1 /*- 2 * Copyright (c) 2008-2011 Robert N. M. Watson 3 * Copyright (c) 2010-2011 Jonathan Anderson 4 * Copyright (c) 2012 FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed at the University of Cambridge Computer 8 * Laboratory with support from a grant from Google, Inc. 9 * 10 * Portions of this software were developed by Pawel Jakub Dawidek under 11 * sponsorship from the FreeBSD Foundation. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 /* 36 * FreeBSD kernel capability facility. 37 * 38 * Two kernel features are implemented here: capability mode, a sandboxed mode 39 * of execution for processes, and capabilities, a refinement on file 40 * descriptors that allows fine-grained control over operations on the file 41 * descriptor. Collectively, these allow processes to run in the style of a 42 * historic "capability system" in which they can use only resources 43 * explicitly delegated to them. This model is enforced by restricting access 44 * to global namespaces in capability mode. 45 * 46 * Capabilities wrap other file descriptor types, binding them to a constant 47 * rights mask set when the capability is created. New capabilities may be 48 * derived from existing capabilities, but only if they have the same or a 49 * strict subset of the rights on the original capability. 50 * 51 * System calls permitted in capability mode are defined in capabilities.conf; 52 * calls must be carefully audited for safety to ensure that they don't allow 53 * escape from a sandbox. Some calls permit only a subset of operations in 54 * capability mode -- for example, shm_open(2) is limited to creating 55 * anonymous, rather than named, POSIX shared memory objects. 56 */ 57 58 #include <sys/cdefs.h> 59 __FBSDID("$FreeBSD$"); 60 61 #include "opt_capsicum.h" 62 #include "opt_ktrace.h" 63 64 #include <sys/param.h> 65 #include <sys/capsicum.h> 66 #include <sys/file.h> 67 #include <sys/filedesc.h> 68 #include <sys/kernel.h> 69 #include <sys/limits.h> 70 #include <sys/lock.h> 71 #include <sys/mutex.h> 72 #include <sys/proc.h> 73 #include <sys/syscallsubr.h> 74 #include <sys/sysproto.h> 75 #include <sys/sysctl.h> 76 #include <sys/systm.h> 77 #include <sys/ucred.h> 78 #include <sys/uio.h> 79 #include <sys/ktrace.h> 80 81 #include <security/audit/audit.h> 82 83 #include <vm/uma.h> 84 #include <vm/vm.h> 85 86 #ifdef CAPABILITY_MODE 87 88 FEATURE(security_capability_mode, "Capsicum Capability Mode"); 89 90 /* 91 * System call to enter capability mode for the process. 92 */ 93 int 94 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 95 { 96 struct ucred *newcred, *oldcred; 97 struct proc *p; 98 99 if (IN_CAPABILITY_MODE(td)) 100 return (0); 101 102 newcred = crget(); 103 p = td->td_proc; 104 PROC_LOCK(p); 105 oldcred = crcopysafe(p, newcred); 106 newcred->cr_flags |= CRED_FLAG_CAPMODE; 107 proc_set_cred(p, newcred); 108 PROC_UNLOCK(p); 109 crfree(oldcred); 110 return (0); 111 } 112 113 /* 114 * System call to query whether the process is in capability mode. 115 */ 116 int 117 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 118 { 119 u_int i; 120 121 i = IN_CAPABILITY_MODE(td) ? 1 : 0; 122 return (copyout(&i, uap->modep, sizeof(i))); 123 } 124 125 #else /* !CAPABILITY_MODE */ 126 127 int 128 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 129 { 130 131 return (ENOSYS); 132 } 133 134 int 135 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 136 { 137 138 return (ENOSYS); 139 } 140 141 #endif /* CAPABILITY_MODE */ 142 143 #ifdef CAPABILITIES 144 145 FEATURE(security_capabilities, "Capsicum Capabilities"); 146 147 MALLOC_DECLARE(M_FILECAPS); 148 149 static inline int 150 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp, 151 enum ktr_cap_fail_type type) 152 { 153 154 if (!cap_rights_contains(havep, needp)) { 155 #ifdef KTRACE 156 if (KTRPOINT(curthread, KTR_CAPFAIL)) 157 ktrcapfail(type, needp, havep); 158 #endif 159 return (ENOTCAPABLE); 160 } 161 return (0); 162 } 163 164 /* 165 * Test whether a capability grants the requested rights. 166 */ 167 int 168 cap_check(const cap_rights_t *havep, const cap_rights_t *needp) 169 { 170 171 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE)); 172 } 173 174 /* 175 * Convert capability rights into VM access flags. 176 */ 177 u_char 178 cap_rights_to_vmprot(cap_rights_t *havep) 179 { 180 u_char maxprot; 181 182 maxprot = VM_PROT_NONE; 183 if (cap_rights_is_set(havep, CAP_MMAP_R)) 184 maxprot |= VM_PROT_READ; 185 if (cap_rights_is_set(havep, CAP_MMAP_W)) 186 maxprot |= VM_PROT_WRITE; 187 if (cap_rights_is_set(havep, CAP_MMAP_X)) 188 maxprot |= VM_PROT_EXECUTE; 189 190 return (maxprot); 191 } 192 193 /* 194 * Extract rights from a capability for monitoring purposes -- not for use in 195 * any other way, as we want to keep all capability permission evaluation in 196 * this one file. 197 */ 198 199 cap_rights_t * 200 cap_rights_fde(struct filedescent *fde) 201 { 202 203 return (&fde->fde_rights); 204 } 205 206 cap_rights_t * 207 cap_rights(struct filedesc *fdp, int fd) 208 { 209 210 return (cap_rights_fde(&fdp->fd_ofiles[fd])); 211 } 212 213 int 214 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights) 215 { 216 struct filedesc *fdp; 217 int error; 218 219 fdp = td->td_proc->p_fd; 220 FILEDESC_XLOCK(fdp); 221 if (fget_locked(fdp, fd) == NULL) { 222 FILEDESC_XUNLOCK(fdp); 223 return (EBADF); 224 } 225 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE); 226 if (error == 0) { 227 fdp->fd_ofiles[fd].fde_rights = *rights; 228 if (!cap_rights_is_set(rights, CAP_IOCTL)) { 229 free(fdp->fd_ofiles[fd].fde_ioctls, M_FILECAPS); 230 fdp->fd_ofiles[fd].fde_ioctls = NULL; 231 fdp->fd_ofiles[fd].fde_nioctls = 0; 232 } 233 if (!cap_rights_is_set(rights, CAP_FCNTL)) 234 fdp->fd_ofiles[fd].fde_fcntls = 0; 235 } 236 FILEDESC_XUNLOCK(fdp); 237 return (error); 238 } 239 240 /* 241 * System call to limit rights of the given capability. 242 */ 243 int 244 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 245 { 246 cap_rights_t rights; 247 int error, version; 248 249 cap_rights_init(&rights); 250 251 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0])); 252 if (error != 0) 253 return (error); 254 version = CAPVER(&rights); 255 if (version != CAP_RIGHTS_VERSION_00) 256 return (EINVAL); 257 258 error = copyin(uap->rightsp, &rights, 259 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights)); 260 if (error != 0) 261 return (error); 262 /* Check for race. */ 263 if (CAPVER(&rights) != version) 264 return (EINVAL); 265 266 if (!cap_rights_is_valid(&rights)) 267 return (EINVAL); 268 269 if (version != CAP_RIGHTS_VERSION) { 270 rights.cr_rights[0] &= ~(0x3ULL << 62); 271 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62); 272 } 273 #ifdef KTRACE 274 if (KTRPOINT(td, KTR_STRUCT)) 275 ktrcaprights(&rights); 276 #endif 277 278 AUDIT_ARG_FD(uap->fd); 279 AUDIT_ARG_RIGHTS(&rights); 280 return (kern_cap_rights_limit(td, uap->fd, &rights)); 281 } 282 283 /* 284 * System call to query the rights mask associated with a capability. 285 */ 286 int 287 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 288 { 289 struct filedesc *fdp; 290 cap_rights_t rights; 291 int error, fd, i, n; 292 293 if (uap->version != CAP_RIGHTS_VERSION_00) 294 return (EINVAL); 295 296 fd = uap->fd; 297 298 AUDIT_ARG_FD(fd); 299 300 fdp = td->td_proc->p_fd; 301 FILEDESC_SLOCK(fdp); 302 if (fget_locked(fdp, fd) == NULL) { 303 FILEDESC_SUNLOCK(fdp); 304 return (EBADF); 305 } 306 rights = *cap_rights(fdp, fd); 307 FILEDESC_SUNLOCK(fdp); 308 n = uap->version + 2; 309 if (uap->version != CAPVER(&rights)) { 310 /* 311 * For older versions we need to check if the descriptor 312 * doesn't contain rights not understood by the caller. 313 * If it does, we have to return an error. 314 */ 315 for (i = n; i < CAPARSIZE(&rights); i++) { 316 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0) 317 return (EINVAL); 318 } 319 } 320 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n); 321 #ifdef KTRACE 322 if (error == 0 && KTRPOINT(td, KTR_STRUCT)) 323 ktrcaprights(&rights); 324 #endif 325 return (error); 326 } 327 328 /* 329 * Test whether a capability grants the given ioctl command. 330 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and 331 * ENOTCAPABLE will be returned. 332 */ 333 int 334 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd) 335 { 336 u_long *cmds; 337 ssize_t ncmds; 338 long i; 339 340 FILEDESC_LOCK_ASSERT(fdp); 341 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 342 ("%s: invalid fd=%d", __func__, fd)); 343 344 ncmds = fdp->fd_ofiles[fd].fde_nioctls; 345 if (ncmds == -1) 346 return (0); 347 348 cmds = fdp->fd_ofiles[fd].fde_ioctls; 349 for (i = 0; i < ncmds; i++) { 350 if (cmds[i] == cmd) 351 return (0); 352 } 353 354 return (ENOTCAPABLE); 355 } 356 357 /* 358 * Check if the current ioctls list can be replaced by the new one. 359 */ 360 static int 361 cap_ioctl_limit_check(struct filedesc *fdp, int fd, const u_long *cmds, 362 size_t ncmds) 363 { 364 u_long *ocmds; 365 ssize_t oncmds; 366 u_long i; 367 long j; 368 369 oncmds = fdp->fd_ofiles[fd].fde_nioctls; 370 if (oncmds == -1) 371 return (0); 372 if (oncmds < (ssize_t)ncmds) 373 return (ENOTCAPABLE); 374 375 ocmds = fdp->fd_ofiles[fd].fde_ioctls; 376 for (i = 0; i < ncmds; i++) { 377 for (j = 0; j < oncmds; j++) { 378 if (cmds[i] == ocmds[j]) 379 break; 380 } 381 if (j == oncmds) 382 return (ENOTCAPABLE); 383 } 384 385 return (0); 386 } 387 388 int 389 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds) 390 { 391 struct filedesc *fdp; 392 u_long *ocmds; 393 int error; 394 395 AUDIT_ARG_FD(fd); 396 397 fdp = td->td_proc->p_fd; 398 FILEDESC_XLOCK(fdp); 399 400 if (fget_locked(fdp, fd) == NULL) { 401 error = EBADF; 402 goto out; 403 } 404 405 error = cap_ioctl_limit_check(fdp, fd, cmds, ncmds); 406 if (error != 0) 407 goto out; 408 409 ocmds = fdp->fd_ofiles[fd].fde_ioctls; 410 fdp->fd_ofiles[fd].fde_ioctls = cmds; 411 fdp->fd_ofiles[fd].fde_nioctls = ncmds; 412 413 cmds = ocmds; 414 error = 0; 415 out: 416 FILEDESC_XUNLOCK(fdp); 417 free(cmds, M_FILECAPS); 418 return (error); 419 } 420 421 int 422 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 423 { 424 u_long *cmds; 425 size_t ncmds; 426 int error; 427 428 ncmds = uap->ncmds; 429 430 if (ncmds > 256) /* XXX: Is 256 sane? */ 431 return (EINVAL); 432 433 if (ncmds == 0) { 434 cmds = NULL; 435 } else { 436 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK); 437 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds); 438 if (error != 0) { 439 free(cmds, M_FILECAPS); 440 return (error); 441 } 442 } 443 444 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds)); 445 } 446 447 int 448 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 449 { 450 struct filedesc *fdp; 451 struct filedescent *fdep; 452 u_long *cmds; 453 size_t maxcmds; 454 int error, fd; 455 456 fd = uap->fd; 457 cmds = uap->cmds; 458 maxcmds = uap->maxcmds; 459 460 AUDIT_ARG_FD(fd); 461 462 fdp = td->td_proc->p_fd; 463 FILEDESC_SLOCK(fdp); 464 465 if (fget_locked(fdp, fd) == NULL) { 466 error = EBADF; 467 goto out; 468 } 469 470 /* 471 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL) 472 * the only sane thing we can do is to not populate the given array and 473 * return CAP_IOCTLS_ALL. 474 */ 475 476 fdep = &fdp->fd_ofiles[fd]; 477 if (cmds != NULL && fdep->fde_ioctls != NULL) { 478 error = copyout(fdep->fde_ioctls, cmds, 479 sizeof(cmds[0]) * MIN(fdep->fde_nioctls, maxcmds)); 480 if (error != 0) 481 goto out; 482 } 483 if (fdep->fde_nioctls == -1) 484 td->td_retval[0] = CAP_IOCTLS_ALL; 485 else 486 td->td_retval[0] = fdep->fde_nioctls; 487 488 error = 0; 489 out: 490 FILEDESC_SUNLOCK(fdp); 491 return (error); 492 } 493 494 /* 495 * Test whether a capability grants the given fcntl command. 496 */ 497 int 498 cap_fcntl_check_fde(struct filedescent *fde, int cmd) 499 { 500 uint32_t fcntlcap; 501 502 fcntlcap = (1 << cmd); 503 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0, 504 ("Unsupported fcntl=%d.", cmd)); 505 506 if ((fde->fde_fcntls & fcntlcap) != 0) 507 return (0); 508 509 return (ENOTCAPABLE); 510 } 511 512 int 513 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd) 514 { 515 516 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 517 ("%s: invalid fd=%d", __func__, fd)); 518 519 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd)); 520 } 521 522 int 523 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 524 { 525 struct filedesc *fdp; 526 uint32_t fcntlrights; 527 int fd; 528 529 fd = uap->fd; 530 fcntlrights = uap->fcntlrights; 531 532 AUDIT_ARG_FD(fd); 533 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights); 534 535 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0) 536 return (EINVAL); 537 538 fdp = td->td_proc->p_fd; 539 FILEDESC_XLOCK(fdp); 540 541 if (fget_locked(fdp, fd) == NULL) { 542 FILEDESC_XUNLOCK(fdp); 543 return (EBADF); 544 } 545 546 if ((fcntlrights & ~fdp->fd_ofiles[fd].fde_fcntls) != 0) { 547 FILEDESC_XUNLOCK(fdp); 548 return (ENOTCAPABLE); 549 } 550 551 fdp->fd_ofiles[fd].fde_fcntls = fcntlrights; 552 FILEDESC_XUNLOCK(fdp); 553 554 return (0); 555 } 556 557 int 558 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 559 { 560 struct filedesc *fdp; 561 uint32_t rights; 562 int fd; 563 564 fd = uap->fd; 565 566 AUDIT_ARG_FD(fd); 567 568 fdp = td->td_proc->p_fd; 569 FILEDESC_SLOCK(fdp); 570 if (fget_locked(fdp, fd) == NULL) { 571 FILEDESC_SUNLOCK(fdp); 572 return (EBADF); 573 } 574 rights = fdp->fd_ofiles[fd].fde_fcntls; 575 FILEDESC_SUNLOCK(fdp); 576 577 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights))); 578 } 579 580 #else /* !CAPABILITIES */ 581 582 /* 583 * Stub Capability functions for when options CAPABILITIES isn't compiled 584 * into the kernel. 585 */ 586 587 int 588 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 589 { 590 591 return (ENOSYS); 592 } 593 594 int 595 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 596 { 597 598 return (ENOSYS); 599 } 600 601 int 602 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 603 { 604 605 return (ENOSYS); 606 } 607 608 int 609 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 610 { 611 612 return (ENOSYS); 613 } 614 615 int 616 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 617 { 618 619 return (ENOSYS); 620 } 621 622 int 623 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 624 { 625 626 return (ENOSYS); 627 } 628 629 #endif /* CAPABILITIES */ 630