aboutsummaryrefslogtreecommitdiff
path: root/doc/cap_iab.3
diff options
context:
space:
mode:
Diffstat (limited to 'doc/cap_iab.3')
-rw-r--r--doc/cap_iab.3140
1 files changed, 89 insertions, 51 deletions
diff --git a/doc/cap_iab.3 b/doc/cap_iab.3
index a453428..3e6282d 100644
--- a/doc/cap_iab.3
+++ b/doc/cap_iab.3
@@ -1,27 +1,28 @@
-.TH CAP_IAB 3 "2021-03-10" "" "Linux Programmer's Manual"
+.TH CAP_IAB 3 "2022-10-16" "" "Linux Programmer's Manual"
.SH NAME
+cap_iab_init, cap_iab_dup, cap_iab_get_proc, cap_iab_get_pid, \
+cap_iab_set_proc, cap_iab_to_text, cap_iab_from_text, \
+cap_iab_get_vector, cap_iab_compare, cap_iab_set_vector, \
+cap_iab_fill, cap_proc_root \- inheritable IAB tuple support functions
+.SH SYNOPSIS
.nf
#include <sys/capability.h>
cap_iab_t cap_iab_init(void);
-
+cap_iab_t cap_iab_dup(cap_iab_t iab);
cap_iab_t cap_iab_get_proc(void);
-
+cap_iab_t cap_iab_get_pid(pid_t pid);
int cap_iab_set_proc(cap_iab_t iab);
-
char *cap_iab_to_text(cap_iab_t iab);
-
cap_iab_t cap_iab_from_text(const char *text);
-
cap_flag_value_t cap_iab_get_vector(cap_iab_t iab, cap_iab_vector_t vec,
cap_value_t val);
-
+int cap_iab_compare(cap_iab_t a, cap_iab_t b);
int cap_iab_set_vector(cap_iab_t iab, cap_iab_vector_t vec, cap_value_t val,
cap_flag_value_t enable);
-
int cap_iab_fill(cap_iab_t iab, cap_iab_vector_t vec,
cap_t set, cap_flag_t flag);
-
+char *cap_proc_root(const char *root);
.fi
.sp
Link with \fI\-lcap\fP.
@@ -32,42 +33,45 @@ inheritable process capability vectors: Inh, Amb and Bound. This
\fIcap_iab_t\fP combine to pass capabilities from one process to
another through
.BR execve (2)
-system calls. The convolution rules using the IAB set are a fail over
+system calls. The convolution rules using the IAB tuple are a fail over
set of rules when the executed file has no configured
\fIfile-capabilities\fP.
.PP
There are some constraints enforced by the kernel with respect to the
-three components of an IAB set and the Permitted process capability
+three components of an IAB tuple and the Permitted process capability
flag. They are: the Inh vector is entirely equal to the process
-Inheritable flag at all times; the the Amb vector contains no more
+Inheritable flag at all times; the Amb vector contains no more
capability values than the intersection of the Inh vector and the
-Permitted flag for the process; no Amb value blocked in the Bound
-Vector will survive
-.BR execve (2);
-and the Bound (or \fIblocked\fP) vector is the twos-complement of the
-process bounding set.
+Permitted flag for the process; and the Bound (or \fIblocked\fP)
+vector is the twos-complement of the process bounding vector.
.PP
-In some environments, it is considered desirable to naively inherit
-capabilities. That is pass capabilities, independent of the status of
-the executed binary, from parent to child through exec* system
-calls. The surviving capabilities become the Permitted flag for the
-post-exec process. This method of inheritance differs significantly
-from the handshake inheritance between pre-exec* process and
-file-capability bestowed executable of the traditional capability
-mechanism.
+In some environments, it is considered desirable to \fInaively\fP
+inherit capabilities. That is pass capabilities, independent of the
+status of the executed binary, from parent to child through
+\fBexec*\fP system calls. The surviving capabilities become the
+Permitted flag for the post-exec process. This method of inheritance
+differs significantly from the handshake inheritance between a
+pre-exec* process and a file-capability bestowed executable of the
+traditional (POSIX.1e) capability mechanism.
.PP
-The convolution rules for IAB style inheritance are: I'=I; A'= A & ~B;
-P'=A & ~B. Where P etc are the pre-exec values and P' etc are the
+The convolution rules for IAB style inheritance are: I'=I; A'=A&I;
+P'=A&I&P. Where P etc are the pre-exec values and P' etc are the
post-exec values.
.PP
With an understanding of these convolution rules, we can explain how
.BR libcap (3)
-support for the IAB set is managed: the IAB API.
+support for the IAB tuple is managed: the IAB API.
.PP
.BR cap_iab_init ()
returns an empty IAB value. That is a \fImostly-harmless\fP tuple. It
-will not block and capabilities through exec, but it won't bestow any
-either. The returned cap_iab_t should be freed with
+will not block any Permitted file capabilities through exec, but it
+won't bestow any either. The returned \fIcap_iab_t\fP should be freed
+with
+.BR cap_free (3).
+.sp
+.BR cap_iab_dup ()
+returns a copy of the specified IAB value. The returned cap_iab_t
+should be freed with
.BR cap_free (3).
.sp
.BR cap_iab_get_proc ()
@@ -75,31 +79,41 @@ returns a copy of the IAB value for the current process. The returned
cap_iab_t should be freed with
.BR cap_free (3).
.sp
+.BR cap_iab_get_pid ()
+returns a copy of the IAB value for the specified process. The returned
+cap_iab_t should be freed with
+.BR cap_free (3).
+This function defaults to searching
+.BR /proc/ <PID> /status
+for the IAB information, but that location can be overridden using the
+.BR cap_proc_root ()
+function.
+.sp
.BR cap_iab_set_proc ()
can be used to set the IAB value carried by the current process. Such
a setting will fail if the process is insufficiently capable. The
-process requires CAP_SETPCAP and a superset of P values over the A and
-I vectors.
+process requires CAP_SETPCAP raised in the E flag and a superset of P
+and I values over those in the A vectors.
.sp
.BR cap_iab_to_text ()
-will convert an IAB set to a canonical text representation. The
+will convert an IAB tuple to a canonical text representation. The
representation is slightly redundant but libcap will try to generate
as short a representation as it is able.
.sp
.BR cap_iab_from_text ()
-generates an IAB set from a text string (likely generated by the
-previous function). The returned IAB set should be freed with
+generates an IAB tuple from a text string (likely generated by the
+previous function). The returned IAB tuple should be freed with
.BR cap_free (3).
.sp
The text format accepted by
.BR cap_iab_from_text ()
is a comma separated list of capability values. Each capability is
-prefixed by nothing (or %) (Inh); ! (Bound); ^ (Amb). Or, some
-combination thereof. Since the Amb vector is constrained to be no
-greater than the Inh set, ^ is equivalent to %^. Further, unless B is
-non-zero, % can be omitted. The following are legal text
-representations: "!%cap_chown" (Bound but Inh),
-"!cap_setuid,^cap_chown" (Bound, Inh+Amb). "cap_setuid,!cap_chown"
+prefixed by nothing (or %) (Inh); ! (Bound, but think Blocked); ^
+(Amb). Or, some combination thereof. Since the Amb vector is
+constrained to be no greater than the Inh vector, ^ is equivalent to
+%^. Further, unless B is non-zero, % can be omitted. The following are
+legal text representations: "!%cap_chown" (Bound but Inh),
+"!cap_chown,^cap_chown" (Bound, Inh+Amb). "cap_setuid,!cap_chown"
(Inh, Bound). As noted above, this text representation is the syntax
for the \fIpam_cap.so\fP config file.
.sp
@@ -107,14 +121,35 @@ for the \fIpam_cap.so\fP config file.
can be used to determine the specific capability value of an IAB
vector.
.sp
+.BR cap_iab_compare ()
+can be used to compare two cap_iab_t tuples. When the return value is
+non-zero, the macro \fBCAP_IAB_DIFFERS\fR(\fIstatus\fR, \fIvector\fR)
+evaluates to non-zero if the returned status differs in its
+.I vector
+components.
+.sp
.BR cap_iab_set_vector ()
can be used to set a specific vector value to the enable setting.
+.sp
.BR cap_iab_fill ()
can be used to wholesale copy a cap_t flag value into the vec vector
-of the IAB set. Copying into Amb in this way may implicitly raise Inh
-values in the IAB set. Similarly copying into the Inh vector may
+of the IAB tuple. Copying into Amb in this way may implicitly raise Inh
+values in the IAB tuple. Similarly copying into the Inh vector may
implicitly lower Amb values that are not present in the resulting Inh
vector.
+.sp
+.BR cap_proc_root ()
+can be used to determine the current location queried by
+.BR cap_iab_get_pid ().
+Returned values should be released with
+.BR cap_free (3).
+If the argument to
+.BR cap_proc_root ()
+is not \fBNULL\fP, a copy of it will become the replacement for
+.BR /proc .
+Note, this function is \fInot\fP thread safe with respect to
+concurrent calls to
+.BR cap_iab_get_pid ().
.SH "ERRORS"
The functions returning \fIcap_iab_t\fP values or allocated memory in
the form of a string return NULL on error.
@@ -125,10 +160,10 @@ In the case of error consult \fIerrno\fP.
.SH "NOTES"
.PP
Unlike the traditional \fIcap_t\fP capability set, the
-IAB set, taken together, is incompatible with filesystem capabilities
+IAB tuple, taken together, is incompatible with filesystem capabilities
created via tools like
.BR setcap (8).
-That is, the Amb vector of the IAB set is rendered moot when an
+That is, the Amb vector of the IAB tuple is rendered moot when an
executable with a file capability is executed.
.PP
Further, there are libcap
@@ -142,19 +177,22 @@ developed as the configuration syntax for the \fIpam_cap.so\fP
Linux-PAM module in libcap-2.29. It was introduced to extend the
\fIsimple\fP comma separated list of process Inheritable capabilities,
that the module could besow on an authenticated process tree, to
-include enforced limits on the Bounding set and introduce support for
-the Amibient set of capability bits.
+include enforced limits on the Bounding vector and introduce support
+for the Amibient vector of capability bits.
-While the Inheritable and Bounding sets were anticipated by the
-POSIX.1e draft that introduced capabilities, the Ambient set is a
+While the Inheritable and Bounding vectors were anticipated by the
+POSIX.1e draft that introduced capabilities, the Ambient vector is a
Linux invention, and incompatible with the POSIX.1e file capability
model. As such, it was felt that trying to meld together all of the 5
capability vectors into one text representation was not going to
work. Instead the \fIpam_cap.so\fP config syntax was generalized into
a whole set of libcap functions for bundling together all three
-naively inheritable capabilities: the IAB set. The support for this
+naively inheritable capabilities: the IAB tuple. The support for this
debuted in libcap-2.33.
-
+.SH "REPORTING BUGS"
+Please report bugs via:
+.TP
+https://bugzilla.kernel.org/buglist.cgi?component=libcap&list_id=1090757
.SH "SEE ALSO"
.BR libcap (3),
.BR cap_launch (3),
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-11 09:35:57 +0000