1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/capability.h>
26 #include <sys/prctl.h>
29 #include "alloc-util.h"
30 #include "capability-util.h"
34 #include "parse-util.h"
35 #include "user-util.h"
38 #if 0 /// UNNEEDED by elogind
39 int have_effective_cap(int value) {
40 _cleanup_cap_free_ cap_t cap;
47 if (cap_get_flag(cap, value, CAP_EFFECTIVE, &fv) < 0)
54 unsigned long cap_last_cap(void) {
55 static thread_local unsigned long saved;
56 static thread_local bool valid = false;
57 _cleanup_free_ char *content = NULL;
64 /* available since linux-3.2 */
65 r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
67 r = safe_atolu(content, &p);
75 /* fall back to syscall-probing for pre linux-3.2 */
76 p = (unsigned long) CAP_LAST_CAP;
78 if (prctl(PR_CAPBSET_READ, p) < 0) {
80 /* Hmm, look downwards, until we find one that
82 for (p--; p > 0; p --)
83 if (prctl(PR_CAPBSET_READ, p) >= 0)
88 /* Hmm, look upwards, until we find one that doesn't
91 if (prctl(PR_CAPBSET_READ, p+1) < 0)
101 #if 0 /// UNNEEDED by elogind
102 int capability_update_inherited_set(cap_t caps, uint64_t set) {
105 /* Add capabilities in the set to the inherited caps. Do not apply
108 for (i = 0; i < cap_last_cap(); i++) {
110 if (set & (UINT64_C(1) << i)) {
115 /* Make the capability inheritable. */
116 if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0)
124 int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
126 _cleanup_cap_free_ cap_t caps = NULL;
128 /* Add the capabilities to the ambient set. */
132 caps = cap_get_proc();
136 r = capability_update_inherited_set(caps, set);
140 if (cap_set_proc(caps) < 0)
144 for (i = 0; i < cap_last_cap(); i++) {
146 if (set & (UINT64_C(1) << i)) {
148 /* Add the capability to the ambient set. */
149 if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
157 int capability_bounding_set_drop(uint64_t keep, bool right_now) {
158 _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
163 /* If we are run as PID 1 we will lack CAP_SETPCAP by default
164 * in the effective set (yes, the kernel drops that when
165 * executing init!), so get it back temporarily so that we can
166 * call PR_CAPBSET_DROP. */
168 before_cap = cap_get_proc();
172 if (cap_get_flag(before_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0)
176 _cleanup_cap_free_ cap_t temp_cap = NULL;
177 static const cap_value_t v = CAP_SETPCAP;
179 temp_cap = cap_dup(before_cap);
183 if (cap_set_flag(temp_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0)
186 if (cap_set_proc(temp_cap) < 0)
187 log_debug_errno(errno, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
189 /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means
190 * we'll fail later, when we actually intend to drop some capabilities. */
193 after_cap = cap_dup(before_cap);
197 for (i = 0; i <= cap_last_cap(); i++) {
200 if ((keep & (UINT64_C(1) << i)))
203 /* Drop it from the bounding set */
204 if (prctl(PR_CAPBSET_DROP, i) < 0) {
207 /* If dropping the capability failed, let's see if we didn't have it in the first place. If so,
208 * continue anyway, as dropping a capability we didn't have in the first place doesn't really
210 if (prctl(PR_CAPBSET_READ, i) != 0)
215 /* Also drop it from the inheritable set, so
216 * that anything we exec() loses the
217 * capability for good. */
218 if (cap_set_flag(after_cap, CAP_INHERITABLE, 1, &v, CAP_CLEAR) < 0) {
223 /* If we shall apply this right now drop it
224 * also from our own capability sets. */
226 if (cap_set_flag(after_cap, CAP_PERMITTED, 1, &v, CAP_CLEAR) < 0 ||
227 cap_set_flag(after_cap, CAP_EFFECTIVE, 1, &v, CAP_CLEAR) < 0) {
237 if (cap_set_proc(after_cap) < 0) {
238 /* If there are no actual changes anyway then let's ignore this error. */
239 if (cap_compare(before_cap, after_cap) != 0)
246 static int drop_from_file(const char *fn, uint64_t keep) {
249 uint64_t current, after;
252 r = read_one_line_file(fn, &p);
256 assert_cc(sizeof(hi) == sizeof(unsigned));
257 assert_cc(sizeof(lo) == sizeof(unsigned));
259 k = sscanf(p, "%u %u", &lo, &hi);
265 current = (uint64_t) lo | ((uint64_t) hi << 32ULL);
266 after = current & keep;
268 if (current == after)
271 lo = (unsigned) (after & 0xFFFFFFFFULL);
272 hi = (unsigned) ((after >> 32ULL) & 0xFFFFFFFFULL);
274 if (asprintf(&p, "%u %u", lo, hi) < 0)
277 r = write_string_file(fn, p, WRITE_STRING_FILE_CREATE);
283 int capability_bounding_set_drop_usermode(uint64_t keep) {
286 r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);
290 r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);
297 int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
298 _cleanup_cap_free_ cap_t d = NULL;
302 /* Unfortunately we cannot leave privilege dropping to PID 1
303 * here, since we want to run as user but want to keep some
304 * capabilities. Since file capabilities have been introduced
305 * this cannot be done across exec() anymore, unless our
306 * binary has the capability configured in the file system,
307 * which we want to avoid. */
309 if (setresgid(gid, gid, gid) < 0)
310 return log_error_errno(errno, "Failed to change group ID: %m");
312 r = maybe_setgroups(0, NULL);
314 return log_error_errno(r, "Failed to drop auxiliary groups list: %m");
316 /* Ensure we keep the permitted caps across the setresuid() */
317 if (prctl(PR_SET_KEEPCAPS, 1) < 0)
318 return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");
320 r = setresuid(uid, uid, uid);
322 return log_error_errno(errno, "Failed to change user ID: %m");
324 if (prctl(PR_SET_KEEPCAPS, 0) < 0)
325 return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");
327 /* Drop all caps from the bounding set, except the ones we want */
328 r = capability_bounding_set_drop(keep_capabilities, true);
330 return log_error_errno(r, "Failed to drop capabilities: %m");
332 /* Now upgrade the permitted caps we still kept to effective caps */
337 if (keep_capabilities) {
338 cap_value_t bits[u64log2(keep_capabilities) + 1];
340 for (i = 0; i < ELEMENTSOF(bits); i++)
341 if (keep_capabilities & (1ULL << i))
344 /* use enough bits */
345 assert(i == 64 || (keep_capabilities >> i) == 0);
346 /* don't use too many bits */
347 assert(keep_capabilities & (1ULL << (i - 1)));
349 if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 ||
350 cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0)
351 return log_error_errno(errno, "Failed to enable capabilities bits: %m");
353 if (cap_set_proc(d) < 0)
354 return log_error_errno(errno, "Failed to increase capabilities: %m");
360 int drop_capability(cap_value_t cv) {
361 _cleanup_cap_free_ cap_t tmp_cap = NULL;
363 tmp_cap = cap_get_proc();
367 if ((cap_set_flag(tmp_cap, CAP_INHERITABLE, 1, &cv, CAP_CLEAR) < 0) ||
368 (cap_set_flag(tmp_cap, CAP_PERMITTED, 1, &cv, CAP_CLEAR) < 0) ||
369 (cap_set_flag(tmp_cap, CAP_EFFECTIVE, 1, &cv, CAP_CLEAR) < 0))
372 if (cap_set_proc(tmp_cap) < 0)
378 bool ambient_capabilities_supported(void) {
379 static int cache = -1;
384 /* If PR_CAP_AMBIENT returns something valid, or an unexpected error code we assume that ambient caps are
387 cache = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_KILL, 0, 0) >= 0 ||
388 !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS);