security: protect legacy applications from executing with insufficient privilege

When cap_bset suppresses some of the forced (fP) capabilities of a file,
it is generally only safe to execute the program if it understands how to
recognize it doesn't have enough privilege to work correctly.  For legacy
applications (fE!=0), which have no non-destructive way to determine that
they are missing privilege, we fail to execute (EPERM) any executable that
requires fP capabilities, but would otherwise get pP' < fP.  This is a
fail-safe permission check.

For some discussion of why it is problematic for (legacy) privileged
applications to run with less than the set of capabilities requested for
them, see:

 http://userweb.kernel.org/~morgan/sendmail-capabilities-war-story.html

With this iteration of this support, we do not include setuid-0 based
privilege protection from the bounding set.  That is, the admin can still
(ab)use the bounding set to suppress the privileges of a setuid-0 program.

[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: cleanup]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index ee0ed48..826f623 100644 (file)
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -38,7 +38,7 @@ struct linux_binprm{
                     misc_bang:1;
        struct file * file;
        int e_uid, e_gid;
-       kernel_cap_t cap_inheritable, cap_permitted;
+       kernel_cap_t cap_post_exec_permitted;
        bool cap_effective;
        void *security;
        int argc, envc;

diff --git a/security/commoncap.c b/security/commoncap.c
index 0b6537a..4afbece 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -162,8 +162,7 @@ void cap_capset_set (struct task_struct *target, kernel_cap_t *effective,
 
 static inline void bprm_clear_caps(struct linux_binprm *bprm)
 {
-       cap_clear(bprm->cap_inheritable);
-       cap_clear(bprm->cap_permitted);
+       cap_clear(bprm->cap_post_exec_permitted);
        bprm->cap_effective = false;
 }
 
@@ -198,6 +197,7 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
 {
        __u32 magic_etc;
        unsigned tocopy, i;
+       int ret;
 
        if (size < sizeof(magic_etc))
                return -EINVAL;
@@ -225,19 +225,40 @@ static inline int cap_from_disk(struct vfs_cap_data *caps,
                bprm->cap_effective = false;
        }
 
-       for (i = 0; i < tocopy; ++i) {
-               bprm->cap_permitted.cap[i] =
-                       le32_to_cpu(caps->data[i].permitted);
-               bprm->cap_inheritable.cap[i] =
-                       le32_to_cpu(caps->data[i].inheritable);
-       }
-       while (i < VFS_CAP_U32) {
-               bprm->cap_permitted.cap[i] = 0;
-               bprm->cap_inheritable.cap[i] = 0;
-               i++;
+       ret = 0;
+
+       CAP_FOR_EACH_U32(i) {
+               __u32 value_cpu;
+
+               if (i >= tocopy) {
+                       /*
+                        * Legacy capability sets have no upper bits
+                        */
+                       bprm->cap_post_exec_permitted.cap[i] = 0;
+                       continue;
+               }
+               /*
+                * pP' = (X & fP) | (pI & fI)
+                */
+               value_cpu = le32_to_cpu(caps->data[i].permitted);
+               bprm->cap_post_exec_permitted.cap[i] =
+                       (current->cap_bset.cap[i] & value_cpu) |
+                       (current->cap_inheritable.cap[i] &
+                               le32_to_cpu(caps->data[i].inheritable));
+               if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
+                       /*
+                        * insufficient to execute correctly
+                        */
+                       ret = -EPERM;
+               }
        }
 
-       return 0;
+       /*
+        * For legacy apps, with no internal support for recognizing they
+        * do not have enough capabilities, we return an error if they are
+        * missing some "forced" (aka file-permitted) capabilities.
+        */
+       return bprm->cap_effective ? ret : 0;
 }
 
 /* Locate any VFS capabilities: */
@@ -269,9 +290,9 @@ static int get_file_caps(struct linux_binprm *bprm)
                goto out;
 
        rc = cap_from_disk(&vcaps, bprm, rc);
-       if (rc)
+       if (rc == -EINVAL)
                printk(KERN_NOTICE "%s: cap_from_disk returned %d for %s\n",
-                       __func__, rc, bprm->filename);
+                      __func__, rc, bprm->filename);
 
 out:
        dput(dentry);
@@ -304,25 +325,24 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
        int ret;
 
        ret = get_file_caps(bprm);
-       if (ret)
-               printk(KERN_NOTICE "%s: get_file_caps returned %d for %s\n",
-                       __func__, ret, bprm->filename);
-
-       /*  To support inheritance of root-permissions and suid-root
-        *  executables under compatibility mode, we raise all three
-        *  capability sets for the file.
-        *
-        *  If only the real uid is 0, we only raise the inheritable
-        *  and permitted sets of the executable file.
-        */
 
-       if (!issecure (SECURE_NOROOT)) {
+       if (!issecure(SECURE_NOROOT)) {
+               /*
+                * To support inheritance of root-permissions and suid-root
+                * executables under compatibility mode, we override the
+                * capability sets for the file.
+                *
+                * If only the real uid is 0, we do not set the effective
+                * bit.
+                */
                if (bprm->e_uid == 0 || current->uid == 0) {
-                       cap_set_full (bprm->cap_inheritable);
-                       cap_set_full (bprm->cap_permitted);
+                       /* pP' = (cap_bset & ~0) | (pI & ~0) */
+                       bprm->cap_post_exec_permitted = cap_combine(
+                               current->cap_bset, current->cap_inheritable
+                               );
+                       bprm->cap_effective = (bprm->e_uid == 0);
+                       ret = 0;
                }
-               if (bprm->e_uid == 0)
-                       bprm->cap_effective = true;
        }
 
        return ret;
@@ -330,17 +350,9 @@ int cap_bprm_set_security (struct linux_binprm *bprm)
 
 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 {
-       /* Derived from fs/exec.c:compute_creds. */
-       kernel_cap_t new_permitted, working;
-
-       new_permitted = cap_intersect(bprm->cap_permitted,
-                                current->cap_bset);
-       working = cap_intersect(bprm->cap_inheritable,
-                                current->cap_inheritable);
-       new_permitted = cap_combine(new_permitted, working);
-
        if (bprm->e_uid != current->uid || bprm->e_gid != current->gid ||
-           !cap_issubset (new_permitted, current->cap_permitted)) {
+           !cap_issubset(bprm->cap_post_exec_permitted,
+                         current->cap_permitted)) {
                set_dumpable(current->mm, suid_dumpable);
                current->pdeath_signal = 0;
 
@@ -350,9 +362,9 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
                                bprm->e_gid = current->gid;
                        }
                        if (cap_limit_ptraced_target()) {
-                               new_permitted =
-                                       cap_intersect(new_permitted,
-                                                     current->cap_permitted);
+                               bprm->cap_post_exec_permitted = cap_intersect(
+                                       bprm->cap_post_exec_permitted,
+                                       current->cap_permitted);
                        }
                }
        }
@@ -364,9 +376,9 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
         * in the init_task struct. Thus we skip the usual
         * capability rules */
        if (!is_global_init(current)) {
-               current->cap_permitted = new_permitted;
+               current->cap_permitted = bprm->cap_post_exec_permitted;
                if (bprm->cap_effective)
-                       current->cap_effective = new_permitted;
+                       current->cap_effective = bprm->cap_post_exec_permitted;
                else
                        cap_clear(current->cap_effective);
        }
@@ -381,9 +393,7 @@ int cap_bprm_secureexec (struct linux_binprm *bprm)
        if (current->uid != 0) {
                if (bprm->cap_effective)
                        return 1;
-               if (!cap_isclear(bprm->cap_permitted))
-                       return 1;
-               if (!cap_isclear(bprm->cap_inheritable))
+               if (!cap_isclear(bprm->cap_post_exec_permitted))
                        return 1;
        }