2))
67 :
68 : #define XATTR_CAPS_SZ XATTR_CAPS_SZ_2
69 : #define VFS_CAP_U32 VFS_CAP_U32_2
70 : #define VFS_CAP_REVISION VFS_CAP_REVISION_2
71 :
72 : struct vfs_cap_data {
73 : __le32 magic_etc; /* Little endian */
74 : struct {
75 : __le32 permitted; /* Little endian */
76 : __le32 inheritable; /* Little endian */
77 : } data[VFS_CAP_U32];
78 : };
79 :
80 : #ifndef __KERNEL__
81 :
82 : /*
83 : * Backwardly compatible definition for source code - trapped in a
84 : * 32-bit world. If you find you need this, please consider using
85 : * libcap to untrap yourself...
86 : */
87 : #define _LINUX_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1
88 : #define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1
89 :
90 : #else
91 :
92 : #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
93 : #define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
94 :
95 : extern int file_caps_enabled;
96 1 :
97 : typedef struct kernel_cap_struct {
98 : __u32 cap[_KERNEL_CAPABILITY_U32S];
99 1 : } kernel_cap_t;
100 :
101 : /* exact same as vfs_cap_data but in cpu endian and always filled completely */
102 : struct cpu_vfs_cap_data {
103 : __u32 magic_etc;
104 : kernel_cap_t permitted;
105 : kernel_cap_t inheritable;
106 : };
107 :
108 : #define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
109 : #define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
110 :
111 : #endif
112 :
113 :
114 : /**
115 : ** POSIX-draft defined capabilities.
116 : **/
117 :
118 : /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
119 : overrides the restriction of changing file ownership and group
120 : ownership. */
121 :
122 : #define CAP_CHOWN 0
123 :
124 : /* Override all DAC access, including ACL execute access if
125 : [_POSIX_ACL] is defined. Excluding DAC access covered by
126 : CAP_LINUX_IMMUTABLE. */
127 :
128 : #define CAP_DAC_OVERRIDE 1
129 :
130 : /* Overrides all DAC restrictions regarding read and search on files
131 : and directories, including ACL restrictions if [_POSIX_ACL] is
132 : defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
133 :
134 : #define CAP_DAC_READ_SEARCH 2
135 :
136 : /* Overrides all restrictions about allowed operations on files, where
137 : file owner ID must be equal to the user ID, except where CAP_FSETID
138 : is applicable. It doesn't override MAC and DAC restrictions. */
139 :
140 : #define CAP_FOWNER 3
141 :
142 : /* Overrides the following restrictions that the effective user ID
143 : shall match the file owner ID when setting the S_ISUID and S_ISGID
144 : bits on that file; that the effective group ID (or one of the
145 : supplementary group IDs) shall match the file owner ID when setting
146 : the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
147 : cleared on successful return from chown(2) (not implemented). */
148 :
149 : #define CAP_FSETID 4
150 :
151 : /* Overrides the restriction that the real or effective user ID of a
152 : process sending a signal must match the real or effective user ID
153 : of the process receiving the signal. */
154 :
155 : #define CAP_KILL 5
156 :
157 : /* Allows setgid(2) manipulation */
158 : /* Allows setgroups(2) */
159 : /* Allows forged gids on socket credentials passing. */
160 :
161 : #define CAP_SETGID 6
162 :
163 : /* Allows set*uid(2) manipulation (including fsuid). */
164 : /* Allows forged pids on socket credentials passing. */
165 :
166 : #define CAP_SETUID 7
167 :
168 :
169 : /**
170 : ** Linux-specific capabilities
171 : **/
172 :
173 : /* Without VFS support for capabilities:
174 : * Transfer any capability in your permitted set to any pid,
175 : * remove any capability in your permitted set from any pid
176 : * With VFS support for capabilities (neither of above, but)
177 : * Add any capability from current's capability bounding set
178 : * to the current process' inheritable set
179 : * Allow taking bits out of capability bounding set
180 : * Allow modification of the securebits for a process
181 : */
182 :
183 : #define CAP_SETPCAP 8
184 :
185 : /* Allow modification of S_IMMUTABLE and S_APPEND file attributes */
186 :
187 : #define CAP_LINUX_IMMUTABLE 9
188 :
189 : /* Allows binding to TCP/UDP sockets below 1024 */
190 : /* Allows binding to ATM VCIs below 32 */
191 :
192 : #define CAP_NET_BIND_SERVICE 10
193 :
194 : /* Allow broadcasting, listen to multicast */
195 :
196 : #define CAP_NET_BROADCAST 11
197 :
198 : /* Allow interface configuration */
199 : /* Allow administration of IP firewall, masquerading and accounting */
200 : /* Allow setting debug option on sockets */
201 : /* Allow modification of routing tables */
202 : /* Allow setting arbitrary process / process group ownership on
203 : sockets */
204 : /* Allow binding to any address for transparent proxying */
205 : /* Allow setting TOS (type of service) */
206 : /* Allow setting promiscuous mode */
207 : /* Allow clearing driver statistics */
208 : /* Allow multicasting */
209 : /* Allow read/write of device-specific registers */
210 : /* Allow activation of ATM control sockets */
211 :
212 : #define CAP_NET_ADMIN 12
213 :
214 : /* Allow use of RAW sockets */
215 : /* Allow use of PACKET sockets */
216 :
217 : #define CAP_NET_RAW 13
218 :
219 : /* Allow locking of shared memory segments */
220 : /* Allow mlock and mlockall (which doesn't really have anything to do
221 : with IPC) */
222 :
223 : #define CAP_IPC_LOCK 14
224 :
225 : /* Override IPC ownership checks */
226 :
227 : #define CAP_IPC_OWNER 15
228 :
229 : /* Insert and remove kernel modules - modify kernel without limit */
230 : #define CAP_SYS_MODULE 16
231 :
232 : /* Allow ioperm/iopl access */
233 : /* Allow sending USB messages to any device via /proc/bus/usb */
234 :
235 : #define CAP_SYS_RAWIO 17
236 :
237 : /* Allow use of chroot() */
238 :
239 : #define CAP_SYS_CHROOT 18
240 :
241 : /* Allow ptrace() of any process */
242 :
243 : #define CAP_SYS_PTRACE 19
244 :
245 : /* Allow configuration of process accounting */
246 :
247 : #define CAP_SYS_PACCT 20
248 :
249 : /* Allow configuration of the secure attention key */
250 : /* Allow administration of the random device */
251 : /* Allow examination and configuration of disk quotas */
252 : /* Allow configuring the kernel's syslog (printk behaviour) */
253 : /* Allow setting the domainname */
254 : /* Allow setting the hostname */
255 : /* Allow calling bdflush() */
256 : /* Allow mount() and umount(), setting up new smb connection */
257 : /* Allow some autofs root ioctls */
258 : /* Allow nfsservctl */
259 : /* Allow VM86_REQUEST_IRQ */
260 : /* Allow to read/write pci config on alpha */
261 : /* Allow irix_prctl on mips (setstacksize) */
262 : /* Allow flushing all cache on m68k (sys_cacheflush) */
263 : /* Allow removing semaphores */
264 : /* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
265 : and shared memory */
266 : /* Allow locking/unlocking of shared memory segment */
267 : /* Allow turning swap on/off */
268 : /* Allow forged pids on socket credentials passing */
269 : /* Allow setting readahead and flushing buffers on block devices */
270 : /* Allow setting geometry in floppy driver */
271 : /* Allow turning DMA on/off in xd driver */
272 : /* Allow administration of md devices (mostly the above, but some
273 : extra ioctls) */
274 : /* Allow tuning the ide driver */
275 : /* Allow access to the nvram device */
276 : /* Allow administration of apm_bios, serial and bttv (TV) device */
277 : /* Allow manufacturer commands in isdn CAPI support driver */
278 : /* Allow reading non-standardized portions of pci configuration space */
279 : /* Allow DDI debug ioctl on sbpcd driver */
280 : /* Allow setting up serial ports */
281 : /* Allow sending raw qic-117 commands */
282 : /* Allow enabling/disabling tagged queuing on SCSI controllers and sending
283 : arbitrary SCSI commands */
284 : /* Allow setting encryption key on loopback filesystem */
285 : /* Allow setting zone reclaim policy */
286 :
287 : #define CAP_SYS_ADMIN 21
288 :
289 : /* Allow use of reboot() */
290 :
291 : #define CAP_SYS_BOOT 22
292 :
293 : /* Allow raising priority and setting priority on other (different
294 : UID) processes */
295 : /* Allow use of FIFO and round-robin (realtime) scheduling on own
296 : processes and setting the scheduling algorithm used by another
297 : process. */
298 : /* Allow setting cpu affinity on other processes */
299 :
300 : #define CAP_SYS_NICE 23
301 :
302 : /* Override resource limits. Set resource limits. */
303 : /* Override quota limits. */
304 : /* Override reserved space on ext2 filesystem */
305 : /* Modify data journaling mode on ext3 filesystem (uses journaling
306 : resources) */
307 : /* NOTE: ext2 honors fsuid when checking for resource overrides, so
308 : you can override using fsuid too */
309 : /* Override size restrictions on IPC message queues */
310 : /* Allow more than 64hz interrupts from the real-time clock */
311 : /* Override max number of consoles on console allocation */
312 : /* Override max number of keymaps */
313 :
314 : #define CAP_SYS_RESOURCE 24
315 :
316 : /* Allow manipulation of system clock */
317 : /* Allow irix_stime on mips */
318 : /* Allow setting the real-time clock */
319 :
320 : #define CAP_SYS_TIME 25
321 :
322 : /* Allow configuration of tty devices */
323 : /* Allow vhangup() of tty */
324 :
325 : #define CAP_SYS_TTY_CONFIG 26
326 :
327 : /* Allow the privileged aspects of mknod() */
328 :
329 : #define CAP_MKNOD 27
330 :
331 : /* Allow taking of leases on files */
332 :
333 : #define CAP_LEASE 28
334 :
335 : #define CAP_AUDIT_WRITE 29
336 :
337 : #define CAP_AUDIT_CONTROL 30
338 :
339 : #define CAP_SETFCAP 31
340 :
341 : /* Override MAC access.
342 : The base kernel enforces no MAC policy.
343 : An LSM may enforce a MAC policy, and if it does and it chooses
344 : to implement capability based overrides of that policy, this is
345 : the capability it should use to do so. */
346 :
347 : #define CAP_MAC_OVERRIDE 32
348 :
349 : /* Allow MAC configuration or state changes.
350 : The base kernel requires no MAC configuration.
351 : An LSM may enforce a MAC policy, and if it does and it chooses
352 : to implement capability based checks on modifications to that
353 : policy or the data required to maintain it, this is the
354 : capability it should use to do so. */
355 :
356 : #define CAP_MAC_ADMIN 33
357 :
358 : #define CAP_LAST_CAP CAP_MAC_ADMIN
359 :
360 : #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
361 :
362 : /*
363 : * Bit location of each capability (used by user-space library and kernel)
364 : */
365 :
366 : #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
367 : #define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */
368 :
369 : #ifdef __KERNEL__
370 :
371 : /*
372 : * Internal kernel functions only
373 : */
374 :
375 : #define CAP_FOR_EACH_U32(__capi) \
376 : for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
377 :
378 : /*
379 : * CAP_FS_MASK and CAP_NFSD_MASKS:
380 : *
381 : * The fs mask is all the privileges that fsuid==0 historically meant.
382 : * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
383 : *
384 : * It has never meant setting security.* and trusted.* xattrs.
385 : *
386 : * We could also define fsmask as follows:
387 : * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
388 : * 2. The security.* and trusted.* xattrs are fs-related MAC permissions
389 : */
390 :
391 : # define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
392 : | CAP_TO_MASK(CAP_MKNOD) \
393 : | CAP_TO_MASK(CAP_DAC_OVERRIDE) \
394 : | CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
395 : | CAP_TO_MASK(CAP_FOWNER) \
396 : | CAP_TO_MASK(CAP_FSETID))
397 :
398 : # define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
399 :
400 : #if _KERNEL_CAPABILITY_U32S != 2
401 : # error Fix up hand-coded capability macro initializers
402 : #else /* HAND-CODED capability initializers */
403 :
404 : # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
405 : # define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
406 : # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
407 : # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
408 : | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
409 : CAP_FS_MASK_B1 } })
410 : # define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
411 : | CAP_TO_MASK(CAP_SYS_RESOURCE), \
412 : CAP_FS_MASK_B1 } })
413 :
414 : #endif /* _KERNEL_CAPABILITY_U32S != 2 */
415 :
416 : #define CAP_INIT_INH_SET CAP_EMPTY_SET
417 :
418 : # define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
419 : # define cap_set_full(c) do { (c) = __cap_full_set; } while (0)
420 : # define cap_set_init_eff(c) do { (c) = __cap_init_eff_set; } while (0)
421 :
422 : #define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
423 : #define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
424 : #define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
425 :
426 : #define CAP_BOP_ALL(c, a, b, OP) \
427 : do { \
428 : unsigned __capi; \
429 : CAP_FOR_EACH_U32(__capi) { \
430 : c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
431 : } \
432 : } while (0)
433 :
434 : #define CAP_UOP_ALL(c, a, OP) \
435 : do { \
436 : unsigned __capi; \
437 : CAP_FOR_EACH_U32(__capi) { \
438 : c.cap[__capi] = OP a.cap[__capi]; \
439 : } \
440 : } while (0)
441 :
442 : static inline kernel_cap_t cap_combine(const kernel_cap_t a,
443 : const kernel_cap_t b)
444 : {
445 : kernel_cap_t dest;
446 : CAP_BOP_ALL(dest, a, b, |);
447 : return dest;
448 : }
449 :
450 : static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
451 : const kernel_cap_t b)
452 : {
453 : kernel_cap_t dest;
454 : CAP_BOP_ALL(dest, a, b, &);
455 : return dest;
456 : }
457 :
458 : static inline kernel_cap_t cap_drop(const kernel_cap_t a,
459 : const kernel_cap_t drop)
460 : {
461 : kernel_cap_t dest;
462 : CAP_BOP_ALL(dest, a, drop, &~);
463 : return dest;
464 : }
465 :
466 : static inline kernel_cap_t cap_invert(const kernel_cap_t c)
467 : {
468 : kernel_cap_t dest;
469 : CAP_UOP_ALL(dest, c, ~);
470 : return dest;
471 : }
472 :
473 : static inline int cap_isclear(const kernel_cap_t a)
474 : {
475 : unsigned __capi;
476 : CAP_FOR_EACH_U32(__capi) {
477 : if (a.cap[__capi] != 0)
478 : return 0;
479 : }
480 : return 1;
481 : }
482 :
483 : /*
484 : * Check if "a" is a subset of "set".
485 : * return 1 if ALL of the capabilities in "a" are also in "set"
486 : * cap_issubset(0101, 1111) will return 1
487 : * return 0 if ANY of the capabilities in "a" are not in "set"
488 : * cap_issubset(1111, 0101) will return 0
489 : */
490 : static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
491 : {
492 : kernel_cap_t dest;
493 : dest = cap_drop(a, set);
494 : return cap_isclear(dest);
495 : }
496 :
497 : /* Used to decide between falling back on the old suser() or fsuser(). */
498 :
499 : static inline int cap_is_fs_cap(int cap)
500 : {
501 : const kernel_cap_t __cap_fs_set = CAP_FS_SET;
502 : return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
503 : }
504 :
505 : static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
506 : {
507 : const kernel_cap_t __cap_fs_set = CAP_FS_SET;
508 : return cap_drop(a, __cap_fs_set);
509 : }
510 :
511 : static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
512 : const kernel_cap_t permitted)
513 : {
514 : const kernel_cap_t __cap_fs_set = CAP_FS_SET;
515 : return cap_combine(a,
516 : cap_intersect(permitted, __cap_fs_set));
517 : }
518 :
519 : static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
520 : {
521 : const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
522 : return cap_drop(a, __cap_fs_set);
523 : }
524 :
525 : static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
526 : const kernel_cap_t permitted)
527 : {
528 : const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
529 : return cap_combine(a,
530 : cap_intersect(permitted, __cap_nfsd_set));
531 : }
532 :
533 : extern const kernel_cap_t __cap_empty_set;
534 : extern const kernel_cap_t __cap_full_set;
535 : extern const kernel_cap_t __cap_init_eff_set;
536 :
537 : /**
538 : * has_capability - Determine if a task has a superior capability available
539 : * @t: The task in question
540 : * @cap: The capability to be tested for
541 : *
542 : * Return true if the specified task has the given superior capability
543 : * currently in effect, false if not.
544 : *
545 : * Note that this does not set PF_SUPERPRIV on the task.
546 : */
547 : #define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
548 :
549 : /**
550 : * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
551 : * @t: The task in question
552 : * @cap: The capability to be tested for
553 : *
554 : * Return true if the specified task has the given superior capability
555 : * currently in effect, false if not, but don't write an audit message for the
556 : * check.
557 : *
558 : * Note that this does not set PF_SUPERPRIV on the task.
559 : */
560 : #define has_capability_noaudit(t, cap) \
561 : (security_real_capable_noaudit((t), (cap)) == 0)
562 :
563 : extern int capable(int cap);
564 :
565 : /* audit system wants to get cap info from files as well */
566 : struct dentry;
567 : extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
568 :
569 : #endif /* __KERNEL__ */
570 :
571 : #endif /* !_LINUX_CAPABILITY_H */
|