1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright (c) 2008-2011 Robert N. M. Watson
5 * Copyright (c) 2010-2011 Jonathan Anderson
6 * Copyright (c) 2012 FreeBSD Foundation
7 * All rights reserved.
8 *
9 * This software was developed at the University of Cambridge Computer
10 * Laboratory with support from a grant from Google, Inc.
11 *
12 * Portions of this software were developed by Pawel Jakub Dawidek under
13 * sponsorship from the FreeBSD Foundation.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37 /*
38 * FreeBSD kernel capability facility.
39 *
40 * Two kernel features are implemented here: capability mode, a sandboxed mode
41 * of execution for processes, and capabilities, a refinement on file
42 * descriptors that allows fine-grained control over operations on the file
43 * descriptor. Collectively, these allow processes to run in the style of a
44 * historic "capability system" in which they can use only resources
45 * explicitly delegated to them. This model is enforced by restricting access
46 * to global namespaces in capability mode.
47 *
48 * Capabilities wrap other file descriptor types, binding them to a constant
49 * rights mask set when the capability is created. New capabilities may be
50 * derived from existing capabilities, but only if they have the same or a
51 * strict subset of the rights on the original capability.
52 *
53 * System calls permitted in capability mode are defined in capabilities.conf;
54 * calls must be carefully audited for safety to ensure that they don't allow
55 * escape from a sandbox. Some calls permit only a subset of operations in
56 * capability mode -- for example, shm_open(2) is limited to creating
57 * anonymous, rather than named, POSIX shared memory objects.
58 */
59
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD$");
62
63 #include "opt_capsicum.h"
64 #include "opt_ktrace.h"
65
66 #include <sys/param.h>
67 #include <sys/capsicum.h>
68 #include <sys/file.h>
69 #include <sys/filedesc.h>
70 #include <sys/kernel.h>
71 #include <sys/limits.h>
72 #include <sys/lock.h>
73 #include <sys/mutex.h>
74 #include <sys/proc.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysproto.h>
77 #include <sys/sysctl.h>
78 #include <sys/systm.h>
79 #include <sys/ucred.h>
80 #include <sys/uio.h>
81 #include <sys/ktrace.h>
82
83 #include <security/audit/audit.h>
84
85 #include <vm/uma.h>
86 #include <vm/vm.h>
87
88 bool __read_frequently trap_enotcap;
89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
90 "Deliver SIGTRAP on ENOTCAPABLE");
91
92 #ifdef CAPABILITY_MODE
93
94 #define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */
95
96 FEATURE(security_capability_mode, "Capsicum Capability Mode");
97
98 /*
99 * System call to enter capability mode for the process.
100 */
101 int
102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
103 {
104 struct ucred *newcred, *oldcred;
105 struct proc *p;
106
107 if (IN_CAPABILITY_MODE(td))
108 return (0);
109
110 newcred = crget();
111 p = td->td_proc;
112 PROC_LOCK(p);
113 oldcred = crcopysafe(p, newcred);
114 newcred->cr_flags |= CRED_FLAG_CAPMODE;
115 proc_set_cred(p, newcred);
116 PROC_UNLOCK(p);
117 crfree(oldcred);
118 return (0);
119 }
120
121 /*
122 * System call to query whether the process is in capability mode.
123 */
124 int
125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
126 {
127 u_int i;
128
129 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
130 return (copyout(&i, uap->modep, sizeof(i)));
131 }
132
133 #else /* !CAPABILITY_MODE */
134
135 int
136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
137 {
138
139 return (ENOSYS);
140 }
141
142 int
143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
144 {
145
146 return (ENOSYS);
147 }
148
149 #endif /* CAPABILITY_MODE */
150
151 #ifdef CAPABILITIES
152
153 FEATURE(security_capabilities, "Capsicum Capabilities");
154
155 MALLOC_DECLARE(M_FILECAPS);
156
157 static inline int
158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
159 enum ktr_cap_fail_type type)
160 {
161
162 if (!cap_rights_contains(havep, needp)) {
163 #ifdef KTRACE
164 if (KTRPOINT(curthread, KTR_CAPFAIL))
165 ktrcapfail(type, needp, havep);
166 #endif
167 return (ENOTCAPABLE);
168 }
169 return (0);
170 }
171
172 /*
173 * Test whether a capability grants the requested rights.
174 */
175 int
176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
177 {
178
179 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
180 }
181
182 /*
183 * Convert capability rights into VM access flags.
184 */
185 vm_prot_t
186 cap_rights_to_vmprot(const cap_rights_t *havep)
187 {
188 vm_prot_t maxprot;
189
190 maxprot = VM_PROT_NONE;
191 if (cap_rights_is_set(havep, CAP_MMAP_R))
192 maxprot |= VM_PROT_READ;
193 if (cap_rights_is_set(havep, CAP_MMAP_W))
194 maxprot |= VM_PROT_WRITE;
195 if (cap_rights_is_set(havep, CAP_MMAP_X))
196 maxprot |= VM_PROT_EXECUTE;
197
198 return (maxprot);
199 }
200
201 /*
202 * Extract rights from a capability for monitoring purposes -- not for use in
203 * any other way, as we want to keep all capability permission evaluation in
204 * this one file.
205 */
206
207 const cap_rights_t *
208 cap_rights_fde(const struct filedescent *fdep)
209 {
210
211 return (cap_rights_fde_inline(fdep));
212 }
213
214 const cap_rights_t *
215 cap_rights(struct filedesc *fdp, int fd)
216 {
217
218 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
219 }
220
221 int
222 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
223 {
224 struct filedesc *fdp;
225 struct filedescent *fdep;
226 u_long *ioctls;
227 int error;
228
229 fdp = td->td_proc->p_fd;
230 FILEDESC_XLOCK(fdp);
231 fdep = fdeget_locked(fdp, fd);
232 if (fdep == NULL) {
233 FILEDESC_XUNLOCK(fdp);
234 return (EBADF);
235 }
236 ioctls = NULL;
237 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
238 if (error == 0) {
239 seq_write_begin(&fdep->fde_seq);
240 fdep->fde_rights = *rights;
241 if (!cap_rights_is_set(rights, CAP_IOCTL)) {
242 ioctls = fdep->fde_ioctls;
243 fdep->fde_ioctls = NULL;
244 fdep->fde_nioctls = 0;
245 }
246 if (!cap_rights_is_set(rights, CAP_FCNTL))
247 fdep->fde_fcntls = 0;
248 seq_write_end(&fdep->fde_seq);
249 }
250 FILEDESC_XUNLOCK(fdp);
251 free(ioctls, M_FILECAPS);
252 return (error);
253 }
254
255 /*
256 * System call to limit rights of the given capability.
257 */
258 int
259 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
260 {
261 cap_rights_t rights;
262 int error, version;
263
264 cap_rights_init(&rights);
265
266 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
267 if (error != 0)
268 return (error);
269 version = CAPVER(&rights);
270 if (version != CAP_RIGHTS_VERSION_00)
271 return (EINVAL);
272
273 error = copyin(uap->rightsp, &rights,
274 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
275 if (error != 0)
276 return (error);
277 /* Check for race. */
278 if (CAPVER(&rights) != version)
279 return (EINVAL);
280
281 if (!cap_rights_is_valid(&rights))
282 return (EINVAL);
283
284 if (version != CAP_RIGHTS_VERSION) {
285 rights.cr_rights[0] &= ~(0x3ULL << 62);
286 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
287 }
288 #ifdef KTRACE
289 if (KTRPOINT(td, KTR_STRUCT))
290 ktrcaprights(&rights);
291 #endif
292
293 AUDIT_ARG_FD(uap->fd);
294 AUDIT_ARG_RIGHTS(&rights);
295 return (kern_cap_rights_limit(td, uap->fd, &rights));
296 }
297
298 /*
299 * System call to query the rights mask associated with a capability.
300 */
301 int
302 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
303 {
304 struct filedesc *fdp;
305 cap_rights_t rights;
306 int error, fd, i, n;
307
308 if (uap->version != CAP_RIGHTS_VERSION_00)
309 return (EINVAL);
310
311 fd = uap->fd;
312
313 AUDIT_ARG_FD(fd);
314
315 fdp = td->td_proc->p_fd;
316 FILEDESC_SLOCK(fdp);
317 if (fget_locked(fdp, fd) == NULL) {
318 FILEDESC_SUNLOCK(fdp);
319 return (EBADF);
320 }
321 rights = *cap_rights(fdp, fd);
322 FILEDESC_SUNLOCK(fdp);
323 n = uap->version + 2;
324 if (uap->version != CAPVER(&rights)) {
325 /*
326 * For older versions we need to check if the descriptor
327 * doesn't contain rights not understood by the caller.
328 * If it does, we have to return an error.
329 */
330 for (i = n; i < CAPARSIZE(&rights); i++) {
331 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
332 return (EINVAL);
333 }
334 }
335 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
336 #ifdef KTRACE
337 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
338 ktrcaprights(&rights);
339 #endif
340 return (error);
341 }
342
343 /*
344 * Test whether a capability grants the given ioctl command.
345 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
346 * ENOTCAPABLE will be returned.
347 */
348 int
349 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
350 {
351 struct filedescent *fdep;
352 u_long *cmds;
353 ssize_t ncmds;
354 long i;
355
356 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
357 ("%s: invalid fd=%d", __func__, fd));
358
359 fdep = fdeget_locked(fdp, fd);
360 KASSERT(fdep != NULL,
361 ("%s: invalid fd=%d", __func__, fd));
362
363 ncmds = fdep->fde_nioctls;
364 if (ncmds == -1)
365 return (0);
366
367 cmds = fdep->fde_ioctls;
368 for (i = 0; i < ncmds; i++) {
369 if (cmds[i] == cmd)
370 return (0);
371 }
372
373 return (ENOTCAPABLE);
374 }
375
376 /*
377 * Check if the current ioctls list can be replaced by the new one.
378 */
379 static int
380 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
381 size_t ncmds)
382 {
383 u_long *ocmds;
384 ssize_t oncmds;
385 u_long i;
386 long j;
387
388 oncmds = fdep->fde_nioctls;
389 if (oncmds == -1)
390 return (0);
391 if (oncmds < (ssize_t)ncmds)
392 return (ENOTCAPABLE);
393
394 ocmds = fdep->fde_ioctls;
395 for (i = 0; i < ncmds; i++) {
396 for (j = 0; j < oncmds; j++) {
397 if (cmds[i] == ocmds[j])
398 break;
399 }
400 if (j == oncmds)
401 return (ENOTCAPABLE);
402 }
403
404 return (0);
405 }
406
407 int
408 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
409 {
410 struct filedesc *fdp;
411 struct filedescent *fdep;
412 u_long *ocmds;
413 int error;
414
415 AUDIT_ARG_FD(fd);
416
417 if (ncmds > IOCTLS_MAX_COUNT) {
418 error = EINVAL;
419 goto out_free;
420 }
421
422 fdp = td->td_proc->p_fd;
423 FILEDESC_XLOCK(fdp);
424
425 fdep = fdeget_locked(fdp, fd);
426 if (fdep == NULL) {
427 error = EBADF;
428 goto out;
429 }
430
431 error = cap_ioctl_limit_check(fdep, cmds, ncmds);
432 if (error != 0)
433 goto out;
434
435 ocmds = fdep->fde_ioctls;
436 seq_write_begin(&fdep->fde_seq);
437 fdep->fde_ioctls = cmds;
438 fdep->fde_nioctls = ncmds;
439 seq_write_end(&fdep->fde_seq);
440
441 cmds = ocmds;
442 error = 0;
443 out:
444 FILEDESC_XUNLOCK(fdp);
445 out_free:
446 free(cmds, M_FILECAPS);
447 return (error);
448 }
449
450 int
451 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
452 {
453 u_long *cmds;
454 size_t ncmds;
455 int error;
456
457 ncmds = uap->ncmds;
458
459 if (ncmds > IOCTLS_MAX_COUNT)
460 return (EINVAL);
461
462 if (ncmds == 0) {
463 cmds = NULL;
464 } else {
465 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
466 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
467 if (error != 0) {
468 free(cmds, M_FILECAPS);
469 return (error);
470 }
471 }
472
473 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
474 }
475
476 int
477 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
478 {
479 struct filedesc *fdp;
480 struct filedescent *fdep;
481 u_long *cmdsp, *dstcmds;
482 size_t maxcmds, ncmds;
483 int16_t count;
484 int error, fd;
485
486 fd = uap->fd;
487 dstcmds = uap->cmds;
488 maxcmds = uap->maxcmds;
489
490 AUDIT_ARG_FD(fd);
491
492 fdp = td->td_proc->p_fd;
493
494 cmdsp = NULL;
495 if (dstcmds != NULL) {
496 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
497 M_WAITOK | M_ZERO);
498 }
499
500 FILEDESC_SLOCK(fdp);
501 fdep = fdeget_locked(fdp, fd);
502 if (fdep == NULL) {
503 error = EBADF;
504 FILEDESC_SUNLOCK(fdp);
505 goto out;
506 }
507 count = fdep->fde_nioctls;
508 if (count != -1 && cmdsp != NULL) {
509 ncmds = MIN(count, maxcmds);
510 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
511 }
512 FILEDESC_SUNLOCK(fdp);
513
514 /*
515 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
516 * the only sane thing we can do is to not populate the given array and
517 * return CAP_IOCTLS_ALL.
518 */
519 if (count != -1) {
520 if (cmdsp != NULL) {
521 error = copyout(cmdsp, dstcmds,
522 sizeof(cmdsp[0]) * ncmds);
523 if (error != 0)
524 goto out;
525 }
526 td->td_retval[0] = count;
527 } else {
528 td->td_retval[0] = CAP_IOCTLS_ALL;
529 }
530
531 error = 0;
532 out:
533 free(cmdsp, M_FILECAPS);
534 return (error);
535 }
536
537 /*
538 * Test whether a capability grants the given fcntl command.
539 */
540 int
541 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
542 {
543 uint32_t fcntlcap;
544
545 fcntlcap = (1 << cmd);
546 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
547 ("Unsupported fcntl=%d.", cmd));
548
549 if ((fdep->fde_fcntls & fcntlcap) != 0)
550 return (0);
551
552 return (ENOTCAPABLE);
553 }
554
555 int
556 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
557 {
558
559 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
560 ("%s: invalid fd=%d", __func__, fd));
561
562 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
563 }
564
565 int
566 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
567 {
568 struct filedesc *fdp;
569 struct filedescent *fdep;
570 uint32_t fcntlrights;
571 int fd;
572
573 fd = uap->fd;
574 fcntlrights = uap->fcntlrights;
575
576 AUDIT_ARG_FD(fd);
577 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
578
579 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
580 return (EINVAL);
581
582 fdp = td->td_proc->p_fd;
583 FILEDESC_XLOCK(fdp);
584
585 fdep = fdeget_locked(fdp, fd);
586 if (fdep == NULL) {
587 FILEDESC_XUNLOCK(fdp);
588 return (EBADF);
589 }
590
591 if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
592 FILEDESC_XUNLOCK(fdp);
593 return (ENOTCAPABLE);
594 }
595
596 seq_write_begin(&fdep->fde_seq);
597 fdep->fde_fcntls = fcntlrights;
598 seq_write_end(&fdep->fde_seq);
599 FILEDESC_XUNLOCK(fdp);
600
601 return (0);
602 }
603
604 int
605 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
606 {
607 struct filedesc *fdp;
608 struct filedescent *fdep;
609 uint32_t rights;
610 int fd;
611
612 fd = uap->fd;
613
614 AUDIT_ARG_FD(fd);
615
616 fdp = td->td_proc->p_fd;
617 FILEDESC_SLOCK(fdp);
618 fdep = fdeget_locked(fdp, fd);
619 if (fdep == NULL) {
620 FILEDESC_SUNLOCK(fdp);
621 return (EBADF);
622 }
623 rights = fdep->fde_fcntls;
624 FILEDESC_SUNLOCK(fdp);
625
626 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
627 }
628
629 #else /* !CAPABILITIES */
630
631 /*
632 * Stub Capability functions for when options CAPABILITIES isn't compiled
633 * into the kernel.
634 */
635
636 int
637 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
638 {
639
640 return (ENOSYS);
641 }
642
643 int
644 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
645 {
646
647 return (ENOSYS);
648 }
649
650 int
651 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
652 {
653
654 return (ENOSYS);
655 }
656
657 int
658 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
659 {
660
661 return (ENOSYS);
662 }
663
664 int
665 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
666 {
667
668 return (ENOSYS);
669 }
670
671 int
672 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
673 {
674
675 return (ENOSYS);
676 }
677
678 #endif /* CAPABILITIES */
Cache object: b0cd8b9780ac6a28092133143ecda4d5
|