28272947092

Committed 26 Jun 2026 08:38PM UTC coverage: 72.893% (+0.2%) from 72.703%

Build # 28272947092

Build Type

push

github

Committed by

poettering

Commit Message

sysupdate: Address review feedback on CheckNew varlink scaffolding

Follow-up to #42422:

 - Rename process_image() to context_process_image(), since it now
   operates on a Context object.
 - Use IN_SET() in image_type_can_sysupdate() instead of a switch.
 - Name the return parameters of context_list_components() ret_xyz, per
   our coding style.
 - Drop a redundant "else" after a return in vl_method_check_new().

Coverage Stats

9 of 11 new or added lines in 1 file covered. (81.82%)

12567 existing lines in 144 files now uncovered.

341026 of 467845 relevant lines covered (72.89%)

1339355.33 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

78.23

/src/basic/capability-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <stdatomic.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#include "alloc-util.h"
#include "bitfield.h"
#include "capability-list.h"
#include "capability-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "log.h"
#include "parse-util.h"
#include "pidref.h"
#include "process-util.h"
#include "stat-util.h"
#include "user-util.h"

int capability_get(CapabilityQuintet *ret) {
        assert(ret);

        struct __user_cap_header_struct hdr = {
                .version = _LINUX_CAPABILITY_VERSION_3,
                .pid = getpid_cached(),
        };

        assert_cc(_LINUX_CAPABILITY_U32S_3 == 2);
        struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
        if (syscall(SYS_capget, &hdr, data) < 0)
                return -errno;

        *ret = (CapabilityQuintet) {
                .effective = (uint64_t) data[0].effective | ((uint64_t) data[1].effective << 32),
                .bounding = UINT64_MAX,
                .inheritable = (uint64_t) data[0].inheritable | ((uint64_t) data[1].inheritable << 32),
                .permitted = (uint64_t) data[0].permitted | ((uint64_t) data[1].permitted << 32),
                .ambient = UINT64_MAX,
        };
        return 0;
}

static int capability_apply(const CapabilityQuintet *q) {
        assert(q);

        struct __user_cap_header_struct hdr = {
                .version = _LINUX_CAPABILITY_VERSION_3,
                .pid = getpid_cached(),
        };

        struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {
                {
                        .effective = (uint32_t) (q->effective & UINT32_MAX),
                        .inheritable = (uint32_t) (q->inheritable & UINT32_MAX),
                        .permitted = (uint32_t) (q->permitted & UINT32_MAX),
                },
                {
                        .effective = (uint32_t) (q->effective >> 32),
                        .inheritable = (uint32_t) (q->inheritable >> 32),
                        .permitted = (uint32_t) (q->permitted >> 32),
                },
        };
        return RET_NERRNO(syscall(SYS_capset, &hdr, data));
}

unsigned cap_last_cap(void) {
        static atomic_int saved = INT_MAX;
        int r, c;

        c = saved;
        if (c != INT_MAX)
                return c;

        /* Available since linux-3.2 */
        _cleanup_free_ char *content = NULL;
        r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);
        if (r < 0)
                log_debug_errno(r, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");
        else {
                r = safe_atoi(content, &c);
                if (r < 0)
                        log_debug_errno(r, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");
                else {
                        if (c > CAP_LIMIT) /* Safety for the future: if one day the kernel learns more than
                                            * 64 caps, then we are in trouble (since we, as much userspace
                                            * and kernel space store capability masks in uint64_t types). We
                                            * also want to use UINT64_MAX as marker for "unset". Hence let's
                                            * hence protect ourselves against that and always cap at 62 for
                                            * now. */
                                c = CAP_LIMIT;

                        saved = c;
                        return c;
                }
        }

        /* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
        unsigned long p = (unsigned long) MIN(CAP_LAST_CAP, CAP_LIMIT);

        if (prctl(PR_CAPBSET_READ, p) < 0) {

                /* Hmm, look downwards, until we find one that works */
                for (p--; p > 0; p--)
                        if (prctl(PR_CAPBSET_READ, p) >= 0)
                                break;

        } else {

                /* Hmm, look upwards, until we find one that doesn't work */
                for (; p < CAP_LIMIT; p++)
                        if (prctl(PR_CAPBSET_READ, p+1) < 0)
                                break;
        }

        c = (int) p;
        saved = c;
        return c;
}

int have_effective_cap(unsigned cap) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        return BIT_SET(q.effective, cap);
}

int have_inheritable_cap(unsigned cap) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        return BIT_SET(q.inheritable, cap);
}

int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
        int r;

        /* Remove capabilities requested in ambient set, but not in the bounding set */
        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (!BIT_SET(set, i))
                        continue;

                if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {
                        log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",
                                  capability_to_name(i));
                        CLEAR_BIT(set, i);
                }
        }

        /* Add the capabilities to the ambient set (an possibly also the inheritable set) */

        if (also_inherit) {
                CapabilityQuintet q;

                r = capability_get(&q);
                if (r < 0)
                        return r;

                q.inheritable = set;

                r = capability_apply(&q);
                if (r < 0)
                        return r;
        }

        for (unsigned i = 0; i <= cap_last_cap(); i++)
                if (BIT_SET(set, i)) {
                        /* Add the capability to the ambient set. */
                        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)
                                return -errno;
                } else {
                        /* Drop the capability so we don't inherit capabilities we didn't ask for. */
                        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
                        if (r < 0)
                                return -errno;
                        if (r > 0)
                                if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)
                                        return -errno;
                }

        return 0;
}

int capability_gain_cap_setpcap(void) {
        CapabilityQuintet q;
        int r;

        r = capability_get(&q);
        if (r < 0)
                return r;

        if (BIT_SET(q.effective, CAP_SETPCAP))
                return 1; /* We already have capability. */

        SET_BIT(q.effective, CAP_SETPCAP);

        r = capability_apply(&q);
        if (r < 0) {
                /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this
                 * just means we'll fail later, when we actually intend to drop some capabilities or try to
                 * set securebits. */
                log_debug_errno(r, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
                return 0;
        }

        return 1; /* acquired */
}

int capability_bounding_set_drop(uint64_t keep, bool right_now) {
        int k, r;

        /* If we are run as PID 1 we will lack CAP_SETPCAP by default in the effective set (yes, the kernel
         * drops that when executing init!), so get it back temporarily so that we can call PR_CAPBSET_DROP. */

        CapabilityQuintet q;
        r = capability_get(&q);
        if (r < 0)
                return r;
        CapabilityQuintet saved = q;

        r = capability_gain_cap_setpcap();
        if (r < 0)
                return r;

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (BIT_SET(keep, i))
                        continue;

                /* Drop it from the bounding set */
                if (prctl(PR_CAPBSET_DROP, i) < 0) {
                        r = -errno;

                        /* If dropping the capability failed, let's see if we didn't have it in the first
                         * place. If so, continue anyway, as dropping a capability we didn't have in the
                         * first place doesn't really matter anyway. */
                        if (prctl(PR_CAPBSET_READ, i) != 0)
                                goto finish;
                }

                /* Also drop it from the inheritable set, so that anything we exec() loses the capability for
                 * good. */
                CLEAR_BIT(q.inheritable, i);

                /* If we shall apply this right now drop it also from our own capability sets. */
                if (right_now) {
                        CLEAR_BIT(q.effective, i);
                        CLEAR_BIT(q.permitted, i);
                }
        }

        r = 0;

finish:
        k = capability_apply(&q);
        if (k < 0)
                /* If there are no actual changes anyway then let's ignore this error. */
                if (!capability_quintet_equal(&q, &saved))
                        return k;

        return r;
}

static int drop_from_file(const char *fn, uint64_t keep) {
        _cleanup_free_ char *p = NULL;
        uint64_t current, after;
        uint32_t hi, lo;
        int r, k;

        r = read_one_line_file(fn, &p);
        if (r < 0)
                return r;

        k = sscanf(p, "%" PRIu32 " %" PRIu32, &lo, &hi);
        if (k != 2)
                return -EIO;

        current = (uint64_t) lo | ((uint64_t) hi << 32);
        after = current & keep;

        if (current == after)
                return 0;

        lo = after & UINT32_MAX;
        hi = (after >> 32) & UINT32_MAX;

        return write_string_filef(fn, 0, "%" PRIu32 " %" PRIu32, lo, hi);
}

int capability_bounding_set_drop_usermode(uint64_t keep) {
        int r;

        r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);
        if (r < 0)
                return r;

        r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);
        if (r < 0)
                return r;

        return r;
}

int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
        int r;

        /* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
         * want to keep some capabilities. Since file capabilities have been introduced this cannot be done
         * across exec() anymore, unless our binary has the capability configured in the file system, which
         * we want to avoid. */

        if (setresgid(gid, gid, gid) < 0)
                return log_error_errno(errno, "Failed to change group ID: %m");

        r = maybe_setgroups(/* size= */ 0, /* list= */ NULL);
        if (r < 0)
                return log_error_errno(r, "Failed to drop auxiliary groups list: %m");

        /* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
         * don't want to keep any capabilities, since we want to be able to drop them from the bounding set
         * too, and we can only do that if we have capabilities. */
        if (prctl(PR_SET_KEEPCAPS, 1) < 0)
                return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");

        if (setresuid(uid, uid, uid) < 0)
                return log_error_errno(errno, "Failed to change user ID: %m");

        if (prctl(PR_SET_KEEPCAPS, 0) < 0)
                return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");

        /* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
         * the ones we want to keep */
        r = capability_bounding_set_drop(keep_capabilities, /* right_now= */ true);
        if (r < 0)
                return log_error_errno(r, "Failed to drop capabilities: %m");

        /* Now upgrade the permitted caps we still kept to effective caps */
        if (keep_capabilities != 0) {
                CapabilityQuintet q = {
                        .effective = keep_capabilities,
                        .permitted = keep_capabilities,
                };

                r = capability_apply(&q);
                if (r < 0)
                        return log_error_errno(r, "Failed to increase capabilities: %m");
        }

        return 0;
}

static int change_capability(unsigned cap, bool b) {
        CapabilityQuintet q;
        int r;

        assert(cap <= CAP_LIMIT);

        r = capability_get(&q);
        if (r < 0)
                return r;

        if (b) {
                SET_BIT(q.effective, cap);
                SET_BIT(q.permitted, cap);
                SET_BIT(q.inheritable, cap);
        } else {
                CLEAR_BIT(q.effective, cap);
                CLEAR_BIT(q.permitted, cap);
                CLEAR_BIT(q.inheritable, cap);
        }

        return capability_apply(&q);
}

int drop_capability(unsigned cap) {
        return change_capability(cap, false);
}

int keep_capability(unsigned cap) {
        return change_capability(cap, true);
}

bool capability_quintet_mangle(CapabilityQuintet *q) {
        uint64_t combined, drop = 0;

        assert(q);

        combined = q->effective | q->bounding | q->inheritable | q->permitted | q->ambient;

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (!BIT_SET(combined, i))
                        continue;

                if (prctl(PR_CAPBSET_READ, (unsigned long) i) > 0)
                        continue;

                SET_BIT(drop, i);

                log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i));
        }

        q->effective &= ~drop;
        q->bounding &= ~drop;
        q->inheritable &= ~drop;
        q->permitted &= ~drop;
        q->ambient &= ~drop;

        return drop != 0; /* Let the caller know we changed something */
}

int capability_quintet_enforce(const CapabilityQuintet *q) {
        CapabilityQuintet c;
        bool modified = false;
        int r;

        assert(q);

        if (q->ambient != CAP_MASK_UNSET ||
            q->inheritable != CAP_MASK_UNSET ||
            q->permitted != CAP_MASK_UNSET ||
            q->effective != CAP_MASK_UNSET) {
                r = capability_get(&c);
                if (r < 0)
                        return r;
        }

        if (q->ambient != CAP_MASK_UNSET) {
                /* In order to raise the ambient caps set we first need to raise the matching
                 * inheritable + permitted cap */
                if (!FLAGS_SET(c.permitted, q->ambient) ||
                    !FLAGS_SET(c.inheritable, q->ambient)) {

                        c.permitted |= q->ambient;
                        c.inheritable |= q->ambient;

                        r = capability_apply(&c);
                        if (r < 0)
                                return r;
                }

                r = capability_ambient_set_apply(q->ambient, /* also_inherit= */ false);
                if (r < 0)
                        return r;
        }

        if (q->inheritable != CAP_MASK_UNSET || q->permitted != CAP_MASK_UNSET || q->effective != CAP_MASK_UNSET) {
                if (!FLAGS_SET(c.effective, q->effective) ||
                    !FLAGS_SET(c.permitted, q->permitted) ||
                    !FLAGS_SET(c.inheritable, q->inheritable)) {

                        c.effective |= q->effective;
                        c.permitted |= q->permitted;
                        c.inheritable |= q->inheritable;

                        /* Now, let's enforce the caps for the first time. Note that this is where we acquire
                         * caps in any of the sets we currently don't have. We have to do this before
                         * dropping the bounding caps below, since at that point we can never acquire new
                         * caps in inherited/permitted/effective anymore, but only lose them.
                         *
                         * In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
                         * longer. Let's add it to our list hence for now. */
                        if (q->bounding != CAP_MASK_UNSET &&
                            (!BIT_SET(c.effective, CAP_SETPCAP) || !BIT_SET(c.permitted, CAP_SETPCAP))) {
                                CapabilityQuintet tmp = c;

                                SET_BIT(c.effective, CAP_SETPCAP);
                                SET_BIT(c.permitted, CAP_SETPCAP);

                                modified = true;

                                r = capability_apply(&tmp);
                        } else
                                r = capability_apply(&c);
                        if (r < 0)
                                return r;
                }
        }

        if (q->bounding != CAP_MASK_UNSET) {
                r = capability_bounding_set_drop(q->bounding, /* right_now= */ false);
                if (r < 0)
                        return r;
        }

        /* If needed, let's now set the caps again, this time in the final version, which differs from what
         * we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
         * bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
         * matter. */
        if (modified) {
                r = capability_apply(&c);
                if (r < 0)
                        return r;
        }

        return 0;
}

int capability_get_ambient(uint64_t *ret) {
        uint64_t a = 0;
        int r;

        assert(ret);

        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);
                if (r < 0)
                        return -errno;
                if (r > 0)
                        SET_BIT(a, i);
        }

        *ret = a;
        return 1;
}

int pidref_get_capability(const PidRef *pidref, CapabilityQuintet *ret) {
        int r;

        if (!pidref_is_set(pidref))
                return -ESRCH;
        if (pidref_is_remote(pidref))
                return -EREMOTE;

        const char *path = procfs_file_alloca(pidref->pid, "status");
        _cleanup_fclose_ FILE *f = fopen(path, "re");
        if (!f) {
                if (errno == ENOENT && proc_mounted() == 0)
                        return -ENOSYS;

                return -errno;
        }

        CapabilityQuintet q = CAPABILITY_QUINTET_NULL;
        for (;;) {
                _cleanup_free_ char *line = NULL;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return r;
                if (r == 0)
                        break;

                static const struct {
                        const char *field;
                        size_t offset;
                } fields[] = {
                        { "CapBnd:", offsetof(CapabilityQuintet, bounding)    },
                        { "CapInh:", offsetof(CapabilityQuintet, inheritable) },
                        { "CapPrm:", offsetof(CapabilityQuintet, permitted)   },
                        { "CapEff:", offsetof(CapabilityQuintet, effective)   },
                        { "CapAmb:", offsetof(CapabilityQuintet, ambient)     },
                };

                FOREACH_ELEMENT(i, fields) {

                        const char *p = first_word(line, i->field);
                        if (!p)
                                continue;

                        uint64_t *v = (uint64_t*) ((uint8_t*) &q + i->offset);

                        if (*v != CAP_MASK_UNSET)
                                return -EBADMSG;

                        r = safe_atoux64(p, v);
                        if (r < 0)
                                return r;

                        if (*v == CAP_MASK_UNSET)
                                return -EBADMSG;
                }
        }

        if (!capability_quintet_is_fully_set(&q))
                return -EBADMSG;

        r = pidref_verify(pidref);
        if (r < 0)
                return r;

        if (ret)
                *ret = q;

        return 0;
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include <stdatomic.h>
4	#include <stdio.h>
5	#include <sys/prctl.h>
6	#include <sys/syscall.h>
7	#include <unistd.h>
8
9	#include "alloc-util.h"
10	#include "bitfield.h"
11	#include "capability-list.h"
12	#include "capability-util.h"
13	#include "errno-util.h"
14	#include "fd-util.h"
15	#include "fileio.h"
16	#include "log.h"
17	#include "parse-util.h"
18	#include "pidref.h"
19	#include "process-util.h"
20	#include "stat-util.h"
21	#include "user-util.h"
22
23	int capability_get(CapabilityQuintet *ret) {	236,409✔
24	assert(ret);	236,409✔
25
26	struct __user_cap_header_struct hdr = {	472,818✔
27	.version = _LINUX_CAPABILITY_VERSION_3,
28	.pid = getpid_cached(),	236,409✔
29	};
30
31	assert_cc(_LINUX_CAPABILITY_U32S_3 == 2);	236,409✔
32	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];	236,409✔
33	if (syscall(SYS_capget, &hdr, data) < 0)	236,409✔
34	return -errno;	×
35
36	*ret = (CapabilityQuintet) {	236,409✔
37	.effective = (uint64_t) data[0].effective \| ((uint64_t) data[1].effective << 32),	236,409✔
38	.bounding = UINT64_MAX,
39	.inheritable = (uint64_t) data[0].inheritable \| ((uint64_t) data[1].inheritable << 32),	236,409✔
40	.permitted = (uint64_t) data[0].permitted \| ((uint64_t) data[1].permitted << 32),	236,409✔
41	.ambient = UINT64_MAX,
42	};
43	return 0;	236,409✔
44	}
45
46	static int capability_apply(const CapabilityQuintet *q) {	7,816✔
47	assert(q);	7,816✔
48
49	struct __user_cap_header_struct hdr = {	15,632✔
50	.version = _LINUX_CAPABILITY_VERSION_3,
51	.pid = getpid_cached(),	7,816✔
52	};
53
54	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {	7,816✔
55	{
56	.effective = (uint32_t) (q->effective & UINT32_MAX),	7,816✔
57	.inheritable = (uint32_t) (q->inheritable & UINT32_MAX),	7,816✔
58	.permitted = (uint32_t) (q->permitted & UINT32_MAX),	7,816✔
59	},
60	{
61	.effective = (uint32_t) (q->effective >> 32),	7,816✔
62	.inheritable = (uint32_t) (q->inheritable >> 32),	7,816✔
63	.permitted = (uint32_t) (q->permitted >> 32),	7,816✔
64	},
65	};
66	return RET_NERRNO(syscall(SYS_capset, &hdr, data));	7,816✔
67	}
68
69	unsigned cap_last_cap(void) {	2,447,287✔
70	static atomic_int saved = INT_MAX;	2,447,287✔
71	int r, c;	2,447,287✔
72
73	c = saved;	2,447,287✔
74	if (c != INT_MAX)	2,447,287✔
75	return c;	2,447,287✔
76
77	/* Available since linux-3.2 */
78	_cleanup_free_ char *content = NULL;	13,301✔
79	r = read_one_line_file("/proc/sys/kernel/cap_last_cap", &content);	13,301✔
80	if (r < 0)	13,301✔
81	log_debug_errno(r, "Failed to read /proc/sys/kernel/cap_last_cap, ignoring: %m");	×
82	else {
83	r = safe_atoi(content, &c);	13,301✔
84	if (r < 0)	13,301✔
85	log_debug_errno(r, "Failed to parse /proc/sys/kernel/cap_last_cap, ignoring: %m");	×
86	else {
87	if (c > CAP_LIMIT) /* Safety for the future: if one day the kernel learns more than	13,301✔
88	* 64 caps, then we are in trouble (since we, as much userspace
89	* and kernel space store capability masks in uint64_t types). We
90	* also want to use UINT64_MAX as marker for "unset". Hence let's
91	* hence protect ourselves against that and always cap at 62 for
92	* now. */
93	c = CAP_LIMIT;	×
94
95	saved = c;	13,301✔
96	return c;	13,301✔
97	}
98	}
99
100	/* Fall back to syscall-probing for pre linux-3.2, or where /proc/ is not mounted */
101	unsigned long p = (unsigned long) MIN(CAP_LAST_CAP, CAP_LIMIT);	×
102
103	if (prctl(PR_CAPBSET_READ, p) < 0) {	×
104
105	/* Hmm, look downwards, until we find one that works */
106	for (p--; p > 0; p--)	×
107	if (prctl(PR_CAPBSET_READ, p) >= 0)	×
108	break;
109
110	} else {
111
112	/* Hmm, look upwards, until we find one that doesn't work */
113	for (; p < CAP_LIMIT; p++)	×
114	if (prctl(PR_CAPBSET_READ, p+1) < 0)	×
115	break;
116	}
117
118	c = (int) p;	×
119	saved = c;	×
120	return c;	×
121	}
122
123	int have_effective_cap(unsigned cap) {	224,960✔
124	CapabilityQuintet q;	224,960✔
125	int r;	224,960✔
126
127	assert(cap <= CAP_LIMIT);	224,960✔
128
129	r = capability_get(&q);	224,960✔
130	if (r < 0)	224,960✔
131	return r;	224,960✔
132
133	return BIT_SET(q.effective, cap);	224,960✔
134	}
135
136	int have_inheritable_cap(unsigned cap) {	2✔
137	CapabilityQuintet q;	2✔
138	int r;	2✔
139
140	assert(cap <= CAP_LIMIT);	2✔
141
142	r = capability_get(&q);	2✔
143	if (r < 0)	2✔
144	return r;	2✔
145
146	return BIT_SET(q.inheritable, cap);	2✔
147	}
148
149	int capability_ambient_set_apply(uint64_t set, bool also_inherit) {	24,619✔
150	int r;	24,619✔
151
152	/* Remove capabilities requested in ambient set, but not in the bounding set */
153	for (unsigned i = 0; i <= cap_last_cap(); i++) {	1,033,998✔
154	if (!BIT_SET(set, i))	1,009,379✔
155	continue;	1,001,891✔
156
157	if (prctl(PR_CAPBSET_READ, (unsigned long) i) != 1) {	7,488✔
158	log_debug("Ambient capability %s requested but missing from bounding set, suppressing automatically.",	53✔
159	capability_to_name(i));
160	CLEAR_BIT(set, i);	53✔
161	}
162	}
163
164	/* Add the capabilities to the ambient set (an possibly also the inheritable set) */
165
166	if (also_inherit) {	24,619✔
167	CapabilityQuintet q;	765✔
168
169	r = capability_get(&q);	765✔
170	if (r < 0)	765✔
171	return r;	×
172
173	q.inheritable = set;	765✔
174
175	r = capability_apply(&q);	765✔
176	if (r < 0)	765✔
177	return r;
178	}
179
180	for (unsigned i = 0; i <= cap_last_cap(); i++)	1,033,998✔
181	if (BIT_SET(set, i)) {	1,009,379✔
182	/* Add the capability to the ambient set. */
183	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0)	7,435✔
184	return -errno;	×
185	} else {
186	/* Drop the capability so we don't inherit capabilities we didn't ask for. */
187	r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);	1,001,944✔
188	if (r < 0)	1,001,944✔
189	return -errno;	×
190	if (r > 0)	1,001,944✔
191	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, i, 0, 0) < 0)	623✔
192	return -errno;	×
193	}
194
195	return 0;
196	}
197
198	int capability_gain_cap_setpcap(void) {	3,736✔
199	CapabilityQuintet q;	3,736✔
200	int r;	3,736✔
201
202	r = capability_get(&q);	3,736✔
203	if (r < 0)	3,736✔
204	return r;	3,736✔
205
206	if (BIT_SET(q.effective, CAP_SETPCAP))	3,736✔
207	return 1; /* We already have capability. */
208
209	SET_BIT(q.effective, CAP_SETPCAP);	109✔
210
211	r = capability_apply(&q);	109✔
212	if (r < 0) {	109✔
213	/* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this
214	* just means we'll fail later, when we actually intend to drop some capabilities or try to
215	* set securebits. */
216	log_debug_errno(r, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");	×
217	return 0;
218	}
219
220	return 1; /* acquired */
221	}
222
223	int capability_bounding_set_drop(uint64_t keep, bool right_now) {	2,912✔
224	int k, r;	2,912✔
225
226	/* If we are run as PID 1 we will lack CAP_SETPCAP by default in the effective set (yes, the kernel
227	* drops that when executing init!), so get it back temporarily so that we can call PR_CAPBSET_DROP. */
228
229	CapabilityQuintet q;	2,912✔
230	r = capability_get(&q);	2,912✔
231	if (r < 0)	2,912✔
232	return r;	2,912✔
233	CapabilityQuintet saved = q;	2,912✔
234
235	r = capability_gain_cap_setpcap();	2,912✔
236	if (r < 0)	2,912✔
237	return r;
238
239	for (unsigned i = 0; i <= cap_last_cap(); i++) {	122,304✔
240	if (BIT_SET(keep, i))	119,392✔
241	continue;	31,498✔
242
243	/* Drop it from the bounding set */
244	if (prctl(PR_CAPBSET_DROP, i) < 0) {	87,894✔
245	r = -errno;	×
246
247	/* If dropping the capability failed, let's see if we didn't have it in the first
248	* place. If so, continue anyway, as dropping a capability we didn't have in the
249	* first place doesn't really matter anyway. */
250	if (prctl(PR_CAPBSET_READ, i) != 0)	×
251	goto finish;	×
252	}
253
254	/* Also drop it from the inheritable set, so that anything we exec() loses the capability for
255	* good. */
256	CLEAR_BIT(q.inheritable, i);	87,894✔
257
258	/* If we shall apply this right now drop it also from our own capability sets. */
259	if (right_now) {	87,894✔
260	CLEAR_BIT(q.effective, i);	3,840✔
261	CLEAR_BIT(q.permitted, i);	3,840✔
262	}
263	}
264
265	r = 0;
266
267	finish:	2,912✔
268	k = capability_apply(&q);	2,912✔
269	if (k < 0)	2,912✔
270	/* If there are no actual changes anyway then let's ignore this error. */
271	if (!capability_quintet_equal(&q, &saved))	×
272	return k;	×
273
274	return r;
275	}
276
277	static int drop_from_file(const char *fn, uint64_t keep) {	×
278	_cleanup_free_ char *p = NULL;	×
279	uint64_t current, after;	×
280	uint32_t hi, lo;	×
281	int r, k;	×
282
283	r = read_one_line_file(fn, &p);	×
284	if (r < 0)	×
285	return r;
286
287	k = sscanf(p, "%" PRIu32 " %" PRIu32, &lo, &hi);	×
288	if (k != 2)	×
289	return -EIO;
290
291	current = (uint64_t) lo \| ((uint64_t) hi << 32);	×
292	after = current & keep;	×
293
294	if (current == after)	×
295	return 0;
296
297	lo = after & UINT32_MAX;	×
298	hi = (after >> 32) & UINT32_MAX;	×
299
300	return write_string_filef(fn, 0, "%" PRIu32 " %" PRIu32, lo, hi);	×
301	}
302
303	int capability_bounding_set_drop_usermode(uint64_t keep) {	×
304	int r;	×
305
306	r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);	×
307	if (r < 0)	×
308	return r;
309
310	r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);	×
311	if (r < 0)	×
312	return r;	×
313
314	return r;
315	}
316
317	int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {	32✔
318	int r;	32✔
319
320	/* Unfortunately we cannot leave privilege dropping to PID 1 here, since we want to run as user but
321	* want to keep some capabilities. Since file capabilities have been introduced this cannot be done
322	* across exec() anymore, unless our binary has the capability configured in the file system, which
323	* we want to avoid. */
324
325	if (setresgid(gid, gid, gid) < 0)	32✔
326	return log_error_errno(errno, "Failed to change group ID: %m");	1✔
327
328	r = maybe_setgroups(/* size= / 0, / list= */ NULL);	31✔
329	if (r < 0)	31✔
330	return log_error_errno(r, "Failed to drop auxiliary groups list: %m");	1✔
331
332	/* Ensure we keep the permitted caps across the setresuid(). Note that we do this even if we actually
333	* don't want to keep any capabilities, since we want to be able to drop them from the bounding set
334	* too, and we can only do that if we have capabilities. */
335	if (prctl(PR_SET_KEEPCAPS, 1) < 0)	30✔
336	return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");	×
337
338	if (setresuid(uid, uid, uid) < 0)	30✔
339	return log_error_errno(errno, "Failed to change user ID: %m");	×
340
341	if (prctl(PR_SET_KEEPCAPS, 0) < 0)	30✔
342	return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");	×
343
344	/* Drop all caps from the bounding set (as well as the inheritable/permitted/effective sets), except
345	* the ones we want to keep */
346	r = capability_bounding_set_drop(keep_capabilities, /* right_now= */ true);	30✔
347	if (r < 0)	30✔
348	return log_error_errno(r, "Failed to drop capabilities: %m");	×
349
350	/* Now upgrade the permitted caps we still kept to effective caps */
351	if (keep_capabilities != 0) {	30✔
352	CapabilityQuintet q = {	4✔
353	.effective = keep_capabilities,
354	.permitted = keep_capabilities,
355	};
356
357	r = capability_apply(&q);	4✔
358	if (r < 0)	4✔
359	return log_error_errno(r, "Failed to increase capabilities: %m");	×
360	}
361
362	return 0;
363	}
364
365	static int change_capability(unsigned cap, bool b) {	3,905✔
366	CapabilityQuintet q;	3,905✔
367	int r;	3,905✔
368
369	assert(cap <= CAP_LIMIT);	3,905✔
370
371	r = capability_get(&q);	3,905✔
372	if (r < 0)	3,905✔
373	return r;	3,905✔
374
375	if (b) {	3,905✔
376	SET_BIT(q.effective, cap);	1,502✔
377	SET_BIT(q.permitted, cap);	1,502✔
378	SET_BIT(q.inheritable, cap);	1,502✔
379	} else {
380	CLEAR_BIT(q.effective, cap);	2,403✔
381	CLEAR_BIT(q.permitted, cap);	2,403✔
382	CLEAR_BIT(q.inheritable, cap);	2,403✔
383	}
384
385	return capability_apply(&q);	3,905✔
386	}
387
388	int drop_capability(unsigned cap) {	2,403✔
389	return change_capability(cap, false);	2,403✔
390	}
391
392	int keep_capability(unsigned cap) {	1,502✔
393	return change_capability(cap, true);	1,502✔
394	}
395
396	bool capability_quintet_mangle(CapabilityQuintet *q) {	126✔
397	uint64_t combined, drop = 0;	126✔
398
399	assert(q);	126✔
400
401	combined = q->effective \| q->bounding \| q->inheritable \| q->permitted \| q->ambient;	126✔
402
403	for (unsigned i = 0; i <= cap_last_cap(); i++) {	5,292✔
404	if (!BIT_SET(combined, i))	5,166✔
405	continue;	1,862✔
406
407	if (prctl(PR_CAPBSET_READ, (unsigned long) i) > 0)	3,304✔
408	continue;	3,304✔
409
410	SET_BIT(drop, i);	×
411
412	log_debug("Dropping capability not in the current bounding set: %s", capability_to_name(i));	×
413	}
414
415	q->effective &= ~drop;	126✔
416	q->bounding &= ~drop;	126✔
417	q->inheritable &= ~drop;	126✔
418	q->permitted &= ~drop;	126✔
419	q->ambient &= ~drop;	126✔
420
421	return drop != 0; /* Let the caller know we changed something */	126✔
422	}
423
424	int capability_quintet_enforce(const CapabilityQuintet *q) {	126✔
425	CapabilityQuintet c;	126✔
426	bool modified = false;	126✔
427	int r;	126✔
428
429	assert(q);	126✔
430
431	if (q->ambient != CAP_MASK_UNSET \|\|	126✔
432	q->inheritable != CAP_MASK_UNSET \|\|	×
UNCOV 433	q->permitted != CAP_MASK_UNSET \|\|	×
UNCOV 434	q->effective != CAP_MASK_UNSET) {	×
435	r = capability_get(&c);	126✔
436	if (r < 0)	126✔
437	return r;	126✔
438	}
439
440	if (q->ambient != CAP_MASK_UNSET) {	126✔
441	/* In order to raise the ambient caps set we first need to raise the matching
442	* inheritable + permitted cap */
443	if (!FLAGS_SET(c.permitted, q->ambient) \|\|	126✔
444	!FLAGS_SET(c.inheritable, q->ambient)) {	126✔
445
446	c.permitted \|= q->ambient;	1✔
447	c.inheritable \|= q->ambient;	1✔
448
449	r = capability_apply(&c);	1✔
450	if (r < 0)	1✔
451	return r;
452	}
453
454	r = capability_ambient_set_apply(q->ambient, /* also_inherit= */ false);	126✔
455	if (r < 0)	126✔
456	return r;
457	}
458
459	if (q->inheritable != CAP_MASK_UNSET \|\| q->permitted != CAP_MASK_UNSET \|\| q->effective != CAP_MASK_UNSET) {	126✔
460	if (!FLAGS_SET(c.effective, q->effective) \|\|	125✔
461	!FLAGS_SET(c.permitted, q->permitted) \|\|	125✔
462	!FLAGS_SET(c.inheritable, q->inheritable)) {	125✔
463
464	c.effective \|= q->effective;	120✔
465	c.permitted \|= q->permitted;	120✔
466	c.inheritable \|= q->inheritable;	120✔
467
468	/* Now, let's enforce the caps for the first time. Note that this is where we acquire
469	* caps in any of the sets we currently don't have. We have to do this before
470	* dropping the bounding caps below, since at that point we can never acquire new
471	* caps in inherited/permitted/effective anymore, but only lose them.
472	*
473	* In order to change the bounding caps, we need to keep CAP_SETPCAP for a bit
474	* longer. Let's add it to our list hence for now. */
475	if (q->bounding != CAP_MASK_UNSET &&	120✔
476	(!BIT_SET(c.effective, CAP_SETPCAP) \|\| !BIT_SET(c.permitted, CAP_SETPCAP))) {	120✔
477	CapabilityQuintet tmp = c;	×
478
UNCOV 479	SET_BIT(c.effective, CAP_SETPCAP);	×
480	SET_BIT(c.permitted, CAP_SETPCAP);	×
481
482	modified = true;	×
483
UNCOV 484	r = capability_apply(&tmp);	×
485	} else
486	r = capability_apply(&c);	120✔
487	if (r < 0)	120✔
488	return r;
489	}
490	}
491
492	if (q->bounding != CAP_MASK_UNSET) {	126✔
493	r = capability_bounding_set_drop(q->bounding, /* right_now= */ false);	125✔
494	if (r < 0)	125✔
495	return r;
496	}
497
498	/* If needed, let's now set the caps again, this time in the final version, which differs from what
499	* we have already set only in the CAP_SETPCAP bit, which we needed for dropping the bounding
500	* bits. This call only undoes bits and doesn't acquire any which means the bounding caps don't
501	* matter. */
502	if (modified) {	126✔
503	r = capability_apply(&c);	×
UNCOV 504	if (r < 0)	×
UNCOV 505	return r;	×
506	}
507
508	return 0;
509	}
510
511	int capability_get_ambient(uint64_t *ret) {	882✔
512	uint64_t a = 0;	882✔
513	int r;	882✔
514
515	assert(ret);	882✔
516
517	for (unsigned i = 0; i <= cap_last_cap(); i++) {	37,044✔
518	r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, i, 0, 0);	36,162✔
519	if (r < 0)	36,162✔
UNCOV 520	return -errno;	×
521	if (r > 0)	36,162✔
522	SET_BIT(a, i);	139✔
523	}
524
525	*ret = a;	882✔
526	return 1;	882✔
527	}
528
529	int pidref_get_capability(const PidRef pidref, CapabilityQuintet ret) {	17,606✔
530	int r;	17,606✔
531
532	if (!pidref_is_set(pidref))	17,606✔
533	return -ESRCH;	17,606✔
534	if (pidref_is_remote(pidref))	17,606✔
535	return -EREMOTE;
536
537	const char *path = procfs_file_alloca(pidref->pid, "status");	17,606✔
538	_cleanup_fclose_ FILE *f = fopen(path, "re");	35,212✔
539	if (!f) {	17,606✔
540	if (errno == ENOENT && proc_mounted() == 0)	3,651✔
541	return -ENOSYS;
542
543	return -errno;	3,651✔
544	}
545
546	CapabilityQuintet q = CAPABILITY_QUINTET_NULL;	13,955✔
547	for (;;) {	1,703,093✔
548	_cleanup_free_ char *line = NULL;	844,569✔
549
550	r = read_line(f, LONG_LINE_MAX, &line);	858,524✔
551	if (r < 0)	858,524✔
552	return r;
553	if (r == 0)	858,524✔
554	break;
555
556	static const struct {
557	const char *field;
558	size_t offset;
559	} fields[] = {
560	{ "CapBnd:", offsetof(CapabilityQuintet, bounding) },
561	{ "CapInh:", offsetof(CapabilityQuintet, inheritable) },
562	{ "CapPrm:", offsetof(CapabilityQuintet, permitted) },
563	{ "CapEff:", offsetof(CapabilityQuintet, effective) },
564	{ "CapAmb:", offsetof(CapabilityQuintet, ambient) },
565	};
566
567	FOREACH_ELEMENT(i, fields) {	5,067,414✔
568
569	const char *p = first_word(line, i->field);	4,222,845✔
570	if (!p)	4,222,845✔
571	continue;	4,153,070✔
572
573	uint64_t v = (uint64_t) ((uint8_t*) &q + i->offset);	69,775✔
574
575	if (*v != CAP_MASK_UNSET)	69,775✔
576	return -EBADMSG;
577
578	r = safe_atoux64(p, v);	69,775✔
579	if (r < 0)	69,775✔
580	return r;
581
582	if (*v == CAP_MASK_UNSET)	69,775✔
583	return -EBADMSG;
584	}
585	}
586
587	if (!capability_quintet_is_fully_set(&q))	13,955✔
588	return -EBADMSG;
589
590	r = pidref_verify(pidref);	13,955✔
591	if (r < 0)	13,955✔
592	return r;
593
594	if (ret)	13,955✔
595	*ret = q;	13,955✔
596
597	return 0;
598	}

systemd / systemd / 28272947092

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous