cregit-Linux how code gets into the kernel

Release 4.7 include/linux/capability.h

Directory: include/linux
/*
 * This is <linux/capability.h>
 *
 * Andrew G. Morgan <morgan@kernel.org>
 * Alexander Kjeldaas <astor@guardian.no>
 * with help from Aleph1, Roland Buresund and Andrew Main.
 *
 * See here for the libcap library ("POSIX draft" compliance):
 *
 * ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
 */
#ifndef _LINUX_CAPABILITY_H

#define _LINUX_CAPABILITY_H

#include <uapi/linux/capability.h>



#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3

#define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3

extern int file_caps_enabled;


typedef struct kernel_cap_struct {
	
__u32 cap[_KERNEL_CAPABILITY_U32S];
} 
kernel_cap_t;

/* exact same as vfs_cap_data but in cpu endian and always filled completely */

struct cpu_vfs_cap_data {
	
__u32 magic_etc;
	
kernel_cap_t permitted;
	
kernel_cap_t inheritable;
};


#define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))

#define _KERNEL_CAP_T_SIZE     (sizeof(kernel_cap_t))


struct file;
struct inode;
struct dentry;
struct user_namespace;

extern const kernel_cap_t __cap_empty_set;
extern const kernel_cap_t __cap_init_eff_set;

/*
 * Internal kernel functions only
 */


#define CAP_FOR_EACH_U32(__capi)  \
	for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)

/*
 * CAP_FS_MASK and CAP_NFSD_MASKS:
 *
 * The fs mask is all the privileges that fsuid==0 historically meant.
 * At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
 *
 * It has never meant setting security.* and trusted.* xattrs.
 *
 * We could also define fsmask as follows:
 *   1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
 *   2. The security.* and trusted.* xattrs are fs-related MAC permissions
 */


# define CAP_FS_MASK_B0     (CAP_TO_MASK(CAP_CHOWN)         \
                            | CAP_TO_MASK(CAP_MKNOD)            \
                            | CAP_TO_MASK(CAP_DAC_OVERRIDE)     \
                            | CAP_TO_MASK(CAP_DAC_READ_SEARCH)  \
                            | CAP_TO_MASK(CAP_FOWNER)           \
                            | CAP_TO_MASK(CAP_FSETID))


# define CAP_FS_MASK_B1     (CAP_TO_MASK(CAP_MAC_OVERRIDE))

#if _KERNEL_CAPABILITY_U32S != 2
# error Fix up hand-coded capability macro initializers
#else /* HAND-CODED capability initializers */


#define CAP_LAST_U32			((_KERNEL_CAPABILITY_U32S) - 1)

#define CAP_LAST_U32_VALID_MASK		(CAP_TO_MASK(CAP_LAST_CAP + 1) -1)


# define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})

# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})

# define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                    | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
                                    CAP_FS_MASK_B1 } })

# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                    | CAP_TO_MASK(CAP_SYS_RESOURCE), \
                                    CAP_FS_MASK_B1 } })

#endif /* _KERNEL_CAPABILITY_U32S != 2 */


# define cap_clear(c)         do { (c) = __cap_empty_set; } while (0)


#define cap_raise(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))

#define cap_lower(c, flag)  ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))

#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))


#define CAP_BOP_ALL(c, a, b, OP)                                    \
do {                                                                \
        unsigned __capi;                                            \
        CAP_FOR_EACH_U32(__capi) {                                  \
                c.cap[__capi] = a.cap[__capi] OP b.cap[__capi];     \
        }                                                           \
} while (0)


#define CAP_UOP_ALL(c, a, OP)                                       \
do {                                                                \
        unsigned __capi;                                            \
        CAP_FOR_EACH_U32(__capi) {                                  \
                c.cap[__capi] = OP a.cap[__capi];                   \
        }                                                           \
} while (0)


static inline kernel_cap_t cap_combine(const kernel_cap_t a, const kernel_cap_t b) { kernel_cap_t dest; CAP_BOP_ALL(dest, a, b, |); return dest; }

Contributors

PersonTokensPropCommitsCommitProp
pre-gitpre-git2578.12%266.67%
andrew g. morganandrew g. morgan721.88%133.33%
Total32100.00%3100.00%


static inline kernel_cap_t cap_intersect(const kernel_cap_t a, const kernel_cap_t b) { kernel_cap_t dest; CAP_BOP_ALL(dest, a, b, &); return dest; }

Contributors

PersonTokensPropCommitsCommitProp
pre-gitpre-git2578.12%266.67%
andrew g. morganandrew g. morgan721.88%133.33%
Total32100.00%3100.00%


static inline kernel_cap_t cap_drop(const kernel_cap_t a, const kernel_cap_t drop) { kernel_cap_t dest; CAP_BOP_ALL(dest, a, drop, &~); return dest; }

Contributors

PersonTokensPropCommitsCommitProp
pre-gitpre-git2678.79%266.67%
andrew g. morganandrew g. morgan721.21%133.33%
Total33100.00%3100.00%


static inline kernel_cap_t cap_invert(const kernel_cap_t c) { kernel_cap_t dest; CAP_UOP_ALL(dest, c, ~); return dest; }

Contributors

PersonTokensPropCommitsCommitProp
pre-gitpre-git2180.77%266.67%
andrew g. morganandrew g. morgan519.23%133.33%
Total26100.00%3100.00%


static inline bool cap_isclear(const kernel_cap_t a) { unsigned __capi; CAP_FOR_EACH_U32(__capi) { if (a.cap[__capi] != 0) return false; } return true; }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan3183.78%133.33%
yaowei baiyaowei bai38.11%133.33%
pre-gitpre-git38.11%133.33%
Total37100.00%3100.00%

/* * Check if "a" is a subset of "set". * return true if ALL of the capabilities in "a" are also in "set" * cap_issubset(0101, 1111) will return true * return false if ANY of the capabilities in "a" are not in "set" * cap_issubset(1111, 0101) will return false */
static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set) { kernel_cap_t dest; dest = cap_drop(a, set); return cap_isclear(dest); }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan2678.79%125.00%
pre-gitpre-git618.18%250.00%
yaowei baiyaowei bai13.03%125.00%
Total33100.00%4100.00%

/* Used to decide between falling back on the old suser() or fsuser(). */
static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) { const kernel_cap_t __cap_fs_set = CAP_FS_SET; return cap_drop(a, __cap_fs_set); }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan2392.00%150.00%
pre-gitpre-git28.00%150.00%
Total25100.00%2100.00%


static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a, const kernel_cap_t permitted) { const kernel_cap_t __cap_fs_set = CAP_FS_SET; return cap_combine(a, cap_intersect(permitted, __cap_fs_set)); }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan3191.18%150.00%
pre-gitpre-git38.82%150.00%
Total34100.00%2100.00%


static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a) { const kernel_cap_t __cap_fs_set = CAP_NFSD_SET; return cap_drop(a, __cap_fs_set); }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan2392.00%150.00%
pre-gitpre-git28.00%150.00%
Total25100.00%2100.00%


static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a, const kernel_cap_t permitted) { const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET; return cap_combine(a, cap_intersect(permitted, __cap_nfsd_set)); }

Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan34100.00%1100.00%
Total34100.00%1100.00%

#ifdef CONFIG_MULTIUSER extern bool has_capability(struct task_struct *t, int cap); extern bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap); extern bool has_capability_noaudit(struct task_struct *t, int cap); extern bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap); extern bool capable(int cap); extern bool ns_capable(struct user_namespace *ns, int cap); #else
static inline bool has_capability(struct task_struct *t, int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda18100.00%1100.00%
Total18100.00%1100.00%


static inline bool has_ns_capability(struct task_struct *t, struct user_namespace *ns, int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda23100.00%1100.00%
Total23100.00%1100.00%


static inline bool has_capability_noaudit(struct task_struct *t, int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda18100.00%1100.00%
Total18100.00%1100.00%


static inline bool has_ns_capability_noaudit(struct task_struct *t, struct user_namespace *ns, int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda23100.00%1100.00%
Total23100.00%1100.00%


static inline bool capable(int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda13100.00%1100.00%
Total13100.00%1100.00%


static inline bool ns_capable(struct user_namespace *ns, int cap) { return true; }

Contributors

PersonTokensPropCommitsCommitProp
iulia mandaiulia manda18100.00%1100.00%
Total18100.00%1100.00%

#endif /* CONFIG_MULTIUSER */ extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); /* audit system wants to get cap info from files as well */ extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps); #endif /* !_LINUX_CAPABILITY_H */

Overall Contributors

PersonTokensPropCommitsCommitProp
andrew g. morganandrew g. morgan25333.03%27.69%
pre-gitpre-git16821.93%311.54%
iulia mandaiulia manda12115.80%13.85%
serge hallynserge hallyn7710.05%519.23%
david howellsdavid howells476.14%311.54%
eric pariseric paris435.61%415.38%
linus torvaldslinus torvalds222.87%13.85%
eric w. biedermaneric w. biederman162.09%13.85%
yaowei baiyaowei bai50.65%13.85%
chris wrightchris wright50.65%13.85%
casey schauflercasey schaufler40.52%13.85%
randy dunlaprandy dunlap30.39%13.85%
geunsik limgeunsik lim10.13%13.85%
andy lutomirskiandy lutomirski10.13%13.85%
Total766100.00%26100.00%
Directory: include/linux
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
{% endraw %}