xref: /freebsd/sys/kern/sys_capability.c (revision 3231251399f9e60fc7175b6352eb5291e9296fe8) 
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2008-2011 Robert N. M. Watson
5  * Copyright (c) 2010-2011 Jonathan Anderson
6  * Copyright (c) 2012 FreeBSD Foundation
7  * All rights reserved.
8  *
9  * This software was developed at the University of Cambridge Computer
10  * Laboratory with support from a grant from Google, Inc.
11  *
12  * Portions of this software were developed by Pawel Jakub Dawidek under
13  * sponsorship from the FreeBSD Foundation.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  *
24  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  */
36 
37 /*
38  * FreeBSD kernel capability facility.
39  *
40  * Two kernel features are implemented here: capability mode, a sandboxed mode
41  * of execution for processes, and capabilities, a refinement on file
42  * descriptors that allows fine-grained control over operations on the file
43  * descriptor.  Collectively, these allow processes to run in the style of a
44  * historic "capability system" in which they can use only resources
45  * explicitly delegated to them.  This model is enforced by restricting access
46  * to global namespaces in capability mode.
47  *
48  * Capabilities wrap other file descriptor types, binding them to a constant
49  * rights mask set when the capability is created.  New capabilities may be
50  * derived from existing capabilities, but only if they have the same or a
51  * strict subset of the rights on the original capability.
52  *
53  * System calls permitted in capability mode are defined in capabilities.conf;
54  * calls must be carefully audited for safety to ensure that they don't allow
55  * escape from a sandbox.  Some calls permit only a subset of operations in
56  * capability mode -- for example, shm_open(2) is limited to creating
57  * anonymous, rather than named, POSIX shared memory objects.
58  */
59 
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD$");
62 
63 #include "opt_capsicum.h"
64 #include "opt_ktrace.h"
65 
66 #include <sys/param.h>
67 #include <sys/capsicum.h>
68 #include <sys/file.h>
69 #include <sys/filedesc.h>
70 #include <sys/kernel.h>
71 #include <sys/limits.h>
72 #include <sys/lock.h>
73 #include <sys/mutex.h>
74 #include <sys/proc.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysproto.h>
77 #include <sys/sysctl.h>
78 #include <sys/systm.h>
79 #include <sys/ucred.h>
80 #include <sys/uio.h>
81 #include <sys/ktrace.h>
82 
83 #include <security/audit/audit.h>
84 
85 #include <vm/uma.h>
86 #include <vm/vm.h>
87 
88 bool __read_frequently trap_enotcap;
89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
90     "Deliver SIGTRAP on ENOTCAPABLE");
91 
92 #ifdef CAPABILITY_MODE
93 
94 #define        IOCTLS_MAX_COUNT        256     /* XXX: Is 256 sane? */
95 
96 FEATURE(security_capability_mode, "Capsicum Capability Mode");
97 
98 /*
99  * System call to enter capability mode for the process.
100  */
101 int
102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
103 {
104 	struct ucred *newcred, *oldcred;
105 	struct proc *p;
106 
107 	if (IN_CAPABILITY_MODE(td))
108 		return (0);
109 
110 	newcred = crget();
111 	p = td->td_proc;
112 	PROC_LOCK(p);
113 	oldcred = crcopysafe(p, newcred);
114 	newcred->cr_flags |= CRED_FLAG_CAPMODE;
115 	proc_set_cred(p, newcred);
116 	PROC_UNLOCK(p);
117 	crfree(oldcred);
118 	return (0);
119 }
120 
121 /*
122  * System call to query whether the process is in capability mode.
123  */
124 int
125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
126 {
127 	u_int i;
128 
129 	i = IN_CAPABILITY_MODE(td) ? 1 : 0;
130 	return (copyout(&i, uap->modep, sizeof(i)));
131 }
132 
133 #else /* !CAPABILITY_MODE */
134 
135 int
136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
137 {
138 
139 	return (ENOSYS);
140 }
141 
142 int
143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
144 {
145 
146 	return (ENOSYS);
147 }
148 
149 #endif /* CAPABILITY_MODE */
150 
151 #ifdef CAPABILITIES
152 
153 FEATURE(security_capabilities, "Capsicum Capabilities");
154 
155 MALLOC_DECLARE(M_FILECAPS);
156 
157 static inline int
158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
159     enum ktr_cap_fail_type type)
160 {
161 
162 	if (!cap_rights_contains(havep, needp)) {
163 #ifdef KTRACE
164 		if (KTRPOINT(curthread, KTR_CAPFAIL))
165 			ktrcapfail(type, needp, havep);
166 #endif
167 		return (ENOTCAPABLE);
168 	}
169 	return (0);
170 }
171 
172 /*
173  * Test whether a capability grants the requested rights.
174  */
175 int
176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
177 {
178 
179 	return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
180 }
181 
182 /*
183  * Convert capability rights into VM access flags.
184  */
185 u_char
186 cap_rights_to_vmprot(const cap_rights_t *havep)
187 {
188 	u_char maxprot;
189 
190 	maxprot = VM_PROT_NONE;
191 	if (cap_rights_is_set(havep, CAP_MMAP_R))
192 		maxprot |= VM_PROT_READ;
193 	if (cap_rights_is_set(havep, CAP_MMAP_W))
194 		maxprot |= VM_PROT_WRITE;
195 	if (cap_rights_is_set(havep, CAP_MMAP_X))
196 		maxprot |= VM_PROT_EXECUTE;
197 
198 	return (maxprot);
199 }
200 
201 /*
202  * Extract rights from a capability for monitoring purposes -- not for use in
203  * any other way, as we want to keep all capability permission evaluation in
204  * this one file.
205  */
206 
207 const cap_rights_t *
208 cap_rights_fde(const struct filedescent *fdep)
209 {
210 
211 	return (cap_rights_fde_inline(fdep));
212 }
213 
214 const cap_rights_t *
215 cap_rights(struct filedesc *fdp, int fd)
216 {
217 
218 	return (cap_rights_fde(&fdp->fd_ofiles[fd]));
219 }
220 
221 int
222 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
223 {
224 	struct filedesc *fdp;
225 	struct filedescent *fdep;
226 	int error;
227 
228 	fdp = td->td_proc->p_fd;
229 	FILEDESC_XLOCK(fdp);
230 	fdep = fdeget_locked(fdp, fd);
231 	if (fdep == NULL) {
232 		FILEDESC_XUNLOCK(fdp);
233 		return (EBADF);
234 	}
235 	error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
236 	if (error == 0) {
237 		fdep->fde_rights = *rights;
238 		if (!cap_rights_is_set(rights, CAP_IOCTL)) {
239 			free(fdep->fde_ioctls, M_FILECAPS);
240 			fdep->fde_ioctls = NULL;
241 			fdep->fde_nioctls = 0;
242 		}
243 		if (!cap_rights_is_set(rights, CAP_FCNTL))
244 			fdep->fde_fcntls = 0;
245 	}
246 	FILEDESC_XUNLOCK(fdp);
247 	return (error);
248 }
249 
250 /*
251  * System call to limit rights of the given capability.
252  */
253 int
254 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
255 {
256 	cap_rights_t rights;
257 	int error, version;
258 
259 	cap_rights_init(&rights);
260 
261 	error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
262 	if (error != 0)
263 		return (error);
264 	version = CAPVER(&rights);
265 	if (version != CAP_RIGHTS_VERSION_00)
266 		return (EINVAL);
267 
268 	error = copyin(uap->rightsp, &rights,
269 	    sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
270 	if (error != 0)
271 		return (error);
272 	/* Check for race. */
273 	if (CAPVER(&rights) != version)
274 		return (EINVAL);
275 
276 	if (!cap_rights_is_valid(&rights))
277 		return (EINVAL);
278 
279 	if (version != CAP_RIGHTS_VERSION) {
280 		rights.cr_rights[0] &= ~(0x3ULL << 62);
281 		rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
282 	}
283 #ifdef KTRACE
284 	if (KTRPOINT(td, KTR_STRUCT))
285 		ktrcaprights(&rights);
286 #endif
287 
288 	AUDIT_ARG_FD(uap->fd);
289 	AUDIT_ARG_RIGHTS(&rights);
290 	return (kern_cap_rights_limit(td, uap->fd, &rights));
291 }
292 
293 /*
294  * System call to query the rights mask associated with a capability.
295  */
296 int
297 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
298 {
299 	struct filedesc *fdp;
300 	cap_rights_t rights;
301 	int error, fd, i, n;
302 
303 	if (uap->version != CAP_RIGHTS_VERSION_00)
304 		return (EINVAL);
305 
306 	fd = uap->fd;
307 
308 	AUDIT_ARG_FD(fd);
309 
310 	fdp = td->td_proc->p_fd;
311 	FILEDESC_SLOCK(fdp);
312 	if (fget_locked(fdp, fd) == NULL) {
313 		FILEDESC_SUNLOCK(fdp);
314 		return (EBADF);
315 	}
316 	rights = *cap_rights(fdp, fd);
317 	FILEDESC_SUNLOCK(fdp);
318 	n = uap->version + 2;
319 	if (uap->version != CAPVER(&rights)) {
320 		/*
321 		 * For older versions we need to check if the descriptor
322 		 * doesn't contain rights not understood by the caller.
323 		 * If it does, we have to return an error.
324 		 */
325 		for (i = n; i < CAPARSIZE(&rights); i++) {
326 			if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
327 				return (EINVAL);
328 		}
329 	}
330 	error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
331 #ifdef KTRACE
332 	if (error == 0 && KTRPOINT(td, KTR_STRUCT))
333 		ktrcaprights(&rights);
334 #endif
335 	return (error);
336 }
337 
338 /*
339  * Test whether a capability grants the given ioctl command.
340  * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
341  * ENOTCAPABLE will be returned.
342  */
343 int
344 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
345 {
346 	struct filedescent *fdep;
347 	u_long *cmds;
348 	ssize_t ncmds;
349 	long i;
350 
351 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
352 		("%s: invalid fd=%d", __func__, fd));
353 
354 	fdep = fdeget_locked(fdp, fd);
355 	KASSERT(fdep != NULL,
356 	    ("%s: invalid fd=%d", __func__, fd));
357 
358 	ncmds = fdep->fde_nioctls;
359 	if (ncmds == -1)
360 		return (0);
361 
362 	cmds = fdep->fde_ioctls;
363 	for (i = 0; i < ncmds; i++) {
364 		if (cmds[i] == cmd)
365 			return (0);
366 	}
367 
368 	return (ENOTCAPABLE);
369 }
370 
371 /*
372  * Check if the current ioctls list can be replaced by the new one.
373  */
374 static int
375 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
376     size_t ncmds)
377 {
378 	u_long *ocmds;
379 	ssize_t oncmds;
380 	u_long i;
381 	long j;
382 
383 	oncmds = fdep->fde_nioctls;
384 	if (oncmds == -1)
385 		return (0);
386 	if (oncmds < (ssize_t)ncmds)
387 		return (ENOTCAPABLE);
388 
389 	ocmds = fdep->fde_ioctls;
390 	for (i = 0; i < ncmds; i++) {
391 		for (j = 0; j < oncmds; j++) {
392 			if (cmds[i] == ocmds[j])
393 				break;
394 		}
395 		if (j == oncmds)
396 			return (ENOTCAPABLE);
397 	}
398 
399 	return (0);
400 }
401 
402 int
403 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
404 {
405 	struct filedesc *fdp;
406 	struct filedescent *fdep;
407 	u_long *ocmds;
408 	int error;
409 
410 	AUDIT_ARG_FD(fd);
411 
412 	if (ncmds > IOCTLS_MAX_COUNT) {
413 		error = EINVAL;
414 		goto out_free;
415 	}
416 
417 	fdp = td->td_proc->p_fd;
418 	FILEDESC_XLOCK(fdp);
419 
420 	fdep = fdeget_locked(fdp, fd);
421 	if (fdep == NULL) {
422 		error = EBADF;
423 		goto out;
424 	}
425 
426 	error = cap_ioctl_limit_check(fdep, cmds, ncmds);
427 	if (error != 0)
428 		goto out;
429 
430 	ocmds = fdep->fde_ioctls;
431 	fdep->fde_ioctls = cmds;
432 	fdep->fde_nioctls = ncmds;
433 
434 	cmds = ocmds;
435 	error = 0;
436 out:
437 	FILEDESC_XUNLOCK(fdp);
438 out_free:
439 	free(cmds, M_FILECAPS);
440 	return (error);
441 }
442 
443 int
444 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
445 {
446 	u_long *cmds;
447 	size_t ncmds;
448 	int error;
449 
450 	ncmds = uap->ncmds;
451 
452 	if (ncmds > IOCTLS_MAX_COUNT)
453 		return (EINVAL);
454 
455 	if (ncmds == 0) {
456 		cmds = NULL;
457 	} else {
458 		cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
459 		error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
460 		if (error != 0) {
461 			free(cmds, M_FILECAPS);
462 			return (error);
463 		}
464 	}
465 
466 	return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
467 }
468 
469 int
470 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
471 {
472 	struct filedesc *fdp;
473 	struct filedescent *fdep;
474 	u_long *cmdsp, *dstcmds;
475 	size_t maxcmds, ncmds;
476 	int16_t count;
477 	int error, fd;
478 
479 	fd = uap->fd;
480 	dstcmds = uap->cmds;
481 	maxcmds = uap->maxcmds;
482 
483 	AUDIT_ARG_FD(fd);
484 
485 	fdp = td->td_proc->p_fd;
486 
487 	cmdsp = NULL;
488 	if (dstcmds != NULL) {
489 		cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
490 		    M_WAITOK | M_ZERO);
491 	}
492 
493 	FILEDESC_SLOCK(fdp);
494 	fdep = fdeget_locked(fdp, fd);
495 	if (fdep == NULL) {
496 		error = EBADF;
497 		FILEDESC_SUNLOCK(fdp);
498 		goto out;
499 	}
500 	count = fdep->fde_nioctls;
501 	if (count != -1 && cmdsp != NULL) {
502 		ncmds = MIN(count, maxcmds);
503 		memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
504 	}
505 	FILEDESC_SUNLOCK(fdp);
506 
507 	/*
508 	 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
509 	 * the only sane thing we can do is to not populate the given array and
510 	 * return CAP_IOCTLS_ALL.
511 	 */
512 	if (count != -1) {
513 		if (cmdsp != NULL) {
514 			error = copyout(cmdsp, dstcmds,
515 			    sizeof(cmdsp[0]) * ncmds);
516 			if (error != 0)
517 				goto out;
518 		}
519 		td->td_retval[0] = count;
520 	} else {
521 		td->td_retval[0] = CAP_IOCTLS_ALL;
522 	}
523 
524 	error = 0;
525 out:
526 	free(cmdsp, M_FILECAPS);
527 	return (error);
528 }
529 
530 /*
531  * Test whether a capability grants the given fcntl command.
532  */
533 int
534 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
535 {
536 	uint32_t fcntlcap;
537 
538 	fcntlcap = (1 << cmd);
539 	KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
540 	    ("Unsupported fcntl=%d.", cmd));
541 
542 	if ((fdep->fde_fcntls & fcntlcap) != 0)
543 		return (0);
544 
545 	return (ENOTCAPABLE);
546 }
547 
548 int
549 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
550 {
551 
552 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
553 	    ("%s: invalid fd=%d", __func__, fd));
554 
555 	return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
556 }
557 
558 int
559 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
560 {
561 	struct filedesc *fdp;
562 	struct filedescent *fdep;
563 	uint32_t fcntlrights;
564 	int fd;
565 
566 	fd = uap->fd;
567 	fcntlrights = uap->fcntlrights;
568 
569 	AUDIT_ARG_FD(fd);
570 	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
571 
572 	if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
573 		return (EINVAL);
574 
575 	fdp = td->td_proc->p_fd;
576 	FILEDESC_XLOCK(fdp);
577 
578 	fdep = fdeget_locked(fdp, fd);
579 	if (fdep == NULL) {
580 		FILEDESC_XUNLOCK(fdp);
581 		return (EBADF);
582 	}
583 
584 	if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
585 		FILEDESC_XUNLOCK(fdp);
586 		return (ENOTCAPABLE);
587 	}
588 
589 	fdep->fde_fcntls = fcntlrights;
590 	FILEDESC_XUNLOCK(fdp);
591 
592 	return (0);
593 }
594 
595 int
596 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
597 {
598 	struct filedesc *fdp;
599 	struct filedescent *fdep;
600 	uint32_t rights;
601 	int fd;
602 
603 	fd = uap->fd;
604 
605 	AUDIT_ARG_FD(fd);
606 
607 	fdp = td->td_proc->p_fd;
608 	FILEDESC_SLOCK(fdp);
609 	fdep = fdeget_locked(fdp, fd);
610 	if (fdep == NULL) {
611 		FILEDESC_SUNLOCK(fdp);
612 		return (EBADF);
613 	}
614 	rights = fdep->fde_fcntls;
615 	FILEDESC_SUNLOCK(fdp);
616 
617 	return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
618 }
619 
620 #else /* !CAPABILITIES */
621 
622 /*
623  * Stub Capability functions for when options CAPABILITIES isn't compiled
624  * into the kernel.
625  */
626 
627 int
628 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
629 {
630 
631 	return (ENOSYS);
632 }
633 
634 int
635 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
636 {
637 
638 	return (ENOSYS);
639 }
640 
641 int
642 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
643 {
644 
645 	return (ENOSYS);
646 }
647 
648 int
649 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
650 {
651 
652 	return (ENOSYS);
653 }
654 
655 int
656 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
657 {
658 
659 	return (ENOSYS);
660 }
661 
662 int
663 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
664 {
665 
666 	return (ENOSYS);
667 }
668 
669 #endif /* CAPABILITIES */
670