subr.c revision 280250 
1/*-
2 * Copyright (c) 2010 The FreeBSD Foundation
3 * Copyright (c) 2011 Pawel Jakub Dawidek <pawel@dawidek.net>
4 * All rights reserved.
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32__FBSDID("$FreeBSD: stable/10/sbin/hastd/subr.c 280250 2015-03-19 12:32:48Z rwatson $");
33
34#include <sys/param.h>
35#include <sys/disk.h>
36#include <sys/ioctl.h>
37#include <sys/jail.h>
38#include <sys/stat.h>
39#ifdef HAVE_CAPSICUM
40#include <sys/capsicum.h>
41#include <geom/gate/g_gate.h>
42#endif
43
44#include <errno.h>
45#include <fcntl.h>
46#include <pwd.h>
47#include <stdarg.h>
48#include <stdbool.h>
49#include <stdio.h>
50#include <string.h>
51#include <unistd.h>
52
53#include <pjdlog.h>
54
55#include "hast.h"
56#include "subr.h"
57
58int
59vsnprlcat(char *str, size_t size, const char *fmt, va_list ap)
60{
61	size_t len;
62
63	len = strlen(str);
64	return (vsnprintf(str + len, size - len, fmt, ap));
65}
66
67int
68snprlcat(char *str, size_t size, const char *fmt, ...)
69{
70	va_list ap;
71	int result;
72
73	va_start(ap, fmt);
74	result = vsnprlcat(str, size, fmt, ap);
75	va_end(ap);
76	return (result);
77}
78
79int
80provinfo(struct hast_resource *res, bool dowrite)
81{
82	struct stat sb;
83
84	PJDLOG_ASSERT(res->hr_localpath != NULL &&
85	    res->hr_localpath[0] != '\0');
86
87	if (res->hr_localfd == -1) {
88		res->hr_localfd = open(res->hr_localpath,
89		    dowrite ? O_RDWR : O_RDONLY);
90		if (res->hr_localfd == -1) {
91			pjdlog_errno(LOG_ERR, "Unable to open %s",
92			    res->hr_localpath);
93			return (-1);
94		}
95	}
96	if (fstat(res->hr_localfd, &sb) == -1) {
97		pjdlog_errno(LOG_ERR, "Unable to stat %s", res->hr_localpath);
98		return (-1);
99	}
100	if (S_ISCHR(sb.st_mode)) {
101		/*
102		 * If this is character device, it is most likely GEOM provider.
103		 */
104		if (ioctl(res->hr_localfd, DIOCGMEDIASIZE,
105		    &res->hr_local_mediasize) == -1) {
106			pjdlog_errno(LOG_ERR,
107			    "Unable obtain provider %s mediasize",
108			    res->hr_localpath);
109			return (-1);
110		}
111		if (ioctl(res->hr_localfd, DIOCGSECTORSIZE,
112		    &res->hr_local_sectorsize) == -1) {
113			pjdlog_errno(LOG_ERR,
114			    "Unable obtain provider %s sectorsize",
115			    res->hr_localpath);
116			return (-1);
117		}
118	} else if (S_ISREG(sb.st_mode)) {
119		/*
120		 * We also support regular files for which we hardcode
121		 * sector size of 512 bytes.
122		 */
123		res->hr_local_mediasize = sb.st_size;
124		res->hr_local_sectorsize = 512;
125	} else {
126		/*
127		 * We support no other file types.
128		 */
129		pjdlog_error("%s is neither GEOM provider nor regular file.",
130		    res->hr_localpath);
131		errno = EFTYPE;
132		return (-1);
133	}
134	return (0);
135}
136
137const char *
138role2str(int role)
139{
140
141	switch (role) {
142	case HAST_ROLE_INIT:
143		return ("init");
144	case HAST_ROLE_PRIMARY:
145		return ("primary");
146	case HAST_ROLE_SECONDARY:
147		return ("secondary");
148	}
149	return ("unknown");
150}
151
152int
153drop_privs(const struct hast_resource *res)
154{
155	char jailhost[sizeof(res->hr_name) * 2];
156	struct jail jailst;
157	struct passwd *pw;
158	uid_t ruid, euid, suid;
159	gid_t rgid, egid, sgid;
160	gid_t gidset[1];
161	bool capsicum, jailed;
162
163	/*
164	 * According to getpwnam(3) we have to clear errno before calling the
165	 * function to be able to distinguish between an error and missing
166	 * entry (with is not treated as error by getpwnam(3)).
167	 */
168	errno = 0;
169	pw = getpwnam(HAST_USER);
170	if (pw == NULL) {
171		if (errno != 0) {
172			pjdlog_errno(LOG_ERR,
173			    "Unable to find info about '%s' user", HAST_USER);
174			return (-1);
175		} else {
176			pjdlog_error("'%s' user doesn't exist.", HAST_USER);
177			errno = ENOENT;
178			return (-1);
179		}
180	}
181
182	bzero(&jailst, sizeof(jailst));
183	jailst.version = JAIL_API_VERSION;
184	jailst.path = pw->pw_dir;
185	if (res == NULL) {
186		(void)snprintf(jailhost, sizeof(jailhost), "hastctl");
187	} else {
188		(void)snprintf(jailhost, sizeof(jailhost), "hastd: %s (%s)",
189		    res->hr_name, role2str(res->hr_role));
190	}
191	jailst.hostname = jailhost;
192	jailst.jailname = NULL;
193	jailst.ip4s = 0;
194	jailst.ip4 = NULL;
195	jailst.ip6s = 0;
196	jailst.ip6 = NULL;
197	if (jail(&jailst) >= 0) {
198		jailed = true;
199	} else {
200		jailed = false;
201		pjdlog_errno(LOG_WARNING,
202		    "Unable to jail to directory to %s", pw->pw_dir);
203		if (chroot(pw->pw_dir) == -1) {
204			pjdlog_errno(LOG_ERR,
205			    "Unable to change root directory to %s",
206			    pw->pw_dir);
207			return (-1);
208		}
209	}
210	PJDLOG_VERIFY(chdir("/") == 0);
211	gidset[0] = pw->pw_gid;
212	if (setgroups(1, gidset) == -1) {
213		pjdlog_errno(LOG_ERR, "Unable to set groups to gid %u",
214		    (unsigned int)pw->pw_gid);
215		return (-1);
216	}
217	if (setgid(pw->pw_gid) == -1) {
218		pjdlog_errno(LOG_ERR, "Unable to set gid to %u",
219		    (unsigned int)pw->pw_gid);
220		return (-1);
221	}
222	if (setuid(pw->pw_uid) == -1) {
223		pjdlog_errno(LOG_ERR, "Unable to set uid to %u",
224		    (unsigned int)pw->pw_uid);
225		return (-1);
226	}
227
228#ifdef HAVE_CAPSICUM
229	capsicum = (cap_enter() == 0);
230	if (!capsicum) {
231		pjdlog_common(LOG_DEBUG, 1, errno,
232		    "Unable to sandbox using capsicum");
233	} else if (res != NULL) {
234		cap_rights_t rights;
235		static const unsigned long geomcmds[] = {
236		    DIOCGDELETE,
237		    DIOCGFLUSH
238		};
239
240		PJDLOG_ASSERT(res->hr_role == HAST_ROLE_PRIMARY ||
241		    res->hr_role == HAST_ROLE_SECONDARY);
242
243		cap_rights_init(&rights, CAP_FLOCK, CAP_IOCTL, CAP_PREAD,
244		    CAP_PWRITE);
245		if (cap_rights_limit(res->hr_localfd, &rights) == -1) {
246			pjdlog_errno(LOG_ERR,
247			    "Unable to limit capability rights on local descriptor");
248		}
249		if (cap_ioctls_limit(res->hr_localfd, geomcmds,
250		    sizeof(geomcmds) / sizeof(geomcmds[0])) == -1) {
251			pjdlog_errno(LOG_ERR,
252			    "Unable to limit allowed GEOM ioctls");
253		}
254
255		if (res->hr_role == HAST_ROLE_PRIMARY) {
256			static const unsigned long ggatecmds[] = {
257			    G_GATE_CMD_MODIFY,
258			    G_GATE_CMD_START,
259			    G_GATE_CMD_DONE,
260			    G_GATE_CMD_DESTROY
261			};
262
263			cap_rights_init(&rights, CAP_IOCTL);
264			if (cap_rights_limit(res->hr_ggatefd, &rights) == -1) {
265				pjdlog_errno(LOG_ERR,
266				    "Unable to limit capability rights to CAP_IOCTL on ggate descriptor");
267			}
268			if (cap_ioctls_limit(res->hr_ggatefd, ggatecmds,
269			    sizeof(ggatecmds) / sizeof(ggatecmds[0])) == -1) {
270				pjdlog_errno(LOG_ERR,
271				    "Unable to limit allowed ggate ioctls");
272			}
273		}
274	}
275#else
276	capsicum = false;
277#endif
278
279	/*
280	 * Better be sure that everything succeeded.
281	 */
282	PJDLOG_VERIFY(getresuid(&ruid, &euid, &suid) == 0);
283	PJDLOG_VERIFY(ruid == pw->pw_uid);
284	PJDLOG_VERIFY(euid == pw->pw_uid);
285	PJDLOG_VERIFY(suid == pw->pw_uid);
286	PJDLOG_VERIFY(getresgid(&rgid, &egid, &sgid) == 0);
287	PJDLOG_VERIFY(rgid == pw->pw_gid);
288	PJDLOG_VERIFY(egid == pw->pw_gid);
289	PJDLOG_VERIFY(sgid == pw->pw_gid);
290	PJDLOG_VERIFY(getgroups(0, NULL) == 1);
291	PJDLOG_VERIFY(getgroups(1, gidset) == 1);
292	PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
293
294	pjdlog_debug(1,
295	    "Privileges successfully dropped using %s%s+setgid+setuid.",
296	    capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
297
298	return (0);
299}
300