1 /*- 2 * Copyright (c) 2008-2011 Robert N. M. Watson 3 * Copyright (c) 2010-2011 Jonathan Anderson 4 * All rights reserved. 5 * 6 * This software was developed at the University of Cambridge Computer 7 * Laboratory with support from a grant from Google, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 /* 32 * FreeBSD kernel capability facility. 33 * 34 * Two kernel features are implemented here: capability mode, a sandboxed mode 35 * of execution for processes, and capabilities, a refinement on file 36 * descriptors that allows fine-grained control over operations on the file 37 * descriptor. Collectively, these allow processes to run in the style of a 38 * historic "capability system" in which they can use only resources 39 * explicitly delegated to them. This model is enforced by restricting access 40 * to global namespaces in capability mode. 41 * 42 * Capabilities wrap other file descriptor types, binding them to a constant 43 * rights mask set when the capability is created. New capabilities may be 44 * derived from existing capabilities, but only if they have the same or a 45 * strict subset of the rights on the original capability. 46 * 47 * System calls permitted in capability mode are defined in capabilities.conf; 48 * calls must be carefully audited for safety to ensure that they don't allow 49 * escape from a sandbox. Some calls permit only a subset of operations in 50 * capability mode -- for example, shm_open(2) is limited to creating 51 * anonymous, rather than named, POSIX shared memory objects. 52 */ 53 54 #include "opt_capsicum.h" 55 #include "opt_ktrace.h" 56 57 #include <sys/cdefs.h> 58 __FBSDID("$FreeBSD$"); 59 60 #include <sys/param.h> 61 #include <sys/capability.h> 62 #include <sys/file.h> 63 #include <sys/filedesc.h> 64 #include <sys/kernel.h> 65 #include <sys/lock.h> 66 #include <sys/mutex.h> 67 #include <sys/proc.h> 68 #include <sys/sysproto.h> 69 #include <sys/sysctl.h> 70 #include <sys/systm.h> 71 #include <sys/ucred.h> 72 #include <sys/uio.h> 73 #include <sys/ktrace.h> 74 75 #include <security/audit/audit.h> 76 77 #include <vm/uma.h> 78 #include <vm/vm.h> 79 80 #ifdef CAPABILITY_MODE 81 82 FEATURE(security_capability_mode, "Capsicum Capability Mode"); 83 84 /* 85 * System call to enter capability mode for the process. 86 */ 87 int 88 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 89 { 90 struct ucred *newcred, *oldcred; 91 struct proc *p; 92 93 if (IN_CAPABILITY_MODE(td)) 94 return (0); 95 96 newcred = crget(); 97 p = td->td_proc; 98 PROC_LOCK(p); 99 oldcred = p->p_ucred; 100 crcopy(newcred, oldcred); 101 newcred->cr_flags |= CRED_FLAG_CAPMODE; 102 p->p_ucred = newcred; 103 PROC_UNLOCK(p); 104 crfree(oldcred); 105 return (0); 106 } 107 108 /* 109 * System call to query whether the process is in capability mode. 110 */ 111 int 112 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 113 { 114 u_int i; 115 116 i = (IN_CAPABILITY_MODE(td)) ? 1 : 0; 117 return (copyout(&i, uap->modep, sizeof(i))); 118 } 119 120 #else /* !CAPABILITY_MODE */ 121 122 int 123 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 124 { 125 126 return (ENOSYS); 127 } 128 129 int 130 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 131 { 132 133 return (ENOSYS); 134 } 135 136 #endif /* CAPABILITY_MODE */ 137 138 #ifdef CAPABILITIES 139 140 FEATURE(security_capabilities, "Capsicum Capabilities"); 141 142 /* 143 * struct capability describes a capability, and is hung off of its struct 144 * file f_data field. cap_file and cap_rightss are static once hooked up, as 145 * neither the object it references nor the rights it encapsulates are 146 * permitted to change. 147 */ 148 struct capability { 149 struct file *cap_object; /* Underlying object's file. */ 150 struct file *cap_file; /* Back-pointer to cap's file. */ 151 cap_rights_t cap_rights; /* Mask of rights on object. */ 152 }; 153 154 /* 155 * Capabilities have a fileops vector, but in practice none should ever be 156 * called except for fo_close, as the capability will normally not be 157 * returned during a file descriptor lookup in the system call code. 158 */ 159 static fo_rdwr_t capability_read; 160 static fo_rdwr_t capability_write; 161 static fo_truncate_t capability_truncate; 162 static fo_ioctl_t capability_ioctl; 163 static fo_poll_t capability_poll; 164 static fo_kqfilter_t capability_kqfilter; 165 static fo_stat_t capability_stat; 166 static fo_close_t capability_close; 167 static fo_chmod_t capability_chmod; 168 static fo_chown_t capability_chown; 169 170 static struct fileops capability_ops = { 171 .fo_read = capability_read, 172 .fo_write = capability_write, 173 .fo_truncate = capability_truncate, 174 .fo_ioctl = capability_ioctl, 175 .fo_poll = capability_poll, 176 .fo_kqfilter = capability_kqfilter, 177 .fo_stat = capability_stat, 178 .fo_close = capability_close, 179 .fo_chmod = capability_chmod, 180 .fo_chown = capability_chown, 181 .fo_flags = DFLAG_PASSABLE, 182 }; 183 184 static struct fileops capability_ops_unpassable = { 185 .fo_read = capability_read, 186 .fo_write = capability_write, 187 .fo_truncate = capability_truncate, 188 .fo_ioctl = capability_ioctl, 189 .fo_poll = capability_poll, 190 .fo_kqfilter = capability_kqfilter, 191 .fo_stat = capability_stat, 192 .fo_close = capability_close, 193 .fo_chmod = capability_chmod, 194 .fo_chown = capability_chown, 195 .fo_flags = 0, 196 }; 197 198 static uma_zone_t capability_zone; 199 200 static void 201 capability_init(void *dummy __unused) 202 { 203 204 capability_zone = uma_zcreate("capability", sizeof(struct capability), 205 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); 206 if (capability_zone == NULL) 207 panic("capability_init: capability_zone not initialized"); 208 } 209 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_ANY, capability_init, NULL); 210 211 /* 212 * Test whether a capability grants the requested rights. 213 */ 214 static int 215 cap_check(struct capability *c, cap_rights_t rights) 216 { 217 218 if ((c->cap_rights | rights) != c->cap_rights) { 219 #ifdef KTRACE 220 if (KTRPOINT(curthread, KTR_CAPFAIL)) 221 ktrcapfail(CAPFAIL_NOTCAPABLE, rights, c->cap_rights); 222 #endif 223 return (ENOTCAPABLE); 224 } 225 return (0); 226 } 227 228 /* 229 * Extract rights from a capability for monitoring purposes -- not for use in 230 * any other way, as we want to keep all capability permission evaluation in 231 * this one file. 232 */ 233 cap_rights_t 234 cap_rights(struct file *fp_cap) 235 { 236 struct capability *c; 237 238 KASSERT(fp_cap->f_type == DTYPE_CAPABILITY, 239 ("cap_rights: !capability")); 240 241 c = fp_cap->f_data; 242 return (c->cap_rights); 243 } 244 245 /* 246 * System call to create a new capability reference to either an existing 247 * file object or an an existing capability. 248 */ 249 int 250 sys_cap_new(struct thread *td, struct cap_new_args *uap) 251 { 252 int error, capfd; 253 int fd = uap->fd; 254 struct file *fp; 255 cap_rights_t rights = uap->rights; 256 257 AUDIT_ARG_FD(fd); 258 AUDIT_ARG_RIGHTS(rights); 259 error = fget(td, fd, rights, &fp); 260 if (error) 261 return (error); 262 AUDIT_ARG_FILE(td->td_proc, fp); 263 error = kern_capwrap(td, fp, rights, &capfd); 264 if (error) 265 return (error); 266 267 /* 268 * Release our reference to the file (kern_capwrap has held a reference 269 * for the filedesc array). 270 */ 271 fdrop(fp, td); 272 td->td_retval[0] = capfd; 273 return (0); 274 } 275 276 /* 277 * System call to query the rights mask associated with a capability. 278 */ 279 int 280 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 281 { 282 struct capability *cp; 283 struct file *fp; 284 int error; 285 286 AUDIT_ARG_FD(uap->fd); 287 error = fgetcap(td, uap->fd, &fp); 288 if (error) 289 return (error); 290 cp = fp->f_data; 291 error = copyout(&cp->cap_rights, uap->rightsp, sizeof(*uap->rightsp)); 292 fdrop(fp, td); 293 return (error); 294 } 295 296 /* 297 * Create a capability to wrap around an existing file. 298 */ 299 int 300 kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights, 301 int *capfdp) 302 { 303 struct capability *cp, *cp_old; 304 struct file *fp_object, *fcapp; 305 int error; 306 307 if ((rights | CAP_MASK_VALID) != CAP_MASK_VALID) 308 return (EINVAL); 309 310 /* 311 * If a new capability is being derived from an existing capability, 312 * then the new capability rights must be a subset of the existing 313 * rights. 314 */ 315 if (fp->f_type == DTYPE_CAPABILITY) { 316 cp_old = fp->f_data; 317 if ((cp_old->cap_rights | rights) != cp_old->cap_rights) { 318 #ifdef KTRACE 319 if (KTRPOINT(curthread, KTR_CAPFAIL)) 320 ktrcapfail(CAPFAIL_INCREASE, 321 rights, cp_old->cap_rights); 322 #endif 323 return (ENOTCAPABLE); 324 } 325 } 326 327 /* 328 * Allocate a new file descriptor to hang the capability off of. 329 */ 330 error = falloc(td, &fcapp, capfdp, fp->f_flag); 331 if (error) 332 return (error); 333 334 /* 335 * Rather than nesting capabilities, directly reference the object an 336 * existing capability references. There's nothing else interesting 337 * to preserve for future use, as we've incorporated the previous 338 * rights mask into the new one. This prevents us from having to 339 * deal with capability chains. 340 */ 341 if (fp->f_type == DTYPE_CAPABILITY) 342 fp_object = ((struct capability *)fp->f_data)->cap_object; 343 else 344 fp_object = fp; 345 fhold(fp_object); 346 cp = uma_zalloc(capability_zone, M_WAITOK | M_ZERO); 347 cp->cap_rights = rights; 348 cp->cap_object = fp_object; 349 cp->cap_file = fcapp; 350 if (fp->f_flag & DFLAG_PASSABLE) 351 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 352 &capability_ops); 353 else 354 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 355 &capability_ops_unpassable); 356 357 /* 358 * Release our private reference (the proc filedesc still has one). 359 */ 360 fdrop(fcapp, td); 361 return (0); 362 } 363 364 /* 365 * Given a file descriptor, test it against a capability rights mask and then 366 * return the file descriptor on which to actually perform the requested 367 * operation. As long as the reference to fp_cap remains valid, the returned 368 * pointer in *fp will remain valid, so no extra reference management is 369 * required, and the caller should fdrop() fp_cap as normal when done with 370 * both. 371 */ 372 int 373 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 374 { 375 struct capability *c; 376 int error; 377 378 if (fp_cap->f_type != DTYPE_CAPABILITY) { 379 *fpp = fp_cap; 380 return (0); 381 } 382 c = fp_cap->f_data; 383 error = cap_check(c, rights); 384 if (error) 385 return (error); 386 *fpp = c->cap_object; 387 return (0); 388 } 389 390 /* 391 * Slightly different routine for memory mapping file descriptors: unwrap the 392 * capability and check CAP_MMAP, but also return a bitmask representing the 393 * maximum mapping rights the capability allows on the object. 394 */ 395 int 396 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 397 struct file **fpp) 398 { 399 struct capability *c; 400 u_char maxprot; 401 int error; 402 403 if (fp_cap->f_type != DTYPE_CAPABILITY) { 404 *fpp = fp_cap; 405 *maxprotp = VM_PROT_ALL; 406 return (0); 407 } 408 c = fp_cap->f_data; 409 error = cap_check(c, rights | CAP_MMAP); 410 if (error) 411 return (error); 412 *fpp = c->cap_object; 413 maxprot = 0; 414 if (c->cap_rights & CAP_READ) 415 maxprot |= VM_PROT_READ; 416 if (c->cap_rights & CAP_WRITE) 417 maxprot |= VM_PROT_WRITE; 418 if (c->cap_rights & CAP_MAPEXEC) 419 maxprot |= VM_PROT_EXECUTE; 420 *maxprotp = maxprot; 421 return (0); 422 } 423 424 /* 425 * When a capability is closed, simply drop the reference on the underlying 426 * object and free the capability. fdrop() will handle the case where the 427 * underlying object also needs to close, and the caller will have already 428 * performed any object-specific lock or mqueue handling. 429 */ 430 static int 431 capability_close(struct file *fp, struct thread *td) 432 { 433 struct capability *c; 434 struct file *fp_object; 435 436 KASSERT(fp->f_type == DTYPE_CAPABILITY, 437 ("capability_close: !capability")); 438 439 c = fp->f_data; 440 fp->f_ops = &badfileops; 441 fp->f_data = NULL; 442 fp_object = c->cap_object; 443 uma_zfree(capability_zone, c); 444 return (fdrop(fp_object, td)); 445 } 446 447 /* 448 * In general, file descriptor operations should never make it to the 449 * capability, only the underlying file descriptor operation vector, so panic 450 * if we do turn up here. 451 */ 452 static int 453 capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred, 454 int flags, struct thread *td) 455 { 456 457 panic("capability_read"); 458 } 459 460 static int 461 capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred, 462 int flags, struct thread *td) 463 { 464 465 panic("capability_write"); 466 } 467 468 static int 469 capability_truncate(struct file *fp, off_t length, struct ucred *active_cred, 470 struct thread *td) 471 { 472 473 panic("capability_truncate"); 474 } 475 476 static int 477 capability_ioctl(struct file *fp, u_long com, void *data, 478 struct ucred *active_cred, struct thread *td) 479 { 480 481 panic("capability_ioctl"); 482 } 483 484 static int 485 capability_poll(struct file *fp, int events, struct ucred *active_cred, 486 struct thread *td) 487 { 488 489 panic("capability_poll"); 490 } 491 492 static int 493 capability_kqfilter(struct file *fp, struct knote *kn) 494 { 495 496 panic("capability_kqfilter"); 497 } 498 499 static int 500 capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred, 501 struct thread *td) 502 { 503 504 panic("capability_stat"); 505 } 506 507 int 508 capability_chmod(struct file *fp, mode_t mode, struct ucred *active_cred, 509 struct thread *td) 510 { 511 512 panic("capability_chmod"); 513 } 514 515 int 516 capability_chown(struct file *fp, uid_t uid, gid_t gid, 517 struct ucred *active_cred, struct thread *td) 518 { 519 520 panic("capability_chown"); 521 } 522 523 #else /* !CAPABILITIES */ 524 525 /* 526 * Stub Capability functions for when options CAPABILITIES isn't compiled 527 * into the kernel. 528 */ 529 int 530 sys_cap_new(struct thread *td, struct cap_new_args *uap) 531 { 532 533 return (ENOSYS); 534 } 535 536 int 537 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 538 { 539 540 return (ENOSYS); 541 } 542 543 int 544 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 545 { 546 547 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 548 ("cap_funwrap: saw capability")); 549 550 *fpp = fp_cap; 551 return (0); 552 } 553 554 int 555 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 556 struct file **fpp) 557 { 558 559 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 560 ("cap_funwrap_mmap: saw capability")); 561 562 *fpp = fp_cap; 563 *maxprotp = VM_PROT_ALL; 564 return (0); 565 } 566 567 #endif /* CAPABILITIES */ 568