xref: /freebsd/sys/kern/sys_capability.c (revision 776d5e11e9516b6297db6bb659602ce782cd1df1)
1 /*-
2  * Copyright (c) 2008-2011 Robert N. M. Watson
3  * Copyright (c) 2010-2011 Jonathan Anderson
4  * Copyright (c) 2012 FreeBSD Foundation
5  * All rights reserved.
6  *
7  * This software was developed at the University of Cambridge Computer
8  * Laboratory with support from a grant from Google, Inc.
9  *
10  * Portions of this software were developed by Pawel Jakub Dawidek under
11  * sponsorship from the FreeBSD Foundation.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 
35 /*
36  * FreeBSD kernel capability facility.
37  *
38  * Two kernel features are implemented here: capability mode, a sandboxed mode
39  * of execution for processes, and capabilities, a refinement on file
40  * descriptors that allows fine-grained control over operations on the file
41  * descriptor.  Collectively, these allow processes to run in the style of a
42  * historic "capability system" in which they can use only resources
43  * explicitly delegated to them.  This model is enforced by restricting access
44  * to global namespaces in capability mode.
45  *
46  * Capabilities wrap other file descriptor types, binding them to a constant
47  * rights mask set when the capability is created.  New capabilities may be
48  * derived from existing capabilities, but only if they have the same or a
49  * strict subset of the rights on the original capability.
50  *
51  * System calls permitted in capability mode are defined in capabilities.conf;
52  * calls must be carefully audited for safety to ensure that they don't allow
53  * escape from a sandbox.  Some calls permit only a subset of operations in
54  * capability mode -- for example, shm_open(2) is limited to creating
55  * anonymous, rather than named, POSIX shared memory objects.
56  */
57 
58 #include <sys/cdefs.h>
59 __FBSDID("$FreeBSD$");
60 
61 #include "opt_capsicum.h"
62 #include "opt_ktrace.h"
63 
64 #include <sys/param.h>
65 #include <sys/capsicum.h>
66 #include <sys/file.h>
67 #include <sys/filedesc.h>
68 #include <sys/kernel.h>
69 #include <sys/limits.h>
70 #include <sys/lock.h>
71 #include <sys/mutex.h>
72 #include <sys/proc.h>
73 #include <sys/syscallsubr.h>
74 #include <sys/sysproto.h>
75 #include <sys/sysctl.h>
76 #include <sys/systm.h>
77 #include <sys/ucred.h>
78 #include <sys/uio.h>
79 #include <sys/ktrace.h>
80 
81 #include <security/audit/audit.h>
82 
83 #include <vm/uma.h>
84 #include <vm/vm.h>
85 
86 #ifdef CAPABILITY_MODE
87 
88 FEATURE(security_capability_mode, "Capsicum Capability Mode");
89 
90 /*
91  * System call to enter capability mode for the process.
92  */
93 int
94 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
95 {
96 	struct ucred *newcred, *oldcred;
97 	struct proc *p;
98 
99 	if (IN_CAPABILITY_MODE(td))
100 		return (0);
101 
102 	newcred = crget();
103 	p = td->td_proc;
104 	PROC_LOCK(p);
105 	oldcred = crcopysafe(p, newcred);
106 	newcred->cr_flags |= CRED_FLAG_CAPMODE;
107 	proc_set_cred(p, newcred);
108 	PROC_UNLOCK(p);
109 	crfree(oldcred);
110 	return (0);
111 }
112 
113 /*
114  * System call to query whether the process is in capability mode.
115  */
116 int
117 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
118 {
119 	u_int i;
120 
121 	i = IN_CAPABILITY_MODE(td) ? 1 : 0;
122 	return (copyout(&i, uap->modep, sizeof(i)));
123 }
124 
125 #else /* !CAPABILITY_MODE */
126 
127 int
128 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
129 {
130 
131 	return (ENOSYS);
132 }
133 
134 int
135 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
136 {
137 
138 	return (ENOSYS);
139 }
140 
141 #endif /* CAPABILITY_MODE */
142 
143 #ifdef CAPABILITIES
144 
145 FEATURE(security_capabilities, "Capsicum Capabilities");
146 
147 MALLOC_DECLARE(M_FILECAPS);
148 
149 static inline int
150 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
151     enum ktr_cap_fail_type type)
152 {
153 
154 	if (!cap_rights_contains(havep, needp)) {
155 #ifdef KTRACE
156 		if (KTRPOINT(curthread, KTR_CAPFAIL))
157 			ktrcapfail(type, needp, havep);
158 #endif
159 		return (ENOTCAPABLE);
160 	}
161 	return (0);
162 }
163 
164 /*
165  * Test whether a capability grants the requested rights.
166  */
167 int
168 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
169 {
170 
171 	return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
172 }
173 
174 /*
175  * Convert capability rights into VM access flags.
176  */
177 u_char
178 cap_rights_to_vmprot(cap_rights_t *havep)
179 {
180 	u_char maxprot;
181 
182 	maxprot = VM_PROT_NONE;
183 	if (cap_rights_is_set(havep, CAP_MMAP_R))
184 		maxprot |= VM_PROT_READ;
185 	if (cap_rights_is_set(havep, CAP_MMAP_W))
186 		maxprot |= VM_PROT_WRITE;
187 	if (cap_rights_is_set(havep, CAP_MMAP_X))
188 		maxprot |= VM_PROT_EXECUTE;
189 
190 	return (maxprot);
191 }
192 
193 /*
194  * Extract rights from a capability for monitoring purposes -- not for use in
195  * any other way, as we want to keep all capability permission evaluation in
196  * this one file.
197  */
198 
199 cap_rights_t *
200 cap_rights_fde(struct filedescent *fde)
201 {
202 
203 	return (&fde->fde_rights);
204 }
205 
206 cap_rights_t *
207 cap_rights(struct filedesc *fdp, int fd)
208 {
209 
210 	return (cap_rights_fde(&fdp->fd_ofiles[fd]));
211 }
212 
213 int
214 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
215 {
216 	struct filedesc *fdp;
217 	int error;
218 
219 	fdp = td->td_proc->p_fd;
220 	FILEDESC_XLOCK(fdp);
221 	if (fget_locked(fdp, fd) == NULL) {
222 		FILEDESC_XUNLOCK(fdp);
223 		return (EBADF);
224 	}
225 	error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
226 	if (error == 0) {
227 		fdp->fd_ofiles[fd].fde_rights = *rights;
228 		if (!cap_rights_is_set(rights, CAP_IOCTL)) {
229 			free(fdp->fd_ofiles[fd].fde_ioctls, M_FILECAPS);
230 			fdp->fd_ofiles[fd].fde_ioctls = NULL;
231 			fdp->fd_ofiles[fd].fde_nioctls = 0;
232 		}
233 		if (!cap_rights_is_set(rights, CAP_FCNTL))
234 			fdp->fd_ofiles[fd].fde_fcntls = 0;
235 	}
236 	FILEDESC_XUNLOCK(fdp);
237 	return (error);
238 }
239 
240 /*
241  * System call to limit rights of the given capability.
242  */
243 int
244 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
245 {
246 	cap_rights_t rights;
247 	int error, version;
248 
249 	cap_rights_init(&rights);
250 
251 	error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
252 	if (error != 0)
253 		return (error);
254 	version = CAPVER(&rights);
255 	if (version != CAP_RIGHTS_VERSION_00)
256 		return (EINVAL);
257 
258 	error = copyin(uap->rightsp, &rights,
259 	    sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
260 	if (error != 0)
261 		return (error);
262 	/* Check for race. */
263 	if (CAPVER(&rights) != version)
264 		return (EINVAL);
265 
266 	if (!cap_rights_is_valid(&rights))
267 		return (EINVAL);
268 
269 	if (version != CAP_RIGHTS_VERSION) {
270 		rights.cr_rights[0] &= ~(0x3ULL << 62);
271 		rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
272 	}
273 #ifdef KTRACE
274 	if (KTRPOINT(td, KTR_STRUCT))
275 		ktrcaprights(&rights);
276 #endif
277 
278 	AUDIT_ARG_FD(uap->fd);
279 	AUDIT_ARG_RIGHTS(&rights);
280 	return (kern_cap_rights_limit(td, uap->fd, &rights));
281 }
282 
283 /*
284  * System call to query the rights mask associated with a capability.
285  */
286 int
287 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
288 {
289 	struct filedesc *fdp;
290 	cap_rights_t rights;
291 	int error, fd, i, n;
292 
293 	if (uap->version != CAP_RIGHTS_VERSION_00)
294 		return (EINVAL);
295 
296 	fd = uap->fd;
297 
298 	AUDIT_ARG_FD(fd);
299 
300 	fdp = td->td_proc->p_fd;
301 	FILEDESC_SLOCK(fdp);
302 	if (fget_locked(fdp, fd) == NULL) {
303 		FILEDESC_SUNLOCK(fdp);
304 		return (EBADF);
305 	}
306 	rights = *cap_rights(fdp, fd);
307 	FILEDESC_SUNLOCK(fdp);
308 	n = uap->version + 2;
309 	if (uap->version != CAPVER(&rights)) {
310 		/*
311 		 * For older versions we need to check if the descriptor
312 		 * doesn't contain rights not understood by the caller.
313 		 * If it does, we have to return an error.
314 		 */
315 		for (i = n; i < CAPARSIZE(&rights); i++) {
316 			if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
317 				return (EINVAL);
318 		}
319 	}
320 	error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
321 #ifdef KTRACE
322 	if (error == 0 && KTRPOINT(td, KTR_STRUCT))
323 		ktrcaprights(&rights);
324 #endif
325 	return (error);
326 }
327 
328 /*
329  * Test whether a capability grants the given ioctl command.
330  * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
331  * ENOTCAPABLE will be returned.
332  */
333 int
334 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
335 {
336 	u_long *cmds;
337 	ssize_t ncmds;
338 	long i;
339 
340 	FILEDESC_LOCK_ASSERT(fdp);
341 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
342 	    ("%s: invalid fd=%d", __func__, fd));
343 
344 	ncmds = fdp->fd_ofiles[fd].fde_nioctls;
345 	if (ncmds == -1)
346 		return (0);
347 
348 	cmds = fdp->fd_ofiles[fd].fde_ioctls;
349 	for (i = 0; i < ncmds; i++) {
350 		if (cmds[i] == cmd)
351 			return (0);
352 	}
353 
354 	return (ENOTCAPABLE);
355 }
356 
357 /*
358  * Check if the current ioctls list can be replaced by the new one.
359  */
360 static int
361 cap_ioctl_limit_check(struct filedesc *fdp, int fd, const u_long *cmds,
362     size_t ncmds)
363 {
364 	u_long *ocmds;
365 	ssize_t oncmds;
366 	u_long i;
367 	long j;
368 
369 	oncmds = fdp->fd_ofiles[fd].fde_nioctls;
370 	if (oncmds == -1)
371 		return (0);
372 	if (oncmds < (ssize_t)ncmds)
373 		return (ENOTCAPABLE);
374 
375 	ocmds = fdp->fd_ofiles[fd].fde_ioctls;
376 	for (i = 0; i < ncmds; i++) {
377 		for (j = 0; j < oncmds; j++) {
378 			if (cmds[i] == ocmds[j])
379 				break;
380 		}
381 		if (j == oncmds)
382 			return (ENOTCAPABLE);
383 	}
384 
385 	return (0);
386 }
387 
388 int
389 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
390 {
391 	struct filedesc *fdp;
392 	u_long *ocmds;
393 	int error;
394 
395 	AUDIT_ARG_FD(fd);
396 
397 	fdp = td->td_proc->p_fd;
398 	FILEDESC_XLOCK(fdp);
399 
400 	if (fget_locked(fdp, fd) == NULL) {
401 		error = EBADF;
402 		goto out;
403 	}
404 
405 	error = cap_ioctl_limit_check(fdp, fd, cmds, ncmds);
406 	if (error != 0)
407 		goto out;
408 
409 	ocmds = fdp->fd_ofiles[fd].fde_ioctls;
410 	fdp->fd_ofiles[fd].fde_ioctls = cmds;
411 	fdp->fd_ofiles[fd].fde_nioctls = ncmds;
412 
413 	cmds = ocmds;
414 	error = 0;
415 out:
416 	FILEDESC_XUNLOCK(fdp);
417 	free(cmds, M_FILECAPS);
418 	return (error);
419 }
420 
421 int
422 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
423 {
424 	u_long *cmds;
425 	size_t ncmds;
426 	int error;
427 
428 	ncmds = uap->ncmds;
429 
430 	if (ncmds > 256)	/* XXX: Is 256 sane? */
431 		return (EINVAL);
432 
433 	if (ncmds == 0) {
434 		cmds = NULL;
435 	} else {
436 		cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
437 		error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
438 		if (error != 0) {
439 			free(cmds, M_FILECAPS);
440 			return (error);
441 		}
442 	}
443 
444 	return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
445 }
446 
447 int
448 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
449 {
450 	struct filedesc *fdp;
451 	struct filedescent *fdep;
452 	u_long *cmds;
453 	size_t maxcmds;
454 	int error, fd;
455 
456 	fd = uap->fd;
457 	cmds = uap->cmds;
458 	maxcmds = uap->maxcmds;
459 
460 	AUDIT_ARG_FD(fd);
461 
462 	fdp = td->td_proc->p_fd;
463 	FILEDESC_SLOCK(fdp);
464 
465 	if (fget_locked(fdp, fd) == NULL) {
466 		error = EBADF;
467 		goto out;
468 	}
469 
470 	/*
471 	 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
472 	 * the only sane thing we can do is to not populate the given array and
473 	 * return CAP_IOCTLS_ALL.
474 	 */
475 
476 	fdep = &fdp->fd_ofiles[fd];
477 	if (cmds != NULL && fdep->fde_ioctls != NULL) {
478 		error = copyout(fdep->fde_ioctls, cmds,
479 		    sizeof(cmds[0]) * MIN(fdep->fde_nioctls, maxcmds));
480 		if (error != 0)
481 			goto out;
482 	}
483 	if (fdep->fde_nioctls == -1)
484 		td->td_retval[0] = CAP_IOCTLS_ALL;
485 	else
486 		td->td_retval[0] = fdep->fde_nioctls;
487 
488 	error = 0;
489 out:
490 	FILEDESC_SUNLOCK(fdp);
491 	return (error);
492 }
493 
494 /*
495  * Test whether a capability grants the given fcntl command.
496  */
497 int
498 cap_fcntl_check_fde(struct filedescent *fde, int cmd)
499 {
500 	uint32_t fcntlcap;
501 
502 	fcntlcap = (1 << cmd);
503 	KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
504 	    ("Unsupported fcntl=%d.", cmd));
505 
506 	if ((fde->fde_fcntls & fcntlcap) != 0)
507 		return (0);
508 
509 	return (ENOTCAPABLE);
510 }
511 
512 int
513 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
514 {
515 
516 	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
517 	    ("%s: invalid fd=%d", __func__, fd));
518 
519 	return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
520 }
521 
522 int
523 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
524 {
525 	struct filedesc *fdp;
526 	uint32_t fcntlrights;
527 	int fd;
528 
529 	fd = uap->fd;
530 	fcntlrights = uap->fcntlrights;
531 
532 	AUDIT_ARG_FD(fd);
533 	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
534 
535 	if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
536 		return (EINVAL);
537 
538 	fdp = td->td_proc->p_fd;
539 	FILEDESC_XLOCK(fdp);
540 
541 	if (fget_locked(fdp, fd) == NULL) {
542 		FILEDESC_XUNLOCK(fdp);
543 		return (EBADF);
544 	}
545 
546 	if ((fcntlrights & ~fdp->fd_ofiles[fd].fde_fcntls) != 0) {
547 		FILEDESC_XUNLOCK(fdp);
548 		return (ENOTCAPABLE);
549 	}
550 
551 	fdp->fd_ofiles[fd].fde_fcntls = fcntlrights;
552 	FILEDESC_XUNLOCK(fdp);
553 
554 	return (0);
555 }
556 
557 int
558 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
559 {
560 	struct filedesc *fdp;
561 	uint32_t rights;
562 	int fd;
563 
564 	fd = uap->fd;
565 
566 	AUDIT_ARG_FD(fd);
567 
568 	fdp = td->td_proc->p_fd;
569 	FILEDESC_SLOCK(fdp);
570 	if (fget_locked(fdp, fd) == NULL) {
571 		FILEDESC_SUNLOCK(fdp);
572 		return (EBADF);
573 	}
574 	rights = fdp->fd_ofiles[fd].fde_fcntls;
575 	FILEDESC_SUNLOCK(fdp);
576 
577 	return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
578 }
579 
580 #else /* !CAPABILITIES */
581 
582 /*
583  * Stub Capability functions for when options CAPABILITIES isn't compiled
584  * into the kernel.
585  */
586 
587 int
588 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
589 {
590 
591 	return (ENOSYS);
592 }
593 
594 int
595 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
596 {
597 
598 	return (ENOSYS);
599 }
600 
601 int
602 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
603 {
604 
605 	return (ENOSYS);
606 }
607 
608 int
609 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
610 {
611 
612 	return (ENOSYS);
613 }
614 
615 int
616 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
617 {
618 
619 	return (ENOSYS);
620 }
621 
622 int
623 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
624 {
625 
626 	return (ENOSYS);
627 }
628 
629 #endif /* CAPABILITIES */
630