Add syscall capget/capset

2025-06-27 03:13:23 +00:00 · 2024-05-06 13:35:13 +08:00
parent 8e1aeaf578
commit 6e612fc730
15 changed files with 413 additions and 20 deletions
--- a/kernel/aster-nix/src/syscall/capset.rs
+++ b/kernel/aster-nix/src/syscall/capset.rs
@ -0,0 +1,51 @@
+// SPDX-License-Identifier: MPL-2.0
+
+use super::SyscallReturn;
+use crate::{
+    prelude::*,
+    process::{
+        credentials::{
+            c_types::{cap_user_data_t, cap_user_header_t, LINUX_CAPABILITY_VERSION_3},
+            capabilities::CapSet,
+        },
+        credentials_mut,
+    },
+    util::read_val_from_user,
+};
+
+const CAP_LAST_CAP: u64 = 40; // Number of the last capability (CAP_CHECKPOINT_RESTORE)
+const CAP_VALID_MASK: u64 = (1u64 << (CAP_LAST_CAP + 1)) - 1;
+
+fn make_kernel_cap(low: u32, high: u32) -> u64 {
+    ((low as u64) | ((high as u64) << 32)) & CAP_VALID_MASK
+}
+
+pub fn sys_capset(cap_user_header_addr: Vaddr, cap_user_data_addr: Vaddr) -> Result<SyscallReturn> {
+    let cap_user_header: cap_user_header_t =
+        read_val_from_user::<cap_user_header_t>(cap_user_header_addr)?;
+
+    if cap_user_header.version != LINUX_CAPABILITY_VERSION_3 {
+        return_errno_with_message!(Errno::EINVAL, "not supported (capability version is not 3)");
+    };
+
+    // The ability to set capabilities of any other process has been deprecated.
+    // See: https://elixir.bootlin.com/linux/v6.9.3/source/kernel/capability.c#L209 for more details.
+    let header_pid = cap_user_header.pid;
+    if header_pid != 0 && header_pid != current!().pid() {
+        return_errno_with_message!(Errno::EINVAL, "invalid pid");
+    }
+
+    // Convert the cap(u32) to u64
+    let cap_user_data: cap_user_data_t = read_val_from_user::<cap_user_data_t>(cap_user_data_addr)?;
+    let inheritable = make_kernel_cap(cap_user_data.inheritable, 0);
+    let permitted = make_kernel_cap(cap_user_data.permitted, 0);
+    let effective = make_kernel_cap(cap_user_data.effective, 0);
+
+    let credentials = credentials_mut();
+
+    credentials.set_inheritable_capset(CapSet::from_bits_truncate(inheritable));
+    credentials.set_permitted_capset(CapSet::from_bits_truncate(permitted));
+    credentials.set_effective_capset(CapSet::from_bits_truncate(effective));
+
+    Ok(SyscallReturn::Return(0))
+}