Add initial support for Capsicum's Capability Mode to the FreeBSD kernel,

compiled conditionally on options CAPABILITIES: Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a subject (typically a process) is in capability mode. Add two new system calls, cap_enter(2) and cap_getmode(2), which allow setting and querying (but never clearing) the flag. Export the capability mode flag via process information sysctls. Sponsored by: Google, Inc. Reviewed by: anderson Discussed with: benl, kris, pjd Obtained from: Capsicum Project MFC after: 3 months
2011-03-01 13:23:37 +00:00 · 2011-03-01 13:23:37 +00:00 · 96fcc75fdf
commit 96fcc75fdf
parent 25122f5c5f
8 changed files with 143 additions and 7 deletions
--- a/sys/compat/freebsd32/syscalls.master
+++ b/sys/compat/freebsd32/syscalls.master
@ -952,8 +952,8 @@
 513	AUE_LPATHCONF	NOPROTO	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	NOPROTO	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	NOPROTO	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -1157,6 +1157,9 @@ options 	MAC_SEEOTHERUIDS
 options 	MAC_STUB
 options 	MAC_TEST

+# Support for Capsicum
+options 	CAPABILIITES
+

 #####################################################################
 # CLOCK OPTIONS
--- a/sys/conf/options
+++ b/sys/conf/options
@ -63,6 +63,7 @@ SYSCTL_DEBUG	opt_sysctl.h
 ADAPTIVE_LOCKMGRS
 ALQ
 AUDIT		opt_global.h
+CAPABILITIES	opt_capabilities.h
 CODA_COMPAT_5	opt_coda.h
 COMPAT_43	opt_compat.h
 COMPAT_43TTY	opt_compat.h
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@ -725,7 +725,9 @@ fill_kinfo_proc_only(struct proc *p, struct kinfo_proc *kp)
 		kp->ki_uid = cred->cr_uid;
 		kp->ki_ruid = cred->cr_ruid;
 		kp->ki_svuid = cred->cr_svuid;
-		kp->ki_cr_flags = cred->cr_flags;
+		kp->ki_cr_flags = 0;
+		if (cred->cr_flags & CRED_FLAG_CAPMODE)
+			kp->ki_cr_flags |= KI_CRF_CAPABILITY_MODE;
 		/* XXX bde doesn't like KI_NGROUPS */
 		if (cred->cr_ngroups > KI_NGROUPS) {
 			kp->ki_ngroups = KI_NGROUPS;
--- a/sys/kern/sys_capability.c
+++ b/sys/kern/sys_capability.c
@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2008-2011 Robert N. M. Watson
+ * Copyright (c) 2010-2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FreeBSD kernel capability facility.
+ *
+ * Currently, this file implements only capability mode; capabilities
+ * (rights-refined file descriptors) will follow.
+ *
+ */
+
+#include "opt_capabilities.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/capability.h>
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/proc.h>
+#include <sys/sysproto.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+
+#include <security/audit/audit.h>
+
+#include <vm/uma.h>
+#include <vm/vm.h>
+
+#ifdef CAPABILITIES
+
+/*
+ * We don't currently have any MIB entries for sysctls, but we do expose
+ * security.capabilities so that it's easy to tell if options CAPABILITIES is
+ * compiled into the kernel.
+ */
+SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0, "Capsicum");
+
+/*
+ * System call to enter capability mode for the process.
+ */
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+	struct ucred *newcred, *oldcred;
+	struct proc *p;
+
+	if (IN_CAPABILITY_MODE(td))
+		return (0);
+
+	newcred = crget();
+	p = td->td_proc;
+	PROC_LOCK(p);
+	oldcred = p->p_ucred;
+	crcopy(newcred, oldcred);
+	newcred->cr_flags |= CRED_FLAG_CAPMODE;
+	p->p_ucred = newcred;
+	PROC_UNLOCK(p);
+	crfree(oldcred);
+	return (0);
+}
+
+/*
+ * System call to query whether the process is in capability mode.
+ */
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+	u_int i;
+
+	i = (IN_CAPABILITY_MODE(td)) ? 1 : 0;
+	return (copyout(&i, uap->modep, sizeof(i)));
+}
+
+#else /* !CAPABILITIES */
+
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+#endif /* CAPABILITIES */
--- a/sys/kern/syscalls.master
+++ b/sys/kern/syscalls.master
@ -916,8 +916,8 @@
 513	AUE_LPATHCONF	STD	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	STD	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	STD	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@ -69,6 +69,11 @@ struct ucred {

 #define	XU_NGROUPS	16

+/*
+ * Flags for cr_flags.
+ */
+#define	CRED_FLAG_CAPMODE	0x00000001	/* In capability mode. */
+
 /*
 * This is the external representation of struct ucred.
 */
--- a/sys/sys/user.h
+++ b/sys/sys/user.h
@ -101,9 +101,11 @@
 #define KI_NGROUPS	16		/* number of groups in ki_groups */
 #define	LOGNAMELEN	17		/* size of returned ki_login */

+/* Flags for the process credential. */
+#define	KI_CRF_CAPABILITY_MODE	0x00000001
 /*
- * Steal a bit from ki_cr_flags (cr_flags is never used) to indicate
- * that the cred had more than KI_NGROUPS groups.
+ * Steal a bit from ki_cr_flags to indicate that the cred had more than
+ * KI_NGROUPS groups.
 */
 #define KI_CRF_GRP_OVERFLOW	0x80000000