From nobody Sun Apr 07 23:57:10 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VCTfb0cL5z5Fbcl; Sun, 7 Apr 2024 23:57:11 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VCTfZ6DKCz4C8p; Sun, 7 Apr 2024 23:57:10 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1712534230; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ML1MgU6nUr64iYiaGIRjd8yR0Ad59ng74job3pAKllY=; b=yKHIpSXRvuUCjqVKgd03ZTuNv/R6VtOXRk4kDKXhRth6ilztdZ6q7eiE0pc+yU/sZGbBhs shL+LnsIv2UrbHi9qJTqZt3+OTGFuxlDGctO7LxQSrpwkQSYr3EqQFdHoOd/Z+8dGg+m7v xXy+mWl5qbgtyDIrDtf1xOx7sMDUWPGxJG5ase3sVlVUB5SHRJEZdLNDSf70nUqc8YXGq7 F+NoWH2I1MtaHqP6XhNB828epB7UNQ8djwFCE1DNIEOZkYn5ZKZA3cAGtUDKfU5K2wtJAo RTd6BDhwd7ukvJJKlQaVwc1SlywxDqmqVLI8V5ufRbQr5aJaKdtDhN/iK4+Q6A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1712534230; a=rsa-sha256; cv=none; b=RNAXTBzLdZLlQkUEfoROIjb4wz60FgHSz9hMVUT7WMvbMC01JmDN57weQUyJDkoVQK460w JptXG+qzLoCZwlPawDB+QA7SWOVVPSg4t6UnCOyfXSqdzShnWXg+3gxQEPgyuwBtNrs/p4 MdoKSzAPhj/EZ43WGyi+yIMQWdvgE9uFY37CJiLB5K+RHvhrqUu1dPi6jKTr4KwkokS9Kz GubwOMF9Jkmf8eX6xSiRHYOhyKcgvUmr3tVDVaCbSLU50XSRNo+1joXW0uyWiJRryh2INr gXvA8odCfQBMdYkKk8+X84q/C2v01ASLfpeZ+8aHIVKbMuMKO2mlMECg1A4c7Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1712534230; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ML1MgU6nUr64iYiaGIRjd8yR0Ad59ng74job3pAKllY=; b=o76O4UuUnC/Zmds51JWsPTehiokklWayRpCYBk0g6KX0U2SHRYvA+rBcStQuQ1h+pfkH8u hOw5L/speQqsXEngcpafq1tw6E5hkl3FnQppY9s2AMLNALhYMQxP3gwLoLno+D94M4PeNN tZSfzDHMSTX0LJQ54w3SLiubRcwons9OmugRYP+wGdSxgynVY4mDdEYj/LzCn1c+rtk3Ty Ui2TkdR9BH2D9/4xalaY+dpf3NV9mG0rOdvxtRA4UL0cDMtffdQ8ryxjjx2SeTdkJNO94x i47hTIjA78AJtmv4bezEES4bZmkSYD+NmcTlZJE+fcrJIpwK+A3fRKV57nV8Sg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4VCTfZ5Wr6zpPy; Sun, 7 Apr 2024 23:57:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 437NvAqU037524; Sun, 7 Apr 2024 23:57:10 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 437NvA5L037521; Sun, 7 Apr 2024 23:57:10 GMT (envelope-from git) Date: Sun, 7 Apr 2024 23:57:10 GMT Message-Id: <202404072357.437NvA5L037521@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Jake Freeland Subject: git: 0cd9cde767c3 - main - ktrace: Record namei violations with KTR_CAPFAIL List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jfree X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0cd9cde767c32780df9abee7ba9d2a8a51536728 Auto-Submitted: auto-generated The branch main has been updated by jfree: URL: https://cgit.FreeBSD.org/src/commit/?id=0cd9cde767c32780df9abee7ba9d2a8a51536728 commit 0cd9cde767c32780df9abee7ba9d2a8a51536728 Author: Jake Freeland AuthorDate: 2024-04-06 18:31:25 +0000 Commit: Jake Freeland CommitDate: 2024-04-07 23:52:51 +0000 ktrace: Record namei violations with KTR_CAPFAIL Report namei path lookups while Capsicum violation tracing with CAPFAIL_NAMEI. vfs caching is also ignored when tracing to mimic capability mode behavior. Reviewed by: markj Approved by: markj (mentor) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D40680 --- sys/kern/kern_descrip.c | 4 +-- sys/kern/kern_exec.c | 2 ++ sys/kern/uipc_shm.c | 8 +++-- sys/kern/uipc_syscalls.c | 16 ++++++--- sys/kern/vfs_cache.c | 2 +- sys/kern/vfs_lookup.c | 90 ++++++++++++++++++++++++++---------------------- sys/sys/namei.h | 11 +++++- 7 files changed, 81 insertions(+), 52 deletions(-) diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index f626f5a38ca8..ef7aea82a609 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -3054,7 +3054,7 @@ fgetvp_lookup_smr(struct nameidata *ndp, struct vnode **vpp, bool *fsearch) ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL || ndp->ni_filecaps.fc_nioctls != -1) { #ifdef notyet - ndp->ni_lcf |= NI_LCF_STRICTRELATIVE; + ndp->ni_lcf |= NI_LCF_STRICTREL; #else return (EAGAIN); #endif @@ -3146,7 +3146,7 @@ fgetvp_lookup(struct nameidata *ndp, struct vnode **vpp) if (!cap_rights_contains(&ndp->ni_filecaps.fc_rights, &rights) || ndp->ni_filecaps.fc_fcntls != CAP_FCNTL_ALL || ndp->ni_filecaps.fc_nioctls != -1) { - ndp->ni_lcf |= NI_LCF_STRICTRELATIVE; + ndp->ni_lcf |= NI_LCF_STRICTREL; ndp->ni_resflags |= NIRES_STRICTREL; } #endif diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index ae2b624c2659..6727872b5b10 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -454,6 +454,8 @@ do_execve(struct thread *td, struct image_args *args, struct mac *mac_p, interpret: if (args->fname != NULL) { #ifdef CAPABILITY_MODE + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_NAMEI, args->fname); /* * While capability mode can't reach this point via direct * path arguments to execve(), we also don't allow diff --git a/sys/kern/uipc_shm.c b/sys/kern/uipc_shm.c index 13fb0915cdaa..5347378c2b4d 100644 --- a/sys/kern/uipc_shm.c +++ b/sys/kern/uipc_shm.c @@ -1177,8 +1177,12 @@ kern_shm_open2(struct thread *td, const char *userpath, int flags, mode_t mode, /* * shm_open(2) is only allowed for anonymous objects. */ - if (IN_CAPABILITY_MODE(td) && (userpath != SHM_ANON)) - return (ECAPMODE); + if (userpath != SHM_ANON) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_NAMEI, userpath); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } #endif AUDIT_ARG_FFLAGS(flags); diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index b2d03d932b99..58b993dea5f2 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -199,8 +199,12 @@ kern_bindat(struct thread *td, int dirfd, int fd, struct sockaddr *sa) int error; #ifdef CAPABILITY_MODE - if (IN_CAPABILITY_MODE(td) && (dirfd == AT_FDCWD)) - return (ECAPMODE); + if (dirfd == AT_FDCWD) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_NAMEI, "AT_FDCWD"); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } #endif AUDIT_ARG_FD(fd); @@ -468,8 +472,12 @@ kern_connectat(struct thread *td, int dirfd, int fd, struct sockaddr *sa) int error; #ifdef CAPABILITY_MODE - if (IN_CAPABILITY_MODE(td) && (dirfd == AT_FDCWD)) - return (ECAPMODE); + if (dirfd == AT_FDCWD) { + if (CAP_TRACING(td)) + ktrcapfail(CAPFAIL_NAMEI, "AT_FDCWD"); + if (IN_CAPABILITY_MODE(td)) + return (ECAPMODE); + } #endif AUDIT_ARG_FD(fd); diff --git a/sys/kern/vfs_cache.c b/sys/kern/vfs_cache.c index f8626be7bda7..375b682e1f3a 100644 --- a/sys/kern/vfs_cache.c +++ b/sys/kern/vfs_cache.c @@ -4483,7 +4483,7 @@ cache_can_fplookup(struct cache_fpl *fpl) cache_fpl_aborted_early(fpl); return (false); } - if (IN_CAPABILITY_MODE(td)) { + if (IN_CAPABILITY_MODE(td) || CAP_TRACING(td)) { cache_fpl_aborted_early(fpl); return (false); } diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 4104400d77bb..7d708bac607e 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -236,14 +236,17 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) struct mount *mp; if (dp == NULL || dp->v_type != VDIR || (ndp->ni_lcf & - NI_LCF_STRICTRELATIVE) == 0) + NI_LCF_STRICTREL) == 0) return (0); + if (__predict_false((ndp->ni_lcf & (NI_LCF_STRICTREL_KTR | + NI_LCF_CAP_DOTDOT_KTR)) == NI_LCF_STRICTREL_KTR)) + NI_CAP_VIOLATION(ndp, ndp->ni_cnd.cn_pnbuf); if ((ndp->ni_lcf & NI_LCF_CAP_DOTDOT) == 0) return (ENOTCAPABLE); mp = dp->v_mount; if (lookup_cap_dotdot_nonlocal == 0 && mp != NULL && (mp->mnt_flag & MNT_LOCAL) == 0) - return (ENOTCAPABLE); + goto capfail; TAILQ_FOREACH_REVERSE(nt, &ndp->ni_cap_tracker, nameicap_tracker_head, nm_link) { if (dp == nt->dp) { @@ -253,6 +256,10 @@ nameicap_check_dotdot(struct nameidata *ndp, struct vnode *dp) return (0); } } + +capfail: + if (__predict_false((ndp->ni_lcf & NI_LCF_STRICTREL_KTR) != 0)) + NI_CAP_VIOLATION(ndp, ndp->ni_cnd.cn_pnbuf); return (ENOTCAPABLE); } @@ -271,12 +278,12 @@ namei_handle_root(struct nameidata *ndp, struct vnode **dpp) struct componentname *cnp; cnp = &ndp->ni_cnd; - if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0) { -#ifdef KTRACE - if (KTRPOINT(curthread, KTR_CAPFAIL)) - ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); -#endif - return (ENOTCAPABLE); + if (__predict_false((ndp->ni_lcf & (NI_LCF_STRICTREL | + NI_LCF_STRICTREL_KTR)) != 0)) { + if ((ndp->ni_lcf & NI_LCF_STRICTREL_KTR) != 0) + NI_CAP_VIOLATION(ndp, cnp->cn_pnbuf); + if ((ndp->ni_lcf & NI_LCF_STRICTREL) != 0) + return (ENOTCAPABLE); } while (*(cnp->cn_nameptr) == '/') { cnp->cn_nameptr++; @@ -317,15 +324,17 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp) * previously walked by us, which prevents an escape from * the relative root. */ - if (IN_CAPABILITY_MODE(td) && (cnp->cn_flags & NOCAPCHECK) == 0) { - ndp->ni_lcf |= NI_LCF_STRICTRELATIVE; - ndp->ni_resflags |= NIRES_STRICTREL; - if (ndp->ni_dirfd == AT_FDCWD) { -#ifdef KTRACE - if (KTRPOINT(td, KTR_CAPFAIL)) - ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); -#endif - return (ECAPMODE); + if ((cnp->cn_flags & NOCAPCHECK) == 0) { + if (CAP_TRACING(td)) { + ndp->ni_lcf |= NI_LCF_STRICTREL_KTR; + if (ndp->ni_dirfd == AT_FDCWD) + NI_CAP_VIOLATION(ndp, "AT_FDCWD"); + } + if (IN_CAPABILITY_MODE(td)) { + ndp->ni_lcf |= NI_LCF_STRICTREL; + ndp->ni_resflags |= NIRES_STRICTREL; + if (ndp->ni_dirfd == AT_FDCWD) + return (ECAPMODE); } } #endif @@ -368,8 +377,8 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp) if (error == 0 && (cnp->cn_flags & RBENEATH) != 0) { if (cnp->cn_pnbuf[0] == '/') { error = ENOTCAPABLE; - } else if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0) { - ndp->ni_lcf |= NI_LCF_STRICTRELATIVE | + } else if ((ndp->ni_lcf & NI_LCF_STRICTREL) == 0) { + ndp->ni_lcf |= NI_LCF_STRICTREL | NI_LCF_CAP_DOTDOT; } } @@ -391,9 +400,12 @@ namei_setup(struct nameidata *ndp, struct vnode **dpp, struct pwd **pwdp) pwd_drop(pwd); return (error); } - if ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 && - lookup_cap_dotdot != 0) - ndp->ni_lcf |= NI_LCF_CAP_DOTDOT; + if (lookup_cap_dotdot != 0) { + if ((ndp->ni_lcf & NI_LCF_STRICTREL_KTR) != 0) + ndp->ni_lcf |= NI_LCF_CAP_DOTDOT_KTR; + if ((ndp->ni_lcf & NI_LCF_STRICTREL) != 0) + ndp->ni_lcf |= NI_LCF_CAP_DOTDOT; + } SDT_PROBE4(vfs, namei, lookup, entry, *dpp, cnp->cn_pnbuf, cnp->cn_flags, false); *pwdp = pwd; @@ -1168,12 +1180,11 @@ dirloop: * result of dotdot lookup. */ if (cnp->cn_flags & ISDOTDOT) { - if ((ndp->ni_lcf & (NI_LCF_STRICTRELATIVE | NI_LCF_CAP_DOTDOT)) - == NI_LCF_STRICTRELATIVE) { -#ifdef KTRACE - if (KTRPOINT(curthread, KTR_CAPFAIL)) - ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); -#endif + if (__predict_false((ndp->ni_lcf & (NI_LCF_STRICTREL_KTR | + NI_LCF_CAP_DOTDOT_KTR)) == NI_LCF_STRICTREL_KTR)) + NI_CAP_VIOLATION(ndp, cnp->cn_pnbuf); + if (__predict_false((ndp->ni_lcf & (NI_LCF_STRICTREL | + NI_LCF_CAP_DOTDOT)) == NI_LCF_STRICTREL)) { error = ENOTCAPABLE; goto bad; } @@ -1190,10 +1201,14 @@ dirloop: bool isroot = dp == ndp->ni_rootdir || dp == ndp->ni_topdir || dp == rootvnode || pr != NULL; - if (isroot && (ndp->ni_lcf & - NI_LCF_STRICTRELATIVE) != 0) { - error = ENOTCAPABLE; - goto capdotdot; + if (__predict_false(isroot && (ndp->ni_lcf & + (NI_LCF_STRICTREL | NI_LCF_STRICTREL_KTR)) != 0)) { + if ((ndp->ni_lcf & NI_LCF_STRICTREL_KTR) != 0) + NI_CAP_VIOLATION(ndp, cnp->cn_pnbuf); + if ((ndp->ni_lcf & NI_LCF_STRICTREL) != 0) { + error = ENOTCAPABLE; + goto capdotdot; + } } if (isroot || ((dp->v_vflag & VV_ROOT) != 0 && (cnp->cn_flags & NOCROSSMOUNT) != 0)) { @@ -1218,10 +1233,6 @@ dirloop: error = nameicap_check_dotdot(ndp, dp); if (error != 0) { capdotdot: -#ifdef KTRACE - if (KTRPOINT(curthread, KTR_CAPFAIL)) - ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); -#endif goto bad; } } @@ -1374,13 +1385,8 @@ nextname: } if (cnp->cn_flags & ISDOTDOT) { error = nameicap_check_dotdot(ndp, ndp->ni_vp); - if (error != 0) { -#ifdef KTRACE - if (KTRPOINT(curthread, KTR_CAPFAIL)) - ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); -#endif + if (error != 0) goto bad2; - } } if (*ndp->ni_next == '/') { cnp->cn_nameptr = ndp->ni_next; diff --git a/sys/sys/namei.h b/sys/sys/namei.h index 1b84bc1df488..cb69fc96b112 100644 --- a/sys/sys/namei.h +++ b/sys/sys/namei.h @@ -196,8 +196,17 @@ int cache_fplookup(struct nameidata *ndp, enum cache_fpl_status *status, /* * Flags in ni_lcf, valid for the duration of the namei call. */ -#define NI_LCF_STRICTRELATIVE 0x0001 /* relative lookup only */ +#define NI_LCF_STRICTREL 0x0001 /* relative lookup only */ #define NI_LCF_CAP_DOTDOT 0x0002 /* ".." in strictrelative case */ +/* Track capability restrictions seperately for violation ktracing. */ +#define NI_LCF_STRICTREL_KTR 0x0004 /* trace relative lookups */ +#define NI_LCF_CAP_DOTDOT_KTR 0x0008 /* ".." in strictrelative case */ +#define NI_LCF_KTR_FLAGS (NI_LCF_STRICTREL_KTR | NI_LCF_CAP_DOTDOT_KTR) + +#define NI_CAP_VIOLATION(ndp, path) do { \ + ktrcapfail(CAPFAIL_NAMEI, (path)); \ + (ndp)->ni_lcf &= ~NI_LCF_KTR_FLAGS; \ +} while (0) /* * Initialization of a nameidata structure.