From 96fcc75fdf74e8ecc798405021f9c9b3c8e01c0d Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Tue, 1 Mar 2011 13:23:37 +0000 Subject: [PATCH] Add initial support for Capsicum's Capability Mode to the FreeBSD kernel, compiled conditionally on options CAPABILITIES: Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a subject (typically a process) is in capability mode. Add two new system calls, cap_enter(2) and cap_getmode(2), which allow setting and querying (but never clearing) the flag. Export the capability mode flag via process information sysctls. Sponsored by: Google, Inc. Reviewed by: anderson Discussed with: benl, kris, pjd Obtained from: Capsicum Project MFC after: 3 months --- sys/compat/freebsd32/syscalls.master | 4 +- sys/conf/NOTES | 3 + sys/conf/options | 1 + sys/kern/kern_proc.c | 4 +- sys/kern/sys_capability.c | 123 +++++++++++++++++++++++++++ sys/kern/syscalls.master | 4 +- sys/sys/ucred.h | 5 ++ sys/sys/user.h | 6 +- 8 files changed, 143 insertions(+), 7 deletions(-) create mode 100644 sys/kern/sys_capability.c diff --git a/sys/compat/freebsd32/syscalls.master b/sys/compat/freebsd32/syscalls.master index 4f1fc28337d4..4aa8d3e4c99d 100644 --- a/sys/compat/freebsd32/syscalls.master +++ b/sys/compat/freebsd32/syscalls.master @@ -952,8 +952,8 @@ 513 AUE_LPATHCONF NOPROTO { int lpathconf(char *path, int name); } 514 AUE_CAP_NEW UNIMPL cap_new 515 AUE_CAP_GETRIGHTS UNIMPL cap_getrights -516 AUE_CAP_ENTER UNIMPL cap_enter -517 AUE_CAP_GETMODE UNIMPL cap_getmode +516 AUE_CAP_ENTER NOPROTO { int cap_enter(void); } +517 AUE_CAP_GETMODE NOPROTO { int cap_getmode(u_int *modep); } 518 AUE_PDFORK UNIMPL pdfork 519 AUE_PDKILL UNIMPL pdkill 520 AUE_PDGETPID UNIMPL pdgetpid diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 462894f222ae..e6b64b64a79c 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1157,6 +1157,9 @@ options MAC_SEEOTHERUIDS options MAC_STUB options MAC_TEST +# Support for Capsicum +options CAPABILIITES + ##################################################################### # CLOCK OPTIONS diff --git a/sys/conf/options b/sys/conf/options index 9a96c94dc421..1ea73408fe56 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -63,6 +63,7 @@ SYSCTL_DEBUG opt_sysctl.h ADAPTIVE_LOCKMGRS ALQ AUDIT opt_global.h +CAPABILITIES opt_capabilities.h CODA_COMPAT_5 opt_coda.h COMPAT_43 opt_compat.h COMPAT_43TTY opt_compat.h diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c index 422a16f57a62..1e576ed27439 100644 --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -725,7 +725,9 @@ fill_kinfo_proc_only(struct proc *p, struct kinfo_proc *kp) kp->ki_uid = cred->cr_uid; kp->ki_ruid = cred->cr_ruid; kp->ki_svuid = cred->cr_svuid; - kp->ki_cr_flags = cred->cr_flags; + kp->ki_cr_flags = 0; + if (cred->cr_flags & CRED_FLAG_CAPMODE) + kp->ki_cr_flags |= KI_CRF_CAPABILITY_MODE; /* XXX bde doesn't like KI_NGROUPS */ if (cred->cr_ngroups > KI_NGROUPS) { kp->ki_ngroups = KI_NGROUPS; diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c new file mode 100644 index 000000000000..e4d721a6350c --- /dev/null +++ b/sys/kern/sys_capability.c @@ -0,0 +1,123 @@ +/*- + * Copyright (c) 2008-2011 Robert N. M. Watson + * Copyright (c) 2010-2011 Jonathan Anderson + * All rights reserved. + * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * FreeBSD kernel capability facility. + * + * Currently, this file implements only capability mode; capabilities + * (rights-refined file descriptors) will follow. + * + */ + +#include "opt_capabilities.h" + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include + +#ifdef CAPABILITIES + +/* + * We don't currently have any MIB entries for sysctls, but we do expose + * security.capabilities so that it's easy to tell if options CAPABILITIES is + * compiled into the kernel. + */ +SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0, "Capsicum"); + +/* + * System call to enter capability mode for the process. + */ +int +cap_enter(struct thread *td, struct cap_enter_args *uap) +{ + struct ucred *newcred, *oldcred; + struct proc *p; + + if (IN_CAPABILITY_MODE(td)) + return (0); + + newcred = crget(); + p = td->td_proc; + PROC_LOCK(p); + oldcred = p->p_ucred; + crcopy(newcred, oldcred); + newcred->cr_flags |= CRED_FLAG_CAPMODE; + p->p_ucred = newcred; + PROC_UNLOCK(p); + crfree(oldcred); + return (0); +} + +/* + * System call to query whether the process is in capability mode. + */ +int +cap_getmode(struct thread *td, struct cap_getmode_args *uap) +{ + u_int i; + + i = (IN_CAPABILITY_MODE(td)) ? 1 : 0; + return (copyout(&i, uap->modep, sizeof(i))); +} + +#else /* !CAPABILITIES */ + +int +cap_enter(struct thread *td, struct cap_enter_args *uap) +{ + + return (ENOSYS); +} + +int +cap_getmode(struct thread *td, struct cap_getmode_args *uap) +{ + + return (ENOSYS); +} + +#endif /* CAPABILITIES */ diff --git a/sys/kern/syscalls.master b/sys/kern/syscalls.master index ef6082847ca3..f3723e3dbf2d 100644 --- a/sys/kern/syscalls.master +++ b/sys/kern/syscalls.master @@ -916,8 +916,8 @@ 513 AUE_LPATHCONF STD { int lpathconf(char *path, int name); } 514 AUE_CAP_NEW UNIMPL cap_new 515 AUE_CAP_GETRIGHTS UNIMPL cap_getrights -516 AUE_CAP_ENTER UNIMPL cap_enter -517 AUE_CAP_GETMODE UNIMPL cap_getmode +516 AUE_CAP_ENTER STD { int cap_enter(void); } +517 AUE_CAP_GETMODE STD { int cap_getmode(u_int *modep); } 518 AUE_PDFORK UNIMPL pdfork 519 AUE_PDKILL UNIMPL pdkill 520 AUE_PDGETPID UNIMPL pdgetpid diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index a8934cec4f5d..4e2ca02b6301 100644 --- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h @@ -69,6 +69,11 @@ struct ucred { #define XU_NGROUPS 16 +/* + * Flags for cr_flags. + */ +#define CRED_FLAG_CAPMODE 0x00000001 /* In capability mode. */ + /* * This is the external representation of struct ucred. */ diff --git a/sys/sys/user.h b/sys/sys/user.h index b32ca04989b4..5c34c9d1f3b5 100644 --- a/sys/sys/user.h +++ b/sys/sys/user.h @@ -101,9 +101,11 @@ #define KI_NGROUPS 16 /* number of groups in ki_groups */ #define LOGNAMELEN 17 /* size of returned ki_login */ +/* Flags for the process credential. */ +#define KI_CRF_CAPABILITY_MODE 0x00000001 /* - * Steal a bit from ki_cr_flags (cr_flags is never used) to indicate - * that the cred had more than KI_NGROUPS groups. + * Steal a bit from ki_cr_flags to indicate that the cred had more than + * KI_NGROUPS groups. */ #define KI_CRF_GRP_OVERFLOW 0x80000000