1 /*-
2 * Copyright (c) 2008-2011 Robert N. M. Watson
3 * Copyright (c) 2010-2011 Jonathan Anderson
4 * Copyright (c) 2012 FreeBSD Foundation
5 * All rights reserved.
6 *
7 * This software was developed at the University of Cambridge Computer
8 * Laboratory with support from a grant from Google, Inc.
9 *
10 * Portions of this software were developed by Pawel Jakub Dawidek under
11 * sponsorship from the FreeBSD Foundation.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 /*
36 * FreeBSD kernel capability facility.
37 *
38 * Two kernel features are implemented here: capability mode, a sandboxed mode
39 * of execution for processes, and capabilities, a refinement on file
40 * descriptors that allows fine-grained control over operations on the file
41 * descriptor. Collectively, these allow processes to run in the style of a
42 * historic "capability system" in which they can use only resources
43 * explicitly delegated to them. This model is enforced by restricting access
44 * to global namespaces in capability mode.
45 *
46 * Capabilities wrap other file descriptor types, binding them to a constant
47 * rights mask set when the capability is created. New capabilities may be
48 * derived from existing capabilities, but only if they have the same or a
49 * strict subset of the rights on the original capability.
50 *
51 * System calls permitted in capability mode are defined in capabilities.conf;
52 * calls must be carefully audited for safety to ensure that they don't allow
53 * escape from a sandbox. Some calls permit only a subset of operations in
54 * capability mode -- for example, shm_open(2) is limited to creating
55 * anonymous, rather than named, POSIX shared memory objects.
56 */
57
58 #include <sys/cdefs.h>
59 __FBSDID("$FreeBSD: releng/11.0/sys/kern/sys_capability.c 286618 2015-08-11 08:43:50Z ed $");
60
61 #include "opt_capsicum.h"
62 #include "opt_ktrace.h"
63
64 #include <sys/param.h>
65 #include <sys/capsicum.h>
66 #include <sys/file.h>
67 #include <sys/filedesc.h>
68 #include <sys/kernel.h>
69 #include <sys/limits.h>
70 #include <sys/lock.h>
71 #include <sys/mutex.h>
72 #include <sys/proc.h>
73 #include <sys/syscallsubr.h>
74 #include <sys/sysproto.h>
75 #include <sys/sysctl.h>
76 #include <sys/systm.h>
77 #include <sys/ucred.h>
78 #include <sys/uio.h>
79 #include <sys/ktrace.h>
80
81 #include <security/audit/audit.h>
82
83 #include <vm/uma.h>
84 #include <vm/vm.h>
85
86 #ifdef CAPABILITY_MODE
87
88 FEATURE(security_capability_mode, "Capsicum Capability Mode");
89
90 /*
91 * System call to enter capability mode for the process.
92 */
93 int
94 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
95 {
96 struct ucred *newcred, *oldcred;
97 struct proc *p;
98
99 if (IN_CAPABILITY_MODE(td))
100 return (0);
101
102 newcred = crget();
103 p = td->td_proc;
104 PROC_LOCK(p);
105 oldcred = crcopysafe(p, newcred);
106 newcred->cr_flags |= CRED_FLAG_CAPMODE;
107 proc_set_cred(p, newcred);
108 PROC_UNLOCK(p);
109 crfree(oldcred);
110 return (0);
111 }
112
113 /*
114 * System call to query whether the process is in capability mode.
115 */
116 int
117 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
118 {
119 u_int i;
120
121 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
122 return (copyout(&i, uap->modep, sizeof(i)));
123 }
124
125 #else /* !CAPABILITY_MODE */
126
127 int
128 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
129 {
130
131 return (ENOSYS);
132 }
133
134 int
135 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
136 {
137
138 return (ENOSYS);
139 }
140
141 #endif /* CAPABILITY_MODE */
142
143 #ifdef CAPABILITIES
144
145 FEATURE(security_capabilities, "Capsicum Capabilities");
146
147 MALLOC_DECLARE(M_FILECAPS);
148
149 static inline int
150 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
151 enum ktr_cap_fail_type type)
152 {
153 int i;
154
155 for (i = 0; i < nitems(havep->cr_rights); i++) {
156 if (!cap_rights_contains(havep, needp)) {
157 #ifdef KTRACE
158 if (KTRPOINT(curthread, KTR_CAPFAIL))
159 ktrcapfail(type, needp, havep);
160 #endif
161 return (ENOTCAPABLE);
162 }
163 }
164 return (0);
165 }
166
167 /*
168 * Test whether a capability grants the requested rights.
169 */
170 int
171 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
172 {
173
174 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
175 }
176
177 /*
178 * Convert capability rights into VM access flags.
179 */
180 u_char
181 cap_rights_to_vmprot(cap_rights_t *havep)
182 {
183 u_char maxprot;
184
185 maxprot = VM_PROT_NONE;
186 if (cap_rights_is_set(havep, CAP_MMAP_R))
187 maxprot |= VM_PROT_READ;
188 if (cap_rights_is_set(havep, CAP_MMAP_W))
189 maxprot |= VM_PROT_WRITE;
190 if (cap_rights_is_set(havep, CAP_MMAP_X))
191 maxprot |= VM_PROT_EXECUTE;
192
193 return (maxprot);
194 }
195
196 /*
197 * Extract rights from a capability for monitoring purposes -- not for use in
198 * any other way, as we want to keep all capability permission evaluation in
199 * this one file.
200 */
201
202 cap_rights_t *
203 cap_rights_fde(struct filedescent *fde)
204 {
205
206 return (&fde->fde_rights);
207 }
208
209 cap_rights_t *
210 cap_rights(struct filedesc *fdp, int fd)
211 {
212
213 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
214 }
215
216 int
217 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
218 {
219 struct filedesc *fdp;
220 int error;
221
222 fdp = td->td_proc->p_fd;
223 FILEDESC_XLOCK(fdp);
224 if (fget_locked(fdp, fd) == NULL) {
225 FILEDESC_XUNLOCK(fdp);
226 return (EBADF);
227 }
228 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
229 if (error == 0) {
230 fdp->fd_ofiles[fd].fde_rights = *rights;
231 if (!cap_rights_is_set(rights, CAP_IOCTL)) {
232 free(fdp->fd_ofiles[fd].fde_ioctls, M_FILECAPS);
233 fdp->fd_ofiles[fd].fde_ioctls = NULL;
234 fdp->fd_ofiles[fd].fde_nioctls = 0;
235 }
236 if (!cap_rights_is_set(rights, CAP_FCNTL))
237 fdp->fd_ofiles[fd].fde_fcntls = 0;
238 }
239 FILEDESC_XUNLOCK(fdp);
240 return (error);
241 }
242
243 /*
244 * System call to limit rights of the given capability.
245 */
246 int
247 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
248 {
249 cap_rights_t rights;
250 int error, version;
251
252 cap_rights_init(&rights);
253
254 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
255 if (error != 0)
256 return (error);
257 version = CAPVER(&rights);
258 if (version != CAP_RIGHTS_VERSION_00)
259 return (EINVAL);
260
261 error = copyin(uap->rightsp, &rights,
262 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
263 if (error != 0)
264 return (error);
265 /* Check for race. */
266 if (CAPVER(&rights) != version)
267 return (EINVAL);
268
269 if (!cap_rights_is_valid(&rights))
270 return (EINVAL);
271
272 if (version != CAP_RIGHTS_VERSION) {
273 rights.cr_rights[0] &= ~(0x3ULL << 62);
274 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
275 }
276 #ifdef KTRACE
277 if (KTRPOINT(td, KTR_STRUCT))
278 ktrcaprights(&rights);
279 #endif
280
281 AUDIT_ARG_FD(uap->fd);
282 AUDIT_ARG_RIGHTS(&rights);
283 return (kern_cap_rights_limit(td, uap->fd, &rights));
284 }
285
286 /*
287 * System call to query the rights mask associated with a capability.
288 */
289 int
290 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
291 {
292 struct filedesc *fdp;
293 cap_rights_t rights;
294 int error, fd, i, n;
295
296 if (uap->version != CAP_RIGHTS_VERSION_00)
297 return (EINVAL);
298
299 fd = uap->fd;
300
301 AUDIT_ARG_FD(fd);
302
303 fdp = td->td_proc->p_fd;
304 FILEDESC_SLOCK(fdp);
305 if (fget_locked(fdp, fd) == NULL) {
306 FILEDESC_SUNLOCK(fdp);
307 return (EBADF);
308 }
309 rights = *cap_rights(fdp, fd);
310 FILEDESC_SUNLOCK(fdp);
311 n = uap->version + 2;
312 if (uap->version != CAPVER(&rights)) {
313 /*
314 * For older versions we need to check if the descriptor
315 * doesn't contain rights not understood by the caller.
316 * If it does, we have to return an error.
317 */
318 for (i = n; i < CAPARSIZE(&rights); i++) {
319 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
320 return (EINVAL);
321 }
322 }
323 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
324 #ifdef KTRACE
325 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
326 ktrcaprights(&rights);
327 #endif
328 return (error);
329 }
330
331 /*
332 * Test whether a capability grants the given ioctl command.
333 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
334 * ENOTCAPABLE will be returned.
335 */
336 int
337 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
338 {
339 u_long *cmds;
340 ssize_t ncmds;
341 long i;
342
343 FILEDESC_LOCK_ASSERT(fdp);
344 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
345 ("%s: invalid fd=%d", __func__, fd));
346
347 ncmds = fdp->fd_ofiles[fd].fde_nioctls;
348 if (ncmds == -1)
349 return (0);
350
351 cmds = fdp->fd_ofiles[fd].fde_ioctls;
352 for (i = 0; i < ncmds; i++) {
353 if (cmds[i] == cmd)
354 return (0);
355 }
356
357 return (ENOTCAPABLE);
358 }
359
360 /*
361 * Check if the current ioctls list can be replaced by the new one.
362 */
363 static int
364 cap_ioctl_limit_check(struct filedesc *fdp, int fd, const u_long *cmds,
365 size_t ncmds)
366 {
367 u_long *ocmds;
368 ssize_t oncmds;
369 u_long i;
370 long j;
371
372 oncmds = fdp->fd_ofiles[fd].fde_nioctls;
373 if (oncmds == -1)
374 return (0);
375 if (oncmds < (ssize_t)ncmds)
376 return (ENOTCAPABLE);
377
378 ocmds = fdp->fd_ofiles[fd].fde_ioctls;
379 for (i = 0; i < ncmds; i++) {
380 for (j = 0; j < oncmds; j++) {
381 if (cmds[i] == ocmds[j])
382 break;
383 }
384 if (j == oncmds)
385 return (ENOTCAPABLE);
386 }
387
388 return (0);
389 }
390
391 int
392 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
393 {
394 struct filedesc *fdp;
395 u_long *ocmds;
396 int error;
397
398 AUDIT_ARG_FD(fd);
399
400 fdp = td->td_proc->p_fd;
401 FILEDESC_XLOCK(fdp);
402
403 if (fget_locked(fdp, fd) == NULL) {
404 error = EBADF;
405 goto out;
406 }
407
408 error = cap_ioctl_limit_check(fdp, fd, cmds, ncmds);
409 if (error != 0)
410 goto out;
411
412 ocmds = fdp->fd_ofiles[fd].fde_ioctls;
413 fdp->fd_ofiles[fd].fde_ioctls = cmds;
414 fdp->fd_ofiles[fd].fde_nioctls = ncmds;
415
416 cmds = ocmds;
417 error = 0;
418 out:
419 FILEDESC_XUNLOCK(fdp);
420 free(cmds, M_FILECAPS);
421 return (error);
422 }
423
424 int
425 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
426 {
427 u_long *cmds;
428 size_t ncmds;
429 int error;
430
431 ncmds = uap->ncmds;
432
433 if (ncmds > 256) /* XXX: Is 256 sane? */
434 return (EINVAL);
435
436 if (ncmds == 0) {
437 cmds = NULL;
438 } else {
439 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
440 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
441 if (error != 0) {
442 free(cmds, M_FILECAPS);
443 return (error);
444 }
445 }
446
447 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
448 }
449
450 int
451 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
452 {
453 struct filedesc *fdp;
454 struct filedescent *fdep;
455 u_long *cmds;
456 size_t maxcmds;
457 int error, fd;
458
459 fd = uap->fd;
460 cmds = uap->cmds;
461 maxcmds = uap->maxcmds;
462
463 AUDIT_ARG_FD(fd);
464
465 fdp = td->td_proc->p_fd;
466 FILEDESC_SLOCK(fdp);
467
468 if (fget_locked(fdp, fd) == NULL) {
469 error = EBADF;
470 goto out;
471 }
472
473 /*
474 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
475 * the only sane thing we can do is to not populate the given array and
476 * return CAP_IOCTLS_ALL.
477 */
478
479 fdep = &fdp->fd_ofiles[fd];
480 if (cmds != NULL && fdep->fde_ioctls != NULL) {
481 error = copyout(fdep->fde_ioctls, cmds,
482 sizeof(cmds[0]) * MIN(fdep->fde_nioctls, maxcmds));
483 if (error != 0)
484 goto out;
485 }
486 if (fdep->fde_nioctls == -1)
487 td->td_retval[0] = CAP_IOCTLS_ALL;
488 else
489 td->td_retval[0] = fdep->fde_nioctls;
490
491 error = 0;
492 out:
493 FILEDESC_SUNLOCK(fdp);
494 return (error);
495 }
496
497 /*
498 * Test whether a capability grants the given fcntl command.
499 */
500 int
501 cap_fcntl_check_fde(struct filedescent *fde, int cmd)
502 {
503 uint32_t fcntlcap;
504
505 fcntlcap = (1 << cmd);
506 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
507 ("Unsupported fcntl=%d.", cmd));
508
509 if ((fde->fde_fcntls & fcntlcap) != 0)
510 return (0);
511
512 return (ENOTCAPABLE);
513 }
514
515 int
516 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
517 {
518
519 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
520 ("%s: invalid fd=%d", __func__, fd));
521
522 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
523 }
524
525 int
526 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
527 {
528 struct filedesc *fdp;
529 uint32_t fcntlrights;
530 int fd;
531
532 fd = uap->fd;
533 fcntlrights = uap->fcntlrights;
534
535 AUDIT_ARG_FD(fd);
536 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
537
538 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
539 return (EINVAL);
540
541 fdp = td->td_proc->p_fd;
542 FILEDESC_XLOCK(fdp);
543
544 if (fget_locked(fdp, fd) == NULL) {
545 FILEDESC_XUNLOCK(fdp);
546 return (EBADF);
547 }
548
549 if ((fcntlrights & ~fdp->fd_ofiles[fd].fde_fcntls) != 0) {
550 FILEDESC_XUNLOCK(fdp);
551 return (ENOTCAPABLE);
552 }
553
554 fdp->fd_ofiles[fd].fde_fcntls = fcntlrights;
555 FILEDESC_XUNLOCK(fdp);
556
557 return (0);
558 }
559
560 int
561 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
562 {
563 struct filedesc *fdp;
564 uint32_t rights;
565 int fd;
566
567 fd = uap->fd;
568
569 AUDIT_ARG_FD(fd);
570
571 fdp = td->td_proc->p_fd;
572 FILEDESC_SLOCK(fdp);
573 if (fget_locked(fdp, fd) == NULL) {
574 FILEDESC_SUNLOCK(fdp);
575 return (EBADF);
576 }
577 rights = fdp->fd_ofiles[fd].fde_fcntls;
578 FILEDESC_SUNLOCK(fdp);
579
580 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
581 }
582
583 #else /* !CAPABILITIES */
584
585 /*
586 * Stub Capability functions for when options CAPABILITIES isn't compiled
587 * into the kernel.
588 */
589
590 int
591 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
592 {
593
594 return (ENOSYS);
595 }
596
597 int
598 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
599 {
600
601 return (ENOSYS);
602 }
603
604 int
605 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
606 {
607
608 return (ENOSYS);
609 }
610
611 int
612 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
613 {
614
615 return (ENOSYS);
616 }
617
618 int
619 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
620 {
621
622 return (ENOSYS);
623 }
624
625 int
626 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
627 {
628
629 return (ENOSYS);
630 }
631
632 #endif /* CAPABILITIES */
Cache object: 350d5b2e973882e2fe50b3bf325ab0d1
|