svn commit: r219129 - in head/sys: compat/freebsd32 conf kern sys

Robert Watson rwatson at FreeBSD.org
Tue Mar 1 13:23:37 UTC 2011 

Author: rwatson
Date: Tue Mar  1 13:23:37 2011
New Revision: 219129
URL: http://svn.freebsd.org/changeset/base/219129

Log:
  Add initial support for Capsicum's Capability Mode to the FreeBSD kernel,
  compiled conditionally on options CAPABILITIES:
  
  Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a
  subject (typically a process) is in capability mode.
  
  Add two new system calls, cap_enter(2) and cap_getmode(2), which allow
  setting and querying (but never clearing) the flag.
  
  Export the capability mode flag via process information sysctls.
  
  Sponsored by:	Google, Inc.
  Reviewed by:	anderson
  Discussed with:	benl, kris, pjd
  Obtained from:	Capsicum Project
  MFC after:	3 months

Added:
  head/sys/kern/sys_capability.c   (contents, props changed)
Modified:
  head/sys/compat/freebsd32/syscalls.master
  head/sys/conf/NOTES
  head/sys/conf/options
  head/sys/kern/kern_proc.c
  head/sys/kern/syscalls.master
  head/sys/sys/ucred.h
  head/sys/sys/user.h

Modified: head/sys/compat/freebsd32/syscalls.master
==============================================================================
--- head/sys/compat/freebsd32/syscalls.master	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/compat/freebsd32/syscalls.master	Tue Mar  1 13:23:37 2011	(r219129)
@@ -952,8 +952,8 @@
 513	AUE_LPATHCONF	NOPROTO	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	NOPROTO	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	NOPROTO	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid

Modified: head/sys/conf/NOTES
==============================================================================
--- head/sys/conf/NOTES	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/conf/NOTES	Tue Mar  1 13:23:37 2011	(r219129)
@@ -1157,6 +1157,9 @@ options 	MAC_SEEOTHERUIDS
 options 	MAC_STUB
 options 	MAC_TEST
 
+# Support for Capsicum
+options 	CAPABILIITES
+
 
 #####################################################################
 # CLOCK OPTIONS

Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/conf/options	Tue Mar  1 13:23:37 2011	(r219129)
@@ -63,6 +63,7 @@ SYSCTL_DEBUG	opt_sysctl.h
 ADAPTIVE_LOCKMGRS
 ALQ
 AUDIT		opt_global.h
+CAPABILITIES	opt_capabilities.h
 CODA_COMPAT_5	opt_coda.h
 COMPAT_43	opt_compat.h
 COMPAT_43TTY	opt_compat.h

Modified: head/sys/kern/kern_proc.c
==============================================================================
--- head/sys/kern/kern_proc.c	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/kern/kern_proc.c	Tue Mar  1 13:23:37 2011	(r219129)
@@ -725,7 +725,9 @@ fill_kinfo_proc_only(struct proc *p, str
 		kp->ki_uid = cred->cr_uid;
 		kp->ki_ruid = cred->cr_ruid;
 		kp->ki_svuid = cred->cr_svuid;
-		kp->ki_cr_flags = cred->cr_flags;
+		kp->ki_cr_flags = 0;
+		if (cred->cr_flags & CRED_FLAG_CAPMODE)
+			kp->ki_cr_flags |= KI_CRF_CAPABILITY_MODE;
 		/* XXX bde doesn't like KI_NGROUPS */
 		if (cred->cr_ngroups > KI_NGROUPS) {
 			kp->ki_ngroups = KI_NGROUPS;

Added: head/sys/kern/sys_capability.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sys/kern/sys_capability.c	Tue Mar  1 13:23:37 2011	(r219129)
@@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2008-2011 Robert N. M. Watson
+ * Copyright (c) 2010-2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FreeBSD kernel capability facility.
+ *
+ * Currently, this file implements only capability mode; capabilities
+ * (rights-refined file descriptors) will follow.
+ *
+ */
+
+#include "opt_capabilities.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/capability.h>
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/proc.h>
+#include <sys/sysproto.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+
+#include <security/audit/audit.h>
+
+#include <vm/uma.h>
+#include <vm/vm.h>
+
+#ifdef CAPABILITIES
+
+/*
+ * We don't currently have any MIB entries for sysctls, but we do expose
+ * security.capabilities so that it's easy to tell if options CAPABILITIES is
+ * compiled into the kernel.
+ */
+SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0, "Capsicum");
+
+/*
+ * System call to enter capability mode for the process.
+ */
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+	struct ucred *newcred, *oldcred;
+	struct proc *p;
+
+	if (IN_CAPABILITY_MODE(td))
+		return (0);
+
+	newcred = crget();
+	p = td->td_proc;
+	PROC_LOCK(p);
+	oldcred = p->p_ucred;
+	crcopy(newcred, oldcred);
+	newcred->cr_flags |= CRED_FLAG_CAPMODE;
+	p->p_ucred = newcred;
+	PROC_UNLOCK(p);
+	crfree(oldcred);
+	return (0);
+}
+
+/*
+ * System call to query whether the process is in capability mode.
+ */
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+	u_int i;
+
+	i = (IN_CAPABILITY_MODE(td)) ? 1 : 0;
+	return (copyout(&i, uap->modep, sizeof(i)));
+}
+
+#else /* !CAPABILITIES */
+
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+
+	return (ENOSYS);
+}
+
+#endif /* CAPABILITIES */

Modified: head/sys/kern/syscalls.master
==============================================================================
--- head/sys/kern/syscalls.master	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/kern/syscalls.master	Tue Mar  1 13:23:37 2011	(r219129)
@@ -916,8 +916,8 @@
 513	AUE_LPATHCONF	STD	{ int lpathconf(char *path, int name); }
 514	AUE_CAP_NEW	UNIMPL	cap_new
 515	AUE_CAP_GETRIGHTS	UNIMPL	cap_getrights
-516	AUE_CAP_ENTER	UNIMPL	cap_enter
-517	AUE_CAP_GETMODE	UNIMPL	cap_getmode
+516	AUE_CAP_ENTER	STD	{ int cap_enter(void); }
+517	AUE_CAP_GETMODE	STD	{ int cap_getmode(u_int *modep); }
 518	AUE_PDFORK	UNIMPL	pdfork
 519	AUE_PDKILL	UNIMPL	pdkill
 520	AUE_PDGETPID	UNIMPL	pdgetpid

Modified: head/sys/sys/ucred.h
==============================================================================
--- head/sys/sys/ucred.h	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/sys/ucred.h	Tue Mar  1 13:23:37 2011	(r219129)
@@ -70,6 +70,11 @@ struct ucred {
 #define	XU_NGROUPS	16
 
 /*
+ * Flags for cr_flags.
+ */
+#define	CRED_FLAG_CAPMODE	0x00000001	/* In capability mode. */
+
+/*
  * This is the external representation of struct ucred.
  */
 struct xucred {

Modified: head/sys/sys/user.h
==============================================================================
--- head/sys/sys/user.h	Tue Mar  1 13:14:28 2011	(r219128)
+++ head/sys/sys/user.h	Tue Mar  1 13:23:37 2011	(r219129)
@@ -101,9 +101,11 @@
 #define KI_NGROUPS	16		/* number of groups in ki_groups */
 #define	LOGNAMELEN	17		/* size of returned ki_login */
 
+/* Flags for the process credential. */
+#define	KI_CRF_CAPABILITY_MODE	0x00000001
 /*
- * Steal a bit from ki_cr_flags (cr_flags is never used) to indicate
- * that the cred had more than KI_NGROUPS groups.
+ * Steal a bit from ki_cr_flags to indicate that the cred had more than
+ * KI_NGROUPS groups.
  */
 #define KI_CRF_GRP_OVERFLOW	0x80000000

More information about the svn-src-all mailing list