Support prctl(PR_SET_KEEPCAPS/PR_GET_KEEPCAPS)

kernel/src/process/credentials/credentials_.rs

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: MPL-2.0
 
-use core::sync::atomic::Ordering;
+use core::sync::atomic::{AtomicBool, Ordering};
 
 use ostd::sync::{PreemptDisabled, RwLockReadGuard, RwLockWriteGuard};
 
@@ -46,6 +46,9 @@ pub(super) struct Credentials_ {
 
     /// Capability that we can actually use
     effective_capset: AtomicCapSet,
+
+    /// Keep capabilities flag
+    keep_capabilities: AtomicBool,
 }
 
 impl Credentials_ {
@@ -67,6 +70,7 @@ impl Credentials_ {
             inheritable_capset: AtomicCapSet::new(capset),
             permitted_capset: AtomicCapSet::new(capset),
             effective_capset: AtomicCapSet::new(capset),
+            keep_capabilities: AtomicBool::new(false),
         }
     }
 
@@ -92,6 +96,10 @@ impl Credentials_ {
         self.fsuid.load(Ordering::Relaxed)
     }
 
+    pub(super) fn keep_capabilities(&self) -> bool {
+        self.keep_capabilities.load(Ordering::Relaxed)
+    }
+
     pub(super) fn set_uid(&self, uid: Uid) {
         if self.is_privileged() {
             self.ruid.store(uid, Ordering::Relaxed);
@@ -99,9 +107,23 @@ impl Credentials_ {
             self.suid.store(uid, Ordering::Relaxed);
             self.fsuid.store(uid, Ordering::Relaxed);
         } else {
+            // Unprivileged processes can only switch between ruid, euid, suid
+            if uid != self.ruid.load(Ordering::Relaxed)
+                && uid != self.euid.load(Ordering::Relaxed)
+                && uid != self.suid.load(Ordering::Relaxed)
+            {
+                // No permission to set to this UID
+                return;
+            }
             self.euid.store(uid, Ordering::Relaxed);
             self.fsuid.store(uid, Ordering::Relaxed);
         }
+        if !self.keep_capabilities.load(Ordering::Relaxed) {
+            self.set_permitted_capset(CapSet::empty());
+            self.set_inheritable_capset(CapSet::empty());
+        }
+        // Always clear the effective capabilities when changing the UID
+        self.set_effective_capset(CapSet::empty());
     }
 
     pub(super) fn set_reuid(&self, ruid: Option<Uid>, euid: Option<Uid>) -> Result<()> {
@@ -326,6 +348,11 @@ impl Credentials_ {
         self.sgid.store(sgid, Ordering::Relaxed);
     }
 
+    pub(super) fn set_keep_capabilities(&self, keep_capabilities: bool) {
+        self.keep_capabilities
+            .store(keep_capabilities, Ordering::Relaxed);
+    }
+
     // For `setregid`, rgid can *NOT* be set to old sgid,
     // while for `setresgid`, ruid can be set to old sgid.
     fn check_gid_perm(
@@ -444,6 +471,7 @@ impl Clone for Credentials_ {
             inheritable_capset: self.inheritable_capset.clone(),
             permitted_capset: self.permitted_capset.clone(),
             effective_capset: self.effective_capset.clone(),
+            keep_capabilities: AtomicBool::new(self.keep_capabilities.load(Ordering::Relaxed)),
         }
     }
 }

kernel/src/process/credentials/static_cap.rs

@@ -79,6 +79,14 @@ impl<R: TRights> Credentials<R> {
         self.0.fsuid()
     }
 
+    /// Gets keep capabilities flag.
+    ///
+    /// This method requires the `Read` right.
+    #[require(R > Read)]
+    pub fn keep_capabilities(&self) -> bool {
+        self.0.keep_capabilities()
+    }
+
     /// Sets uid. If self is privileged, sets the effective, real, saved-set user ids as `uid`,
     /// Otherwise, sets effective user id as `uid`.
     ///
@@ -139,6 +147,14 @@ impl<R: TRights> Credentials<R> {
         self.0.set_suid(euid);
     }
 
+    /// Sets keep capabilities flag.
+    ///
+    /// This method requires the `Write` right.
+    #[require(R > Write)]
+    pub fn set_keep_capabilities(&self, keep_capabilities: bool) {
+        self.0.set_keep_capabilities(keep_capabilities);
+    }
+
     // *********** Gid methods **********
 
     /// Gets real group id.