2 * Copyright (c) 2008-2011 Robert N. M. Watson
3 * Copyright (c) 2010-2011 Jonathan Anderson
4 * Copyright (c) 2012 FreeBSD Foundation
7 * This software was developed at the University of Cambridge Computer
8 * Laboratory with support from a grant from Google, Inc.
10 * Portions of this software were developed by Pawel Jakub Dawidek under
11 * sponsorship from the FreeBSD Foundation.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * FreeBSD kernel capability facility.
38 * Two kernel features are implemented here: capability mode, a sandboxed mode
39 * of execution for processes, and capabilities, a refinement on file
40 * descriptors that allows fine-grained control over operations on the file
41 * descriptor. Collectively, these allow processes to run in the style of a
42 * historic "capability system" in which they can use only resources
43 * explicitly delegated to them. This model is enforced by restricting access
44 * to global namespaces in capability mode.
46 * Capabilities wrap other file descriptor types, binding them to a constant
47 * rights mask set when the capability is created. New capabilities may be
48 * derived from existing capabilities, but only if they have the same or a
49 * strict subset of the rights on the original capability.
51 * System calls permitted in capability mode are defined in capabilities.conf;
52 * calls must be carefully audited for safety to ensure that they don't allow
53 * escape from a sandbox. Some calls permit only a subset of operations in
54 * capability mode -- for example, shm_open(2) is limited to creating
55 * anonymous, rather than named, POSIX shared memory objects.
58 #include <sys/cdefs.h>
59 __FBSDID("$FreeBSD$");
61 #include "opt_capsicum.h"
62 #include "opt_ktrace.h"
64 #include <sys/param.h>
65 #include <sys/capsicum.h>
67 #include <sys/filedesc.h>
68 #include <sys/kernel.h>
69 #include <sys/limits.h>
71 #include <sys/mutex.h>
73 #include <sys/syscallsubr.h>
74 #include <sys/sysproto.h>
75 #include <sys/sysctl.h>
76 #include <sys/systm.h>
77 #include <sys/ucred.h>
79 #include <sys/ktrace.h>
81 #include <security/audit/audit.h>
86 #ifdef CAPABILITY_MODE
88 FEATURE(security_capability_mode, "Capsicum Capability Mode");
91 * System call to enter capability mode for the process.
94 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
96 struct ucred *newcred, *oldcred;
99 if (IN_CAPABILITY_MODE(td))
105 oldcred = crcopysafe(p, newcred);
106 newcred->cr_flags |= CRED_FLAG_CAPMODE;
107 proc_set_cred(p, newcred);
114 * System call to query whether the process is in capability mode.
117 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
121 i = IN_CAPABILITY_MODE(td) ? 1 : 0;
122 return (copyout(&i, uap->modep, sizeof(i)));
125 #else /* !CAPABILITY_MODE */
128 sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
135 sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
141 #endif /* CAPABILITY_MODE */
145 FEATURE(security_capabilities, "Capsicum Capabilities");
147 MALLOC_DECLARE(M_FILECAPS);
150 _cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
151 enum ktr_cap_fail_type type)
155 for (i = 0; i < nitems(havep->cr_rights); i++) {
156 if (!cap_rights_contains(havep, needp)) {
158 if (KTRPOINT(curthread, KTR_CAPFAIL))
159 ktrcapfail(type, needp, havep);
161 return (ENOTCAPABLE);
168 * Test whether a capability grants the requested rights.
171 cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
174 return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
178 * Convert capability rights into VM access flags.
181 cap_rights_to_vmprot(cap_rights_t *havep)
185 maxprot = VM_PROT_NONE;
186 if (cap_rights_is_set(havep, CAP_MMAP_R))
187 maxprot |= VM_PROT_READ;
188 if (cap_rights_is_set(havep, CAP_MMAP_W))
189 maxprot |= VM_PROT_WRITE;
190 if (cap_rights_is_set(havep, CAP_MMAP_X))
191 maxprot |= VM_PROT_EXECUTE;
197 * Extract rights from a capability for monitoring purposes -- not for use in
198 * any other way, as we want to keep all capability permission evaluation in
203 cap_rights_fde(struct filedescent *fde)
206 return (&fde->fde_rights);
210 cap_rights(struct filedesc *fdp, int fd)
213 return (cap_rights_fde(&fdp->fd_ofiles[fd]));
217 * System call to limit rights of the given capability.
220 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
222 struct filedesc *fdp;
224 int error, fd, version;
226 cap_rights_init(&rights);
228 error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
231 version = CAPVER(&rights);
232 if (version != CAP_RIGHTS_VERSION_00)
235 error = copyin(uap->rightsp, &rights,
236 sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
239 /* Check for race. */
240 if (CAPVER(&rights) != version)
243 if (!cap_rights_is_valid(&rights))
246 if (version != CAP_RIGHTS_VERSION) {
247 rights.cr_rights[0] &= ~(0x3ULL << 62);
248 rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
251 if (KTRPOINT(td, KTR_STRUCT))
252 ktrcaprights(&rights);
258 AUDIT_ARG_RIGHTS(&rights);
260 fdp = td->td_proc->p_fd;
262 if (fget_locked(fdp, fd) == NULL) {
263 FILEDESC_XUNLOCK(fdp);
266 error = _cap_check(cap_rights(fdp, fd), &rights, CAPFAIL_INCREASE);
268 fdp->fd_ofiles[fd].fde_rights = rights;
269 if (!cap_rights_is_set(&rights, CAP_IOCTL)) {
270 free(fdp->fd_ofiles[fd].fde_ioctls, M_FILECAPS);
271 fdp->fd_ofiles[fd].fde_ioctls = NULL;
272 fdp->fd_ofiles[fd].fde_nioctls = 0;
274 if (!cap_rights_is_set(&rights, CAP_FCNTL))
275 fdp->fd_ofiles[fd].fde_fcntls = 0;
277 FILEDESC_XUNLOCK(fdp);
282 * System call to query the rights mask associated with a capability.
285 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
287 struct filedesc *fdp;
291 if (uap->version != CAP_RIGHTS_VERSION_00)
298 fdp = td->td_proc->p_fd;
300 if (fget_locked(fdp, fd) == NULL) {
301 FILEDESC_SUNLOCK(fdp);
304 rights = *cap_rights(fdp, fd);
305 FILEDESC_SUNLOCK(fdp);
306 n = uap->version + 2;
307 if (uap->version != CAPVER(&rights)) {
309 * For older versions we need to check if the descriptor
310 * doesn't contain rights not understood by the caller.
311 * If it does, we have to return an error.
313 for (i = n; i < CAPARSIZE(&rights); i++) {
314 if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
318 error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
320 if (error == 0 && KTRPOINT(td, KTR_STRUCT))
321 ktrcaprights(&rights);
327 * Test whether a capability grants the given ioctl command.
328 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
329 * ENOTCAPABLE will be returned.
332 cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
338 FILEDESC_LOCK_ASSERT(fdp);
339 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
340 ("%s: invalid fd=%d", __func__, fd));
342 ncmds = fdp->fd_ofiles[fd].fde_nioctls;
346 cmds = fdp->fd_ofiles[fd].fde_ioctls;
347 for (i = 0; i < ncmds; i++) {
352 return (ENOTCAPABLE);
356 * Check if the current ioctls list can be replaced by the new one.
359 cap_ioctl_limit_check(struct filedesc *fdp, int fd, const u_long *cmds,
367 oncmds = fdp->fd_ofiles[fd].fde_nioctls;
370 if (oncmds < (ssize_t)ncmds)
371 return (ENOTCAPABLE);
373 ocmds = fdp->fd_ofiles[fd].fde_ioctls;
374 for (i = 0; i < ncmds; i++) {
375 for (j = 0; j < oncmds; j++) {
376 if (cmds[i] == ocmds[j])
380 return (ENOTCAPABLE);
387 kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
389 struct filedesc *fdp;
395 fdp = td->td_proc->p_fd;
398 if (fget_locked(fdp, fd) == NULL) {
403 error = cap_ioctl_limit_check(fdp, fd, cmds, ncmds);
407 ocmds = fdp->fd_ofiles[fd].fde_ioctls;
408 fdp->fd_ofiles[fd].fde_ioctls = cmds;
409 fdp->fd_ofiles[fd].fde_nioctls = ncmds;
414 FILEDESC_XUNLOCK(fdp);
415 free(cmds, M_FILECAPS);
420 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
428 if (ncmds > 256) /* XXX: Is 256 sane? */
434 cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
435 error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
437 free(cmds, M_FILECAPS);
442 return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
446 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
448 struct filedesc *fdp;
449 struct filedescent *fdep;
456 maxcmds = uap->maxcmds;
460 fdp = td->td_proc->p_fd;
463 if (fget_locked(fdp, fd) == NULL) {
469 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
470 * the only sane thing we can do is to not populate the given array and
471 * return CAP_IOCTLS_ALL.
474 fdep = &fdp->fd_ofiles[fd];
475 if (cmds != NULL && fdep->fde_ioctls != NULL) {
476 error = copyout(fdep->fde_ioctls, cmds,
477 sizeof(cmds[0]) * MIN(fdep->fde_nioctls, maxcmds));
481 if (fdep->fde_nioctls == -1)
482 td->td_retval[0] = CAP_IOCTLS_ALL;
484 td->td_retval[0] = fdep->fde_nioctls;
488 FILEDESC_SUNLOCK(fdp);
493 * Test whether a capability grants the given fcntl command.
496 cap_fcntl_check_fde(struct filedescent *fde, int cmd)
500 fcntlcap = (1 << cmd);
501 KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
502 ("Unsupported fcntl=%d.", cmd));
504 if ((fde->fde_fcntls & fcntlcap) != 0)
507 return (ENOTCAPABLE);
511 cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
514 KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
515 ("%s: invalid fd=%d", __func__, fd));
517 return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
521 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
523 struct filedesc *fdp;
524 uint32_t fcntlrights;
528 fcntlrights = uap->fcntlrights;
531 AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);
533 if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
536 fdp = td->td_proc->p_fd;
539 if (fget_locked(fdp, fd) == NULL) {
540 FILEDESC_XUNLOCK(fdp);
544 if ((fcntlrights & ~fdp->fd_ofiles[fd].fde_fcntls) != 0) {
545 FILEDESC_XUNLOCK(fdp);
546 return (ENOTCAPABLE);
549 fdp->fd_ofiles[fd].fde_fcntls = fcntlrights;
550 FILEDESC_XUNLOCK(fdp);
556 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
558 struct filedesc *fdp;
566 fdp = td->td_proc->p_fd;
568 if (fget_locked(fdp, fd) == NULL) {
569 FILEDESC_SUNLOCK(fdp);
572 rights = fdp->fd_ofiles[fd].fde_fcntls;
573 FILEDESC_SUNLOCK(fdp);
575 return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
578 #else /* !CAPABILITIES */
581 * Stub Capability functions for when options CAPABILITIES isn't compiled
586 sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
593 sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
600 sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
607 sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
614 sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
621 sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
627 #endif /* CAPABILITIES */