From: David Drysdale <drysdale@google.com> To: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Meredydd Luff <meredydd@senatehouse.org>, Kees Cook <keescook@chromium.org>, James Morris <james.l.morris@oracle.com>, Andy Lutomirski <luto@amacapital.net>, Paolo Bonzini <pbonzini@redhat.com>, Paul Moore <paul@paul-moore.com>, Christoph Hellwig <hch@infradead.org>, linux-api@vger.kernel.org, David Drysdale <drysdale@google.com> Subject: [PATCH 09/11] capsicum: add syscalls to limit FD rights Date: Fri, 25 Jul 2014 14:47:05 +0100 [thread overview] Message-ID: <1406296033-32693-10-git-send-email-drysdale@google.com> (raw) In-Reply-To: <1406296033-32693-1-git-send-email-drysdale@google.com> Add the cap_rights_get(2) and cap_rights_set(2) syscalls to allow retrieval and modification of the rights associated with a file descriptor. When a normal file descriptor has its rights restricted in any way, it becomes a Capsicum capability file descriptor. This is a wrapper struct file that is installed in the fdtable in place of the original file. From this point on, when the FD is converted to a struct file by fget() (or equivalent), the wrapper is checked for the appropriate rights and the wrapped inner normal file is returned. When a Capsicum capability file descriptor has its rights restricted further (they cannot be expanded), a new wrapper is created with the restricted rights, also wrapping the same inner normal file. In other words, the .underlying field in a struct capsicum_capability is always a normal file, never another Capsicum capability file. These syscalls specify the different components of the compound rights structure separately, allowing components to be unspecified for no change. Note that in FreeBSD 10.x the function of this pair of syscalls is implemented as 3 distinct pairs of syscalls, one pair for each component of the compound rights (primary/fcntl/ioctl). Signed-off-by: David Drysdale <drysdale@google.com> --- arch/x86/syscalls/syscall_64.tbl | 2 + include/linux/syscalls.h | 12 ++++ kernel/sys_ni.c | 4 ++ security/capsicum.c | 146 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 164 insertions(+) diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl index ec255a1646d2..d980d2b8bfad 100644 --- a/arch/x86/syscalls/syscall_64.tbl +++ b/arch/x86/syscalls/syscall_64.tbl @@ -323,6 +323,8 @@ 314 common sched_setattr sys_sched_setattr 315 common sched_getattr sys_sched_getattr 316 common renameat2 sys_renameat2 +318 common cap_rights_limit sys_cap_rights_limit +319 common cap_rights_get sys_cap_rights_get # # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index b0881a0ed322..d754f0846037 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -65,6 +65,7 @@ struct old_linux_dirent; struct perf_event_attr; struct file_handle; struct sigaltstack; +struct cap_rights; #include <linux/types.h> #include <linux/aio_abi.h> @@ -866,4 +867,15 @@ asmlinkage long sys_process_vm_writev(pid_t pid, asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2); asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags); +asmlinkage long sys_cap_rights_limit(unsigned int orig_fd, + const struct cap_rights __user *new_rights, + unsigned int fcntls, + int nioctls, + unsigned int __user *ioctls); +asmlinkage long sys_cap_rights_get(unsigned int fd, + struct cap_rights __user *rightsp, + unsigned int __user *fcntls, + int __user *nioctls, + unsigned int __user *ioctls); + #endif diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 36441b51b5df..ef634cb1bc6c 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -213,3 +213,7 @@ cond_syscall(compat_sys_open_by_handle_at); /* compare kernel pointers */ cond_syscall(sys_kcmp); + +/* capsicum object capabilities */ +cond_syscall(sys_cap_rights_get); +cond_syscall(sys_cap_rights_limit); diff --git a/security/capsicum.c b/security/capsicum.c index 4a004829b9c8..42c14bab4b64 100644 --- a/security/capsicum.c +++ b/security/capsicum.c @@ -125,6 +125,152 @@ out_err: return ERR_PTR(err); } +/* Takes ownership of rights->ioctls */ +static int capsicum_rights_limit(unsigned int fd, + struct capsicum_rights *rights) +{ + int rc = -EBADF; + struct capsicum_capability *cap; + struct file *capf = NULL; + struct file *file; /* current file for fd */ + struct file *underlying; /* base file for capability */ + struct files_struct *files = current->files; + struct fdtable *fdt; + + /* Allocate capability before taking files->file_lock */ + capf = capsicum_cap_alloc(rights, true); + rights->ioctls = NULL; /* capsicum_cap_alloc took ownership */ + if (IS_ERR(capf)) + return PTR_ERR(capf); + cap = capf->private_data; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_err; + file = fdt->fd[fd]; + if (!file) + goto out_err; + + /* If we're limiting an existing Capsicum capability object, ensure + * we wrap its underlying normal file. */ + if (capsicum_is_cap(file)) { + struct capsicum_capability *old_cap = file->private_data; + /* Reject attempts to widen existing rights */ + if (!cap_rights_contains(&old_cap->rights, &cap->rights)) { + rc = -ENOTCAPABLE; + goto out_err; + } + underlying = old_cap->underlying; + } else { + underlying = file; + } + if (!atomic_long_inc_not_zero(&underlying->f_count)) { + rc = -EBADF; + goto out_err; + } + cap->underlying = underlying; + + fput(file); + rcu_assign_pointer(fdt->fd[fd], capf); + spin_unlock(&files->file_lock); + return 0; +out_err: + spin_unlock(&files->file_lock); + fput(capf); + return rc; +} + +SYSCALL_DEFINE5(cap_rights_limit, + unsigned int, fd, + const struct cap_rights __user *, new_rights, + unsigned int, new_fcntls, + int, nioctls, + unsigned int __user *, new_ioctls) +{ + struct capsicum_rights rights; + + if (!new_rights) + return -EFAULT; + if (nioctls < 0 && nioctls != -1) + return -EINVAL; + if (copy_from_user(&rights.primary, new_rights, + sizeof(struct cap_rights))) + return -EFAULT; + rights.fcntls = new_fcntls; + rights.nioctls = nioctls; + if (rights.nioctls > 0) { + size_t size; + + if (!new_ioctls) + return -EINVAL; + size = rights.nioctls * sizeof(unsigned int); + rights.ioctls = kmalloc(size, GFP_KERNEL); + if (!rights.ioctls) + return -ENOMEM; + if (copy_from_user(rights.ioctls, new_ioctls, size)) { + kfree(rights.ioctls); + return -EFAULT; + } + } else { + rights.ioctls = NULL; + } + if (cap_rights_regularize(&rights)) + return -ENOTCAPABLE; + + return capsicum_rights_limit(fd, &rights); +} + +SYSCALL_DEFINE5(cap_rights_get, + unsigned int, fd, + struct cap_rights __user *, rightsp, + unsigned int __user *, fcntls, + int __user *, nioctls, + unsigned int __user *, ioctls) +{ + int result = -EFAULT; + struct file *file; + struct capsicum_rights *rights = &all_rights; + int ioctls_to_copy = -1; + + file = fget_raw(fd); + if (file == NULL) + return -EBADF; + if (capsicum_is_cap(file)) { + struct capsicum_capability *cap = file->private_data; + + rights = &cap->rights; + } + + if (rightsp) { + if (copy_to_user(rightsp, &rights->primary, + sizeof(struct cap_rights))) + goto out; + } + if (fcntls) { + if (put_user(rights->fcntls, fcntls)) + goto out; + } + if (nioctls) { + int n; + + if (get_user(n, nioctls)) + goto out; + if (put_user(rights->nioctls, nioctls)) + goto out; + ioctls_to_copy = min(rights->nioctls, n); + } + if (ioctls && ioctls_to_copy > 0) { + if (copy_to_user(ioctls, rights->ioctls, + ioctls_to_copy * sizeof(unsigned int))) + goto out; + } + result = 0; +out: + fput(file); + return result; +} + /* * File operations functions. */ -- 2.0.0.526.g5318336
WARNING: multiple messages have this Message-ID (diff)
From: David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> To: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org> Cc: Alexander Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>, Meredydd Luff <meredydd-zPN50pYk8eUaUu29zAJCuw@public.gmane.org>, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, James Morris <james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>, Paolo Bonzini <pbonzini-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>, Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> Subject: [PATCH 09/11] capsicum: add syscalls to limit FD rights Date: Fri, 25 Jul 2014 14:47:05 +0100 [thread overview] Message-ID: <1406296033-32693-10-git-send-email-drysdale@google.com> (raw) In-Reply-To: <1406296033-32693-1-git-send-email-drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> Add the cap_rights_get(2) and cap_rights_set(2) syscalls to allow retrieval and modification of the rights associated with a file descriptor. When a normal file descriptor has its rights restricted in any way, it becomes a Capsicum capability file descriptor. This is a wrapper struct file that is installed in the fdtable in place of the original file. From this point on, when the FD is converted to a struct file by fget() (or equivalent), the wrapper is checked for the appropriate rights and the wrapped inner normal file is returned. When a Capsicum capability file descriptor has its rights restricted further (they cannot be expanded), a new wrapper is created with the restricted rights, also wrapping the same inner normal file. In other words, the .underlying field in a struct capsicum_capability is always a normal file, never another Capsicum capability file. These syscalls specify the different components of the compound rights structure separately, allowing components to be unspecified for no change. Note that in FreeBSD 10.x the function of this pair of syscalls is implemented as 3 distinct pairs of syscalls, one pair for each component of the compound rights (primary/fcntl/ioctl). Signed-off-by: David Drysdale <drysdale-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> --- arch/x86/syscalls/syscall_64.tbl | 2 + include/linux/syscalls.h | 12 ++++ kernel/sys_ni.c | 4 ++ security/capsicum.c | 146 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 164 insertions(+) diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl index ec255a1646d2..d980d2b8bfad 100644 --- a/arch/x86/syscalls/syscall_64.tbl +++ b/arch/x86/syscalls/syscall_64.tbl @@ -323,6 +323,8 @@ 314 common sched_setattr sys_sched_setattr 315 common sched_getattr sys_sched_getattr 316 common renameat2 sys_renameat2 +318 common cap_rights_limit sys_cap_rights_limit +319 common cap_rights_get sys_cap_rights_get # # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index b0881a0ed322..d754f0846037 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -65,6 +65,7 @@ struct old_linux_dirent; struct perf_event_attr; struct file_handle; struct sigaltstack; +struct cap_rights; #include <linux/types.h> #include <linux/aio_abi.h> @@ -866,4 +867,15 @@ asmlinkage long sys_process_vm_writev(pid_t pid, asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2); asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags); +asmlinkage long sys_cap_rights_limit(unsigned int orig_fd, + const struct cap_rights __user *new_rights, + unsigned int fcntls, + int nioctls, + unsigned int __user *ioctls); +asmlinkage long sys_cap_rights_get(unsigned int fd, + struct cap_rights __user *rightsp, + unsigned int __user *fcntls, + int __user *nioctls, + unsigned int __user *ioctls); + #endif diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 36441b51b5df..ef634cb1bc6c 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -213,3 +213,7 @@ cond_syscall(compat_sys_open_by_handle_at); /* compare kernel pointers */ cond_syscall(sys_kcmp); + +/* capsicum object capabilities */ +cond_syscall(sys_cap_rights_get); +cond_syscall(sys_cap_rights_limit); diff --git a/security/capsicum.c b/security/capsicum.c index 4a004829b9c8..42c14bab4b64 100644 --- a/security/capsicum.c +++ b/security/capsicum.c @@ -125,6 +125,152 @@ out_err: return ERR_PTR(err); } +/* Takes ownership of rights->ioctls */ +static int capsicum_rights_limit(unsigned int fd, + struct capsicum_rights *rights) +{ + int rc = -EBADF; + struct capsicum_capability *cap; + struct file *capf = NULL; + struct file *file; /* current file for fd */ + struct file *underlying; /* base file for capability */ + struct files_struct *files = current->files; + struct fdtable *fdt; + + /* Allocate capability before taking files->file_lock */ + capf = capsicum_cap_alloc(rights, true); + rights->ioctls = NULL; /* capsicum_cap_alloc took ownership */ + if (IS_ERR(capf)) + return PTR_ERR(capf); + cap = capf->private_data; + + spin_lock(&files->file_lock); + fdt = files_fdtable(files); + if (fd >= fdt->max_fds) + goto out_err; + file = fdt->fd[fd]; + if (!file) + goto out_err; + + /* If we're limiting an existing Capsicum capability object, ensure + * we wrap its underlying normal file. */ + if (capsicum_is_cap(file)) { + struct capsicum_capability *old_cap = file->private_data; + /* Reject attempts to widen existing rights */ + if (!cap_rights_contains(&old_cap->rights, &cap->rights)) { + rc = -ENOTCAPABLE; + goto out_err; + } + underlying = old_cap->underlying; + } else { + underlying = file; + } + if (!atomic_long_inc_not_zero(&underlying->f_count)) { + rc = -EBADF; + goto out_err; + } + cap->underlying = underlying; + + fput(file); + rcu_assign_pointer(fdt->fd[fd], capf); + spin_unlock(&files->file_lock); + return 0; +out_err: + spin_unlock(&files->file_lock); + fput(capf); + return rc; +} + +SYSCALL_DEFINE5(cap_rights_limit, + unsigned int, fd, + const struct cap_rights __user *, new_rights, + unsigned int, new_fcntls, + int, nioctls, + unsigned int __user *, new_ioctls) +{ + struct capsicum_rights rights; + + if (!new_rights) + return -EFAULT; + if (nioctls < 0 && nioctls != -1) + return -EINVAL; + if (copy_from_user(&rights.primary, new_rights, + sizeof(struct cap_rights))) + return -EFAULT; + rights.fcntls = new_fcntls; + rights.nioctls = nioctls; + if (rights.nioctls > 0) { + size_t size; + + if (!new_ioctls) + return -EINVAL; + size = rights.nioctls * sizeof(unsigned int); + rights.ioctls = kmalloc(size, GFP_KERNEL); + if (!rights.ioctls) + return -ENOMEM; + if (copy_from_user(rights.ioctls, new_ioctls, size)) { + kfree(rights.ioctls); + return -EFAULT; + } + } else { + rights.ioctls = NULL; + } + if (cap_rights_regularize(&rights)) + return -ENOTCAPABLE; + + return capsicum_rights_limit(fd, &rights); +} + +SYSCALL_DEFINE5(cap_rights_get, + unsigned int, fd, + struct cap_rights __user *, rightsp, + unsigned int __user *, fcntls, + int __user *, nioctls, + unsigned int __user *, ioctls) +{ + int result = -EFAULT; + struct file *file; + struct capsicum_rights *rights = &all_rights; + int ioctls_to_copy = -1; + + file = fget_raw(fd); + if (file == NULL) + return -EBADF; + if (capsicum_is_cap(file)) { + struct capsicum_capability *cap = file->private_data; + + rights = &cap->rights; + } + + if (rightsp) { + if (copy_to_user(rightsp, &rights->primary, + sizeof(struct cap_rights))) + goto out; + } + if (fcntls) { + if (put_user(rights->fcntls, fcntls)) + goto out; + } + if (nioctls) { + int n; + + if (get_user(n, nioctls)) + goto out; + if (put_user(rights->nioctls, nioctls)) + goto out; + ioctls_to_copy = min(rights->nioctls, n); + } + if (ioctls && ioctls_to_copy > 0) { + if (copy_to_user(ioctls, rights->ioctls, + ioctls_to_copy * sizeof(unsigned int))) + goto out; + } + result = 0; +out: + fput(file); + return result; +} + /* * File operations functions. */ -- 2.0.0.526.g5318336
next prev parent reply other threads:[~2014-07-25 13:51 UTC|newest] Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-07-25 13:46 [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework David Drysdale 2014-07-25 13:46 ` [PATCH 01/11] fs: add O_BENEATH flag to openat(2) David Drysdale 2014-07-25 13:46 ` [PATCH 02/11] selftests: Add test of O_BENEATH & openat(2) David Drysdale 2014-07-25 13:46 ` [PATCH 03/11] capsicum: rights values and structure definitions David Drysdale 2014-07-25 13:47 ` [PATCH 04/11] capsicum: implement fgetr() and friends David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 13:47 ` [PATCH 05/11] capsicum: convert callers to use fgetr() etc David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 13:47 ` [PATCH 06/11] capsicum: implement sockfd_lookupr() David Drysdale 2014-07-25 13:47 ` [PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc David Drysdale 2014-07-25 13:47 ` [PATCH 08/11] capsicum: invoke Capsicum on FD/file conversion David Drysdale 2014-07-25 13:47 ` David Drysdale [this message] 2014-07-25 13:47 ` [PATCH 09/11] capsicum: add syscalls to limit FD rights David Drysdale 2014-07-25 13:47 ` [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-25 14:01 ` Paolo Bonzini 2014-07-25 16:00 ` Andy Lutomirski 2014-07-27 12:08 ` David Drysdale 2014-07-25 13:47 ` [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data David Drysdale 2014-07-25 15:59 ` Andy Lutomirski 2014-07-25 17:10 ` Kees Cook 2014-07-25 17:18 ` Andy Lutomirski 2014-07-25 17:38 ` Kees Cook 2014-07-25 18:24 ` Julien Tinnes 2014-07-25 18:24 ` Julien Tinnes [not found] ` <CAKyRK=j-f92xHTL3+TNr9WOv_y47dkZR=WZkpY_a5YW3Q8HfaQ@mail.gmail.com> 2014-07-25 18:32 ` Andy Lutomirski 2014-07-27 12:10 ` David Drysdale 2014-07-27 12:10 ` David Drysdale 2014-07-27 12:09 ` David Drysdale 2014-07-28 21:18 ` Eric W. Biederman 2014-07-28 21:18 ` Eric W. Biederman 2014-07-30 4:05 ` Andy Lutomirski 2014-07-30 4:05 ` Andy Lutomirski 2014-07-30 4:08 ` Eric W. Biederman 2014-07-30 4:08 ` Eric W. Biederman 2014-07-30 4:35 ` Andy Lutomirski [not found] ` <8761ifie81.fsf@x220.int.ebiederm.org> 2014-07-30 14:52 ` Andy Lutomirski 2014-07-30 14:52 ` Andy Lutomirski 2014-07-25 13:47 ` [PATCH 1/6] open.2: describe O_BENEATH flag David Drysdale 2014-07-25 13:47 ` [PATCH 2/6] capsicum.7: describe Capsicum capability framework David Drysdale 2014-07-25 13:47 ` [PATCH 3/6] rights.7: Describe Capsicum primary rights David Drysdale 2014-07-25 13:47 ` [PATCH 4/6] cap_rights_limit.2: limit FD rights for Capsicum David Drysdale 2014-07-25 13:47 ` [PATCH 5/6] cap_rights_get.2: retrieve Capsicum fd rights David Drysdale 2014-07-25 13:47 ` [PATCH 6/6] prctl.2: describe PR_SET_OPENAT_BENEATH/PR_GET_OPENAT_BENEATH David Drysdale 2014-07-25 13:47 ` David Drysdale 2014-07-26 21:04 ` [RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework Eric W. Biederman 2014-07-26 21:04 ` Eric W. Biederman 2014-07-28 12:30 ` Paolo Bonzini 2014-07-28 12:30 ` Paolo Bonzini 2014-07-28 16:04 ` David Drysdale 2014-07-28 21:13 ` Eric W. Biederman 2014-07-28 21:13 ` Eric W. Biederman 2014-07-29 8:43 ` Paolo Bonzini 2014-07-29 8:43 ` Paolo Bonzini 2014-07-29 10:58 ` David Drysdale 2014-07-30 6:22 ` Eric W. Biederman 2014-07-30 6:22 ` Eric W. Biederman 2014-07-30 14:51 ` Andy Lutomirski
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1406296033-32693-10-git-send-email-drysdale@google.com \ --to=drysdale@google.com \ --cc=gregkh@linuxfoundation.org \ --cc=hch@infradead.org \ --cc=james.l.morris@oracle.com \ --cc=keescook@chromium.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=meredydd@senatehouse.org \ --cc=paul@paul-moore.com \ --cc=pbonzini@redhat.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.