1/*-
2 * Copyright (c) 2010 The FreeBSD Foundation
3 * Copyright (c) 2011 Pawel Jakub Dawidek <pawel@dawidek.net>
4 * All rights reserved.
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
| 1/*-
2 * Copyright (c) 2010 The FreeBSD Foundation
3 * Copyright (c) 2011 Pawel Jakub Dawidek <pawel@dawidek.net>
4 * All rights reserved.
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
|
32__FBSDID("$FreeBSD: head/sbin/hastd/subr.c 229945 2012-01-10 22:39:07Z pjd $");
| 32__FBSDID("$FreeBSD: head/sbin/hastd/subr.c 248297 2013-03-14 23:14:47Z pjd $");
|
33
| 33
|
34#ifdef HAVE_CAPSICUM
35#include <sys/capability.h>
36#endif
| |
37#include <sys/param.h>
38#include <sys/disk.h>
39#include <sys/ioctl.h>
40#include <sys/jail.h>
41#include <sys/stat.h>
| 34#include <sys/param.h>
35#include <sys/disk.h>
36#include <sys/ioctl.h>
37#include <sys/jail.h>
38#include <sys/stat.h>
|
| 39#ifdef HAVE_CAPSICUM
40#include <sys/capability.h>
41#include <geom/gate/g_gate.h>
42#endif
|
42
43#include <errno.h>
44#include <fcntl.h>
45#include <pwd.h>
46#include <stdarg.h>
47#include <stdbool.h>
48#include <stdio.h>
49#include <string.h>
50#include <unistd.h>
51
52#include <pjdlog.h>
53
54#include "hast.h"
55#include "subr.h"
56
57int
58vsnprlcat(char *str, size_t size, const char *fmt, va_list ap)
59{
60 size_t len;
61
62 len = strlen(str);
63 return (vsnprintf(str + len, size - len, fmt, ap));
64}
65
66int
67snprlcat(char *str, size_t size, const char *fmt, ...)
68{
69 va_list ap;
70 int result;
71
72 va_start(ap, fmt);
73 result = vsnprlcat(str, size, fmt, ap);
74 va_end(ap);
75 return (result);
76}
77
78int
79provinfo(struct hast_resource *res, bool dowrite)
80{
81 struct stat sb;
82
83 PJDLOG_ASSERT(res->hr_localpath != NULL &&
84 res->hr_localpath[0] != '\0');
85
86 if (res->hr_localfd == -1) {
87 res->hr_localfd = open(res->hr_localpath,
88 dowrite ? O_RDWR : O_RDONLY);
89 if (res->hr_localfd == -1) {
90 pjdlog_errno(LOG_ERR, "Unable to open %s",
91 res->hr_localpath);
92 return (-1);
93 }
94 }
95 if (fstat(res->hr_localfd, &sb) == -1) {
96 pjdlog_errno(LOG_ERR, "Unable to stat %s", res->hr_localpath);
97 return (-1);
98 }
99 if (S_ISCHR(sb.st_mode)) {
100 /*
101 * If this is character device, it is most likely GEOM provider.
102 */
103 if (ioctl(res->hr_localfd, DIOCGMEDIASIZE,
104 &res->hr_local_mediasize) == -1) {
105 pjdlog_errno(LOG_ERR,
106 "Unable obtain provider %s mediasize",
107 res->hr_localpath);
108 return (-1);
109 }
110 if (ioctl(res->hr_localfd, DIOCGSECTORSIZE,
111 &res->hr_local_sectorsize) == -1) {
112 pjdlog_errno(LOG_ERR,
113 "Unable obtain provider %s sectorsize",
114 res->hr_localpath);
115 return (-1);
116 }
117 } else if (S_ISREG(sb.st_mode)) {
118 /*
119 * We also support regular files for which we hardcode
120 * sector size of 512 bytes.
121 */
122 res->hr_local_mediasize = sb.st_size;
123 res->hr_local_sectorsize = 512;
124 } else {
125 /*
126 * We support no other file types.
127 */
128 pjdlog_error("%s is neither GEOM provider nor regular file.",
129 res->hr_localpath);
130 errno = EFTYPE;
131 return (-1);
132 }
133 return (0);
134}
135
136const char *
137role2str(int role)
138{
139
140 switch (role) {
141 case HAST_ROLE_INIT:
142 return ("init");
143 case HAST_ROLE_PRIMARY:
144 return ("primary");
145 case HAST_ROLE_SECONDARY:
146 return ("secondary");
147 }
148 return ("unknown");
149}
150
151int
152drop_privs(const struct hast_resource *res)
153{
154 char jailhost[sizeof(res->hr_name) * 2];
155 struct jail jailst;
156 struct passwd *pw;
157 uid_t ruid, euid, suid;
158 gid_t rgid, egid, sgid;
159 gid_t gidset[1];
160 bool capsicum, jailed;
161
162 /*
163 * According to getpwnam(3) we have to clear errno before calling the
164 * function to be able to distinguish between an error and missing
165 * entry (with is not treated as error by getpwnam(3)).
166 */
167 errno = 0;
168 pw = getpwnam(HAST_USER);
169 if (pw == NULL) {
170 if (errno != 0) {
171 pjdlog_errno(LOG_ERR,
172 "Unable to find info about '%s' user", HAST_USER);
173 return (-1);
174 } else {
175 pjdlog_error("'%s' user doesn't exist.", HAST_USER);
176 errno = ENOENT;
177 return (-1);
178 }
179 }
180
181 bzero(&jailst, sizeof(jailst));
182 jailst.version = JAIL_API_VERSION;
183 jailst.path = pw->pw_dir;
184 if (res == NULL) {
185 (void)snprintf(jailhost, sizeof(jailhost), "hastctl");
186 } else {
187 (void)snprintf(jailhost, sizeof(jailhost), "hastd: %s (%s)",
188 res->hr_name, role2str(res->hr_role));
189 }
190 jailst.hostname = jailhost;
191 jailst.jailname = NULL;
192 jailst.ip4s = 0;
193 jailst.ip4 = NULL;
194 jailst.ip6s = 0;
195 jailst.ip6 = NULL;
196 if (jail(&jailst) >= 0) {
197 jailed = true;
198 } else {
199 jailed = false;
200 pjdlog_errno(LOG_WARNING,
201 "Unable to jail to directory to %s", pw->pw_dir);
202 if (chroot(pw->pw_dir) == -1) {
203 pjdlog_errno(LOG_ERR,
204 "Unable to change root directory to %s",
205 pw->pw_dir);
206 return (-1);
207 }
208 }
209 PJDLOG_VERIFY(chdir("/") == 0);
210 gidset[0] = pw->pw_gid;
211 if (setgroups(1, gidset) == -1) {
212 pjdlog_errno(LOG_ERR, "Unable to set groups to gid %u",
213 (unsigned int)pw->pw_gid);
214 return (-1);
215 }
216 if (setgid(pw->pw_gid) == -1) {
217 pjdlog_errno(LOG_ERR, "Unable to set gid to %u",
218 (unsigned int)pw->pw_gid);
219 return (-1);
220 }
221 if (setuid(pw->pw_uid) == -1) {
222 pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
223 (unsigned int)pw->pw_uid);
224 return (-1);
225 }
226
| 43
44#include <errno.h>
45#include <fcntl.h>
46#include <pwd.h>
47#include <stdarg.h>
48#include <stdbool.h>
49#include <stdio.h>
50#include <string.h>
51#include <unistd.h>
52
53#include <pjdlog.h>
54
55#include "hast.h"
56#include "subr.h"
57
58int
59vsnprlcat(char *str, size_t size, const char *fmt, va_list ap)
60{
61 size_t len;
62
63 len = strlen(str);
64 return (vsnprintf(str + len, size - len, fmt, ap));
65}
66
67int
68snprlcat(char *str, size_t size, const char *fmt, ...)
69{
70 va_list ap;
71 int result;
72
73 va_start(ap, fmt);
74 result = vsnprlcat(str, size, fmt, ap);
75 va_end(ap);
76 return (result);
77}
78
79int
80provinfo(struct hast_resource *res, bool dowrite)
81{
82 struct stat sb;
83
84 PJDLOG_ASSERT(res->hr_localpath != NULL &&
85 res->hr_localpath[0] != '\0');
86
87 if (res->hr_localfd == -1) {
88 res->hr_localfd = open(res->hr_localpath,
89 dowrite ? O_RDWR : O_RDONLY);
90 if (res->hr_localfd == -1) {
91 pjdlog_errno(LOG_ERR, "Unable to open %s",
92 res->hr_localpath);
93 return (-1);
94 }
95 }
96 if (fstat(res->hr_localfd, &sb) == -1) {
97 pjdlog_errno(LOG_ERR, "Unable to stat %s", res->hr_localpath);
98 return (-1);
99 }
100 if (S_ISCHR(sb.st_mode)) {
101 /*
102 * If this is character device, it is most likely GEOM provider.
103 */
104 if (ioctl(res->hr_localfd, DIOCGMEDIASIZE,
105 &res->hr_local_mediasize) == -1) {
106 pjdlog_errno(LOG_ERR,
107 "Unable obtain provider %s mediasize",
108 res->hr_localpath);
109 return (-1);
110 }
111 if (ioctl(res->hr_localfd, DIOCGSECTORSIZE,
112 &res->hr_local_sectorsize) == -1) {
113 pjdlog_errno(LOG_ERR,
114 "Unable obtain provider %s sectorsize",
115 res->hr_localpath);
116 return (-1);
117 }
118 } else if (S_ISREG(sb.st_mode)) {
119 /*
120 * We also support regular files for which we hardcode
121 * sector size of 512 bytes.
122 */
123 res->hr_local_mediasize = sb.st_size;
124 res->hr_local_sectorsize = 512;
125 } else {
126 /*
127 * We support no other file types.
128 */
129 pjdlog_error("%s is neither GEOM provider nor regular file.",
130 res->hr_localpath);
131 errno = EFTYPE;
132 return (-1);
133 }
134 return (0);
135}
136
137const char *
138role2str(int role)
139{
140
141 switch (role) {
142 case HAST_ROLE_INIT:
143 return ("init");
144 case HAST_ROLE_PRIMARY:
145 return ("primary");
146 case HAST_ROLE_SECONDARY:
147 return ("secondary");
148 }
149 return ("unknown");
150}
151
152int
153drop_privs(const struct hast_resource *res)
154{
155 char jailhost[sizeof(res->hr_name) * 2];
156 struct jail jailst;
157 struct passwd *pw;
158 uid_t ruid, euid, suid;
159 gid_t rgid, egid, sgid;
160 gid_t gidset[1];
161 bool capsicum, jailed;
162
163 /*
164 * According to getpwnam(3) we have to clear errno before calling the
165 * function to be able to distinguish between an error and missing
166 * entry (with is not treated as error by getpwnam(3)).
167 */
168 errno = 0;
169 pw = getpwnam(HAST_USER);
170 if (pw == NULL) {
171 if (errno != 0) {
172 pjdlog_errno(LOG_ERR,
173 "Unable to find info about '%s' user", HAST_USER);
174 return (-1);
175 } else {
176 pjdlog_error("'%s' user doesn't exist.", HAST_USER);
177 errno = ENOENT;
178 return (-1);
179 }
180 }
181
182 bzero(&jailst, sizeof(jailst));
183 jailst.version = JAIL_API_VERSION;
184 jailst.path = pw->pw_dir;
185 if (res == NULL) {
186 (void)snprintf(jailhost, sizeof(jailhost), "hastctl");
187 } else {
188 (void)snprintf(jailhost, sizeof(jailhost), "hastd: %s (%s)",
189 res->hr_name, role2str(res->hr_role));
190 }
191 jailst.hostname = jailhost;
192 jailst.jailname = NULL;
193 jailst.ip4s = 0;
194 jailst.ip4 = NULL;
195 jailst.ip6s = 0;
196 jailst.ip6 = NULL;
197 if (jail(&jailst) >= 0) {
198 jailed = true;
199 } else {
200 jailed = false;
201 pjdlog_errno(LOG_WARNING,
202 "Unable to jail to directory to %s", pw->pw_dir);
203 if (chroot(pw->pw_dir) == -1) {
204 pjdlog_errno(LOG_ERR,
205 "Unable to change root directory to %s",
206 pw->pw_dir);
207 return (-1);
208 }
209 }
210 PJDLOG_VERIFY(chdir("/") == 0);
211 gidset[0] = pw->pw_gid;
212 if (setgroups(1, gidset) == -1) {
213 pjdlog_errno(LOG_ERR, "Unable to set groups to gid %u",
214 (unsigned int)pw->pw_gid);
215 return (-1);
216 }
217 if (setgid(pw->pw_gid) == -1) {
218 pjdlog_errno(LOG_ERR, "Unable to set gid to %u",
219 (unsigned int)pw->pw_gid);
220 return (-1);
221 }
222 if (setuid(pw->pw_uid) == -1) {
223 pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
224 (unsigned int)pw->pw_uid);
225 return (-1);
226 }
227
|
227 /*
228 * Until capsicum doesn't allow ioctl(2) we cannot use it to sandbox
229 * primary and secondary worker processes, as primary uses GGATE
230 * ioctls and secondary uses ioctls to handle BIO_DELETE and BIO_FLUSH.
231 * For now capsicum is only used to sandbox hastctl.
232 */
| |
233#ifdef HAVE_CAPSICUM
| 228#ifdef HAVE_CAPSICUM
|
234 if (res == NULL) {
235 capsicum = (cap_enter() == 0);
236 if (!capsicum) {
237 pjdlog_common(LOG_DEBUG, 1, errno,
238 "Unable to sandbox using capsicum");
| 229 capsicum = (cap_enter() == 0);
230 if (!capsicum) {
231 pjdlog_common(LOG_DEBUG, 1, errno,
232 "Unable to sandbox using capsicum");
233 } else if (res != NULL) {
234 static const unsigned long geomcmds[] = {
235 DIOCGDELETE,
236 DIOCGFLUSH
237 };
238
239 PJDLOG_ASSERT(res->hr_role == HAST_ROLE_PRIMARY ||
240 res->hr_role == HAST_ROLE_SECONDARY);
241
242 if (cap_rights_limit(res->hr_localfd,
243 CAP_FLOCK | CAP_IOCTL | CAP_PREAD | CAP_PWRITE) == -1) {
244 pjdlog_errno(LOG_ERR,
245 "Unable to limit capability rights on local descriptor");
|
239 }
| 246 }
|
240 } else
| 247 if (cap_ioctls_limit(res->hr_localfd, geomcmds,
248 sizeof(geomcmds) / sizeof(geomcmds[0])) == -1) {
249 pjdlog_errno(LOG_ERR,
250 "Unable to limit allowed GEOM ioctls");
251 }
252
253 if (res->hr_role == HAST_ROLE_PRIMARY) {
254 static const unsigned long ggatecmds[] = {
255 G_GATE_CMD_MODIFY,
256 G_GATE_CMD_START,
257 G_GATE_CMD_DONE,
258 G_GATE_CMD_DESTROY
259 };
260
261 if (cap_rights_limit(res->hr_ggatefd, CAP_IOCTL) == -1) {
262 pjdlog_errno(LOG_ERR,
263 "Unable to limit capability rights to CAP_IOCTL on ggate descriptor");
264 }
265 if (cap_ioctls_limit(res->hr_ggatefd, ggatecmds,
266 sizeof(ggatecmds) / sizeof(ggatecmds[0])) == -1) {
267 pjdlog_errno(LOG_ERR,
268 "Unable to limit allowed ggate ioctls");
269 }
270 }
271 }
272#else
273 capsicum = false;
|
241#endif
| 274#endif
|
242 capsicum = false;
| |
243
244 /*
245 * Better be sure that everything succeeded.
246 */
247 PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
248 PJDLOG_VERIFY(ruid == pw->pw_uid);
249 PJDLOG_VERIFY(euid == pw->pw_uid);
250 PJDLOG_VERIFY(suid == pw->pw_uid);
251 PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0);
252 PJDLOG_VERIFY(rgid == pw->pw_gid);
253 PJDLOG_VERIFY(egid == pw->pw_gid);
254 PJDLOG_VERIFY(sgid == pw->pw_gid);
255 PJDLOG_VERIFY(getgroups(0, NULL) == 1);
256 PJDLOG_VERIFY(getgroups(1, gidset) == 1);
257 PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
258
259 pjdlog_debug(1,
260 "Privileges successfully dropped using %s%s+setgid+setuid.",
261 capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
262
263 return (0);
264}
| 275
276 /*
277 * Better be sure that everything succeeded.
278 */
279 PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
280 PJDLOG_VERIFY(ruid == pw->pw_uid);
281 PJDLOG_VERIFY(euid == pw->pw_uid);
282 PJDLOG_VERIFY(suid == pw->pw_uid);
283 PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0);
284 PJDLOG_VERIFY(rgid == pw->pw_gid);
285 PJDLOG_VERIFY(egid == pw->pw_gid);
286 PJDLOG_VERIFY(sgid == pw->pw_gid);
287 PJDLOG_VERIFY(getgroups(0, NULL) == 1);
288 PJDLOG_VERIFY(getgroups(1, gidset) == 1);
289 PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
290
291 pjdlog_debug(1,
292 "Privileges successfully dropped using %s%s+setgid+setuid.",
293 capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
294
295 return (0);
296}
|