18795135167

Committed 24 Oct 2025 08:21PM UTC coverage: 72.26% (-0.02%) from 72.284%

Build # 18795135167

Build Type

push

github

Committed by

poettering

Commit Message

rules: apply loopback block device rule only onto loopback block devices

Fixes: #39426
Follow-up for: 9422ce83c

Run Details

304809 of 421823 relevant lines covered (72.26%)

1112914.25 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

77.89

/src/basic/capability-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <linux/prctl.h>
#include <stdatomic.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#include "alloc-util.h"
#include "bitfield.h"
#include "capability-list.h"
#include "capability-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "log.h"
#include "parse-util.h"
#include "pidref.h"
#include "process-util.h"
#include "stat-util.h"
#include "user-util.h"

int capability_get(CapabilityQuintet *ret) {
        assert(ret);

        struct __user_cap_header_struct hdr = {
                .version = _LINUX_CAPABILITY_VERSION_3,
                .pid = getpid_cached(),
        };

        assert_cc(_LINUX_CAPABILITY_U32S_3 == 2);
        struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
        if (syscall(SYS_capget, &hdr, data) < 0)
                return -errno;

        *ret = (CapabilityQuintet) {
                .effective = (uint64_t) data[0].effective | ((uint64_t) data[1].effective << 32),
                .bounding = UINT64_MAX,
                .inheritable = (uint64_t) data[0].inheritable | ((uint64_t) data[1].inheritable << 32),
                .permitted = (uint64_t) data[0].permitted | ((uint64_t) data[1].permitted << 32),
                .ambient = UINT64_MAX,
        };
        return 0;
}

static int capability_apply(const CapabilityQuintet *q) {
        assert(q);

        struct __user_cap_header_struct hdr = {
                .version = _LINUX_CAPABILITY_VERSION_3,
                .pid = getpid_cached(),
        };

        struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {
                {
                        .effective = (uint32_t) (q->effective & UINT32_MAX),
                        .inheritable = (uint32_t) (q->inheritable & UINT32_MAX),
                        .permitted = (uint32_t) (q->permitted & UINT32_MAX),
                },
                {
                        .effective = (uint32_t) (q->effective >> 32),
                        .inheritable = (uint32_t) (q->inheritable >> 32),
                        .permitted = (uint32_t) (q->permitted >> 32),
                },
        };
        return RET_NERRNO(syscall(SYS_capset, &hdr, data));
}

unsigned cap_last_cap(void) {
        static atomic_int saved = INT_MAX;
        int r, c;

        c = saved;
        if (c != INT_MAX)
                return c;

        /* Available since linux-3.2 */
        _cleanup_free_ char *content = NULL;
        r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
        if (r < 0)
                log_debug_errno(r, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");
        else {
                r = safe_atoi(content, &c);
                if (r < 0)
                        log_debug_errno(r, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");
                else {
                        if (c > CAP_LIMIT) /* Safety for the future: if one day the kernel learns more than
                                            * 64 caps, then we are in trouble (since we, as much userspace
                                            * and kernel space store capability masks in uint64_t types). We
                                            * also want to use UINT64_MAX as marker for "unset". Hence let's
                                            * hence protect ourselves against that and always cap at 62 for
                                            * now. */
                                c = CAP_LIMIT;

                        saved = c;
                        return c;
                }
        }

        /* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
        unsigned long p = (unsigned long) MIN(CAP_LAST_CAP, CAP_LIMIT);

        if (prctl(PR_CAPBSET_READ, p) < 0) {

                /* Hmm, look downwards, until we find one that works */
                for (p--; p > 0; p--)
                        if (prctl(PR_CAPBSET_READ, p) >= 0)
                                break;

        } else {

                /* Hmm, look upwards, until we find one that doesn't work */
                for (; p < CAP_LIMIT; p++)
                        if (prctl(PR_CAPBSET_READ, p+1) < 0)
                                break;
        }

        c = (int) p;
        saved = c;
        return c;
}

int have_effective_cap(unsigned cap) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        return BIT_SET(q.effective, cap);
}

int have_inheritable_cap(unsigned cap) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        return BIT_SET(q.inheritable, cap);
}

int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
        int r;

        /* Remove capabilities requested in ambient set, but not in the bounding set */
        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (!BIT_SET(set, i))
                        continue;

                if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {
                        log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
                                  capability_to_name(i));
                        CLEAR_BIT(set, i);
                }
        }

        /* Add the capabilities to the ambient set (an possibly also the inheritable set) */

        if (also_inherit) {
                CapabilityQuintet q;

                r = capability_get(&q);
                if (r < 0)
                        return r;

                q.inheritable = set;

                r = capability_apply(&q);
                if (r < 0)
                        return r;
        }

        for (unsigned i = 0; i <= cap_last_cap(); i++)
                if (BIT_SET(set, i)) {
                        /* Add the capability to the ambient set. */
                        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
                                return -errno;
                } else {
                        /* Drop the capability so we don't inherit capabilities we didn't ask for. */
                        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
                        if (r < 0)
                                return -errno;
                        if (r > 0)
                                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
                                        return -errno;
                }

        return 0;
}

int capability_gain_cap_setpcap(void) {
        CapabilityQuintet q;
        int r;

        r = capability_get(&q);
        if (r < 0)
                return r;

        if (BIT_SET(q.effective, CAP_SETPCAP))
                return 1; /* We already have capability. */

        SET_BIT(q.effective, CAP_SETPCAP);

        r = capability_apply(&q);
        if (r < 0) {
                /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this
                 * just means we'll fail later, when we actually intend to drop some capabilities or try to
                 * set securebits. */
                log_debug_errno(r, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
                return 0;
        }

        return 1; /* acquired */
}

int capability_bounding_set_drop(uint64_t keep, bool right_now) {
        int k, r;

        /* If we are run as PID 1 we will lack CAP_SETPCAP by default in the effective set (yes, the kernel
         * drops that when executing init!), so get it back temporarily so that we can call PR_CAPBSET_DROP. */

        CapabilityQuintet q;
        r = capability_get(&q);
        if (r < 0)
                return r;
        CapabilityQuintet saved = q;

        r = capability_gain_cap_setpcap();
        if (r < 0)
                return r;

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (BIT_SET(keep, i))
                        continue;

                /* Drop it from the bounding set */
                if (prctl(PR_CAPBSET_DROP, i) < 0) {
                        r = -errno;

                        /* If dropping the capability failed, let's see if we didn't have it in the first
                         * place. If so, continue anyway, as dropping a capability we didn't have in the
                         * first place doesn't really matter anyway. */
                        if (prctl(PR_CAPBSET_READ, i) != 0)
                                goto finish;
                }

                /* Also drop it from the inheritable set, so that anything we exec() loses the capability for
                 * good. */
                CLEAR_BIT(q.inheritable, i);

                /* If we shall apply this right now drop it also from our own capability sets. */
                if (right_now) {
                        CLEAR_BIT(q.effective, i);
                        CLEAR_BIT(q.permitted, i);
                }
        }

        r = 0;

finish:
        k = capability_apply(&q);
        if (k < 0)
                /* If there are no actual changes anyway then let's ignore this error. */
                if (!capability_quintet_equal(&q, &saved))
                        return k;

        return r;
}

static int drop_from_file(const char *fn, uint64_t keep) {
        _cleanup_free_ char *p = NULL;
        uint64_t current, after;
        uint32_t hi, lo;
        int r, k;

        r = read_one_line_file(fn, &p);
        if (r < 0)
                return r;

        k = sscanf(p, "%" PRIu32 " %" PRIu32, &lo, &hi);
        if (k != 2)
                return -EIO;

        current = (uint64_t) lo | ((uint64_t) hi << 32);
        after = current & keep;

        if (current == after)
                return 0;

        lo = after & UINT32_MAX;
        hi = (after >> 32) & UINT32_MAX;

        return write_string_filef(fn, 0, "%" PRIu32 " %" PRIu32, lo, hi);
}

int capability_bounding_set_drop_usermode(uint64_t keep) {
        int r;

        r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);
        if (r < 0)
                return r;

        r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);
        if (r < 0)
                return r;

        return r;
}

int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
        int r;

        /* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
         * want to keep some capabilities. Since file capabilities have been introduced this cannot be done
         * across exec() anymore, unless our binary has the capability configured in the file system, which
         * we want to avoid. */

        if (setresgid(gid, gid, gid) < 0)
                return log_error_errno(errno, "Failed to change group ID: %m");

        r = maybe_setgroups(/* size= */ 0, /* list= */ NULL);
        if (r < 0)
                return log_error_errno(r, "Failed to drop auxiliary groups list: %m");

        /* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
         * don't want to keep any capabilities, since we want to be able to drop them from the bounding set
         * too, and we can only do that if we have capabilities. */
        if (prctl(PR_SET_KEEPCAPS, 1) < 0)
                return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");

        if (setresuid(uid, uid, uid) < 0)
                return log_error_errno(errno, "Failed to change user ID: %m");

        if (prctl(PR_SET_KEEPCAPS, 0) < 0)
                return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");

        /* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
         * the ones we want to keep */
        r = capability_bounding_set_drop(keep_capabilities, /* right_now= */ true);
        if (r < 0)
                return log_error_errno(r, "Failed to drop capabilities: %m");

        /* Now upgrade the permitted caps we still kept to effective caps */
        if (keep_capabilities != 0) {
                CapabilityQuintet q = {
                        .effective = keep_capabilities,
                        .permitted = keep_capabilities,
                };

                r = capability_apply(&q);
                if (r < 0)
                        return log_error_errno(r, "Failed to increase capabilities: %m");
        }

        return 0;
}

static int change_capability(unsigned cap, bool b) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        if (b) {
                SET_BIT(q.effective, cap);
                SET_BIT(q.permitted, cap);
                SET_BIT(q.inheritable, cap);
        } else {
                CLEAR_BIT(q.effective, cap);
                CLEAR_BIT(q.permitted, cap);
                CLEAR_BIT(q.inheritable, cap);
        }

        return capability_apply(&q);
}

int drop_capability(unsigned cap) {
        return change_capability(cap, false);
}

int keep_capability(unsigned cap) {
        return change_capability(cap, true);
}

bool capability_quintet_mangle(CapabilityQuintet *q) {
        uint64_t combined, drop = 0;

        assert(q);

        combined = q->effective | q->bounding | q->inheritable | q->permitted | q->ambient;

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (!BIT_SET(combined, i))
                        continue;

                if (prctl(PR_CAPBSET_READ, (unsigned long) i) > 0)
                        continue;

                SET_BIT(drop, i);

                log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i));
        }

        q->effective &= ~drop;
        q->bounding &= ~drop;
        q->inheritable &= ~drop;
        q->permitted &= ~drop;
        q->ambient &= ~drop;

        return drop != 0; /* Let the caller know we changed something */
}

int capability_quintet_enforce(const CapabilityQuintet *q) {
        CapabilityQuintet c;
        bool modified = false;
        int r;

        if (q->ambient != CAP_MASK_UNSET ||
            q->inheritable != CAP_MASK_UNSET ||
            q->permitted != CAP_MASK_UNSET ||
            q->effective != CAP_MASK_UNSET) {
                r = capability_get(&c);
                if (r < 0)
                        return r;
        }

        if (q->ambient != CAP_MASK_UNSET) {
                /* In order to raise the ambient caps set we first need to raise the matching
                 * inheritable + permitted cap */
                if (!FLAGS_SET(c.permitted, q->ambient) ||
                    !FLAGS_SET(c.inheritable, q->ambient)) {

                        c.permitted |= q->ambient;
                        c.inheritable |= q->ambient;

                        r = capability_apply(&c);
                        if (r < 0)
                                return r;
                }

                r = capability_ambient_set_apply(q->ambient, /* also_inherit= */ false);
                if (r < 0)
                        return r;
        }

        if (q->inheritable != CAP_MASK_UNSET || q->permitted != CAP_MASK_UNSET || q->effective != CAP_MASK_UNSET) {
                if (!FLAGS_SET(c.effective, q->effective) ||
                    !FLAGS_SET(c.permitted, q->permitted) ||
                    !FLAGS_SET(c.inheritable, q->inheritable)) {

                        c.effective |= q->effective;
                        c.permitted |= q->permitted;
                        c.inheritable |= q->inheritable;

                        /* Now, let's enforce the caps for the first time. Note that this is where we acquire
                         * caps in any of the sets we currently don't have. We have to do this before
                         * dropping the bounding caps below, since at that point we can never acquire new
                         * caps in inherited/permitted/effective anymore, but only lose them.
                         *
                         * In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
                         * longer. Let's add it to our list hence for now. */
                        if (q->bounding != CAP_MASK_UNSET &&
                            (!BIT_SET(c.effective, CAP_SETPCAP) || !BIT_SET(c.permitted, CAP_SETPCAP))) {
                                CapabilityQuintet tmp = c;

                                SET_BIT(c.effective, CAP_SETPCAP);
                                SET_BIT(c.permitted, CAP_SETPCAP);

                                modified = true;

                                r = capability_apply(&tmp);
                        } else
                                r = capability_apply(&c);
                        if (r < 0)
                                return r;
                }
        }

        if (q->bounding != CAP_MASK_UNSET) {
                r = capability_bounding_set_drop(q->bounding, /* right_now= */ false);
                if (r < 0)
                        return r;
        }

        /* If needed, let's now set the caps again, this time in the final version, which differs from what
         * we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
         * bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
         * matter. */
        if (modified) {
                r = capability_apply(&c);
                if (r < 0)
                        return r;
        }

        return 0;
}

int capability_get_ambient(uint64_t *ret) {
        uint64_t a = 0;
        int r;

        assert(ret);

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
                if (r < 0)
                        return -errno;
                if (r > 0)
                        SET_BIT(a, i);
        }

        *ret = a;
        return 1;
}

int pidref_get_capability(const PidRef *pidref, CapabilityQuintet *ret) {
        int r;

        if (!pidref_is_set(pidref))
                return -ESRCH;
        if (pidref_is_remote(pidref))
                return -EREMOTE;

        const char *path = procfs_file_alloca(pidref->pid, "status");
        _cleanup_fclose_ FILE *f = fopen(path, "re");
        if (!f) {
                if (errno == ENOENT && proc_mounted() == 0)
                        return -ENOSYS;

                return -errno;
        }

        CapabilityQuintet q = CAPABILITY_QUINTET_NULL;
        for (;;) {
                _cleanup_free_ char *line = NULL;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return r;
                if (r == 0)
                        break;

                static const struct {
                        const char *field;
                        size_t offset;
                } fields[] = {
                        { "CapBnd:", offsetof(CapabilityQuintet, bounding)    },
                        { "CapInh:", offsetof(CapabilityQuintet, inheritable) },
                        { "CapPrm:", offsetof(CapabilityQuintet, permitted)   },
                        { "CapEff:", offsetof(CapabilityQuintet, effective)   },
                        { "CapAmb:", offsetof(CapabilityQuintet, ambient)     },
                };

                FOREACH_ELEMENT(i, fields) {

                        const char *p = first_word(line, i->field);
                        if (!p)
                                continue;

                        uint64_t *v = (uint64_t*) ((uint8_t*) &q + i->offset);

                        if (*v != CAP_MASK_UNSET)
                                return -EBADMSG;

                        r = safe_atoux64(p, v);
                        if (r < 0)
                                return r;

                        if (*v == CAP_MASK_UNSET)
                                return -EBADMSG;
                }
        }

        if (!capability_quintet_is_fully_set(&q))
                return -EBADMSG;

        r = pidref_verify(pidref);
        if (r < 0)
                return r;

        if (ret)
                *ret = q;

        return 0;
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <linux/prctl.h>
4	#include <stdatomic.h>
5	#include <stdio.h>
6	#include <sys/prctl.h>
7	#include <sys/syscall.h>
8	#include <unistd.h>
9
10	#include "alloc-util.h"
11	#include "bitfield.h"
12	#include "capability-list.h"
13	#include "capability-util.h"
14	#include "errno-util.h"
15	#include "fd-util.h"
16	#include "fileio.h"
17	#include "log.h"
18	#include "parse-util.h"
19	#include "pidref.h"
20	#include "process-util.h"
21	#include "stat-util.h"
22	#include "user-util.h"
23
24	int capability_get(CapabilityQuintet *ret) {	210,387✔
25	assert(ret);	210,387✔
26
27	struct __user_cap_header_struct hdr = {	420,774✔
28	.version = _LINUX_CAPABILITY_VERSION_3,
29	.pid = getpid_cached(),	210,387✔
30	};
31
32	assert_cc(_LINUX_CAPABILITY_U32S_3 == 2);	210,387✔
33	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];	210,387✔
34	if (syscall(SYS_capget, &hdr, data) < 0)	210,387✔
35	return -errno;	×
36
37	*ret = (CapabilityQuintet) {	210,387✔
38	.effective = (uint64_t) data[0].effective \| ((uint64_t) data[1].effective << 32),	210,387✔
39	.bounding = UINT64_MAX,
40	.inheritable = (uint64_t) data[0].inheritable \| ((uint64_t) data[1].inheritable << 32),	210,387✔
41	.permitted = (uint64_t) data[0].permitted \| ((uint64_t) data[1].permitted << 32),	210,387✔
42	.ambient = UINT64_MAX,
43	};
44	return 0;	210,387✔
45	}
46
47	static int capability_apply(const CapabilityQuintet *q) {	6,999✔
48	assert(q);	6,999✔
49
50	struct __user_cap_header_struct hdr = {	13,998✔
51	.version = _LINUX_CAPABILITY_VERSION_3,
52	.pid = getpid_cached(),	6,999✔
53	};
54
55	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {	6,999✔
56	{
57	.effective = (uint32_t) (q->effective & UINT32_MAX),	6,999✔
58	.inheritable = (uint32_t) (q->inheritable & UINT32_MAX),	6,999✔
59	.permitted = (uint32_t) (q->permitted & UINT32_MAX),	6,999✔
60	},
61	{
62	.effective = (uint32_t) (q->effective >> 32),	6,999✔
63	.inheritable = (uint32_t) (q->inheritable >> 32),	6,999✔
64	.permitted = (uint32_t) (q->permitted >> 32),	6,999✔
65	},
66	};
67	return RET_NERRNO(syscall(SYS_capset, &hdr, data));	6,999✔
68	}
69
70	unsigned cap_last_cap(void) {	1,717,961✔
71	static atomic_int saved = INT_MAX;	1,717,961✔
72	int r, c;	1,717,961✔
73
74	c = saved;	1,717,961✔
75	if (c != INT_MAX)	1,717,961✔
76	return c;	1,717,961✔
77
78	/* Available since linux-3.2 */
79	_cleanup_free_ char *content = NULL;	12,568✔
80	r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);	12,568✔
81	if (r < 0)	12,568✔
82	log_debug_errno(r, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");	×
83	else {
84	r = safe_atoi(content, &c);	12,568✔
85	if (r < 0)	12,568✔
86	log_debug_errno(r, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");	×
87	else {
88	if (c > CAP_LIMIT) /* Safety for the future: if one day the kernel learns more than	12,568✔
89	* 64 caps, then we are in trouble (since we, as much userspace
90	* and kernel space store capability masks in uint64_t types). We
91	* also want to use UINT64_MAX as marker for "unset". Hence let's
92	* hence protect ourselves against that and always cap at 62 for
93	* now. */
94	c = CAP_LIMIT;	×
95
96	saved = c;	12,568✔
97	return c;	12,568✔
98	}
99	}
100
101	/* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
102	unsigned long p = (unsigned long) MIN(CAP_LAST_CAP, CAP_LIMIT);	×
103
104	if (prctl(PR_CAPBSET_READ, p) < 0) {	×
105
106	/* Hmm, look downwards, until we find one that works */
107	for (p--; p > 0; p--)	×
108	if (prctl(PR_CAPBSET_READ, p) >= 0)	×
109	break;
110
111	} else {
112
113	/* Hmm, look upwards, until we find one that doesn't work */
114	for (; p < CAP_LIMIT; p++)	×
115	if (prctl(PR_CAPBSET_READ, p+1) < 0)	×
116	break;
117	}
118
119	c = (int) p;	×
120	saved = c;	×
121	return c;	×
122	}
123
124	int have_effective_cap(unsigned cap) {	200,284✔
125	CapabilityQuintet q;	200,284✔
126	int r;	200,284✔
127
128	assert(cap <= CAP_LIMIT);	200,284✔
129
130	r = capability_get(&q);	200,284✔
131	if (r < 0)	200,284✔
132	return r;	200,284✔
133
134	return BIT_SET(q.effective, cap);	200,284✔
135	}
136
137	int have_inheritable_cap(unsigned cap) {	2✔
138	CapabilityQuintet q;	2✔
139	int r;	2✔
140
141	assert(cap <= CAP_LIMIT);	2✔
142
143	r = capability_get(&q);	2✔
144	if (r < 0)	2✔
145	return r;	2✔
146
147	return BIT_SET(q.inheritable, cap);	2✔
148	}
149
150	int capability_ambient_set_apply(uint64_t set, bool also_inherit) {	18,395✔
151	int r;	18,395✔
152
153	/* Remove capabilities requested in ambient set, but not in the bounding set */
154	for (unsigned i = 0; i <= cap_last_cap(); i++) {	772,590✔
155	if (!BIT_SET(set, i))	754,195✔
156	continue;	747,392✔
157
158	if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {	6,803✔
159	log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",	1✔
160	capability_to_name(i));
161	CLEAR_BIT(set, i);	1✔
162	}
163	}
164
165	/* Add the capabilities to the ambient set (an possibly also the inheritable set) */
166
167	if (also_inherit) {	18,395✔
168	CapabilityQuintet q;	706✔
169
170	r = capability_get(&q);	706✔
171	if (r < 0)	706✔
172	return r;	×
173
174	q.inheritable = set;	706✔
175
176	r = capability_apply(&q);	706✔
177	if (r < 0)	706✔
178	return r;
179	}
180
181	for (unsigned i = 0; i <= cap_last_cap(); i++)	772,590✔
182	if (BIT_SET(set, i)) {	754,195✔
183	/* Add the capability to the ambient set. */
184	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)	6,802✔
185	return -errno;	×
186	} else {
187	/* Drop the capability so we don't inherit capabilities we didn't ask for. */
188	r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);	747,393✔
189	if (r < 0)	747,393✔
190	return -errno;	×
191	if (r > 0)	747,393✔
192	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)	449✔
193	return -errno;	×
194	}
195
196	return 0;
197	}
198
199	int capability_gain_cap_setpcap(void) {	3,185✔
200	CapabilityQuintet q;	3,185✔
201	int r;	3,185✔
202
203	r = capability_get(&q);	3,185✔
204	if (r < 0)	3,185✔
205	return r;	3,185✔
206
207	if (BIT_SET(q.effective, CAP_SETPCAP))	3,185✔
208	return 1; /* We already have capability. */
209
210	SET_BIT(q.effective, CAP_SETPCAP);	85✔
211
212	r = capability_apply(&q);	85✔
213	if (r < 0) {	85✔
214	/* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this
215	* just means we'll fail later, when we actually intend to drop some capabilities or try to
216	* set securebits. */
217	log_debug_errno(r, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");	×
218	return 0;	×
219	}
220
221	return 1; /* acquired */
222	}
223
224	int capability_bounding_set_drop(uint64_t keep, bool right_now) {	2,427✔
225	int k, r;	2,427✔
226
227	/* If we are run as PID 1 we will lack CAP_SETPCAP by default in the effective set (yes, the kernel
228	* drops that when executing init!), so get it back temporarily so that we can call PR_CAPBSET_DROP. */
229
230	CapabilityQuintet q;	2,427✔
231	r = capability_get(&q);	2,427✔
232	if (r < 0)	2,427✔
233	return r;	2,427✔
234	CapabilityQuintet saved = q;	2,427✔
235
236	r = capability_gain_cap_setpcap();	2,427✔
237	if (r < 0)	2,427✔
238	return r;
239
240	for (unsigned i = 0; i <= cap_last_cap(); i++) {	101,934✔
241	if (BIT_SET(keep, i))	99,507✔
242	continue;	26,829✔
243
244	/* Drop it from the bounding set */
245	if (prctl(PR_CAPBSET_DROP, i) < 0) {	72,678✔
246	r = -errno;	×
247
248	/* If dropping the capability failed, let's see if we didn't have it in the first
249	* place. If so, continue anyway, as dropping a capability we didn't have in the
250	* first place doesn't really matter anyway. */
251	if (prctl(PR_CAPBSET_READ, i) != 0)	×
252	goto finish;	×
253	}
254
255	/* Also drop it from the inheritable set, so that anything we exec() loses the capability for
256	* good. */
257	CLEAR_BIT(q.inheritable, i);	72,678✔
258
259	/* If we shall apply this right now drop it also from our own capability sets. */
260	if (right_now) {	72,678✔
261	CLEAR_BIT(q.effective, i);	1,734✔
262	CLEAR_BIT(q.permitted, i);	1,734✔
263	}
264	}
265
266	r = 0;
267
268	finish:	2,427✔
269	k = capability_apply(&q);	2,427✔
270	if (k < 0)	2,427✔
271	/* If there are no actual changes anyway then let's ignore this error. */
272	if (!capability_quintet_equal(&q, &saved))	×
273	return k;	×
274
275	return r;
276	}
277
278	static int drop_from_file(const char *fn, uint64_t keep) {	×
279	_cleanup_free_ char *p = NULL;	×
280	uint64_t current, after;	×
281	uint32_t hi, lo;	×
282	int r, k;	×
283
284	r = read_one_line_file(fn, &p);	×
285	if (r < 0)	×
286	return r;
287
288	k = sscanf(p, "%" PRIu32 " %" PRIu32, &lo, &hi);	×
289	if (k != 2)	×
290	return -EIO;
291
292	current = (uint64_t) lo \| ((uint64_t) hi << 32);	×
293	after = current & keep;	×
294
295	if (current == after)	×
296	return 0;
297
298	lo = after & UINT32_MAX;	×
299	hi = (after >> 32) & UINT32_MAX;	×
300
301	return write_string_filef(fn, 0, "%" PRIu32 " %" PRIu32, lo, hi);	×
302	}
303
304	int capability_bounding_set_drop_usermode(uint64_t keep) {	×
305	int r;	×
306
307	r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);	×
308	if (r < 0)	×
309	return r;
310
311	r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);	×
312	if (r < 0)	×
313	return r;	×
314
315	return r;
316	}
317
318	int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {	26✔
319	int r;	26✔
320
321	/* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
322	* want to keep some capabilities. Since file capabilities have been introduced this cannot be done
323	* across exec() anymore, unless our binary has the capability configured in the file system, which
324	* we want to avoid. */
325
326	if (setresgid(gid, gid, gid) < 0)	26✔
327	return log_error_errno(errno, "Failed to change group ID: %m");	1✔
328
329	r = maybe_setgroups(/* size= / 0, / list= */ NULL);	25✔
330	if (r < 0)	25✔
331	return log_error_errno(r, "Failed to drop auxiliary groups list: %m");	1✔
332
333	/* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
334	* don't want to keep any capabilities, since we want to be able to drop them from the bounding set
335	* too, and we can only do that if we have capabilities. */
336	if (prctl(PR_SET_KEEPCAPS, 1) < 0)	24✔
337	return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");	×
338
339	if (setresuid(uid, uid, uid) < 0)	24✔
340	return log_error_errno(errno, "Failed to change user ID: %m");	×
341
342	if (prctl(PR_SET_KEEPCAPS, 0) < 0)	24✔
343	return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");	×
344
345	/* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
346	* the ones we want to keep */
347	r = capability_bounding_set_drop(keep_capabilities, /* right_now= */ true);	24✔
348	if (r < 0)	24✔
349	return log_error_errno(r, "Failed to drop capabilities: %m");	×
350
351	/* Now upgrade the permitted caps we still kept to effective caps */
352	if (keep_capabilities != 0) {	24✔
353	CapabilityQuintet q = {	4✔
354	.effective = keep_capabilities,
355	.permitted = keep_capabilities,
356	};
357
358	r = capability_apply(&q);	4✔
359	if (r < 0)	4✔
360	return log_error_errno(r, "Failed to increase capabilities: %m");	×
361	}
362
363	return 0;
364	}
365
366	static int change_capability(unsigned cap, bool b) {	3,659✔
367	CapabilityQuintet q;	3,659✔
368	int r;	3,659✔
369
370	assert(cap <= CAP_LIMIT);	3,659✔
371
372	r = capability_get(&q);	3,659✔
373	if (r < 0)	3,659✔
374	return r;	3,659✔
375
376	if (b) {	3,659✔
377	SET_BIT(q.effective, cap);	1,402✔
378	SET_BIT(q.permitted, cap);	1,402✔
379	SET_BIT(q.inheritable, cap);	1,402✔
380	} else {
381	CLEAR_BIT(q.effective, cap);	2,257✔
382	CLEAR_BIT(q.permitted, cap);	2,257✔
383	CLEAR_BIT(q.inheritable, cap);	2,257✔
384	}
385
386	return capability_apply(&q);	3,659✔
387	}
388
389	int drop_capability(unsigned cap) {	2,257✔
390	return change_capability(cap, false);	2,257✔
391	}
392
393	int keep_capability(unsigned cap) {	1,402✔
394	return change_capability(cap, true);	1,402✔
395	}
396
397	bool capability_quintet_mangle(CapabilityQuintet *q) {	121✔
398	uint64_t combined, drop = 0;	121✔
399
400	assert(q);	121✔
401
402	combined = q->effective \| q->bounding \| q->inheritable \| q->permitted \| q->ambient;	121✔
403
404	for (unsigned i = 0; i <= cap_last_cap(); i++) {	5,082✔
405	if (!BIT_SET(combined, i))	4,961✔
406	continue;	1,785✔
407
408	if (prctl(PR_CAPBSET_READ, (unsigned long) i) > 0)	3,176✔
409	continue;	3,176✔
410
411	SET_BIT(drop, i);	×
412
413	log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i));	×
414	}
415
416	q->effective &= ~drop;	121✔
417	q->bounding &= ~drop;	121✔
418	q->inheritable &= ~drop;	121✔
419	q->permitted &= ~drop;	121✔
420	q->ambient &= ~drop;	121✔
421
422	return drop != 0; /* Let the caller know we changed something */	121✔
423	}
424
425	int capability_quintet_enforce(const CapabilityQuintet *q) {	121✔
426	CapabilityQuintet c;	121✔
427	bool modified = false;	121✔
428	int r;	121✔
429
430	if (q->ambient != CAP_MASK_UNSET \|\|	121✔
431	q->inheritable != CAP_MASK_UNSET \|\|	×
432	q->permitted != CAP_MASK_UNSET \|\|	×
433	q->effective != CAP_MASK_UNSET) {	×
434	r = capability_get(&c);	121✔
435	if (r < 0)	121✔
436	return r;	121✔
437	}
438
439	if (q->ambient != CAP_MASK_UNSET) {	121✔
440	/* In order to raise the ambient caps set we first need to raise the matching
441	* inheritable + permitted cap */
442	if (!FLAGS_SET(c.permitted, q->ambient) \|\|	121✔
443	!FLAGS_SET(c.inheritable, q->ambient)) {	121✔
444
445	c.permitted \|= q->ambient;	1✔
446	c.inheritable \|= q->ambient;	1✔
447
448	r = capability_apply(&c);	1✔
449	if (r < 0)	1✔
450	return r;
451	}
452
453	r = capability_ambient_set_apply(q->ambient, /* also_inherit= */ false);	121✔
454	if (r < 0)	121✔
455	return r;
456	}
457
458	if (q->inheritable != CAP_MASK_UNSET \|\| q->permitted != CAP_MASK_UNSET \|\| q->effective != CAP_MASK_UNSET) {	121✔
459	if (!FLAGS_SET(c.effective, q->effective) \|\|	120✔
460	!FLAGS_SET(c.permitted, q->permitted) \|\|	120✔
461	!FLAGS_SET(c.inheritable, q->inheritable)) {	120✔
462
463	c.effective \|= q->effective;	117✔
464	c.permitted \|= q->permitted;	117✔
465	c.inheritable \|= q->inheritable;	117✔
466
467	/* Now, let's enforce the caps for the first time. Note that this is where we acquire
468	* caps in any of the sets we currently don't have. We have to do this before
469	* dropping the bounding caps below, since at that point we can never acquire new
470	* caps in inherited/permitted/effective anymore, but only lose them.
471	*
472	* In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
473	* longer. Let's add it to our list hence for now. */
474	if (q->bounding != CAP_MASK_UNSET &&	117✔
475	(!BIT_SET(c.effective, CAP_SETPCAP) \|\| !BIT_SET(c.permitted, CAP_SETPCAP))) {	117✔
476	CapabilityQuintet tmp = c;	×
477
478	SET_BIT(c.effective, CAP_SETPCAP);	×
479	SET_BIT(c.permitted, CAP_SETPCAP);	×
480
481	modified = true;	×
482
483	r = capability_apply(&tmp);	×
484	} else
485	r = capability_apply(&c);	117✔
486	if (r < 0)	117✔
487	return r;
488	}
489	}
490
491	if (q->bounding != CAP_MASK_UNSET) {	121✔
492	r = capability_bounding_set_drop(q->bounding, /* right_now= */ false);	120✔
493	if (r < 0)	120✔
494	return r;
495	}
496
497	/* If needed, let's now set the caps again, this time in the final version, which differs from what
498	* we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
499	* bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
500	* matter. */
501	if (modified) {	121✔
502	r = capability_apply(&c);	×
503	if (r < 0)	×
504	return r;	×
505	}
506
507	return 0;
508	}
509
510	int capability_get_ambient(uint64_t *ret) {	692✔
511	uint64_t a = 0;	692✔
512	int r;	692✔
513
514	assert(ret);	692✔
515
516	for (unsigned i = 0; i <= cap_last_cap(); i++) {	29,064✔
517	r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);	28,372✔
518	if (r < 0)	28,372✔
519	return -errno;	×
520	if (r > 0)	28,372✔
521	SET_BIT(a, i);	113✔
522	}
523
524	*ret = a;	692✔
525	return 1;	692✔
526	}
527
528	int pidref_get_capability(const PidRef pidref, CapabilityQuintet ret) {	15,197✔
529	int r;	15,197✔
530
531	if (!pidref_is_set(pidref))	15,197✔
532	return -ESRCH;	15,197✔
533	if (pidref_is_remote(pidref))	15,197✔
534	return -EREMOTE;
535
536	const char *path = procfs_file_alloca(pidref->pid, "status");	15,197✔
537	_cleanup_fclose_ FILE *f = fopen(path, "re");	30,394✔
538	if (!f) {	15,197✔
539	if (errno == ENOENT && proc_mounted() == 0)	4,524✔
540	return -ENOSYS;
541
542	return -errno;	4,524✔
543	}
544
545	CapabilityQuintet q = CAPABILITY_QUINTET_NULL;	10,673✔
546	for (;;) {	1,301,927✔
547	_cleanup_free_ char *line = NULL;	645,627✔
548
549	r = read_line(f, LONG_LINE_MAX, &line);	656,300✔
550	if (r < 0)	656,300✔
551	return r;
552	if (r == 0)	656,300✔
553	break;
554
555	static const struct {
556	const char *field;
557	size_t offset;
558	} fields[] = {
559	{ "CapBnd:", offsetof(CapabilityQuintet, bounding) },
560	{ "CapInh:", offsetof(CapabilityQuintet, inheritable) },
561	{ "CapPrm:", offsetof(CapabilityQuintet, permitted) },
562	{ "CapEff:", offsetof(CapabilityQuintet, effective) },
563	{ "CapAmb:", offsetof(CapabilityQuintet, ambient) },
564	};
565
566	FOREACH_ELEMENT(i, fields) {	3,873,762✔
567
568	const char *p = first_word(line, i->field);	3,228,135✔
569	if (!p)	3,228,135✔
570	continue;	3,174,770✔
571
572	uint64_t v = (uint64_t) ((uint8_t*) &q + i->offset);	53,365✔
573
574	if (*v != CAP_MASK_UNSET)	53,365✔
575	return -EBADMSG;
576
577	r = safe_atoux64(p, v);	53,365✔
578	if (r < 0)	53,365✔
579	return r;
580
581	if (*v == CAP_MASK_UNSET)	53,365✔
582	return -EBADMSG;
583	}
584	}
585
586	if (!capability_quintet_is_fully_set(&q))	10,673✔
587	return -EBADMSG;
588
589	r = pidref_verify(pidref);	10,673✔
590	if (r < 0)	10,673✔
591	return r;
592
593	if (ret)	10,673✔
594	*ret = q;	10,673✔
595
596	return 0;
597	}

systemd / systemd / 18795135167

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous