1 /*
2  * Copyright (c) 1997-8,2007,11,19,20 Andrew G Morgan <morgan@kernel.org>
3  *
4  * This file deals with getting and setting capabilities on processes.
5  */
6 
7 #ifndef _GNU_SOURCE
8 #define _GNU_SOURCE
9 #endif
10 
11 #include <errno.h>
12 #include <fcntl.h>              /* Obtain O_* constant definitions */
13 #include <grp.h>
14 #include <sys/prctl.h>
15 #include <sys/securebits.h>
16 #include <sys/syscall.h>
17 #include <unistd.h>
18 #include <sys/types.h>
19 #include <sys/wait.h>
20 
21 #include <linux/limits.h>
22 
23 #include "libcap.h"
24 
25 /*
26  * libcap uses this abstraction for all system calls that change
27  * kernel managed capability state. This permits the user to redirect
28  * it for testing and also to better implement posix semantics when
29  * using pthreads.
30  */
31 
_cap_syscall3(long int syscall_nr,long int arg1,long int arg2,long int arg3)32 static long int _cap_syscall3(long int syscall_nr,
33 			      long int arg1, long int arg2, long int arg3)
34 {
35     return syscall(syscall_nr, arg1, arg2, arg3);
36 }
37 
_cap_syscall6(long int syscall_nr,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5,long int arg6)38 static long int _cap_syscall6(long int syscall_nr,
39 			      long int arg1, long int arg2, long int arg3,
40 			      long int arg4, long int arg5, long int arg6)
41 {
42     return syscall(syscall_nr, arg1, arg2, arg3, arg4, arg5, arg6);
43 }
44 
45 /*
46  * to keep the structure of the code conceptually similar in C and Go
47  * implementations, we introduce this abstraction for invoking state
48  * writing system calls. In psx+pthreaded code, the fork
49  * implementation provided by nptl ensures that we can consistently
50  * use the multithreaded syscalls even in the child after a fork().
51  */
52 struct syscaller_s {
53     long int (*three)(long int syscall_nr,
54 		      long int arg1, long int arg2, long int arg3);
55     long int (*six)(long int syscall_nr,
56 		    long int arg1, long int arg2, long int arg3,
57 		    long int arg4, long int arg5, long int arg6);
58 };
59 
60 /* use this syscaller for multi-threaded code */
61 static struct syscaller_s multithread = {
62     .three = _cap_syscall3,
63     .six = _cap_syscall6
64 };
65 
66 /* use this syscaller for single-threaded code */
67 static struct syscaller_s singlethread = {
68     .three = _cap_syscall3,
69     .six = _cap_syscall6
70 };
71 
72 /*
73  * This gets reset to 0 if we are *not* linked with libpsx.
74  */
75 static int _libcap_overrode_syscalls = 1;
76 
77 /*
78  * psx_load_syscalls() is weakly defined so we can have it overridden
79  * by libpsx if that library is linked. Specifically, when libcap
80  * calls psx_load_sycalls() it is prepared to override the default
81  * values for the syscalls that libcap uses to change security state.
82  * As can be seen here this present function is mostly a
83  * no-op. However, if libpsx is linked, the one present in that
84  * library (not being weak) will replace this one and the
85  * _libcap_overrode_syscalls value isn't forced to zero.
86  *
87  * Note: we hardcode the prototype for the psx_load_syscalls()
88  * function here so the compiler isn't worried. If we force the build
89  * to include the header, we are close to requiring the optional
90  * libpsx to be linked.
91  */
92 void psx_load_syscalls(long int (**syscall_fn)(long int,
93 					      long int, long int, long int),
94 		       long int (**syscall6_fn)(long int,
95 						long int, long int, long int,
96 						long int, long int, long int));
97 
98 __attribute__((weak))
psx_load_syscalls(long int (** syscall_fn)(long int,long int,long int,long int),long int (** syscall6_fn)(long int,long int,long int,long int,long int,long int,long int))99 void psx_load_syscalls(long int (**syscall_fn)(long int,
100 					       long int, long int, long int),
101 		       long int (**syscall6_fn)(long int,
102 						long int, long int, long int,
103 						long int, long int, long int))
104 {
105     _libcap_overrode_syscalls = 0;
106 }
107 
108 /*
109  * cap_set_syscall overrides the state setting syscalls that libcap does.
110  * Generally, you don't need to call this manually: libcap tries hard to
111  * set things up appropriately.
112  */
cap_set_syscall(long int (* new_syscall)(long int,long int,long int,long int),long int (* new_syscall6)(long int,long int,long int,long int,long int,long int,long int))113 void cap_set_syscall(long int (*new_syscall)(long int,
114 					     long int, long int, long int),
115 			    long int (*new_syscall6)(long int, long int,
116 						     long int, long int,
117 						     long int, long int,
118 						     long int)) {
119     if (new_syscall == NULL) {
120 	psx_load_syscalls(&multithread.three, &multithread.six);
121     } else {
122 	multithread.three = new_syscall;
123 	multithread.six = new_syscall6;
124     }
125 }
126 
_libcap_capset(struct syscaller_s * sc,cap_user_header_t header,const cap_user_data_t data)127 static int _libcap_capset(struct syscaller_s *sc,
128 			  cap_user_header_t header, const cap_user_data_t data)
129 {
130     if (_libcap_overrode_syscalls) {
131 	return sc->three(SYS_capset, (long int) header, (long int) data, 0);
132     }
133     return capset(header, data);
134 }
135 
_libcap_wprctl3(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2)136 static int _libcap_wprctl3(struct syscaller_s *sc,
137 			   long int pr_cmd, long int arg1, long int arg2)
138 {
139     if (_libcap_overrode_syscalls) {
140 	return sc->three(SYS_prctl, pr_cmd, arg1, arg2);
141     }
142     return prctl(pr_cmd, arg1, arg2, 0, 0, 0);
143 }
144 
_libcap_wprctl6(struct syscaller_s * sc,long int pr_cmd,long int arg1,long int arg2,long int arg3,long int arg4,long int arg5)145 static int _libcap_wprctl6(struct syscaller_s *sc,
146 			   long int pr_cmd, long int arg1, long int arg2,
147 			   long int arg3, long int arg4, long int arg5)
148 {
149     if (_libcap_overrode_syscalls) {
150 	return sc->six(SYS_prctl, pr_cmd, arg1, arg2, arg3, arg4, arg5);
151     }
152     return prctl(pr_cmd, arg1, arg2, arg3, arg4, arg5);
153 }
154 
155 /*
156  * cap_get_proc obtains the capability set for the current process.
157  */
cap_get_proc(void)158 cap_t cap_get_proc(void)
159 {
160     cap_t result;
161 
162     /* allocate a new capability set */
163     result = cap_init();
164     if (result) {
165 	_cap_debug("getting current process' capabilities");
166 
167 	/* fill the capability sets via a system call */
168 	if (capget(&result->head, &result->u[0].set)) {
169 	    cap_free(result);
170 	    result = NULL;
171 	}
172     }
173 
174     return result;
175 }
176 
_cap_set_proc(struct syscaller_s * sc,cap_t cap_d)177 static int _cap_set_proc(struct syscaller_s *sc, cap_t cap_d) {
178     int retval;
179 
180     if (!good_cap_t(cap_d)) {
181 	errno = EINVAL;
182 	return -1;
183     }
184 
185     _cap_debug("setting process capabilities");
186     retval = _libcap_capset(sc, &cap_d->head, &cap_d->u[0].set);
187 
188     return retval;
189 }
190 
cap_set_proc(cap_t cap_d)191 int cap_set_proc(cap_t cap_d)
192 {
193     return _cap_set_proc(&multithread, cap_d);
194 }
195 
196 /* the following two functions are not required by POSIX */
197 
198 /* read the caps on a specific process */
199 
capgetp(pid_t pid,cap_t cap_d)200 int capgetp(pid_t pid, cap_t cap_d)
201 {
202     int error;
203 
204     if (!good_cap_t(cap_d)) {
205 	errno = EINVAL;
206 	return -1;
207     }
208 
209     _cap_debug("getting process capabilities for proc %d", pid);
210 
211     cap_d->head.pid = pid;
212     error = capget(&cap_d->head, &cap_d->u[0].set);
213     cap_d->head.pid = 0;
214 
215     return error;
216 }
217 
218 /* allocate space for and return capabilities of target process */
219 
cap_get_pid(pid_t pid)220 cap_t cap_get_pid(pid_t pid)
221 {
222     cap_t result;
223 
224     result = cap_init();
225     if (result) {
226 	if (capgetp(pid, result) != 0) {
227 	    int my_errno;
228 
229 	    my_errno = errno;
230 	    cap_free(result);
231 	    errno = my_errno;
232 	    result = NULL;
233 	}
234     }
235 
236     return result;
237 }
238 
239 /*
240  * set the caps on a specific process/pg etc.. The kernel has long
241  * since deprecated this asynchronous interface. DON'T EXPECT THIS TO
242  * EVER WORK AGAIN.
243  */
244 
capsetp(pid_t pid,cap_t cap_d)245 int capsetp(pid_t pid, cap_t cap_d)
246 {
247     int error;
248 
249     if (!good_cap_t(cap_d)) {
250 	errno = EINVAL;
251 	return -1;
252     }
253 
254     _cap_debug("setting process capabilities for proc %d", pid);
255     cap_d->head.pid = pid;
256     error = capset(&cap_d->head, &cap_d->u[0].set);
257     cap_d->head.version = _LIBCAP_CAPABILITY_VERSION;
258     cap_d->head.pid = 0;
259 
260     return error;
261 }
262 
263 /* the kernel api requires unsigned long arguments */
264 #define pr_arg(x) ((unsigned long) x)
265 
266 /* get a capability from the bounding set */
267 
cap_get_bound(cap_value_t cap)268 int cap_get_bound(cap_value_t cap)
269 {
270     int result;
271 
272     result = prctl(PR_CAPBSET_READ, pr_arg(cap), pr_arg(0));
273     if (result < 0) {
274 	errno = -result;
275 	return -1;
276     }
277     return result;
278 }
279 
_cap_drop_bound(struct syscaller_s * sc,cap_value_t cap)280 static int _cap_drop_bound(struct syscaller_s *sc, cap_value_t cap)
281 {
282     int result;
283 
284     result = _libcap_wprctl3(sc, PR_CAPBSET_DROP, pr_arg(cap), pr_arg(0));
285     if (result < 0) {
286 	errno = -result;
287 	return -1;
288     }
289     return result;
290 }
291 
292 /* drop a capability from the bounding set */
293 
cap_drop_bound(cap_value_t cap)294 int cap_drop_bound(cap_value_t cap) {
295     return _cap_drop_bound(&multithread, cap);
296 }
297 
298 /* get a capability from the ambient set */
299 
cap_get_ambient(cap_value_t cap)300 int cap_get_ambient(cap_value_t cap)
301 {
302     int result;
303     result = prctl(PR_CAP_AMBIENT, pr_arg(PR_CAP_AMBIENT_IS_SET),
304 		   pr_arg(cap), pr_arg(0), pr_arg(0));
305     if (result < 0) {
306 	errno = -result;
307 	return -1;
308     }
309     return result;
310 }
311 
_cap_set_ambient(struct syscaller_s * sc,cap_value_t cap,cap_flag_value_t set)312 static int _cap_set_ambient(struct syscaller_s *sc,
313 			    cap_value_t cap, cap_flag_value_t set)
314 {
315     int result, val;
316     switch (set) {
317     case CAP_SET:
318 	val = PR_CAP_AMBIENT_RAISE;
319 	break;
320     case CAP_CLEAR:
321 	val = PR_CAP_AMBIENT_LOWER;
322 	break;
323     default:
324 	errno = EINVAL;
325 	return -1;
326     }
327     result = _libcap_wprctl6(sc, PR_CAP_AMBIENT, pr_arg(val), pr_arg(cap),
328 			     pr_arg(0), pr_arg(0), pr_arg(0));
329     if (result < 0) {
330 	errno = -result;
331 	return -1;
332     }
333     return result;
334 }
335 
336 /*
337  * cap_set_ambient modifies a single ambient capability value.
338  */
cap_set_ambient(cap_value_t cap,cap_flag_value_t set)339 int cap_set_ambient(cap_value_t cap, cap_flag_value_t set)
340 {
341     return _cap_set_ambient(&multithread, cap, set);
342 }
343 
_cap_reset_ambient(struct syscaller_s * sc)344 static int _cap_reset_ambient(struct syscaller_s *sc)
345 {
346     int olderrno = errno;
347     cap_value_t c;
348     int result = 0;
349 
350     for (c = 0; !result; c++) {
351 	result = cap_get_ambient(c);
352 	if (result == -1) {
353 	    errno = olderrno;
354 	    return 0;
355 	}
356     }
357 
358     result = _libcap_wprctl6(sc, PR_CAP_AMBIENT,
359 			     pr_arg(PR_CAP_AMBIENT_CLEAR_ALL),
360 			     pr_arg(0), pr_arg(0), pr_arg(0), pr_arg(0));
361     if (result < 0) {
362 	errno = -result;
363 	return -1;
364     }
365     return result;
366 }
367 
368 /*
369  * cap_reset_ambient erases all ambient capabilities - this reads the
370  * ambient caps before performing the erase to workaround the corner
371  * case where the set is empty already but the ambient cap API is
372  * locked.
373  */
cap_reset_ambient()374 int cap_reset_ambient()
375 {
376     return _cap_reset_ambient(&multithread);
377 }
378 
379 /*
380  * Read the security mode of the current process.
381  */
cap_get_secbits(void)382 unsigned cap_get_secbits(void)
383 {
384     return (unsigned) prctl(PR_GET_SECUREBITS, pr_arg(0), pr_arg(0));
385 }
386 
_cap_set_secbits(struct syscaller_s * sc,unsigned bits)387 static int _cap_set_secbits(struct syscaller_s *sc, unsigned bits)
388 {
389     return _libcap_wprctl3(sc, PR_SET_SECUREBITS, bits, 0);
390 }
391 
392 /*
393  * Set the secbits of the current process.
394  */
cap_set_secbits(unsigned bits)395 int cap_set_secbits(unsigned bits)
396 {
397     return _cap_set_secbits(&multithread, bits);
398 }
399 
400 /*
401  * Attempt to raise the no new privs prctl value.
402  */
_cap_set_no_new_privs(struct syscaller_s * sc)403 static void _cap_set_no_new_privs(struct syscaller_s *sc)
404 {
405     (void) _libcap_wprctl6(sc, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0);
406 }
407 
408 /*
409  * Some predefined constants
410  */
411 #define CAP_SECURED_BITS_BASIC                                 \
412     (SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |                    \
413      SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED |  \
414      SECBIT_KEEP_CAPS_LOCKED)
415 
416 #define CAP_SECURED_BITS_AMBIENT  (CAP_SECURED_BITS_BASIC |    \
417      SECBIT_NO_CAP_AMBIENT_RAISE | SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED)
418 
419 static cap_value_t raise_cap_setpcap[] = {CAP_SETPCAP};
420 
_cap_set_mode(struct syscaller_s * sc,cap_mode_t flavor)421 static int _cap_set_mode(struct syscaller_s *sc, cap_mode_t flavor)
422 {
423     cap_t working = cap_get_proc();
424     unsigned secbits = CAP_SECURED_BITS_AMBIENT;
425 
426     int ret = cap_set_flag(working, CAP_EFFECTIVE,
427 			   1, raise_cap_setpcap, CAP_SET);
428     ret = ret | _cap_set_proc(sc, working);
429 
430     if (ret == 0) {
431 	cap_flag_t c;
432 
433 	switch (flavor) {
434 	case CAP_MODE_NOPRIV:
435 	    /* fall through */
436 	case CAP_MODE_PURE1E_INIT:
437 	    (void) cap_clear_flag(working, CAP_INHERITABLE);
438 	    /* fall through */
439 	case CAP_MODE_PURE1E:
440 	    if (!CAP_AMBIENT_SUPPORTED()) {
441 		secbits = CAP_SECURED_BITS_BASIC;
442 	    } else {
443 		ret = _cap_reset_ambient(sc);
444 		if (ret) {
445 		    break; /* ambient dropping failed */
446 		}
447 	    }
448 	    ret = _cap_set_secbits(sc, secbits);
449 	    if (flavor != CAP_MODE_NOPRIV) {
450 		break;
451 	    }
452 
453 	    /* just for "case CAP_MODE_NOPRIV:" */
454 
455 	    for (c = 0; cap_get_bound(c) >= 0; c++) {
456 		(void) _cap_drop_bound(sc, c);
457 	    }
458 	    (void) cap_clear_flag(working, CAP_PERMITTED);
459 
460 	    /* for good measure */
461 	    _cap_set_no_new_privs(sc);
462 	    break;
463 
464 	default:
465 	    errno = EINVAL;
466 	    ret = -1;
467 	    break;
468 	}
469     }
470 
471     (void) cap_clear_flag(working, CAP_EFFECTIVE);
472     ret = _cap_set_proc(sc, working) | ret;
473     (void) cap_free(working);
474     return ret;
475 }
476 
477 /*
478  * cap_set_mode locks the overarching capability framework of the
479  * present process and thus its children to a predefined flavor. Once
480  * set, these modes cannot be undone by the affected process tree and
481  * can only be done by "cap_setpcap" permitted processes. Note, a side
482  * effect of this function, whether it succeeds or fails, is to clear
483  * at least the CAP_EFFECTIVE flags for the current process.
484  */
cap_set_mode(cap_mode_t flavor)485 int cap_set_mode(cap_mode_t flavor)
486 {
487     return _cap_set_mode(&multithread, flavor);
488 }
489 
490 /*
491  * cap_get_mode attempts to determine what the current capability mode
492  * is. If it can find no match in the libcap pre-defined modes, it
493  * returns CAP_MODE_UNCERTAIN.
494  */
cap_get_mode(void)495 cap_mode_t cap_get_mode(void)
496 {
497     unsigned secbits = cap_get_secbits();
498 
499     if ((secbits & CAP_SECURED_BITS_BASIC) != CAP_SECURED_BITS_BASIC) {
500 	return CAP_MODE_UNCERTAIN;
501     }
502 
503     /* validate ambient is not set */
504     int olderrno = errno;
505     int ret = 0;
506     cap_value_t c;
507     for (c = 0; !ret; c++) {
508 	ret = cap_get_ambient(c);
509 	if (ret == -1) {
510 	    errno = olderrno;
511 	    if (c && secbits != CAP_SECURED_BITS_AMBIENT) {
512 		return CAP_MODE_UNCERTAIN;
513 	    }
514 	    break;
515 	}
516 	if (ret) {
517 	    return CAP_MODE_UNCERTAIN;
518 	}
519     }
520 
521     cap_t working = cap_get_proc();
522     cap_t empty = cap_init();
523     int cf = cap_compare(empty, working);
524     cap_free(empty);
525     cap_free(working);
526 
527     if (CAP_DIFFERS(cf, CAP_INHERITABLE)) {
528 	return CAP_MODE_PURE1E;
529     }
530     if (CAP_DIFFERS(cf, CAP_PERMITTED) || CAP_DIFFERS(cf, CAP_EFFECTIVE)) {
531 	return CAP_MODE_PURE1E_INIT;
532     }
533 
534     for (c = 0; ; c++) {
535 	int v = cap_get_bound(c);
536 	if (v == -1) {
537 	    break;
538 	}
539 	if (v) {
540 	    return CAP_MODE_PURE1E_INIT;
541 	}
542     }
543 
544     return CAP_MODE_NOPRIV;
545 }
546 
_cap_setuid(struct syscaller_s * sc,uid_t uid)547 static int _cap_setuid(struct syscaller_s *sc, uid_t uid)
548 {
549     const cap_value_t raise_cap_setuid[] = {CAP_SETUID};
550     cap_t working = cap_get_proc();
551     (void) cap_set_flag(working, CAP_EFFECTIVE,
552 			1, raise_cap_setuid, CAP_SET);
553     /*
554      * Note, we are cognizant of not using glibc's setuid in the case
555      * that we've modified the way libcap is doing setting
556      * syscalls. This is because prctl needs to be working in a POSIX
557      * compliant way for the code below to work, so we are either
558      * all-broken or not-broken and don't allow for "sort of working".
559      */
560     (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 1, 0);
561     int ret = _cap_set_proc(sc, working);
562     if (ret == 0) {
563 	if (_libcap_overrode_syscalls) {
564 	    ret = sc->three(SYS_setuid, (long int) uid, 0, 0);
565 	    if (ret < 0) {
566 		errno = -ret;
567 		ret = -1;
568 	    }
569 	} else {
570 	    ret = setuid(uid);
571 	}
572     }
573     int olderrno = errno;
574     (void) _libcap_wprctl3(sc, PR_SET_KEEPCAPS, 0, 0);
575     (void) cap_clear_flag(working, CAP_EFFECTIVE);
576     (void) _cap_set_proc(sc, working);
577     (void) cap_free(working);
578 
579     errno = olderrno;
580     return ret;
581 }
582 
583 /*
584  * cap_setuid attempts to set the uid of the process without dropping
585  * any permitted capabilities in the process. A side effect of a call
586  * to this function is that the effective set will be cleared by the
587  * time the function returns.
588  */
cap_setuid(uid_t uid)589 int cap_setuid(uid_t uid)
590 {
591     return _cap_setuid(&multithread, uid);
592 }
593 
594 #if defined(__arm__) || defined(__i386__) || \
595     defined(__i486__) || defined(__i586__) || defined(__i686__)
596 #define sys_setgroups_variant  SYS_setgroups32
597 #else
598 #define sys_setgroups_variant  SYS_setgroups
599 #endif
600 
_cap_setgroups(struct syscaller_s * sc,gid_t gid,size_t ngroups,const gid_t groups[])601 static int _cap_setgroups(struct syscaller_s *sc,
602 			  gid_t gid, size_t ngroups, const gid_t groups[])
603 {
604     const cap_value_t raise_cap_setgid[] = {CAP_SETGID};
605     cap_t working = cap_get_proc();
606     (void) cap_set_flag(working, CAP_EFFECTIVE,
607 			1, raise_cap_setgid, CAP_SET);
608     /*
609      * Note, we are cognizant of not using glibc's setgid etc in the
610      * case that we've modified the way libcap is doing setting
611      * syscalls. This is because prctl needs to be working in a POSIX
612      * compliant way for the other functions of this file so we are
613      * all-broken or not-broken and don't allow for "sort of working".
614      */
615     int ret = _cap_set_proc(sc, working);
616     if (_libcap_overrode_syscalls) {
617 	if (ret == 0) {
618 	    ret = sc->three(SYS_setgid, (long int) gid, 0, 0);
619 	}
620 	if (ret == 0) {
621 	    ret = sc->three(sys_setgroups_variant, (long int) ngroups,
622 			    (long int) groups, 0);
623 	}
624 	if (ret < 0) {
625 	    errno = -ret;
626 	    ret = -1;
627 	}
628     } else {
629 	if (ret == 0) {
630 	    ret = setgid(gid);
631 	}
632 	if (ret == 0) {
633 	    ret = setgroups(ngroups, groups);
634 	}
635     }
636     int olderrno = errno;
637 
638     (void) cap_clear_flag(working, CAP_EFFECTIVE);
639     (void) _cap_set_proc(sc, working);
640     (void) cap_free(working);
641 
642     errno = olderrno;
643     return ret;
644 }
645 
646 /*
647  * cap_setgroups combines setting the gid with changing the set of
648  * supplemental groups for a user into one call that raises the needed
649  * capabilities to do it for the duration of the call. A side effect
650  * of a call to this function is that the effective set will be
651  * cleared by the time the function returns.
652  */
cap_setgroups(gid_t gid,size_t ngroups,const gid_t groups[])653 int cap_setgroups(gid_t gid, size_t ngroups, const gid_t groups[])
654 {
655     return _cap_setgroups(&multithread, gid, ngroups, groups);
656 }
657 
658 /*
659  * cap_iab_get_proc returns a cap_iab_t value initialized by the
660  * current process state related to these iab bits.
661  */
cap_iab_get_proc(void)662 cap_iab_t cap_iab_get_proc(void)
663 {
664     cap_iab_t iab = cap_iab_init();
665     cap_t current = cap_get_proc();
666     cap_iab_fill(iab, CAP_IAB_INH, current, CAP_INHERITABLE);
667     cap_value_t c;
668     for (c = cap_max_bits(); c; ) {
669 	--c;
670 	int o = c >> 5;
671 	__u32 mask = 1U << (c & 31);
672 	if (cap_get_bound(c) == 0) {
673 	    iab->nb[o] |= mask;
674 	}
675 	if (cap_get_ambient(c) == 1) {
676 	    iab->a[o] |= mask;
677 	}
678     }
679     return iab;
680 }
681 
682 /*
683  * _cap_iab_set_proc sets the iab collection using the requested syscaller.
684  */
_cap_iab_set_proc(struct syscaller_s * sc,cap_iab_t iab)685 static int _cap_iab_set_proc(struct syscaller_s *sc, cap_iab_t iab)
686 {
687     int ret, i;
688     cap_t working, temp = cap_get_proc();
689     cap_value_t c;
690     int raising = 0;
691 
692     for (i = 0; i < _LIBCAP_CAPABILITY_U32S; i++) {
693 	__u32 newI = iab->i[i];
694 	__u32 oldIP = temp->u[i].flat[CAP_INHERITABLE] |
695 	    temp->u[i].flat[CAP_PERMITTED];
696 	raising |= (newI & ~oldIP) | iab->a[i] | iab->nb[i];
697 	temp->u[i].flat[CAP_INHERITABLE] = newI;
698 
699     }
700 
701     working = cap_dup(temp);
702     if (raising) {
703 	ret = cap_set_flag(working, CAP_EFFECTIVE,
704 			   1, raise_cap_setpcap, CAP_SET);
705 	if (ret) {
706 	    goto defer;
707 	}
708     }
709     if ((ret = _cap_set_proc(sc, working))) {
710 	goto defer;
711     }
712     if ((ret = _cap_reset_ambient(sc))) {
713 	goto done;
714     }
715 
716     for (c = cap_max_bits(); c-- != 0; ) {
717 	unsigned offset = c >> 5;
718 	__u32 mask = 1U << (c & 31);
719 	if (iab->a[offset] & mask) {
720 	    ret = _cap_set_ambient(sc, c, CAP_SET);
721 	    if (ret) {
722 		goto done;
723 	    }
724 	}
725 	if (iab->nb[offset] & mask) {
726 	    /* drop the bounding bit */
727 	    ret = _cap_drop_bound(sc, c);
728 	    if (ret) {
729 		goto done;
730 	    }
731 	}
732     }
733 
734 done:
735     (void) cap_set_proc(temp);
736 
737 defer:
738     cap_free(working);
739     cap_free(temp);
740 
741     return ret;
742 }
743 
744 /*
745  * cap_iab_set_proc sets the iab capability vectors of the current
746  * process.
747  */
cap_iab_set_proc(cap_iab_t iab)748 int cap_iab_set_proc(cap_iab_t iab)
749 {
750     return _cap_iab_set_proc(&multithread, iab);
751 }
752 
753 /*
754  * cap_launcher_callback primes the launcher with a callback that will
755  * be invoked after the fork() but before any privilege has changed
756  * and before the execve(). This can be used to augment the state of
757  * the child process within the cap_launch() process. You can cancel
758  * any callback associated with a launcher by calling this function
759  * with a callback_fn value NULL.
760  *
761  * If the callback function returns anything other than 0, it is
762  * considered to have failed and the launch will be aborted - further,
763  * errno will be communicated to the parent.
764  */
cap_launcher_callback(cap_launch_t attr,int (callback_fn)(void * detail))765 void cap_launcher_callback(cap_launch_t attr, int (callback_fn)(void *detail))
766 {
767     attr->custom_setup_fn = callback_fn;
768 }
769 
770 /*
771  * cap_launcher_setuid primes the launcher to attempt a change of uid.
772  */
cap_launcher_setuid(cap_launch_t attr,uid_t uid)773 void cap_launcher_setuid(cap_launch_t attr, uid_t uid)
774 {
775     attr->uid = uid;
776     attr->change_uids = 1;
777 }
778 
779 /*
780  * cap_launcher_setgroups primes the launcher to attempt a change of
781  * gid and groups.
782  */
cap_launcher_setgroups(cap_launch_t attr,gid_t gid,int ngroups,const gid_t * groups)783 void cap_launcher_setgroups(cap_launch_t attr, gid_t gid,
784 			    int ngroups, const gid_t *groups)
785 {
786     attr->gid = gid;
787     attr->ngroups = ngroups;
788     attr->groups = groups;
789     attr->change_gids = 1;
790 }
791 
792 /*
793  * cap_launcher_set_mode primes the launcher to attempt a change of
794  * mode.
795  */
cap_launcher_set_mode(cap_launch_t attr,cap_mode_t flavor)796 void cap_launcher_set_mode(cap_launch_t attr, cap_mode_t flavor)
797 {
798     attr->mode = flavor;
799     attr->change_mode = 1;
800 }
801 
802 /*
803  * cap_launcher_set_iab primes the launcher to attempt to change the iab bits of
804  * the launched child.
805  */
cap_launcher_set_iab(cap_launch_t attr,cap_iab_t iab)806 cap_iab_t cap_launcher_set_iab(cap_launch_t attr, cap_iab_t iab)
807 {
808     cap_iab_t old = attr->iab;
809     attr->iab = iab;
810     return old;
811 }
812 
813 /*
814  * cap_launcher_set_chroot sets the intended chroot for the launched
815  * child.
816  */
cap_launcher_set_chroot(cap_launch_t attr,const char * chroot)817 void cap_launcher_set_chroot(cap_launch_t attr, const char *chroot)
818 {
819     attr->chroot = _libcap_strdup(chroot);
820 }
821 
_cap_chroot(struct syscaller_s * sc,const char * root)822 static int _cap_chroot(struct syscaller_s *sc, const char *root)
823 {
824     const cap_value_t raise_cap_sys_chroot[] = {CAP_SYS_CHROOT};
825     cap_t working = cap_get_proc();
826     (void) cap_set_flag(working, CAP_EFFECTIVE,
827 			1, raise_cap_sys_chroot, CAP_SET);
828     int ret = _cap_set_proc(sc, working);
829     if (ret == 0) {
830 	if (_libcap_overrode_syscalls) {
831 	    ret = sc->three(SYS_chroot, (long int) root, 0, 0);
832 	    if (ret < 0) {
833 		errno = -ret;
834 		ret = -1;
835 	    }
836 	} else {
837 	    ret = chroot(root);
838 	}
839     }
840     int olderrno = errno;
841     (void) cap_clear_flag(working, CAP_EFFECTIVE);
842     (void) _cap_set_proc(sc, working);
843     (void) cap_free(working);
844 
845     errno = olderrno;
846     return ret;
847 }
848 
849 /*
850  * _cap_launch is invoked in the forked child, it cannot return but is
851  * required to exit. If the execve fails, it will write the errno value
852  * over the filedescriptor, fd, and exit with status 0.
853  */
854 __attribute__ ((noreturn))
_cap_launch(int fd,cap_launch_t attr,void * detail)855 static void _cap_launch(int fd, cap_launch_t attr, void *detail) {
856     struct syscaller_s *sc = &singlethread;
857 
858     if (attr->custom_setup_fn && attr->custom_setup_fn(detail)) {
859 	goto defer;
860     }
861 
862     if (attr->change_uids && _cap_setuid(sc, attr->uid)) {
863 	goto defer;
864     }
865     if (attr->change_gids &&
866 	_cap_setgroups(sc, attr->gid, attr->ngroups, attr->groups)) {
867 	goto defer;
868     }
869     if (attr->change_mode && _cap_set_mode(sc, attr->mode)) {
870 	goto defer;
871     }
872     if (attr->iab && _cap_iab_set_proc(sc, attr->iab)) {
873 	goto defer;
874     }
875     if (attr->chroot != NULL && _cap_chroot(sc, attr->chroot)) {
876 	goto defer;
877     }
878 
879     /*
880      * Some type wrangling to work around what the kernel API really
881      * means: not "const char **".
882      */
883     const void *temp_args = attr->argv;
884     const void *temp_envp = attr->envp;
885 
886     execve(attr->arg0, temp_args, temp_envp);
887     /* if the exec worked, execution will not reach here */
888 
889 defer:
890     /*
891      * getting here means an error has occurred and errno is
892      * communicated to the parent
893      */
894     for (;;) {
895 	int n = write(fd, &errno, sizeof(errno));
896 	if (n < 0 && errno == EAGAIN) {
897 	    continue;
898 	}
899 	break;
900     }
901     close(fd);
902     exit(1);
903 }
904 
905 /*
906  * cap_launch performs a wrapped fork+exec that works in both an
907  * unthreaded environment and also where libcap is linked with
908  * psx+pthreads. The function supports dropping privilege in the
909  * forked thread, but retaining privilege in the parent thread(s).
910  *
911  * Since the ambient set is fragile with respect to changes in I or P,
912  * the function carefully orders setting of these inheritable
913  * characteristics, to make sure they stick, or return an error
914  * of -1 setting errno because the launch failed.
915  */
cap_launch(cap_launch_t attr,void * data)916 pid_t cap_launch(cap_launch_t attr, void *data) {
917     int my_errno;
918     int ps[2];
919 
920     if (pipe2(ps, O_CLOEXEC) != 0) {
921 	return -1;
922     }
923 
924     int child = fork();
925     my_errno = errno;
926 
927     close(ps[1]);
928     if (child < 0) {
929 	goto defer;
930     }
931     if (!child) {
932 	close(ps[0]);
933 	/* noreturn from this function: */
934 	_cap_launch(ps[1], attr, data);
935     }
936 
937     /*
938      * Extend this function's return codes to include setup failures
939      * in the child.
940      */
941     for (;;) {
942 	int ignored;
943 	int n = read(ps[0], &my_errno, sizeof(my_errno));
944 	if (n == 0) {
945 	    goto defer;
946 	}
947 	if (n < 0 && errno == EAGAIN) {
948 	    continue;
949 	}
950 	waitpid(child, &ignored, 0);
951 	child = -1;
952 	my_errno = ECHILD;
953 	break;
954     }
955 
956 defer:
957     close(ps[0]);
958     errno = my_errno;
959     return (pid_t) child;
960 }
961