1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
|
package cap
import (
"bytes"
"encoding/binary"
"errors"
"io"
"os"
"syscall"
"unsafe"
)
// uapi/linux/xattr.h defined.
var (
xattrNameCaps, _ = syscall.BytePtrFromString("security.capability")
)
// uapi/linux/capability.h defined.
const (
vfsCapRevisionMask = uint32(0xff000000)
vfsCapFlagsMask = ^vfsCapRevisionMask
vfsCapFlagsEffective = uint32(1)
vfsCapRevision1 = uint32(0x01000000)
vfsCapRevision2 = uint32(0x02000000)
vfsCapRevision3 = uint32(0x03000000)
)
// Data types stored in little-endian order.
type vfsCaps1 struct {
MagicEtc uint32
Data [1]struct {
Permitted, Inheritable uint32
}
}
type vfsCaps2 struct {
MagicEtc uint32
Data [2]struct {
Permitted, Inheritable uint32
}
}
type vfsCaps3 struct {
MagicEtc uint32
Data [2]struct {
Permitted, Inheritable uint32
}
RootID uint32
}
// ErrBadSize indicates the the loaded file capability has
// an invalid number of bytes in it.
var ErrBadSize = errors.New("filecap bad size")
// ErrBadMagic indicates that the kernel preferred magic number for
// capability Set values is not supported by this package. This
// generally implies you are using an exceptionally old
// "../libcap/cap" package. An upgrade is needed, or failing that see
// https://sites.google.com/site/fullycapable/ for how to file a bug.
var ErrBadMagic = errors.New("unsupported magic")
// ErrBadPath indicates a failed attempt to set a file capability on
// an irregular (non-executable) file.
var ErrBadPath = errors.New("file is not a regular executable")
// ErrOutOfRange indicates an erroneous value for MinExtFlagSize.
var ErrOutOfRange = errors.New("flag length invalid for export")
// digestFileCap unpacks a file capability and returns it in a *Set
// form.
func digestFileCap(d []byte, sz int, err error) (*Set, error) {
if err != nil {
return nil, err
}
var raw1 vfsCaps1
var raw2 vfsCaps2
var raw3 vfsCaps3
if sz < binary.Size(raw1) || sz > binary.Size(raw3) {
return nil, ErrBadSize
}
b := bytes.NewReader(d[:sz])
var magicEtc uint32
if err = binary.Read(b, binary.LittleEndian, &magicEtc); err != nil {
return nil, err
}
c := NewSet()
b.Seek(0, io.SeekStart)
switch magicEtc & vfsCapRevisionMask {
case vfsCapRevision1:
if err = binary.Read(b, binary.LittleEndian, &raw1); err != nil {
return nil, err
}
data := raw1.Data[0]
c.flat[0][Permitted] = data.Permitted
c.flat[0][Inheritable] = data.Inheritable
if raw1.MagicEtc&vfsCapFlagsMask == vfsCapFlagsEffective {
c.flat[0][Effective] = data.Inheritable | data.Permitted
}
case vfsCapRevision2:
if err = binary.Read(b, binary.LittleEndian, &raw2); err != nil {
return nil, err
}
for i, data := range raw2.Data {
c.flat[i][Permitted] = data.Permitted
c.flat[i][Inheritable] = data.Inheritable
if raw2.MagicEtc&vfsCapFlagsMask == vfsCapFlagsEffective {
c.flat[i][Effective] = data.Inheritable | data.Permitted
}
}
case vfsCapRevision3:
if err = binary.Read(b, binary.LittleEndian, &raw3); err != nil {
return nil, err
}
for i, data := range raw3.Data {
c.flat[i][Permitted] = data.Permitted
c.flat[i][Inheritable] = data.Inheritable
if raw3.MagicEtc&vfsCapFlagsMask == vfsCapFlagsEffective {
c.flat[i][Effective] = data.Inheritable | data.Permitted
}
}
c.nsRoot = int(raw3.RootID)
default:
return nil, ErrBadMagic
}
return c, nil
}
//go:uintptrescapes
// GetFd returns the file capabilities of an open (*os.File).Fd().
func GetFd(file *os.File) (*Set, error) {
var raw3 vfsCaps3
d := make([]byte, binary.Size(raw3))
sz, _, oErr := multisc.r6(syscall.SYS_FGETXATTR, uintptr(file.Fd()), uintptr(unsafe.Pointer(xattrNameCaps)), uintptr(unsafe.Pointer(&d[0])), uintptr(len(d)), 0, 0)
var err error
if oErr != 0 {
err = oErr
}
return digestFileCap(d, int(sz), err)
}
//go:uintptrescapes
// GetFile returns the file capabilities of a named file.
func GetFile(path string) (*Set, error) {
p, err := syscall.BytePtrFromString(path)
if err != nil {
return nil, err
}
var raw3 vfsCaps3
d := make([]byte, binary.Size(raw3))
sz, _, oErr := multisc.r6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(p)), uintptr(unsafe.Pointer(xattrNameCaps)), uintptr(unsafe.Pointer(&d[0])), uintptr(len(d)), 0, 0)
if oErr != 0 {
err = oErr
}
return digestFileCap(d, int(sz), err)
}
// GetNSOwner returns the namespace owner UID of the capability Set.
func (c *Set) GetNSOwner() (int, error) {
if magic < kv3 {
return 0, ErrBadMagic
}
return c.nsRoot, nil
}
// SetNSOwner adds an explicit namespace owner UID to the capability
// Set. This is only honored when generating file capabilities, and is
// generally for use by a setup process when installing binaries that
// use file capabilities to become capable inside a namespace to be
// administered by that UID. If capability aware code within that
// namespace writes file capabilities without explicitly setting such
// a UID, the kernel will fix-up the capabilities to be specific to
// that owner. In this way, the kernel prevents filesystem
// capabilities from leaking out of that restricted namespace.
func (c *Set) SetNSOwner(uid int) {
c.mu.Lock()
defer c.mu.Unlock()
c.nsRoot = uid
}
// packFileCap transforms a system capability into a VFS form. Because
// of the way Linux stores capabilities in the file extended
// attributes, the process is a little lossy with respect to effective
// bits.
func (c *Set) packFileCap() ([]byte, error) {
var magic uint32
switch words {
case 1:
if c.nsRoot != 0 {
return nil, ErrBadSet // nsRoot not supported for single DWORD caps.
}
magic = vfsCapRevision1
case 2:
if c.nsRoot == 0 {
magic = vfsCapRevision2
break
}
magic = vfsCapRevision3
}
if magic == 0 {
return nil, ErrBadSize
}
eff := uint32(0)
for _, f := range c.flat {
eff |= (f[Permitted] | f[Inheritable]) & f[Effective]
}
if eff != 0 {
magic |= vfsCapFlagsEffective
}
b := new(bytes.Buffer)
binary.Write(b, binary.LittleEndian, magic)
for _, f := range c.flat {
binary.Write(b, binary.LittleEndian, f[Permitted])
binary.Write(b, binary.LittleEndian, f[Inheritable])
}
if c.nsRoot != 0 {
binary.Write(b, binary.LittleEndian, c.nsRoot)
}
return b.Bytes(), nil
}
//go:uintptrescapes
// SetFd attempts to set the file capabilities of an open
// (*os.File).Fd(). This function can also be used to delete a file's
// capabilities, by calling with c = nil.
//
// Note, Linux does not store the full Effective Value Flag in the
// metadata for the file. Only a single Effective bit is stored in
// this metadata. This single bit is non-zero if the Effective vector
// has any overlapping bits with the Permitted or Inheritable vector
// of c. This may appear suboptimal, but the reasoning behind it is
// sound. Namely, the purpose of the Effective bit it to support
// capabability unaware binaries that will only work if they magically
// launch with the needed bits already raised (this bit is sometimes
// referred to simply as the 'legacy' bit). Without *full* support for
// capability manipulation, as it is provided in this "../libcap/cap"
// package, this was the only way for Go programs to make use of
// file capabilities.
//
// The preferred way a binary will actually manipulate its
// file-acquired capabilities is to carefully and deliberately use
// this package (or libcap, assisted by libpsx, for threaded C/C++
// family code).
func (c *Set) SetFd(file *os.File) error {
if c == nil {
if _, _, err := multisc.r6(syscall.SYS_FREMOVEXATTR, uintptr(file.Fd()), uintptr(unsafe.Pointer(xattrNameCaps)), 0, 0, 0, 0); err != 0 {
return err
}
return nil
}
c.mu.Lock()
defer c.mu.Unlock()
d, err := c.packFileCap()
if err != nil {
return err
}
if _, _, err := multisc.r6(syscall.SYS_FSETXATTR, uintptr(file.Fd()), uintptr(unsafe.Pointer(xattrNameCaps)), uintptr(unsafe.Pointer(&d[0])), uintptr(len(d)), 0, 0); err != 0 {
return err
}
return nil
}
//go:uintptrescapes
// SetFile attempts to set the file capabilities of the specified
// filename. This function can also be used to delete a file's
// capabilities, by calling with c = nil.
//
// Note, see the comment for SetFd() for some non-obvious behavior of
// Linux for the Effective Value vector on the modified file.
func (c *Set) SetFile(path string) error {
fi, err := os.Stat(path)
if err != nil {
return err
}
mode := fi.Mode()
if mode&os.ModeType != 0 {
return ErrBadPath
}
if mode&os.FileMode(0111) == 0 {
return ErrBadPath
}
p, err := syscall.BytePtrFromString(path)
if err != nil {
return err
}
if c == nil {
if _, _, err := multisc.r6(syscall.SYS_REMOVEXATTR, uintptr(unsafe.Pointer(p)), uintptr(unsafe.Pointer(xattrNameCaps)), 0, 0, 0, 0); err != 0 {
return err
}
return nil
}
c.mu.Lock()
defer c.mu.Unlock()
d, err := c.packFileCap()
if err != nil {
return err
}
if _, _, err := multisc.r6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(p)), uintptr(unsafe.Pointer(xattrNameCaps)), uintptr(unsafe.Pointer(&d[0])), uintptr(len(d)), 0, 0); err != 0 {
return err
}
return nil
}
// ExtMagic is the 32-bit (little endian) magic for an external
// capability set. It can be used to transmit capabilities in binary
// format in a Linux portable way. The format is:
// <ExtMagic><byte:length><length-bytes*3-of-cap-data>.
const ExtMagic = uint32(0x5101c290)
// Import imports a Set from a byte array where it has been stored in
// a portable (lossless) way. That is values exported by
// libcap.cap_copy_ext() and Export().
func Import(d []byte) (*Set, error) {
b := bytes.NewBuffer(d)
var m uint32
if err := binary.Read(b, binary.LittleEndian, &m); err != nil {
return nil, ErrBadSize
} else if m != ExtMagic {
return nil, ErrBadMagic
}
var n byte
if err := binary.Read(b, binary.LittleEndian, &n); err != nil {
return nil, ErrBadSize
}
c := NewSet()
if int(n) > 4*words {
return nil, ErrBadSize
}
f := make([]byte, 3)
for i := 0; i < words; i++ {
for j := uint(0); n > 0 && j < 4; j++ {
n--
if x, err := b.Read(f); err != nil || x != 3 {
return nil, ErrBadSize
}
sh := 8 * j
c.flat[i][Effective] |= uint32(f[0]) << sh
c.flat[i][Permitted] |= uint32(f[1]) << sh
c.flat[i][Inheritable] |= uint32(f[2]) << sh
}
}
return c, nil
}
// To strictly match libcap, this value defaults to 8. Setting it to
// zero can generate smaller external representations. Such smaller
// representations can be imported by libcap and the Go package just
// fine, we just default to the default libcap representation for
// legacy reasons.
var MinExtFlagSize = uint(8)
// Export exports a Set into a lossless byte array format where it is
// stored in a portable way. Note, any namespace owner in the Set
// content is not exported by this function.
//
// Note, Export() generates exported byte streams that are importable
// by libcap.cap_copy_int() as well as Import().
func (c *Set) Export() ([]byte, error) {
if c == nil {
return nil, ErrBadSet
}
if MinExtFlagSize > 255 {
return nil, ErrOutOfRange
}
b := new(bytes.Buffer)
binary.Write(b, binary.LittleEndian, ExtMagic)
c.mu.Lock()
defer c.mu.Unlock()
var n = uint(0)
for i, f := range c.flat {
if nn := 4 * uint(i); nn+4 > n {
if u := f[Effective] | f[Permitted] | f[Inheritable]; u != 0 {
n = nn
for ; u != 0; u >>= 8 {
n++
}
}
}
}
if n < MinExtFlagSize {
n = MinExtFlagSize
}
b.Write([]byte{byte(n)})
for _, f := range c.flat {
if n == 0 {
break
}
eff, per, inh := f[Effective], f[Permitted], f[Inheritable]
for i := 0; n > 0 && i < 4; i++ {
n--
b.Write([]byte{
byte(eff & 0xff),
byte(per & 0xff),
byte(inh & 0xff),
})
eff >>= 8
per >>= 8
inh >>= 8
}
}
for n > 0 {
n--
b.Write([]byte{0, 0, 0})
}
return b.Bytes(), nil
}
|
