xref: /freebsd/sys/kern/sys_capability.c (revision 19fe57fdb4fd2c18a37f2a972617c8769609cdb8)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2008-2011 Robert N. M. Watson
5  * Copyright (c) 2010-2011 Jonathan Anderson
6  * Copyright (c) 2012 FreeBSD Foundation
7  * All rights reserved.
8  *
9  * This software was developed at the University of Cambridge Computer
10  * Laboratory with support from a grant from Google, Inc.
11  *
12  * Portions of this software were developed by Pawel Jakub Dawidek under
13  * sponsorship from the FreeBSD Foundation.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  */
36 
37 /*
38  * FreeBSD kernel capability facility.
39  *
40  * Two kernel features are implemented here: capability mode, a sandboxed mode
41  * of execution for processes, and capabilities, a refinement on file
42  * descriptors that allows fine-grained control over operations on the file
43  * descriptor.  Collectively, these allow processes to run in the style of a
44  * historic "capability system" in which they can use only resources
45  * explicitly delegated to them.  This model is enforced by restricting access
46  * to global namespaces in capability mode.
47  *
48  * Capabilities wrap other file descriptor types, binding them to a constant
49  * rights mask set when the capability is created.  New capabilities may be
50  * derived from existing capabilities, but only if they have the same or a
51  * strict subset of the rights on the original capability.
52  *
53  * System calls permitted in capability mode are defined in capabilities.conf;
54  * calls must be carefully audited for safety to ensure that they don't allow
55  * escape from a sandbox.  Some calls permit only a subset of operations in
56  * capability mode -- for example, shm_open(2) is limited to creating
57  * anonymous, rather than named, POSIX shared memory objects.
58  */
59 
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD$");
62 
63 #include "opt_capsicum.h"
64 #include "opt_ktrace.h"
65 
66 #include <sys/param.h>
67 #include <sys/capsicum.h>
68 #include <sys/file.h>
69 #include <sys/filedesc.h>
70 #include <sys/kernel.h>
71 #include <sys/limits.h>
72 #include <sys/lock.h>
73 #include <sys/mutex.h>
74 #include <sys/proc.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysproto.h>
77 #include <sys/sysctl.h>
78 #include <sys/systm.h>
79 #include <sys/ucred.h>
80 #include <sys/uio.h>
81 #include <sys/ktrace.h>
82 
83 #include <security/audit/audit.h>
84 
85 #include <vm/uma.h>
86 #include <vm/vm.h>
87 
88 bool __read_frequently trap_enotcap;
89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
90     "Deliver SIGTRAP on ENOTCAPABLE");
91 
92 #ifdef CAPABILITY_MODE
93 
94 #define        IOCTLS_MAX_COUNT        256     /* XXX: Is 256 sane? */
95 
96 FEATURE(security_capability_mode, "Capsicum Capability Mode");
97 
98 /*
99  * System call to enter capability mode for the process.
100  */
101 int
102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
103 {
104 	struct ucred *newcred, *oldcred;
105 	struct proc *p;
106 
107 	if (IN_CAPABILITY_MODE(td))
108 		return (0);
109 
110 	newcred = crget();
111 	p = td->td_proc;
112 	PROC_LOCK(p);
113 	oldcred = crcopysafe(p, newcred);
114 	newcred->cr_flags |= CRED_FLAG_CAPMODE;
115 	proc_set_cred(p, newcred);
116 	PROC_UNLOCK(p);
117 	crfree(oldcred);
118 	return (0);
119 }
120 
121 /*
122  * System call to query whether the process is in capability mode.
123  */
124 int
125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
126 {
127 	u_int i;
128 
129 	i = IN_CAPABILITY_MODE(td) ? 1 : 0;
130 	return (copyout(&i, uap->modep, sizeof(i)));
131 }
132 
133 #else /* !CAPABILITY_MODE */
134 
135 int
136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
137 {
138 
139 	return (ENOSYS);
140 }
141 
142 int
143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
144 {
145 
146 	return (ENOSYS);
147 }
148 
149 #endif /* CAPABILITY_MODE */
150 
151 #ifdef CAPABILITIES
152 
153 FEATURE(security_capabilities, "Capsicum Capabilities");
154 
155 MALLOC_DECLARE(M_FILECAPS);
156 
157 static inline int
158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
159     enum ktr_cap_fail_type type)
160 {
161 
162 	if (!cap_rights_contains(havep, needp)) {
163 #ifdef KTRACE
164 		if (KTRPOINT(curthread, KTR_CAPFAIL))
165 			ktrcapfail(type, needp, havep);
166 #endif
167 		return (ENOTCAPABLE);
168 	}
169 	return (0);
170 }
171 
172 /*
173  * Test whether a capability grants the requested rights.
174  */
175 int
176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
177 {
178 
179 	return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
180 }
181 
182 int
183 cap_check_failed_notcapable(const cap_rights_t *havep, const cap_rights_t *needp)
184 {
185 
186 #ifdef KTRACE
187 	if (KTRPOINT(curthread, KTR_CAPFAIL))
188 		ktrcapfail(CAPFAIL_NOTCAPABLE, needp, havep);
189 #endif
190 	return (ENOTCAPABLE);
191 }
192 
193 /*
194  * Convert capability rights into VM access flags.
195  */
196 vm_prot_t
197 cap_rights_to_vmprot(const cap_rights_t *havep)
198 {
199 	vm_prot_t maxprot;
200 
201 	maxprot = VM_PROT_NONE;
202 	if (cap_rights_is_set(havep, CAP_MMAP_R))
203 		maxprot |= VM_PROT_READ;
204 	if (cap_rights_is_set(havep, CAP_MMAP_W))
205 		maxprot |= VM_PROT_WRITE;
206 	if (cap_rights_is_set(havep, CAP_MMAP_X))
207 		maxprot |= VM_PROT_EXECUTE;
208 
209 	return (maxprot);
210 }
211 
212 /*
213  * Extract rights from a capability for monitoring purposes -- not for use in
214  * any other way, as we want to keep all capability permission evaluation in
215  * this one file.
216  */
217 
218 const cap_rights_t *
219 cap_rights_fde(const struct filedescent *fdep)
220 {
221 
222 	return (cap_rights_fde_inline(fdep));
223 }
224 
225 const cap_rights_t *
226 cap_rights(struct filedesc *fdp, int fd)
227 {
228 
229 	return (cap_rights_fde(&fdp->fd_ofiles[fd]));
230 }
231 
232 int
233 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
234 {
235 	struct filedesc *fdp;
236 	struct filedescent *fdep;
237 	int error;
238 
239 	fdp = td->td_proc->p_fd;
240 	FILEDESC_XLOCK(fdp);
241 	fdep = fdeget_locked(fdp, fd);
242 	if (fdep == NULL) {
243 		FILEDESC_XUNLOCK(fdp);
244 		return (EBADF);
245 	}
246 	error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
247 	if (error == 0) {
248 		fdep->fde_rights = *rights;
249 		if (!cap_rights_is_set(rights, CAP_IOCTL)) {
250 			free(fdep->fde_ioctls, M_FILECAPS);
251 			fdep->fde_ioctls = NULL;
252 			fdep->fde_nioctls = 0;
253 		}
254 		if (!cap_rights_is_set(rights, CAP_FCNTL))
255 			fdep->fde_fcntls = 0;
256 	}
257 	FILEDESC_XUNLOCK(fdp);
258 	return (error);
259 }
260 
261 /*
262  * System call to limit rights of the given capability.
263  */
264 int
265 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
266 {
267 	cap_rights_t rights;
268 	int error, version;
269 
270 	cap_rights_init_zero(&rights);
271 
272 	error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
273 	if (error != 0)
274 		return (error);
275 	version = CAPVER(&rights);
276 	if (version != CAP_RIGHTS_VERSION_00)
277 		return (EINVAL);
278 
279 	error = copyin(uap->rightsp, &rights,
280 	    sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
281 	if (error != 0)
282 		return (error);
283 	/* Check for race. */
284 	if (CAPVER(&rights) != version)
285 		return (EINVAL);
286 
287 	if (!cap_rights_is_valid(&rights))
288 		return (EINVAL);
289 
290 	if (version != CAP_RIGHTS_VERSION) {
291 		rights.cr_rights[0] &= ~(0x3ULL << 62);
292 		rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
293 	}
294 #ifdef KTRACE
295 	if (KTRPOINT(td, KTR_STRUCT))
296 		ktrcaprights(&rights);
297 #endif
298 
299 	AUDIT_ARG_FD(uap->fd);
300 	AUDIT_ARG_RIGHTS(&rights);
301 	return (kern_cap_rights_limit(td, uap->fd, &rights));
302 }
303 
304 /*
305  * System call to query the rights mask associated with a capability.
306  */
307 int
308 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
309 {
310 	struct filedesc *fdp;
311 	cap_rights_t rights;
312 	int error, fd, i, n;
313 
314 	if (uap->version != CAP_RIGHTS_VERSION_00)
315 		return (EINVAL);
316 
317 	fd = uap->fd;
318 
319 	AUDIT_ARG_FD(fd);
320 
321 	fdp = td->td_proc->p_fd;
322 	FILEDESC_SLOCK(fdp);
323 	if (fget_locked(fdp, fd) == NULL) {
324 		FILEDESC_SUNLOCK(fdp);
325 		return (EBADF);
326 	}
327 	rights = *cap_rights(fdp, fd);
328 	FILEDESC_SUNLOCK(fdp);
329 	n = uap->version + 2;
330 	if (uap->version != CAPVER(&rights)) {
331 		/*
332 		 * For older versions we need to check if the descriptor
333 		 * doesn't contain rights not understood by the caller.
334 		 * If it does, we have to return an error.
335 		 */
336 		for (i = n; i < CAPARSIZE(&rights); i++) {
337 			if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
338 				return (EINVAL);
339 		}
340 	}
341 	error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
342 #ifdef KTRACE
343 	if (error == 0 && KTRPOINT(td, KTR_STRUCT))
344 		ktrcaprights(&rights);
345 #endif
346 	return (error);
347 }
348 
349 /*
350  * Test whether a capability grants the given ioctl command.
351  * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
352  * ENOTCAPABLE will be returned.
353  */
354 int
355 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
356 {
357 	struct filedescent *fdep;
358 	u_long *cmds;
359 	ssize_t ncmds;
360 	long i;
361 
362 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
363 		("%s: invalid fd=%d", __func__, fd));
364 
365 	fdep = fdeget_locked(fdp, fd);
366 	KASSERT(fdep != NULL,
367 	    ("%s: invalid fd=%d", __func__, fd));
368 
369 	ncmds = fdep->fde_nioctls;
370 	if (ncmds == -1)
371 		return (0);
372 
373 	cmds = fdep->fde_ioctls;
374 	for (i = 0; i < ncmds; i++) {
375 		if (cmds[i] == cmd)
376 			return (0);
377 	}
378 
379 	return (ENOTCAPABLE);
380 }
381 
382 /*
383  * Check if the current ioctls list can be replaced by the new one.
384  */
385 static int
386 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
387     size_t ncmds)
388 {
389 	u_long *ocmds;
390 	ssize_t oncmds;
391 	u_long i;
392 	long j;
393 
394 	oncmds = fdep->fde_nioctls;
395 	if (oncmds == -1)
396 		return (0);
397 	if (oncmds < (ssize_t)ncmds)
398 		return (ENOTCAPABLE);
399 
400 	ocmds = fdep->fde_ioctls;
401 	for (i = 0; i < ncmds; i++) {
402 		for (j = 0; j < oncmds; j++) {
403 			if (cmds[i] == ocmds[j])
404 				break;
405 		}
406 		if (j == oncmds)
407 			return (ENOTCAPABLE);
408 	}
409 
410 	return (0);
411 }
412 
413 int
414 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
415 {
416 	struct filedesc *fdp;
417 	struct filedescent *fdep;
418 	u_long *ocmds;
419 	int error;
420 
421 	AUDIT_ARG_FD(fd);
422 
423 	if (ncmds > IOCTLS_MAX_COUNT) {
424 		error = EINVAL;
425 		goto out_free;
426 	}
427 
428 	fdp = td->td_proc->p_fd;
429 	FILEDESC_XLOCK(fdp);
430 
431 	fdep = fdeget_locked(fdp, fd);
432 	if (fdep == NULL) {
433 		error = EBADF;
434 		goto out;
435 	}
436 
437 	error = cap_ioctl_limit_check(fdep, cmds, ncmds);
438 	if (error != 0)
439 		goto out;
440 
441 	ocmds = fdep->fde_ioctls;
442 	fdep->fde_ioctls = cmds;
443 	fdep->fde_nioctls = ncmds;
444 
445 	cmds = ocmds;
446 	error = 0;
447 out:
448 	FILEDESC_XUNLOCK(fdp);
449 out_free:
450 	free(cmds, M_FILECAPS);
451 	return (error);
452 }
453 
454 int
455 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
456 {
457 	u_long *cmds;
458 	size_t ncmds;
459 	int error;
460 
461 	ncmds = uap->ncmds;
462 
463 	if (ncmds > IOCTLS_MAX_COUNT)
464 		return (EINVAL);
465 
466 	if (ncmds == 0) {
467 		cmds = NULL;
468 	} else {
469 		cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
470 		error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
471 		if (error != 0) {
472 			free(cmds, M_FILECAPS);
473 			return (error);
474 		}
475 	}
476 
477 	return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
478 }
479 
480 int
481 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
482 {
483 	struct filedesc *fdp;
484 	struct filedescent *fdep;
485 	u_long *cmdsp, *dstcmds;
486 	size_t maxcmds, ncmds;
487 	int16_t count;
488 	int error, fd;
489 
490 	fd = uap->fd;
491 	dstcmds = uap->cmds;
492 	maxcmds = uap->maxcmds;
493 
494 	AUDIT_ARG_FD(fd);
495 
496 	fdp = td->td_proc->p_fd;
497 
498 	cmdsp = NULL;
499 	if (dstcmds != NULL) {
500 		cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
501 		    M_WAITOK | M_ZERO);
502 	}
503 
504 	FILEDESC_SLOCK(fdp);
505 	fdep = fdeget_locked(fdp, fd);
506 	if (fdep == NULL) {
507 		error = EBADF;
508 		FILEDESC_SUNLOCK(fdp);
509 		goto out;
510 	}
511 	count = fdep->fde_nioctls;
512 	if (count != -1 && cmdsp != NULL) {
513 		ncmds = MIN(count, maxcmds);
514 		memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
515 	}
516 	FILEDESC_SUNLOCK(fdp);
517 
518 	/*
519 	 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
520 	 * the only sane thing we can do is to not populate the given array and
521 	 * return CAP_IOCTLS_ALL.
522 	 */
523 	if (count != -1) {
524 		if (cmdsp != NULL) {
525 			error = copyout(cmdsp, dstcmds,
526 			    sizeof(cmdsp[0]) * ncmds);
527 			if (error != 0)
528 				goto out;
529 		}
530 		td->td_retval[0] = count;
531 	} else {
532 		td->td_retval[0] = CAP_IOCTLS_ALL;
533 	}
534 
535 	error = 0;
536 out:
537 	free(cmdsp, M_FILECAPS);
538 	return (error);
539 }
540 
541 /*
542  * Test whether a capability grants the given fcntl command.
543  */
544 int
545 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
546 {
547 	uint32_t fcntlcap;
548 
549 	fcntlcap = (1 << cmd);
550 	KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
551 	    ("Unsupported fcntl=%d.", cmd));
552 
553 	if ((fdep->fde_fcntls & fcntlcap) != 0)
554 		return (0);
555 
556 	return (ENOTCAPABLE);
557 }
558 
559 int
560 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
561 {
562 
563 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
564 	    ("%s: invalid fd=%d", __func__, fd));
565 
566 	return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
567 }
568 
569 int
570 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
571 {
572 	struct filedesc *fdp;
573 	struct filedescent *fdep;
574 	uint32_t fcntlrights;
575 	int fd;
576 
577 	fd = uap->fd;
578 	fcntlrights = uap->fcntlrights;
579 
580 	AUDIT_ARG_FD(fd);
581 	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
582 
583 	if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
584 		return (EINVAL);
585 
586 	fdp = td->td_proc->p_fd;
587 	FILEDESC_XLOCK(fdp);
588 
589 	fdep = fdeget_locked(fdp, fd);
590 	if (fdep == NULL) {
591 		FILEDESC_XUNLOCK(fdp);
592 		return (EBADF);
593 	}
594 
595 	if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
596 		FILEDESC_XUNLOCK(fdp);
597 		return (ENOTCAPABLE);
598 	}
599 
600 	fdep->fde_fcntls = fcntlrights;
601 	FILEDESC_XUNLOCK(fdp);
602 
603 	return (0);
604 }
605 
606 int
607 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
608 {
609 	struct filedesc *fdp;
610 	struct filedescent *fdep;
611 	uint32_t rights;
612 	int fd;
613 
614 	fd = uap->fd;
615 
616 	AUDIT_ARG_FD(fd);
617 
618 	fdp = td->td_proc->p_fd;
619 	FILEDESC_SLOCK(fdp);
620 	fdep = fdeget_locked(fdp, fd);
621 	if (fdep == NULL) {
622 		FILEDESC_SUNLOCK(fdp);
623 		return (EBADF);
624 	}
625 	rights = fdep->fde_fcntls;
626 	FILEDESC_SUNLOCK(fdp);
627 
628 	return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
629 }
630 
631 #else /* !CAPABILITIES */
632 
633 /*
634  * Stub Capability functions for when options CAPABILITIES isn't compiled
635  * into the kernel.
636  */
637 
638 int
639 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
640 {
641 
642 	return (ENOSYS);
643 }
644 
645 int
646 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
647 {
648 
649 	return (ENOSYS);
650 }
651 
652 int
653 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
654 {
655 
656 	return (ENOSYS);
657 }
658 
659 int
660 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
661 {
662 
663 	return (ENOSYS);
664 }
665 
666 int
667 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
668 {
669 
670 	return (ENOSYS);
671 }
672 
673 int
674 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
675 {
676 
677 	return (ENOSYS);
678 }
679 
680 #endif /* CAPABILITIES */
681