2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2008-2011 Robert N. M. Watson
5 * Copyright (c) 2010-2011 Jonathan Anderson
6 * Copyright (c) 2012 FreeBSD Foundation
9 * This software was developed at the University of Cambridge Computer
10 * Laboratory with support from a grant from Google, Inc.
12 * Portions of this software were developed by Pawel Jakub Dawidek under
13 * sponsorship from the FreeBSD Foundation.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * FreeBSD kernel capability facility.
40 * Two kernel features are implemented here: capability mode, a sandboxed mode
41 * of execution for processes, and capabilities, a refinement on file
42 * descriptors that allows fine-grained control over operations on the file
43 * descriptor. Collectively, these allow processes to run in the style of a
44 * historic "capability system" in which they can use only resources
45 * explicitly delegated to them. This model is enforced by restricting access
46 * to global namespaces in capability mode.
48 * Capabilities wrap other file descriptor types, binding them to a constant
49 * rights mask set when the capability is created. New capabilities may be
50 * derived from existing capabilities, but only if they have the same or a
51 * strict subset of the rights on the original capability.
53 * System calls permitted in capability mode are defined in capabilities.conf;
54 * calls must be carefully audited for safety to ensure that they don't allow
55 * escape from a sandbox. Some calls permit only a subset of operations in
56 * capability mode -- for example, shm_open(2) is limited to creating
57 * anonymous, rather than named, POSIX shared memory objects.
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD$");
63 #include "opt_capsicum.h"
64 #include "opt_ktrace.h"
66 #include <sys/param.h>
67 #include <sys/capsicum.h>
69 #include <sys/filedesc.h>
70 #include <sys/kernel.h>
71 #include <sys/limits.h>
73 #include <sys/mutex.h>
75 #include <sys/syscallsubr.h>
76 #include <sys/sysproto.h>
77 #include <sys/sysctl.h>
78 #include <sys/systm.h>
79 #include <sys/ucred.h>
81 #include <sys/ktrace.h>
83 #include <security/audit/audit.h>
88 bool __read_frequently trap_enotcap;
89 SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
90 "Deliver SIGTRAP on ENOTCAPABLE");
92 #ifdef CAPABILITY_MODE
94 #define IOCTLS_MAX_COUNT 256 /* XXX: Is 256 sane? */
96 FEATURE(security_capability_mode, "Capsicum Capability Mode");
99 * System call to enter capability mode for the process.
102 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
104 struct ucred *newcred, *oldcred;
107 if (IN_CAPABILITY_MODE(td))
113 oldcred = crcopysafe(p, newcred);
114 newcred->cr_flags |= CRED_FLAG_CAPMODE;
115 proc_set_cred(p, newcred);
122 * System call to query whether the process is in capability mode.
125 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
129 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
130 return (copyout(&i, uap->modep, sizeof(i)));
133 #else /* !CAPABILITY_MODE */
136 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
143 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
149 #endif /* CAPABILITY_MODE */
153 FEATURE(security_capabilities, "Capsicum Capabilities");
155 MALLOC_DECLARE(M_FILECAPS);
158 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
159 enum ktr_cap_fail_type type)
162 if (!cap_rights_contains(havep, needp)) {
164 if (KTRPOINT(curthread, KTR_CAPFAIL))
165 ktrcapfail(type, needp, havep);
167 return (ENOTCAPABLE);
173 * Test whether a capability grants the requested rights.
176 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
179 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
183 cap_check_failed_notcapable(const cap_rights_t *havep, const cap_rights_t *needp)
187 if (KTRPOINT(curthread, KTR_CAPFAIL))
188 ktrcapfail(CAPFAIL_NOTCAPABLE, needp, havep);
190 return (ENOTCAPABLE);
194 * Convert capability rights into VM access flags.
197 cap_rights_to_vmprot(const cap_rights_t *havep)
201 maxprot = VM_PROT_NONE;
202 if (cap_rights_is_set(havep, CAP_MMAP_R))
203 maxprot |= VM_PROT_READ;
204 if (cap_rights_is_set(havep, CAP_MMAP_W))
205 maxprot |= VM_PROT_WRITE;
206 if (cap_rights_is_set(havep, CAP_MMAP_X))
207 maxprot |= VM_PROT_EXECUTE;
213 * Extract rights from a capability for monitoring purposes -- not for use in
214 * any other way, as we want to keep all capability permission evaluation in
219 cap_rights_fde(const struct filedescent *fdep)
222 return (cap_rights_fde_inline(fdep));
226 cap_rights(struct filedesc *fdp, int fd)
229 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
233 kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
235 struct filedesc *fdp;
236 struct filedescent *fdep;
239 fdp = td->td_proc->p_fd;
241 fdep = fdeget_locked(fdp, fd);
243 FILEDESC_XUNLOCK(fdp);
246 error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
248 fdep->fde_rights = *rights;
249 if (!cap_rights_is_set(rights, CAP_IOCTL)) {
250 free(fdep->fde_ioctls, M_FILECAPS);
251 fdep->fde_ioctls = NULL;
252 fdep->fde_nioctls = 0;
254 if (!cap_rights_is_set(rights, CAP_FCNTL))
255 fdep->fde_fcntls = 0;
257 FILEDESC_XUNLOCK(fdp);
262 * System call to limit rights of the given capability.
265 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
270 cap_rights_init(&rights);
272 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
275 version = CAPVER(&rights);
276 if (version != CAP_RIGHTS_VERSION_00)
279 error = copyin(uap->rightsp, &rights,
280 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
283 /* Check for race. */
284 if (CAPVER(&rights) != version)
287 if (!cap_rights_is_valid(&rights))
290 if (version != CAP_RIGHTS_VERSION) {
291 rights.cr_rights[0] &= ~(0x3ULL << 62);
292 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
295 if (KTRPOINT(td, KTR_STRUCT))
296 ktrcaprights(&rights);
299 AUDIT_ARG_FD(uap->fd);
300 AUDIT_ARG_RIGHTS(&rights);
301 return (kern_cap_rights_limit(td, uap->fd, &rights));
305 * System call to query the rights mask associated with a capability.
308 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
310 struct filedesc *fdp;
314 if (uap->version != CAP_RIGHTS_VERSION_00)
321 fdp = td->td_proc->p_fd;
323 if (fget_locked(fdp, fd) == NULL) {
324 FILEDESC_SUNLOCK(fdp);
327 rights = *cap_rights(fdp, fd);
328 FILEDESC_SUNLOCK(fdp);
329 n = uap->version + 2;
330 if (uap->version != CAPVER(&rights)) {
332 * For older versions we need to check if the descriptor
333 * doesn't contain rights not understood by the caller.
334 * If it does, we have to return an error.
336 for (i = n; i < CAPARSIZE(&rights); i++) {
337 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
341 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
343 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
344 ktrcaprights(&rights);
350 * Test whether a capability grants the given ioctl command.
351 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
352 * ENOTCAPABLE will be returned.
355 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
357 struct filedescent *fdep;
362 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
363 ("%s: invalid fd=%d", __func__, fd));
365 fdep = fdeget_locked(fdp, fd);
366 KASSERT(fdep != NULL,
367 ("%s: invalid fd=%d", __func__, fd));
369 ncmds = fdep->fde_nioctls;
373 cmds = fdep->fde_ioctls;
374 for (i = 0; i < ncmds; i++) {
379 return (ENOTCAPABLE);
383 * Check if the current ioctls list can be replaced by the new one.
386 cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
394 oncmds = fdep->fde_nioctls;
397 if (oncmds < (ssize_t)ncmds)
398 return (ENOTCAPABLE);
400 ocmds = fdep->fde_ioctls;
401 for (i = 0; i < ncmds; i++) {
402 for (j = 0; j < oncmds; j++) {
403 if (cmds[i] == ocmds[j])
407 return (ENOTCAPABLE);
414 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
416 struct filedesc *fdp;
417 struct filedescent *fdep;
423 if (ncmds > IOCTLS_MAX_COUNT) {
428 fdp = td->td_proc->p_fd;
431 fdep = fdeget_locked(fdp, fd);
437 error = cap_ioctl_limit_check(fdep, cmds, ncmds);
441 ocmds = fdep->fde_ioctls;
442 fdep->fde_ioctls = cmds;
443 fdep->fde_nioctls = ncmds;
448 FILEDESC_XUNLOCK(fdp);
450 free(cmds, M_FILECAPS);
455 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
463 if (ncmds > IOCTLS_MAX_COUNT)
469 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
470 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
472 free(cmds, M_FILECAPS);
477 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
481 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
483 struct filedesc *fdp;
484 struct filedescent *fdep;
485 u_long *cmdsp, *dstcmds;
486 size_t maxcmds, ncmds;
492 maxcmds = uap->maxcmds;
496 fdp = td->td_proc->p_fd;
499 if (dstcmds != NULL) {
500 cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
505 fdep = fdeget_locked(fdp, fd);
508 FILEDESC_SUNLOCK(fdp);
511 count = fdep->fde_nioctls;
512 if (count != -1 && cmdsp != NULL) {
513 ncmds = MIN(count, maxcmds);
514 memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
516 FILEDESC_SUNLOCK(fdp);
519 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
520 * the only sane thing we can do is to not populate the given array and
521 * return CAP_IOCTLS_ALL.
525 error = copyout(cmdsp, dstcmds,
526 sizeof(cmdsp[0]) * ncmds);
530 td->td_retval[0] = count;
532 td->td_retval[0] = CAP_IOCTLS_ALL;
537 free(cmdsp, M_FILECAPS);
542 * Test whether a capability grants the given fcntl command.
545 cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
549 fcntlcap = (1 << cmd);
550 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
551 ("Unsupported fcntl=%d.", cmd));
553 if ((fdep->fde_fcntls & fcntlcap) != 0)
556 return (ENOTCAPABLE);
560 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
563 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
564 ("%s: invalid fd=%d", __func__, fd));
566 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
570 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
572 struct filedesc *fdp;
573 struct filedescent *fdep;
574 uint32_t fcntlrights;
578 fcntlrights = uap->fcntlrights;
581 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
583 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
586 fdp = td->td_proc->p_fd;
589 fdep = fdeget_locked(fdp, fd);
591 FILEDESC_XUNLOCK(fdp);
595 if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
596 FILEDESC_XUNLOCK(fdp);
597 return (ENOTCAPABLE);
600 fdep->fde_fcntls = fcntlrights;
601 FILEDESC_XUNLOCK(fdp);
607 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
609 struct filedesc *fdp;
610 struct filedescent *fdep;
618 fdp = td->td_proc->p_fd;
620 fdep = fdeget_locked(fdp, fd);
622 FILEDESC_SUNLOCK(fdp);
625 rights = fdep->fde_fcntls;
626 FILEDESC_SUNLOCK(fdp);
628 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
631 #else /* !CAPABILITIES */
634 * Stub Capability functions for when options CAPABILITIES isn't compiled
639 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
646 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
653 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
660 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
667 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
674 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
680 #endif /* CAPABILITIES */