Samuka007/asterinas
1
0
Fork 0
mirror of https://github.com/asterinas/asterinas.git synced 2025-06-15 16:26:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add permission checks for sys_capset

Browse Source
This commit is contained in:
Fabing Li 2024-12-05 07:49:29 +00:00 committed by Tate, Hongliang Tian
parent 636efe68fd
commit d72ce0351a
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
kernel/src/syscall/capset.rs
View File

@ -24,7 +24,7 @@ pub fn sys_capset(
if cap_user_header.version != LINUX_CAPABILITY_VERSION_3 { if cap_user_header.version != LINUX_CAPABILITY_VERSION_3 {
return_errno_with_message!(Errno::EINVAL, "not supported (capability version is not 3)"); return_errno_with_message!(Errno::EINVAL, "not supported (capability version is not 3)");
}; }
// The ability to set capabilities of any other process has been deprecated. // The ability to set capabilities of any other process has been deprecated.
// See: https://elixir.bootlin.com/linux/v6.9.3/source/kernel/capability.c#L209 for more details. // See: https://elixir.bootlin.com/linux/v6.9.3/source/kernel/capability.c#L209 for more details.
@ -33,6 +33,16 @@ pub fn sys_capset(
return_errno_with_message!(Errno::EINVAL, "invalid pid"); return_errno_with_message!(Errno::EINVAL, "invalid pid");
} }
// Check if the current process has CAP_SET_CAP capability
if !(ctx
.posix_thread
.credentials()
.permitted_capset()
.contains(CapSet::SETPCAP))
{
return_errno_with_message!(Errno::EPERM, "permission denied");
}
// Convert the cap(u32) to u64 // Convert the cap(u32) to u64
let cap_user_data: cap_user_data_t = let cap_user_data: cap_user_data_t =
user_space.read_val::<cap_user_data_t>(cap_user_data_addr)?; user_space.read_val::<cap_user_data_t>(cap_user_data_addr)?;