setpriv: allow modifying inheritable caps
The main use case of setpriv is to modify the current state of privileges available to the calling process and spawn a new executable with the modified, new state. Next to the already supported case of modifying the no-new-privs flag, util-linux also supports to modify capability sets. This commit introduces to add or drop capabilities from the set of inheritable capabilities. Quoting from capabilities(7): This is a set of capabilities preserved across an execve(2). Inheritable capabilities remain inheritable when executing any program, and inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set. As such, inheritable capabilities enable executing files with certain privileges if the file itself has these privileges set. Note though that inheritable capabilities are dropped across execve when running as a non-root user. function old new delta getcaps - 237 +237 setpriv_main 1129 1246 +117 .rodata 146198 146307 +109 static.setpriv_longopts 29 40 +11 packed_usage 32107 32092 -15 Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
5e0987405c
commit
0f49f6f926
@ -56,6 +56,9 @@
|
||||
//usage: "\n-d,--dump Show current capabilities"
|
||||
//usage: )
|
||||
//usage: "\n--nnp,--no-new-privs Ignore setuid/setgid bits and file capabilities"
|
||||
//usage: IF_FEATURE_SETPRIV_CAPABILITIES(
|
||||
//usage: "\n--inh-caps CAP[,CAP...] Set inheritable capabilities"
|
||||
//usage: )
|
||||
|
||||
//setpriv from util-linux 2.28:
|
||||
// -d, --dump show current state (and do not exec anything)
|
||||
@ -101,9 +104,11 @@
|
||||
|
||||
enum {
|
||||
IF_FEATURE_SETPRIV_DUMP(OPTBIT_DUMP,)
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES(OPTBIT_INH,)
|
||||
OPTBIT_NNP,
|
||||
|
||||
IF_FEATURE_SETPRIV_DUMP(OPT_DUMP = (1 << OPTBIT_DUMP),)
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES(OPT_INH = (1 << OPTBIT_INH),)
|
||||
OPT_NNP = (1 << OPTBIT_NNP),
|
||||
};
|
||||
|
||||
@ -159,8 +164,7 @@ static const char *const capabilities[] = {
|
||||
|
||||
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
||||
|
||||
#if ENABLE_FEATURE_SETPRIV_DUMP
|
||||
# if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
||||
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
||||
static void getcaps(struct caps *caps)
|
||||
{
|
||||
int versions[] = {
|
||||
@ -197,8 +201,9 @@ static void getcaps(struct caps *caps)
|
||||
if (capget(&caps->header, caps->data) < 0)
|
||||
bb_simple_perror_msg_and_die("capget");
|
||||
}
|
||||
# endif /* FEATURE_SETPRIV_CAPABILITIES */
|
||||
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
||||
|
||||
#if ENABLE_FEATURE_SETPRIV_DUMP
|
||||
static int dump(void)
|
||||
{
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES(struct caps caps;)
|
||||
@ -215,7 +220,7 @@ static int dump(void)
|
||||
|
||||
nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
|
||||
if (nnp < 0)
|
||||
bb_simple_perror_msg_and_die("prctl: GET_NO_NEW_PRIVS");
|
||||
bb_perror_msg_and_die("prctl: %s", "GET_NO_NEW_PRIVS");
|
||||
|
||||
printf("uid: %u\n", (unsigned)ruid);
|
||||
printf("euid: %u\n", (unsigned)euid);
|
||||
@ -262,7 +267,7 @@ static int dump(void)
|
||||
for (i = 0; cap_valid(i); i++) {
|
||||
int ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long) i, 0UL, 0UL);
|
||||
if (ret < 0)
|
||||
bb_simple_perror_msg_and_die("prctl: CAP_AMBIENT_IS_SET");
|
||||
bb_perror_msg_and_die("prctl: %s", "CAP_AMBIENT_IS_SET");
|
||||
if (ret) {
|
||||
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
||||
if (i < ARRAY_SIZE(capabilities))
|
||||
@ -283,7 +288,7 @@ static int dump(void)
|
||||
for (i = 0; cap_valid(i); i++) {
|
||||
int ret = prctl(PR_CAPBSET_READ, (unsigned long) i, 0UL, 0UL, 0UL);
|
||||
if (ret < 0)
|
||||
bb_simple_perror_msg_and_die("prctl: CAPBSET_READ");
|
||||
bb_perror_msg_and_die("prctl: %s", "CAPBSET_READ");
|
||||
if (ret) {
|
||||
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
||||
if (i < ARRAY_SIZE(capabilities))
|
||||
@ -307,20 +312,94 @@ static int dump(void)
|
||||
}
|
||||
#endif /* FEATURE_SETPRIV_DUMP */
|
||||
|
||||
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
||||
static void parse_cap(unsigned long *index, int *add, const char *cap)
|
||||
{
|
||||
unsigned long i;
|
||||
|
||||
switch (cap[0]) {
|
||||
case '-':
|
||||
*add = 0;
|
||||
break;
|
||||
case '+':
|
||||
*add = 1;
|
||||
break;
|
||||
default:
|
||||
bb_error_msg_and_die("invalid capability '%s'", cap);
|
||||
break;
|
||||
}
|
||||
|
||||
cap++;
|
||||
if ((sscanf(cap, "cap_%lu", &i)) == 1) {
|
||||
if (!cap_valid(i))
|
||||
bb_error_msg_and_die("unsupported capability '%s'", cap);
|
||||
*index = i;
|
||||
return;
|
||||
}
|
||||
|
||||
# if ENABLE_FEATURE_SETPRIV_CAPABILITY_NAMES
|
||||
for (i = 0; i < ARRAY_SIZE(capabilities); i++) {
|
||||
if (strcmp(capabilities[i], cap) != 0)
|
||||
continue;
|
||||
|
||||
if (!cap_valid(i))
|
||||
bb_error_msg_and_die("unsupported capability '%s'", cap);
|
||||
*index = i;
|
||||
return;
|
||||
}
|
||||
# endif
|
||||
|
||||
bb_error_msg_and_die("unknown capability '%s'", cap);
|
||||
}
|
||||
|
||||
static void set_inh_caps(char *capstring)
|
||||
{
|
||||
struct caps caps;
|
||||
|
||||
getcaps(&caps);
|
||||
|
||||
capstring = strtok(capstring, ",");
|
||||
while (capstring) {
|
||||
unsigned long cap;
|
||||
int add;
|
||||
|
||||
parse_cap(&cap, &add, capstring);
|
||||
if (CAP_TO_INDEX(cap) >= caps.u32s)
|
||||
bb_error_msg_and_die("invalid capability cap");
|
||||
if (add)
|
||||
caps.data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
|
||||
else
|
||||
caps.data[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
|
||||
capstring = strtok(NULL, ",");
|
||||
}
|
||||
|
||||
if ((capset(&caps.header, caps.data)) < 0)
|
||||
bb_perror_msg_and_die("capset");
|
||||
|
||||
if (ENABLE_FEATURE_CLEAN_UP)
|
||||
free(caps.data);
|
||||
}
|
||||
#endif /* FEATURE_SETPRIV_CAPABILITIES */
|
||||
|
||||
int setpriv_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
|
||||
int setpriv_main(int argc UNUSED_PARAM, char **argv)
|
||||
{
|
||||
static const char setpriv_longopts[] ALIGN1 =
|
||||
IF_FEATURE_SETPRIV_DUMP(
|
||||
"dump\0" No_argument "d"
|
||||
"dump\0" No_argument "d"
|
||||
)
|
||||
"nnp\0" No_argument "\xff"
|
||||
"no-new-privs\0" No_argument "\xff"
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES(
|
||||
"inh-caps\0" Required_argument "\xfe"
|
||||
)
|
||||
"nnp\0" No_argument "\xff"
|
||||
"no-new-privs\0" No_argument "\xff"
|
||||
;
|
||||
int opts;
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES(char *inh_caps;)
|
||||
|
||||
applet_long_options = setpriv_longopts;
|
||||
opts = getopt32(argv, "+"IF_FEATURE_SETPRIV_DUMP("d"));
|
||||
opts = getopt32(argv, "+"IF_FEATURE_SETPRIV_DUMP("d")
|
||||
IF_FEATURE_SETPRIV_CAPABILITIES("\xfe:", &inh_caps));
|
||||
argv += optind;
|
||||
|
||||
#if ENABLE_FEATURE_SETPRIV_DUMP
|
||||
@ -332,9 +411,14 @@ int setpriv_main(int argc UNUSED_PARAM, char **argv)
|
||||
#endif
|
||||
if (opts & OPT_NNP) {
|
||||
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
|
||||
bb_simple_perror_msg_and_die("prctl: NO_NEW_PRIVS");
|
||||
bb_perror_msg_and_die("prctl: %s", "SET_NO_NEW_PRIVS");
|
||||
}
|
||||
|
||||
#if ENABLE_FEATURE_SETPRIV_CAPABILITIES
|
||||
if (opts & OPT_INH)
|
||||
set_inh_caps(inh_caps);
|
||||
#endif
|
||||
|
||||
if (!argv[0])
|
||||
bb_show_usage();
|
||||
BB_EXECVP_or_die(argv);
|
||||
|
Loading…
Reference in New Issue
Block a user