xref: /freebsd/sys/kern/subr_capability.c (revision 9768746ba83efa02837c5b9c66348db6e900208f) 
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2013 FreeBSD Foundation
5  *
6  * This software was developed by Pawel Jakub Dawidek under sponsorship from
7  * the FreeBSD Foundation.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 
31 #include <sys/cdefs.h>
32 __FBSDID("$FreeBSD$");
33 
34 /*
35  * Note that this file is compiled into the kernel and into libc.
36  */
37 
38 #include <sys/types.h>
39 #include <sys/capsicum.h>
40 
41 #ifdef _KERNEL
42 #include <sys/systm.h>
43 #include <sys/kernel.h>
44 #include <machine/stdarg.h>
45 #else	/* !_KERNEL */
46 #include <assert.h>
47 #include <stdarg.h>
48 #include <stdbool.h>
49 #include <stdint.h>
50 #include <string.h>
51 #endif
52 
53 #ifdef _KERNEL
54 #define	assert(exp)	KASSERT((exp), ("%s:%u", __func__, __LINE__))
55 __read_mostly cap_rights_t cap_accept_rights;
56 __read_mostly cap_rights_t cap_bind_rights;
57 __read_mostly cap_rights_t cap_chflags_rights;
58 __read_mostly cap_rights_t cap_connect_rights;
59 __read_mostly cap_rights_t cap_event_rights;
60 __read_mostly cap_rights_t cap_fchdir_rights;
61 __read_mostly cap_rights_t cap_fchflags_rights;
62 __read_mostly cap_rights_t cap_fchmod_rights;
63 __read_mostly cap_rights_t cap_fchown_rights;
64 __read_mostly cap_rights_t cap_fcntl_rights;
65 __read_mostly cap_rights_t cap_fexecve_rights;
66 __read_mostly cap_rights_t cap_flock_rights;
67 __read_mostly cap_rights_t cap_fpathconf_rights;
68 __read_mostly cap_rights_t cap_fstat_rights;
69 __read_mostly cap_rights_t cap_fstatfs_rights;
70 __read_mostly cap_rights_t cap_fsync_rights;
71 __read_mostly cap_rights_t cap_ftruncate_rights;
72 __read_mostly cap_rights_t cap_futimes_rights;
73 __read_mostly cap_rights_t cap_getpeername_rights;
74 __read_mostly cap_rights_t cap_getsockopt_rights;
75 __read_mostly cap_rights_t cap_getsockname_rights;
76 __read_mostly cap_rights_t cap_ioctl_rights;
77 __read_mostly cap_rights_t cap_listen_rights;
78 __read_mostly cap_rights_t cap_linkat_source_rights;
79 __read_mostly cap_rights_t cap_linkat_target_rights;
80 __read_mostly cap_rights_t cap_mmap_rights;
81 __read_mostly cap_rights_t cap_mkdirat_rights;
82 __read_mostly cap_rights_t cap_mkfifoat_rights;
83 __read_mostly cap_rights_t cap_mknodat_rights;
84 __read_mostly cap_rights_t cap_pdgetpid_rights;
85 __read_mostly cap_rights_t cap_pdkill_rights;
86 __read_mostly cap_rights_t cap_pread_rights;
87 __read_mostly cap_rights_t cap_pwrite_rights;
88 __read_mostly cap_rights_t cap_read_rights;
89 __read_mostly cap_rights_t cap_recv_rights;
90 __read_mostly cap_rights_t cap_renameat_source_rights;
91 __read_mostly cap_rights_t cap_renameat_target_rights;
92 __read_mostly cap_rights_t cap_seek_rights;
93 __read_mostly cap_rights_t cap_send_rights;
94 __read_mostly cap_rights_t cap_send_connect_rights;
95 __read_mostly cap_rights_t cap_setsockopt_rights;
96 __read_mostly cap_rights_t cap_shutdown_rights;
97 __read_mostly cap_rights_t cap_symlinkat_rights;
98 __read_mostly cap_rights_t cap_unlinkat_rights;
99 __read_mostly cap_rights_t cap_write_rights;
100 __read_mostly cap_rights_t cap_no_rights;
101 
102 static void
103 cap_rights_sysinit(void *arg)
104 {
105 	cap_rights_init_one(&cap_accept_rights, CAP_ACCEPT);
106 	cap_rights_init_one(&cap_bind_rights, CAP_BIND);
107 	cap_rights_init_one(&cap_connect_rights, CAP_CONNECT);
108 	cap_rights_init_one(&cap_event_rights, CAP_EVENT);
109 	cap_rights_init_one(&cap_fchdir_rights, CAP_FCHDIR);
110 	cap_rights_init_one(&cap_fchflags_rights, CAP_FCHFLAGS);
111 	cap_rights_init_one(&cap_fchmod_rights, CAP_FCHMOD);
112 	cap_rights_init_one(&cap_fchown_rights, CAP_FCHOWN);
113 	cap_rights_init_one(&cap_fcntl_rights, CAP_FCNTL);
114 	cap_rights_init_one(&cap_fexecve_rights, CAP_FEXECVE);
115 	cap_rights_init_one(&cap_flock_rights, CAP_FLOCK);
116 	cap_rights_init_one(&cap_fpathconf_rights, CAP_FPATHCONF);
117 	cap_rights_init_one(&cap_fstat_rights, CAP_FSTAT);
118 	cap_rights_init_one(&cap_fstatfs_rights, CAP_FSTATFS);
119 	cap_rights_init_one(&cap_fsync_rights, CAP_FSYNC);
120 	cap_rights_init_one(&cap_ftruncate_rights, CAP_FTRUNCATE);
121 	cap_rights_init_one(&cap_futimes_rights, CAP_FUTIMES);
122 	cap_rights_init_one(&cap_getpeername_rights, CAP_GETPEERNAME);
123 	cap_rights_init_one(&cap_getsockname_rights, CAP_GETSOCKNAME);
124 	cap_rights_init_one(&cap_getsockopt_rights, CAP_GETSOCKOPT);
125 	cap_rights_init_one(&cap_ioctl_rights, CAP_IOCTL);
126 	cap_rights_init_one(&cap_linkat_source_rights, CAP_LINKAT_SOURCE);
127 	cap_rights_init_one(&cap_linkat_target_rights, CAP_LINKAT_TARGET);
128 	cap_rights_init_one(&cap_listen_rights, CAP_LISTEN);
129 	cap_rights_init_one(&cap_mkdirat_rights, CAP_MKDIRAT);
130 	cap_rights_init_one(&cap_mkfifoat_rights, CAP_MKFIFOAT);
131 	cap_rights_init_one(&cap_mknodat_rights, CAP_MKNODAT);
132 	cap_rights_init_one(&cap_mmap_rights, CAP_MMAP);
133 	cap_rights_init_one(&cap_pdgetpid_rights, CAP_PDGETPID);
134 	cap_rights_init_one(&cap_pdkill_rights, CAP_PDKILL);
135 	cap_rights_init_one(&cap_pread_rights, CAP_PREAD);
136 	cap_rights_init_one(&cap_pwrite_rights, CAP_PWRITE);
137 	cap_rights_init_one(&cap_read_rights, CAP_READ);
138 	cap_rights_init_one(&cap_recv_rights, CAP_RECV);
139 	cap_rights_init_one(&cap_renameat_source_rights, CAP_RENAMEAT_SOURCE);
140 	cap_rights_init_one(&cap_renameat_target_rights, CAP_RENAMEAT_TARGET);
141 	cap_rights_init_one(&cap_seek_rights, CAP_SEEK);
142 	cap_rights_init_one(&cap_send_rights, CAP_SEND);
143 	cap_rights_init(&cap_send_connect_rights, CAP_SEND, CAP_CONNECT);
144 	cap_rights_init_one(&cap_setsockopt_rights, CAP_SETSOCKOPT);
145 	cap_rights_init_one(&cap_shutdown_rights, CAP_SHUTDOWN);
146 	cap_rights_init_one(&cap_symlinkat_rights, CAP_SYMLINKAT);
147 	cap_rights_init_one(&cap_unlinkat_rights, CAP_UNLINKAT);
148 	cap_rights_init_one(&cap_write_rights, CAP_WRITE);
149 	cap_rights_init(&cap_no_rights);
150 }
151 SYSINIT(cap_rights_sysinit, SI_SUB_COPYRIGHT, SI_ORDER_ANY, cap_rights_sysinit,
152     NULL);
153 
154 #endif
155 
156 #define	CAPARSIZE_MIN	(CAP_RIGHTS_VERSION_00 + 2)
157 #define	CAPARSIZE_MAX	(CAP_RIGHTS_VERSION + 2)
158 
159 static __inline int
160 right_to_index(uint64_t right)
161 {
162 	static const int bit2idx[] = {
163 		-1, 0, 1, -1, 2, -1, -1, -1, 3, -1, -1, -1, -1, -1, -1, -1,
164 		4, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
165 	};
166 	int idx;
167 
168 	idx = CAPIDXBIT(right);
169 	assert(idx >= 0 && idx < sizeof(bit2idx) / sizeof(bit2idx[0]));
170 	return (bit2idx[idx]);
171 }
172 
173 static void
174 cap_rights_vset(cap_rights_t *rights, va_list ap)
175 {
176 	uint64_t right;
177 	int i, n __unused;
178 
179 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
180 
181 	n = CAPARSIZE(rights);
182 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
183 
184 	for (;;) {
185 		right = (uint64_t)va_arg(ap, unsigned long long);
186 		if (right == 0)
187 			break;
188 		assert(CAPRVER(right) == 0);
189 		i = right_to_index(right);
190 		assert(i >= 0);
191 		assert(i < n);
192 		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
193 		rights->cr_rights[i] |= right;
194 		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
195 	}
196 }
197 
198 static void
199 cap_rights_vclear(cap_rights_t *rights, va_list ap)
200 {
201 	uint64_t right;
202 	int i, n __unused;
203 
204 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
205 
206 	n = CAPARSIZE(rights);
207 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
208 
209 	for (;;) {
210 		right = (uint64_t)va_arg(ap, unsigned long long);
211 		if (right == 0)
212 			break;
213 		assert(CAPRVER(right) == 0);
214 		i = right_to_index(right);
215 		assert(i >= 0);
216 		assert(i < n);
217 		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
218 		rights->cr_rights[i] &= ~(right & 0x01FFFFFFFFFFFFFFULL);
219 		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
220 	}
221 }
222 
223 static bool
224 cap_rights_is_vset(const cap_rights_t *rights, va_list ap)
225 {
226 	uint64_t right;
227 	int i, n __unused;
228 
229 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
230 
231 	n = CAPARSIZE(rights);
232 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
233 
234 	for (;;) {
235 		right = (uint64_t)va_arg(ap, unsigned long long);
236 		if (right == 0)
237 			break;
238 		assert(CAPRVER(right) == 0);
239 		i = right_to_index(right);
240 		assert(i >= 0);
241 		assert(i < n);
242 		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
243 		if ((rights->cr_rights[i] & right) != right)
244 			return (false);
245 	}
246 
247 	return (true);
248 }
249 
250 cap_rights_t *
251 __cap_rights_init(int version, cap_rights_t *rights, ...)
252 {
253 	unsigned int n __unused;
254 	va_list ap;
255 
256 	assert(version == CAP_RIGHTS_VERSION_00);
257 
258 	n = version + 2;
259 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
260 	CAP_NONE(rights);
261 	va_start(ap, rights);
262 	cap_rights_vset(rights, ap);
263 	va_end(ap);
264 
265 	return (rights);
266 }
267 
268 cap_rights_t *
269 __cap_rights_set(cap_rights_t *rights, ...)
270 {
271 	va_list ap;
272 
273 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
274 
275 	va_start(ap, rights);
276 	cap_rights_vset(rights, ap);
277 	va_end(ap);
278 
279 	return (rights);
280 }
281 
282 cap_rights_t *
283 __cap_rights_clear(cap_rights_t *rights, ...)
284 {
285 	va_list ap;
286 
287 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
288 
289 	va_start(ap, rights);
290 	cap_rights_vclear(rights, ap);
291 	va_end(ap);
292 
293 	return (rights);
294 }
295 
296 bool
297 __cap_rights_is_set(const cap_rights_t *rights, ...)
298 {
299 	va_list ap;
300 	bool ret;
301 
302 	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
303 
304 	va_start(ap, rights);
305 	ret = cap_rights_is_vset(rights, ap);
306 	va_end(ap);
307 
308 	return (ret);
309 }
310 
311 bool
312 cap_rights_is_valid(const cap_rights_t *rights)
313 {
314 	cap_rights_t allrights;
315 	int i, j;
316 
317 	if (CAPVER(rights) != CAP_RIGHTS_VERSION_00)
318 		return (false);
319 	if (CAPARSIZE(rights) < CAPARSIZE_MIN ||
320 	    CAPARSIZE(rights) > CAPARSIZE_MAX) {
321 		return (false);
322 	}
323 	CAP_ALL(&allrights);
324 	if (!cap_rights_contains(&allrights, rights))
325 		return (false);
326 	for (i = 0; i < CAPARSIZE(rights); i++) {
327 		j = right_to_index(rights->cr_rights[i]);
328 		if (i != j)
329 			return (false);
330 		if (i > 0) {
331 			if (CAPRVER(rights->cr_rights[i]) != 0)
332 				return (false);
333 		}
334 	}
335 
336 	return (true);
337 }
338 
339 cap_rights_t *
340 cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src)
341 {
342 	unsigned int i, n;
343 
344 	assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00);
345 	assert(CAPVER(src) == CAP_RIGHTS_VERSION_00);
346 	assert(CAPVER(dst) == CAPVER(src));
347 	assert(cap_rights_is_valid(src));
348 	assert(cap_rights_is_valid(dst));
349 
350 	n = CAPARSIZE(dst);
351 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
352 
353 	for (i = 0; i < n; i++)
354 		dst->cr_rights[i] |= src->cr_rights[i];
355 
356 	assert(cap_rights_is_valid(src));
357 	assert(cap_rights_is_valid(dst));
358 
359 	return (dst);
360 }
361 
362 cap_rights_t *
363 cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src)
364 {
365 	unsigned int i, n;
366 
367 	assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00);
368 	assert(CAPVER(src) == CAP_RIGHTS_VERSION_00);
369 	assert(CAPVER(dst) == CAPVER(src));
370 	assert(cap_rights_is_valid(src));
371 	assert(cap_rights_is_valid(dst));
372 
373 	n = CAPARSIZE(dst);
374 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
375 
376 	for (i = 0; i < n; i++) {
377 		dst->cr_rights[i] &=
378 		    ~(src->cr_rights[i] & 0x01FFFFFFFFFFFFFFULL);
379 	}
380 
381 	assert(cap_rights_is_valid(src));
382 	assert(cap_rights_is_valid(dst));
383 
384 	return (dst);
385 }
386 
387 #ifndef _KERNEL
388 bool
389 cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little)
390 {
391 	unsigned int i, n;
392 
393 	assert(CAPVER(big) == CAP_RIGHTS_VERSION_00);
394 	assert(CAPVER(little) == CAP_RIGHTS_VERSION_00);
395 	assert(CAPVER(big) == CAPVER(little));
396 
397 	n = CAPARSIZE(big);
398 	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
399 
400 	for (i = 0; i < n; i++) {
401 		if ((big->cr_rights[i] & little->cr_rights[i]) !=
402 		    little->cr_rights[i]) {
403 			return (false);
404 		}
405 	}
406 
407 	return (true);
408 }
409 #endif
410