/*-
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 *
 * Copyright (c) 2008-2011 Robert N. M. Watson
 * Copyright (c) 2010-2011 Jonathan Anderson
 * Copyright (c) 2012 FreeBSD Foundation
 * All rights reserved.
 *
 * This software was developed at the University of Cambridge Computer
 * Laboratory with support from a grant from Google, Inc.
 *
 * Portions of this software were developed by Pawel Jakub Dawidek under
 * sponsorship from the FreeBSD Foundation.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * FreeBSD kernel capability facility.
 *
 * Two kernel features are implemented here: capability mode, a sandboxed mode
 * of execution for processes, and capabilities, a refinement on file
 * descriptors that allows fine-grained control over operations on the file
 * descriptor.  Collectively, these allow processes to run in the style of a
 * historic "capability system" in which they can use only resources
 * explicitly delegated to them.  This model is enforced by restricting access
 * to global namespaces in capability mode.
 *
 * Capabilities wrap other file descriptor types, binding them to a constant
 * rights mask set when the capability is created.  New capabilities may be
 * derived from existing capabilities, but only if they have the same or a
 * strict subset of the rights on the original capability.
 *
 * System calls permitted in capability mode are defined in capabilities.conf;
 * calls must be carefully audited for safety to ensure that they don't allow
 * escape from a sandbox.  Some calls permit only a subset of operations in
 * capability mode -- for example, shm_open(2) is limited to creating
 * anonymous, rather than named, POSIX shared memory objects.
 *
 * Invariant enforced by every "limit" entry point below: rights, ioctl lists
 * and fcntl masks can only shrink.  Each limit call checks the requested set
 * against what the descriptor currently holds and fails closed with
 * ENOTCAPABLE when the request would add anything.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_capsicum.h"
#include "opt_ktrace.h"

#include <sys/param.h>
#include <sys/capsicum.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/kernel.h>
#include <sys/limits.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/syscallsubr.h>
#include <sys/sysproto.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <sys/ucred.h>
#include <sys/uio.h>
#include <sys/ktrace.h>

#include <security/audit/audit.h>

#include <vm/uma.h>
#include <vm/vm.h>

/*
 * Tunable: when set, a process hitting ENOTCAPABLE also receives SIGTRAP,
 * which makes sandbox violations easy to catch in a debugger.  The sysctl
 * below exposes it as kern.trap_enotcap; the delivery itself happens
 * elsewhere (not in this file).
 */
bool __read_frequently trap_enotcap;
SYSCTL_BOOL(_kern, OID_AUTO, trap_enotcap, CTLFLAG_RWTUN, &trap_enotcap, 0,
    "Deliver SIGTRAP on ENOTCAPABLE");

#ifdef CAPABILITY_MODE

/*
 * Upper bound on the number of ioctl commands a single descriptor may be
 * limited to.  It bounds both the per-call copyin/malloc in
 * sys_cap_ioctls_limit() and the linear subset check in
 * cap_ioctl_limit_check(), so userspace cannot drive unbounded work.
 */
#define	IOCTLS_MAX_COUNT	256	/* XXX: Is 256 sane? */

FEATURE(security_capability_mode, "Capsicum Capability Mode");

/*
 * System call to enter capability mode for the process.
 *
 * Sets CRED_FLAG_CAPMODE on a fresh copy of the process credential and
 * installs it under PROC_LOCK; the old credential is released only after
 * the lock is dropped.  Entering is idempotent: a process already in
 * capability mode gets 0 without touching its credential.  There is no
 * system call to leave capability mode.
 *
 * Returns 0 always.
 */
int
sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
{
	struct ucred *newcred, *oldcred;
	struct proc *p;

	if (IN_CAPABILITY_MODE(td))
		return (0);

	newcred = crget();
	p = td->td_proc;
	PROC_LOCK(p);
	oldcred = crcopysafe(p, newcred);
	newcred->cr_flags |= CRED_FLAG_CAPMODE;
	proc_set_cred(p, newcred);
	PROC_UNLOCK(p);
	crfree(oldcred);
	return (0);
}

/*
 * System call to query whether the process is in capability mode.
 *
 * Writes 1 (in capability mode) or 0 to the user pointer uap->modep.
 *
 * Returns 0, or the error from copyout().
 */
int
sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
{
	u_int i;

	i = IN_CAPABILITY_MODE(td) ? 1 : 0;
	return (copyout(&i, uap->modep, sizeof(i)));
}

#else /* !CAPABILITY_MODE */

/* Stubs for kernels built without options CAPABILITY_MODE. */

int
sys_cap_enter(struct thread *td, struct cap_enter_args *uap)
{

	return (ENOSYS);
}

int
sys_cap_getmode(struct thread *td, struct cap_getmode_args *uap)
{

	return (ENOSYS);
}

#endif /* CAPABILITY_MODE */

#ifdef CAPABILITIES

FEATURE(security_capabilities, "Capsicum Capabilities");

MALLOC_DECLARE(M_FILECAPS);

/*
 * Core rights comparison shared by the public checks in this file.
 *
 * havep: rights the descriptor holds.
 * needp: rights the operation requires.
 * type:  tag recorded in the KTR_CAPFAIL ktrace record on failure
 *        (CAPFAIL_NOTCAPABLE for ordinary checks, CAPFAIL_INCREASE when a
 *        limit call tries to add rights).
 *
 * Returns 0 if havep contains every right in needp, otherwise ENOTCAPABLE
 * after emitting the ktrace record (KTRACE kernels only).
 */
static inline int
_cap_check(const cap_rights_t *havep, const cap_rights_t *needp,
    enum ktr_cap_fail_type type)
{

	if (!cap_rights_contains(havep, needp)) {
#ifdef KTRACE
		if (KTRPOINT(curthread, KTR_CAPFAIL))
			ktrcapfail(type, needp, havep);
#endif
		return (ENOTCAPABLE);
	}
	return (0);
}

/*
 * Test whether a capability grants the requested rights.
 *
 * Returns 0 when havep covers needp, else ENOTCAPABLE.
 */
int
cap_check(const cap_rights_t *havep, const cap_rights_t *needp)
{

	return (_cap_check(havep, needp, CAPFAIL_NOTCAPABLE));
}

/*
 * Report a rights failure without re-evaluating it: emits the KTR_CAPFAIL
 * record (KTRACE kernels) and returns ENOTCAPABLE unconditionally.
 * Presumably for callers that have already established the check fails via
 * some other path -- verify against callers before reusing.
 */
int
cap_check_failed_notcapable(const cap_rights_t *havep,
    const cap_rights_t *needp)
{

#ifdef KTRACE
	if (KTRPOINT(curthread, KTR_CAPFAIL))
		ktrcapfail(CAPFAIL_NOTCAPABLE, needp, havep);
#endif
	return (ENOTCAPABLE);
}

/*
 * Convert capability rights into VM access flags.
 *
 * Maps CAP_MMAP_R/W/X to VM_PROT_READ/WRITE/EXECUTE respectively; any
 * right not set yields no corresponding protection bit, so a descriptor
 * without mmap rights maps to VM_PROT_NONE.
 *
 * Returns the OR of the granted VM_PROT_* bits.
 */
vm_prot_t
cap_rights_to_vmprot(const cap_rights_t *havep)
{
	vm_prot_t maxprot;

	maxprot = VM_PROT_NONE;
	if (cap_rights_is_set(havep, CAP_MMAP_R))
		maxprot |= VM_PROT_READ;
	if (cap_rights_is_set(havep, CAP_MMAP_W))
		maxprot |= VM_PROT_WRITE;
	if (cap_rights_is_set(havep, CAP_MMAP_X))
		maxprot |= VM_PROT_EXECUTE;

	return (maxprot);
}

/*
 * Extract rights from a capability for monitoring purposes -- not for use in
 * any other way, as we want to keep all capability permission evaluation in
 * this one file.
 */
const cap_rights_t *
cap_rights_fde(const struct filedescent *fdep)
{

	return (cap_rights_fde_inline(fdep));
}

/*
 * Same as cap_rights_fde() but addressed by descriptor number.
 *
 * Note: fd is not range-checked here -- fd_ofiles[fd] is indexed directly.
 * Every caller in this file has already validated fd against fdp
 * (fdeget_locked()/fget_locked()) while holding the filedesc lock, and
 * holds that lock across this call.
 */
const cap_rights_t *
cap_rights(struct filedesc *fdp, int fd)
{

	return (cap_rights_fde(&fdp->fd_ofiles[fd]));
}

/*
 * Replace the rights of descriptor fd with *rights.
 *
 * The new mask must be a subset of the current one; otherwise the entry is
 * left untouched and ENOTCAPABLE is returned (ktrace type CAPFAIL_INCREASE).
 * Dropping CAP_IOCTL also discards any ioctl list (fde_ioctls/fde_nioctls
 * reset to NULL/0) and dropping CAP_FCNTL clears fde_fcntls, so the
 * secondary limits cannot outlive the right they refine.  All writes to the
 * entry are bracketed by seqc_write_begin()/seqc_write_end() -- presumably
 * for lockless readers of the entry; confirm against filedesc.h.
 *
 * Returns 0, EBADF if fd is not open, or ENOTCAPABLE.
 */
int
kern_cap_rights_limit(struct thread *td, int fd, cap_rights_t *rights)
{
	struct filedesc *fdp;
	struct filedescent *fdep;
	u_long *ioctls;
	int error;

	fdp = td->td_proc->p_fd;
	FILEDESC_XLOCK(fdp);
	fdep = fdeget_locked(fdp, fd);
	if (fdep == NULL) {
		FILEDESC_XUNLOCK(fdp);
		return (EBADF);
	}
	ioctls = NULL;
	error = _cap_check(cap_rights(fdp, fd), rights, CAPFAIL_INCREASE);
	if (error == 0) {
		seqc_write_begin(&fdep->fde_seqc);
		fdep->fde_rights = *rights;
		if (!cap_rights_is_set(rights, CAP_IOCTL)) {
			/* Detach the list under the lock, free it after. */
			ioctls = fdep->fde_ioctls;
			fdep->fde_ioctls = NULL;
			fdep->fde_nioctls = 0;
		}
		if (!cap_rights_is_set(rights, CAP_FCNTL))
			fdep->fde_fcntls = 0;
		seqc_write_end(&fdep->fde_seqc);
	}
	FILEDESC_XUNLOCK(fdp);
	/* free(NULL, ...) is a no-op, so this covers the error path too. */
	free(ioctls, M_FILECAPS);
	return (error);
}

/*
 * System call to limit rights of the given capability.
 *
 * The user buffer is variable-length: its size depends on the version
 * encoded in the first word.  The first copyin fetches only that word, the
 * second fetches CAPARSIZE() words, and the version is compared again
 * afterwards so that a concurrent rewrite of the buffer by another thread
 * cannot make the kernel trust a size computed from a different header.
 * Only CAP_RIGHTS_VERSION_00 is accepted; if that differs from the kernel's
 * CAP_RIGHTS_VERSION the top two bits of word 0 are rewritten to the
 * kernel's version before the mask is stored.
 *
 * Returns 0, a copyin() error, EINVAL for a bad version or an invalid mask,
 * or the result of kern_cap_rights_limit().
 */
int
sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
{
	cap_rights_t rights;
	int error, version;

	cap_rights_init_zero(&rights);

	error = copyin(uap->rightsp, &rights, sizeof(rights.cr_rights[0]));
	if (error != 0)
		return (error);
	version = CAPVER(&rights);
	if (version != CAP_RIGHTS_VERSION_00)
		return (EINVAL);

	error = copyin(uap->rightsp, &rights,
	    sizeof(rights.cr_rights[0]) * CAPARSIZE(&rights));
	if (error != 0)
		return (error);
	/* Check for race. */
	if (CAPVER(&rights) != version)
		return (EINVAL);

	if (!cap_rights_is_valid(&rights))
		return (EINVAL);

	if (version != CAP_RIGHTS_VERSION) {
		/* Version lives in bits 63:62 of the first word. */
		rights.cr_rights[0] &= ~(0x3ULL << 62);
		rights.cr_rights[0] |= ((uint64_t)CAP_RIGHTS_VERSION << 62);
	}
#ifdef KTRACE
	if (KTRPOINT(td, KTR_STRUCT))
		ktrcaprights(&rights);
#endif

	AUDIT_ARG_FD(uap->fd);
	AUDIT_ARG_RIGHTS(&rights);
	return (kern_cap_rights_limit(td, uap->fd, &rights));
}

/*
 * System call to query the rights mask associated with a capability.
 *
 * Copies uap->version + 2 words of the descriptor's rights to
 * uap->rightsp.  Only CAP_RIGHTS_VERSION_00 is accepted from the caller.
 * If the stored mask carries a newer version than the caller asked for,
 * every word beyond the caller's view is inspected: any bit outside the
 * top seven (0x7F << 57 -- presumably the per-word tag bits; confirm in
 * capsicum.h) is a right the caller could not represent, and EINVAL is
 * returned rather than silently truncating.
 *
 * Returns 0, EINVAL, EBADF, or a copyout() error.
 */
int
sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
{
	struct filedesc *fdp;
	cap_rights_t rights;
	int error, fd, i, n;

	if (uap->version != CAP_RIGHTS_VERSION_00)
		return (EINVAL);

	fd = uap->fd;

	AUDIT_ARG_FD(fd);

	fdp = td->td_proc->p_fd;
	FILEDESC_SLOCK(fdp);
	if (fget_locked(fdp, fd) == NULL) {
		FILEDESC_SUNLOCK(fdp);
		return (EBADF);
	}
	/* Snapshot under the lock; everything below works on the copy. */
	rights = *cap_rights(fdp, fd);
	FILEDESC_SUNLOCK(fdp);
	n = uap->version + 2;
	if (uap->version != CAPVER(&rights)) {
		/*
		 * For older versions we need to check if the descriptor
		 * doesn't contain rights not understood by the caller.
		 * If it does, we have to return an error.
		 */
		for (i = n; i < CAPARSIZE(&rights); i++) {
			if ((rights.cr_rights[i] & ~(0x7FULL << 57)) != 0)
				return (EINVAL);
		}
	}
	error = copyout(&rights, uap->rightsp, sizeof(rights.cr_rights[0]) * n);
#ifdef KTRACE
	if (error == 0 && KTRPOINT(td, KTR_STRUCT))
		ktrcaprights(&rights);
#endif
	return (error);
}

/*
 * Test whether a capability grants the given ioctl command.
 * If descriptor doesn't have CAP_IOCTL, then ioctls list is empty and
 * ENOTCAPABLE will be returned.
 *
 * fde_nioctls == -1 means "no ioctl restriction" (see sys_cap_ioctls_get());
 * otherwise cmd must appear in the fde_ioctls array.  The helper it calls is
 * fdeget_locked(), so the caller is expected to hold fdp's lock.
 *
 * Returns 0 if cmd is allowed, else ENOTCAPABLE.
 */
int
cap_ioctl_check(struct filedesc *fdp, int fd, u_long cmd)
{
	struct filedescent *fdep;
	u_long *cmds;
	ssize_t ncmds;
	long i;

	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
	    ("%s: invalid fd=%d", __func__, fd));

	fdep = fdeget_locked(fdp, fd);
	KASSERT(fdep != NULL,
	    ("%s: invalid fd=%d", __func__, fd));

	ncmds = fdep->fde_nioctls;
	if (ncmds == -1)
		return (0);

	cmds = fdep->fde_ioctls;
	for (i = 0; i < ncmds; i++) {
		if (cmds[i] == cmd)
			return (0);
	}

	return (ENOTCAPABLE);
}

/*
 * Check if the current ioctls list can be replaced by the new one.
 *
 * The new list (cmds, ncmds) must be a subset of the existing one: an
 * unrestricted descriptor (fde_nioctls == -1) accepts anything, a new list
 * longer than the old one is rejected outright, and otherwise every new
 * command must be found in the old list.  The search is a nested linear
 * scan; both lengths are bounded by IOCTLS_MAX_COUNT because
 * kern_cap_ioctls_limit() rejects larger lists before they are ever
 * installed or compared.
 *
 * Returns 0 if the replacement only narrows, else ENOTCAPABLE.
 */
static int
cap_ioctl_limit_check(struct filedescent *fdep, const u_long *cmds,
    size_t ncmds)
{
	u_long *ocmds;
	ssize_t oncmds;
	u_long i;
	long j;

	oncmds = fdep->fde_nioctls;
	if (oncmds == -1)
		return (0);
	if (oncmds < (ssize_t)ncmds)
		return (ENOTCAPABLE);

	ocmds = fdep->fde_ioctls;
	for (i = 0; i < ncmds; i++) {
		for (j = 0; j < oncmds; j++) {
			if (cmds[i] == ocmds[j])
				break;
		}
		if (j == oncmds)
			return (ENOTCAPABLE);
	}

	return (0);
}

/*
 * Install (cmds, ncmds) as the ioctl allow-list of descriptor fd.
 *
 * Ownership: this function takes cmds.  On success cmds is stored in the
 * entry and the previous list is freed; on every failure path cmds itself
 * is freed.  Callers must therefore not touch cmds after the call.
 *
 * Returns 0, EINVAL if ncmds exceeds IOCTLS_MAX_COUNT, EBADF if fd is not
 * open, or ENOTCAPABLE if the new list would widen the existing one.
 */
int
kern_cap_ioctls_limit(struct thread *td, int fd, u_long *cmds, size_t ncmds)
{
	struct filedesc *fdp;
	struct filedescent *fdep;
	u_long *ocmds;
	int error;

	AUDIT_ARG_FD(fd);

	if (ncmds > IOCTLS_MAX_COUNT) {
		error = EINVAL;
		goto out_free;
	}

	fdp = td->td_proc->p_fd;
	FILEDESC_XLOCK(fdp);

	fdep = fdeget_locked(fdp, fd);
	if (fdep == NULL) {
		error = EBADF;
		goto out;
	}

	error = cap_ioctl_limit_check(fdep, cmds, ncmds);
	if (error != 0)
		goto out;

	ocmds = fdep->fde_ioctls;
	seqc_write_begin(&fdep->fde_seqc);
	fdep->fde_ioctls = cmds;
	fdep->fde_nioctls = ncmds;
	seqc_write_end(&fdep->fde_seqc);

	/* The old list is what gets freed below. */
	cmds = ocmds;
	error = 0;
out:
	FILEDESC_XUNLOCK(fdp);
out_free:
	free(cmds, M_FILECAPS);
	return (error);
}

/*
 * System call to limit the ioctl commands allowed on a descriptor.
 *
 * Bounds uap->ncmds against IOCTLS_MAX_COUNT before allocating, so an
 * untrusted count cannot drive a large kernel allocation.  An empty list
 * is passed as cmds == NULL.  On copyin failure the buffer is freed here;
 * otherwise ownership passes to kern_cap_ioctls_limit().
 *
 * Returns EINVAL, a copyin() error, or kern_cap_ioctls_limit()'s result.
 */
int
sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
{
	u_long *cmds;
	size_t ncmds;
	int error;

	ncmds = uap->ncmds;

	if (ncmds > IOCTLS_MAX_COUNT)
		return (EINVAL);

	if (ncmds == 0) {
		cmds = NULL;
	} else {
		cmds = malloc(sizeof(cmds[0]) * ncmds, M_FILECAPS, M_WAITOK);
		error = copyin(uap->cmds, cmds, sizeof(cmds[0]) * ncmds);
		if (error != 0) {
			free(cmds, M_FILECAPS);
			return (error);
		}
	}

	return (kern_cap_ioctls_limit(td, uap->fd, cmds, ncmds));
}

/*
 * System call to read back a descriptor's ioctl allow-list.
 *
 * Copies at most uap->maxcmds commands into uap->cmds (may be NULL to
 * query the count only) and returns, via td_retval[0], the full list
 * length -- not the number copied -- or CAP_IOCTLS_ALL when the descriptor
 * is unrestricted.  The list is copied into a kernel buffer under the
 * shared filedesc lock and handed to copyout() only after the lock is
 * dropped.  ncmds is assigned only when count != -1 and cmdsp != NULL,
 * and is read under exactly those conditions.
 *
 * Returns 0, EBADF, or a copyout() error.
 */
int
sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
{
	struct filedesc *fdp;
	struct filedescent *fdep;
	u_long *cmdsp, *dstcmds;
	size_t maxcmds, ncmds;
	int16_t count;
	int error, fd;

	fd = uap->fd;
	dstcmds = uap->cmds;
	maxcmds = uap->maxcmds;

	AUDIT_ARG_FD(fd);

	fdp = td->td_proc->p_fd;

	cmdsp = NULL;
	if (dstcmds != NULL) {
		/* Sized for the maximum list rather than the caller's count. */
		cmdsp = malloc(sizeof(cmdsp[0]) * IOCTLS_MAX_COUNT, M_FILECAPS,
		    M_WAITOK | M_ZERO);
	}

	FILEDESC_SLOCK(fdp);
	fdep = fdeget_locked(fdp, fd);
	if (fdep == NULL) {
		error = EBADF;
		FILEDESC_SUNLOCK(fdp);
		goto out;
	}
	count = fdep->fde_nioctls;
	if (count != -1 && cmdsp != NULL) {
		ncmds = MIN(count, maxcmds);
		memcpy(cmdsp, fdep->fde_ioctls, sizeof(cmdsp[0]) * ncmds);
	}
	FILEDESC_SUNLOCK(fdp);

	/*
	 * If all ioctls are allowed (fde_nioctls == -1 && fde_ioctls == NULL)
	 * the only sane thing we can do is to not populate the given array and
	 * return CAP_IOCTLS_ALL.
	 */
	if (count != -1) {
		if (cmdsp != NULL) {
			error = copyout(cmdsp, dstcmds,
			    sizeof(cmdsp[0]) * ncmds);
			if (error != 0)
				goto out;
		}
		td->td_retval[0] = count;
	} else {
		td->td_retval[0] = CAP_IOCTLS_ALL;
	}

	error = 0;
out:
	free(cmdsp, M_FILECAPS);
	return (error);
}

/*
 * Test whether a capability grants the given fcntl command.
 *
 * Each supported fcntl command is a bit position in fde_fcntls.  The shift
 * is of a signed int literal, so it relies on callers passing only the
 * small command numbers covered by CAP_FCNTL_ALL -- the KASSERT documents
 * that expectation but is compiled out in non-INVARIANTS kernels.
 *
 * Returns 0 if the command's bit is held, else ENOTCAPABLE.
 */
int
cap_fcntl_check_fde(struct filedescent *fdep, int cmd)
{
	uint32_t fcntlcap;

	fcntlcap = (1 << cmd);
	KASSERT((CAP_FCNTL_ALL & fcntlcap) != 0,
	    ("Unsupported fcntl=%d.", cmd));

	if ((fdep->fde_fcntls & fcntlcap) != 0)
		return (0);
	return (ENOTCAPABLE);
}

/*
 * cap_fcntl_check_fde() addressed by descriptor number.  fd is only
 * range-checked by the KASSERT; the caller is expected to hold the
 * filedesc lock and to pass an fd it has already validated.
 */
int
cap_fcntl_check(struct filedesc *fdp, int fd, int cmd)
{

	KASSERT(fd >= 0 && fd < fdp->fd_nfiles,
	    ("%s: invalid fd=%d", __func__, fd));

	return (cap_fcntl_check_fde(&fdp->fd_ofiles[fd], cmd));
}

/*
 * System call to limit the fcntl commands allowed on a descriptor.
 *
 * Bits outside CAP_FCNTL_ALL are rejected with EINVAL; bits not currently
 * held by the descriptor are rejected with ENOTCAPABLE, so the mask can
 * only shrink.  The update is bracketed by seqc_write_begin()/end() under
 * the exclusive filedesc lock.
 *
 * Returns 0, EINVAL, EBADF or ENOTCAPABLE.
 */
int
sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
{
	struct filedesc *fdp;
	struct filedescent *fdep;
	uint32_t fcntlrights;
	int fd;

	fd = uap->fd;
	fcntlrights = uap->fcntlrights;

	AUDIT_ARG_FD(fd);
	AUDIT_ARG_FCNTL_RIGHTS(fcntlrights);

	if ((fcntlrights & ~CAP_FCNTL_ALL) != 0)
		return (EINVAL);

	fdp = td->td_proc->p_fd;
	FILEDESC_XLOCK(fdp);

	fdep = fdeget_locked(fdp, fd);
	if (fdep == NULL) {
		FILEDESC_XUNLOCK(fdp);
		return (EBADF);
	}

	if ((fcntlrights & ~fdep->fde_fcntls) != 0) {
		FILEDESC_XUNLOCK(fdp);
		return (ENOTCAPABLE);
	}

	seqc_write_begin(&fdep->fde_seqc);
	fdep->fde_fcntls = fcntlrights;
	seqc_write_end(&fdep->fde_seqc);
	FILEDESC_XUNLOCK(fdp);

	return (0);
}

/*
 * System call to read back a descriptor's fcntl rights mask.
 *
 * Copies fde_fcntls to uap->fcntlrightsp; the value is read under the
 * shared filedesc lock and copied out after it is released.
 *
 * Returns 0, EBADF, or a copyout() error.
 */
int
sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
{
	struct filedesc *fdp;
	struct filedescent *fdep;
	uint32_t rights;
	int fd;

	fd = uap->fd;

	AUDIT_ARG_FD(fd);

	fdp = td->td_proc->p_fd;
	FILEDESC_SLOCK(fdp);
	fdep = fdeget_locked(fdp, fd);
	if (fdep == NULL) {
		FILEDESC_SUNLOCK(fdp);
		return (EBADF);
	}
	rights = fdep->fde_fcntls;
	FILEDESC_SUNLOCK(fdp);

	return (copyout(&rights, uap->fcntlrightsp, sizeof(rights)));
}

#else /* !CAPABILITIES */

/*
 * Stub Capability functions for when options CAPABILITIES isn't compiled
 * into the kernel.
 */

int
sys_cap_rights_limit(struct thread *td, struct cap_rights_limit_args *uap)
{

	return (ENOSYS);
}

int
sys___cap_rights_get(struct thread *td, struct __cap_rights_get_args *uap)
{

	return (ENOSYS);
}

int
sys_cap_ioctls_limit(struct thread *td, struct cap_ioctls_limit_args *uap)
{

	return (ENOSYS);
}

int
sys_cap_ioctls_get(struct thread *td, struct cap_ioctls_get_args *uap)
{

	return (ENOSYS);
}

int
sys_cap_fcntls_limit(struct thread *td, struct cap_fcntls_limit_args *uap)
{

	return (ENOSYS);
}

int
sys_cap_fcntls_get(struct thread *td, struct cap_fcntls_get_args *uap)
{

	return (ENOSYS);
}

#endif /* CAPABILITIES */