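Lines matching references to the identifier `new` (each entry gives the source line number, the matching line, the enclosing function, and, where `new` is declared, whether it is an argument or a local):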
272 int cap_capset(struct cred *new, in cap_capset() argument
299 new->cap_effective = *effective; in cap_capset()
300 new->cap_inheritable = *inheritable; in cap_capset()
301 new->cap_permitted = *permitted; in cap_capset()
307 new->cap_ambient = cap_intersect(new->cap_ambient, in cap_capset()
310 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_capset()
621 struct cred *new = bprm->cred; in bprm_caps_from_vfs_caps() local
634 new->cap_permitted.val = in bprm_caps_from_vfs_caps()
635 (new->cap_bset.val & caps->permitted.val) | in bprm_caps_from_vfs_caps()
636 (new->cap_inheritable.val & caps->inheritable.val); in bprm_caps_from_vfs_caps()
638 if (caps->permitted.val & ~new->cap_permitted.val) in bprm_caps_from_vfs_caps()
822 struct cred *new = bprm->cred; in handle_privileged_root() local
831 if (has_fcap && __is_suid(root_uid, new)) { in handle_privileged_root()
840 if (__is_eff(root_uid, new) || __is_real(root_uid, new)) { in handle_privileged_root()
842 new->cap_permitted = cap_combine(old->cap_bset, in handle_privileged_root()
848 if (__is_eff(root_uid, new)) in handle_privileged_root()
876 static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old, in nonroot_raised_pE() argument
881 if ((__cap_grew(effective, ambient, new) && in nonroot_raised_pE()
882 !(__cap_full(effective, new) && in nonroot_raised_pE()
883 (__is_eff(root, new) || __is_real(root, new)) && in nonroot_raised_pE()
886 __is_suid(root, new) && in nonroot_raised_pE()
887 !__cap_full(effective, new)) || in nonroot_raised_pE()
888 (uid_eq(new->euid, old->euid) && in nonroot_raised_pE()
890 __cap_gained(permitted, new, old)) || in nonroot_raised_pE()
891 __cap_gained(ambient, new, old)))) in nonroot_raised_pE()
913 struct cred *new = bprm->cred; in cap_bprm_creds_from_file() local
925 root_uid = make_kuid(new->user_ns, 0); in cap_bprm_creds_from_file()
930 if (__cap_gained(permitted, new, old)) in cap_bprm_creds_from_file()
938 id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid); in cap_bprm_creds_from_file()
940 if ((id_changed || __cap_gained(permitted, new, old)) && in cap_bprm_creds_from_file()
942 !ptracer_capable(current, new->user_ns))) { in cap_bprm_creds_from_file()
944 if (!ns_capable(new->user_ns, CAP_SETUID) || in cap_bprm_creds_from_file()
946 new->euid = new->uid; in cap_bprm_creds_from_file()
947 new->egid = new->gid; in cap_bprm_creds_from_file()
949 new->cap_permitted = cap_intersect(new->cap_permitted, in cap_bprm_creds_from_file()
953 new->suid = new->fsuid = new->euid; in cap_bprm_creds_from_file()
954 new->sgid = new->fsgid = new->egid; in cap_bprm_creds_from_file()
958 cap_clear(new->cap_ambient); in cap_bprm_creds_from_file()
964 new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); in cap_bprm_creds_from_file()
971 new->cap_effective = new->cap_permitted; in cap_bprm_creds_from_file()
973 new->cap_effective = new->cap_ambient; in cap_bprm_creds_from_file()
975 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_creds_from_file()
978 if (nonroot_raised_pE(new, old, root_uid, has_fcap)) { in cap_bprm_creds_from_file()
979 ret = audit_log_bprm_fcaps(bprm, new, old); in cap_bprm_creds_from_file()
984 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_bprm_creds_from_file()
986 if (WARN_ON(!cap_ambient_invariant_ok(new))) in cap_bprm_creds_from_file()
991 !uid_eq(new->euid, old->uid) || in cap_bprm_creds_from_file()
992 !gid_eq(new->egid, old->gid) || in cap_bprm_creds_from_file()
993 (!__is_real(root_uid, new) && in cap_bprm_creds_from_file()
995 __cap_grew(permitted, ambient, new)))) in cap_bprm_creds_from_file()
1110 static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) in cap_emulate_setxuid() argument
1117 (!uid_eq(new->uid, root_uid) && in cap_emulate_setxuid()
1118 !uid_eq(new->euid, root_uid) && in cap_emulate_setxuid()
1119 !uid_eq(new->suid, root_uid))) { in cap_emulate_setxuid()
1121 cap_clear(new->cap_permitted); in cap_emulate_setxuid()
1122 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1130 cap_clear(new->cap_ambient); in cap_emulate_setxuid()
1132 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1133 cap_clear(new->cap_effective); in cap_emulate_setxuid()
1134 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid)) in cap_emulate_setxuid()
1135 new->cap_effective = new->cap_permitted; in cap_emulate_setxuid()
1149 int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags) in cap_task_fix_setuid() argument
1158 cap_emulate_setxuid(new, old); in cap_task_fix_setuid()
1170 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1171 new->cap_effective = in cap_task_fix_setuid()
1172 cap_drop_fs_set(new->cap_effective); in cap_task_fix_setuid()
1174 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid)) in cap_task_fix_setuid()
1175 new->cap_effective = in cap_task_fix_setuid()
1176 cap_raise_fs_set(new->cap_effective, in cap_task_fix_setuid()
1177 new->cap_permitted); in cap_task_fix_setuid()
1262 struct cred *new; in cap_prctl_drop() local
1269 new = prepare_creds(); in cap_prctl_drop()
1270 if (!new) in cap_prctl_drop()
1272 cap_lower(new->cap_bset, cap); in cap_prctl_drop()
1273 return commit_creds(new); in cap_prctl_drop()
1295 struct cred *new; in cap_task_prctl() local
1362 new = prepare_creds(); in cap_task_prctl()
1363 if (!new) in cap_task_prctl()
1365 new->securebits = arg2; in cap_task_prctl()
1366 return commit_creds(new); in cap_task_prctl()
1380 new = prepare_creds(); in cap_task_prctl()
1381 if (!new) in cap_task_prctl()
1384 new->securebits |= issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1386 new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); in cap_task_prctl()
1387 return commit_creds(new); in cap_task_prctl()
1394 new = prepare_creds(); in cap_task_prctl()
1395 if (!new) in cap_task_prctl()
1397 cap_clear(new->cap_ambient); in cap_task_prctl()
1398 return commit_creds(new); in cap_task_prctl()
1417 new = prepare_creds(); in cap_task_prctl()
1418 if (!new) in cap_task_prctl()
1421 cap_raise(new->cap_ambient, arg3); in cap_task_prctl()
1423 cap_lower(new->cap_ambient, arg3); in cap_task_prctl()
1424 return commit_creds(new); in cap_task_prctl()