1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2013 FreeBSD Foundation
5 *
6 * This software was developed by Pawel Jakub Dawidek under sponsorship from
7 * the FreeBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32/*
33 * Note that this file is compiled into the kernel and into libc.
34 */
35
36#include <sys/types.h>
37#include <sys/capsicum.h>
38
39#ifdef _KERNEL
40#include <sys/systm.h>
41#include <sys/kernel.h>
42#include <machine/stdarg.h>
43#else	/* !_KERNEL */
44#include <assert.h>
45#include <stdarg.h>
46#include <stdbool.h>
47#include <stdint.h>
48#include <string.h>
49#endif
50
51#ifdef _KERNEL
52#define	assert(exp)	KASSERT((exp), ("%s:%u", __func__, __LINE__))
53__read_mostly cap_rights_t cap_accept_rights;
54__read_mostly cap_rights_t cap_bind_rights;
55__read_mostly cap_rights_t cap_chflags_rights;
56__read_mostly cap_rights_t cap_connect_rights;
57__read_mostly cap_rights_t cap_event_rights;
58__read_mostly cap_rights_t cap_fchdir_rights;
59__read_mostly cap_rights_t cap_fchflags_rights;
60__read_mostly cap_rights_t cap_fchmod_rights;
61__read_mostly cap_rights_t cap_fchown_rights;
62__read_mostly cap_rights_t cap_fcntl_rights;
63__read_mostly cap_rights_t cap_fexecve_rights;
64__read_mostly cap_rights_t cap_flock_rights;
65__read_mostly cap_rights_t cap_fpathconf_rights;
66__read_mostly cap_rights_t cap_fstat_rights;
67__read_mostly cap_rights_t cap_fstatfs_rights;
68__read_mostly cap_rights_t cap_fsync_rights;
69__read_mostly cap_rights_t cap_ftruncate_rights;
70__read_mostly cap_rights_t cap_futimes_rights;
71__read_mostly cap_rights_t cap_getpeername_rights;
72__read_mostly cap_rights_t cap_getsockopt_rights;
73__read_mostly cap_rights_t cap_getsockname_rights;
74__read_mostly cap_rights_t cap_ioctl_rights;
75__read_mostly cap_rights_t cap_listen_rights;
76__read_mostly cap_rights_t cap_linkat_source_rights;
77__read_mostly cap_rights_t cap_linkat_target_rights;
78__read_mostly cap_rights_t cap_mmap_rights;
79__read_mostly cap_rights_t cap_mkdirat_rights;
80__read_mostly cap_rights_t cap_mkfifoat_rights;
81__read_mostly cap_rights_t cap_mknodat_rights;
82__read_mostly cap_rights_t cap_pdgetpid_rights;
83__read_mostly cap_rights_t cap_pdkill_rights;
84__read_mostly cap_rights_t cap_pread_rights;
85__read_mostly cap_rights_t cap_pwrite_rights;
86__read_mostly cap_rights_t cap_read_rights;
87__read_mostly cap_rights_t cap_recv_rights;
88__read_mostly cap_rights_t cap_renameat_source_rights;
89__read_mostly cap_rights_t cap_renameat_target_rights;
90__read_mostly cap_rights_t cap_seek_rights;
91__read_mostly cap_rights_t cap_send_rights;
92__read_mostly cap_rights_t cap_send_connect_rights;
93__read_mostly cap_rights_t cap_setsockopt_rights;
94__read_mostly cap_rights_t cap_shutdown_rights;
95__read_mostly cap_rights_t cap_symlinkat_rights;
96__read_mostly cap_rights_t cap_unlinkat_rights;
97__read_mostly cap_rights_t cap_write_rights;
98__read_mostly cap_rights_t cap_no_rights;
99
100static void
101cap_rights_sysinit(void *arg)
102{
103	cap_rights_init_one(&cap_accept_rights, CAP_ACCEPT);
104	cap_rights_init_one(&cap_bind_rights, CAP_BIND);
105	cap_rights_init_one(&cap_connect_rights, CAP_CONNECT);
106	cap_rights_init_one(&cap_event_rights, CAP_EVENT);
107	cap_rights_init_one(&cap_fchdir_rights, CAP_FCHDIR);
108	cap_rights_init_one(&cap_fchflags_rights, CAP_FCHFLAGS);
109	cap_rights_init_one(&cap_fchmod_rights, CAP_FCHMOD);
110	cap_rights_init_one(&cap_fchown_rights, CAP_FCHOWN);
111	cap_rights_init_one(&cap_fcntl_rights, CAP_FCNTL);
112	cap_rights_init_one(&cap_fexecve_rights, CAP_FEXECVE);
113	cap_rights_init_one(&cap_flock_rights, CAP_FLOCK);
114	cap_rights_init_one(&cap_fpathconf_rights, CAP_FPATHCONF);
115	cap_rights_init_one(&cap_fstat_rights, CAP_FSTAT);
116	cap_rights_init_one(&cap_fstatfs_rights, CAP_FSTATFS);
117	cap_rights_init_one(&cap_fsync_rights, CAP_FSYNC);
118	cap_rights_init_one(&cap_ftruncate_rights, CAP_FTRUNCATE);
119	cap_rights_init_one(&cap_futimes_rights, CAP_FUTIMES);
120	cap_rights_init_one(&cap_getpeername_rights, CAP_GETPEERNAME);
121	cap_rights_init_one(&cap_getsockname_rights, CAP_GETSOCKNAME);
122	cap_rights_init_one(&cap_getsockopt_rights, CAP_GETSOCKOPT);
123	cap_rights_init_one(&cap_ioctl_rights, CAP_IOCTL);
124	cap_rights_init_one(&cap_linkat_source_rights, CAP_LINKAT_SOURCE);
125	cap_rights_init_one(&cap_linkat_target_rights, CAP_LINKAT_TARGET);
126	cap_rights_init_one(&cap_listen_rights, CAP_LISTEN);
127	cap_rights_init_one(&cap_mkdirat_rights, CAP_MKDIRAT);
128	cap_rights_init_one(&cap_mkfifoat_rights, CAP_MKFIFOAT);
129	cap_rights_init_one(&cap_mknodat_rights, CAP_MKNODAT);
130	cap_rights_init_one(&cap_mmap_rights, CAP_MMAP);
131	cap_rights_init_one(&cap_pdgetpid_rights, CAP_PDGETPID);
132	cap_rights_init_one(&cap_pdkill_rights, CAP_PDKILL);
133	cap_rights_init_one(&cap_pread_rights, CAP_PREAD);
134	cap_rights_init_one(&cap_pwrite_rights, CAP_PWRITE);
135	cap_rights_init_one(&cap_read_rights, CAP_READ);
136	cap_rights_init_one(&cap_recv_rights, CAP_RECV);
137	cap_rights_init_one(&cap_renameat_source_rights, CAP_RENAMEAT_SOURCE);
138	cap_rights_init_one(&cap_renameat_target_rights, CAP_RENAMEAT_TARGET);
139	cap_rights_init_one(&cap_seek_rights, CAP_SEEK);
140	cap_rights_init_one(&cap_send_rights, CAP_SEND);
141	cap_rights_init(&cap_send_connect_rights, CAP_SEND, CAP_CONNECT);
142	cap_rights_init_one(&cap_setsockopt_rights, CAP_SETSOCKOPT);
143	cap_rights_init_one(&cap_shutdown_rights, CAP_SHUTDOWN);
144	cap_rights_init_one(&cap_symlinkat_rights, CAP_SYMLINKAT);
145	cap_rights_init_one(&cap_unlinkat_rights, CAP_UNLINKAT);
146	cap_rights_init_one(&cap_write_rights, CAP_WRITE);
147	cap_rights_init(&cap_no_rights);
148}
149SYSINIT(cap_rights_sysinit, SI_SUB_COPYRIGHT, SI_ORDER_ANY, cap_rights_sysinit,
150    NULL);
151
152#endif
153
154#define	CAPARSIZE_MIN	(CAP_RIGHTS_VERSION_00 + 2)
155#define	CAPARSIZE_MAX	(CAP_RIGHTS_VERSION + 2)
156
157static __inline int
158right_to_index(uint64_t right)
159{
160	static const int bit2idx[] = {
161		-1, 0, 1, -1, 2, -1, -1, -1, 3, -1, -1, -1, -1, -1, -1, -1,
162		4, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
163	};
164	int idx;
165
166	idx = CAPIDXBIT(right);
167	assert(idx >= 0 && idx < sizeof(bit2idx) / sizeof(bit2idx[0]));
168	return (bit2idx[idx]);
169}
170
171static void
172cap_rights_vset(cap_rights_t *rights, va_list ap)
173{
174	uint64_t right;
175	int i, n __unused;
176
177	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
178
179	n = CAPARSIZE(rights);
180	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
181
182	for (;;) {
183		right = (uint64_t)va_arg(ap, unsigned long long);
184		if (right == 0)
185			break;
186		assert(CAPRVER(right) == 0);
187		i = right_to_index(right);
188		assert(i >= 0);
189		assert(i < n);
190		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
191		rights->cr_rights[i] |= right;
192		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
193	}
194}
195
196static void
197cap_rights_vclear(cap_rights_t *rights, va_list ap)
198{
199	uint64_t right;
200	int i, n __unused;
201
202	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
203
204	n = CAPARSIZE(rights);
205	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
206
207	for (;;) {
208		right = (uint64_t)va_arg(ap, unsigned long long);
209		if (right == 0)
210			break;
211		assert(CAPRVER(right) == 0);
212		i = right_to_index(right);
213		assert(i >= 0);
214		assert(i < n);
215		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
216		rights->cr_rights[i] &= ~(right & 0x01FFFFFFFFFFFFFFULL);
217		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
218	}
219}
220
221static bool
222cap_rights_is_vset(const cap_rights_t *rights, va_list ap)
223{
224	uint64_t right;
225	int i, n __unused;
226
227	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
228
229	n = CAPARSIZE(rights);
230	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
231
232	for (;;) {
233		right = (uint64_t)va_arg(ap, unsigned long long);
234		if (right == 0)
235			break;
236		assert(CAPRVER(right) == 0);
237		i = right_to_index(right);
238		assert(i >= 0);
239		assert(i < n);
240		assert(CAPIDXBIT(rights->cr_rights[i]) == CAPIDXBIT(right));
241		if ((rights->cr_rights[i] & right) != right)
242			return (false);
243	}
244
245	return (true);
246}
247
248cap_rights_t *
249__cap_rights_init(int version, cap_rights_t *rights, ...)
250{
251	unsigned int n __unused;
252	va_list ap;
253
254	assert(version == CAP_RIGHTS_VERSION_00);
255
256	n = version + 2;
257	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
258	CAP_NONE(rights);
259	va_start(ap, rights);
260	cap_rights_vset(rights, ap);
261	va_end(ap);
262
263	return (rights);
264}
265
266cap_rights_t *
267__cap_rights_set(cap_rights_t *rights, ...)
268{
269	va_list ap;
270
271	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
272
273	va_start(ap, rights);
274	cap_rights_vset(rights, ap);
275	va_end(ap);
276
277	return (rights);
278}
279
280cap_rights_t *
281__cap_rights_clear(cap_rights_t *rights, ...)
282{
283	va_list ap;
284
285	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
286
287	va_start(ap, rights);
288	cap_rights_vclear(rights, ap);
289	va_end(ap);
290
291	return (rights);
292}
293
294bool
295__cap_rights_is_set(const cap_rights_t *rights, ...)
296{
297	va_list ap;
298	bool ret;
299
300	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
301
302	va_start(ap, rights);
303	ret = cap_rights_is_vset(rights, ap);
304	va_end(ap);
305
306	return (ret);
307}
308
309bool
310cap_rights_is_empty(const cap_rights_t *rights)
311{
312#ifndef _KERNEL
313	cap_rights_t cap_no_rights;
314	cap_rights_init(&cap_no_rights);
315#endif
316
317	assert(CAPVER(rights) == CAP_RIGHTS_VERSION_00);
318	assert(CAPVER(&cap_no_rights) == CAP_RIGHTS_VERSION_00);
319
320	for (int i = 0; i < CAPARSIZE(rights); i++) {
321		if (rights->cr_rights[i] != cap_no_rights.cr_rights[i])
322			return (false);
323	}
324
325	return (true);
326}
327
328bool
329cap_rights_is_valid(const cap_rights_t *rights)
330{
331	cap_rights_t allrights;
332	int i, j;
333
334	if (CAPVER(rights) != CAP_RIGHTS_VERSION_00)
335		return (false);
336	if (CAPARSIZE(rights) < CAPARSIZE_MIN ||
337	    CAPARSIZE(rights) > CAPARSIZE_MAX) {
338		return (false);
339	}
340	CAP_ALL(&allrights);
341	if (!cap_rights_contains(&allrights, rights))
342		return (false);
343	for (i = 0; i < CAPARSIZE(rights); i++) {
344		j = right_to_index(rights->cr_rights[i]);
345		if (i != j)
346			return (false);
347		if (i > 0) {
348			if (CAPRVER(rights->cr_rights[i]) != 0)
349				return (false);
350		}
351	}
352
353	return (true);
354}
355
356cap_rights_t *
357cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src)
358{
359	unsigned int i, n;
360
361	assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00);
362	assert(CAPVER(src) == CAP_RIGHTS_VERSION_00);
363	assert(CAPVER(dst) == CAPVER(src));
364	assert(cap_rights_is_valid(src));
365	assert(cap_rights_is_valid(dst));
366
367	n = CAPARSIZE(dst);
368	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
369
370	for (i = 0; i < n; i++)
371		dst->cr_rights[i] |= src->cr_rights[i];
372
373	assert(cap_rights_is_valid(src));
374	assert(cap_rights_is_valid(dst));
375
376	return (dst);
377}
378
379cap_rights_t *
380cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src)
381{
382	unsigned int i, n;
383
384	assert(CAPVER(dst) == CAP_RIGHTS_VERSION_00);
385	assert(CAPVER(src) == CAP_RIGHTS_VERSION_00);
386	assert(CAPVER(dst) == CAPVER(src));
387	assert(cap_rights_is_valid(src));
388	assert(cap_rights_is_valid(dst));
389
390	n = CAPARSIZE(dst);
391	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
392
393	for (i = 0; i < n; i++) {
394		dst->cr_rights[i] &=
395		    ~(src->cr_rights[i] & 0x01FFFFFFFFFFFFFFULL);
396	}
397
398	assert(cap_rights_is_valid(src));
399	assert(cap_rights_is_valid(dst));
400
401	return (dst);
402}
403
404#ifndef _KERNEL
405bool
406cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little)
407{
408	unsigned int i, n;
409
410	assert(CAPVER(big) == CAP_RIGHTS_VERSION_00);
411	assert(CAPVER(little) == CAP_RIGHTS_VERSION_00);
412	assert(CAPVER(big) == CAPVER(little));
413
414	n = CAPARSIZE(big);
415	assert(n >= CAPARSIZE_MIN && n <= CAPARSIZE_MAX);
416
417	for (i = 0; i < n; i++) {
418		if ((big->cr_rights[i] & little->cr_rights[i]) !=
419		    little->cr_rights[i]) {
420			return (false);
421		}
422	}
423
424	return (true);
425}
426#endif
427