1/* SPDX-License-Identifier: GPL-2.0 */ 2/* 3 * This is <linux/capability.h> 4 * 5 * Andrew G. Morgan <morgan@kernel.org> 6 * Alexander Kjeldaas <astor@guardian.no> 7 * with help from Aleph1, Roland Buresund and Andrew Main. 8 * 9 * See here for the libcap library ("POSIX draft" compliance): 10 * 11 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ 12 */ 13#ifndef _LINUX_CAPABILITY_H 14#define _LINUX_CAPABILITY_H 15 16#include <uapi/linux/capability.h> 17#include <linux/uidgid.h> 18#include <linux/bits.h> 19 20#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 21 22extern int file_caps_enabled; 23 24typedef struct { u64 val; } kernel_cap_t; 25 26/* same as vfs_ns_cap_data but in cpu endian and always filled completely */ 27struct cpu_vfs_cap_data { 28 __u32 magic_etc; 29 kuid_t rootid; 30 kernel_cap_t permitted; 31 kernel_cap_t inheritable; 32}; 33 34#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct)) 35#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t)) 36 37struct file; 38struct inode; 39struct dentry; 40struct task_struct; 41struct user_namespace; 42struct mnt_idmap; 43 44/* 45 * CAP_FS_MASK and CAP_NFSD_MASKS: 46 * 47 * The fs mask is all the privileges that fsuid==0 historically meant. 48 * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE. 49 * 50 * It has never meant setting security.* and trusted.* xattrs. 51 * 52 * We could also define fsmask as follows: 53 * 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions 54 * 2. The security.* and trusted.* xattrs are fs-related MAC permissions 55 */ 56 57# define CAP_FS_MASK (BIT_ULL(CAP_CHOWN) \ 58 | BIT_ULL(CAP_MKNOD) \ 59 | BIT_ULL(CAP_DAC_OVERRIDE) \ 60 | BIT_ULL(CAP_DAC_READ_SEARCH) \ 61 | BIT_ULL(CAP_FOWNER) \ 62 | BIT_ULL(CAP_FSETID) \ 63 | BIT_ULL(CAP_MAC_OVERRIDE)) 64#define CAP_VALID_MASK (BIT_ULL(CAP_LAST_CAP+1)-1) 65 66# define CAP_EMPTY_SET ((kernel_cap_t) { 0 }) 67# define CAP_FULL_SET ((kernel_cap_t) { CAP_VALID_MASK }) 68# define CAP_FS_SET ((kernel_cap_t) { CAP_FS_MASK | BIT_ULL(CAP_LINUX_IMMUTABLE) }) 69# define CAP_NFSD_SET ((kernel_cap_t) { CAP_FS_MASK | BIT_ULL(CAP_SYS_RESOURCE) }) 70 71# define cap_clear(c) do { (c).val = 0; } while (0) 72 73#define cap_raise(c, flag) ((c).val |= BIT_ULL(flag)) 74#define cap_lower(c, flag) ((c).val &= ~BIT_ULL(flag)) 75#define cap_raised(c, flag) (((c).val & BIT_ULL(flag)) != 0) 76 77static inline kernel_cap_t cap_combine(const kernel_cap_t a, 78 const kernel_cap_t b) 79{ 80 return (kernel_cap_t) { a.val | b.val }; 81} 82 83static inline kernel_cap_t cap_intersect(const kernel_cap_t a, 84 const kernel_cap_t b) 85{ 86 return (kernel_cap_t) { a.val & b.val }; 87} 88 89static inline kernel_cap_t cap_drop(const kernel_cap_t a, 90 const kernel_cap_t drop) 91{ 92 return (kernel_cap_t) { a.val &~ drop.val }; 93} 94 95static inline bool cap_isclear(const kernel_cap_t a) 96{ 97 return !a.val; 98} 99 100static inline bool cap_isidentical(const kernel_cap_t a, const kernel_cap_t b) 101{ 102 return a.val == b.val; 103} 104 105/* 106 * Check if "a" is a subset of "set". 107 * return true if ALL of the capabilities in "a" are also in "set" 108 * cap_issubset(0101, 1111) will return true 109 * return false if ANY of the capabilities in "a" are not in "set" 110 * cap_issubset(1111, 0101) will return false 111 */ 112static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set) 113{ 114 return !(a.val & ~set.val); 115} 116 117/* Used to decide between falling back on the old suser() or fsuser(). */ 118 119static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) 120{ 121 return cap_drop(a, CAP_FS_SET); 122} 123 124static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, 125 const kernel_cap_t permitted) 126{ 127 return cap_combine(a, cap_intersect(permitted, CAP_FS_SET)); 128} 129 130static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) 131{ 132 return cap_drop(a, CAP_NFSD_SET); 133} 134 135static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, 136 const kernel_cap_t permitted) 137{ 138 return cap_combine(a, cap_intersect(permitted, CAP_NFSD_SET)); 139} 140 141#ifdef CONFIG_MULTIUSER 142extern bool has_capability(struct task_struct *t, int cap); 143extern bool has_ns_capability(struct task_struct *t, 144 struct user_namespace *ns, int cap); 145extern bool has_capability_noaudit(struct task_struct *t, int cap); 146extern bool has_ns_capability_noaudit(struct task_struct *t, 147 struct user_namespace *ns, int cap); 148extern bool capable(int cap); 149extern bool ns_capable(struct user_namespace *ns, int cap); 150extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); 151extern bool ns_capable_setid(struct user_namespace *ns, int cap); 152#else 153static inline bool has_capability(struct task_struct *t, int cap) 154{ 155 return true; 156} 157static inline bool has_ns_capability(struct task_struct *t, 158 struct user_namespace *ns, int cap) 159{ 160 return true; 161} 162static inline bool has_capability_noaudit(struct task_struct *t, int cap) 163{ 164 return true; 165} 166static inline bool has_ns_capability_noaudit(struct task_struct *t, 167 struct user_namespace *ns, int cap) 168{ 169 return true; 170} 171static inline bool capable(int cap) 172{ 173 return true; 174} 175static inline bool ns_capable(struct user_namespace *ns, int cap) 176{ 177 return true; 178} 179static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) 180{ 181 return true; 182} 183static inline bool ns_capable_setid(struct user_namespace *ns, int cap) 184{ 185 return true; 186} 187#endif /* CONFIG_MULTIUSER */ 188bool privileged_wrt_inode_uidgid(struct user_namespace *ns, 189 struct mnt_idmap *idmap, 190 const struct inode *inode); 191bool capable_wrt_inode_uidgid(struct mnt_idmap *idmap, 192 const struct inode *inode, int cap); 193extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); 194extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); 195static inline bool perfmon_capable(void) 196{ 197 return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN); 198} 199 200static inline bool bpf_capable(void) 201{ 202 return capable(CAP_BPF) || capable(CAP_SYS_ADMIN); 203} 204 205static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns) 206{ 207 return ns_capable(ns, CAP_CHECKPOINT_RESTORE) || 208 ns_capable(ns, CAP_SYS_ADMIN); 209} 210 211/* audit system wants to get cap info from files as well */ 212int get_vfs_caps_from_disk(struct mnt_idmap *idmap, 213 const struct dentry *dentry, 214 struct cpu_vfs_cap_data *cpu_caps); 215 216int cap_convert_nscap(struct mnt_idmap *idmap, struct dentry *dentry, 217 const void **ivalue, size_t size); 218 219#endif /* !_LINUX_CAPABILITY_H */ 220