1 /*- 2 * Copyright (c) 2008-2010 Robert N. M. Watson 3 * All rights reserved. 4 * 5 * This software was developed at the University of Cambridge Computer 6 * Laboratory with support from a grant from Google, Inc. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $FreeBSD: stable/9/sys/sys/capability.h 224987 2011-08-18 22:51:30Z jonathan $ 30 */ 31 32 /* 33 * Definitions for FreeBSD capabilities facility. 34 */ 35 #ifndef _SYS_CAPABILITY_H_ 36 #define _SYS_CAPABILITY_H_ 37 38 #include <sys/cdefs.h> 39 #include <sys/types.h> 40 41 #include <sys/file.h> 42 43 /* 44 * Possible rights on capabilities. 45 * 46 * Notes: 47 * Some system calls don't require a capability in order to perform an 48 * operation on an fd. These include: close, dup, dup2. 49 * 50 * sendfile is authorized using CAP_READ on the file and CAP_WRITE on the 51 * socket. 52 * 53 * mmap() and aio*() system calls will need special attention as they may 54 * involve reads or writes depending a great deal on context. 55 */ 56 57 /* General file I/O. */ 58 #define CAP_READ 0x0000000000000001ULL /* read/recv */ 59 #define CAP_WRITE 0x0000000000000002ULL /* write/send */ 60 #define CAP_MMAP 0x0000000000000004ULL /* mmap */ 61 #define CAP_MAPEXEC 0x0000000000000008ULL /* mmap(2) as exec */ 62 #define CAP_FEXECVE 0x0000000000000010ULL 63 #define CAP_FSYNC 0x0000000000000020ULL 64 #define CAP_FTRUNCATE 0x0000000000000040ULL 65 #define CAP_SEEK 0x0000000000000080ULL 66 67 /* VFS methods. */ 68 #define CAP_FCHFLAGS 0x0000000000000100ULL 69 #define CAP_FCHDIR 0x0000000000000200ULL 70 #define CAP_FCHMOD 0x0000000000000400ULL 71 #define CAP_FCHOWN 0x0000000000000800ULL 72 #define CAP_FCNTL 0x0000000000001000ULL 73 #define CAP_FPATHCONF 0x0000000000002000ULL 74 #define CAP_FLOCK 0x0000000000004000ULL 75 #define CAP_FSCK 0x0000000000008000ULL 76 #define CAP_FSTAT 0x0000000000010000ULL 77 #define CAP_FSTATFS 0x0000000000020000ULL 78 #define CAP_FUTIMES 0x0000000000040000ULL 79 #define CAP_CREATE 0x0000000000080000ULL 80 #define CAP_DELETE 0x0000000000100000ULL 81 #define CAP_MKDIR 0x0000000000200000ULL 82 #define CAP_RMDIR 0x0000000000400000ULL 83 #define CAP_MKFIFO 0x0000000000800000ULL 84 85 /* Lookups - used to constrain *at() calls. */ 86 #define CAP_LOOKUP 0x0000000001000000ULL 87 88 /* Extended attributes. */ 89 #define CAP_EXTATTR_DELETE 0x0000000002000000ULL 90 #define CAP_EXTATTR_GET 0x0000000004000000ULL 91 #define CAP_EXTATTR_LIST 0x0000000008000000ULL 92 #define CAP_EXTATTR_SET 0x0000000010000000ULL 93 94 /* Access Control Lists. */ 95 #define CAP_ACL_CHECK 0x0000000020000000ULL 96 #define CAP_ACL_DELETE 0x0000000040000000ULL 97 #define CAP_ACL_GET 0x0000000080000000ULL 98 #define CAP_ACL_SET 0x0000000100000000ULL 99 100 /* Socket operations. */ 101 #define CAP_ACCEPT 0x0000000200000000ULL 102 #define CAP_BIND 0x0000000400000000ULL 103 #define CAP_CONNECT 0x0000000800000000ULL 104 #define CAP_GETPEERNAME 0x0000001000000000ULL 105 #define CAP_GETSOCKNAME 0x0000002000000000ULL 106 #define CAP_GETSOCKOPT 0x0000004000000000ULL 107 #define CAP_LISTEN 0x0000008000000000ULL 108 #define CAP_PEELOFF 0x0000010000000000ULL 109 #define CAP_SETSOCKOPT 0x0000020000000000ULL 110 #define CAP_SHUTDOWN 0x0000040000000000ULL 111 112 #define CAP_SOCK_ALL \ 113 (CAP_ACCEPT | CAP_BIND | CAP_CONNECT \ 114 | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT \ 115 | CAP_LISTEN | CAP_PEELOFF | CAP_SETSOCKOPT | CAP_SHUTDOWN) 116 117 /* Mandatory Access Control. */ 118 #define CAP_MAC_GET 0x0000080000000000ULL 119 #define CAP_MAC_SET 0x0000100000000000ULL 120 121 /* Methods on semaphores. */ 122 #define CAP_SEM_GETVALUE 0x0000200000000000ULL 123 #define CAP_SEM_POST 0x0000400000000000ULL 124 #define CAP_SEM_WAIT 0x0000800000000000ULL 125 126 /* kqueue events. */ 127 #define CAP_POLL_EVENT 0x0001000000000000ULL 128 #define CAP_POST_EVENT 0x0002000000000000ULL 129 130 /* Strange and powerful rights that should not be given lightly. */ 131 #define CAP_IOCTL 0x0004000000000000ULL 132 #define CAP_TTYHOOK 0x0008000000000000ULL 133 134 /* Process management via process descriptors. */ 135 #define CAP_PDGETPID 0x0010000000000000ULL 136 #define CAP_PDWAIT 0x0020000000000000ULL 137 #define CAP_PDKILL 0x0040000000000000ULL 138 139 /* The mask of all valid method rights. */ 140 #define CAP_MASK_VALID 0x007fffffffffffffULL 141 142 #ifdef _KERNEL 143 144 #define IN_CAPABILITY_MODE(td) (td->td_ucred->cr_flags & CRED_FLAG_CAPMODE) 145 146 /* 147 * Create a capability to wrap a file object. 148 */ 149 int kern_capwrap(struct thread *td, struct file *fp, cap_rights_t rights, 150 int *capfd); 151 152 /* 153 * Unwrap a capability if its rights mask is a superset of 'rights'. 154 * 155 * Unwrapping a non-capability is effectively a no-op; the value of fp_cap 156 * is simply copied into fpp. 157 */ 158 int cap_funwrap(struct file *fp_cap, cap_rights_t rights, 159 struct file **fpp); 160 int cap_funwrap_mmap(struct file *fp_cap, cap_rights_t rights, 161 u_char *maxprotp, struct file **fpp); 162 163 /* 164 * For the purposes of procstat(1) and similar tools, allow kern_descrip.c to 165 * extract the rights from a capability. However, this should not be used by 166 * kernel code generally, instead cap_funwrap() should be used in order to 167 * keep all access control in one place. 168 */ 169 cap_rights_t cap_rights(struct file *fp_cap); 170 171 #else /* !_KERNEL */ 172 173 __BEGIN_DECLS 174 175 /* 176 * cap_enter(): Cause the process to enter capability mode, which will 177 * prevent it from directly accessing global namespaces. System calls will 178 * be limited to process-local, process-inherited, or file descriptor 179 * operations. If already in capability mode, a no-op. 180 * 181 * Currently, process-inherited operations are not properly handled -- in 182 * particular, we're interested in things like waitpid(2), kill(2), etc, 183 * being properly constrained. One possible solution is to introduce process 184 * descriptors. 185 */ 186 int cap_enter(void); 187 188 /* 189 * cap_getmode(): Are we in capability mode? 190 */ 191 int cap_getmode(u_int* modep); 192 193 /* 194 * cap_new(): Create a new capability derived from an existing file 195 * descriptor with the specified rights. If the existing file descriptor is 196 * a capability, then the new rights must be a subset of the existing rights. 197 */ 198 int cap_new(int fd, cap_rights_t rights); 199 200 /* 201 * cap_getrights(): Query the rights on a capability. 202 */ 203 int cap_getrights(int fd, cap_rights_t *rightsp); 204 205 __END_DECLS 206 207 #endif /* !_KERNEL */ 208 209 #endif /* !_SYS_CAPABILITY_H_ */ 210