2
* Copyright (c) 2008 Andrew G. Morgan <morgan@kernel.org>
4
* This is a simple 'bash' wrapper program that can be used to
5
* raise and lower both the bset and pI capabilities before invoking
6
* /bin/bash (hardcoded right now).
8
* The --print option can be used as a quick test whether various
9
* capability manipulations work as expected (or not).
15
#include <sys/prctl.h>
16
#include <sys/capability.h>
21
/* prctl based API for altering character of current process */
22
#define PR_GET_KEEPCAPS 7
23
#define PR_SET_KEEPCAPS 8
24
#define PR_CAPBSET_READ 23
25
#define PR_CAPBSET_DROP 24
26
#define PR_GET_SECUREBITS 25
27
#define PR_SET_SECUREBITS 26
29
static const cap_value_t raise_setpcap[1] = { CAP_SETPCAP };
30
static const cap_value_t raise_chroot[1] = { CAP_SYS_CHROOT };
32
int main(int argc, char *argv[], char *envp[])
39
for (i=1; i<argc; ++i) {
40
if (!memcmp("--drop=", argv[i], 4)) {
42
cap_t orig, raised_for_setpcap;
45
* We need to do this here because --inh=XXX may have reset
46
* orig and it isn't until we are within the --drop code that
47
* we know what the prevailing (orig) pI value is.
49
orig = cap_get_proc();
51
perror("Capabilities not available");
55
raised_for_setpcap = cap_dup(orig);
56
if (raised_for_setpcap == NULL) {
57
fprintf(stderr, "BSET modification requires CAP_SETPCAP\n");
61
if (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
62
raise_setpcap, CAP_SET) != 0) {
63
perror("unable to select CAP_SETPCAP");
67
for (ptr = argv[i]+7; (ptr = strtok(ptr, ",")); ptr = NULL) {
68
/* find name for token */
72
if (cap_from_name(ptr, &cap) != 0) {
73
fprintf(stderr, "capability [%s] is unknown to libcap\n",
77
if (cap_set_proc(raised_for_setpcap) != 0) {
78
perror("unable to raise CAP_SETPCAP for BSET changes");
81
status = prctl(PR_CAPBSET_DROP, cap);
82
if (cap_set_proc(orig) != 0) {
83
perror("unable to lower CAP_SETPCAP post BSET change");
87
fprintf(stderr, "failed to drop [%s=%u]\n", ptr, cap);
92
cap_free(raised_for_setpcap);
94
} else if (!memcmp("--inh=", argv[i], 6)) {
95
cap_t all, raised_for_setpcap;
101
perror("Capabilities not available");
105
raised_for_setpcap = cap_dup(all);
106
if ((raised_for_setpcap != NULL)
107
&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
108
raise_setpcap, CAP_SET) != 0)) {
109
cap_free(raised_for_setpcap);
110
raised_for_setpcap = NULL;
113
text = cap_to_text(all, NULL);
116
perror("Fatal error concerning process capabilities");
119
ptr = malloc(10 + strlen(argv[i]+6) + strlen(text));
121
perror("Out of memory for inh set");
124
sprintf(ptr, "%s all-i %s+i", text, argv[i]+6);
126
all = cap_from_text(ptr);
128
perror("Fatal error internalizing capabilities");
134
if (raised_for_setpcap != NULL) {
136
* This is only for the case that pP does not contain
137
* the requested change to pI.. Failing here is not
138
* indicative of the cap_set_proc(all) failing (always).
140
(void) cap_set_proc(raised_for_setpcap);
141
cap_free(raised_for_setpcap);
142
raised_for_setpcap = NULL;
145
if (cap_set_proc(all) != 0) {
146
perror("Unable to set inheritable capabilities");
150
* Since status is based on orig, we don't want to restore
151
* the previous value of 'all' again here!
155
} else if (!memcmp("--caps=", argv[i], 7)) {
156
cap_t all, raised_for_setpcap;
158
raised_for_setpcap = cap_get_proc();
159
if (raised_for_setpcap == NULL) {
160
perror("Capabilities not available");
164
if ((raised_for_setpcap != NULL)
165
&& (cap_set_flag(raised_for_setpcap, CAP_EFFECTIVE, 1,
166
raise_setpcap, CAP_SET) != 0)) {
167
cap_free(raised_for_setpcap);
168
raised_for_setpcap = NULL;
171
all = cap_from_text(argv[i]+7);
173
fprintf(stderr, "unable to interpret [%s]\n", argv[i]);
177
if (raised_for_setpcap != NULL) {
179
* This is only for the case that pP does not contain
180
* the requested change to pI.. Failing here is not
181
* indicative of the cap_set_proc(all) failing (always).
183
(void) cap_set_proc(raised_for_setpcap);
184
cap_free(raised_for_setpcap);
185
raised_for_setpcap = NULL;
188
if (cap_set_proc(all) != 0) {
189
fprintf(stderr, "Unable to set capabilities [%s]\n", argv[i]);
193
* Since status is based on orig, we don't want to restore
194
* the previous value of 'all' again here!
198
} else if (!memcmp("--keep=", argv[i], 7)) {
202
value = strtoul(argv[i]+7, NULL, 0);
203
set = prctl(PR_SET_KEEPCAPS, value);
205
fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n",
206
value, strerror(errno));
209
} else if (!memcmp("--chroot=", argv[i], 9)) {
211
cap_t orig, raised_for_chroot;
213
orig = cap_get_proc();
215
perror("Capabilities not available");
219
raised_for_chroot = cap_dup(orig);
220
if (raised_for_chroot == NULL) {
221
perror("Unable to duplicate capabilities");
225
if (cap_set_flag(raised_for_chroot, CAP_EFFECTIVE, 1, raise_chroot,
227
perror("unable to select CAP_SET_SYS_CHROOT");
231
if (cap_set_proc(raised_for_chroot) != 0) {
232
perror("unable to raise CAP_SYS_CHROOT");
235
cap_free(raised_for_chroot);
237
status = chroot(argv[i]+9);
238
if (cap_set_proc(orig) != 0) {
239
perror("unable to lower CAP_SYS_CHROOT");
245
fprintf(stderr, "Unable to chroot to [%s]", argv[i]+9);
248
} else if (!memcmp("--secbits=", argv[i], 10)) {
252
value = strtoul(argv[i]+10, NULL, 0);
253
status = prctl(PR_SET_SECUREBITS, value);
255
fprintf(stderr, "failed to set securebits to 0%o/0x%x\n",
259
} else if (!memcmp("--forkfor=", argv[i], 10)) {
262
value = strtoul(argv[i]+10, NULL, 0);
268
perror("unable to fork()");
273
} else if (!memcmp("--killit=", argv[i], 9)) {
278
value = strtoul(argv[i]+9, NULL, 0);
280
fprintf(stderr, "no forked process to kill\n");
283
retval = kill(child, value);
285
perror("Unable to kill child process");
288
result = waitpid(child, &status, 0);
289
if (result != child) {
290
fprintf(stderr, "waitpid didn't match child: %u != %u\n",
294
if (WTERMSIG(status) != value) {
295
fprintf(stderr, "child terminated with odd signal (%d != %d)\n"
296
, value, WTERMSIG(status));
299
} else if (!memcmp("--uid=", argv[i], 6)) {
303
value = strtoul(argv[i]+6, NULL, 0);
304
status = setuid(value);
306
fprintf(stderr, "Failed to set uid=%u: %s\n",
307
value, strerror(errno));
310
} else if (!strcmp("--print", argv[i])) {
317
all = cap_get_proc();
318
text = cap_to_text(all, NULL);
319
printf("Current: %s\n", text);
323
printf("Bounding set =");
325
for (cap=0; (set = prctl(PR_CAPBSET_READ, cap)) >= 0; cap++) {
331
ptr = cap_to_name(cap);
333
printf("%s%u", sep, cap);
335
printf("%s%s", sep, ptr);
340
set = prctl(PR_GET_SECUREBITS);
342
printf("Securebits: 0%o/0x%x\n", set, set);
343
printf(" secure-noroot: %s (%s)\n",
344
(set & 1) ? "yes":"no",
345
(set & 2) ? "locked":"unlocked");
346
printf(" secure-no-suid-fixup: %s (%s)\n",
347
(set & 4) ? "yes":"no",
348
(set & 8) ? "locked":"unlocked");
349
printf(" secure-keep-caps: %s (%s)\n",
350
(set & 16) ? "yes":"no",
351
(set & 32) ? "locked":"unlocked");
353
printf("[Securebits ABI not supported]\n");
354
set = prctl(PR_GET_KEEPCAPS);
356
printf(" prctl-keep-caps: %s (locking not supported)\n",
359
printf("[Keepcaps ABI not supported]\n");
362
printf("uid=%u\n", getuid());
363
} else if ((!strcmp("--", argv[i])) || (!strcmp("==", argv[i]))) {
364
argv[i] = strdup(argv[i][0] == '-' ? "/bin/bash" : argv[0]);
366
execve(argv[i], argv+i, envp);
367
fprintf(stderr, "execve /bin/bash failed!\n");
371
printf("usage: %s [args ...]\n"
372
" --help this message\n"
373
" --print display capability relevant state\n"
374
" --drop=xxx remove xxx,.. capabilities from bset\n"
375
" --caps=xxx set caps as per cap_from_text()\n"
376
" --inh=xxx set xxx,.. inheritiable set\n"
377
" --secbits=<n> write a new value for securebits\n"
378
" --keep=<n> set keep-capabability bit to <n>\n"
379
" --uid=<n> set uid to <n> (hint: id <username>)\n"
380
" --chroot=path chroot(2) to this path to invoke bash\n"
381
" --killit=<n> send signal(n) to child\n"
382
" --forkfor=<n> fork and make child sleep for <n> sec\n"
383
" == re-exec(capsh) with args as for --\n"
384
" -- remaing arguments are for /bin/bash\n"
385
" (without -- [%s] will simply exit(0))\n",
388
exit(strcmp("--help", argv[i]) != 0);