Next try with capabilities, this time against 2.3.1. Patch is
completely safe and should significantly enhance system security. It
is completely backward compatible: ie. no semantics
change. Capabilities are implemented using elf notes (and this version
parses notes correctly). Software exists for adding capabilities at
runtime, so you don't even require a recompile.
This time I removed "FLE" hack, which was maybe too dirty. Please apply,
Pavel
PS: Pretty nice page exists at
http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html; and this time it
really is there.
--- /dev/null Tue Jul 21 02:45:36 1998
+++ linux/Documentation/capabilities.txt Tue May 11 14:17:39 1999
@@ -0,0 +1,31 @@
+Elf capabilities hack
+=====================
+
+From now on, there's support for capabilities in elf executable. Elf
+executable now may contain "capabilities header", telling which
+capabilities should be dropped on exec. This can not hurt: lowering
+capabilities is not priviledged operation, and executable could do it
+itself at beggining of main.
+
+Doing it in exec() time has certain advantages, through: you can
+easily look and what capabilities are in use by what program and you
+can set capabilities for existing executables without need to
+recompile.
+
+What can elfcap do:
+
+* mask inheritable, permitted and effective sets by arbitrary mask
+
+* set euid back to ruid
+
+Along with existing setuid mechanism, this hack can be used to grant
+subset of capabilities to executables. For example currently ping has
+to be setuid0. With elfcap, ping still will be setuid0, but most of
+its capabilities will be dropped at exec() time, so breaking into ping
+will allow attacker to generate arbitrary packets to network, but
+nothing more.
+
+For more info & utility programs, look at
+http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html.
+
+ pavel@ucw.cz
--- clean/include/linux/elf.h Thu Jun 25 17:38:14 1998
+++ linux/include/linux/elf.h Tue May 11 15:58:41 1999
@@ -496,6 +496,27 @@
Elf32_Word n_type; /* Content type */
} Elf64_Nhdr;
+/* Capabilities support
+ */
+struct elf_capabilities {
+ Elf32_Word signature;
+ Elf32_Word version; /* Currently 0; this is so that you can append on the end painlessly */
+ Elf32_Word flags;
+#define ECF_MAKE_EUID_UID 1
+#define ECF_MAKE_EUID_XUID 2
+ Elf32_Word xuid; /* We want our set 128bit for future expansion */
+ Elf32_Word effective, effective1, effective2, effective3;
+ Elf32_Word permitted, permitted1, permitted2, permitted3;
+ Elf32_Word inheritable, inheritable1, inheritable2, inheritable3;
+ Elf32_Word known, known1, known2, known3;
+};
+
+struct elf_capabilities_note {
+ Elf32_Nhdr nhdr;
+ __u32 note_signature; /* == "CAPS" */
+ struct elf_capabilities cap;
+};
+
#if ELF_CLASS == ELFCLASS32
extern Elf32_Dyn _DYNAMIC [];
--- clean/fs/binfmt_elf.c Thu May 13 22:41:36 1999
+++ linux/fs/binfmt_elf.c Thu May 13 22:32:54 1999
@@ -7,6 +7,7 @@
* Tools".
*
* Copyright 1993, 1994: Eric Youngdale (ericy@cais.com).
+ * Capabilities copyright 1999 Pavel Machek (pavel@ucw.cz).
*/
#include <linux/module.h>
@@ -387,6 +388,26 @@
return elf_entry;
}
+static void
+restrict( struct linux_binprm * bprm, struct elf_capabilities *cap )
+{
+ if (cap->signature != 0xca5ab1e)
+ return;
+
+ /* I do not check versions... That is because current version
+ is 0 and I expect all changes to be backward - compabtible */
+ if (cap->flags & ECF_MAKE_EUID_UID) /* You may want to loose owner's uid */
+ bprm->e_uid = current->uid;
+ if ((!bprm->e_uid) && (cap->flags & ECF_MAKE_EUID_XUID))
+ bprm->e_uid = cap->xuid; /* We only honour random uid changes for root */
+ cap_mask( bprm->cap_effective, cap->effective );
+ cap_mask( bprm->cap_permitted, cap->permitted );
+ cap_mask( bprm->cap_inheritable, cap->inheritable );
+
+ printk( KERN_DEBUG "Now: uid = %d, effective = %x, permitted = %x, inheritable = %x\n", bprm->e_uid, bprm->cap_effective, bprm->cap_permitted, bprm->cap_inheritable );
+}
+
+
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
@@ -396,6 +417,7 @@
#define INTERPRETER_AOUT 1
#define INTERPRETER_ELF 2
+#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
static inline int
do_load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
@@ -473,6 +498,22 @@
end_data = 0;
for (i = 0; i < elf_ex.e_phnum; i++) {
+ if (elf_ppnt->p_type == PT_NOTE) {
+ struct elf_capabilities_note note;
+ int offset = elf_ppnt->p_offset;
+ int maxoffset = offset + elf_ppnt->p_filesz;
+
+ while (offset <= (maxoffset - sizeof(note))) {
+ int retval;
+ retval = read_exec(bprm->dentry, offset, (void *) ¬e,
+ sizeof(note), 1);
+ if (retval != sizeof(note))
+ goto skip;
+ if (note.note_signature == be32_to_cpu(0x43415053)) /* "CAPS" */
+ restrict(bprm, ¬e.cap);
+ offset += sizeof(Elf32_Nhdr) + roundup(note.nhdr.n_namesz, 4) + roundup(note.nhdr.n_descsz, 4);
+ }
+ }
if (elf_ppnt->p_type == PT_INTERP) {
retval = -EINVAL;
if (elf_interpreter)
@@ -533,6 +574,7 @@
interp_ex = *((struct exec *) bprm->buf);
interp_elf_ex = *((struct elfhdr *) bprm->buf);
}
+ skip:
elf_ppnt++;
}
-- I'm really pavel@ucw.cz. Look at http://195.113.31.123/~pavel. Pavel Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/