7008be5bd7
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
290 lines
7.5 KiB
C
290 lines
7.5 KiB
C
/*-
|
|
* Copyright (c) 1988, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* @(#)ktrace.h 8.1 (Berkeley) 6/2/93
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef _SYS_KTRACE_H_
|
|
#define _SYS_KTRACE_H_
|
|
|
|
#include <sys/caprights.h>
|
|
|
|
/*
|
|
* operations to ktrace system call (KTROP(op))
|
|
*/
|
|
#define KTROP_SET 0 /* set trace points */
|
|
#define KTROP_CLEAR 1 /* clear trace points */
|
|
#define KTROP_CLEARFILE 2 /* stop all tracing to file */
|
|
#define KTROP(o) ((o)&3) /* macro to extract operation */
|
|
/*
|
|
* flags (ORed in with operation)
|
|
*/
|
|
#define KTRFLAG_DESCEND 4 /* perform op on all children too */
|
|
|
|
/*
|
|
* ktrace record header
|
|
*/
|
|
struct ktr_header {
|
|
int ktr_len; /* length of buf */
|
|
short ktr_type; /* trace record type */
|
|
pid_t ktr_pid; /* process id */
|
|
char ktr_comm[MAXCOMLEN + 1];/* command name */
|
|
struct timeval ktr_time; /* timestamp */
|
|
intptr_t ktr_tid; /* was ktr_buffer */
|
|
};
|
|
|
|
/*
|
|
* Test for kernel trace point (MP SAFE).
|
|
*
|
|
* KTRCHECK() just checks that the type is enabled and is only for
|
|
* internal use in the ktrace subsystem. KTRPOINT() checks against
|
|
* ktrace recursion as well as checking that the type is enabled and
|
|
* is the public interface.
|
|
*/
|
|
#define KTRCHECK(td, type) ((td)->td_proc->p_traceflag & (1 << type))
|
|
#define KTRPOINT(td, type) \
|
|
(KTRCHECK((td), (type)) && !((td)->td_pflags & TDP_INKTRACE))
|
|
#define KTRCHECKDRAIN(td) (!(STAILQ_EMPTY(&(td)->td_proc->p_ktr)))
|
|
#define KTRUSERRET(td) do { \
|
|
if (KTRCHECKDRAIN(td)) \
|
|
ktruserret(td); \
|
|
} while (0)
|
|
|
|
/*
|
|
* ktrace record types
|
|
*/
|
|
|
|
/*
|
|
* KTR_SYSCALL - system call record
|
|
*/
|
|
#define KTR_SYSCALL 1
|
|
struct ktr_syscall {
|
|
short ktr_code; /* syscall number */
|
|
short ktr_narg; /* number of arguments */
|
|
/*
|
|
* followed by ktr_narg register_t
|
|
*/
|
|
register_t ktr_args[1];
|
|
};
|
|
|
|
/*
|
|
* KTR_SYSRET - return from system call record
|
|
*/
|
|
#define KTR_SYSRET 2
|
|
struct ktr_sysret {
|
|
short ktr_code;
|
|
short ktr_eosys;
|
|
int ktr_error;
|
|
register_t ktr_retval;
|
|
};
|
|
|
|
/*
|
|
* KTR_NAMEI - namei record
|
|
*/
|
|
#define KTR_NAMEI 3
|
|
/* record contains pathname */
|
|
|
|
/*
|
|
* KTR_GENIO - trace generic process i/o
|
|
*/
|
|
#define KTR_GENIO 4
|
|
struct ktr_genio {
|
|
int ktr_fd;
|
|
enum uio_rw ktr_rw;
|
|
/*
|
|
* followed by data successfully read/written
|
|
*/
|
|
};
|
|
|
|
/*
|
|
* KTR_PSIG - trace processed signal
|
|
*/
|
|
#define KTR_PSIG 5
|
|
struct ktr_psig {
|
|
int signo;
|
|
sig_t action;
|
|
int code;
|
|
sigset_t mask;
|
|
};
|
|
|
|
/*
|
|
* KTR_CSW - trace context switches
|
|
*/
|
|
#define KTR_CSW 6
|
|
struct ktr_csw_old {
|
|
int out; /* 1 if switch out, 0 if switch in */
|
|
int user; /* 1 if usermode (ivcsw), 0 if kernel (vcsw) */
|
|
};
|
|
|
|
struct ktr_csw {
|
|
int out; /* 1 if switch out, 0 if switch in */
|
|
int user; /* 1 if usermode (ivcsw), 0 if kernel (vcsw) */
|
|
char wmesg[8];
|
|
};
|
|
|
|
/*
|
|
* KTR_USER - data coming from userland
|
|
*/
|
|
#define KTR_USER_MAXLEN 2048 /* maximum length of passed data */
|
|
#define KTR_USER 7
|
|
|
|
/*
|
|
* KTR_STRUCT - misc. structs
|
|
*/
|
|
#define KTR_STRUCT 8
|
|
/*
|
|
* record contains null-terminated struct name followed by
|
|
* struct contents
|
|
*/
|
|
struct sockaddr;
|
|
struct stat;
|
|
struct sysentvec;
|
|
|
|
/*
|
|
* KTR_SYSCTL - name of a sysctl MIB
|
|
*/
|
|
#define KTR_SYSCTL 9
|
|
/* record contains null-terminated MIB name */
|
|
|
|
/*
|
|
* KTR_PROCCTOR - trace process creation (multiple ABI support)
|
|
*/
|
|
#define KTR_PROCCTOR 10
|
|
struct ktr_proc_ctor {
|
|
u_int sv_flags; /* struct sysentvec sv_flags copy */
|
|
};
|
|
|
|
/*
|
|
* KTR_PROCDTOR - trace process destruction (multiple ABI support)
|
|
*/
|
|
#define KTR_PROCDTOR 11
|
|
|
|
/*
|
|
* KTR_CAPFAIL - trace capability check failures
|
|
*/
|
|
#define KTR_CAPFAIL 12
|
|
enum ktr_cap_fail_type {
|
|
CAPFAIL_NOTCAPABLE, /* insufficient capabilities in cap_check() */
|
|
CAPFAIL_INCREASE, /* attempt to increase capabilities */
|
|
CAPFAIL_SYSCALL, /* disallowed system call */
|
|
CAPFAIL_LOOKUP, /* disallowed VFS lookup */
|
|
};
|
|
struct ktr_cap_fail {
|
|
enum ktr_cap_fail_type cap_type;
|
|
cap_rights_t cap_needed;
|
|
cap_rights_t cap_held;
|
|
};
|
|
|
|
/*
|
|
* KTR_FAULT - page fault record
|
|
*/
|
|
#define KTR_FAULT 13
|
|
struct ktr_fault {
|
|
vm_offset_t vaddr;
|
|
int type;
|
|
};
|
|
|
|
/*
|
|
* KTR_FAULTEND - end of page fault record
|
|
*/
|
|
#define KTR_FAULTEND 14
|
|
struct ktr_faultend {
|
|
int result;
|
|
};
|
|
|
|
/*
|
|
* KTR_DROP - If this bit is set in ktr_type, then at least one event
|
|
* between the previous record and this record was dropped.
|
|
*/
|
|
#define KTR_DROP 0x8000
|
|
|
|
/*
|
|
* kernel trace points (in p_traceflag)
|
|
*/
|
|
#define KTRFAC_MASK 0x00ffffff
|
|
#define KTRFAC_SYSCALL (1<<KTR_SYSCALL)
|
|
#define KTRFAC_SYSRET (1<<KTR_SYSRET)
|
|
#define KTRFAC_NAMEI (1<<KTR_NAMEI)
|
|
#define KTRFAC_GENIO (1<<KTR_GENIO)
|
|
#define KTRFAC_PSIG (1<<KTR_PSIG)
|
|
#define KTRFAC_CSW (1<<KTR_CSW)
|
|
#define KTRFAC_USER (1<<KTR_USER)
|
|
#define KTRFAC_STRUCT (1<<KTR_STRUCT)
|
|
#define KTRFAC_SYSCTL (1<<KTR_SYSCTL)
|
|
#define KTRFAC_PROCCTOR (1<<KTR_PROCCTOR)
|
|
#define KTRFAC_PROCDTOR (1<<KTR_PROCDTOR)
|
|
#define KTRFAC_CAPFAIL (1<<KTR_CAPFAIL)
|
|
#define KTRFAC_FAULT (1<<KTR_FAULT)
|
|
#define KTRFAC_FAULTEND (1<<KTR_FAULTEND)
|
|
|
|
/*
|
|
* trace flags (also in p_traceflags)
|
|
*/
|
|
#define KTRFAC_ROOT 0x80000000 /* root set this trace */
|
|
#define KTRFAC_INHERIT 0x40000000 /* pass trace flags to children */
|
|
#define KTRFAC_DROP 0x20000000 /* last event was dropped */
|
|
|
|
#ifdef _KERNEL
|
|
void ktrnamei(char *);
|
|
void ktrcsw(int, int, const char *);
|
|
void ktrpsig(int, sig_t, sigset_t *, int);
|
|
void ktrfault(vm_offset_t, int);
|
|
void ktrfaultend(int);
|
|
void ktrgenio(int, enum uio_rw, struct uio *, int);
|
|
void ktrsyscall(int, int narg, register_t args[]);
|
|
void ktrsysctl(int *name, u_int namelen);
|
|
void ktrsysret(int, int, register_t);
|
|
void ktrprocctor(struct proc *);
|
|
void ktrprocexec(struct proc *, struct ucred **, struct vnode **);
|
|
void ktrprocexit(struct thread *);
|
|
void ktrprocfork(struct proc *, struct proc *);
|
|
void ktruserret(struct thread *);
|
|
void ktrstruct(const char *, void *, size_t);
|
|
void ktrcapfail(enum ktr_cap_fail_type, const cap_rights_t *,
|
|
const cap_rights_t *);
|
|
#define ktrcaprights(s) \
|
|
ktrstruct("caprights", (s), sizeof(cap_rights_t))
|
|
#define ktrsockaddr(s) \
|
|
ktrstruct("sockaddr", (s), ((struct sockaddr *)(s))->sa_len)
|
|
#define ktrstat(s) \
|
|
ktrstruct("stat", (s), sizeof(struct stat))
|
|
|
|
#else
|
|
|
|
#include <sys/cdefs.h>
|
|
|
|
__BEGIN_DECLS
|
|
int ktrace(const char *, int, int, pid_t);
|
|
int utrace(const void *, size_t);
|
|
__END_DECLS
|
|
|
|
#endif
|
|
|
|
#endif
|