1 /* 2 * Copyright (c) 1997,2020 Andrew G Morgan <[email protected]> 3 * 4 * This file contains internal definitions for the various functions in 5 * this small capability library. 6 */ 7 8 #ifndef LIBCAP_H 9 #define LIBCAP_H 10 11 #include <errno.h> 12 #include <sched.h> 13 #include <stdio.h> 14 #include <stdlib.h> 15 #include <string.h> 16 #include <stdint.h> 17 #include <sys/capability.h> 18 19 #ifndef __u8 20 #define __u8 uint8_t 21 #endif /* __8 */ 22 23 #ifndef __u32 24 #define __u32 uint32_t 25 #endif /* __u32 */ 26 27 /* include the names for the caps and a definition of __CAP_BITS */ 28 #include "cap_names.h" 29 30 #ifndef _LINUX_CAPABILITY_U32S_1 31 # define _LINUX_CAPABILITY_U32S_1 1 32 #endif /* ndef _LINUX_CAPABILITY_U32S_1 */ 33 34 /* 35 * Do we match the local kernel? 36 */ 37 38 #if !defined(_LINUX_CAPABILITY_VERSION) 39 40 # error Kernel <linux/capability.h> does not support library 41 # error file "libcap.h" --> fix and recompile libcap 42 43 #elif !defined(_LINUX_CAPABILITY_VERSION_2) 44 45 # warning Kernel <linux/capability.h> does not support 64-bit capabilities 46 # warning and libcap is being built with no support for 64-bit capabilities 47 48 # ifndef _LINUX_CAPABILITY_VERSION_1 49 # define _LINUX_CAPABILITY_VERSION_1 0x19980330 50 # endif 51 52 # _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1 53 # _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1 54 55 #elif defined(_LINUX_CAPABILITY_VERSION_3) 56 57 # if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522) 58 # error Kernel <linux/capability.h> v3 does not match library 59 # error file "libcap.h" --> fix and recompile libcap 60 # else 61 # define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 62 # define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 63 # endif 64 65 #elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026) 66 67 # error Kernel <linux/capability.h> does not match library 68 # error file "libcap.h" --> fix and recompile libcap 69 70 #else 71 72 # define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2 73 # define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2 74 75 #endif 76 77 #undef _LINUX_CAPABILITY_VERSION 78 #undef _LINUX_CAPABILITY_U32S 79 80 /* 81 * This is a pointer to a struct containing three consecutive 82 * capability sets in the order of the cap_flag_t type: the are 83 * effective,inheritable and permitted. This is the type that the 84 * user-space routines think of as 'internal' capabilities - this is 85 * the type that is passed to the kernel with the system calls related 86 * to processes. 87 */ 88 89 #if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32) 90 # define VFS_CAP_U32_1 1 91 # define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) 92 # define VFS_CAP_U32 VFS_CAP_U32_1 93 struct _cap_vfs_cap_data { 94 __le32 magic_etc; 95 struct { 96 __le32 permitted; 97 __le32 inheritable; 98 } data[VFS_CAP_U32_1]; 99 }; 100 # define vfs_cap_data _cap_vfs_cap_data 101 #endif 102 103 #ifndef CAP_TO_INDEX 104 # define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ 105 #endif /* ndef CAP_TO_INDEX */ 106 107 #ifndef CAP_TO_MASK 108 # define CAP_TO_MASK(x) (1 << ((x) & 31)) 109 #endif /* ndef CAP_TO_MASK */ 110 111 #define NUMBER_OF_CAP_SETS 3 /* effective, inheritable, permitted */ 112 #define __CAP_BLKS (_LIBCAP_CAPABILITY_U32S) 113 #define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32)) 114 115 #define CAP_T_MAGIC 0xCA90D0 116 struct _cap_struct { 117 __u8 mutex; 118 struct __user_cap_header_struct head; 119 union { 120 struct __user_cap_data_struct set; 121 __u32 flat[NUMBER_OF_CAP_SETS]; 122 } u[_LIBCAP_CAPABILITY_U32S]; 123 uid_t rootid; 124 }; 125 126 /* 127 * Elementary exclusive locking primatives for situations where 128 * linking with pthreads needs it, but such linking is not common. 129 * 130 * _cap_mu_blocked(x) attempts to lock x but if already locked, returns true 131 * _cap_mu_lock(x) attempts to lock and waits until the lock is granted 132 * _cap_mu_unlock(x) unconditionally unlocks the lock 133 * _cap_mu_unlock_return(x, y) unlock lock x and return value y 134 */ 135 #define _cap_mu_blocked(x) \ 136 __atomic_test_and_set((void *)(x), __ATOMIC_SEQ_CST) 137 #define _cap_mu_lock(x) \ 138 while (_cap_mu_blocked(x)) sched_yield() 139 #define _cap_mu_unlock(x) \ 140 __atomic_clear((void *) (x), __ATOMIC_SEQ_CST) 141 #define _cap_mu_unlock_return(x, y) \ 142 do { _cap_mu_unlock(x); return (y); } while (0) 143 144 /* the maximum bits supportable */ 145 #define __CAP_MAXBITS (__CAP_BLKS * 32) 146 147 /* string magic for cap_free */ 148 #define CAP_S_MAGIC 0xCA95D0 149 150 /* iab set magic for cap_free */ 151 #define CAP_IAB_MAGIC 0xCA91AB 152 153 /* launcher magic for cap_free */ 154 #define CAP_LAUNCH_MAGIC 0xCA91AC 155 156 #define magic_of(x) ((x) ? *(-2 + (const __u32 *) x) : 0) 157 #define good_cap_t(x) (CAP_T_MAGIC == magic_of(x)) 158 #define good_cap_iab_t(x) (CAP_IAB_MAGIC == magic_of(x)) 159 #define good_cap_launch_t(x) (CAP_LAUNCH_MAGIC == magic_of(x)) 160 161 /* 162 * kernel API cap set abstraction 163 */ 164 165 #define raise_cap(x, set) u[(x) >> 5].flat[set] |= (1u << ((x)&31)) 166 #define lower_cap(x, set) u[(x) >> 5].flat[set] &= ~(1u << ((x)&31)) 167 #define isset_cap(y, x, set) ((y)->u[(x) >> 5].flat[set] & (1u << ((x)&31))) 168 169 /* 170 * These match CAP_DIFFERS() expectations 171 */ 172 #define LIBCAP_EFF (1 << CAP_EFFECTIVE) 173 #define LIBCAP_INH (1 << CAP_INHERITABLE) 174 #define LIBCAP_PER (1 << CAP_PERMITTED) 175 176 /* 177 * library debugging 178 */ 179 #ifdef DEBUG 180 181 #include <stdio.h> 182 # define _cap_debug(f, x...) do { \ 183 fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \ 184 fprintf(stderr, f, ## x); \ 185 fprintf(stderr, "\n"); \ 186 } while (0) 187 188 # define _cap_debugcap(s, c, set) do { \ 189 unsigned _cap_index; \ 190 fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \ 191 for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \ 192 fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \ 193 } \ 194 fprintf(stderr, "\n"); \ 195 } while (0) 196 197 #else /* !DEBUG */ 198 199 # define _cap_debug(f, x...) 200 # define _cap_debugcap(s, c, set) 201 202 #endif /* DEBUG */ 203 204 extern char *_libcap_strdup(const char *text); 205 extern void _libcap_initialize(void); 206 207 #define EXECABLE_INITIALIZE _libcap_initialize() 208 209 /* 210 * These are semi-public prototypes, they will only be defined in 211 * <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we 212 * place them here too. 213 */ 214 215 extern int capget(cap_user_header_t header, cap_user_data_t data); 216 extern int capgetp(pid_t pid, cap_t cap_d); 217 extern int capsetp(pid_t pid, cap_t cap_d); 218 219 /* prctl based API for altering character of current process */ 220 #define PR_GET_KEEPCAPS 7 221 #define PR_SET_KEEPCAPS 8 222 #define PR_CAPBSET_READ 23 223 #define PR_CAPBSET_DROP 24 224 #define PR_GET_SECUREBITS 27 225 #define PR_SET_SECUREBITS 28 226 227 /* 228 * The library compares sizeof() with integer return values. To avoid 229 * signed/unsigned comparisons, leading to unfortunate 230 * misinterpretations of -1, we provide a convenient cast-to-signed-integer 231 * version of sizeof(). 232 */ 233 #define ssizeof(x) ((ssize_t) sizeof(x)) 234 235 /* 236 * Put this here as a macro so we can unit test it. 237 */ 238 #define _binary_search(val, fn, low, high, fallback) do { \ 239 cap_value_t min = low, max = high; \ 240 while (min <= max) { \ 241 cap_value_t mid = (min+max) / 2; \ 242 if (fn(mid) < 0) { \ 243 max = mid - 1; \ 244 } else { \ 245 min = mid + 1; \ 246 } \ 247 } \ 248 val = min ? (min <= high ? min : fallback) : fallback; \ 249 } while(0) 250 251 /* 252 * cap_iab_s holds a collection of inheritable capability bits. The i 253 * bits are inheritable (these are the same as those in cap_t), the a 254 * bits are ambient bits (which cannot be a superset of i&p), and nb 255 * are the bits that will be dropped from the bounding set when 256 * applied. 257 */ 258 struct cap_iab_s { 259 __u8 mutex; 260 __u32 i[_LIBCAP_CAPABILITY_U32S]; 261 __u32 a[_LIBCAP_CAPABILITY_U32S]; 262 __u32 nb[_LIBCAP_CAPABILITY_U32S]; 263 }; 264 265 #define LIBCAP_IAB_I_FLAG (1U << CAP_IAB_INH) 266 #define LIBCAP_IAB_A_FLAG (1U << CAP_IAB_AMB) 267 #define LIBCAP_IAB_IA_FLAG (LIBCAP_IAB_I_FLAG | LIBCAP_IAB_A_FLAG) 268 #define LIBCAP_IAB_NB_FLAG (1U << CAP_IAB_BOUND) 269 270 /* 271 * The following support launching another process without destroying 272 * the state of the current process. This is especially useful for 273 * multithreaded applications. 274 */ 275 struct cap_launch_s { 276 __u8 mutex; 277 /* 278 * Once forked but before active privilege is changed, this 279 * function (if non-NULL) is called. 280 */ 281 int (*custom_setup_fn)(void *detail); 282 283 /* 284 * user and groups to be used by the forked child. 285 */ 286 int change_uids; 287 uid_t uid; 288 289 int change_gids; 290 gid_t gid; 291 int ngroups; 292 const gid_t *groups; 293 294 /* 295 * mode holds the preferred capability mode. Any non-uncertain 296 * setting here will require an empty ambient set. 297 */ 298 int change_mode; 299 cap_mode_t mode; 300 301 /* 302 * i,a,[n]b caps. These bitmaps hold all of the capability sets that 303 * cap_launch will affect. nb holds values to be lowered in the bounding 304 * set. 305 */ 306 struct cap_iab_s *iab; 307 308 /* chroot holds a preferred chroot for the launched child. */ 309 char *chroot; 310 311 /* 312 * execve style arguments 313 */ 314 const char *arg0; 315 const char *const *argv; 316 const char *const *envp; 317 }; 318 319 #endif /* LIBCAP_H */ 320