diff options
Diffstat (limited to 'vendor/rustix/src/thread/prctl.rs')
| -rw-r--r-- | vendor/rustix/src/thread/prctl.rs | 459 |
1 files changed, 226 insertions, 233 deletions
diff --git a/vendor/rustix/src/thread/prctl.rs b/vendor/rustix/src/thread/prctl.rs index a2191f7c3..f1ddf7d36 100644 --- a/vendor/rustix/src/thread/prctl.rs +++ b/vendor/rustix/src/thread/prctl.rs @@ -1,3 +1,12 @@ +//! Linux `prctl` wrappers. +//! +//! Rustix wraps variadic/dynamic-dispatch functions like `prctl` in +//! type-safe wrappers. +//! +//! # Safety +//! +//! The inner `prctl` calls are dynamically typed and must be called +//! correctly. #![allow(unsafe_code)] use core::convert::TryFrom; @@ -27,7 +36,7 @@ const PR_GET_KEEPCAPS: c_int = 7; /// Get the current state of the calling thread's `keep capabilities` flag. /// /// # References -/// - [`prctl(PR_GET_KEEPCAPS,...)`] +/// - [`prctl(PR_GET_KEEPCAPS,...)`] /// /// [`prctl(PR_GET_KEEPCAPS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -40,7 +49,7 @@ const PR_SET_KEEPCAPS: c_int = 8; /// Set the state of the calling thread's `keep capabilities` flag. /// /// # References -/// - [`prctl(PR_SET_KEEPCAPS,...)`] +/// - [`prctl(PR_SET_KEEPCAPS,...)`] /// /// [`prctl(PR_SET_KEEPCAPS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -57,7 +66,7 @@ const PR_GET_NAME: c_int = 16; /// Get the name of the calling thread. /// /// # References -/// - [`prctl(PR_GET_NAME,...)`] +/// - [`prctl(PR_GET_NAME,...)`] /// /// [`prctl(PR_GET_NAME,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -74,7 +83,7 @@ const PR_SET_NAME: c_int = 15; /// Set the name of the calling thread. /// /// # References -/// - [`prctl(PR_SET_NAME,...)`] +/// - [`prctl(PR_SET_NAME,...)`] /// /// [`prctl(PR_SET_NAME,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -131,7 +140,7 @@ impl TryFrom<i32> for SecureComputingMode { /// of obtaining the same information, without the risk that the process is killed; see `proc(5)`. /// /// # References -/// - [`prctl(PR_GET_SECCOMP,...)`] +/// - [`prctl(PR_GET_SECCOMP,...)`] /// /// [`prctl(PR_GET_SECCOMP,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -142,10 +151,11 @@ pub fn secure_computing_mode() -> io::Result<SecureComputingMode> { const PR_SET_SECCOMP: c_int = 22; -/// Set the secure computing mode for the calling thread, to limit the available system calls. +/// Set the secure computing mode for the calling thread, to limit the +/// available system calls. /// /// # References -/// - [`prctl(PR_SET_SECCOMP,...)`] +/// - [`prctl(PR_SET_SECCOMP,...)`] /// /// [`prctl(PR_SET_SECCOMP,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -159,249 +169,234 @@ pub fn set_secure_computing_mode(mode: SecureComputingMode) -> io::Result<()> { const PR_CAPBSET_READ: c_int = 23; -const CAP_CHOWN: u32 = 0; -const CAP_DAC_OVERRIDE: u32 = 1; -const CAP_DAC_READ_SEARCH: u32 = 2; -const CAP_FOWNER: u32 = 3; -const CAP_FSETID: u32 = 4; -const CAP_KILL: u32 = 5; -const CAP_SETGID: u32 = 6; -const CAP_SETUID: u32 = 7; -const CAP_SETPCAP: u32 = 8; -const CAP_LINUX_IMMUTABLE: u32 = 9; -const CAP_NET_BIND_SERVICE: u32 = 10; -const CAP_NET_BROADCAST: u32 = 11; -const CAP_NET_ADMIN: u32 = 12; -const CAP_NET_RAW: u32 = 13; -const CAP_IPC_LOCK: u32 = 14; -const CAP_IPC_OWNER: u32 = 15; -const CAP_SYS_MODULE: u32 = 16; -const CAP_SYS_RAWIO: u32 = 17; -const CAP_SYS_CHROOT: u32 = 18; -const CAP_SYS_PTRACE: u32 = 19; -const CAP_SYS_PACCT: u32 = 20; -const CAP_SYS_ADMIN: u32 = 21; -const CAP_SYS_BOOT: u32 = 22; -const CAP_SYS_NICE: u32 = 23; -const CAP_SYS_RESOURCE: u32 = 24; -const CAP_SYS_TIME: u32 = 25; -const CAP_SYS_TTY_CONFIG: u32 = 26; -const CAP_MKNOD: u32 = 27; -const CAP_LEASE: u32 = 28; -const CAP_AUDIT_WRITE: u32 = 29; -const CAP_AUDIT_CONTROL: u32 = 30; -const CAP_SETFCAP: u32 = 31; -const CAP_MAC_OVERRIDE: u32 = 32; -const CAP_MAC_ADMIN: u32 = 33; -const CAP_SYSLOG: u32 = 34; -const CAP_WAKE_ALARM: u32 = 35; -const CAP_BLOCK_SUSPEND: u32 = 36; -const CAP_AUDIT_READ: u32 = 37; -const CAP_PERFMON: u32 = 38; -const CAP_BPF: u32 = 39; -const CAP_CHECKPOINT_RESTORE: u32 = 40; - /// Linux per-thread capability. #[derive(Copy, Clone, Debug, Eq, PartialEq)] #[repr(u32)] pub enum Capability { - /// In a system with the `_POSIX_CHOWN_RESTRICTED` option defined, this overrides - /// the restriction of changing file ownership and group ownership. - ChangeOwnership = CAP_CHOWN, - /// Override all DAC access, including ACL execute access if `_POSIX_ACL` is defined. + /// In a system with the `_POSIX_CHOWN_RESTRICTED` option defined, this + /// overrides the restriction of changing file ownership and group + /// ownership. + ChangeOwnership = linux_raw_sys::general::CAP_CHOWN, + /// Override all DAC access, including ACL execute access if `_POSIX_ACL` + /// is defined. Excluding DAC access covered by + /// [`Capability::LinuxImmutable`]. + DACOverride = linux_raw_sys::general::CAP_DAC_OVERRIDE, + /// Overrides all DAC restrictions regarding read and search on files and + /// directories, including ACL restrictions if `_POSIX_ACL` is defined. /// Excluding DAC access covered by [`Capability::LinuxImmutable`]. - DACOverride = CAP_DAC_OVERRIDE, - /// Overrides all DAC restrictions regarding read and search on files and directories, - /// including ACL restrictions if `_POSIX_ACL` is defined. Excluding DAC access covered - /// by [`Capability::LinuxImmutable`]. - DACReadSearch = CAP_DAC_READ_SEARCH, - /// Overrides all restrictions about allowed operations on files, where file owner ID must be - /// equal to the user ID, except where [`Capability::FileSetID`] is applicable. - /// It doesn't override MAC and DAC restrictions. - FileOwner = CAP_FOWNER, - /// Overrides the following restrictions that the effective user ID shall match the file owner - /// ID when setting the `S_ISUID` and `S_ISGID` bits on that file; that the effective group ID - /// (or one of the supplementary group IDs) shall match the file owner ID when setting the - /// `S_ISGID` bit on that file; that the `S_ISUID` and `S_ISGID` bits are cleared on successful - /// return from `chown` (not implemented). - FileSetID = CAP_FSETID, - /// Overrides the restriction that the real or effective user ID of a process sending a signal - /// must match the real or effective user ID of the process receiving the signal. - Kill = CAP_KILL, - /// Allows `setgid` manipulation. Allows `setgroups`. Allows forged gids on socket - /// credentials passing. - SetGroupID = CAP_SETGID, - /// Allows `set*uid` manipulation (including fsuid). Allows forged pids on socket - /// credentials passing. - SetUserID = CAP_SETUID, + DACReadSearch = linux_raw_sys::general::CAP_DAC_READ_SEARCH, + /// Overrides all restrictions about allowed operations on files, where + /// file owner ID must be equal to the user ID, except where + /// [`Capability::FileSetID`] is applicable. It doesn't override MAC + /// and DAC restrictions. + FileOwner = linux_raw_sys::general::CAP_FOWNER, + /// Overrides the following restrictions that the effective user ID shall + /// match the file owner ID when setting the `S_ISUID` and `S_ISGID` + /// bits on that file; that the effective group ID (or one of the + /// supplementary group IDs) shall match the file owner ID when setting the + /// `S_ISGID` bit on that file; that the `S_ISUID` and `S_ISGID` bits are + /// cleared on successful return from `chown` (not implemented). + FileSetID = linux_raw_sys::general::CAP_FSETID, + /// Overrides the restriction that the real or effective user ID of a + /// process sending a signal must match the real or effective user ID + /// of the process receiving the signal. + Kill = linux_raw_sys::general::CAP_KILL, + /// Allows `setgid` manipulation. Allows `setgroups`. Allows forged gids on + /// socket credentials passing. + SetGroupID = linux_raw_sys::general::CAP_SETGID, + /// Allows `set*uid` manipulation (including fsuid). Allows forged pids on + /// socket credentials passing. + SetUserID = linux_raw_sys::general::CAP_SETUID, /// Without VFS support for capabilities: - /// - Transfer any capability in your permitted set to any pid. - /// - remove any capability in your permitted set from any pid. - /// With VFS support for capabilities (neither of above, but) - /// - Add any capability from current's capability bounding set to the current process' - /// inheritable set. - /// - Allow taking bits out of capability bounding set. - /// - Allow modification of the securebits for a process. - SetPermittedCapabilities = CAP_SETPCAP, + /// - Transfer any capability in your permitted set to any pid. + /// - remove any capability in your permitted set from any pid. With VFS + /// support for capabilities (neither of above, but) + /// - Add any capability from current's capability bounding set to the + /// current process' inheritable set. + /// - Allow taking bits out of capability bounding set. + /// - Allow modification of the securebits for a process. + SetPermittedCapabilities = linux_raw_sys::general::CAP_SETPCAP, /// Allow modification of `S_IMMUTABLE` and `S_APPEND` file attributes. - LinuxImmutable = CAP_LINUX_IMMUTABLE, - /// Allows binding to TCP/UDP sockets below 1024. Allows binding to ATM VCIs below 32. - NetBindService = CAP_NET_BIND_SERVICE, + LinuxImmutable = linux_raw_sys::general::CAP_LINUX_IMMUTABLE, + /// Allows binding to TCP/UDP sockets below 1024. Allows binding to ATM + /// VCIs below 32. + NetBindService = linux_raw_sys::general::CAP_NET_BIND_SERVICE, /// Allow broadcasting, listen to multicast. - NetBroadcast = CAP_NET_BROADCAST, - /// Allow interface configuration. Allow administration of IP firewall, masquerading and - /// accounting. Allow setting debug option on sockets. Allow modification of routing tables. - /// Allow setting arbitrary process / process group ownership on sockets. Allow binding to any - /// address for transparent proxying (also via [`Capability::NetRaw`]). Allow setting TOS - /// (type of service). Allow setting promiscuous mode. Allow clearing driver statistics. - /// Allow multicasting. Allow read/write of device-specific registers. Allow activation of ATM + NetBroadcast = linux_raw_sys::general::CAP_NET_BROADCAST, + /// Allow interface configuration. Allow administration of IP firewall, + /// masquerading and accounting. Allow setting debug option on sockets. + /// Allow modification of routing tables. Allow setting arbitrary + /// process / process group ownership on sockets. Allow binding to any + /// address for transparent proxying (also via [`Capability::NetRaw`]). + /// Allow setting TOS (type of service). Allow setting promiscuous + /// mode. Allow clearing driver statistics. Allow multicasting. Allow + /// read/write of device-specific registers. Allow activation of ATM /// control sockets. - NetAdmin = CAP_NET_ADMIN, - /// Allow use of `RAW` sockets. Allow use of `PACKET` sockets. Allow binding to any address for - /// transparent proxying (also via [`Capability::NetAdmin`]). - NetRaw = CAP_NET_RAW, - /// Allow locking of shared memory segments. Allow mlock and mlockall (which doesn't really have - /// anything to do with IPC). - IPCLock = CAP_IPC_LOCK, + NetAdmin = linux_raw_sys::general::CAP_NET_ADMIN, + /// Allow use of `RAW` sockets. Allow use of `PACKET` sockets. Allow + /// binding to any address for transparent proxying (also via + /// [`Capability::NetAdmin`]). + NetRaw = linux_raw_sys::general::CAP_NET_RAW, + /// Allow locking of shared memory segments. Allow mlock and mlockall + /// (which doesn't really have anything to do with IPC). + IPCLock = linux_raw_sys::general::CAP_IPC_LOCK, /// Override IPC ownership checks. - IPCOwner = CAP_IPC_OWNER, + IPCOwner = linux_raw_sys::general::CAP_IPC_OWNER, /// Insert and remove kernel modules - modify kernel without limit. - SystemModule = CAP_SYS_MODULE, - /// Allow ioperm/iopl access. Allow sending USB messages to any device via `/dev/bus/usb`. - SystemRawIO = CAP_SYS_RAWIO, + SystemModule = linux_raw_sys::general::CAP_SYS_MODULE, + /// Allow ioperm/iopl access. Allow sending USB messages to any device via + /// `/dev/bus/usb`. + SystemRawIO = linux_raw_sys::general::CAP_SYS_RAWIO, /// Allow use of `chroot`. - SystemChangeRoot = CAP_SYS_CHROOT, + SystemChangeRoot = linux_raw_sys::general::CAP_SYS_CHROOT, /// Allow `ptrace` of any process. - SystemProcessTrace = CAP_SYS_PTRACE, + SystemProcessTrace = linux_raw_sys::general::CAP_SYS_PTRACE, /// Allow configuration of process accounting. - SystemProcessAccounting = CAP_SYS_PACCT, - /// Allow configuration of the secure attention key. Allow administration of the random device. - /// Allow examination and configuration of disk quotas. Allow setting the domainname. - /// Allow setting the hostname. Allow `mount` and `umount`, setting up new smb connection. - /// Allow some autofs root ioctls. Allow nfsservctl. Allow `VM86_REQUEST_IRQ`. - /// Allow to read/write pci config on alpha. Allow `irix_prctl` on mips (setstacksize). - /// Allow flushing all cache on m68k (`sys_cacheflush`). Allow removing semaphores. - /// Used instead of [`Capability::ChangeOwnership`] to "chown" IPC message queues, semaphores - /// and shared memory. Allow locking/unlocking of shared memory segment. Allow turning swap - /// on/off. Allow forged pids on socket credentials passing. Allow setting readahead and - /// flushing buffers on block devices. Allow setting geometry in floppy driver. Allow turning - /// DMA on/off in `xd` driver. Allow administration of md devices (mostly the above, but some - /// extra ioctls). Allow tuning the ide driver. Allow access to the nvram device. Allow - /// administration of `apm_bios`, serial and bttv (TV) device. Allow manufacturer commands in - /// isdn CAPI support driver. Allow reading non-standardized portions of pci configuration - /// space. Allow DDI debug ioctl on sbpcd driver. Allow setting up serial ports. Allow sending - /// raw qic-117 commands. Allow enabling/disabling tagged queuing on SCSI controllers and - /// sending arbitrary SCSI commands. Allow setting encryption key on loopback filesystem. - /// Allow setting zone reclaim policy. Allow everything under - /// [`Capability::BerkeleyPacketFilters`] and [`Capability::PerformanceMonitoring`] for backward - /// compatibility. - SystemAdmin = CAP_SYS_ADMIN, + SystemProcessAccounting = linux_raw_sys::general::CAP_SYS_PACCT, + /// Allow configuration of the secure attention key. Allow administration + /// of the random device. Allow examination and configuration of disk + /// quotas. Allow setting the domainname. Allow setting the hostname. + /// Allow `mount` and `umount`, setting up new smb connection. + /// Allow some autofs root ioctls. Allow nfsservctl. Allow + /// `VM86_REQUEST_IRQ`. Allow to read/write pci config on alpha. Allow + /// `irix_prctl` on mips (setstacksize). Allow flushing all cache on + /// m68k (`sys_cacheflush`). Allow removing semaphores. Used instead of + /// [`Capability::ChangeOwnership`] to "chown" IPC message queues, + /// semaphores and shared memory. Allow locking/unlocking of shared + /// memory segment. Allow turning swap on/off. Allow forged pids on + /// socket credentials passing. Allow setting readahead and + /// flushing buffers on block devices. Allow setting geometry in floppy + /// driver. Allow turning DMA on/off in `xd` driver. Allow + /// administration of md devices (mostly the above, but some + /// extra ioctls). Allow tuning the ide driver. Allow access to the nvram + /// device. Allow administration of `apm_bios`, serial and bttv (TV) + /// device. Allow manufacturer commands in isdn CAPI support driver. + /// Allow reading non-standardized portions of pci configuration space. + /// Allow DDI debug ioctl on sbpcd driver. Allow setting up serial ports. + /// Allow sending raw qic-117 commands. Allow enabling/disabling tagged + /// queuing on SCSI controllers and sending arbitrary SCSI commands. + /// Allow setting encryption key on loopback filesystem. Allow setting + /// zone reclaim policy. Allow everything under + /// [`Capability::BerkeleyPacketFilters`] and + /// [`Capability::PerformanceMonitoring`] for backward compatibility. + SystemAdmin = linux_raw_sys::general::CAP_SYS_ADMIN, /// Allow use of `reboot`. - SystemBoot = CAP_SYS_BOOT, - /// Allow raising priority and setting priority on other (different UID) processes. Allow use of - /// FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling - /// algorithm used by another process. Allow setting cpu affinity on other processes. - /// Allow setting realtime ioprio class. Allow setting ioprio class on other processes. - SystemNice = CAP_SYS_NICE, - /// Override resource limits. Set resource limits. Override quota limits. Override reserved - /// space on ext2 filesystem. Modify data journaling mode on ext3 filesystem (uses journaling - /// resources). NOTE: ext2 honors fsuid when checking for resource overrides, so you can - /// override using fsuid too. Override size restrictions on IPC message queues. Allow more than - /// 64hz interrupts from the real-time clock. Override max number of consoles on console - /// allocation. Override max number of keymaps. Control memory reclaim behavior. - SystemResource = CAP_SYS_RESOURCE, - /// Allow manipulation of system clock. Allow `irix_stime` on mips. Allow setting the real-time - /// clock. - SystemTime = CAP_SYS_TIME, + SystemBoot = linux_raw_sys::general::CAP_SYS_BOOT, + /// Allow raising priority and setting priority on other (different UID) + /// processes. Allow use of FIFO and round-robin (realtime) scheduling + /// on own processes and setting the scheduling algorithm used by + /// another process. Allow setting cpu affinity on other processes. + /// Allow setting realtime ioprio class. Allow setting ioprio class on + /// other processes. + SystemNice = linux_raw_sys::general::CAP_SYS_NICE, + /// Override resource limits. Set resource limits. Override quota limits. + /// Override reserved space on ext2 filesystem. Modify data journaling + /// mode on ext3 filesystem (uses journaling resources). NOTE: ext2 + /// honors fsuid when checking for resource overrides, so you can + /// override using fsuid too. Override size restrictions on IPC message + /// queues. Allow more than 64hz interrupts from the real-time clock. + /// Override max number of consoles on console allocation. Override max + /// number of keymaps. Control memory reclaim behavior. + SystemResource = linux_raw_sys::general::CAP_SYS_RESOURCE, + /// Allow manipulation of system clock. Allow `irix_stime` on mips. Allow + /// setting the real-time clock. + SystemTime = linux_raw_sys::general::CAP_SYS_TIME, /// Allow configuration of tty devices. Allow `vhangup` of tty. - SystemTTYConfig = CAP_SYS_TTY_CONFIG, + SystemTTYConfig = linux_raw_sys::general::CAP_SYS_TTY_CONFIG, /// Allow the privileged aspects of `mknod`. - MakeNode = CAP_MKNOD, + MakeNode = linux_raw_sys::general::CAP_MKNOD, /// Allow taking of leases on files. - Lease = CAP_LEASE, + Lease = linux_raw_sys::general::CAP_LEASE, /// Allow writing the audit log via unicast netlink socket. - AuditWrite = CAP_AUDIT_WRITE, + AuditWrite = linux_raw_sys::general::CAP_AUDIT_WRITE, /// Allow configuration of audit via unicast netlink socket. - AuditControl = CAP_AUDIT_CONTROL, - /// Set or remove capabilities on files. Map `uid=0` into a child user namespace. - SetFileCapabilities = CAP_SETFCAP, - /// Override MAC access. The base kernel enforces no MAC policy. An LSM may enforce a MAC - /// policy, and if it does and it chooses to implement capability based overrides of that - /// policy, this is the capability it should use to do so. - MACOverride = CAP_MAC_OVERRIDE, - /// Allow MAC configuration or state changes. The base kernel requires no MAC configuration. - /// An LSM may enforce a MAC policy, and if it does and it chooses to implement capability based - /// checks on modifications to that policy or the data required to maintain it, this is the - /// capability it should use to do so. - MACAdmin = CAP_MAC_ADMIN, + AuditControl = linux_raw_sys::general::CAP_AUDIT_CONTROL, + /// Set or remove capabilities on files. Map `uid=0` into a child user + /// namespace. + SetFileCapabilities = linux_raw_sys::general::CAP_SETFCAP, + /// Override MAC access. The base kernel enforces no MAC policy. An LSM may + /// enforce a MAC policy, and if it does and it chooses to implement + /// capability based overrides of that policy, this is the capability + /// it should use to do so. + MACOverride = linux_raw_sys::general::CAP_MAC_OVERRIDE, + /// Allow MAC configuration or state changes. The base kernel requires no + /// MAC configuration. An LSM may enforce a MAC policy, and if it does + /// and it chooses to implement capability based + /// checks on modifications to that policy or the data required to maintain + /// it, this is the capability it should use to do so. + MACAdmin = linux_raw_sys::general::CAP_MAC_ADMIN, /// Allow configuring the kernel's `syslog` (`printk` behaviour). - SystemLog = CAP_SYSLOG, + SystemLog = linux_raw_sys::general::CAP_SYSLOG, /// Allow triggering something that will wake the system. - WakeAlarm = CAP_WAKE_ALARM, + WakeAlarm = linux_raw_sys::general::CAP_WAKE_ALARM, /// Allow preventing system suspends. - BlockSuspend = CAP_BLOCK_SUSPEND, + BlockSuspend = linux_raw_sys::general::CAP_BLOCK_SUSPEND, /// Allow reading the audit log via multicast netlink socket. - AuditRead = CAP_AUDIT_READ, - /// Allow system performance and observability privileged operations using `perf_events`, - /// `i915_perf` and other kernel subsystems. - PerformanceMonitoring = CAP_PERFMON, + AuditRead = linux_raw_sys::general::CAP_AUDIT_READ, + /// Allow system performance and observability privileged operations using + /// `perf_events`, `i915_perf` and other kernel subsystems. + PerformanceMonitoring = linux_raw_sys::general::CAP_PERFMON, /// This capability allows the following BPF operations: - /// - Creating all types of BPF maps - /// - Advanced verifier features - /// - Indirect variable access - /// - Bounded loops - /// - BPF to BPF function calls - /// - Scalar precision tracking - /// - Larger complexity limits - /// - Dead code elimination - /// - And potentially other features - /// - Loading BPF Type Format (BTF) data - /// - Retrieve `xlated` and JITed code of BPF programs - /// - Use `bpf_spin_lock` helper + /// - Creating all types of BPF maps + /// - Advanced verifier features + /// - Indirect variable access + /// - Bounded loops + /// - BPF to BPF function calls + /// - Scalar precision tracking + /// - Larger complexity limits + /// - Dead code elimination + /// - And potentially other features + /// - Loading BPF Type Format (BTF) data + /// - Retrieve `xlated` and JITed code of BPF programs + /// - Use `bpf_spin_lock` helper /// - /// [`Capability::PerformanceMonitoring`] relaxes the verifier checks further: - /// - BPF progs can use of pointer-to-integer conversions - /// - speculation attack hardening measures are bypassed - /// - `bpf_probe_read` to read arbitrary kernel memory is allowed - /// - `bpf_trace_printk` to print kernel memory is allowed + /// [`Capability::PerformanceMonitoring`] relaxes the verifier checks + /// further: + /// - BPF progs can use of pointer-to-integer conversions + /// - speculation attack hardening measures are bypassed + /// - `bpf_probe_read` to read arbitrary kernel memory is allowed + /// - `bpf_trace_printk` to print kernel memory is allowed /// /// [`Capability::SystemAdmin`] is required to use bpf_probe_write_user. /// /// [`Capability::SystemAdmin`] is required to iterate system wide loaded /// programs, maps, links, BTFs and convert their IDs to file descriptors. /// - /// [`Capability::PerformanceMonitoring`] and [`Capability::BerkeleyPacketFilters`] are required - /// to load tracing programs. - /// [`Capability::NetAdmin`] and [`Capability::BerkeleyPacketFilters`] are required to load + /// [`Capability::PerformanceMonitoring`] and + /// [`Capability::BerkeleyPacketFilters`] are required to load tracing + /// programs. [`Capability::NetAdmin`] and + /// [`Capability::BerkeleyPacketFilters`] are required to load /// networking programs. - BerkeleyPacketFilters = CAP_BPF, - /// Allow checkpoint/restore related operations. Allow PID selection during `clone3`. - /// Allow writing to `ns_last_pid`. - CheckpointRestore = CAP_CHECKPOINT_RESTORE, + BerkeleyPacketFilters = linux_raw_sys::general::CAP_BPF, + /// Allow checkpoint/restore related operations. Allow PID selection during + /// `clone3`. Allow writing to `ns_last_pid`. + CheckpointRestore = linux_raw_sys::general::CAP_CHECKPOINT_RESTORE, } -/// Check if the specified capability is in the calling thread's capability bounding set. +/// Check if the specified capability is in the calling thread's capability +/// bounding set. /// /// # References -/// - [`prctl(PR_CAPBSET_READ,...)`] +/// - [`prctl(PR_CAPBSET_READ,...)`] /// /// [`prctl(PR_CAPBSET_READ,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] -pub fn is_in_capability_bounding_set(capability: Capability) -> io::Result<bool> { +pub fn capability_is_in_bounding_set(capability: Capability) -> io::Result<bool> { unsafe { prctl_2args(PR_CAPBSET_READ, capability as usize as *mut _) }.map(|r| r != 0) } const PR_CAPBSET_DROP: c_int = 24; -/// If the calling thread has the [`Capability::SetPermittedCapabilities`] capability within its -/// user namespace, then drop the specified capability from the thread's capability bounding set. +/// If the calling thread has the [`Capability::SetPermittedCapabilities`] +/// capability within its user namespace, then drop the specified capability +/// from the thread's capability bounding set. /// /// # References -/// - [`prctl(PR_CAPBSET_DROP,...)`] +/// - [`prctl(PR_CAPBSET_DROP,...)`] /// /// [`prctl(PR_CAPBSET_DROP,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] -pub fn remove_capability_from_capability_bounding_set(capability: Capability) -> io::Result<()> { +pub fn remove_capability_from_bounding_set(capability: Capability) -> io::Result<()> { unsafe { prctl_2args(PR_CAPBSET_DROP, capability as usize as *mut _) }.map(|_r| ()) } @@ -442,7 +437,7 @@ bitflags! { /// Get the `securebits` flags of the calling thread. /// /// # References -/// - [`prctl(PR_GET_SECUREBITS,...)`] +/// - [`prctl(PR_GET_SECUREBITS,...)`] /// /// [`prctl(PR_GET_SECUREBITS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -456,7 +451,7 @@ const PR_SET_SECUREBITS: c_int = 28; /// Set the `securebits` flags of the calling thread. /// /// # References -/// - [`prctl(PR_SET_SECUREBITS,...)`] +/// - [`prctl(PR_SET_SECUREBITS,...)`] /// /// [`prctl(PR_SET_SECUREBITS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -473,7 +468,7 @@ const PR_GET_TIMERSLACK: c_int = 30; /// Get the `current` timer slack value of the calling thread. /// /// # References -/// - [`prctl(PR_GET_TIMERSLACK,...)`] +/// - [`prctl(PR_GET_TIMERSLACK,...)`] /// /// [`prctl(PR_GET_TIMERSLACK,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -486,7 +481,7 @@ const PR_SET_TIMERSLACK: c_int = 29; /// Sets the `current` timer slack value for the calling thread. /// /// # References -/// - [`prctl(PR_SET_TIMERSLACK,...)`] +/// - [`prctl(PR_SET_TIMERSLACK,...)`] /// /// [`prctl(PR_SET_TIMERSLACK,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -504,7 +499,7 @@ const PR_GET_NO_NEW_PRIVS: c_int = 39; /// Get the value of the `no_new_privs` attribute for the calling thread. /// /// # References -/// - [`prctl(PR_GET_NO_NEW_PRIVS,...)`] +/// - [`prctl(PR_GET_NO_NEW_PRIVS,...)`] /// /// [`prctl(PR_GET_NO_NEW_PRIVS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -517,7 +512,7 @@ const PR_SET_NO_NEW_PRIVS: c_int = 38; /// Set the calling thread's `no_new_privs` attribute. /// /// # References -/// - [`prctl(PR_SET_NO_NEW_PRIVS,...)`] +/// - [`prctl(PR_SET_NO_NEW_PRIVS,...)`] /// /// [`prctl(PR_SET_NO_NEW_PRIVS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -535,7 +530,7 @@ const PR_GET_TID_ADDRESS: c_int = 40; /// and `clone`'s `CLONE_CHILD_CLEARTID` flag. /// /// # References -/// - [`prctl(PR_GET_TID_ADDRESS,...)`] +/// - [`prctl(PR_GET_TID_ADDRESS,...)`] /// /// [`prctl(PR_GET_TID_ADDRESS,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -552,7 +547,7 @@ const PR_GET_THP_DISABLE: c_int = 42; /// Get the current setting of the `THP disable` flag for the calling thread. /// /// # References -/// - [`prctl(PR_GET_THP_DISABLE,...)`] +/// - [`prctl(PR_GET_THP_DISABLE,...)`] /// /// [`prctl(PR_GET_THP_DISABLE,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -565,7 +560,7 @@ const PR_SET_THP_DISABLE: c_int = 41; /// Set the state of the `THP disable` flag for the calling thread. /// /// # References -/// - [`prctl(PR_SET_THP_DISABLE,...)`] +/// - [`prctl(PR_SET_THP_DISABLE,...)`] /// /// [`prctl(PR_SET_THP_DISABLE,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -584,11 +579,11 @@ const PR_CAP_AMBIENT_IS_SET: usize = 1; /// Check if the specified capability is in the ambient set. /// /// # References -/// - [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_IS_SET,...)`] +/// - [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_IS_SET,...)`] /// /// [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_IS_SET,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] -pub fn capability_is_in_ambient_capability_set(capability: Capability) -> io::Result<bool> { +pub fn capability_is_in_ambient_set(capability: Capability) -> io::Result<bool> { let cap = capability as usize as *mut _; unsafe { prctl_3args(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET as *mut _, cap) }.map(|r| r != 0) } @@ -598,7 +593,7 @@ const PR_CAP_AMBIENT_CLEAR_ALL: usize = 4; /// Remove all capabilities from the ambient set. /// /// # References -/// - [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_CLEAR_ALL,...)`] +/// - [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_CLEAR_ALL,...)`] /// /// [`prctl(PR_CAP_AMBIENT,PR_CAP_AMBIENT_CLEAR_ALL,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -612,14 +607,11 @@ const PR_CAP_AMBIENT_LOWER: usize = 3; /// Add or remove the specified capability to the ambient set. /// /// # References -/// - [`prctl(PR_CAP_AMBIENT,...)`] +/// - [`prctl(PR_CAP_AMBIENT,...)`] /// /// [`prctl(PR_CAP_AMBIENT,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] -pub fn configure_capability_in_ambient_capability_set( - capability: Capability, - enable: bool, -) -> io::Result<()> { +pub fn configure_capability_in_ambient_set(capability: Capability, enable: bool) -> io::Result<()> { let sub_operation = if enable { PR_CAP_AMBIENT_RAISE } else { @@ -651,7 +643,7 @@ pub struct SVEVectorLengthConfig { /// Get the thread's current SVE vector length configuration. /// /// # References -/// - [`prctl(PR_SVE_GET_VL,...)`] +/// - [`prctl(PR_SVE_GET_VL,...)`] /// /// [`prctl(PR_SVE_GET_VL,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -670,7 +662,7 @@ const PR_SVE_SET_VL_ONEXEC: u32 = 1_u32 << 18; /// Configure the thread's vector length of Scalable Vector Extension. /// /// # References -/// - [`prctl(PR_SVE_SET_VL,...)`] +/// - [`prctl(PR_SVE_SET_VL,...)`] /// /// # Safety /// @@ -706,11 +698,11 @@ pub unsafe fn set_sve_vector_length_configuration( const PR_PAC_RESET_KEYS: c_int = 54; -/// Securely reset the thread's pointer authentication keys to fresh random values generated -/// by the kernel. +/// Securely reset the thread's pointer authentication keys to fresh random +/// values generated by the kernel. /// /// # References -/// - [`prctl(PR_PAC_RESET_KEYS,...)`] +/// - [`prctl(PR_PAC_RESET_KEYS,...)`] /// /// # Safety /// @@ -750,7 +742,7 @@ bitflags! { /// Get the current tagged address mode for the calling thread. /// /// # References -/// - [`prctl(PR_GET_TAGGED_ADDR_CTRL,...)`] +/// - [`prctl(PR_GET_TAGGED_ADDR_CTRL,...)`] /// /// [`prctl(PR_GET_TAGGED_ADDR_CTRL,...)`]: https://man7.org/linux/man-pages/man2/prctl.2.html #[inline] @@ -766,7 +758,7 @@ const PR_SET_TAGGED_ADDR_CTRL: c_int = 55; /// Controls support for passing tagged user-space addresses to the kernel. /// /// # References -/// - [`prctl(PR_SET_TAGGED_ADDR_CTRL,...)`] +/// - [`prctl(PR_SET_TAGGED_ADDR_CTRL,...)`] /// /// # Safety /// @@ -795,7 +787,7 @@ const PR_SYS_DISPATCH_OFF: usize = 0; /// Disable Syscall User Dispatch mechanism. /// /// # References -/// - [`prctl(PR_SET_SYSCALL_USER_DISPATCH,PR_SYS_DISPATCH_OFF,...)`] +/// - [`prctl(PR_SET_SYSCALL_USER_DISPATCH,PR_SYS_DISPATCH_OFF,...)`] /// /// # Safety /// @@ -815,8 +807,8 @@ const SYSCALL_DISPATCH_FILTER_ALLOW: u8 = 0; /// Block system calls from executing. const SYSCALL_DISPATCH_FILTER_BLOCK: u8 = 1; -/// Value of the fast switch flag controlling system calls user dispatch mechanism without the need -/// to issue a syscall. +/// Value of the fast switch flag controlling system calls user dispatch +/// mechanism without the need to issue a syscall. #[derive(Copy, Clone, Debug, Eq, PartialEq)] #[repr(u8)] pub enum SysCallUserDispatchFastSwitch { @@ -841,7 +833,7 @@ impl TryFrom<u8> for SysCallUserDispatchFastSwitch { /// Enable Syscall User Dispatch mechanism. /// /// # References -/// - [`prctl(PR_SET_SYSCALL_USER_DISPATCH,PR_SYS_DISPATCH_ON,...)`] +/// - [`prctl(PR_SET_SYSCALL_USER_DISPATCH,PR_SYS_DISPATCH_ON,...)`] /// /// # Safety /// @@ -882,7 +874,8 @@ const PR_SCHED_CORE_SCOPE_PROCESS_GROUP: u32 = 2; pub enum CoreSchedulingScope { /// Operation will be performed for the thread. Thread = PR_SCHED_CORE_SCOPE_THREAD, - /// Operation will be performed for all tasks in the task group of the process. + /// Operation will be performed for all tasks in the task group of the + /// process. ThreadGroup = PR_SCHED_CORE_SCOPE_THREAD_GROUP, /// Operation will be performed for all processes in the process group. ProcessGroup = PR_SCHED_CORE_SCOPE_PROCESS_GROUP, @@ -904,7 +897,7 @@ impl TryFrom<u32> for CoreSchedulingScope { /// Get core scheduling cookie of a process. /// /// # References -/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_GET,...)`] +/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_GET,...)`] /// /// [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_GET,...)`]: https://www.kernel.org/doc/html/v5.18/admin-guide/hw-vuln/core-scheduling.html #[inline] @@ -927,7 +920,7 @@ const PR_SCHED_CORE_CREATE: usize = 1; /// Create unique core scheduling cookie. /// /// # References -/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_CREATE,...)`] +/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_CREATE,...)`] /// /// [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_CREATE,...)`]: https://www.kernel.org/doc/html/v5.18/admin-guide/hw-vuln/core-scheduling.html #[inline] @@ -949,7 +942,7 @@ const PR_SCHED_CORE_SHARE_TO: usize = 2; /// Push core scheduling cookie to a process. /// /// # References -/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_TO,...)`] +/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_TO,...)`] /// /// [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_TO,...)`]: https://www.kernel.org/doc/html/v5.18/admin-guide/hw-vuln/core-scheduling.html #[inline] @@ -971,7 +964,7 @@ const PR_SCHED_CORE_SHARE_FROM: usize = 3; /// Pull core scheduling cookie from a process. /// /// # References -/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_FROM,...)`] +/// - [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_FROM,...)`] /// /// [`prctl(PR_SCHED_CORE,PR_SCHED_CORE_SHARE_FROM,...)`]: https://www.kernel.org/doc/html/v5.18/admin-guide/hw-vuln/core-scheduling.html #[inline] |