Support prctl(PR_SET_KEEPCAPS/PR_GET_KEEPCAPS)

2025-06-20 13:06:33 +00:00 · 2024-12-05 07:49:43 +00:00
parent d72ce0351a
commit 24f1e02b26
6 changed files with 73 additions and 2 deletions
--- a/kernel/src/syscall/execve.rs
+++ b/kernel/src/syscall/execve.rs
@ -129,6 +129,7 @@ fn do_execve(
    let credentials = ctx.posix_thread.credentials_mut();
    set_uid_from_elf(process, &credentials, &elf_file)?;
    set_gid_from_elf(process, &credentials, &elf_file)?;
+    credentials.set_keep_capabilities(false);

    // set executable path
    process.set_executable_path(new_executable_path);
--- a/kernel/src/syscall/prctl.rs
+++ b/kernel/src/syscall/prctl.rs
@ -41,6 +41,25 @@ pub fn sys_prctl(

            // TODO: implement coredump
        }
+        PrctlCmd::PR_GET_KEEPCAPS => {
+            let keep_cap = {
+                let credentials = ctx.posix_thread.credentials();
+                if credentials.keep_capabilities() {
+                    1
+                } else {
+                    0
+                }
+            };
+
+            return Ok(SyscallReturn::Return(keep_cap as _));
+        }
+        PrctlCmd::PR_SET_KEEPCAPS(keep_cap) => {
+            if keep_cap > 1 {
+                return_errno!(Errno::EINVAL)
+            }
+            let credentials = ctx.posix_thread.credentials_mut();
+            credentials.set_keep_capabilities(keep_cap != 0);
+        }
        PrctlCmd::PR_GET_NAME(write_to_addr) => {
            let thread_name = ctx.posix_thread.thread_name().lock();
            if let Some(thread_name) = &*thread_name {
@ -70,6 +89,8 @@ const PR_SET_PDEATHSIG: i32 = 1;
 const PR_GET_PDEATHSIG: i32 = 2;
 const PR_GET_DUMPABLE: i32 = 3;
 const PR_SET_DUMPABLE: i32 = 4;
+const PR_GET_KEEPCAPS: i32 = 7;
+const PR_SET_KEEPCAPS: i32 = 8;
 const PR_SET_NAME: i32 = 15;
 const PR_GET_NAME: i32 = 16;
 const PR_SET_TIMERSLACK: i32 = 29;
@ -82,6 +103,8 @@ pub enum PrctlCmd {
    PR_GET_PDEATHSIG(Vaddr),
    PR_SET_NAME(Vaddr),
    PR_GET_NAME(Vaddr),
+    PR_GET_KEEPCAPS,
+    PR_SET_KEEPCAPS(u32),
    #[allow(dead_code)]
    PR_SET_TIMERSLACK(u64),
    #[allow(dead_code)]
@ -112,6 +135,8 @@ impl PrctlCmd {
            PR_GET_NAME => Ok(PrctlCmd::PR_GET_NAME(arg2 as _)),
            PR_GET_TIMERSLACK => todo!(),
            PR_SET_TIMERSLACK => todo!(),
+            PR_GET_KEEPCAPS => Ok(PrctlCmd::PR_GET_KEEPCAPS),
+            PR_SET_KEEPCAPS => Ok(PrctlCmd::PR_SET_KEEPCAPS(arg2 as _)),
            _ => {
                debug!("prctl cmd number: {}", option);
                return_errno_with_message!(Errno::EINVAL, "unsupported prctl command");