gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/pkg/sentry/kernel/task_identity.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package kernel
    16  
    17  import (
    18  	"gvisor.dev/gvisor/pkg/abi/linux"
    19  	"gvisor.dev/gvisor/pkg/errors/linuxerr"
    20  	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
    21  	"gvisor.dev/gvisor/pkg/sentry/mm"
    22  )
    23  
    24  // Credentials returns t's credentials.
    25  //
    26  // This value must be considered immutable.
    27  func (t *Task) Credentials() *auth.Credentials {
    28  	return t.creds.Load()
    29  }
    30  
    31  // UserNamespace returns the user namespace associated with the task.
    32  func (t *Task) UserNamespace() *auth.UserNamespace {
    33  	return t.Credentials().UserNamespace
    34  }
    35  
    36  // HasCapabilityIn checks if the task has capability cp in user namespace ns.
    37  func (t *Task) HasCapabilityIn(cp linux.Capability, ns *auth.UserNamespace) bool {
    38  	return t.Credentials().HasCapabilityIn(cp, ns)
    39  }
    40  
    41  // HasCapability checks if the task has capability cp in its user namespace.
    42  func (t *Task) HasCapability(cp linux.Capability) bool {
    43  	return t.Credentials().HasCapability(cp)
    44  }
    45  
    46  // SetUID implements the semantics of setuid(2).
    47  func (t *Task) SetUID(uid auth.UID) error {
    48  	// setuid considers -1 to be invalid.
    49  	if !uid.Ok() {
    50  		return linuxerr.EINVAL
    51  	}
    52  
    53  	t.mu.Lock()
    54  	defer t.mu.Unlock()
    55  
    56  	creds := t.Credentials()
    57  	kuid := creds.UserNamespace.MapToKUID(uid)
    58  	if !kuid.Ok() {
    59  		return linuxerr.EINVAL
    60  	}
    61  	// "setuid() sets the effective user ID of the calling process. If the
    62  	// effective UID of the caller is root (more precisely: if the caller has
    63  	// the CAP_SETUID capability), the real UID and saved set-user-ID are also
    64  	// set." - setuid(2)
    65  	if creds.HasCapability(linux.CAP_SETUID) {
    66  		t.setKUIDsUncheckedLocked(kuid, kuid, kuid)
    67  		return nil
    68  	}
    69  	// "EPERM: The user is not privileged (Linux: does not have the CAP_SETUID
    70  	// capability) and uid does not match the real UID or saved set-user-ID of
    71  	// the calling process."
    72  	if kuid != creds.RealKUID && kuid != creds.SavedKUID {
    73  		return linuxerr.EPERM
    74  	}
    75  	t.setKUIDsUncheckedLocked(creds.RealKUID, kuid, creds.SavedKUID)
    76  	return nil
    77  }
    78  
    79  // SetREUID implements the semantics of setreuid(2).
    80  func (t *Task) SetREUID(r, e auth.UID) error {
    81  	t.mu.Lock()
    82  	defer t.mu.Unlock()
    83  	// "Supplying a value of -1 for either the real or effective user ID forces
    84  	// the system to leave that ID unchanged." - setreuid(2)
    85  	creds := t.Credentials()
    86  	newR := creds.RealKUID
    87  	if r.Ok() {
    88  		newR = creds.UserNamespace.MapToKUID(r)
    89  		if !newR.Ok() {
    90  			return linuxerr.EINVAL
    91  		}
    92  	}
    93  	newE := creds.EffectiveKUID
    94  	if e.Ok() {
    95  		newE = creds.UserNamespace.MapToKUID(e)
    96  		if !newE.Ok() {
    97  			return linuxerr.EINVAL
    98  		}
    99  	}
   100  	if !creds.HasCapability(linux.CAP_SETUID) {
   101  		// "Unprivileged processes may only set the effective user ID to the
   102  		// real user ID, the effective user ID, or the saved set-user-ID."
   103  		if newE != creds.RealKUID && newE != creds.EffectiveKUID && newE != creds.SavedKUID {
   104  			return linuxerr.EPERM
   105  		}
   106  		// "Unprivileged users may only set the real user ID to the real user
   107  		// ID or the effective user ID."
   108  		if newR != creds.RealKUID && newR != creds.EffectiveKUID {
   109  			return linuxerr.EPERM
   110  		}
   111  	}
   112  	// "If the real user ID is set (i.e., ruid is not -1) or the effective user
   113  	// ID is set to a value not equal to the previous real user ID, the saved
   114  	// set-user-ID will be set to the new effective user ID."
   115  	newS := creds.SavedKUID
   116  	if r.Ok() || (e.Ok() && newE != creds.EffectiveKUID) {
   117  		newS = newE
   118  	}
   119  	t.setKUIDsUncheckedLocked(newR, newE, newS)
   120  	return nil
   121  }
   122  
   123  // SetRESUID implements the semantics of the setresuid(2) syscall.
   124  func (t *Task) SetRESUID(r, e, s auth.UID) error {
   125  	t.mu.Lock()
   126  	defer t.mu.Unlock()
   127  	// "Unprivileged user processes may change the real UID, effective UID, and
   128  	// saved set-user-ID, each to one of: the current real UID, the current
   129  	// effective UID or the current saved set-user-ID. Privileged processes (on
   130  	// Linux, those having the CAP_SETUID capability) may set the real UID,
   131  	// effective UID, and saved set-user-ID to arbitrary values. If one of the
   132  	// arguments equals -1, the corresponding value is not changed." -
   133  	// setresuid(2)
   134  	var err error
   135  	creds := t.Credentials()
   136  	newR := creds.RealKUID
   137  	if r.Ok() {
   138  		newR, err = creds.UseUID(r)
   139  		if err != nil {
   140  			return err
   141  		}
   142  	}
   143  	newE := creds.EffectiveKUID
   144  	if e.Ok() {
   145  		newE, err = creds.UseUID(e)
   146  		if err != nil {
   147  			return err
   148  		}
   149  	}
   150  	newS := creds.SavedKUID
   151  	if s.Ok() {
   152  		newS, err = creds.UseUID(s)
   153  		if err != nil {
   154  			return err
   155  		}
   156  	}
   157  	t.setKUIDsUncheckedLocked(newR, newE, newS)
   158  	return nil
   159  }
   160  
   161  // Preconditions: t.mu must be locked.
   162  func (t *Task) setKUIDsUncheckedLocked(newR, newE, newS auth.KUID) {
   163  	creds := t.Credentials().Fork() // The credentials object is immutable. See doc for creds.
   164  	root := creds.UserNamespace.MapToKUID(auth.RootUID)
   165  	oldR, oldE, oldS := creds.RealKUID, creds.EffectiveKUID, creds.SavedKUID
   166  	creds.RealKUID, creds.EffectiveKUID, creds.SavedKUID = newR, newE, newS
   167  
   168  	// "1. If one or more of the real, effective or saved set user IDs was
   169  	// previously 0, and as a result of the UID changes all of these IDs have a
   170  	// nonzero value, then all capabilities are cleared from the permitted and
   171  	// effective capability sets." - capabilities(7)
   172  	if (oldR == root || oldE == root || oldS == root) && (newR != root && newE != root && newS != root) {
   173  		// prctl(2): "PR_SET_KEEPCAP: Set the state of the calling thread's
   174  		// "keep capabilities" flag, which determines whether the thread's permitted
   175  		// capability set is cleared when a change is made to the
   176  		// thread's user IDs such that the thread's real UID, effective
   177  		// UID, and saved set-user-ID all become nonzero when at least
   178  		// one of them previously had the value 0.  By default, the
   179  		// permitted capability set is cleared when such a change is
   180  		// made; setting the "keep capabilities" flag prevents it from
   181  		// being cleared." (A thread's effective capability set is always
   182  		// cleared when such a credential change is made,
   183  		// regardless of the setting of the "keep capabilities" flag.)
   184  		if !creds.KeepCaps {
   185  			creds.PermittedCaps = 0
   186  			creds.EffectiveCaps = 0
   187  		}
   188  	}
   189  	// """
   190  	// 2. If the effective user ID is changed from 0 to nonzero, then all
   191  	// capabilities are cleared from the effective set.
   192  	//
   193  	// 3. If the effective user ID is changed from nonzero to 0, then the
   194  	// permitted set is copied to the effective set.
   195  	// """
   196  	if oldE == root && newE != root {
   197  		creds.EffectiveCaps = 0
   198  	} else if oldE != root && newE == root {
   199  		creds.EffectiveCaps = creds.PermittedCaps
   200  	}
   201  	// "4. If the filesystem user ID is changed from 0 to nonzero (see
   202  	// setfsuid(2)), then the following capabilities are cleared from the
   203  	// effective set: ..."
   204  	// (filesystem UIDs aren't implemented, nor are any of the capabilities in
   205  	// question)
   206  
   207  	if oldE != newE {
   208  		// "[dumpability] is reset to the current value contained in
   209  		// the file /proc/sys/fs/suid_dumpable (which by default has
   210  		// the value 0), in the following circumstances: The process's
   211  		// effective user or group ID is changed." - prctl(2)
   212  		//
   213  		// (suid_dumpable isn't implemented, so we just use the
   214  		// default.
   215  		t.MemoryManager().SetDumpability(mm.NotDumpable)
   216  
   217  		// Not documented, but compare Linux's kernel/cred.c:commit_creds().
   218  		t.parentDeathSignal = 0
   219  	}
   220  	t.creds.Store(creds)
   221  }
   222  
   223  // SetGID implements the semantics of setgid(2).
   224  func (t *Task) SetGID(gid auth.GID) error {
   225  	if !gid.Ok() {
   226  		return linuxerr.EINVAL
   227  	}
   228  
   229  	t.mu.Lock()
   230  	defer t.mu.Unlock()
   231  
   232  	creds := t.Credentials()
   233  	kgid := creds.UserNamespace.MapToKGID(gid)
   234  	if !kgid.Ok() {
   235  		return linuxerr.EINVAL
   236  	}
   237  	if creds.HasCapability(linux.CAP_SETGID) {
   238  		t.setKGIDsUncheckedLocked(kgid, kgid, kgid)
   239  		return nil
   240  	}
   241  	if kgid != creds.RealKGID && kgid != creds.SavedKGID {
   242  		return linuxerr.EPERM
   243  	}
   244  	t.setKGIDsUncheckedLocked(creds.RealKGID, kgid, creds.SavedKGID)
   245  	return nil
   246  }
   247  
   248  // SetREGID implements the semantics of setregid(2).
   249  func (t *Task) SetREGID(r, e auth.GID) error {
   250  	t.mu.Lock()
   251  	defer t.mu.Unlock()
   252  
   253  	creds := t.Credentials()
   254  	newR := creds.RealKGID
   255  	if r.Ok() {
   256  		newR = creds.UserNamespace.MapToKGID(r)
   257  		if !newR.Ok() {
   258  			return linuxerr.EINVAL
   259  		}
   260  	}
   261  	newE := creds.EffectiveKGID
   262  	if e.Ok() {
   263  		newE = creds.UserNamespace.MapToKGID(e)
   264  		if !newE.Ok() {
   265  			return linuxerr.EINVAL
   266  		}
   267  	}
   268  	if !creds.HasCapability(linux.CAP_SETGID) {
   269  		if newE != creds.RealKGID && newE != creds.EffectiveKGID && newE != creds.SavedKGID {
   270  			return linuxerr.EPERM
   271  		}
   272  		if newR != creds.RealKGID && newR != creds.EffectiveKGID {
   273  			return linuxerr.EPERM
   274  		}
   275  	}
   276  	newS := creds.SavedKGID
   277  	if r.Ok() || (e.Ok() && newE != creds.EffectiveKGID) {
   278  		newS = newE
   279  	}
   280  	t.setKGIDsUncheckedLocked(newR, newE, newS)
   281  	return nil
   282  }
   283  
   284  // SetRESGID implements the semantics of the setresgid(2) syscall.
   285  func (t *Task) SetRESGID(r, e, s auth.GID) error {
   286  	var err error
   287  
   288  	t.mu.Lock()
   289  	defer t.mu.Unlock()
   290  
   291  	creds := t.Credentials()
   292  	newR := creds.RealKGID
   293  	if r.Ok() {
   294  		newR, err = creds.UseGID(r)
   295  		if err != nil {
   296  			return err
   297  		}
   298  	}
   299  	newE := creds.EffectiveKGID
   300  	if e.Ok() {
   301  		newE, err = creds.UseGID(e)
   302  		if err != nil {
   303  			return err
   304  		}
   305  	}
   306  	newS := creds.SavedKGID
   307  	if s.Ok() {
   308  		newS, err = creds.UseGID(s)
   309  		if err != nil {
   310  			return err
   311  		}
   312  	}
   313  	t.setKGIDsUncheckedLocked(newR, newE, newS)
   314  	return nil
   315  }
   316  
   317  func (t *Task) setKGIDsUncheckedLocked(newR, newE, newS auth.KGID) {
   318  	creds := t.Credentials().Fork() // The credentials object is immutable. See doc for creds.
   319  	oldE := creds.EffectiveKGID
   320  	creds.RealKGID, creds.EffectiveKGID, creds.SavedKGID = newR, newE, newS
   321  
   322  	if oldE != newE {
   323  		// "[dumpability] is reset to the current value contained in
   324  		// the file /proc/sys/fs/suid_dumpable (which by default has
   325  		// the value 0), in the following circumstances: The process's
   326  		// effective user or group ID is changed." - prctl(2)
   327  		//
   328  		// (suid_dumpable isn't implemented, so we just use the
   329  		// default.
   330  		t.MemoryManager().SetDumpability(mm.NotDumpable)
   331  
   332  		// Not documented, but compare Linux's
   333  		// kernel/cred.c:commit_creds().
   334  		t.parentDeathSignal = 0
   335  	}
   336  	t.creds.Store(creds)
   337  }
   338  
   339  // SetExtraGIDs attempts to change t's supplemental groups. All IDs are
   340  // interpreted as being in t's user namespace.
   341  func (t *Task) SetExtraGIDs(gids []auth.GID) error {
   342  	t.mu.Lock()
   343  	defer t.mu.Unlock()
   344  	creds := t.Credentials()
   345  	if !creds.HasCapability(linux.CAP_SETGID) {
   346  		return linuxerr.EPERM
   347  	}
   348  	kgids := make([]auth.KGID, len(gids))
   349  	for i, gid := range gids {
   350  		kgid := creds.UserNamespace.MapToKGID(gid)
   351  		if !kgid.Ok() {
   352  			return linuxerr.EINVAL
   353  		}
   354  		kgids[i] = kgid
   355  	}
   356  	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
   357  	creds.ExtraKGIDs = kgids
   358  	t.creds.Store(creds)
   359  	return nil
   360  }
   361  
   362  // weakCaps is a set of capabilities that can be disabled externally.
   363  var weakCaps = auth.CapabilitySetOf(linux.CAP_NET_RAW)
   364  
   365  // SetCapabilitySets attempts to change t's permitted, inheritable, and
   366  // effective capability sets.
   367  func (t *Task) SetCapabilitySets(permitted, inheritable, effective auth.CapabilitySet) error {
   368  	t.mu.Lock()
   369  	defer t.mu.Unlock()
   370  	// "Permitted: This is a limiting superset for the effective capabilities
   371  	// that the thread may assume." - capabilities(7)
   372  	if effective & ^permitted != 0 {
   373  		return linuxerr.EPERM
   374  	}
   375  	creds := t.Credentials()
   376  
   377  	// Don't fail if one or more weak capabilities can't be set, just drop them.
   378  	mask := (weakCaps & creds.BoundingCaps) | (auth.AllCapabilities &^ weakCaps)
   379  	permitted &= mask
   380  	inheritable &= mask
   381  	effective &= mask
   382  
   383  	// "It is also a limiting superset for the capabilities that may be added
   384  	// to the inheritable set by a thread that does not have the CAP_SETPCAP
   385  	// capability in its effective set."
   386  	if !creds.HasCapability(linux.CAP_SETPCAP) && (inheritable & ^(creds.InheritableCaps|creds.PermittedCaps) != 0) {
   387  		return linuxerr.EPERM
   388  	}
   389  	// "If a thread drops a capability from its permitted set, it can never
   390  	// reacquire that capability (unless it execve(2)s ..."
   391  	if permitted & ^creds.PermittedCaps != 0 {
   392  		return linuxerr.EPERM
   393  	}
   394  	// "... if a capability is not in the bounding set, then a thread can't add
   395  	// this capability to its inheritable set, even if it was in its permitted
   396  	// capabilities ..."
   397  	if inheritable & ^(creds.InheritableCaps|creds.BoundingCaps) != 0 {
   398  		return linuxerr.EPERM
   399  	}
   400  	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
   401  	creds.PermittedCaps = permitted
   402  	creds.InheritableCaps = inheritable
   403  	creds.EffectiveCaps = effective
   404  	t.creds.Store(creds)
   405  	return nil
   406  }
   407  
   408  // DropBoundingCapability attempts to drop capability cp from t's capability
   409  // bounding set.
   410  func (t *Task) DropBoundingCapability(cp linux.Capability) error {
   411  	t.mu.Lock()
   412  	defer t.mu.Unlock()
   413  	creds := t.Credentials()
   414  	if !creds.HasCapability(linux.CAP_SETPCAP) {
   415  		return linuxerr.EPERM
   416  	}
   417  	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
   418  	creds.BoundingCaps &^= auth.CapabilitySetOf(cp)
   419  	t.creds.Store(creds)
   420  	return nil
   421  }
   422  
   423  // SetUserNamespace attempts to move c into ns.
   424  func (t *Task) SetUserNamespace(ns *auth.UserNamespace) error {
   425  	t.mu.Lock()
   426  	defer t.mu.Unlock()
   427  
   428  	creds := t.Credentials()
   429  	// "A process reassociating itself with a user namespace must have the
   430  	// CAP_SYS_ADMIN capability in the target user namespace." - setns(2)
   431  	//
   432  	// If t just created ns, then t.creds is guaranteed to have CAP_SYS_ADMIN
   433  	// in ns (by rule 3 in auth.Credentials.HasCapability).
   434  	if !creds.HasCapabilityIn(linux.CAP_SYS_ADMIN, ns) {
   435  		return linuxerr.EPERM
   436  	}
   437  
   438  	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
   439  	creds.UserNamespace = ns
   440  	// "The child process created by clone(2) with the CLONE_NEWUSER flag
   441  	// starts out with a complete set of capabilities in the new user
   442  	// namespace. Likewise, a process that creates a new user namespace using
   443  	// unshare(2) or joins an existing user namespace using setns(2) gains a
   444  	// full set of capabilities in that namespace."
   445  	creds.PermittedCaps = auth.AllCapabilities
   446  	creds.InheritableCaps = 0
   447  	creds.EffectiveCaps = auth.AllCapabilities
   448  	creds.BoundingCaps = auth.AllCapabilities
   449  	// "A call to clone(2), unshare(2), or setns(2) using the CLONE_NEWUSER
   450  	// flag sets the "securebits" flags (see capabilities(7)) to their default
   451  	// values (all flags disabled) in the child (for clone(2)) or caller (for
   452  	// unshare(2), or setns(2)." - user_namespaces(7)
   453  	creds.KeepCaps = false
   454  	t.creds.Store(creds)
   455  
   456  	return nil
   457  }
   458  
   459  // SetKeepCaps will set the keep capabilities flag PR_SET_KEEPCAPS.
   460  func (t *Task) SetKeepCaps(k bool) {
   461  	t.mu.Lock()
   462  	defer t.mu.Unlock()
   463  	creds := t.Credentials().Fork() // The credentials object is immutable. See doc for creds.
   464  	creds.KeepCaps = k
   465  	t.creds.Store(creds)
   466  }
   467  
   468  // updateCredsForExecLocked updates t.creds to reflect an execve().
   469  //
   470  // NOTE(b/30815691): We currently do not implement privileged executables
   471  // (set-user/group-ID bits and file capabilities). This allows us to make a lot
   472  // of simplifying assumptions:
   473  //
   474  //   - We assume the no_new_privs bit (set by prctl(SET_NO_NEW_PRIVS)), which
   475  //     disables the features we don't support anyway, is always set. This
   476  //     drastically simplifies this function.
   477  //
   478  //   - We don't set AT_SECURE = 1, because no_new_privs always being set means
   479  //     that the conditions that require AT_SECURE = 1 never arise. (Compare Linux's
   480  //     security/commoncap.c:cap_bprm_set_creds() and cap_bprm_secureexec().)
   481  //
   482  //   - We don't check for CAP_SYS_ADMIN in prctl(PR_SET_SECCOMP), since
   483  //     seccomp-bpf is also allowed if the task has no_new_privs set.
   484  //
   485  //   - Task.ptraceAttach does not serialize with execve as it does in Linux,
   486  //     since no_new_privs being set has the same effect as the presence of an
   487  //     unprivileged tracer.
   488  //
   489  // Preconditions: t.mu must be locked.
   490  func (t *Task) updateCredsForExecLocked() {
   491  	// """
   492  	// During an execve(2), the kernel calculates the new capabilities of
   493  	// the process using the following algorithm:
   494  	//
   495  	//     P'(permitted) = (P(inheritable) & F(inheritable)) |
   496  	//                     (F(permitted) & cap_bset)
   497  	//
   498  	//     P'(effective) = F(effective) ? P'(permitted) : 0
   499  	//
   500  	//     P'(inheritable) = P(inheritable)    [i.e., unchanged]
   501  	//
   502  	// where:
   503  	//
   504  	//     P         denotes the value of a thread capability set before the
   505  	//               execve(2)
   506  	//
   507  	//     P'        denotes the value of a thread capability set after the
   508  	//               execve(2)
   509  	//
   510  	//     F         denotes a file capability set
   511  	//
   512  	//     cap_bset  is the value of the capability bounding set
   513  	//
   514  	// ...
   515  	//
   516  	// In order to provide an all-powerful root using capability sets, during
   517  	// an execve(2):
   518  	//
   519  	// 1. If a set-user-ID-root program is being executed, or the real user ID
   520  	// of the process is 0 (root) then the file inheritable and permitted sets
   521  	// are defined to be all ones (i.e. all capabilities enabled).
   522  	//
   523  	// 2. If a set-user-ID-root program is being executed, then the file
   524  	// effective bit is defined to be one (enabled).
   525  	//
   526  	// The upshot of the above rules, combined with the capabilities
   527  	// transformations described above, is that when a process execve(2)s a
   528  	// set-user-ID-root program, or when a process with an effective UID of 0
   529  	// execve(2)s a program, it gains all capabilities in its permitted and
   530  	// effective capability sets, except those masked out by the capability
   531  	// bounding set.
   532  	// """ - capabilities(7)
   533  	// (ambient capability sets omitted)
   534  	//
   535  	// As the last paragraph implies, the case of "a set-user-ID root program
   536  	// is being executed" also includes the case where (namespace) root is
   537  	// executing a non-set-user-ID program; the actual check is just based on
   538  	// the effective user ID.
   539  	var newPermitted auth.CapabilitySet // since F(inheritable) == F(permitted) == 0
   540  	fileEffective := false
   541  	creds := t.Credentials()
   542  	root := creds.UserNamespace.MapToKUID(auth.RootUID)
   543  	if creds.EffectiveKUID == root || creds.RealKUID == root {
   544  		newPermitted = creds.InheritableCaps | creds.BoundingCaps
   545  		if creds.EffectiveKUID == root {
   546  			fileEffective = true
   547  		}
   548  	}
   549  
   550  	creds = creds.Fork() // The credentials object is immutable. See doc for creds.
   551  
   552  	// Now we enter poorly-documented, somewhat confusing territory. (The
   553  	// accompanying comment in Linux's security/commoncap.c:cap_bprm_set_creds
   554  	// is not very helpful.) My reading of it is:
   555  	//
   556  	// If at least one of the following is true:
   557  	//
   558  	// A1. The execing task is ptraced, and the tracer did not have
   559  	// CAP_SYS_PTRACE in the execing task's user namespace at the time of
   560  	// PTRACE_ATTACH.
   561  	//
   562  	// A2. The execing task shares its FS context with at least one task in
   563  	// another thread group.
   564  	//
   565  	// A3. The execing task has no_new_privs set.
   566  	//
   567  	// AND at least one of the following is true:
   568  	//
   569  	// B1. The new effective user ID (which may come from set-user-ID, or be the
   570  	// execing task's existing effective user ID) is not equal to the task's
   571  	// real UID.
   572  	//
   573  	// B2. The new effective group ID (which may come from set-group-ID, or be
   574  	// the execing task's existing effective group ID) is not equal to the
   575  	// task's real GID.
   576  	//
   577  	// B3. The new permitted capability set contains capabilities not in the
   578  	// task's permitted capability set.
   579  	//
   580  	// Then:
   581  	//
   582  	// C1. Limit the new permitted capability set to the task's permitted
   583  	// capability set.
   584  	//
   585  	// C2. If either the task does not have CAP_SETUID in its user namespace, or
   586  	// the task has no_new_privs set, force the new effective UID and GID to
   587  	// the task's real UID and GID.
   588  	//
   589  	// But since no_new_privs is always set (A3 is always true), this becomes
   590  	// much simpler. If B1 and B2 are false, C2 is a no-op. If B3 is false, C1
   591  	// is a no-op. So we can just do C1 and C2 unconditionally.
   592  	if creds.EffectiveKUID != creds.RealKUID || creds.EffectiveKGID != creds.RealKGID {
   593  		creds.EffectiveKUID = creds.RealKUID
   594  		creds.EffectiveKGID = creds.RealKGID
   595  		t.parentDeathSignal = 0
   596  	}
   597  	// (Saved set-user-ID is always set to the new effective user ID, and saved
   598  	// set-group-ID is always set to the new effective group ID, regardless of
   599  	// the above.)
   600  	creds.SavedKUID = creds.RealKUID
   601  	creds.SavedKGID = creds.RealKGID
   602  	creds.PermittedCaps &= newPermitted
   603  	if fileEffective {
   604  		creds.EffectiveCaps = creds.PermittedCaps
   605  	} else {
   606  		creds.EffectiveCaps = 0
   607  	}
   608  
   609  	// prctl(2): The "keep capabilities" value will be reset to 0 on subsequent
   610  	// calls to execve(2).
   611  	creds.KeepCaps = false
   612  
   613  	// "The bounding set is inherited at fork(2) from the thread's parent, and
   614  	// is preserved across an execve(2)". So we're done.
   615  	t.creds.Store(creds)
   616  }