From 7a536207483e677f1075e529cbd396dd649b2cdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Wed, 3 Aug 2016 12:58:59 +0200
Subject: [PATCH] prctl.2, capabilities.7: document ambient capabilities
---
man-pages/man2/prctl.2 | 77 +++++++++++++++++++++++++++++++++++++++++++
man-pages/man7/capabilities.7 | 51 ++++++++++++++++++++++++----
2 files changed, 122 insertions(+), 6 deletions(-)
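--- a/man-pages/man2/prctl.2
+++ b/man-pages/man2/prctl.2
@@ -844,6 +844,42 @@ had been called.
 For further information on Intel MPX, see the kernel source file
 .IR Documentation/x86/intel_mpx.txt .
 .\"
+.TP
+.BR PR_CAP_AMBIENT " (since Linux 4.3)"
+.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
+Reads or changes the ambient capability set, according to the value of
+.IR arg2 ,
+which must be one of the following:
+.RS
+.TP
+.B PR_CAP_AMBIENT_RAISE
+The capability specified in
+.I arg3
+is added to the ambient set.
+The specified capability must already be present in
+both the permitted and the inheritable sets of the process.
+This operation is not permitted if the
+.B SECBIT_NO_CAP_AMBIENT_RAISE
+securebit is set.
+.TP
+.B PR_CAP_AMBIENT_LOWER
+The capability specified in
+.I arg3
+is removed from the ambient set.
+.TP
+.B PR_CAP_AMBIENT_IS_SET
+The
+.BR prctl (2)
+call returns 1 if the capability in
+.I arg3
+is in the ambient set and 0 if it is not.
+.TP
+.BR PR_CAP_AMBIENT_CLEAR_ALL
+All capabilities will be removed from the ambient set.
+This operation requires setting
+.I arg3
+to zero.
+.RE
 .SH RETURN VALUE
 On success,
 .BR PR_GET_DUMPABLE ,
@@ -853,6 +889,7 @@ On success,
 .BR PR_GET_TIMING ,
 .BR PR_GET_SECUREBITS ,
 .BR PR_MCE_KILL_GET ,
+.BR PR_CAP_AMBIENT + PR_CAP_AMBIENT_IS_SET ,
 and (if it returns)
 .BR PR_GET_SECCOMP
 return the nonnegative values described above.
@@ -949,6 +986,31 @@ is not 0,
 .BR PR_SET_PTRACER_ANY ,
 or the PID of an existing process.
 .TP
+.B EINVAL
+.I option
+is
+.B PR_CAP_AMBIENT
+and an unused argument
+.RI ( arg4 ,
+.IR arg5 ,
+or,
+in the case of
+.BR PR_CAP_AMBIENT_CLEAR_ALL ,
+.IR arg3 )
+is nonzero; or
+.IR arg2
+has an invalid value;
+or
+.IR arg2
+is
+.BR PR_CAP_AMBIENT_LOWER ,
+.BR PR_CAP_AMBIENT_RAISE ,
+or
+.BR PR_CAP_AMBIENT_IS_SET
+and
+.IR arg3
+does not specify a valid capability.
+.TP
 .B EPERM
 .I option
 is
@@ -1030,6 +1092,21 @@ capability.
 .\" .BR PR_SET_SECCOMP ,
 .\" and secure computing mode is already 1.
 .TP
+.B EPERM
+.IR option
+is
+.BR PR_CAP_AMBIENT
+and
+.IR arg2
+is
+.BR PR_CAP_AMBIENT_RAISE ,
+but either the capability specified in
+.IR arg3
+is not present in the process's permitted and inheritable capability sets,
+or the
+.B PR_CAP_AMBIENT_LOWER
+securebit has been set.
+.TP
 .B ENXIO
 .I option
 was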
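Review bot: The new EPERM entry in the `@@ -1030,6 +1092,21 @@` hunk names `PR_CAP_AMBIENT_LOWER` as a securebit, but that identifier is an arg2 operation value defined earlier in this same patch, and the PR_CAP_AMBIENT_RAISE entry in the first hunk already states that the refusal comes from the `SECBIT_NO_CAP_AMBIENT_RAISE` securebit. Change `.B PR_CAP_AMBIENT_LOWER` to `.B SECBIT_NO_CAP_AMBIENT_RAISE` so both descriptions of the same failure agree. This matters because the ERRORS section is what someone building a sandbox reads to decide which securebit to set and lock, and the wrong name points them at a value that is not a securebit at all.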
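--- a/man-pages/man7/capabilities.7
+++ b/man-pages/man7/capabilities.7
@@ -659,13 +659,40 @@ a program whose associated file capabilities grant that capability).
 .IR Inheritable :
 This is a set of capabilities preserved across an
 .BR execve (2).
-It provides a mechanism for a process to assign capabilities
-to the permitted set of the new program during an
-.BR execve (2).
+Inheritable capabilities remain inheritable when executing any program,
+and inheritable capabilities are added to the permitted set when executing
+a program that has the corresponding bits set in the file inheritable set.
+.IP
+Because inheritable capabilities are not generally preserved across
+.BR execve (2)
+when running as a non-root user, applications that wish to run helper
+programs with elevated capabilities should consider using
+ambient capabilities, described below.
 .TP
 .IR Effective :
 This is the set of capabilities used by the kernel to
 perform permission checks for the thread.
+.TP
+.IR Ambient " (since Linux 4.3):"
+.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
+This is a set of capabilities that are preserved across an
+.BR execve (2)
+of a program that is not privileged.
+The ambient capability set obeys the invariant that no capability
+can ever be ambient if it is not both permitted and inheritable.
+
+The ambient capability set can be directly modified using
+.BR prctl (2).
+Ambient capabilities are automatically lowered if either of
+the corresponding permitted or inheritable capabilities is lowered.
+
+Executing a program that changes UID or GID due to the
+set-user-ID or set-group-ID bits or executing a program that has
+any file capabilities set will clear the ambient set.
+Ambient capabilities are added to the permitted set and
+assigned to the effective set when
+.BR execve (2)
+is called.
 .PP
 A child created via
 .BR fork (2)
@@ -747,10 +774,12 @@ the process using the following algorithm:
 .in +4n
 .nf
 
+P'(ambient) = (file is privileged) ? 0 : P(ambient)
+
 P'(permitted) = (P(inheritable) & F(inheritable)) |
- (F(permitted) & cap_bset)
+ (F(permitted) & cap_bset) | P'(ambient)
 
-P'(effective) = F(effective) ? P'(permitted) : 0
+P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
 
 P'(inheritable) = P(inheritable) [i.e., unchanged]
 
@@ -769,6 +798,9 @@ denotes a file capability set
 .IP cap_bset
 is the value of the capability bounding set (described below).
 .RE
+.PP
+A privileged file is one that has capabilities or
+has the set-user-ID or set-group-ID bit set.
 .\"
 .SS Capabilities and execution of programs by root
 In order to provide an all-powerful
@@ -1029,6 +1061,12 @@ an effective or real UID of 0 calls
 .BR execve (2).
 (See the subsection
 .IR "Capabilities and execution of programs by root" .)
+.TP
+.B SECBIT_NO_CAP_AMBIENT_RAISE
+Setting this flag disallows raising ambient capabilities via the
+.BR prctl (2)
+.BR PR_CAP_AMBIENT_RAISE
+operation.
 .PP
 Each of the above "base" flags has a companion "locked" flag.
 Setting any of the "locked" flags is irreversible,
@@ -1037,8 +1075,9 @@ corresponding "base" flag.
 The locked flags are:
 .BR SECBIT_KEEP_CAPS_LOCKED ,
 .BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
+.BR SECBIT_NOROOT_LOCKED ,
 and
-.BR SECBIT_NOROOT_LOCKED .
+.BR SECBIT_NO_CAP_AMBIENT_RAISE .
 .PP
 The
 .I securebits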
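Review bot: The last hunk (`@@ -1037,8 +1075,9 @@`) adds `SECBIT_NO_CAP_AMBIENT_RAISE` to the list of locked flags, but that is the base flag the patch defines a few hunks earlier, and the paragraph just above the list says each base flag has a separate "locked" companion whose setting is irreversible. The entry should read `.BR SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED .` to match the other `_LOCKED` names in the same list; as written, a reader cannot tell which flag makes the no-raise policy permanent for a process tree. As a style point in the first hunk, the two bare blank lines inside the new Ambient `.TP` entry should be `.IP` directives, as the Inheritable entry added in the same hunk already does, since a blank line inside a `.TP` paragraph resets the indentation.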
--
2.7.4