1 /*- 2 * Copyright (c) 2008-2011 Robert N. M. Watson 3 * Copyright (c) 2010-2011 Jonathan Anderson 4 * All rights reserved. 5 * 6 * This software was developed at the University of Cambridge Computer 7 * Laboratory with support from a grant from Google, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 /* 32 * FreeBSD kernel capability facility. 33 * 34 * Two kernel features are implemented here: capability mode, a sandboxed mode 35 * of execution for processes, and capabilities, a refinement on file 36 * descriptors that allows fine-grained control over operations on the file 37 * descriptor. Collectively, these allow processes to run in the style of a 38 * historic "capability system" in which they can use only resources 39 * explicitly delegated to them. This model is enforced by restricting access 40 * to global namespaces in capability mode. 41 * 42 * Capabilities wrap other file descriptor types, binding them to a constant 43 * rights mask set when the capability is created. New capabilities may be 44 * derived from existing capabilities, but only if they have the same or a 45 * strict subset of the rights on the original capability. 46 * 47 * System calls permitted in capability mode are defined in capabilities.conf; 48 * calls must be carefully audited for safety to ensure that they don't allow 49 * escape from a sandbox. Some calls permit only a subset of operations in 50 * capability mode -- for example, shm_open(2) is limited to creating 51 * anonymous, rather than named, POSIX shared memory objects. 52 */ 53 54 #include <sys/cdefs.h> 55 __FBSDID("$FreeBSD$"); 56 57 #include "opt_capsicum.h" 58 #include "opt_ktrace.h" 59 60 #include <sys/param.h> 61 #include <sys/capability.h> 62 #include <sys/file.h> 63 #include <sys/filedesc.h> 64 #include <sys/kernel.h> 65 #include <sys/lock.h> 66 #include <sys/mutex.h> 67 #include <sys/proc.h> 68 #include <sys/sysproto.h> 69 #include <sys/sysctl.h> 70 #include <sys/systm.h> 71 #include <sys/ucred.h> 72 #include <sys/uio.h> 73 #include <sys/ktrace.h> 74 75 #include <security/audit/audit.h> 76 77 #include <vm/uma.h> 78 #include <vm/vm.h> 79 80 #ifdef CAPABILITY_MODE 81 82 FEATURE(security_capability_mode, "Capsicum Capability Mode"); 83 84 /* 85 * System call to enter capability mode for the process. 86 */ 87 int 88 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 89 { 90 struct ucred *newcred, *oldcred; 91 struct proc *p; 92 93 if (IN_CAPABILITY_MODE(td)) 94 return (0); 95 96 newcred = crget(); 97 p = td->td_proc; 98 PROC_LOCK(p); 99 oldcred = p->p_ucred; 100 crcopy(newcred, oldcred); 101 newcred->cr_flags |= CRED_FLAG_CAPMODE; 102 p->p_ucred = newcred; 103 PROC_UNLOCK(p); 104 crfree(oldcred); 105 return (0); 106 } 107 108 /* 109 * System call to query whether the process is in capability mode. 110 */ 111 int 112 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 113 { 114 u_int i; 115 116 i = (IN_CAPABILITY_MODE(td)) ? 1 : 0; 117 return (copyout(&i, uap->modep, sizeof(i))); 118 } 119 120 #else /* !CAPABILITY_MODE */ 121 122 int 123 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 124 { 125 126 return (ENOSYS); 127 } 128 129 int 130 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 131 { 132 133 return (ENOSYS); 134 } 135 136 #endif /* CAPABILITY_MODE */ 137 138 #ifdef CAPABILITIES 139 140 FEATURE(security_capabilities, "Capsicum Capabilities"); 141 142 /* 143 * struct capability describes a capability, and is hung off of its struct 144 * file f_data field. cap_file and cap_rightss are static once hooked up, as 145 * neither the object it references nor the rights it encapsulates are 146 * permitted to change. 147 */ 148 struct capability { 149 struct file *cap_object; /* Underlying object's file. */ 150 struct file *cap_file; /* Back-pointer to cap's file. */ 151 cap_rights_t cap_rights; /* Mask of rights on object. */ 152 }; 153 154 /* 155 * Capabilities have a fileops vector, but in practice none should ever be 156 * called except for fo_close, as the capability will normally not be 157 * returned during a file descriptor lookup in the system call code. 158 */ 159 static fo_rdwr_t capability_read; 160 static fo_rdwr_t capability_write; 161 static fo_truncate_t capability_truncate; 162 static fo_ioctl_t capability_ioctl; 163 static fo_poll_t capability_poll; 164 static fo_kqfilter_t capability_kqfilter; 165 static fo_stat_t capability_stat; 166 static fo_close_t capability_close; 167 static fo_chmod_t capability_chmod; 168 static fo_chown_t capability_chown; 169 170 static struct fileops capability_ops = { 171 .fo_read = capability_read, 172 .fo_write = capability_write, 173 .fo_truncate = capability_truncate, 174 .fo_ioctl = capability_ioctl, 175 .fo_poll = capability_poll, 176 .fo_kqfilter = capability_kqfilter, 177 .fo_stat = capability_stat, 178 .fo_close = capability_close, 179 .fo_chmod = capability_chmod, 180 .fo_chown = capability_chown, 181 .fo_flags = DFLAG_PASSABLE, 182 }; 183 184 static struct fileops capability_ops_unpassable = { 185 .fo_read = capability_read, 186 .fo_write = capability_write, 187 .fo_truncate = capability_truncate, 188 .fo_ioctl = capability_ioctl, 189 .fo_poll = capability_poll, 190 .fo_kqfilter = capability_kqfilter, 191 .fo_stat = capability_stat, 192 .fo_close = capability_close, 193 .fo_chmod = capability_chmod, 194 .fo_chown = capability_chown, 195 .fo_flags = 0, 196 }; 197 198 static uma_zone_t capability_zone; 199 200 static void 201 capability_init(void *dummy __unused) 202 { 203 204 capability_zone = uma_zcreate("capability", sizeof(struct capability), 205 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); 206 if (capability_zone == NULL) 207 panic("capability_init: capability_zone not initialized"); 208 } 209 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_ANY, capability_init, NULL); 210 211 /* 212 * Test whether a capability grants the requested rights. 213 */ 214 static int 215 cap_check(struct capability *c, cap_rights_t rights) 216 { 217 218 if ((c->cap_rights | rights) != c->cap_rights) { 219 #ifdef KTRACE 220 if (KTRPOINT(curthread, KTR_CAPFAIL)) 221 ktrcapfail(CAPFAIL_NOTCAPABLE, rights, c->cap_rights); 222 #endif 223 return (ENOTCAPABLE); 224 } 225 return (0); 226 } 227 228 /* 229 * Extract rights from a capability for monitoring purposes -- not for use in 230 * any other way, as we want to keep all capability permission evaluation in 231 * this one file. 232 */ 233 cap_rights_t 234 cap_rights(struct file *fp_cap) 235 { 236 struct capability *c; 237 238 KASSERT(fp_cap->f_type == DTYPE_CAPABILITY, 239 ("cap_rights: !capability")); 240 241 c = fp_cap->f_data; 242 return (c->cap_rights); 243 } 244 245 /* 246 * System call to create a new capability reference to either an existing 247 * file object or an an existing capability. 248 */ 249 int 250 sys_cap_new(struct thread *td, struct cap_new_args *uap) 251 { 252 int error, capfd; 253 int fd = uap->fd; 254 struct file *fp; 255 cap_rights_t rights = uap->rights; 256 257 AUDIT_ARG_FD(fd); 258 AUDIT_ARG_RIGHTS(rights); 259 error = fget(td, fd, rights, &fp); 260 if (error) 261 return (error); 262 AUDIT_ARG_FILE(td->td_proc, fp); 263 error = kern_capwrap(td, fp, rights, &capfd); 264 /* 265 * Release our reference to the file (kern_capwrap has held a reference 266 * for the filedesc array). 267 */ 268 fdrop(fp, td); 269 if (error == 0) 270 td->td_retval[0] = capfd; 271 return (error); 272 } 273 274 /* 275 * System call to query the rights mask associated with a capability. 276 */ 277 int 278 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 279 { 280 struct capability *cp; 281 struct file *fp; 282 int error; 283 284 AUDIT_ARG_FD(uap->fd); 285 error = fgetcap(td, uap->fd, &fp); 286 if (error) 287 return (error); 288 cp = fp->f_data; 289 error = copyout(&cp->cap_rights, uap->rightsp, sizeof(*uap->rightsp)); 290 fdrop(fp, td); 291 return (error); 292 } 293 294 /* 295 * Create a capability to wrap around an existing file. 296 */ 297 int 298 kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights, 299 int *capfdp) 300 { 301 struct capability *cp, *cp_old; 302 struct file *fp_object, *fcapp; 303 int error; 304 305 if ((rights | CAP_MASK_VALID) != CAP_MASK_VALID) 306 return (EINVAL); 307 308 /* 309 * If a new capability is being derived from an existing capability, 310 * then the new capability rights must be a subset of the existing 311 * rights. 312 */ 313 if (fp->f_type == DTYPE_CAPABILITY) { 314 cp_old = fp->f_data; 315 if ((cp_old->cap_rights | rights) != cp_old->cap_rights) { 316 #ifdef KTRACE 317 if (KTRPOINT(curthread, KTR_CAPFAIL)) 318 ktrcapfail(CAPFAIL_INCREASE, 319 rights, cp_old->cap_rights); 320 #endif 321 return (ENOTCAPABLE); 322 } 323 } 324 325 /* 326 * Allocate a new file descriptor to hang the capability off of. 327 */ 328 error = falloc(td, &fcapp, capfdp, fp->f_flag); 329 if (error) 330 return (error); 331 332 /* 333 * Rather than nesting capabilities, directly reference the object an 334 * existing capability references. There's nothing else interesting 335 * to preserve for future use, as we've incorporated the previous 336 * rights mask into the new one. This prevents us from having to 337 * deal with capability chains. 338 */ 339 if (fp->f_type == DTYPE_CAPABILITY) 340 fp_object = ((struct capability *)fp->f_data)->cap_object; 341 else 342 fp_object = fp; 343 fhold(fp_object); 344 cp = uma_zalloc(capability_zone, M_WAITOK | M_ZERO); 345 cp->cap_rights = rights; 346 cp->cap_object = fp_object; 347 cp->cap_file = fcapp; 348 if (fp->f_flag & DFLAG_PASSABLE) 349 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 350 &capability_ops); 351 else 352 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 353 &capability_ops_unpassable); 354 355 /* 356 * Release our private reference (the proc filedesc still has one). 357 */ 358 fdrop(fcapp, td); 359 return (0); 360 } 361 362 /* 363 * Given a file descriptor, test it against a capability rights mask and then 364 * return the file descriptor on which to actually perform the requested 365 * operation. As long as the reference to fp_cap remains valid, the returned 366 * pointer in *fp will remain valid, so no extra reference management is 367 * required, and the caller should fdrop() fp_cap as normal when done with 368 * both. 369 */ 370 int 371 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 372 { 373 struct capability *c; 374 int error; 375 376 if (fp_cap->f_type != DTYPE_CAPABILITY) { 377 *fpp = fp_cap; 378 return (0); 379 } 380 c = fp_cap->f_data; 381 error = cap_check(c, rights); 382 if (error) 383 return (error); 384 *fpp = c->cap_object; 385 return (0); 386 } 387 388 /* 389 * Slightly different routine for memory mapping file descriptors: unwrap the 390 * capability and check CAP_MMAP, but also return a bitmask representing the 391 * maximum mapping rights the capability allows on the object. 392 */ 393 int 394 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 395 struct file **fpp) 396 { 397 struct capability *c; 398 u_char maxprot; 399 int error; 400 401 if (fp_cap->f_type != DTYPE_CAPABILITY) { 402 *fpp = fp_cap; 403 *maxprotp = VM_PROT_ALL; 404 return (0); 405 } 406 c = fp_cap->f_data; 407 error = cap_check(c, rights | CAP_MMAP); 408 if (error) 409 return (error); 410 *fpp = c->cap_object; 411 maxprot = 0; 412 if (c->cap_rights & CAP_READ) 413 maxprot |= VM_PROT_READ; 414 if (c->cap_rights & CAP_WRITE) 415 maxprot |= VM_PROT_WRITE; 416 if (c->cap_rights & CAP_MAPEXEC) 417 maxprot |= VM_PROT_EXECUTE; 418 *maxprotp = maxprot; 419 return (0); 420 } 421 422 /* 423 * When a capability is closed, simply drop the reference on the underlying 424 * object and free the capability. fdrop() will handle the case where the 425 * underlying object also needs to close, and the caller will have already 426 * performed any object-specific lock or mqueue handling. 427 */ 428 static int 429 capability_close(struct file *fp, struct thread *td) 430 { 431 struct capability *c; 432 struct file *fp_object; 433 434 KASSERT(fp->f_type == DTYPE_CAPABILITY, 435 ("capability_close: !capability")); 436 437 c = fp->f_data; 438 fp->f_ops = &badfileops; 439 fp->f_data = NULL; 440 fp_object = c->cap_object; 441 uma_zfree(capability_zone, c); 442 return (fdrop(fp_object, td)); 443 } 444 445 /* 446 * In general, file descriptor operations should never make it to the 447 * capability, only the underlying file descriptor operation vector, so panic 448 * if we do turn up here. 449 */ 450 static int 451 capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred, 452 int flags, struct thread *td) 453 { 454 455 panic("capability_read"); 456 } 457 458 static int 459 capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred, 460 int flags, struct thread *td) 461 { 462 463 panic("capability_write"); 464 } 465 466 static int 467 capability_truncate(struct file *fp, off_t length, struct ucred *active_cred, 468 struct thread *td) 469 { 470 471 panic("capability_truncate"); 472 } 473 474 static int 475 capability_ioctl(struct file *fp, u_long com, void *data, 476 struct ucred *active_cred, struct thread *td) 477 { 478 479 panic("capability_ioctl"); 480 } 481 482 static int 483 capability_poll(struct file *fp, int events, struct ucred *active_cred, 484 struct thread *td) 485 { 486 487 panic("capability_poll"); 488 } 489 490 static int 491 capability_kqfilter(struct file *fp, struct knote *kn) 492 { 493 494 panic("capability_kqfilter"); 495 } 496 497 static int 498 capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred, 499 struct thread *td) 500 { 501 502 panic("capability_stat"); 503 } 504 505 int 506 capability_chmod(struct file *fp, mode_t mode, struct ucred *active_cred, 507 struct thread *td) 508 { 509 510 panic("capability_chmod"); 511 } 512 513 int 514 capability_chown(struct file *fp, uid_t uid, gid_t gid, 515 struct ucred *active_cred, struct thread *td) 516 { 517 518 panic("capability_chown"); 519 } 520 521 #else /* !CAPABILITIES */ 522 523 /* 524 * Stub Capability functions for when options CAPABILITIES isn't compiled 525 * into the kernel. 526 */ 527 int 528 sys_cap_new(struct thread *td, struct cap_new_args *uap) 529 { 530 531 return (ENOSYS); 532 } 533 534 int 535 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 536 { 537 538 return (ENOSYS); 539 } 540 541 int 542 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 543 { 544 545 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 546 ("cap_funwrap: saw capability")); 547 548 *fpp = fp_cap; 549 return (0); 550 } 551 552 int 553 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 554 struct file **fpp) 555 { 556 557 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 558 ("cap_funwrap_mmap: saw capability")); 559 560 *fpp = fp_cap; 561 *maxprotp = VM_PROT_ALL; 562 return (0); 563 } 564 565 #endif /* CAPABILITIES */ 566