/*
* Copyright (c) 1997,2020 Andrew G Morgan <morgan@kernel.org>
*
* This file contains internal definitions for the various functions in
* this small capability library.
*/
#ifndef LIBCAP_H
#define LIBCAP_H
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/capability.h>
#ifndef __u8
#define __u8 uint8_t
#endif /* __8 */
#ifndef __u32
#define __u32 uint32_t
#endif /* __u32 */
/* include the names for the caps and a definition of __CAP_BITS */
#include "cap_names.h"
#ifndef _LINUX_CAPABILITY_U32S_1
# define _LINUX_CAPABILITY_U32S_1 1
#endif /* ndef _LINUX_CAPABILITY_U32S_1 */
/*
* Do we match the local kernel?
*/
#if !defined(_LINUX_CAPABILITY_VERSION)
# error Kernel <linux/capability.h> does not support library
# error file "libcap.h" --> fix and recompile libcap
#elif !defined(_LINUX_CAPABILITY_VERSION_2)
# warning Kernel <linux/capability.h> does not support 64-bit capabilities
# warning and libcap is being built with no support for 64-bit capabilities
# ifndef _LINUX_CAPABILITY_VERSION_1
# define _LINUX_CAPABILITY_VERSION_1 0x19980330
# endif
# _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_1
# _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_1
#elif defined(_LINUX_CAPABILITY_VERSION_3)
# if (_LINUX_CAPABILITY_VERSION_3 != 0x20080522)
# error Kernel <linux/capability.h> v3 does not match library
# error file "libcap.h" --> fix and recompile libcap
# else
# define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
# define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
# endif
#elif (_LINUX_CAPABILITY_VERSION_2 != 0x20071026)
# error Kernel <linux/capability.h> does not match library
# error file "libcap.h" --> fix and recompile libcap
#else
# define _LIBCAP_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_2
# define _LIBCAP_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2
#endif
#undef _LINUX_CAPABILITY_VERSION
#undef _LINUX_CAPABILITY_U32S
/*
* This is a pointer to a struct containing three consecutive
* capability sets in the order of the cap_flag_t type: the are
* effective,inheritable and permitted. This is the type that the
* user-space routines think of as 'internal' capabilities - this is
* the type that is passed to the kernel with the system calls related
* to processes.
*/
#if defined(VFS_CAP_REVISION_MASK) && !defined(VFS_CAP_U32)
# define VFS_CAP_U32_1 1
# define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1))
# define VFS_CAP_U32 VFS_CAP_U32_1
struct _cap_vfs_cap_data {
__le32 magic_etc;
struct {
__le32 permitted;
__le32 inheritable;
} data[VFS_CAP_U32_1];
};
# define vfs_cap_data _cap_vfs_cap_data
#endif
#ifndef CAP_TO_INDEX
# define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */
#endif /* ndef CAP_TO_INDEX */
#ifndef CAP_TO_MASK
# define CAP_TO_MASK(x) (1 << ((x) & 31))
#endif /* ndef CAP_TO_MASK */
#define NUMBER_OF_CAP_SETS 3 /* effective, inheritable, permitted */
#define __CAP_BLKS (_LIBCAP_CAPABILITY_U32S)
#define CAP_SET_SIZE (__CAP_BLKS * sizeof(__u32))
#define CAP_T_MAGIC 0xCA90D0
struct _cap_struct {
__u8 mutex;
struct __user_cap_header_struct head;
union {
struct __user_cap_data_struct set;
__u32 flat[NUMBER_OF_CAP_SETS];
} u[_LIBCAP_CAPABILITY_U32S];
uid_t rootid;
};
/*
* Elementary exclusive locking primatives for situations where
* linking with pthreads needs it, but such linking is not common.
*
* _cap_mu_blocked(x) attempts to lock x but if already locked, returns true
* _cap_mu_lock(x) attempts to lock and waits until the lock is granted
* _cap_mu_unlock(x) unconditionally unlocks the lock
* _cap_mu_unlock_return(x, y) unlock lock x and return value y
*/
#define _cap_mu_blocked(x) \
__atomic_test_and_set((void *)(x), __ATOMIC_SEQ_CST)
#define _cap_mu_lock(x) \
while (_cap_mu_blocked(x)) sched_yield()
#define _cap_mu_unlock(x) \
__atomic_clear((void *) (x), __ATOMIC_SEQ_CST)
#define _cap_mu_unlock_return(x, y) \
do { _cap_mu_unlock(x); return (y); } while (0)
/* the maximum bits supportable */
#define __CAP_MAXBITS (__CAP_BLKS * 32)
/* string magic for cap_free */
#define CAP_S_MAGIC 0xCA95D0
/* iab set magic for cap_free */
#define CAP_IAB_MAGIC 0xCA91AB
/* launcher magic for cap_free */
#define CAP_LAUNCH_MAGIC 0xCA91AC
#define magic_of(x) ((x) ? *(-2 + (const __u32 *) x) : 0)
#define good_cap_t(x) (CAP_T_MAGIC == magic_of(x))
#define good_cap_iab_t(x) (CAP_IAB_MAGIC == magic_of(x))
#define good_cap_launch_t(x) (CAP_LAUNCH_MAGIC == magic_of(x))
/*
* kernel API cap set abstraction
*/
#define raise_cap(x, set) u[(x) >> 5].flat[set] |= (1u << ((x)&31))
#define lower_cap(x, set) u[(x) >> 5].flat[set] &= ~(1u << ((x)&31))
#define isset_cap(y, x, set) ((y)->u[(x) >> 5].flat[set] & (1u << ((x)&31)))
/*
* These match CAP_DIFFERS() expectations
*/
#define LIBCAP_EFF (1 << CAP_EFFECTIVE)
#define LIBCAP_INH (1 << CAP_INHERITABLE)
#define LIBCAP_PER (1 << CAP_PERMITTED)
/*
* library debugging
*/
#ifdef DEBUG
#include <stdio.h>
# define _cap_debug(f, x...) do { \
fprintf(stderr, "%s(%s:%d): ", __FUNCTION__, __FILE__, __LINE__); \
fprintf(stderr, f, ## x); \
fprintf(stderr, "\n"); \
} while (0)
# define _cap_debugcap(s, c, set) do { \
unsigned _cap_index; \
fprintf(stderr, "%s(%s:%d): %s", __FUNCTION__, __FILE__, __LINE__, s); \
for (_cap_index=_LIBCAP_CAPABILITY_U32S; _cap_index-- > 0; ) { \
fprintf(stderr, "%08x", (c).u[_cap_index].flat[set]); \
} \
fprintf(stderr, "\n"); \
} while (0)
#else /* !DEBUG */
# define _cap_debug(f, x...)
# define _cap_debugcap(s, c, set)
#endif /* DEBUG */
extern char *_libcap_strdup(const char *text);
extern void _libcap_initialize(void);
#define EXECABLE_INITIALIZE _libcap_initialize()
/*
* These are semi-public prototypes, they will only be defined in
* <sys/capability.h> if _POSIX_SOURCE is not #define'd, so we
* place them here too.
*/
extern int capget(cap_user_header_t header, cap_user_data_t data);
extern int capgetp(pid_t pid, cap_t cap_d);
extern int capsetp(pid_t pid, cap_t cap_d);
/* prctl based API for altering character of current process */
#define PR_GET_KEEPCAPS 7
#define PR_SET_KEEPCAPS 8
#define PR_CAPBSET_READ 23
#define PR_CAPBSET_DROP 24
#define PR_GET_SECUREBITS 27
#define PR_SET_SECUREBITS 28
/*
* The library compares sizeof() with integer return values. To avoid
* signed/unsigned comparisons, leading to unfortunate
* misinterpretations of -1, we provide a convenient cast-to-signed-integer
* version of sizeof().
*/
#define ssizeof(x) ((ssize_t) sizeof(x))
/*
* Put this here as a macro so we can unit test it.
*/
#define _binary_search(val, fn, low, high, fallback) do { \
cap_value_t min = low, max = high; \
while (min <= max) { \
cap_value_t mid = (min+max) / 2; \
if (fn(mid) < 0) { \
max = mid - 1; \
} else { \
min = mid + 1; \
} \
} \
val = min ? (min <= high ? min : fallback) : fallback; \
} while(0)
/*
* cap_iab_s holds a collection of inheritable capability bits. The i
* bits are inheritable (these are the same as those in cap_t), the a
* bits are ambient bits (which cannot be a superset of i&p), and nb
* are the bits that will be dropped from the bounding set when
* applied.
*/
struct cap_iab_s {
__u8 mutex;
__u32 i[_LIBCAP_CAPABILITY_U32S];
__u32 a[_LIBCAP_CAPABILITY_U32S];
__u32 nb[_LIBCAP_CAPABILITY_U32S];
};
#define LIBCAP_IAB_I_FLAG (1U << CAP_IAB_INH)
#define LIBCAP_IAB_A_FLAG (1U << CAP_IAB_AMB)
#define LIBCAP_IAB_IA_FLAG (LIBCAP_IAB_I_FLAG | LIBCAP_IAB_A_FLAG)
#define LIBCAP_IAB_NB_FLAG (1U << CAP_IAB_BOUND)
/*
* The following support launching another process without destroying
* the state of the current process. This is especially useful for
* multithreaded applications.
*/
struct cap_launch_s {
__u8 mutex;
/*
* Once forked but before active privilege is changed, this
* function (if non-NULL) is called.
*/
int (*custom_setup_fn)(void *detail);
/*
* user and groups to be used by the forked child.
*/
int change_uids;
uid_t uid;
int change_gids;
gid_t gid;
int ngroups;
const gid_t *groups;
/*
* mode holds the preferred capability mode. Any non-uncertain
* setting here will require an empty ambient set.
*/
int change_mode;
cap_mode_t mode;
/*
* i,a,[n]b caps. These bitmaps hold all of the capability sets that
* cap_launch will affect. nb holds values to be lowered in the bounding
* set.
*/
struct cap_iab_s *iab;
/* chroot holds a preferred chroot for the launched child. */
char *chroot;
/*
* execve style arguments
*/
const char *arg0;
const char *const *argv;
const char *const *envp;
};
#endif /* LIBCAP_H */