1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2013 FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Pawel Jakub Dawidek under sponsorship from 8 * the FreeBSD Foundation. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 /* 36 * Note that this file is compiled into the kernel and into libc. 37 */ 38 39 #include <sys/types.h> 40 #include <sys/capsicum.h> 41 42 #ifdef _KERNEL 43 #include <sys/systm.h> 44 #include <sys/kernel.h> 45 #include <machine/stdarg.h> 46 #else /* !_KERNEL */ 47 #include <assert.h> 48 #include <stdarg.h> 49 #include <stdbool.h> 50 #include <stdint.h> 51 #include <string.h> 52 #endif 53 54 #ifdef _KERNEL 55 #define assert(exp) KASSERT((exp), ("%s:%u", __func__, __LINE__)) 56 __read_mostly cap_rights_t cap_accept_rights; 57 __read_mostly cap_rights_t cap_bind_rights; 58 __read_mostly cap_rights_t cap_chflags_rights; 59 __read_mostly cap_rights_t cap_connect_rights; 60 __read_mostly cap_rights_t cap_event_rights; 61 __read_mostly cap_rights_t cap_fchdir_rights; 62 __read_mostly cap_rights_t cap_fchflags_rights; 63 __read_mostly cap_rights_t cap_fchmod_rights; 64 __read_mostly cap_rights_t cap_fchown_rights; 65 __read_mostly cap_rights_t cap_fcntl_rights; 66 __read_mostly cap_rights_t cap_fexecve_rights; 67 __read_mostly cap_rights_t cap_flock_rights; 68 __read_mostly cap_rights_t cap_fpathconf_rights; 69 __read_mostly cap_rights_t cap_fstat_rights; 70 __read_mostly cap_rights_t cap_fstatfs_rights; 71 __read_mostly cap_rights_t cap_fsync_rights; 72 __read_mostly cap_rights_t cap_ftruncate_rights; 73 __read_mostly cap_rights_t cap_futimes_rights; 74 __read_mostly cap_rights_t cap_getpeername_rights; 75 __read_mostly cap_rights_t cap_getsockopt_rights; 76 __read_mostly cap_rights_t cap_getsockname_rights; 77 __read_mostly cap_rights_t cap_ioctl_rights; 78 __read_mostly cap_rights_t cap_listen_rights; 79 __read_mostly cap_rights_t cap_linkat_source_rights; 80 __read_mostly cap_rights_t cap_linkat_target_rights; 81 __read_mostly cap_rights_t cap_mmap_rights; 82 __read_mostly cap_rights_t cap_mkdirat_rights; 83 __read_mostly cap_rights_t cap_mkfifoat_rights; 84 __read_mostly cap_rights_t cap_mknodat_rights; 85 __read_mostly cap_rights_t cap_pdgetpid_rights; 86 __read_mostly cap_rights_t cap_pdkill_rights; 87 __read_mostly cap_rights_t cap_pread_rights; 88 __read_mostly cap_rights_t cap_pwrite_rights; 89 __read_mostly cap_rights_t cap_read_rights; 90 __read_mostly cap_rights_t cap_recv_rights; 91 __read_mostly cap_rights_t cap_renameat_source_rights; 92 __read_mostly cap_rights_t cap_renameat_target_rights; 93 __read_mostly cap_rights_t cap_seek_rights; 94 __read_mostly cap_rights_t cap_send_rights; 95 __read_mostly cap_rights_t cap_send_connect_rights; 96 __read_mostly cap_rights_t cap_setsockopt_rights; 97 __read_mostly cap_rights_t cap_shutdown_rights; 98 __read_mostly cap_rights_t cap_symlinkat_rights; 99 __read_mostly cap_rights_t cap_unlinkat_rights; 100 __read_mostly cap_rights_t cap_write_rights; 101 __read_mostly cap_rights_t cap_no_rights; 102 103 static void 104 __cap_rights_sysinit1(void *arg) 105 { 106 cap_rights_init(&cap_accept_rights, CAP_ACCEPT); 107 cap_rights_init(&cap_bind_rights, CAP_BIND); 108 cap_rights_init(&cap_connect_rights, CAP_CONNECT); 109 cap_rights_init(&cap_event_rights, CAP_EVENT); 110 cap_rights_init(&cap_fchdir_rights, CAP_FCHDIR); 111 cap_rights_init(&cap_fchflags_rights, CAP_FCHFLAGS); 112 cap_rights_init(&cap_fchmod_rights, CAP_FCHMOD); 113 cap_rights_init(&cap_fchown_rights, CAP_FCHOWN); 114 cap_rights_init(&cap_fcntl_rights, CAP_FCNTL); 115 cap_rights_init(&cap_fexecve_rights, CAP_FEXECVE); 116 cap_rights_init(&cap_flock_rights, CAP_FLOCK); 117 cap_rights_init(&cap_fpathconf_rights, CAP_FPATHCONF); 118 cap_rights_init(&cap_fstat_rights, CAP_FSTAT); 119 cap_rights_init(&cap_fstatfs_rights, CAP_FSTATFS); 120 cap_rights_init(&cap_fsync_rights, CAP_FSYNC); 121 cap_rights_init(&cap_ftruncate_rights, CAP_FTRUNCATE); 122 cap_rights_init(&cap_futimes_rights, CAP_FUTIMES); 123 cap_rights_init(&cap_getpeername_rights, CAP_GETPEERNAME); 124 cap_rights_init(&cap_getsockname_rights, CAP_GETSOCKNAME); 125 cap_rights_init(&cap_getsockopt_rights, CAP_GETSOCKOPT); 126 cap_rights_init(&cap_ioctl_rights, CAP_IOCTL); 127 cap_rights_init(&cap_linkat_source_rights, CAP_LINKAT_SOURCE); 128 cap_rights_init(&cap_linkat_target_rights, CAP_LINKAT_TARGET); 129 cap_rights_init(&cap_listen_rights, CAP_LISTEN); 130 cap_rights_init(&cap_mkdirat_rights, CAP_MKDIRAT); 131 cap_rights_init(&cap_mkfifoat_rights, CAP_MKFIFOAT); 132 cap_rights_init(&cap_mknodat_rights, CAP_MKNODAT); 133 cap_rights_init(&cap_mmap_rights, CAP_MMAP); 134 cap_rights_init(&cap_pdgetpid_rights, CAP_PDGETPID); 135 cap_rights_init(&cap_pdkill_rights, CAP_PDKILL); 136 cap_rights_init(&cap_pread_rights, CAP_PREAD); 137 cap_rights_init(&cap_pwrite_rights, CAP_PWRITE); 138 cap_rights_init(&cap_read_rights, CAP_READ); 139 cap_rights_init(&cap_recv_rights, CAP_RECV); 140 cap_rights_init(&cap_renameat_source_rights, CAP_RENAMEAT_SOURCE); 141 cap_rights_init(&cap_renameat_target_rights, CAP_RENAMEAT_TARGET); 142 cap_rights_init(&cap_seek_rights, CAP_SEEK); 143 cap_rights_init(&cap_send_rights, CAP_SEND); 144 cap_rights_init(&cap_send_connect_rights, CAP_SEND, CAP_CONNECT); 145 cap_rights_init(&cap_setsockopt_rights, CAP_SETSOCKOPT); 146 cap_rights_init(&cap_shutdown_rights, CAP_SHUTDOWN); 147 cap_rights_init(&cap_symlinkat_rights, CAP_SYMLINKAT); 148 cap_rights_init(&cap_unlinkat_rights, CAP_UNLINKAT); 149 cap_rights_init(&cap_write_rights, CAP_WRITE); 150 cap_rights_init(&cap_no_rights); 151 } 152 SYSINIT(cap_rights1_sysinit, SI_SUB_COPYRIGHT, SI_ORDER_ANY, \ 153 __cap_rights_sysinit1, NULL); 154 155 #endif 156 157 #define CAPARSIZE_MIN (CAP_RIGHTS_VERSION_00 + 2) 158 #define CAPARSIZE_MAX (CAP_RIGHTS_VERSION + 2) 159 160 static __inline int 161 right_to_index(uint64_t right) 162 { 163 static const int bit2idx[] = { 164 -1, 0, 1, -1, 2, -1, -1, -1, 3, -1, -1, -1, -1, -1, -1, -1, 165 4, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 166 }; 167 int idx; 168 169 idx = CAPIDXBIT(right); 170 assert(idx >= 0 && idx < sizeof(bit2idx) / sizeof(bit2idx[0])); 171 return (bit2idx[idx]); 172 } 173 174 static void 175 cap_rights_vset(cap_rights_t *rights, va_list ap) 176 { 177 uint64_t right; 178 int i, n __unused; 179 180 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 181 182 n = CAPARSIZE(rights); 183 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 184 185 for (;;) { 186 right = (uint64_t)va_arg(ap, unsigned long long); 187 if (right == 0) 188 break; 189 assert(CAPRVER(right) == 0); 190 i = right_to_index(right); 191 assert(i >= 0); 192 assert(i < n); 193 assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right)); 194 rights->cr_rights[i] |= right; 195 assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right)); 196 } 197 } 198 199 static void 200 cap_rights_vclear(cap_rights_t *rights, va_list ap) 201 { 202 uint64_t right; 203 int i, n __unused; 204 205 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 206 207 n = CAPARSIZE(rights); 208 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 209 210 for (;;) { 211 right = (uint64_t)va_arg(ap, unsigned long long); 212 if (right == 0) 213 break; 214 assert(CAPRVER(right) == 0); 215 i = right_to_index(right); 216 assert(i >= 0); 217 assert(i < n); 218 assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right)); 219 rights->cr_rights[i] &= ~(right & 0x01FFFFFFFFFFFFFFULL); 220 assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right)); 221 } 222 } 223 224 static bool 225 cap_rights_is_vset(const cap_rights_t *rights, va_list ap) 226 { 227 uint64_t right; 228 int i, n __unused; 229 230 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 231 232 n = CAPARSIZE(rights); 233 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 234 235 for (;;) { 236 right = (uint64_t)va_arg(ap, unsigned long long); 237 if (right == 0) 238 break; 239 assert(CAPRVER(right) == 0); 240 i = right_to_index(right); 241 assert(i >= 0); 242 assert(i < n); 243 assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right)); 244 if ((rights->cr_rights[i] & right) != right) 245 return (false); 246 } 247 248 return (true); 249 } 250 251 void 252 __cap_rights_sysinit(void *arg) 253 { 254 struct cap_rights_init_args *cria = arg; 255 cap_rights_t *rights = cria->cria_rights; 256 257 __cap_rights_init(CAP_RIGHTS_VERSION, rights, cria->cria_value1, 258 cria->cria_value2, cria->cria_value3, cria->cria_value4, 0ULL); 259 } 260 261 cap_rights_t * 262 __cap_rights_init(int version, cap_rights_t *rights, ...) 263 { 264 unsigned int n __unused; 265 va_list ap; 266 267 assert(version == CAP_RIGHTS_VERSION_00); 268 269 n = version + 2; 270 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 271 CAP_NONE(rights); 272 va_start(ap, rights); 273 cap_rights_vset(rights, ap); 274 va_end(ap); 275 276 return (rights); 277 } 278 279 cap_rights_t * 280 __cap_rights_set(cap_rights_t *rights, ...) 281 { 282 va_list ap; 283 284 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 285 286 va_start(ap, rights); 287 cap_rights_vset(rights, ap); 288 va_end(ap); 289 290 return (rights); 291 } 292 293 cap_rights_t * 294 __cap_rights_clear(cap_rights_t *rights, ...) 295 { 296 va_list ap; 297 298 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 299 300 va_start(ap, rights); 301 cap_rights_vclear(rights, ap); 302 va_end(ap); 303 304 return (rights); 305 } 306 307 bool 308 __cap_rights_is_set(const cap_rights_t *rights, ...) 309 { 310 va_list ap; 311 bool ret; 312 313 assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00); 314 315 va_start(ap, rights); 316 ret = cap_rights_is_vset(rights, ap); 317 va_end(ap); 318 319 return (ret); 320 } 321 322 bool 323 cap_rights_is_valid(const cap_rights_t *rights) 324 { 325 cap_rights_t allrights; 326 int i, j; 327 328 if (CAPVER(rights) != CAP_RIGHTS_VERSION_00) 329 return (false); 330 if (CAPARSIZE(rights) < CAPARSIZE_MIN || 331 CAPARSIZE(rights) > CAPARSIZE_MAX) { 332 return (false); 333 } 334 CAP_ALL(&allrights); 335 if (!cap_rights_contains(&allrights, rights)) 336 return (false); 337 for (i = 0; i < CAPARSIZE(rights); i++) { 338 j = right_to_index(rights->cr_rights[i]); 339 if (i != j) 340 return (false); 341 if (i > 0) { 342 if (CAPRVER(rights->cr_rights[i]) != 0) 343 return (false); 344 } 345 } 346 347 return (true); 348 } 349 350 cap_rights_t * 351 cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src) 352 { 353 unsigned int i, n; 354 355 assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00); 356 assert(CAPVER(src) == CAP_RIGHTS_VERSION_00); 357 assert(CAPVER(dst) == CAPVER(src)); 358 assert(cap_rights_is_valid(src)); 359 assert(cap_rights_is_valid(dst)); 360 361 n = CAPARSIZE(dst); 362 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 363 364 for (i = 0; i < n; i++) 365 dst->cr_rights[i] |= src->cr_rights[i]; 366 367 assert(cap_rights_is_valid(src)); 368 assert(cap_rights_is_valid(dst)); 369 370 return (dst); 371 } 372 373 cap_rights_t * 374 cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src) 375 { 376 unsigned int i, n; 377 378 assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00); 379 assert(CAPVER(src) == CAP_RIGHTS_VERSION_00); 380 assert(CAPVER(dst) == CAPVER(src)); 381 assert(cap_rights_is_valid(src)); 382 assert(cap_rights_is_valid(dst)); 383 384 n = CAPARSIZE(dst); 385 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 386 387 for (i = 0; i < n; i++) { 388 dst->cr_rights[i] &= 389 ~(src->cr_rights[i] & 0x01FFFFFFFFFFFFFFULL); 390 } 391 392 assert(cap_rights_is_valid(src)); 393 assert(cap_rights_is_valid(dst)); 394 395 return (dst); 396 } 397 398 #ifndef _KERNEL 399 bool 400 cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little) 401 { 402 unsigned int i, n; 403 404 assert(CAPVER(big) == CAP_RIGHTS_VERSION_00); 405 assert(CAPVER(little) == CAP_RIGHTS_VERSION_00); 406 assert(CAPVER(big) == CAPVER(little)); 407 408 n = CAPARSIZE(big); 409 assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX); 410 411 for (i = 0; i < n; i++) { 412 if ((big->cr_rights[i] & little->cr_rights[i]) != 413 little->cr_rights[i]) { 414 return (false); 415 } 416 } 417 418 return (true); 419 } 420 #endif 421