1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2008-2011 Robert N. M. Watson 5 * Copyright (c) 2010-2011 Jonathan Anderson 6 * Copyright (c) 2012 FreeBSD Foundation 7 * All rights reserved. 8 * 9 * This software was developed at the University of Cambridge Computer 10 * Laboratory with support from a grant from Google, Inc. 11 * 12 * Portions of this software were developed by Pawel Jakub Dawidek under 13 * sponsorship from the FreeBSD Foundation. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37/* 38 * FreeBSD kernel capability facility. 39 * 40 * Two kernel features are implemented here: capability mode, a sandboxed mode 41 * of execution for processes, and capabilities, a refinement on file 42 * descriptors that allows fine-grained control over operations on the file 43 * descriptor. Collectively, these allow processes to run in the style of a 44 * historic "capability system" in which they can use only resources 45 * explicitly delegated to them. This model is enforced by restricting access 46 * to global namespaces in capability mode. 47 * 48 * Capabilities wrap other file descriptor types, binding them to a constant 49 * rights mask set when the capability is created. New capabilities may be 50 * derived from existing capabilities, but only if they have the same or a 51 * strict subset of the rights on the original capability. 52 * 53 * System calls permitted in capability mode are defined in capabilities.conf; 54 * calls must be carefully audited for safety to ensure that they don't allow 55 * escape from a sandbox. Some calls permit only a subset of operations in 56 * capability mode -- for example, shm_open(2) is limited to creating 57 * anonymous, rather than named, POSIX shared memory objects. 58 */ 59 60#include <sys/cdefs.h> 61__FBSDID("$FreeBSD$"); 62 63#include "opt_capsicum.h" 64#include "opt_ktrace.h" 65 66#include <sys/param.h> 67#include <sys/capsicum.h> 68#include <sys/file.h> 69#include <sys/filedesc.h> 70#include <sys/kernel.h> 71#include <sys/limits.h> 72#include <sys/lock.h> 73#include <sys/mutex.h> 74#include <sys/proc.h> 75#include <sys/syscallsubr.h> 76#include <sys/sysproto.h> 77#include <sys/sysctl.h> 78#include <sys/systm.h> 79#include <sys/ucred.h> 80#include <sys/uio.h> 81#include <sys/ktrace.h> 82 83#include <security/audit/audit.h> 84 85#include <vm/uma.h> 86#include <vm/vm.h> 87 88bool __read_frequently trap_enotcap; 89SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0, 90 "Deliver SIGTRAP on ENOTCAPABLE"); 91 92#ifdef CAPABILITY_MODE 93 94#define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */ 95 96FEATURE(security_capability_mode, "Capsicum Capability Mode"); 97 98/* 99 * System call to enter capability mode for the process. 100 */ 101int 102sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 103{ 104 struct ucred *newcred, *oldcred; 105 struct proc *p; 106 107 if (IN_CAPABILITY_MODE(td)) 108 return (0); 109 110 newcred = crget(); 111 p = td->td_proc; 112 PROC_LOCK(p); 113 oldcred = crcopysafe(p, newcred); 114 newcred->cr_flags |= CRED_FLAG_CAPMODE; 115 proc_set_cred(p, newcred); 116 PROC_UNLOCK(p); 117 crfree(oldcred); 118 return (0); 119} 120 121/* 122 * System call to query whether the process is in capability mode. 123 */ 124int 125sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 126{ 127 u_int i; 128 129 i = IN_CAPABILITY_MODE(td) ? 1 : 0; 130 return (copyout(&i, uap->modep, sizeof(i))); 131} 132 133#else /* !CAPABILITY_MODE */ 134 135int 136sys_cap_enter(struct thread *td, struct cap_enter_args *uap) 137{ 138 139 return (ENOSYS); 140} 141 142int 143sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap) 144{ 145 146 return (ENOSYS); 147} 148 149#endif /* CAPABILITY_MODE */ 150 151#ifdef CAPABILITIES 152 153FEATURE(security_capabilities, "Capsicum Capabilities"); 154 155MALLOC_DECLARE(M_FILECAPS); 156 157static inline int 158_cap_check(const cap_rights_t *havep, const cap_rights_t *needp, 159 enum ktr_cap_fail_type type) 160{ 161 162 if (!cap_rights_contains(havep, needp)) { 163#ifdef KTRACE 164 if (KTRPOINT(curthread, KTR_CAPFAIL)) 165 ktrcapfail(type, needp, havep); 166#endif 167 return (ENOTCAPABLE); 168 } 169 return (0); 170} 171 172/* 173 * Test whether a capability grants the requested rights. 174 */ 175int 176cap_check(const cap_rights_t *havep, const cap_rights_t *needp) 177{ 178 179 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE)); 180} 181 182/* 183 * Convert capability rights into VM access flags. 184 */ 185vm_prot_t 186cap_rights_to_vmprot(const cap_rights_t *havep) 187{ 188 vm_prot_t maxprot; 189 190 maxprot = VM_PROT_NONE; 191 if (cap_rights_is_set(havep, CAP_MMAP_R)) 192 maxprot |= VM_PROT_READ; 193 if (cap_rights_is_set(havep, CAP_MMAP_W)) 194 maxprot |= VM_PROT_WRITE; 195 if (cap_rights_is_set(havep, CAP_MMAP_X)) 196 maxprot |= VM_PROT_EXECUTE; 197 198 return (maxprot); 199} 200 201/* 202 * Extract rights from a capability for monitoring purposes -- not for use in 203 * any other way, as we want to keep all capability permission evaluation in 204 * this one file. 205 */ 206 207const cap_rights_t * 208cap_rights_fde(const struct filedescent *fdep) 209{ 210 211 return (cap_rights_fde_inline(fdep)); 212} 213 214const cap_rights_t * 215cap_rights(struct filedesc *fdp, int fd) 216{ 217 218 return (cap_rights_fde(&fdp->fd_ofiles[fd])); 219} 220 221int 222kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights) 223{ 224 struct filedesc *fdp; 225 struct filedescent *fdep; 226 u_long *ioctls; 227 int error; 228 229 fdp = td->td_proc->p_fd; 230 FILEDESC_XLOCK(fdp); 231 fdep = fdeget_locked(fdp, fd); 232 if (fdep == NULL) { 233 FILEDESC_XUNLOCK(fdp); 234 return (EBADF); 235 } 236 ioctls = NULL; 237 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE); 238 if (error == 0) { 239 seq_write_begin(&fdep->fde_seq); 240 fdep->fde_rights = *rights; 241 if (!cap_rights_is_set(rights, CAP_IOCTL)) { 242 ioctls = fdep->fde_ioctls; 243 fdep->fde_ioctls = NULL; 244 fdep->fde_nioctls = 0; 245 } 246 if (!cap_rights_is_set(rights, CAP_FCNTL)) 247 fdep->fde_fcntls = 0; 248 seq_write_end(&fdep->fde_seq); 249 } 250 FILEDESC_XUNLOCK(fdp); 251 free(ioctls, M_FILECAPS); 252 return (error); 253} 254 255/* 256 * System call to limit rights of the given capability. 257 */ 258int 259sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 260{ 261 cap_rights_t rights; 262 int error, version; 263 264 cap_rights_init(&rights); 265 266 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0])); 267 if (error != 0) 268 return (error); 269 version = CAPVER(&rights); 270 if (version != CAP_RIGHTS_VERSION_00) 271 return (EINVAL); 272 273 error = copyin(uap->rightsp, &rights, 274 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights)); 275 if (error != 0) 276 return (error); 277 /* Check for race. */ 278 if (CAPVER(&rights) != version) 279 return (EINVAL); 280 281 if (!cap_rights_is_valid(&rights)) 282 return (EINVAL); 283 284 if (version != CAP_RIGHTS_VERSION) { 285 rights.cr_rights[0] &= ~(0x3ULL << 62); 286 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62); 287 } 288#ifdef KTRACE 289 if (KTRPOINT(td, KTR_STRUCT)) 290 ktrcaprights(&rights); 291#endif 292 293 AUDIT_ARG_FD(uap->fd); 294 AUDIT_ARG_RIGHTS(&rights); 295 return (kern_cap_rights_limit(td, uap->fd, &rights)); 296} 297 298/* 299 * System call to query the rights mask associated with a capability. 300 */ 301int 302sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 303{ 304 struct filedesc *fdp; 305 cap_rights_t rights; 306 int error, fd, i, n; 307 308 if (uap->version != CAP_RIGHTS_VERSION_00) 309 return (EINVAL); 310 311 fd = uap->fd; 312 313 AUDIT_ARG_FD(fd); 314 315 fdp = td->td_proc->p_fd; 316 FILEDESC_SLOCK(fdp); 317 if (fget_locked(fdp, fd) == NULL) { 318 FILEDESC_SUNLOCK(fdp); 319 return (EBADF); 320 } 321 rights = *cap_rights(fdp, fd); 322 FILEDESC_SUNLOCK(fdp); 323 n = uap->version + 2; 324 if (uap->version != CAPVER(&rights)) { 325 /* 326 * For older versions we need to check if the descriptor 327 * doesn't contain rights not understood by the caller. 328 * If it does, we have to return an error. 329 */ 330 for (i = n; i < CAPARSIZE(&rights); i++) { 331 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0) 332 return (EINVAL); 333 } 334 } 335 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n); 336#ifdef KTRACE 337 if (error == 0 && KTRPOINT(td, KTR_STRUCT)) 338 ktrcaprights(&rights); 339#endif 340 return (error); 341} 342 343/* 344 * Test whether a capability grants the given ioctl command. 345 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and 346 * ENOTCAPABLE will be returned. 347 */ 348int 349cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd) 350{ 351 struct filedescent *fdep; 352 u_long *cmds; 353 ssize_t ncmds; 354 long i; 355 356 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 357 ("%s: invalid fd=%d", __func__, fd)); 358 359 fdep = fdeget_locked(fdp, fd); 360 KASSERT(fdep != NULL, 361 ("%s: invalid fd=%d", __func__, fd)); 362 363 ncmds = fdep->fde_nioctls; 364 if (ncmds == -1) 365 return (0); 366 367 cmds = fdep->fde_ioctls; 368 for (i = 0; i < ncmds; i++) { 369 if (cmds[i] == cmd) 370 return (0); 371 } 372 373 return (ENOTCAPABLE); 374} 375 376/* 377 * Check if the current ioctls list can be replaced by the new one. 378 */ 379static int 380cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds, 381 size_t ncmds) 382{ 383 u_long *ocmds; 384 ssize_t oncmds; 385 u_long i; 386 long j; 387 388 oncmds = fdep->fde_nioctls; 389 if (oncmds == -1) 390 return (0); 391 if (oncmds < (ssize_t)ncmds) 392 return (ENOTCAPABLE); 393 394 ocmds = fdep->fde_ioctls; 395 for (i = 0; i < ncmds; i++) { 396 for (j = 0; j < oncmds; j++) { 397 if (cmds[i] == ocmds[j]) 398 break; 399 } 400 if (j == oncmds) 401 return (ENOTCAPABLE); 402 } 403 404 return (0); 405} 406 407int 408kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds) 409{ 410 struct filedesc *fdp; 411 struct filedescent *fdep; 412 u_long *ocmds; 413 int error; 414 415 AUDIT_ARG_FD(fd); 416 417 if (ncmds > IOCTLS_MAX_COUNT) { 418 error = EINVAL; 419 goto out_free; 420 } 421 422 fdp = td->td_proc->p_fd; 423 FILEDESC_XLOCK(fdp); 424 425 fdep = fdeget_locked(fdp, fd); 426 if (fdep == NULL) { 427 error = EBADF; 428 goto out; 429 } 430 431 error = cap_ioctl_limit_check(fdep, cmds, ncmds); 432 if (error != 0) 433 goto out; 434 435 ocmds = fdep->fde_ioctls; 436 seq_write_begin(&fdep->fde_seq); 437 fdep->fde_ioctls = cmds; 438 fdep->fde_nioctls = ncmds; 439 seq_write_end(&fdep->fde_seq); 440 441 cmds = ocmds; 442 error = 0; 443out: 444 FILEDESC_XUNLOCK(fdp); 445out_free: 446 free(cmds, M_FILECAPS); 447 return (error); 448} 449 450int 451sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 452{ 453 u_long *cmds; 454 size_t ncmds; 455 int error; 456 457 ncmds = uap->ncmds; 458 459 if (ncmds > IOCTLS_MAX_COUNT) 460 return (EINVAL); 461 462 if (ncmds == 0) { 463 cmds = NULL; 464 } else { 465 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK); 466 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds); 467 if (error != 0) { 468 free(cmds, M_FILECAPS); 469 return (error); 470 } 471 } 472 473 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds)); 474} 475 476int 477sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 478{ 479 struct filedesc *fdp; 480 struct filedescent *fdep; 481 u_long *cmdsp, *dstcmds; 482 size_t maxcmds, ncmds; 483 int16_t count; 484 int error, fd; 485 486 fd = uap->fd; 487 dstcmds = uap->cmds; 488 maxcmds = uap->maxcmds; 489 490 AUDIT_ARG_FD(fd); 491 492 fdp = td->td_proc->p_fd; 493 494 cmdsp = NULL; 495 if (dstcmds != NULL) { 496 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS, 497 M_WAITOK | M_ZERO); 498 } 499 500 FILEDESC_SLOCK(fdp); 501 fdep = fdeget_locked(fdp, fd); 502 if (fdep == NULL) { 503 error = EBADF; 504 FILEDESC_SUNLOCK(fdp); 505 goto out; 506 } 507 count = fdep->fde_nioctls; 508 if (count != -1 && cmdsp != NULL) { 509 ncmds = MIN(count, maxcmds); 510 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds); 511 } 512 FILEDESC_SUNLOCK(fdp); 513 514 /* 515 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL) 516 * the only sane thing we can do is to not populate the given array and 517 * return CAP_IOCTLS_ALL. 518 */ 519 if (count != -1) { 520 if (cmdsp != NULL) { 521 error = copyout(cmdsp, dstcmds, 522 sizeof(cmdsp[0]) * ncmds); 523 if (error != 0) 524 goto out; 525 } 526 td->td_retval[0] = count; 527 } else { 528 td->td_retval[0] = CAP_IOCTLS_ALL; 529 } 530 531 error = 0; 532out: 533 free(cmdsp, M_FILECAPS); 534 return (error); 535} 536 537/* 538 * Test whether a capability grants the given fcntl command. 539 */ 540int 541cap_fcntl_check_fde(struct filedescent *fdep, int cmd) 542{ 543 uint32_t fcntlcap; 544 545 fcntlcap = (1 << cmd); 546 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0, 547 ("Unsupported fcntl=%d.", cmd)); 548 549 if ((fdep->fde_fcntls & fcntlcap) != 0) 550 return (0); 551 552 return (ENOTCAPABLE); 553} 554 555int 556cap_fcntl_check(struct filedesc *fdp, int fd, int cmd) 557{ 558 559 KASSERT(fd >= 0 && fd < fdp->fd_nfiles, 560 ("%s: invalid fd=%d", __func__, fd)); 561 562 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd)); 563} 564 565int 566sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 567{ 568 struct filedesc *fdp; 569 struct filedescent *fdep; 570 uint32_t fcntlrights; 571 int fd; 572 573 fd = uap->fd; 574 fcntlrights = uap->fcntlrights; 575 576 AUDIT_ARG_FD(fd); 577 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights); 578 579 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0) 580 return (EINVAL); 581 582 fdp = td->td_proc->p_fd; 583 FILEDESC_XLOCK(fdp); 584 585 fdep = fdeget_locked(fdp, fd); 586 if (fdep == NULL) { 587 FILEDESC_XUNLOCK(fdp); 588 return (EBADF); 589 } 590 591 if ((fcntlrights & ~fdep->fde_fcntls) != 0) { 592 FILEDESC_XUNLOCK(fdp); 593 return (ENOTCAPABLE); 594 } 595 596 seq_write_begin(&fdep->fde_seq); 597 fdep->fde_fcntls = fcntlrights; 598 seq_write_end(&fdep->fde_seq); 599 FILEDESC_XUNLOCK(fdp); 600 601 return (0); 602} 603 604int 605sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 606{ 607 struct filedesc *fdp; 608 struct filedescent *fdep; 609 uint32_t rights; 610 int fd; 611 612 fd = uap->fd; 613 614 AUDIT_ARG_FD(fd); 615 616 fdp = td->td_proc->p_fd; 617 FILEDESC_SLOCK(fdp); 618 fdep = fdeget_locked(fdp, fd); 619 if (fdep == NULL) { 620 FILEDESC_SUNLOCK(fdp); 621 return (EBADF); 622 } 623 rights = fdep->fde_fcntls; 624 FILEDESC_SUNLOCK(fdp); 625 626 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights))); 627} 628 629#else /* !CAPABILITIES */ 630 631/* 632 * Stub Capability functions for when options CAPABILITIES isn't compiled 633 * into the kernel. 634 */ 635 636int 637sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap) 638{ 639 640 return (ENOSYS); 641} 642 643int 644sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap) 645{ 646 647 return (ENOSYS); 648} 649 650int 651sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap) 652{ 653 654 return (ENOSYS); 655} 656 657int 658sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap) 659{ 660 661 return (ENOSYS); 662} 663 664int 665sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap) 666{ 667 668 return (ENOSYS); 669} 670 671int 672sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap) 673{ 674 675 return (ENOSYS); 676} 677 678#endif /* CAPABILITIES */ 679