Date:      Tue, 1 Mar 2011 13:23:37 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r219129 - in head/sys: compat/freebsd32 conf kern sys
Message-ID:  <201103011323.p21DNbau027743@svn.freebsd.org>

Author: rwatson
Date: Tue Mar  1 13:23:37 2011
New Revision: 219129
URL: http://svn.freebsd.org/changeset/base/219129

Log:
  Add initial support for Capsicum's Capability Mode to the FreeBSD kernel,
  compiled conditionally on options CAPABILITIES:
  
  Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a
  subject (typically a process) is in capability mode.
  
  Add two new system calls, cap_enter(2) and cap_getmode(2), which allow
  setting and querying (but never clearing) the flag.
  
  Export the capability mode flag via process information sysctls.
  
  Sponsored by:	Google, Inc.
  Reviewed by:	anderson
  Discussed with:	benl, kris, pjd
  Obtained from:	Capsicum Project
  MFC after:	3 months

Added:
  head/sys/kern/sys_capability.c   (contents, props changed)
Modified:
  head/sys/compat/freebsd32/syscalls.master
  head/sys/conf/NOTES
  head/sys/conf/options
  head/sys/kern/kern_proc.c
  head/sys/kern/syscalls.master
  head/sys/sys/ucred.h
  head/sys/sys/user.h

Modified: head/sys/compat/freebsd32/syscalls.master
==============================================================================
--- head/sys/compat/freebsd32/syscalls.master	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/compat/freebsd32/syscalls.master	Tue Mar  1 13:23:37 2011	(r219129)
@@ -952,8 +952,8 @@
 513	AUE_LPATHCONF	NOPROTO	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	NOPROTO	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	NOPROTO	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid

Modified: head/sys/conf/NOTES
==============================================================================
--- head/sys/conf/NOTES	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/conf/NOTES	Tue Mar  1 13:23:37 2011	(r219129)
@@ -1157,6 +1157,9 @@ options 	MAC_SEEOTHERUIDS
 options 	MAC_STUB
 options 	MAC_TEST
 
+# Support for Capsicum
+options 	CAPABILIITES
+
 
 #####################################################################
 # CLOCK OPTIONS
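Review bot: The option name on the added `options` line is misspelled: `CAPABILIITES`, whereas sys/conf/options (and the `#ifdef CAPABILITIES` guard in sys_capability.c) spell it `CAPABILITIES`. As written, a LINT kernel built from NOTES would not have the new code compiled in, so the `cap_enter`/`cap_getmode` paths under the `#ifdef` would go untested by that build, and config(8) will presumably warn about or reject the unknown option. The line should read `options 	CAPABILITIES`.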

Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/conf/options	Tue Mar  1 13:23:37 2011	(r219129)
@@ -63,6 +63,7 @@ SYSCTL_DEBUG	opt_sysctl.h
 ADAPTIVE_LOCKMGRS
 ALQ
 AUDIT		opt_global.h
+CAPABILITIES	opt_capabilities.h
 CODA_COMPAT_5	opt_coda.h
 COMPAT_43	opt_compat.h
 COMPAT_43TTY	opt_compat.h

Modified: head/sys/kern/kern_proc.c
==============================================================================
--- head/sys/kern/kern_proc.c	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/kern/kern_proc.c	Tue Mar  1 13:23:37 2011	(r219129)
@@ -725,7 +725,9 @@ fill_kinfo_proc_only(struct proc *p, str
 		kp->ki_uid = cred->cr_uid;
 		kp->ki_ruid = cred->cr_ruid;
 		kp->ki_svuid = cred->cr_svuid;
-		kp->ki_cr_flags = cred->cr_flags;
+		kp->ki_cr_flags = 0;
+		if (cred->cr_flags & CRED_FLAG_CAPMODE)
+			kp->ki_cr_flags |= KI_CRF_CAPABILITY_MODE;
 		/* XXX bde doesn't like KI_NGROUPS */
 		if (cred->cr_ngroups > KI_NGROUPS) {
 			kp->ki_ngroups = KI_NGROUPS;

Added: head/sys/kern/sys_capability.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sys/kern/sys_capability.c	Tue Mar  1 13:23:37 2011	(r219129)
@@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2008-2011 Robert N. M. Watson
+ * Copyright (c) 2010-2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FreeBSD kernel capability facility.
+ *
+ * Currently, this file implements only capability mode; capabilities
+ * (rights-refined file descriptors) will follow.
+ *
+ */
+
+#include "opt_capabilities.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/capability.h>
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/proc.h>
+#include <sys/sysproto.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+
+#include <security/audit/audit.h>
+
+#include <vm/uma.h>
+#include <vm/vm.h>
+
+#ifdef CAPABILITIES
+
+/*
+ * We don't currently have any MIB entries for sysctls, but we do expose
+ * security.capabilities so that it's easy to tell if options CAPABILITIES is
+ * compiled into the kernel.
+ */
+SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0, "Capsicum");
+
+/*
+ * System call to enter capability mode for the process.
+ */
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+	struct ucred *newcred, *oldcred;
+	struct proc *p;
+
+	if (IN_CAPABILITY_MODE(td))
+		return (0);
+
+	newcred = crget();
+	p = td->td_proc;
+	PROC_LOCK(p);
+	oldcred = p->p_ucred;
+	crcopy(newcred, oldcred);
+	newcred->cr_flags |= CRED_FLAG_CAPMODE;
+	p->p_ucred = newcred;
+	PROC_UNLOCK(p);
+	crfree(oldcred);
+	return (0);
+}
+
+/*
+ * System call to query whether the process is in capability mode.
+ */
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+	u_int i;
+
+	i = (IN_CAPABILITY_MODE(td)) ? 1 : 0;
+	return (copyout(&i, uap->modep, sizeof(i)));
+}
+
+#else /* !CAPABILITIES */
+
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+#endif /* CAPABILITIES */
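Review bot: cap_enter's header comment should record the invariants the implementation relies on: the flag is set but never cleared (the commit log says so), so the unlocked `IN_CAPABILITY_MODE(td)` early return is only a fast path and the `|=` done under `PROC_LOCK` is what keeps concurrent callers in the same process correct; and the credential is replaced via `crget`/`crcopy` rather than edited in place, presumably because `p_ucred` may be shared and is treated as copy-on-write — worth confirming and stating. A suggested comment: `/* Enter capability mode. The flag is sticky: once set it is never cleared, so the unlocked check is only a fast path and the locked OR is idempotent. A fresh cred is installed under PROC_LOCK instead of modifying p_ucred in place. */`. Separately, the `#else` stub for cap_getmode returns `ENOSYS` rather than reporting mode 0; that is a defensible choice, but the file-level comment could say so explicitly so callers know `ENOSYS` means "kernel built without options CAPABILITIES" rather than "not in capability mode".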

Modified: head/sys/kern/syscalls.master
==============================================================================
--- head/sys/kern/syscalls.master	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/kern/syscalls.master	Tue Mar  1 13:23:37 2011	(r219129)
@@ -916,8 +916,8 @@
 513	AUE_LPATHCONF	STD	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	STD	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	STD	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid

Modified: head/sys/sys/ucred.h
==============================================================================
--- head/sys/sys/ucred.h	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/sys/ucred.h	Tue Mar  1 13:23:37 2011	(r219129)
@@ -70,6 +70,11 @@ struct ucred {
 #define	XU_NGROUPS	16
 
 /*
+ * Flags for cr_flags.
+ */
+#define	CRED_FLAG_CAPMODE	0x00000001	/* In capability mode. */
+
+/*
  * This is the external representation of struct ucred.
  */
 struct xucred {
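Review bot: The trailing comment on `CRED_FLAG_CAPMODE` says only "In capability mode"; since the commit log states the flag can be set but never cleared, the header is the right place to record that so future additions to `cr_flags` do not assume every flag is toggleable. Suggest `#define	CRED_FLAG_CAPMODE	0x00000001	/* In capability mode; set by cap_enter(2), never cleared. */`.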

Modified: head/sys/sys/user.h
==============================================================================
--- head/sys/sys/user.h	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/sys/user.h	Tue Mar  1 13:23:37 2011	(r219129)
@@ -101,9 +101,11 @@
 #define KI_NGROUPS	16		/* number of groups in ki_groups */
 #define	LOGNAMELEN	17		/* size of returned ki_login */
 
+/* Flags for the process credential. */
+#define	KI_CRF_CAPABILITY_MODE	0x00000001
 /*
- * Steal a bit from ki_cr_flags (cr_flags is never used) to indicate
- * that the cred had more than KI_NGROUPS groups.
+ * Steal a bit from ki_cr_flags to indicate that the cred had more than
+ * KI_NGROUPS groups.
  */
 #define KI_CRF_GRP_OVERFLOW	0x80000000
 


