author | Robert Watson <rwatson@FreeBSD.org> | 2011-03-01 13:23:37 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2011-03-01 13:23:37 +0000 |
commit | 96fcc75fdf74e8ecc798405021f9c9b3c8e01c0d (patch) | |
tree | d773ba10cfdbd686d9589ba5d6bfce8bdd97f0d1 /sys/kern/sys_capability.c | |
parent | 25122f5c5fc022baacef53ab88688fa374bec4eb (diff) | |
Add initial support for Capsicum's Capability Mode to the FreeBSD kernel,
compiled conditionally on options CAPABILITIES:
Add a new credential flag, CRED_FLAG_CAPMODE, which indicates that a
subject (typically a process) is in capability mode.
Add two new system calls, cap_enter(2) and cap_getmode(2), which allow
setting and querying (but never clearing) the flag.
Export the capability mode flag via process information sysctls.
Sponsored by: Google, Inc.
Reviewed by: anderson
Discussed with: benl, kris, pjd
Obtained from: Capsicum Project
MFC after: 3 months
Notes
Notes:
svn path=/head/; revision=219129
Diffstat (limited to 'sys/kern/sys_capability.c')
-rw-r--r-- | sys/kern/sys_capability.c | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/sys/kern/sys_capability.c b/sys/kern/sys_capability.c
new file mode 100644
index 000000000000..e4d721a6350c
--- /dev/null
+++ b/sys/kern/sys_capability.c
@@ -0,0 +1,123 @@
+/*-
+ * Copyright (c) 2008-2011 Robert N. M. Watson
+ * Copyright (c) 2010-2011 Jonathan Anderson
+ * All rights reserved.
+ *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * FreeBSD kernel capability facility.
+ *
+ * Currently, this file implements only capability mode; capabilities
+ * (rights-refined file descriptors) will follow.
+ *
+ */
+
+#include "opt_capabilities.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/capability.h>
+#include <sys/file.h>
+#include <sys/filedesc.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/proc.h>
+#include <sys/sysproto.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+
+#include <security/audit/audit.h>
+
+#include <vm/uma.h>
+#include <vm/vm.h>
+
+#ifdef CAPABILITIES
+
+/*
+ * We don't currently have any MIB entries for sysctls, but we do expose
+ * security.capabilities so that it's easy to tell if options CAPABILITIES is
+ * compiled into the kernel.
+ */
+SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0, "Capsicum");
+
+/*
+ * System call to enter capability mode for the process.
+ */
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+ struct ucred *newcred, *oldcred;
+ struct proc *p;
+
+ if (IN_CAPABILITY_MODE(td))
+ return (0);
+
+ newcred = crget();
+ p = td->td_proc;
+ PROC_LOCK(p);
+ oldcred = p->p_ucred;
+ crcopy(newcred, oldcred);
+ newcred->cr_flags |= CRED_FLAG_CAPMODE;
+ p->p_ucred = newcred;
+ PROC_UNLOCK(p);
+ crfree(oldcred);
+ return (0);
+}
+
+/*
+ * System call to query whether the process is in capability mode.
+ */
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+ u_int i;
+
+ i = (IN_CAPABILITY_MODE(td)) ? 1 : 0;
+ return (copyout(&i, uap->modep, sizeof(i)));
+}
+
+#else /* !CAPABILITIES */
+
+int
+cap_enter(struct thread *td, struct cap_enter_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+cap_getmode(struct thread *td, struct cap_getmode_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+#endif /* CAPABILITIES */ |
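Review bot: cap_enter() calls crcopy(newcred, oldcred) while holding PROC_LOCK(p); if crcopy() has to allocate to duplicate the old credential's group list, that allocation runs under the process lock, which is the situation kern_prot.c's credential-update paths avoid with `oldcred = crcopysafe(p, newcred);` — worth confirming crcopy() cannot allocate here, or switching to crcopysafe(). The IN_CAPABILITY_MODE(td) early return is evaluated before the lock is taken, so two threads of the same process racing into cap_enter() each allocate and install a fresh credential; the flag ends up set either way, so this is wasted work rather than a correctness problem, but the check could be repeated under the lock. Separately, the comment over cap_enter() should carry the contract the commit message states but the code does not: `* Entering capability mode is one-way; no interface clears CRED_FLAG_CAPMODE.`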