sys/kern/sys_capability.c

96fcc75fSRobert Watson/*-
8a36da99SPedro F. Giffuni * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
8a36da99SPedro F. Giffuni *
96fcc75fSRobert Watson * Copyright (c) 2008-2011 Robert N. M. Watson
96fcc75fSRobert Watson * Copyright (c) 2010-2011 Jonathan Anderson
2609222aSPawel Jakub Dawidek * Copyright (c) 2012 FreeBSD Foundation
96fcc75fSRobert Watson * All rights reserved.
96fcc75fSRobert Watson *
96fcc75fSRobert Watson * This software was developed at the University of Cambridge Computer
96fcc75fSRobert Watson * Laboratory with support from a grant from Google, Inc.
96fcc75fSRobert Watson *
2609222aSPawel Jakub Dawidek * Portions of this software were developed by Pawel Jakub Dawidek under
2609222aSPawel Jakub Dawidek * sponsorship from the FreeBSD Foundation.
2609222aSPawel Jakub Dawidek *
96fcc75fSRobert Watson * Redistribution and use in source and binary forms, with or without
96fcc75fSRobert Watson * modification, are permitted provided that the following conditions
96fcc75fSRobert Watson * are met:
96fcc75fSRobert Watson * 1. Redistributions of source code must retain the above copyright
96fcc75fSRobert Watson *    notice, this list of conditions and the following disclaimer.
96fcc75fSRobert Watson * 2. Redistributions in binary form must reproduce the above copyright
96fcc75fSRobert Watson *    notice, this list of conditions and the following disclaimer in the
96fcc75fSRobert Watson *    documentation and/or other materials provided with the distribution.
96fcc75fSRobert Watson *
96fcc75fSRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
96fcc75fSRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
96fcc75fSRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
96fcc75fSRobert Watson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
96fcc75fSRobert Watson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
96fcc75fSRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
96fcc75fSRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
96fcc75fSRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
96fcc75fSRobert Watson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
96fcc75fSRobert Watson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
96fcc75fSRobert Watson * SUCH DAMAGE.
96fcc75fSRobert Watson */
96fcc75fSRobert Watson
96fcc75fSRobert Watson/*
96fcc75fSRobert Watson * FreeBSD kernel capability facility.
96fcc75fSRobert Watson *
73516dbdSRobert Watson * Two kernel features are implemented here: capability mode, a sandboxed mode
73516dbdSRobert Watson * of execution for processes, and capabilities, a refinement on file
73516dbdSRobert Watson * descriptors that allows fine-grained control over operations on the file
73516dbdSRobert Watson * descriptor.  Collectively, these allow processes to run in the style of a
73516dbdSRobert Watson * historic "capability system" in which they can use only resources
73516dbdSRobert Watson * explicitly delegated to them.  This model is enforced by restricting access
73516dbdSRobert Watson * to global namespaces in capability mode.
96fcc75fSRobert Watson *
73516dbdSRobert Watson * Capabilities wrap other file descriptor types, binding them to a constant
73516dbdSRobert Watson * rights mask set when the capability is created.  New capabilities may be
73516dbdSRobert Watson * derived from existing capabilities, but only if they have the same or a
73516dbdSRobert Watson * strict subset of the rights on the original capability.
73516dbdSRobert Watson *
73516dbdSRobert Watson * System calls permitted in capability mode are defined in capabilities.conf;
73516dbdSRobert Watson * calls must be carefully audited for safety to ensure that they don't allow
73516dbdSRobert Watson * escape from a sandbox.  Some calls permit only a subset of operations in
73516dbdSRobert Watson * capability mode -- for example, shm_open(2) is limited to creating
73516dbdSRobert Watson * anonymous, rather than named, POSIX shared memory objects.
96fcc75fSRobert Watson */
96fcc75fSRobert Watson
96fcc75fSRobert Watson#include <sys/cdefs.h>
96fcc75fSRobert Watson__FBSDID("$FreeBSD$");
96fcc75fSRobert Watson
297f1103SPawel Jakub Dawidek#include "opt_capsicum.h"
297f1103SPawel Jakub Dawidek#include "opt_ktrace.h"
297f1103SPawel Jakub Dawidek
96fcc75fSRobert Watson#include <sys/param.h>
4a144410SRobert Watson#include <sys/capsicum.h>
96fcc75fSRobert Watson#include <sys/file.h>
96fcc75fSRobert Watson#include <sys/filedesc.h>
96fcc75fSRobert Watson#include <sys/kernel.h>
2609222aSPawel Jakub Dawidek#include <sys/limits.h>
96fcc75fSRobert Watson#include <sys/lock.h>
96fcc75fSRobert Watson#include <sys/mutex.h>
96fcc75fSRobert Watson#include <sys/proc.h>
0dac22d8SPawel Jakub Dawidek#include <sys/syscallsubr.h>
96fcc75fSRobert Watson#include <sys/sysproto.h>
96fcc75fSRobert Watson#include <sys/sysctl.h>
96fcc75fSRobert Watson#include <sys/systm.h>
96fcc75fSRobert Watson#include <sys/ucred.h>
c601ad8eSDag-Erling Smørgrav#include <sys/uio.h>
c601ad8eSDag-Erling Smørgrav#include <sys/ktrace.h>
96fcc75fSRobert Watson
96fcc75fSRobert Watson#include <security/audit/audit.h>
96fcc75fSRobert Watson
96fcc75fSRobert Watson#include <vm/uma.h>
96fcc75fSRobert Watson#include <vm/vm.h>
96fcc75fSRobert Watson
75e9b455SMateusz Guzikbool __read_frequently trap_enotcap;
afde86ebSMark JohnstonSYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
643f6f47SKonstantin Belousov    "Deliver SIGTRAP on ENOTCAPABLE");
643f6f47SKonstantin Belousov
24c1c3bfSJonathan Anderson#ifdef CAPABILITY_MODE
96fcc75fSRobert Watson
4b83a776SMariusz Zaborski#define        IOCTLS_MAX_COUNT        256     /* XXX: Is 256 sane? */
4b83a776SMariusz Zaborski
854d7b9fSRobert WatsonFEATURE(security_capability_mode, "Capsicum Capability Mode");
d783bbd2SAlexander Leidinger
96fcc75fSRobert Watson/*
96fcc75fSRobert Watson * System call to enter capability mode for the process.
96fcc75fSRobert Watson */
96fcc75fSRobert Watsonint
8451d0ddSKip Macysys_cap_enter(struct thread *td, struct cap_enter_args *uap)
96fcc75fSRobert Watson{
96fcc75fSRobert Watson	struct ucred *newcred, *oldcred;
96fcc75fSRobert Watson	struct proc *p;
96fcc75fSRobert Watson
96fcc75fSRobert Watson	if (IN_CAPABILITY_MODE(td))
96fcc75fSRobert Watson		return (0);
96fcc75fSRobert Watson
96fcc75fSRobert Watson	newcred = crget();
96fcc75fSRobert Watson	p = td->td_proc;
96fcc75fSRobert Watson	PROC_LOCK(p);
bbd685e3SMark Johnston	oldcred = crcopysafe(p, newcred);
96fcc75fSRobert Watson	newcred->cr_flags |= CRED_FLAG_CAPMODE;
daf63fd2SMateusz Guzik	proc_set_cred(p, newcred);
96fcc75fSRobert Watson	PROC_UNLOCK(p);
96fcc75fSRobert Watson	crfree(oldcred);
96fcc75fSRobert Watson	return (0);
96fcc75fSRobert Watson}
96fcc75fSRobert Watson
96fcc75fSRobert Watson/*
96fcc75fSRobert Watson * System call to query whether the process is in capability mode.
96fcc75fSRobert Watson */
96fcc75fSRobert Watsonint
8451d0ddSKip Macysys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
96fcc75fSRobert Watson{
96fcc75fSRobert Watson	u_int i;
96fcc75fSRobert Watson
11b0cfe3SPawel Jakub Dawidek	i = IN_CAPABILITY_MODE(td) ? 1 : 0;
96fcc75fSRobert Watson	return (copyout(&i, uap->modep, sizeof(i)));
96fcc75fSRobert Watson}
96fcc75fSRobert Watson
24c1c3bfSJonathan Anderson#else /* !CAPABILITY_MODE */
96fcc75fSRobert Watson
96fcc75fSRobert Watsonint
8451d0ddSKip Macysys_cap_enter(struct thread *td, struct cap_enter_args *uap)
96fcc75fSRobert Watson{
96fcc75fSRobert Watson
96fcc75fSRobert Watson	return (ENOSYS);
96fcc75fSRobert Watson}
96fcc75fSRobert Watson
96fcc75fSRobert Watsonint
8451d0ddSKip Macysys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
96fcc75fSRobert Watson{
96fcc75fSRobert Watson
96fcc75fSRobert Watson	return (ENOSYS);
96fcc75fSRobert Watson}
96fcc75fSRobert Watson
24c1c3bfSJonathan Anderson#endif /* CAPABILITY_MODE */
af098ed8SJonathan Anderson
af098ed8SJonathan Anderson#ifdef CAPABILITIES
af098ed8SJonathan Anderson
854d7b9fSRobert WatsonFEATURE(security_capabilities, "Capsicum Capabilities");
854d7b9fSRobert Watson
92981fdfSPawel Jakub DawidekMALLOC_DECLARE(M_FILECAPS);
92981fdfSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekstatic inline int
7008be5bSPawel Jakub Dawidek_cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
7008be5bSPawel Jakub Dawidek    enum ktr_cap_fail_type type)
745bae37SJonathan Anderson{
745bae37SJonathan Anderson
7008be5bSPawel Jakub Dawidek	if (!cap_rights_contains(havep, needp)) {
c601ad8eSDag-Erling Smørgrav#ifdef KTRACE
c601ad8eSDag-Erling Smørgrav		if (KTRPOINT(curthread, KTR_CAPFAIL))
7008be5bSPawel Jakub Dawidek			ktrcapfail(type, needp, havep);
c601ad8eSDag-Erling Smørgrav#endif
af098ed8SJonathan Anderson		return (ENOTCAPABLE);
c601ad8eSDag-Erling Smørgrav	}
af098ed8SJonathan Anderson	return (0);
af098ed8SJonathan Anderson}
af098ed8SJonathan Anderson
af098ed8SJonathan Anderson/*
2609222aSPawel Jakub Dawidek * Test whether a capability grants the requested rights.
2609222aSPawel Jakub Dawidek */
2609222aSPawel Jakub Dawidekint
7008be5bSPawel Jakub Dawidekcap_check(const cap_rights_t *havep, const cap_rights_t *needp)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
bcd1cf4fSMateusz Guzikint
bcd1cf4fSMateusz Guzikcap_check_failed_notcapable(const cap_rights_t *havep, const cap_rights_t *needp)
bcd1cf4fSMateusz Guzik{
bcd1cf4fSMateusz Guzik
bcd1cf4fSMateusz Guzik#ifdef KTRACE
bcd1cf4fSMateusz Guzik	if (KTRPOINT(curthread, KTR_CAPFAIL))
bcd1cf4fSMateusz Guzik		ktrcapfail(CAPFAIL_NOTCAPABLE, needp, havep);
bcd1cf4fSMateusz Guzik#endif
bcd1cf4fSMateusz Guzik	return (ENOTCAPABLE);
bcd1cf4fSMateusz Guzik}
bcd1cf4fSMateusz Guzik
2609222aSPawel Jakub Dawidek/*
2609222aSPawel Jakub Dawidek * Convert capability rights into VM access flags.
2609222aSPawel Jakub Dawidek */
0f5f49efSKyle Evansvm_prot_t
acbde298SMatt Macycap_rights_to_vmprot(const cap_rights_t *havep)
2609222aSPawel Jakub Dawidek{
0f5f49efSKyle Evans	vm_prot_t maxprot;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	maxprot = VM_PROT_NONE;
7008be5bSPawel Jakub Dawidek	if (cap_rights_is_set(havep, CAP_MMAP_R))
2609222aSPawel Jakub Dawidek		maxprot |= VM_PROT_READ;
7008be5bSPawel Jakub Dawidek	if (cap_rights_is_set(havep, CAP_MMAP_W))
2609222aSPawel Jakub Dawidek		maxprot |= VM_PROT_WRITE;
7008be5bSPawel Jakub Dawidek	if (cap_rights_is_set(havep, CAP_MMAP_X))
2609222aSPawel Jakub Dawidek		maxprot |= VM_PROT_EXECUTE;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (maxprot);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek/*
745bae37SJonathan Anderson * Extract rights from a capability for monitoring purposes -- not for use in
745bae37SJonathan Anderson * any other way, as we want to keep all capability permission evaluation in
745bae37SJonathan Anderson * this one file.
745bae37SJonathan Anderson */
a1bf8115SMateusz Guzik
acbde298SMatt Macyconst cap_rights_t *
acbde298SMatt Macycap_rights_fde(const struct filedescent *fdep)
a1bf8115SMateusz Guzik{
a1bf8115SMateusz Guzik
98fca94dSMateusz Guzik	return (cap_rights_fde_inline(fdep));
a1bf8115SMateusz Guzik}
a1bf8115SMateusz Guzik
acbde298SMatt Macyconst cap_rights_t *
2609222aSPawel Jakub Dawidekcap_rights(struct filedesc *fdp, int fd)
745bae37SJonathan Anderson{
745bae37SJonathan Anderson
a1bf8115SMateusz Guzik	return (cap_rights_fde(&fdp->fd_ofiles[fd]));
745bae37SJonathan Anderson}
745bae37SJonathan Anderson
aa04a06dSEd Schoutenint
aa04a06dSEd Schoutenkern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
aa04a06dSEd Schouten{
aa04a06dSEd Schouten	struct filedesc *fdp;
20641651SMariusz Zaborski	struct filedescent *fdep;
2d896b81SMark Johnston	u_long *ioctls;
aa04a06dSEd Schouten	int error;
aa04a06dSEd Schouten
aa04a06dSEd Schouten	fdp = td->td_proc->p_fd;
aa04a06dSEd Schouten	FILEDESC_XLOCK(fdp);
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
20641651SMariusz Zaborski	if (fdep == NULL) {
aa04a06dSEd Schouten		FILEDESC_XUNLOCK(fdp);
aa04a06dSEd Schouten		return (EBADF);
aa04a06dSEd Schouten	}
2d896b81SMark Johnston	ioctls = NULL;
aa04a06dSEd Schouten	error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
aa04a06dSEd Schouten	if (error == 0) {
2d896b81SMark Johnston		seqc_write_begin(&fdep->fde_seqc);
20641651SMariusz Zaborski		fdep->fde_rights = *rights;
aa04a06dSEd Schouten		if (!cap_rights_is_set(rights, CAP_IOCTL)) {
2d896b81SMark Johnston			ioctls = fdep->fde_ioctls;
20641651SMariusz Zaborski			fdep->fde_ioctls = NULL;
20641651SMariusz Zaborski			fdep->fde_nioctls = 0;
aa04a06dSEd Schouten		}
aa04a06dSEd Schouten		if (!cap_rights_is_set(rights, CAP_FCNTL))
20641651SMariusz Zaborski			fdep->fde_fcntls = 0;
2d896b81SMark Johnston		seqc_write_end(&fdep->fde_seqc);
aa04a06dSEd Schouten	}
aa04a06dSEd Schouten	FILEDESC_XUNLOCK(fdp);
2d896b81SMark Johnston	free(ioctls, M_FILECAPS);
aa04a06dSEd Schouten	return (error);
aa04a06dSEd Schouten}
aa04a06dSEd Schouten
745bae37SJonathan Anderson/*
2609222aSPawel Jakub Dawidek * System call to limit rights of the given capability.
cfb9df55SJonathan Anderson */
cfb9df55SJonathan Andersonint
2609222aSPawel Jakub Dawideksys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
cfb9df55SJonathan Anderson{
2609222aSPawel Jakub Dawidek	cap_rights_t rights;
aa04a06dSEd Schouten	int error, version;
7008be5bSPawel Jakub Dawidek
eb40664dSMateusz Guzik	cap_rights_init_zero(&rights);
7008be5bSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
7008be5bSPawel Jakub Dawidek	if (error != 0)
7008be5bSPawel Jakub Dawidek		return (error);
7008be5bSPawel Jakub Dawidek	version = CAPVER(&rights);
7008be5bSPawel Jakub Dawidek	if (version != CAP_RIGHTS_VERSION_00)
7008be5bSPawel Jakub Dawidek		return (EINVAL);
7008be5bSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	error = copyin(uap->rightsp, &rights,
7008be5bSPawel Jakub Dawidek	    sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
7008be5bSPawel Jakub Dawidek	if (error != 0)
7008be5bSPawel Jakub Dawidek		return (error);
7008be5bSPawel Jakub Dawidek	/* Check for race. */
7008be5bSPawel Jakub Dawidek	if (CAPVER(&rights) != version)
7008be5bSPawel Jakub Dawidek		return (EINVAL);
7008be5bSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	if (!cap_rights_is_valid(&rights))
7008be5bSPawel Jakub Dawidek		return (EINVAL);
7008be5bSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	if (version != CAP_RIGHTS_VERSION) {
7008be5bSPawel Jakub Dawidek		rights.cr_rights[0] &= ~(0x3ULL << 62);
7008be5bSPawel Jakub Dawidek		rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
7008be5bSPawel Jakub Dawidek	}
7008be5bSPawel Jakub Dawidek#ifdef KTRACE
7008be5bSPawel Jakub Dawidek	if (KTRPOINT(td, KTR_STRUCT))
7008be5bSPawel Jakub Dawidek		ktrcaprights(&rights);
7008be5bSPawel Jakub Dawidek#endif
2609222aSPawel Jakub Dawidek
aa04a06dSEd Schouten	AUDIT_ARG_FD(uap->fd);
7008be5bSPawel Jakub Dawidek	AUDIT_ARG_RIGHTS(&rights);
aa04a06dSEd Schouten	return (kern_cap_rights_limit(td, uap->fd, &rights));
cfb9df55SJonathan Anderson}
cfb9df55SJonathan Anderson
cfb9df55SJonathan Anderson/*
cfb9df55SJonathan Anderson * System call to query the rights mask associated with a capability.
cfb9df55SJonathan Anderson */
cfb9df55SJonathan Andersonint
7008be5bSPawel Jakub Dawideksys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
cfb9df55SJonathan Anderson{
2609222aSPawel Jakub Dawidek	struct filedesc *fdp;
2609222aSPawel Jakub Dawidek	cap_rights_t rights;
7008be5bSPawel Jakub Dawidek	int error, fd, i, n;
7008be5bSPawel Jakub Dawidek
7008be5bSPawel Jakub Dawidek	if (uap->version != CAP_RIGHTS_VERSION_00)
7008be5bSPawel Jakub Dawidek		return (EINVAL);
cfb9df55SJonathan Anderson
2609222aSPawel Jakub Dawidek	fd = uap->fd;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FD(fd);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fdp = td->td_proc->p_fd;
2609222aSPawel Jakub Dawidek	FILEDESC_SLOCK(fdp);
*f17ef286SMateusz Guzik	if (fget_noref(fdp, fd) == NULL) {
2609222aSPawel Jakub Dawidek		FILEDESC_SUNLOCK(fdp);
2609222aSPawel Jakub Dawidek		return (EBADF);
2609222aSPawel Jakub Dawidek	}
7008be5bSPawel Jakub Dawidek	rights = *cap_rights(fdp, fd);
2609222aSPawel Jakub Dawidek	FILEDESC_SUNLOCK(fdp);
7008be5bSPawel Jakub Dawidek	n = uap->version + 2;
7008be5bSPawel Jakub Dawidek	if (uap->version != CAPVER(&rights)) {
7008be5bSPawel Jakub Dawidek		/*
7008be5bSPawel Jakub Dawidek		 * For older versions we need to check if the descriptor
7008be5bSPawel Jakub Dawidek		 * doesn't contain rights not understood by the caller.
7008be5bSPawel Jakub Dawidek		 * If it does, we have to return an error.
7008be5bSPawel Jakub Dawidek		 */
7008be5bSPawel Jakub Dawidek		for (i = n; i < CAPARSIZE(&rights); i++) {
7008be5bSPawel Jakub Dawidek			if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
7008be5bSPawel Jakub Dawidek				return (EINVAL);
7008be5bSPawel Jakub Dawidek		}
7008be5bSPawel Jakub Dawidek	}
7008be5bSPawel Jakub Dawidek	error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
7008be5bSPawel Jakub Dawidek#ifdef KTRACE
7008be5bSPawel Jakub Dawidek	if (error == 0 && KTRPOINT(td, KTR_STRUCT))
7008be5bSPawel Jakub Dawidek		ktrcaprights(&rights);
7008be5bSPawel Jakub Dawidek#endif
7008be5bSPawel Jakub Dawidek	return (error);
cfb9df55SJonathan Anderson}
cfb9df55SJonathan Anderson
cfb9df55SJonathan Anderson/*
2609222aSPawel Jakub Dawidek * Test whether a capability grants the given ioctl command.
2609222aSPawel Jakub Dawidek * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
2609222aSPawel Jakub Dawidek * ENOTCAPABLE will be returned.
745bae37SJonathan Anderson */
745bae37SJonathan Andersonint
2609222aSPawel Jakub Dawidekcap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
745bae37SJonathan Anderson{
20641651SMariusz Zaborski	struct filedescent *fdep;
2609222aSPawel Jakub Dawidek	u_long *cmds;
2609222aSPawel Jakub Dawidek	ssize_t ncmds;
2609222aSPawel Jakub Dawidek	long i;
745bae37SJonathan Anderson
2609222aSPawel Jakub Dawidek	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
2609222aSPawel Jakub Dawidek		("%s: invalid fd=%d", __func__, fd));
745bae37SJonathan Anderson
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
965cd211SMariusz Zaborski	KASSERT(fdep != NULL,
20641651SMariusz Zaborski	    ("%s: invalid fd=%d", __func__, fd));
20641651SMariusz Zaborski
20641651SMariusz Zaborski	ncmds = fdep->fde_nioctls;
2609222aSPawel Jakub Dawidek	if (ncmds == -1)
2609222aSPawel Jakub Dawidek		return (0);
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	cmds = fdep->fde_ioctls;
2609222aSPawel Jakub Dawidek	for (i = 0; i < ncmds; i++) {
2609222aSPawel Jakub Dawidek		if (cmds[i] == cmd)
2609222aSPawel Jakub Dawidek			return (0);
2609222aSPawel Jakub Dawidek	}
2609222aSPawel Jakub Dawidek
745bae37SJonathan Anderson	return (ENOTCAPABLE);
745bae37SJonathan Anderson}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek/*
2609222aSPawel Jakub Dawidek * Check if the current ioctls list can be replaced by the new one.
2609222aSPawel Jakub Dawidek */
2609222aSPawel Jakub Dawidekstatic int
20641651SMariusz Zaborskicap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
2609222aSPawel Jakub Dawidek    size_t ncmds)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek	u_long *ocmds;
2609222aSPawel Jakub Dawidek	ssize_t oncmds;
2609222aSPawel Jakub Dawidek	u_long i;
2609222aSPawel Jakub Dawidek	long j;
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	oncmds = fdep->fde_nioctls;
2609222aSPawel Jakub Dawidek	if (oncmds == -1)
2609222aSPawel Jakub Dawidek		return (0);
2609222aSPawel Jakub Dawidek	if (oncmds < (ssize_t)ncmds)
2609222aSPawel Jakub Dawidek		return (ENOTCAPABLE);
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	ocmds = fdep->fde_ioctls;
2609222aSPawel Jakub Dawidek	for (i = 0; i < ncmds; i++) {
2609222aSPawel Jakub Dawidek		for (j = 0; j < oncmds; j++) {
2609222aSPawel Jakub Dawidek			if (cmds[i] == ocmds[j])
2609222aSPawel Jakub Dawidek				break;
2609222aSPawel Jakub Dawidek		}
2609222aSPawel Jakub Dawidek		if (j == oncmds)
2609222aSPawel Jakub Dawidek			return (ENOTCAPABLE);
2609222aSPawel Jakub Dawidek	}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (0);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
0dac22d8SPawel Jakub Dawidekkern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek	struct filedesc *fdp;
20641651SMariusz Zaborski	struct filedescent *fdep;
0dac22d8SPawel Jakub Dawidek	u_long *ocmds;
0dac22d8SPawel Jakub Dawidek	int error;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FD(fd);
2609222aSPawel Jakub Dawidek
4b83a776SMariusz Zaborski	if (ncmds > IOCTLS_MAX_COUNT) {
4b83a776SMariusz Zaborski		error = EINVAL;
4b83a776SMariusz Zaborski		goto out_free;
4b83a776SMariusz Zaborski	}
4b83a776SMariusz Zaborski
2609222aSPawel Jakub Dawidek	fdp = td->td_proc->p_fd;
2609222aSPawel Jakub Dawidek	FILEDESC_XLOCK(fdp);
2609222aSPawel Jakub Dawidek
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
20641651SMariusz Zaborski	if (fdep == NULL) {
2609222aSPawel Jakub Dawidek		error = EBADF;
2609222aSPawel Jakub Dawidek		goto out;
2609222aSPawel Jakub Dawidek	}
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	error = cap_ioctl_limit_check(fdep, cmds, ncmds);
2609222aSPawel Jakub Dawidek	if (error != 0)
2609222aSPawel Jakub Dawidek		goto out;
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	ocmds = fdep->fde_ioctls;
2d896b81SMark Johnston	seqc_write_begin(&fdep->fde_seqc);
20641651SMariusz Zaborski	fdep->fde_ioctls = cmds;
20641651SMariusz Zaborski	fdep->fde_nioctls = ncmds;
2d896b81SMark Johnston	seqc_write_end(&fdep->fde_seqc);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	cmds = ocmds;
2609222aSPawel Jakub Dawidek	error = 0;
2609222aSPawel Jakub Dawidekout:
2609222aSPawel Jakub Dawidek	FILEDESC_XUNLOCK(fdp);
4b83a776SMariusz Zaborskiout_free:
92981fdfSPawel Jakub Dawidek	free(cmds, M_FILECAPS);
2609222aSPawel Jakub Dawidek	return (error);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
0dac22d8SPawel Jakub Dawideksys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
0dac22d8SPawel Jakub Dawidek{
0dac22d8SPawel Jakub Dawidek	u_long *cmds;
0dac22d8SPawel Jakub Dawidek	size_t ncmds;
0dac22d8SPawel Jakub Dawidek	int error;
0dac22d8SPawel Jakub Dawidek
0dac22d8SPawel Jakub Dawidek	ncmds = uap->ncmds;
0dac22d8SPawel Jakub Dawidek
4b83a776SMariusz Zaborski	if (ncmds > IOCTLS_MAX_COUNT)
0dac22d8SPawel Jakub Dawidek		return (EINVAL);
0dac22d8SPawel Jakub Dawidek
0dac22d8SPawel Jakub Dawidek	if (ncmds == 0) {
0dac22d8SPawel Jakub Dawidek		cmds = NULL;
0dac22d8SPawel Jakub Dawidek	} else {
0dac22d8SPawel Jakub Dawidek		cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
0dac22d8SPawel Jakub Dawidek		error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
0dac22d8SPawel Jakub Dawidek		if (error != 0) {
0dac22d8SPawel Jakub Dawidek			free(cmds, M_FILECAPS);
0dac22d8SPawel Jakub Dawidek			return (error);
0dac22d8SPawel Jakub Dawidek		}
0dac22d8SPawel Jakub Dawidek	}
0dac22d8SPawel Jakub Dawidek
0dac22d8SPawel Jakub Dawidek	return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
0dac22d8SPawel Jakub Dawidek}
0dac22d8SPawel Jakub Dawidek
0dac22d8SPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek	struct filedesc *fdp;
2609222aSPawel Jakub Dawidek	struct filedescent *fdep;
4b83a776SMariusz Zaborski	u_long *cmdsp, *dstcmds;
4b83a776SMariusz Zaborski	size_t maxcmds, ncmds;
4b83a776SMariusz Zaborski	int16_t count;
2609222aSPawel Jakub Dawidek	int error, fd;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fd = uap->fd;
4b83a776SMariusz Zaborski	dstcmds = uap->cmds;
2609222aSPawel Jakub Dawidek	maxcmds = uap->maxcmds;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FD(fd);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fdp = td->td_proc->p_fd;
2609222aSPawel Jakub Dawidek
4b83a776SMariusz Zaborski	cmdsp = NULL;
4b83a776SMariusz Zaborski	if (dstcmds != NULL) {
4b83a776SMariusz Zaborski		cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
4b83a776SMariusz Zaborski		    M_WAITOK | M_ZERO);
4b83a776SMariusz Zaborski	}
4b83a776SMariusz Zaborski
4b83a776SMariusz Zaborski	FILEDESC_SLOCK(fdp);
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
4b83a776SMariusz Zaborski	if (fdep == NULL) {
2609222aSPawel Jakub Dawidek		error = EBADF;
4b83a776SMariusz Zaborski		FILEDESC_SUNLOCK(fdp);
2609222aSPawel Jakub Dawidek		goto out;
e141be6fSDag-Erling Smørgrav	}
4b83a776SMariusz Zaborski	count = fdep->fde_nioctls;
4b83a776SMariusz Zaborski	if (count != -1 && cmdsp != NULL) {
4b83a776SMariusz Zaborski		ncmds = MIN(count, maxcmds);
4b83a776SMariusz Zaborski		memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
4b83a776SMariusz Zaborski	}
4b83a776SMariusz Zaborski	FILEDESC_SUNLOCK(fdp);
745bae37SJonathan Anderson
745bae37SJonathan Anderson	/*
2609222aSPawel Jakub Dawidek	 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
2609222aSPawel Jakub Dawidek	 * the only sane thing we can do is to not populate the given array and
2609222aSPawel Jakub Dawidek	 * return CAP_IOCTLS_ALL.
745bae37SJonathan Anderson	 */
4b83a776SMariusz Zaborski	if (count != -1) {
4b83a776SMariusz Zaborski		if (cmdsp != NULL) {
4b83a776SMariusz Zaborski			error = copyout(cmdsp, dstcmds,
4b83a776SMariusz Zaborski			    sizeof(cmdsp[0]) * ncmds);
2609222aSPawel Jakub Dawidek			if (error != 0)
2609222aSPawel Jakub Dawidek				goto out;
2609222aSPawel Jakub Dawidek		}
4b83a776SMariusz Zaborski		td->td_retval[0] = count;
4b83a776SMariusz Zaborski	} else {
2609222aSPawel Jakub Dawidek		td->td_retval[0] = CAP_IOCTLS_ALL;
4b83a776SMariusz Zaborski	}
745bae37SJonathan Anderson
2609222aSPawel Jakub Dawidek	error = 0;
2609222aSPawel Jakub Dawidekout:
4b83a776SMariusz Zaborski	free(cmdsp, M_FILECAPS);
af098ed8SJonathan Anderson	return (error);
af098ed8SJonathan Anderson}
af098ed8SJonathan Anderson
af098ed8SJonathan Anderson/*
2609222aSPawel Jakub Dawidek * Test whether a capability grants the given fcntl command.
af098ed8SJonathan Anderson */
af098ed8SJonathan Andersonint
20641651SMariusz Zaborskicap_fcntl_check_fde(struct filedescent *fdep, int cmd)
af098ed8SJonathan Anderson{
2609222aSPawel Jakub Dawidek	uint32_t fcntlcap;
af098ed8SJonathan Anderson
2609222aSPawel Jakub Dawidek	fcntlcap = (1 << cmd);
2609222aSPawel Jakub Dawidek	KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
2609222aSPawel Jakub Dawidek	    ("Unsupported fcntl=%d.", cmd));
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	if ((fdep->fde_fcntls & fcntlcap) != 0)
2609222aSPawel Jakub Dawidek		return (0);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOTCAPABLE);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
a1bf8115SMateusz Guzikcap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
a1bf8115SMateusz Guzik{
a1bf8115SMateusz Guzik
a1bf8115SMateusz Guzik	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
a1bf8115SMateusz Guzik	    ("%s: invalid fd=%d", __func__, fd));
a1bf8115SMateusz Guzik
a1bf8115SMateusz Guzik	return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
a1bf8115SMateusz Guzik}
a1bf8115SMateusz Guzik
a1bf8115SMateusz Guzikint
2609222aSPawel Jakub Dawideksys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek	struct filedesc *fdp;
20641651SMariusz Zaborski	struct filedescent *fdep;
2609222aSPawel Jakub Dawidek	uint32_t fcntlrights;
2609222aSPawel Jakub Dawidek	int fd;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fd = uap->fd;
2609222aSPawel Jakub Dawidek	fcntlrights = uap->fcntlrights;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FD(fd);
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
2609222aSPawel Jakub Dawidek		return (EINVAL);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fdp = td->td_proc->p_fd;
2609222aSPawel Jakub Dawidek	FILEDESC_XLOCK(fdp);
2609222aSPawel Jakub Dawidek
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
20641651SMariusz Zaborski	if (fdep == NULL) {
2609222aSPawel Jakub Dawidek		FILEDESC_XUNLOCK(fdp);
2609222aSPawel Jakub Dawidek		return (EBADF);
2609222aSPawel Jakub Dawidek	}
2609222aSPawel Jakub Dawidek
20641651SMariusz Zaborski	if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
2609222aSPawel Jakub Dawidek		FILEDESC_XUNLOCK(fdp);
2609222aSPawel Jakub Dawidek		return (ENOTCAPABLE);
2609222aSPawel Jakub Dawidek	}
2609222aSPawel Jakub Dawidek
2d896b81SMark Johnston	seqc_write_begin(&fdep->fde_seqc);
20641651SMariusz Zaborski	fdep->fde_fcntls = fcntlrights;
2d896b81SMark Johnston	seqc_write_end(&fdep->fde_seqc);
2609222aSPawel Jakub Dawidek	FILEDESC_XUNLOCK(fdp);
2609222aSPawel Jakub Dawidek
af098ed8SJonathan Anderson	return (0);
af098ed8SJonathan Anderson}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek	struct filedesc *fdp;
20641651SMariusz Zaborski	struct filedescent *fdep;
2609222aSPawel Jakub Dawidek	uint32_t rights;
2609222aSPawel Jakub Dawidek	int fd;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fd = uap->fd;
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	AUDIT_ARG_FD(fd);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	fdp = td->td_proc->p_fd;
2609222aSPawel Jakub Dawidek	FILEDESC_SLOCK(fdp);
*f17ef286SMateusz Guzik	fdep = fdeget_noref(fdp, fd);
20641651SMariusz Zaborski	if (fdep == NULL) {
2609222aSPawel Jakub Dawidek		FILEDESC_SUNLOCK(fdp);
2609222aSPawel Jakub Dawidek		return (EBADF);
2609222aSPawel Jakub Dawidek	}
20641651SMariusz Zaborski	rights = fdep->fde_fcntls;
2609222aSPawel Jakub Dawidek	FILEDESC_SUNLOCK(fdp);
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
af098ed8SJonathan Anderson#else /* !CAPABILITIES */
af098ed8SJonathan Anderson
af098ed8SJonathan Anderson/*
af098ed8SJonathan Anderson * Stub Capability functions for when options CAPABILITIES isn't compiled
af098ed8SJonathan Anderson * into the kernel.
af098ed8SJonathan Anderson */
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
88eb5488SSean Brunosys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidekint
2609222aSPawel Jakub Dawideksys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
2609222aSPawel Jakub Dawidek{
2609222aSPawel Jakub Dawidek
2609222aSPawel Jakub Dawidek	return (ENOSYS);
2609222aSPawel Jakub Dawidek}
2609222aSPawel Jakub Dawidek
af098ed8SJonathan Anderson#endif /* CAPABILITIES */