1 | /*- |
---|
2 | * Copyright (c) 2008-2010 Robert N. M. Watson |
---|
3 | * All rights reserved. |
---|
4 | * |
---|
5 | * This software was developed at the University of Cambridge Computer |
---|
6 | * Laboratory with support from a grant from Google, Inc. |
---|
7 | * |
---|
8 | * Redistribution and use in source and binary forms, with or without |
---|
9 | * modification, are permitted provided that the following conditions |
---|
10 | * are met: |
---|
11 | * 1. Redistributions of source code must retain the above copyright |
---|
12 | * notice, this list of conditions and the following disclaimer. |
---|
13 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
14 | * notice, this list of conditions and the following disclaimer in the |
---|
15 | * documentation and/or other materials provided with the distribution. |
---|
16 | * |
---|
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
---|
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
---|
21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
27 | * SUCH DAMAGE. |
---|
28 | * |
---|
29 | * $FreeBSD$ |
---|
30 | */ |
---|
31 | |
---|
32 | /* |
---|
33 | * Definitions for FreeBSD capabilities facility. |
---|
34 | */ |
---|
35 | #ifndef _SYS_CAPABILITY_H_ |
---|
36 | #define _SYS_CAPABILITY_H_ |
---|
37 | |
---|
38 | #include <sys/cdefs.h> |
---|
39 | #include <sys/types.h> |
---|
40 | |
---|
41 | #include <sys/file.h> |
---|
42 | |
---|
43 | /* |
---|
44 | * Possible rights on capabilities. |
---|
45 | * |
---|
46 | * Notes: |
---|
47 | * Some system calls don't require a capability in order to perform an |
---|
48 | * operation on an fd. These include: close, dup, dup2. |
---|
49 | * |
---|
50 | * sendfile is authorized using CAP_READ on the file and CAP_WRITE on the |
---|
51 | * socket. |
---|
52 | * |
---|
53 | * mmap() and aio*() system calls will need special attention as they may |
---|
54 | * involve reads or writes depending a great deal on context. |
---|
55 | */ |
---|
56 | |
---|
57 | /* General file I/O. */ |
---|
58 | #define CAP_READ 0x0000000000000001ULL /* read/recv */ |
---|
59 | #define CAP_WRITE 0x0000000000000002ULL /* write/send */ |
---|
60 | #define CAP_MMAP 0x0000000000000004ULL /* mmap */ |
---|
61 | #define CAP_MAPEXEC 0x0000000000000008ULL /* mmap(2) as exec */ |
---|
62 | #define CAP_FEXECVE 0x0000000000000010ULL |
---|
63 | #define CAP_FSYNC 0x0000000000000020ULL |
---|
64 | #define CAP_FTRUNCATE 0x0000000000000040ULL |
---|
65 | #define CAP_SEEK 0x0000000000000080ULL |
---|
66 | |
---|
67 | /* VFS methods. */ |
---|
68 | #define CAP_FCHFLAGS 0x0000000000000100ULL |
---|
69 | #define CAP_FCHDIR 0x0000000000000200ULL |
---|
70 | #define CAP_FCHMOD 0x0000000000000400ULL |
---|
71 | #define CAP_FCHOWN 0x0000000000000800ULL |
---|
72 | #define CAP_FCNTL 0x0000000000001000ULL |
---|
73 | #define CAP_FPATHCONF 0x0000000000002000ULL |
---|
74 | #define CAP_FLOCK 0x0000000000004000ULL |
---|
75 | #define CAP_FSCK 0x0000000000008000ULL |
---|
76 | #define CAP_FSTAT 0x0000000000010000ULL |
---|
77 | #define CAP_FSTATFS 0x0000000000020000ULL |
---|
78 | #define CAP_FUTIMES 0x0000000000040000ULL |
---|
79 | #define CAP_CREATE 0x0000000000080000ULL |
---|
80 | #define CAP_DELETE 0x0000000000100000ULL |
---|
81 | #define CAP_MKDIR 0x0000000000200000ULL |
---|
82 | #define CAP_RMDIR 0x0000000000400000ULL |
---|
83 | #define CAP_MKFIFO 0x0000000000800000ULL |
---|
84 | |
---|
85 | /* Lookups - used to constrain *at() calls. */ |
---|
86 | #define CAP_LOOKUP 0x0000000001000000ULL |
---|
87 | |
---|
88 | /* Extended attributes. */ |
---|
89 | #define CAP_EXTATTR_DELETE 0x0000000002000000ULL |
---|
90 | #define CAP_EXTATTR_GET 0x0000000004000000ULL |
---|
91 | #define CAP_EXTATTR_LIST 0x0000000008000000ULL |
---|
92 | #define CAP_EXTATTR_SET 0x0000000010000000ULL |
---|
93 | |
---|
94 | /* Access Control Lists. */ |
---|
95 | #define CAP_ACL_CHECK 0x0000000020000000ULL |
---|
96 | #define CAP_ACL_DELETE 0x0000000040000000ULL |
---|
97 | #define CAP_ACL_GET 0x0000000080000000ULL |
---|
98 | #define CAP_ACL_SET 0x0000000100000000ULL |
---|
99 | |
---|
100 | /* Socket operations. */ |
---|
101 | #define CAP_ACCEPT 0x0000000200000000ULL |
---|
102 | #define CAP_BIND 0x0000000400000000ULL |
---|
103 | #define CAP_CONNECT 0x0000000800000000ULL |
---|
104 | #define CAP_GETPEERNAME 0x0000001000000000ULL |
---|
105 | #define CAP_GETSOCKNAME 0x0000002000000000ULL |
---|
106 | #define CAP_GETSOCKOPT 0x0000004000000000ULL |
---|
107 | #define CAP_LISTEN 0x0000008000000000ULL |
---|
108 | #define CAP_PEELOFF 0x0000010000000000ULL |
---|
109 | #define CAP_SETSOCKOPT 0x0000020000000000ULL |
---|
110 | #define CAP_SHUTDOWN 0x0000040000000000ULL |
---|
111 | |
---|
112 | #define CAP_SOCK_ALL \ |
---|
113 | (CAP_ACCEPT | CAP_BIND | CAP_CONNECT \ |
---|
114 | | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT \ |
---|
115 | | CAP_LISTEN | CAP_PEELOFF | CAP_SETSOCKOPT | CAP_SHUTDOWN) |
---|
116 | |
---|
117 | /* Mandatory Access Control. */ |
---|
118 | #define CAP_MAC_GET 0x0000080000000000ULL |
---|
119 | #define CAP_MAC_SET 0x0000100000000000ULL |
---|
120 | |
---|
121 | /* Methods on semaphores. */ |
---|
122 | #define CAP_SEM_GETVALUE 0x0000200000000000ULL |
---|
123 | #define CAP_SEM_POST 0x0000400000000000ULL |
---|
124 | #define CAP_SEM_WAIT 0x0000800000000000ULL |
---|
125 | |
---|
126 | /* kqueue events. */ |
---|
127 | #define CAP_POLL_EVENT 0x0001000000000000ULL |
---|
128 | #define CAP_POST_EVENT 0x0002000000000000ULL |
---|
129 | |
---|
130 | /* Strange and powerful rights that should not be given lightly. */ |
---|
131 | #define CAP_IOCTL 0x0004000000000000ULL |
---|
132 | #define CAP_TTYHOOK 0x0008000000000000ULL |
---|
133 | |
---|
134 | /* Process management via process descriptors. */ |
---|
135 | #define CAP_PDGETPID 0x0010000000000000ULL |
---|
136 | #define CAP_PDWAIT 0x0020000000000000ULL |
---|
137 | #define CAP_PDKILL 0x0040000000000000ULL |
---|
138 | |
---|
139 | /* The mask of all valid method rights. */ |
---|
140 | #define CAP_MASK_VALID 0x007fffffffffffffULL |
---|
141 | |
---|
142 | #ifdef _KERNEL |
---|
143 | |
---|
144 | #define IN_CAPABILITY_MODE(td) (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) |
---|
145 | |
---|
146 | /* |
---|
147 | * Create a capability to wrap a file object. |
---|
148 | */ |
---|
149 | int kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights, |
---|
150 | int *capfd); |
---|
151 | |
---|
152 | /* |
---|
153 | * Unwrap a capability if its rights mask is a superset of 'rights'. |
---|
154 | * |
---|
155 | * Unwrapping a non-capability is effectively a no-op; the value of fp_cap |
---|
156 | * is simply copied into fpp. |
---|
157 | */ |
---|
158 | int cap_funwrap(struct file *fp_cap, cap_rights_t rights, |
---|
159 | struct file **fpp); |
---|
160 | int cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, |
---|
161 | u_char *maxprotp, struct file **fpp); |
---|
162 | |
---|
163 | /* |
---|
164 | * For the purposes of procstat(1) and similar tools, allow kern_descrip.c to |
---|
165 | * extract the rights from a capability. However, this should not be used by |
---|
166 | * kernel code generally, instead cap_funwrap() should be used in order to |
---|
167 | * keep all access control in one place. |
---|
168 | */ |
---|
169 | cap_rights_t cap_rights(struct file *fp_cap); |
---|
170 | |
---|
171 | #else /* !_KERNEL */ |
---|
172 | |
---|
173 | __BEGIN_DECLS |
---|
174 | |
---|
175 | /* |
---|
176 | * cap_enter(): Cause the process to enter capability mode, which will |
---|
177 | * prevent it from directly accessing global namespaces. System calls will |
---|
178 | * be limited to process-local, process-inherited, or file descriptor |
---|
179 | * operations. If already in capability mode, a no-op. |
---|
180 | * |
---|
181 | * Currently, process-inherited operations are not properly handled -- in |
---|
182 | * particular, we're interested in things like waitpid(2), kill(2), etc, |
---|
183 | * being properly constrained. One possible solution is to introduce process |
---|
184 | * descriptors. |
---|
185 | */ |
---|
186 | int cap_enter(void); |
---|
187 | |
---|
188 | /* |
---|
189 | * cap_getmode(): Are we in capability mode? |
---|
190 | */ |
---|
191 | int cap_getmode(u_int* modep); |
---|
192 | |
---|
193 | /* |
---|
194 | * cap_new(): Create a new capability derived from an existing file |
---|
195 | * descriptor with the specified rights. If the existing file descriptor is |
---|
196 | * a capability, then the new rights must be a subset of the existing rights. |
---|
197 | */ |
---|
198 | int cap_new(int fd, cap_rights_t rights); |
---|
199 | |
---|
200 | /* |
---|
201 | * cap_getrights(): Query the rights on a capability. |
---|
202 | */ |
---|
203 | int cap_getrights(int fd, cap_rights_t *rightsp); |
---|
204 | |
---|
205 | __END_DECLS |
---|
206 | |
---|
207 | #endif /* !_KERNEL */ |
---|
208 | |
---|
209 | #endif /* !_SYS_CAPABILITY_H_ */ |
---|