Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/kern/sys_capability.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2008-2011 Robert N. M. Watson 5 * Copyright (c) 2010-2011 Jonathan Anderson 6 * Copyright (c) 2012 FreeBSD Foundation 7 * All rights reserved. 8 * 9 * This software was developed at the University of Cambridge Computer 10 * Laboratory with support from a grant from Google, Inc. 11 * 12 * Portions of this software were developed by Pawel Jakub Dawidek under 13 * sponsorship from the FreeBSD Foundation. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37 /* 38 * FreeBSD kernel capability facility. 39 * 40 * Two kernel features are implemented here: capability mode, a sandboxed mode 41 * of execution for processes, and capabilities, a refinement on file 42 * descriptors that allows fine-grained control over operations on the file 43 * descriptor. Collectively, these allow processes to run in the style of a 44 * historic "capability system" in which they can use only resources 45 * explicitly delegated to them. This model is enforced by restricting access 46 * to global namespaces in capability mode. 47 * 48 * Capabilities wrap other file descriptor types, binding them to a constant 49 * rights mask set when the capability is created. New capabilities may be 50 * derived from existing capabilities, but only if they have the same or a 51 * strict subset of the rights on the original capability. 52 * 53 * System calls permitted in capability mode are defined in capabilities.conf; 54 * calls must be carefully audited for safety to ensure that they don't allow 55 * escape from a sandbox. Some calls permit only a subset of operations in 56 * capability mode -- for example, shm_open(2) is limited to creating 57 * anonymous, rather than named, POSIX shared memory objects. 58 */ 59 60 #include <sys/cdefs.h> 61 __FBSDID("$FreeBSD: releng/12.0/sys/kern/sys_capability.c 339341 2018-10-12 23:48:10Z mjg $"); 62 63 #include "opt_capsicum.h" 64 #include "opt_ktrace.h" 65 66 #include <sys/param.h> 67 #include <sys/capsicum.h> 68 #include <sys/file.h> 69 #include <sys/filedesc.h> 70 #include <sys/kernel.h> 71 #include <sys/limits.h> 72 #include <sys/lock.h> 73 #include <sys/mutex.h> 74 #include <sys/proc.h> 75 #include <sys/syscallsubr.h> 76 #include <sys/sysproto.h> 77 #include <sys/sysctl.h> 78 #include <sys/systm.h> 79 #include <sys/ucred.h> 80 #include <sys/uio.h> 81 #include <sys/ktrace.h> 82 83 #include <security/audit/audit.h> 84 85 #include <vm/uma.h> 86 #include <vm/vm.h> 87 88 bool __read_frequently trap_enotcap; 89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RW, &trap_enotcap, 0, 90 "Deliver SIGTRAP on ENOTCAPABLE"); 91 92 #ifdef CAPABILITY_MODE 93 94 #define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */ 95 96 FEATURE(security_capability_mode, "Capsicum Capability Mode"); 97 98 /* 99 * System call to enter capability mode for the process. 100 */ 101 int 102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 103 { 104 struct ucred *newcred, *oldcred; 105 struct proc *p; 106 107 if (IN_CAPABILITY_MODE(td)) 108 return (0); 109 110 newcred = crget(); 111 p = td->td_proc; 112 PROC_LOCK(p); 113 oldcred = crcopysafe(p, newcred); 114 newcred->cr_flags |= CRED_FLAG_CAPMODE; 115 proc_set_cred(p, newcred); 116 PROC_UNLOCK(p); 117 crfree(oldcred); 118 return (0); 119 } 120 121 /* 122 * System call to query whether the process is in capability mode. 123 */ 124 int 125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 126 { 127 u_int i; 128 129 i = IN_CAPABILITY_MODE(td) ? 1 : 0; 130 return (copyout(&i, uap->modep, sizeof(i))); 131 } 132 133 #else /* !CAPABILITY_MODE */ 134 135 int 136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 137 { 138 139 return (ENOSYS); 140 } 141 142 int 143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 144 { 145 146 return (ENOSYS); 147 } 148 149 #endif /* CAPABILITY_MODE */ 150 151 #ifdef CAPABILITIES 152 153 FEATURE(security_capabilities, "Capsicum Capabilities"); 154 155 MALLOC_DECLARE(M_FILECAPS); 156 157 static inline int 158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp, 159 enum ktr_cap_fail_type type) 160 { 161 162 if (!cap_rights_contains(havep, needp)) { 163 #ifdef KTRACE 164 if (KTRPOINT(curthread, KTR_CAPFAIL)) 165 ktrcapfail(type, needp, havep); 166 #endif 167 return (ENOTCAPABLE); 168 } 169 return (0); 170 } 171 172 /* 173 * Test whether a capability grants the requested rights. 174 */ 175 int 176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp) 177 { 178 179 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE)); 180 } 181 182 /* 183 * Convert capability rights into VM access flags. 184 */ 185 u_char 186 cap_rights_to_vmprot(const cap_rights_t *havep) 187 { 188 u_char maxprot; 189 190 maxprot = VM_PROT_NONE; 191 if (cap_rights_is_set(havep, CAP_MMAP_R)) 192 maxprot |= VM_PROT_READ; 193 if (cap_rights_is_set(havep, CAP_MMAP_W)) 194 maxprot |= VM_PROT_WRITE; 195 if (cap_rights_is_set(havep, CAP_MMAP_X)) 196 maxprot |= VM_PROT_EXECUTE; 197 198 return (maxprot); 199 } 200 201 /* 202 * Extract rights from a capability for monitoring purposes -- not for use in 203 * any other way, as we want to keep all capability permission evaluation in 204 * this one file. 205 */ 206 207 const cap_rights_t * 208 cap_rights_fde(const struct filedescent *fdep) 209 { 210 211 return (cap_rights_fde_inline(fdep)); 212 } 213 214 const cap_rights_t * 215 cap_rights(struct filedesc *fdp, int fd) 216 { 217 218 return (cap_rights_fde(&fdp->fd_ofiles[fd])); 219 } 220 221 int 222 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights) 223 { 224 struct filedesc *fdp; 225 struct filedescent *fdep; 226 int error; 227 228 fdp = td->td_proc->p_fd; 229 FILEDESC_XLOCK(fdp); 230 fdep = fdeget_locked(fdp, fd); 231 if (fdep == NULL) { 232 FILEDESC_XUNLOCK(fdp); 233 return (EBADF); 234 } 235 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE); 236 if (error == 0) { 237 fdep->fde_rights = *rights; 238 if (!cap_rights_is_set(rights, CAP_IOCTL)) { 239 free(fdep->fde_ioctls, M_FILECAPS); 240 fdep->fde_ioctls = NULL; 241 fdep->fde_nioctls = 0; 242 } 243 if (!cap_rights_is_set(rights, CAP_FCNTL)) 244 fdep->fde_fcntls = 0; 245 } 246 FILEDESC_XUNLOCK(fdp); 247 return (error); 248 } 249 250 /* 251 * System call to limit rights of the given capability. 252 */ 253 int 254 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 255 { 256 cap_rights_t rights; 257 int error, version; 258 259 cap_rights_init(&rights); 260 261 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0])); 262 if (error != 0) 263 return (error); 264 version = CAPVER(&rights); 265 if (version != CAP_RIGHTS_VERSION_00) 266 return (EINVAL); 267 268 error = copyin(uap->rightsp, &rights, 269 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights)); 270 if (error != 0) 271 return (error); 272 /* Check for race. */ 273 if (CAPVER(&rights) != version) 274 return (EINVAL); 275 276 if (!cap_rights_is_valid(&rights)) 277 return (EINVAL); 278 279 if (version != CAP_RIGHTS_VERSION) { 280 rights.cr_rights[0] &= ~(0x3ULL << 62); 281 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62); 282 } 283 #ifdef KTRACE 284 if (KTRPOINT(td, KTR_STRUCT)) 285 ktrcaprights(&rights); 286 #endif 287 288 AUDIT_ARG_FD(uap->fd); 289 AUDIT_ARG_RIGHTS(&rights); 290 return (kern_cap_rights_limit(td, uap->fd, &rights)); 291 } 292 293 /* 294 * System call to query the rights mask associated with a capability. 295 */ 296 int 297 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 298 { 299 struct filedesc *fdp; 300 cap_rights_t rights; 301 int error, fd, i, n; 302 303 if (uap->version != CAP_RIGHTS_VERSION_00) 304 return (EINVAL); 305 306 fd = uap->fd; 307 308 AUDIT_ARG_FD(fd); 309 310 fdp = td->td_proc->p_fd; 311 FILEDESC_SLOCK(fdp); 312 if (fget_locked(fdp, fd) == NULL) { 313 FILEDESC_SUNLOCK(fdp); 314 return (EBADF); 315 } 316 rights = *cap_rights(fdp, fd); 317 FILEDESC_SUNLOCK(fdp); 318 n = uap->version + 2; 319 if (uap->version != CAPVER(&rights)) { 320 /* 321 * For older versions we need to check if the descriptor 322 * doesn't contain rights not understood by the caller. 323 * If it does, we have to return an error. 324 */ 325 for (i = n; i < CAPARSIZE(&rights); i++) { 326 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0) 327 return (EINVAL); 328 } 329 } 330 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n); 331 #ifdef KTRACE 332 if (error == 0 && KTRPOINT(td, KTR_STRUCT)) 333 ktrcaprights(&rights); 334 #endif 335 return (error); 336 } 337 338 /* 339 * Test whether a capability grants the given ioctl command. 340 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and 341 * ENOTCAPABLE will be returned. 342 */ 343 int 344 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd) 345 { 346 struct filedescent *fdep; 347 u_long *cmds; 348 ssize_t ncmds; 349 long i; 350 351 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 352 ("%s: invalid fd=%d", __func__, fd)); 353 354 fdep = fdeget_locked(fdp, fd); 355 KASSERT(fdep != NULL, 356 ("%s: invalid fd=%d", __func__, fd)); 357 358 ncmds = fdep->fde_nioctls; 359 if (ncmds == -1) 360 return (0); 361 362 cmds = fdep->fde_ioctls; 363 for (i = 0; i < ncmds; i++) { 364 if (cmds[i] == cmd) 365 return (0); 366 } 367 368 return (ENOTCAPABLE); 369 } 370 371 /* 372 * Check if the current ioctls list can be replaced by the new one. 373 */ 374 static int 375 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds, 376 size_t ncmds) 377 { 378 u_long *ocmds; 379 ssize_t oncmds; 380 u_long i; 381 long j; 382 383 oncmds = fdep->fde_nioctls; 384 if (oncmds == -1) 385 return (0); 386 if (oncmds < (ssize_t)ncmds) 387 return (ENOTCAPABLE); 388 389 ocmds = fdep->fde_ioctls; 390 for (i = 0; i < ncmds; i++) { 391 for (j = 0; j < oncmds; j++) { 392 if (cmds[i] == ocmds[j]) 393 break; 394 } 395 if (j == oncmds) 396 return (ENOTCAPABLE); 397 } 398 399 return (0); 400 } 401 402 int 403 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds) 404 { 405 struct filedesc *fdp; 406 struct filedescent *fdep; 407 u_long *ocmds; 408 int error; 409 410 AUDIT_ARG_FD(fd); 411 412 if (ncmds > IOCTLS_MAX_COUNT) { 413 error = EINVAL; 414 goto out_free; 415 } 416 417 fdp = td->td_proc->p_fd; 418 FILEDESC_XLOCK(fdp); 419 420 fdep = fdeget_locked(fdp, fd); 421 if (fdep == NULL) { 422 error = EBADF; 423 goto out; 424 } 425 426 error = cap_ioctl_limit_check(fdep, cmds, ncmds); 427 if (error != 0) 428 goto out; 429 430 ocmds = fdep->fde_ioctls; 431 fdep->fde_ioctls = cmds; 432 fdep->fde_nioctls = ncmds; 433 434 cmds = ocmds; 435 error = 0; 436 out: 437 FILEDESC_XUNLOCK(fdp); 438 out_free: 439 free(cmds, M_FILECAPS); 440 return (error); 441 } 442 443 int 444 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 445 { 446 u_long *cmds; 447 size_t ncmds; 448 int error; 449 450 ncmds = uap->ncmds; 451 452 if (ncmds > IOCTLS_MAX_COUNT) 453 return (EINVAL); 454 455 if (ncmds == 0) { 456 cmds = NULL; 457 } else { 458 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK); 459 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds); 460 if (error != 0) { 461 free(cmds, M_FILECAPS); 462 return (error); 463 } 464 } 465 466 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds)); 467 } 468 469 int 470 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 471 { 472 struct filedesc *fdp; 473 struct filedescent *fdep; 474 u_long *cmdsp, *dstcmds; 475 size_t maxcmds, ncmds; 476 int16_t count; 477 int error, fd; 478 479 fd = uap->fd; 480 dstcmds = uap->cmds; 481 maxcmds = uap->maxcmds; 482 483 AUDIT_ARG_FD(fd); 484 485 fdp = td->td_proc->p_fd; 486 487 cmdsp = NULL; 488 if (dstcmds != NULL) { 489 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS, 490 M_WAITOK | M_ZERO); 491 } 492 493 FILEDESC_SLOCK(fdp); 494 fdep = fdeget_locked(fdp, fd); 495 if (fdep == NULL) { 496 error = EBADF; 497 FILEDESC_SUNLOCK(fdp); 498 goto out; 499 } 500 count = fdep->fde_nioctls; 501 if (count != -1 && cmdsp != NULL) { 502 ncmds = MIN(count, maxcmds); 503 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds); 504 } 505 FILEDESC_SUNLOCK(fdp); 506 507 /* 508 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL) 509 * the only sane thing we can do is to not populate the given array and 510 * return CAP_IOCTLS_ALL. 511 */ 512 if (count != -1) { 513 if (cmdsp != NULL) { 514 error = copyout(cmdsp, dstcmds, 515 sizeof(cmdsp[0]) * ncmds); 516 if (error != 0) 517 goto out; 518 } 519 td->td_retval[0] = count; 520 } else { 521 td->td_retval[0] = CAP_IOCTLS_ALL; 522 } 523 524 error = 0; 525 out: 526 free(cmdsp, M_FILECAPS); 527 return (error); 528 } 529 530 /* 531 * Test whether a capability grants the given fcntl command. 532 */ 533 int 534 cap_fcntl_check_fde(struct filedescent *fdep, int cmd) 535 { 536 uint32_t fcntlcap; 537 538 fcntlcap = (1 << cmd); 539 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0, 540 ("Unsupported fcntl=%d.", cmd)); 541 542 if ((fdep->fde_fcntls & fcntlcap) != 0) 543 return (0); 544 545 return (ENOTCAPABLE); 546 } 547 548 int 549 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd) 550 { 551 552 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 553 ("%s: invalid fd=%d", __func__, fd)); 554 555 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd)); 556 } 557 558 int 559 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 560 { 561 struct filedesc *fdp; 562 struct filedescent *fdep; 563 uint32_t fcntlrights; 564 int fd; 565 566 fd = uap->fd; 567 fcntlrights = uap->fcntlrights; 568 569 AUDIT_ARG_FD(fd); 570 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights); 571 572 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0) 573 return (EINVAL); 574 575 fdp = td->td_proc->p_fd; 576 FILEDESC_XLOCK(fdp); 577 578 fdep = fdeget_locked(fdp, fd); 579 if (fdep == NULL) { 580 FILEDESC_XUNLOCK(fdp); 581 return (EBADF); 582 } 583 584 if ((fcntlrights & ~fdep->fde_fcntls) != 0) { 585 FILEDESC_XUNLOCK(fdp); 586 return (ENOTCAPABLE); 587 } 588 589 fdep->fde_fcntls = fcntlrights; 590 FILEDESC_XUNLOCK(fdp); 591 592 return (0); 593 } 594 595 int 596 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 597 { 598 struct filedesc *fdp; 599 struct filedescent *fdep; 600 uint32_t rights; 601 int fd; 602 603 fd = uap->fd; 604 605 AUDIT_ARG_FD(fd); 606 607 fdp = td->td_proc->p_fd; 608 FILEDESC_SLOCK(fdp); 609 fdep = fdeget_locked(fdp, fd); 610 if (fdep == NULL) { 611 FILEDESC_SUNLOCK(fdp); 612 return (EBADF); 613 } 614 rights = fdep->fde_fcntls; 615 FILEDESC_SUNLOCK(fdp); 616 617 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights))); 618 } 619 620 #else /* !CAPABILITIES */ 621 622 /* 623 * Stub Capability functions for when options CAPABILITIES isn't compiled 624 * into the kernel. 625 */ 626 627 int 628 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 629 { 630 631 return (ENOSYS); 632 } 633 634 int 635 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 636 { 637 638 return (ENOSYS); 639 } 640 641 int 642 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 643 { 644 645 return (ENOSYS); 646 } 647 648 int 649 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 650 { 651 652 return (ENOSYS); 653 } 654 655 int 656 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 657 { 658 659 return (ENOSYS); 660 } 661 662 int 663 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 664 { 665 666 return (ENOSYS); 667 } 668 669 #endif /* CAPABILITIES */
Cache object: 9540ceec4d874719b1acacdc2843d70e
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]