1 /*- 2 * Copyright (c) 2008-2011 Robert N. M. Watson 3 * Copyright (c) 2010-2011 Jonathan Anderson 4 * All rights reserved. 5 * 6 * This software was developed at the University of Cambridge Computer 7 * Laboratory with support from a grant from Google, Inc. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 */ 30 31 /* 32 * FreeBSD kernel capability facility. 33 * 34 * Two kernel features are implemented here: capability mode, a sandboxed mode 35 * of execution for processes, and capabilities, a refinement on file 36 * descriptors that allows fine-grained control over operations on the file 37 * descriptor. Collectively, these allow processes to run in the style of a 38 * historic "capability system" in which they can use only resources 39 * explicitly delegated to them. This model is enforced by restricting access 40 * to global namespaces in capability mode. 41 * 42 * Capabilities wrap other file descriptor types, binding them to a constant 43 * rights mask set when the capability is created. New capabilities may be 44 * derived from existing capabilities, but only if they have the same or a 45 * strict subset of the rights on the original capability. 46 * 47 * System calls permitted in capability mode are defined in capabilities.conf; 48 * calls must be carefully audited for safety to ensure that they don't allow 49 * escape from a sandbox. Some calls permit only a subset of operations in 50 * capability mode -- for example, shm_open(2) is limited to creating 51 * anonymous, rather than named, POSIX shared memory objects. 52 */ 53 54 #include "opt_capsicum.h" 55 56 #include <sys/cdefs.h> 57 __FBSDID("$FreeBSD$"); 58 59 #include <sys/param.h> 60 #include <sys/capability.h> 61 #include <sys/file.h> 62 #include <sys/filedesc.h> 63 #include <sys/kernel.h> 64 #include <sys/lock.h> 65 #include <sys/mutex.h> 66 #include <sys/proc.h> 67 #include <sys/sysproto.h> 68 #include <sys/sysctl.h> 69 #include <sys/systm.h> 70 #include <sys/ucred.h> 71 72 #include <security/audit/audit.h> 73 74 #include <vm/uma.h> 75 #include <vm/vm.h> 76 77 #ifdef CAPABILITY_MODE 78 79 FEATURE(security_capability_mode, "Capsicum Capability Mode"); 80 81 /* 82 * System call to enter capability mode for the process. 83 */ 84 int 85 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 86 { 87 struct ucred *newcred, *oldcred; 88 struct proc *p; 89 90 if (IN_CAPABILITY_MODE(td)) 91 return (0); 92 93 newcred = crget(); 94 p = td->td_proc; 95 PROC_LOCK(p); 96 oldcred = p->p_ucred; 97 crcopy(newcred, oldcred); 98 newcred->cr_flags |= CRED_FLAG_CAPMODE; 99 p->p_ucred = newcred; 100 PROC_UNLOCK(p); 101 crfree(oldcred); 102 return (0); 103 } 104 105 /* 106 * System call to query whether the process is in capability mode. 107 */ 108 int 109 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 110 { 111 u_int i; 112 113 i = (IN_CAPABILITY_MODE(td)) ? 1 : 0; 114 return (copyout(&i, uap->modep, sizeof(i))); 115 } 116 117 #else /* !CAPABILITY_MODE */ 118 119 int 120 sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 121 { 122 123 return (ENOSYS); 124 } 125 126 int 127 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 128 { 129 130 return (ENOSYS); 131 } 132 133 #endif /* CAPABILITY_MODE */ 134 135 #ifdef CAPABILITIES 136 137 FEATURE(security_capabilities, "Capsicum Capabilities"); 138 139 /* 140 * struct capability describes a capability, and is hung off of its struct 141 * file f_data field. cap_file and cap_rightss are static once hooked up, as 142 * neither the object it references nor the rights it encapsulates are 143 * permitted to change. 144 */ 145 struct capability { 146 struct file *cap_object; /* Underlying object's file. */ 147 struct file *cap_file; /* Back-pointer to cap's file. */ 148 cap_rights_t cap_rights; /* Mask of rights on object. */ 149 }; 150 151 /* 152 * Capabilities have a fileops vector, but in practice none should ever be 153 * called except for fo_close, as the capability will normally not be 154 * returned during a file descriptor lookup in the system call code. 155 */ 156 static fo_rdwr_t capability_read; 157 static fo_rdwr_t capability_write; 158 static fo_truncate_t capability_truncate; 159 static fo_ioctl_t capability_ioctl; 160 static fo_poll_t capability_poll; 161 static fo_kqfilter_t capability_kqfilter; 162 static fo_stat_t capability_stat; 163 static fo_close_t capability_close; 164 static fo_chmod_t capability_chmod; 165 static fo_chown_t capability_chown; 166 167 static struct fileops capability_ops = { 168 .fo_read = capability_read, 169 .fo_write = capability_write, 170 .fo_truncate = capability_truncate, 171 .fo_ioctl = capability_ioctl, 172 .fo_poll = capability_poll, 173 .fo_kqfilter = capability_kqfilter, 174 .fo_stat = capability_stat, 175 .fo_close = capability_close, 176 .fo_chmod = capability_chmod, 177 .fo_chown = capability_chown, 178 .fo_flags = DFLAG_PASSABLE, 179 }; 180 181 static struct fileops capability_ops_unpassable = { 182 .fo_read = capability_read, 183 .fo_write = capability_write, 184 .fo_truncate = capability_truncate, 185 .fo_ioctl = capability_ioctl, 186 .fo_poll = capability_poll, 187 .fo_kqfilter = capability_kqfilter, 188 .fo_stat = capability_stat, 189 .fo_close = capability_close, 190 .fo_chmod = capability_chmod, 191 .fo_chown = capability_chown, 192 .fo_flags = 0, 193 }; 194 195 static uma_zone_t capability_zone; 196 197 static void 198 capability_init(void *dummy __unused) 199 { 200 201 capability_zone = uma_zcreate("capability", sizeof(struct capability), 202 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); 203 if (capability_zone == NULL) 204 panic("capability_init: capability_zone not initialized"); 205 } 206 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_ANY, capability_init, NULL); 207 208 /* 209 * Test whether a capability grants the requested rights. 210 */ 211 static int 212 cap_check(struct capability *c, cap_rights_t rights) 213 { 214 215 if ((c->cap_rights | rights) != c->cap_rights) 216 return (ENOTCAPABLE); 217 return (0); 218 } 219 220 /* 221 * Extract rights from a capability for monitoring purposes -- not for use in 222 * any other way, as we want to keep all capability permission evaluation in 223 * this one file. 224 */ 225 cap_rights_t 226 cap_rights(struct file *fp_cap) 227 { 228 struct capability *c; 229 230 KASSERT(fp_cap->f_type == DTYPE_CAPABILITY, 231 ("cap_rights: !capability")); 232 233 c = fp_cap->f_data; 234 return (c->cap_rights); 235 } 236 237 /* 238 * System call to create a new capability reference to either an existing 239 * file object or an an existing capability. 240 */ 241 int 242 sys_cap_new(struct thread *td, struct cap_new_args *uap) 243 { 244 int error, capfd; 245 int fd = uap->fd; 246 struct file *fp; 247 cap_rights_t rights = uap->rights; 248 249 AUDIT_ARG_FD(fd); 250 AUDIT_ARG_RIGHTS(rights); 251 error = fget(td, fd, rights, &fp); 252 if (error) 253 return (error); 254 AUDIT_ARG_FILE(td->td_proc, fp); 255 error = kern_capwrap(td, fp, rights, &capfd); 256 if (error) 257 return (error); 258 259 /* 260 * Release our reference to the file (kern_capwrap has held a reference 261 * for the filedesc array). 262 */ 263 fdrop(fp, td); 264 td->td_retval[0] = capfd; 265 return (0); 266 } 267 268 /* 269 * System call to query the rights mask associated with a capability. 270 */ 271 int 272 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 273 { 274 struct capability *cp; 275 struct file *fp; 276 int error; 277 278 AUDIT_ARG_FD(uap->fd); 279 error = fgetcap(td, uap->fd, &fp); 280 if (error) 281 return (error); 282 cp = fp->f_data; 283 error = copyout(&cp->cap_rights, uap->rightsp, sizeof(*uap->rightsp)); 284 fdrop(fp, td); 285 return (error); 286 } 287 288 /* 289 * Create a capability to wrap around an existing file. 290 */ 291 int 292 kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights, 293 int *capfdp) 294 { 295 struct capability *cp, *cp_old; 296 struct file *fp_object, *fcapp; 297 int error; 298 299 if ((rights | CAP_MASK_VALID) != CAP_MASK_VALID) 300 return (EINVAL); 301 302 /* 303 * If a new capability is being derived from an existing capability, 304 * then the new capability rights must be a subset of the existing 305 * rights. 306 */ 307 if (fp->f_type == DTYPE_CAPABILITY) { 308 cp_old = fp->f_data; 309 if ((cp_old->cap_rights | rights) != cp_old->cap_rights) 310 return (ENOTCAPABLE); 311 } 312 313 /* 314 * Allocate a new file descriptor to hang the capability off of. 315 */ 316 error = falloc(td, &fcapp, capfdp, fp->f_flag); 317 if (error) 318 return (error); 319 320 /* 321 * Rather than nesting capabilities, directly reference the object an 322 * existing capability references. There's nothing else interesting 323 * to preserve for future use, as we've incorporated the previous 324 * rights mask into the new one. This prevents us from having to 325 * deal with capability chains. 326 */ 327 if (fp->f_type == DTYPE_CAPABILITY) 328 fp_object = ((struct capability *)fp->f_data)->cap_object; 329 else 330 fp_object = fp; 331 fhold(fp_object); 332 cp = uma_zalloc(capability_zone, M_WAITOK | M_ZERO); 333 cp->cap_rights = rights; 334 cp->cap_object = fp_object; 335 cp->cap_file = fcapp; 336 if (fp->f_flag & DFLAG_PASSABLE) 337 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 338 &capability_ops); 339 else 340 finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp, 341 &capability_ops_unpassable); 342 343 /* 344 * Release our private reference (the proc filedesc still has one). 345 */ 346 fdrop(fcapp, td); 347 return (0); 348 } 349 350 /* 351 * Given a file descriptor, test it against a capability rights mask and then 352 * return the file descriptor on which to actually perform the requested 353 * operation. As long as the reference to fp_cap remains valid, the returned 354 * pointer in *fp will remain valid, so no extra reference management is 355 * required, and the caller should fdrop() fp_cap as normal when done with 356 * both. 357 */ 358 int 359 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 360 { 361 struct capability *c; 362 int error; 363 364 if (fp_cap->f_type != DTYPE_CAPABILITY) { 365 *fpp = fp_cap; 366 return (0); 367 } 368 c = fp_cap->f_data; 369 error = cap_check(c, rights); 370 if (error) 371 return (error); 372 *fpp = c->cap_object; 373 return (0); 374 } 375 376 /* 377 * Slightly different routine for memory mapping file descriptors: unwrap the 378 * capability and check CAP_MMAP, but also return a bitmask representing the 379 * maximum mapping rights the capability allows on the object. 380 */ 381 int 382 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 383 struct file **fpp) 384 { 385 struct capability *c; 386 u_char maxprot; 387 int error; 388 389 if (fp_cap->f_type != DTYPE_CAPABILITY) { 390 *fpp = fp_cap; 391 *maxprotp = VM_PROT_ALL; 392 return (0); 393 } 394 c = fp_cap->f_data; 395 error = cap_check(c, rights | CAP_MMAP); 396 if (error) 397 return (error); 398 *fpp = c->cap_object; 399 maxprot = 0; 400 if (c->cap_rights & CAP_READ) 401 maxprot |= VM_PROT_READ; 402 if (c->cap_rights & CAP_WRITE) 403 maxprot |= VM_PROT_WRITE; 404 if (c->cap_rights & CAP_MAPEXEC) 405 maxprot |= VM_PROT_EXECUTE; 406 *maxprotp = maxprot; 407 return (0); 408 } 409 410 /* 411 * When a capability is closed, simply drop the reference on the underlying 412 * object and free the capability. fdrop() will handle the case where the 413 * underlying object also needs to close, and the caller will have already 414 * performed any object-specific lock or mqueue handling. 415 */ 416 static int 417 capability_close(struct file *fp, struct thread *td) 418 { 419 struct capability *c; 420 struct file *fp_object; 421 422 KASSERT(fp->f_type == DTYPE_CAPABILITY, 423 ("capability_close: !capability")); 424 425 c = fp->f_data; 426 fp->f_ops = &badfileops; 427 fp->f_data = NULL; 428 fp_object = c->cap_object; 429 uma_zfree(capability_zone, c); 430 return (fdrop(fp_object, td)); 431 } 432 433 /* 434 * In general, file descriptor operations should never make it to the 435 * capability, only the underlying file descriptor operation vector, so panic 436 * if we do turn up here. 437 */ 438 static int 439 capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred, 440 int flags, struct thread *td) 441 { 442 443 panic("capability_read"); 444 } 445 446 static int 447 capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred, 448 int flags, struct thread *td) 449 { 450 451 panic("capability_write"); 452 } 453 454 static int 455 capability_truncate(struct file *fp, off_t length, struct ucred *active_cred, 456 struct thread *td) 457 { 458 459 panic("capability_truncate"); 460 } 461 462 static int 463 capability_ioctl(struct file *fp, u_long com, void *data, 464 struct ucred *active_cred, struct thread *td) 465 { 466 467 panic("capability_ioctl"); 468 } 469 470 static int 471 capability_poll(struct file *fp, int events, struct ucred *active_cred, 472 struct thread *td) 473 { 474 475 panic("capability_poll"); 476 } 477 478 static int 479 capability_kqfilter(struct file *fp, struct knote *kn) 480 { 481 482 panic("capability_kqfilter"); 483 } 484 485 static int 486 capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred, 487 struct thread *td) 488 { 489 490 panic("capability_stat"); 491 } 492 493 int 494 capability_chmod(struct file *fp, mode_t mode, struct ucred *active_cred, 495 struct thread *td) 496 { 497 498 panic("capability_chmod"); 499 } 500 501 int 502 capability_chown(struct file *fp, uid_t uid, gid_t gid, 503 struct ucred *active_cred, struct thread *td) 504 { 505 506 panic("capability_chown"); 507 } 508 509 #else /* !CAPABILITIES */ 510 511 /* 512 * Stub Capability functions for when options CAPABILITIES isn't compiled 513 * into the kernel. 514 */ 515 int 516 sys_cap_new(struct thread *td, struct cap_new_args *uap) 517 { 518 519 return (ENOSYS); 520 } 521 522 int 523 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap) 524 { 525 526 return (ENOSYS); 527 } 528 529 int 530 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp) 531 { 532 533 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 534 ("cap_funwrap: saw capability")); 535 536 *fpp = fp_cap; 537 return (0); 538 } 539 540 int 541 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, 542 struct file **fpp) 543 { 544 545 KASSERT(fp_cap->f_type != DTYPE_CAPABILITY, 546 ("cap_funwrap_mmap: saw capability")); 547 548 *fpp = fp_cap; 549 *maxprotp = VM_PROT_ALL; 550 return (0); 551 } 552 553 #endif /* CAPABILITIES */ 554