FreeBSD kernel kern code
sys_capability.c
Go to the documentation of this file.
1 /*-
2  * Copyright (c) 2008-2011 Robert N. M. Watson
3  * Copyright (c) 2010-2011 Jonathan Anderson
4  * All rights reserved.
5  *
6  * This software was developed at the University of Cambridge Computer
7  * Laboratory with support from a grant from Google, Inc.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  * notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  * notice, this list of conditions and the following disclaimer in the
16  * documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  */
30 
31 /*
32  * FreeBSD kernel capability facility.
33  *
34  * Two kernel features are implemented here: capability mode, a sandboxed mode
35  * of execution for processes, and capabilities, a refinement on file
36  * descriptors that allows fine-grained control over operations on the file
37  * descriptor. Collectively, these allow processes to run in the style of a
38  * historic "capability system" in which they can use only resources
39  * explicitly delegated to them. This model is enforced by restricting access
40  * to global namespaces in capability mode.
41  *
42  * Capabilities wrap other file descriptor types, binding them to a constant
43  * rights mask set when the capability is created. New capabilities may be
44  * derived from existing capabilities, but only if they have the same or a
45  * strict subset of the rights on the original capability.
46  *
47  * System calls permitted in capability mode are defined in capabilities.conf;
48  * calls must be carefully audited for safety to ensure that they don't allow
49  * escape from a sandbox. Some calls permit only a subset of operations in
50  * capability mode -- for example, shm_open(2) is limited to creating
51  * anonymous, rather than named, POSIX shared memory objects.
52  */
53 
54 #include "opt_capsicum.h"
55 
56 #include <sys/cdefs.h>
57 __FBSDID("$BSDSUniX$");
58 
59 #include <sys/param.h>
60 #include <sys/capability.h>
61 #include <sys/file.h>
62 #include <sys/filedesc.h>
63 #include <sys/kernel.h>
64 #include <sys/lock.h>
65 #include <sys/mutex.h>
66 #include <sys/proc.h>
67 #include <sys/sysproto.h>
68 #include <sys/sysctl.h>
69 #include <sys/systm.h>
70 #include <sys/ucred.h>
71 
72 #include <security/audit/audit.h>
73 
74 #include <vm/uma.h>
75 #include <vm/vm.h>
76 
77 #ifdef CAPABILITY_MODE
78 
79 FEATURE(security_capability_mode, "Capsicum Capability Mode");
80 
81 /*
82  * System call to enter capability mode for the process.
83  */
84 int
85 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
86 {
87  struct ucred *newcred, *oldcred;
88  struct proc *p;
89 
90  if (IN_CAPABILITY_MODE(td))
91  return (0);
92 
93  newcred = crget();
94  p = td->td_proc;
95  PROC_LOCK(p);
96  oldcred = p->p_ucred;
97  crcopy(newcred, oldcred);
98  newcred->cr_flags |= CRED_FLAG_CAPMODE;
99  p->p_ucred = newcred;
100  PROC_UNLOCK(p);
101  crfree(oldcred);
102  return (0);
103 }
104 
105 /*
106  * System call to query whether the process is in capability mode.
107  */
108 int
109 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
110 {
111  u_int i;
112 
113  i = (IN_CAPABILITY_MODE(td)) ? 1 : 0;
114  return (copyout(&i, uap->modep, sizeof(i)));
115 }
116 
117 #else /* !CAPABILITY_MODE */
118 
119 int
120 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
121 {
122 
123  return (ENOSYS);
124 }
125 
126 int
127 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
128 {
129 
130  return (ENOSYS);
131 }
132 
133 #endif /* CAPABILITY_MODE */
134 
135 #ifdef CAPABILITIES
136 
137 FEATURE(security_capabilities, "Capsicum Capabilities");
138 
139 /*
140  * struct capability describes a capability, and is hung off of its struct
141  * file f_data field. cap_file and cap_rightss are static once hooked up, as
142  * neither the object it references nor the rights it encapsulates are
143  * permitted to change.
144  */
145 struct capability {
146  struct file *cap_object; /* Underlying object's file. */
147  struct file *cap_file; /* Back-pointer to cap's file. */
148  cap_rights_t cap_rights; /* Mask of rights on object. */
149 };
150 
151 /*
152  * Capabilities have a fileops vector, but in practice none should ever be
153  * called except for fo_close, as the capability will normally not be
154  * returned during a file descriptor lookup in the system call code.
155  */
156 static fo_rdwr_t capability_read;
157 static fo_rdwr_t capability_write;
158 static fo_truncate_t capability_truncate;
159 static fo_ioctl_t capability_ioctl;
160 static fo_poll_t capability_poll;
161 static fo_kqfilter_t capability_kqfilter;
162 static fo_stat_t capability_stat;
163 static fo_close_t capability_close;
164 static fo_chmod_t capability_chmod;
165 static fo_chown_t capability_chown;
166 
167 static struct fileops capability_ops = {
168  .fo_read = capability_read,
169  .fo_write = capability_write,
170  .fo_truncate = capability_truncate,
171  .fo_ioctl = capability_ioctl,
172  .fo_poll = capability_poll,
173  .fo_kqfilter = capability_kqfilter,
174  .fo_stat = capability_stat,
175  .fo_close = capability_close,
176  .fo_chmod = capability_chmod,
177  .fo_chown = capability_chown,
178  .fo_flags = DFLAG_PASSABLE,
179 };
180 
181 static struct fileops capability_ops_unpassable = {
182  .fo_read = capability_read,
183  .fo_write = capability_write,
184  .fo_truncate = capability_truncate,
185  .fo_ioctl = capability_ioctl,
186  .fo_poll = capability_poll,
187  .fo_kqfilter = capability_kqfilter,
188  .fo_stat = capability_stat,
189  .fo_close = capability_close,
190  .fo_chmod = capability_chmod,
191  .fo_chown = capability_chown,
192  .fo_flags = 0,
193 };
194 
195 static uma_zone_t capability_zone;
196 
197 static void
198 capability_init(void *dummy __unused)
199 {
200 
201  capability_zone = uma_zcreate("capability", sizeof(struct capability),
202  NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
203  if (capability_zone == NULL)
204  panic("capability_init: capability_zone not initialized");
205 }
206 SYSINIT(vfs, SI_SUB_VFS, SI_ORDER_ANY, capability_init, NULL);
207 
208 /*
209  * Test whether a capability grants the requested rights.
210  */
211 static int
212 cap_check(struct capability *c, cap_rights_t rights)
213 {
214 
215  if ((c->cap_rights | rights) != c->cap_rights)
216  return (ENOTCAPABLE);
217  return (0);
218 }
219 
220 /*
221  * Extract rights from a capability for monitoring purposes -- not for use in
222  * any other way, as we want to keep all capability permission evaluation in
223  * this one file.
224  */
225 cap_rights_t
226 cap_rights(struct file *fp_cap)
227 {
228  struct capability *c;
229 
230  KASSERT(fp_cap->f_type == DTYPE_CAPABILITY,
231  ("cap_rights: !capability"));
232 
233  c = fp_cap->f_data;
234  return (c->cap_rights);
235 }
236 
237 /*
238  * System call to create a new capability reference to either an existing
239  * file object or an an existing capability.
240  */
241 int
242 sys_cap_new(struct thread *td, struct cap_new_args *uap)
243 {
244  int error, capfd;
245  int fd = uap->fd;
246  struct file *fp;
247  cap_rights_t rights = uap->rights;
248 
249  AUDIT_ARG_FD(fd);
250  AUDIT_ARG_RIGHTS(rights);
251  error = fget(td, fd, rights, &fp);
252  if (error)
253  return (error);
254  AUDIT_ARG_FILE(td->td_proc, fp);
255  error = kern_capwrap(td, fp, rights, &capfd);
256  /*
257  * Release our reference to the file (kern_capwrap has held a reference
258  * for the filedesc array).
259  */
260  fdrop(fp, td);
261  if (error == 0)
262  td->td_retval[0] = capfd;
263  return (error);
264 }
265 
266 /*
267  * System call to query the rights mask associated with a capability.
268  */
269 int
270 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap)
271 {
272  struct capability *cp;
273  struct file *fp;
274  int error;
275 
276  AUDIT_ARG_FD(uap->fd);
277  error = fgetcap(td, uap->fd, &fp);
278  if (error)
279  return (error);
280  cp = fp->f_data;
281  error = copyout(&cp->cap_rights, uap->rightsp, sizeof(*uap->rightsp));
282  fdrop(fp, td);
283  return (error);
284 }
285 
286 /*
287  * Create a capability to wrap around an existing file.
288  */
289 int
290 kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights,
291  int *capfdp)
292 {
293  struct capability *cp, *cp_old;
294  struct file *fp_object, *fcapp;
295  int error;
296 
297  if ((rights | CAP_MASK_VALID) != CAP_MASK_VALID)
298  return (EINVAL);
299 
300  /*
301  * If a new capability is being derived from an existing capability,
302  * then the new capability rights must be a subset of the existing
303  * rights.
304  */
305  if (fp->f_type == DTYPE_CAPABILITY) {
306  cp_old = fp->f_data;
307  if ((cp_old->cap_rights | rights) != cp_old->cap_rights)
308  return (ENOTCAPABLE);
309  }
310 
311  /*
312  * Allocate a new file descriptor to hang the capability off of.
313  */
314  error = falloc(td, &fcapp, capfdp, fp->f_flag);
315  if (error)
316  return (error);
317 
318  /*
319  * Rather than nesting capabilities, directly reference the object an
320  * existing capability references. There's nothing else interesting
321  * to preserve for future use, as we've incorporated the previous
322  * rights mask into the new one. This prevents us from having to
323  * deal with capability chains.
324  */
325  if (fp->f_type == DTYPE_CAPABILITY)
326  fp_object = ((struct capability *)fp->f_data)->cap_object;
327  else
328  fp_object = fp;
329  fhold(fp_object);
330  cp = uma_zalloc(capability_zone, M_WAITOK | M_ZERO);
331  cp->cap_rights = rights;
332  cp->cap_object = fp_object;
333  cp->cap_file = fcapp;
334  if (fp->f_flag & DFLAG_PASSABLE)
335  finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp,
336  &capability_ops);
337  else
338  finit(fcapp, fp->f_flag, DTYPE_CAPABILITY, cp,
339  &capability_ops_unpassable);
340 
341  /*
342  * Release our private reference (the proc filedesc still has one).
343  */
344  fdrop(fcapp, td);
345  return (0);
346 }
347 
348 /*
349  * Given a file descriptor, test it against a capability rights mask and then
350  * return the file descriptor on which to actually perform the requested
351  * operation. As long as the reference to fp_cap remains valid, the returned
352  * pointer in *fp will remain valid, so no extra reference management is
353  * required, and the caller should fdrop() fp_cap as normal when done with
354  * both.
355  */
356 int
357 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp)
358 {
359  struct capability *c;
360  int error;
361 
362  if (fp_cap->f_type != DTYPE_CAPABILITY) {
363  *fpp = fp_cap;
364  return (0);
365  }
366  c = fp_cap->f_data;
367  error = cap_check(c, rights);
368  if (error)
369  return (error);
370  *fpp = c->cap_object;
371  return (0);
372 }
373 
374 /*
375  * Slightly different routine for memory mapping file descriptors: unwrap the
376  * capability and check CAP_MMAP, but also return a bitmask representing the
377  * maximum mapping rights the capability allows on the object.
378  */
379 int
380 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp,
381  struct file **fpp)
382 {
383  struct capability *c;
384  u_char maxprot;
385  int error;
386 
387  if (fp_cap->f_type != DTYPE_CAPABILITY) {
388  *fpp = fp_cap;
389  *maxprotp = VM_PROT_ALL;
390  return (0);
391  }
392  c = fp_cap->f_data;
393  error = cap_check(c, rights | CAP_MMAP);
394  if (error)
395  return (error);
396  *fpp = c->cap_object;
397  maxprot = 0;
398  if (c->cap_rights & CAP_READ)
399  maxprot |= VM_PROT_READ;
400  if (c->cap_rights & CAP_WRITE)
401  maxprot |= VM_PROT_WRITE;
402  if (c->cap_rights & CAP_MAPEXEC)
403  maxprot |= VM_PROT_EXECUTE;
404  *maxprotp = maxprot;
405  return (0);
406 }
407 
408 /*
409  * When a capability is closed, simply drop the reference on the underlying
410  * object and free the capability. fdrop() will handle the case where the
411  * underlying object also needs to close, and the caller will have already
412  * performed any object-specific lock or mqueue handling.
413  */
414 static int
415 capability_close(struct file *fp, struct thread *td)
416 {
417  struct capability *c;
418  struct file *fp_object;
419 
420  KASSERT(fp->f_type == DTYPE_CAPABILITY,
421  ("capability_close: !capability"));
422 
423  c = fp->f_data;
424  fp->f_ops = &badfileops;
425  fp->f_data = NULL;
426  fp_object = c->cap_object;
427  uma_zfree(capability_zone, c);
428  return (fdrop(fp_object, td));
429 }
430 
431 /*
432  * In general, file descriptor operations should never make it to the
433  * capability, only the underlying file descriptor operation vector, so panic
434  * if we do turn up here.
435  */
436 static int
437 capability_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
438  int flags, struct thread *td)
439 {
440 
441  panic("capability_read");
442 }
443 
444 static int
445 capability_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
446  int flags, struct thread *td)
447 {
448 
449  panic("capability_write");
450 }
451 
452 static int
453 capability_truncate(struct file *fp, off_t length, struct ucred *active_cred,
454  struct thread *td)
455 {
456 
457  panic("capability_truncate");
458 }
459 
460 static int
461 capability_ioctl(struct file *fp, u_long com, void *data,
462  struct ucred *active_cred, struct thread *td)
463 {
464 
465  panic("capability_ioctl");
466 }
467 
468 static int
469 capability_poll(struct file *fp, int events, struct ucred *active_cred,
470  struct thread *td)
471 {
472 
473  panic("capability_poll");
474 }
475 
476 static int
477 capability_kqfilter(struct file *fp, struct knote *kn)
478 {
479 
480  panic("capability_kqfilter");
481 }
482 
483 static int
484 capability_stat(struct file *fp, struct stat *sb, struct ucred *active_cred,
485  struct thread *td)
486 {
487 
488  panic("capability_stat");
489 }
490 
491 int
492 capability_chmod(struct file *fp, mode_t mode, struct ucred *active_cred,
493  struct thread *td)
494 {
495 
496  panic("capability_chmod");
497 }
498 
499 int
500 capability_chown(struct file *fp, uid_t uid, gid_t gid,
501  struct ucred *active_cred, struct thread *td)
502 {
503 
504  panic("capability_chown");
505 }
506 
507 #else /* !CAPABILITIES */
508 
509 /*
510  * Stub Capability functions for when options CAPABILITIES isn't compiled
511  * into the kernel.
512  */
513 int
514 sys_cap_new(struct thread *td, struct cap_new_args *uap)
515 {
516 
517  return (ENOSYS);
518 }
519 
520 int
521 sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap)
522 {
523 
524  return (ENOSYS);
525 }
526 
527 int
528 cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp)
529 {
530 
531  KASSERT(fp_cap->f_type != DTYPE_CAPABILITY,
532  ("cap_funwrap: saw capability"));
533 
534  *fpp = fp_cap;
535  return (0);
536 }
537 
538 int
539 cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp,
540  struct file **fpp)
541 {
542 
543  KASSERT(fp_cap->f_type != DTYPE_CAPABILITY,
544  ("cap_funwrap_mmap: saw capability"));
545 
546  *fpp = fp_cap;
547  *maxprotp = VM_PROT_ALL;
548  return (0);
549 }
550 
551 #endif /* CAPABILITIES */
fd
int fd
Definition: kern_exec.c:199
mode
int mode
Definition: vfs_syscalls.c:2158
cap_funwrap
int cap_funwrap(struct file *fp_cap, cap_rights_t rights, struct file **fpp)
Definition: sys_capability.c:528
sys_cap_getmode
int sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
Definition: sys_capability.c:127
panic
void panic(const char *fmt,...)
Definition: kern_shutdown.c:557
SYSINIT
SYSINIT(placeholder, SI_SUB_DUMMY, SI_ORDER_ANY, NULL, NULL)
knote
void knote(struct knlist *list, long hint, int lockflags)
Definition: kern_event.c:1806
fgetcap
int fgetcap(struct thread *td, int fd, struct file **fpp)
Definition: kern_descrip.c:2520
falloc
int falloc(struct thread *td, struct file **resultfp, int *resultfd, int flags)
Definition: kern_descrip.c:1666
fget
int fget(struct thread *td, int fd, cap_rights_t rights, struct file **fpp)
Definition: kern_descrip.c:2486
dummy
static int dummy
Definition: uipc_sockbuf.c:1116
sys_cap_new
int sys_cap_new(struct thread *td, struct cap_new_args *uap)
Definition: sys_capability.c:514
crfree
void crfree(struct ucred *cr)
Definition: kern_prot.c:1835
sys_cap_getrights
int sys_cap_getrights(struct thread *td, struct cap_getrights_args *uap)
Definition: sys_capability.c:521
sys_cap_enter
int sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
Definition: sys_capability.c:120
cap_funwrap_mmap
int cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, u_char *maxprotp, struct file **fpp)
Definition: sys_capability.c:539
__FBSDID
__FBSDID("$BSDSUniX$")
finit
void finit(struct file *fp, u_int flag, short type, void *data, struct fileops *ops)
Definition: kern_descrip.c:2321
crcopy
void crcopy(struct ucred *dest, struct ucred *src)
Definition: kern_prot.c:1882
FEATURE
FEATURE(kdtrace_hooks,"Kernel DTrace hooks which are required to load DTrace kernel modules")
crget
struct ucred * crget(void)
Definition: kern_prot.c:1804
badfileops
struct fileops badfileops
Definition: kern_descrip.c:4004