1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2008-2011 Robert N. M. Watson
5 * Copyright (c) 2010-2011 Jonathan Anderson
6 * Copyright (c) 2012 FreeBSD Foundation
7 * All rights reserved.
8 *
9 * This software was developed at the University of Cambridge Computer
10 * Laboratory with support from a grant from Google, Inc.
11 *
12 * Portions of this software were developed by Pawel Jakub Dawidek under
13 * sponsorship from the FreeBSD Foundation.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37 /*
38 * FreeBSD kernel capability facility.
39 *
40 * Two kernel features are implemented here: capability mode, a sandboxed mode
41 * of execution for processes, and capabilities, a refinement on file
42 * descriptors that allows fine-grained control over operations on the file
43 * descriptor. Collectively, these allow processes to run in the style of a
44 * historic "capability system" in which they can use only resources
45 * explicitly delegated to them. This model is enforced by restricting access
46 * to global namespaces in capability mode.
47 *
48 * Capabilities wrap other file descriptor types, binding them to a constant
49 * rights mask set when the capability is created. New capabilities may be
50 * derived from existing capabilities, but only if they have the same or a
51 * strict subset of the rights on the original capability.
52 *
53 * System calls permitted in capability mode are defined in capabilities.conf;
54 * calls must be carefully audited for safety to ensure that they don't allow
55 * escape from a sandbox. Some calls permit only a subset of operations in
56 * capability mode -- for example, shm_open(2) is limited to creating
57 * anonymous, rather than named, POSIX shared memory objects.
58 */
59
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD: releng/12.0/sys/kern/sys_capability.c 339341 2018-10-12 23:48:10Z mjg $");
62
63 #include "opt_capsicum.h"
64 #include "opt_ktrace.h"
65
66 #include <sys/param.h>
67 #include <sys/capsicum.h>
68 #include <sys/file.h>
69 #include <sys/filedesc.h>
70 #include <sys/kernel.h>
71 #include <sys/limits.h>
72 #include <sys/lock.h>
73 #include <sys/mutex.h>
74 #include <sys/proc.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysproto.h>
77 #include <sys/sysctl.h>
78 #include <sys/systm.h>
79 #include <sys/ucred.h>
80 #include <sys/uio.h>
81 #include <sys/ktrace.h>
82
83 #include <security/audit/audit.h>
84
85 #include <vm/uma.h>
86 #include <vm/vm.h>
87
88 bool __read_frequently trap_enotcap;
89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RW, &trap_enotcap, 0,
90 "Deliver SIGTRAP on ENOTCAPABLE");
91
92 #ifdef CAPABILITY_MODE
93
94 #define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */
95
96 FEATURE(security_capability_mode, "Capsicum Capability Mode");
97
98 /*
99 * System call to enter capability mode for the process.
100 */
101 int
102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
103 {
104 struct ucred *newcred, *oldcred;
105 struct proc *p;
106
107 if (IN_CAPABILITY_MODE(td))
108 return (0);
109
110 newcred = crget();
111 p = td->td_proc;
112 PROC_LOCK(p);
113 oldcred = crcopysafe(p, newcred);
114 newcred->cr_flags |= CRED_FLAG_CAPMODE;
115 proc_set_cred(p, newcred);
116 PROC_UNLOCK(p);
117 crfree(oldcred);
118 return (0);
119 }
120
121 /*
122 * System call to query whether the process is in capability mode.
123 */
124 int
125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
126 {
127 u_int i;
128
129 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
130 return (copyout(&i, uap->modep, sizeof(i)));
131 }
132
133 #else /* !CAPABILITY_MODE */
134
135 int
136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
137 {
138
139 return (ENOSYS);
140 }
141
142 int
143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
144 {
145
146 return (ENOSYS);
147 }
148
149 #endif /* CAPABILITY_MODE */
150
151 #ifdef CAPABILITIES
152
153 FEATURE(security_capabilities, "Capsicum Capabilities");
154
155 MALLOC_DECLARE(M_FILECAPS);
156
157 static inline int
158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
159 enum ktr_cap_fail_type type)
160 {
161
162 if (!cap_rights_contains(havep, needp)) {
163 #ifdef KTRACE
164 if (KTRPOINT(curthread, KTR_CAPFAIL))
165 ktrcapfail(type, needp, havep);
166 #endif
167 return (ENOTCAPABLE);
168 }
169 return (0);
170 }
171
172 /*
173 * Test whether a capability grants the requested rights.
174 */
175 int
176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
177 {
178
179 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
180 }
181
182 /*
183 * Convert capability rights into VM access flags.
184 */
185 u_char
186 cap_rights_to_vmprot(const cap_rights_t *havep)
187 {
188 u_char maxprot;
189
190 maxprot = VM_PROT_NONE;
191 if (cap_rights_is_set(havep, CAP_MMAP_R))
192 maxprot |= VM_PROT_READ;
193 if (cap_rights_is_set(havep, CAP_MMAP_W))
194 maxprot |= VM_PROT_WRITE;
195 if (cap_rights_is_set(havep, CAP_MMAP_X))
196 maxprot |= VM_PROT_EXECUTE;
197
198 return (maxprot);
199 }
200
201 /*
202 * Extract rights from a capability for monitoring purposes -- not for use in
203 * any other way, as we want to keep all capability permission evaluation in
204 * this one file.
205 */
206
207 const cap_rights_t *
208 cap_rights_fde(const struct filedescent *fdep)
209 {
210
211 return (cap_rights_fde_inline(fdep));
212 }
213
214 const cap_rights_t *
215 cap_rights(struct filedesc *fdp, int fd)
216 {
217
218 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
219 }
220
221 int
222 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
223 {
224 struct filedesc *fdp;
225 struct filedescent *fdep;
226 int error;
227
228 fdp = td->td_proc->p_fd;
229 FILEDESC_XLOCK(fdp);
230 fdep = fdeget_locked(fdp, fd);
231 if (fdep == NULL) {
232 FILEDESC_XUNLOCK(fdp);
233 return (EBADF);
234 }
235 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
236 if (error == 0) {
237 fdep->fde_rights = *rights;
238 if (!cap_rights_is_set(rights, CAP_IOCTL)) {
239 free(fdep->fde_ioctls, M_FILECAPS);
240 fdep->fde_ioctls = NULL;
241 fdep->fde_nioctls = 0;
242 }
243 if (!cap_rights_is_set(rights, CAP_FCNTL))
244 fdep->fde_fcntls = 0;
245 }
246 FILEDESC_XUNLOCK(fdp);
247 return (error);
248 }
249
250 /*
251 * System call to limit rights of the given capability.
252 */
253 int
254 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
255 {
256 cap_rights_t rights;
257 int error, version;
258
259 cap_rights_init(&rights);
260
261 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
262 if (error != 0)
263 return (error);
264 version = CAPVER(&rights);
265 if (version != CAP_RIGHTS_VERSION_00)
266 return (EINVAL);
267
268 error = copyin(uap->rightsp, &rights,
269 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
270 if (error != 0)
271 return (error);
272 /* Check for race. */
273 if (CAPVER(&rights) != version)
274 return (EINVAL);
275
276 if (!cap_rights_is_valid(&rights))
277 return (EINVAL);
278
279 if (version != CAP_RIGHTS_VERSION) {
280 rights.cr_rights[0] &= ~(0x3ULL << 62);
281 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
282 }
283 #ifdef KTRACE
284 if (KTRPOINT(td, KTR_STRUCT))
285 ktrcaprights(&rights);
286 #endif
287
288 AUDIT_ARG_FD(uap->fd);
289 AUDIT_ARG_RIGHTS(&rights);
290 return (kern_cap_rights_limit(td, uap->fd, &rights));
291 }
292
293 /*
294 * System call to query the rights mask associated with a capability.
295 */
296 int
297 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
298 {
299 struct filedesc *fdp;
300 cap_rights_t rights;
301 int error, fd, i, n;
302
303 if (uap->version != CAP_RIGHTS_VERSION_00)
304 return (EINVAL);
305
306 fd = uap->fd;
307
308 AUDIT_ARG_FD(fd);
309
310 fdp = td->td_proc->p_fd;
311 FILEDESC_SLOCK(fdp);
312 if (fget_locked(fdp, fd) == NULL) {
313 FILEDESC_SUNLOCK(fdp);
314 return (EBADF);
315 }
316 rights = *cap_rights(fdp, fd);
317 FILEDESC_SUNLOCK(fdp);
318 n = uap->version + 2;
319 if (uap->version != CAPVER(&rights)) {
320 /*
321 * For older versions we need to check if the descriptor
322 * doesn't contain rights not understood by the caller.
323 * If it does, we have to return an error.
324 */
325 for (i = n; i < CAPARSIZE(&rights); i++) {
326 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
327 return (EINVAL);
328 }
329 }
330 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
331 #ifdef KTRACE
332 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
333 ktrcaprights(&rights);
334 #endif
335 return (error);
336 }
337
338 /*
339 * Test whether a capability grants the given ioctl command.
340 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
341 * ENOTCAPABLE will be returned.
342 */
343 int
344 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
345 {
346 struct filedescent *fdep;
347 u_long *cmds;
348 ssize_t ncmds;
349 long i;
350
351 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
352 ("%s: invalid fd=%d", __func__, fd));
353
354 fdep = fdeget_locked(fdp, fd);
355 KASSERT(fdep != NULL,
356 ("%s: invalid fd=%d", __func__, fd));
357
358 ncmds = fdep->fde_nioctls;
359 if (ncmds == -1)
360 return (0);
361
362 cmds = fdep->fde_ioctls;
363 for (i = 0; i < ncmds; i++) {
364 if (cmds[i] == cmd)
365 return (0);
366 }
367
368 return (ENOTCAPABLE);
369 }
370
371 /*
372 * Check if the current ioctls list can be replaced by the new one.
373 */
374 static int
375 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
376 size_t ncmds)
377 {
378 u_long *ocmds;
379 ssize_t oncmds;
380 u_long i;
381 long j;
382
383 oncmds = fdep->fde_nioctls;
384 if (oncmds == -1)
385 return (0);
386 if (oncmds < (ssize_t)ncmds)
387 return (ENOTCAPABLE);
388
389 ocmds = fdep->fde_ioctls;
390 for (i = 0; i < ncmds; i++) {
391 for (j = 0; j < oncmds; j++) {
392 if (cmds[i] == ocmds[j])
393 break;
394 }
395 if (j == oncmds)
396 return (ENOTCAPABLE);
397 }
398
399 return (0);
400 }
401
402 int
403 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
404 {
405 struct filedesc *fdp;
406 struct filedescent *fdep;
407 u_long *ocmds;
408 int error;
409
410 AUDIT_ARG_FD(fd);
411
412 if (ncmds > IOCTLS_MAX_COUNT) {
413 error = EINVAL;
414 goto out_free;
415 }
416
417 fdp = td->td_proc->p_fd;
418 FILEDESC_XLOCK(fdp);
419
420 fdep = fdeget_locked(fdp, fd);
421 if (fdep == NULL) {
422 error = EBADF;
423 goto out;
424 }
425
426 error = cap_ioctl_limit_check(fdep, cmds, ncmds);
427 if (error != 0)
428 goto out;
429
430 ocmds = fdep->fde_ioctls;
431 fdep->fde_ioctls = cmds;
432 fdep->fde_nioctls = ncmds;
433
434 cmds = ocmds;
435 error = 0;
436 out:
437 FILEDESC_XUNLOCK(fdp);
438 out_free:
439 free(cmds, M_FILECAPS);
440 return (error);
441 }
442
443 int
444 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
445 {
446 u_long *cmds;
447 size_t ncmds;
448 int error;
449
450 ncmds = uap->ncmds;
451
452 if (ncmds > IOCTLS_MAX_COUNT)
453 return (EINVAL);
454
455 if (ncmds == 0) {
456 cmds = NULL;
457 } else {
458 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
459 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
460 if (error != 0) {
461 free(cmds, M_FILECAPS);
462 return (error);
463 }
464 }
465
466 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
467 }
468
469 int
470 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
471 {
472 struct filedesc *fdp;
473 struct filedescent *fdep;
474 u_long *cmdsp, *dstcmds;
475 size_t maxcmds, ncmds;
476 int16_t count;
477 int error, fd;
478
479 fd = uap->fd;
480 dstcmds = uap->cmds;
481 maxcmds = uap->maxcmds;
482
483 AUDIT_ARG_FD(fd);
484
485 fdp = td->td_proc->p_fd;
486
487 cmdsp = NULL;
488 if (dstcmds != NULL) {
489 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
490 M_WAITOK | M_ZERO);
491 }
492
493 FILEDESC_SLOCK(fdp);
494 fdep = fdeget_locked(fdp, fd);
495 if (fdep == NULL) {
496 error = EBADF;
497 FILEDESC_SUNLOCK(fdp);
498 goto out;
499 }
500 count = fdep->fde_nioctls;
501 if (count != -1 && cmdsp != NULL) {
502 ncmds = MIN(count, maxcmds);
503 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
504 }
505 FILEDESC_SUNLOCK(fdp);
506
507 /*
508 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
509 * the only sane thing we can do is to not populate the given array and
510 * return CAP_IOCTLS_ALL.
511 */
512 if (count != -1) {
513 if (cmdsp != NULL) {
514 error = copyout(cmdsp, dstcmds,
515 sizeof(cmdsp[0]) * ncmds);
516 if (error != 0)
517 goto out;
518 }
519 td->td_retval[0] = count;
520 } else {
521 td->td_retval[0] = CAP_IOCTLS_ALL;
522 }
523
524 error = 0;
525 out:
526 free(cmdsp, M_FILECAPS);
527 return (error);
528 }
529
530 /*
531 * Test whether a capability grants the given fcntl command.
532 */
533 int
534 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
535 {
536 uint32_t fcntlcap;
537
538 fcntlcap = (1 << cmd);
539 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
540 ("Unsupported fcntl=%d.", cmd));
541
542 if ((fdep->fde_fcntls & fcntlcap) != 0)
543 return (0);
544
545 return (ENOTCAPABLE);
546 }
547
548 int
549 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
550 {
551
552 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
553 ("%s: invalid fd=%d", __func__, fd));
554
555 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
556 }
557
558 int
559 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
560 {
561 struct filedesc *fdp;
562 struct filedescent *fdep;
563 uint32_t fcntlrights;
564 int fd;
565
566 fd = uap->fd;
567 fcntlrights = uap->fcntlrights;
568
569 AUDIT_ARG_FD(fd);
570 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
571
572 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
573 return (EINVAL);
574
575 fdp = td->td_proc->p_fd;
576 FILEDESC_XLOCK(fdp);
577
578 fdep = fdeget_locked(fdp, fd);
579 if (fdep == NULL) {
580 FILEDESC_XUNLOCK(fdp);
581 return (EBADF);
582 }
583
584 if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
585 FILEDESC_XUNLOCK(fdp);
586 return (ENOTCAPABLE);
587 }
588
589 fdep->fde_fcntls = fcntlrights;
590 FILEDESC_XUNLOCK(fdp);
591
592 return (0);
593 }
594
595 int
596 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
597 {
598 struct filedesc *fdp;
599 struct filedescent *fdep;
600 uint32_t rights;
601 int fd;
602
603 fd = uap->fd;
604
605 AUDIT_ARG_FD(fd);
606
607 fdp = td->td_proc->p_fd;
608 FILEDESC_SLOCK(fdp);
609 fdep = fdeget_locked(fdp, fd);
610 if (fdep == NULL) {
611 FILEDESC_SUNLOCK(fdp);
612 return (EBADF);
613 }
614 rights = fdep->fde_fcntls;
615 FILEDESC_SUNLOCK(fdp);
616
617 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
618 }
619
620 #else /* !CAPABILITIES */
621
622 /*
623 * Stub Capability functions for when options CAPABILITIES isn't compiled
624 * into the kernel.
625 */
626
627 int
628 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
629 {
630
631 return (ENOSYS);
632 }
633
634 int
635 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
636 {
637
638 return (ENOSYS);
639 }
640
641 int
642 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
643 {
644
645 return (ENOSYS);
646 }
647
648 int
649 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
650 {
651
652 return (ENOSYS);
653 }
654
655 int
656 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
657 {
658
659 return (ENOSYS);
660 }
661
662 int
663 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
664 {
665
666 return (ENOSYS);
667 }
668
669 #endif /* CAPABILITIES */
Cache object: 9540ceec4d874719b1acacdc2843d70e
|