Page MenuHomeFreeBSD
Differential D41967

copy_file_range: fix capabilities premissions
ClosedPublic
Actions

Authored by oshogbo on Sep 24 2023, 8:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Apr 28, 8:38 AM
Unknown Object (File)
Fri, Apr 26, 6:31 AM
Unknown Object (File)
Fri, Apr 26, 6:30 AM
Unknown Object (File)
Fri, Apr 26, 4:10 AM
Unknown Object (File)
Fri, Apr 26, 3:09 AM
Unknown Object (File)
Fri, Apr 26, 3:08 AM
Unknown Object (File)
Fri, Apr 26, 3:07 AM
Unknown Object (File)
Thu, Apr 25, 9:13 PM
View All 39 Files
Subscribers
imp
jonathan
markj

Details

Reviewers
emaste
theraven
kib
Group Reviewers
secteam
Commits
rG1abd98ecf9e3: cat: add CAP_SEEK capability
rG5f527dbe41b8: cat: add CAP_SEEK capability
rG2d23f6c33431: copy_file_range: require CAP_SEEK capability
rG3f0ce63828dc: copy_file_range: require CAP_SEEK capability
rG857ce53d1d46: copy_file_range: require CAP_SEEK capability
rG87d68b131ef6: copy_file_range: require CAP_SEEK capability
rG62d3f57c22ee: capsicum: add tests for copy_file_range
rG15a51d3abaef: copy_file_range: require CAP_SEEK capability
rG64c6327738fc: cat: add CAP_SEEK capability
Summary

Align copy_file_range(2) permissions with pread(2)/pwrite(2) for offset usage

Ensure that copy_file_range(2), like pread(2)/pwrite(2), requires the CAP_SEEK capability due to its offset argument.
This alignment prevents unauthorized file offset manipulations by processes.

Reported by: theraven@

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

oshogbo requested review of this revision.Sep 24 2023, 8:11 PM
oshogbo created this revision.
oshogbo created this object with visibility "secteam (Project)".
oshogbo changed the visibility from "secteam (Project)" to "Custom Policy".
emaste added a comment.Sep 24 2023, 10:11 PM

It looks like it should be permitted without CAP_SEEK if inoffp/outoffp is NULL?
I think you can commit the bin/cat change now.

oshogbo added a comment.Sep 24 2023, 10:18 PM

Yea, I guess you are right when copy_file_range has offset NULLed it behaves more like read/write then pread/pwrite.

theraven added a comment.Sep 25 2023, 9:32 AM

Ensure that copy_file_range(2), like pread(2)/pwrite(2), requires the CAP_SEEK capability due to its offset argument.
This alignment prevents unauthorized file offset manipulations by processes.

It should require CAP_SEEK only when given a non-NULL offset. Both of these cases appear to be using it with NULL offsets. I think it would be a POLA violation for it to unconditionally require CAP_SEEK and it would also make it far less usable in Capsicum applications.

oshogbo updated this revision to Diff 127742.Sep 25 2023, 10:20 AM
kib added inline comments.Sep 25 2023, 10:37 AM
sys/kern/vfs_syscalls.c
4905 ↗(On Diff #127742)
incap = inoffp != NULL ? &cap_read_rights : &cap_pread_rights;

or even inline the expression into fget_XXX() call arg, avoiding single-use local

theraven added a comment.Sep 25 2023, 11:12 AM

This looks like it fixes the capsicum bits. I believe we're still missing correct auditing events. In kern_{read,write}*, these are handled in dofile{read,write} but, since copy_file_range bypasses these calls, they need to be added explicitly.

oshogbo updated this revision to Diff 127769.Sep 25 2023, 12:44 PM
emaste added a comment.Sep 25 2023, 1:28 PM

This looks like it fixes the capsicum bits. I believe we're still missing correct auditing events.

I think it's OK to follow up with a second commit for those.

emaste added a comment.Sep 25 2023, 1:32 PM

The new test can also be sent to https://github.com/google/capsicum-test

kib accepted this revision.Sep 25 2023, 2:19 PM
kib added inline comments.
sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)
4915 ↗(On Diff #127769)
This revision is now accepted and ready to land.Sep 25 2023, 2:19 PM
emaste accepted this revision.Sep 25 2023, 4:01 PM
theraven accepted this revision.Sep 25 2023, 4:21 PM
theraven added inline comments.
sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)

Do you really think removing these brackets increases readability? It's obvious to me what the first version does. The second requires me to skip around the line to and mentally parse the code to find the end of the argument.

kib added inline comments.Sep 25 2023, 4:50 PM
sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)

Yes.

Also it fixes half of the style bug.

emaste added a comment.Sep 26 2023, 9:48 PM

Capsicum-related syscall changes from 2014 on, for reference:
af93fea71038 timerfd: Move implementation from linux compat to sys
4a69fc16a583 Add membarrier(2)
61194e9852e6 Add kqueue1() syscall
52a1d90c8bfe Allow posix_fadvise in capability mode
77b2c2f81451 Add sched_getcpu()
0dc332bff200 Add fspacectl(2), vn_deallocate(9) and VOP_DEALLOCATE(9)
022ca2fc7fe0 Add aio_writev and aio_readv
7a202823aa54 Expose eventfd in the native API/ABI using a new __specialfd syscall
bdfe61e05e52 Permit cpuset_(get|set)domain() in capability mode.
472ced39efb5 Implement a close_range(2) syscall
e953765f1579 Allow getloginclass in capability mode
9cdfb2d69a52 Allow fdatasync in capability mode
146fc63fce9b Add a way to manage thread signal mask using shared word, instead of syscall.
20f7057685cd Add a shm_open2 syscall to support upcoming memfd_create
d05b53e0baee Add sysctlbyname system call
f30f7b987015 Enable copy_file_range(2) in capability mode.
a1304030b815 Introduce funlinkat syscall
82560231d322 capsicum: allow ppoll(2) in capability mode
0362ec1e8e80 getrandom(2) should not be restricted in capability mode.
5532aa9bb414 allow posix_fallocate in capability mode
f299c47b52b7 Allow cpuset_{get,set}affinity in capabilities mode
rG:2205e0d1bd28 Add futimens and utimensat system calls.
rG:c297f0e4972 Allow sigwait(2) in capabilities mode.

theraven added a comment.Sep 27 2023, 8:21 AM

Capsicum-related syscall changes from 2014 on, for reference:

A quick look at the ones of these that I'd expect to require audit events and capsicum does appear to contain them.

markj added a subscriber: markj.Sep 27 2023, 11:30 AM

The code changes look ok to me.

contrib/capsicum-test/copy_file_range.cc
156 ↗(On Diff #127769)

It would also be good to check that CAP_READ and CAP_WRITE are honored, i.e., check

EXPECT_NOTCAPABLE(copy_file_range(fd_out, NULL, fd_in, NULL, 8, 0));

I think all of your tests are verifying checks for CAP_SEEK.

contrib/capsicum-test/makefile
2 ↗(On Diff #127769)

I believe you also need to update tests/sys/capsicum/Makefile, otherwise the new file won't be built. This makefile is upstream's (which is effectively dead now...?) and doesn't get used by our build system, for better or worse.

oshogbo marked 7 inline comments as done.Sep 28 2023, 1:45 PM
oshogbo changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 28 2023, 1:49 PM
Herald added a subscriber: jonathan. · View Herald TranscriptSep 28 2023, 1:49 PM
Closed by commit rG64c6327738fc: cat: add CAP_SEEK capability (authored by oshogbo). · Explain WhySep 28 2023, 2:07 PM
This revision was automatically updated to reflect the committed changes.
oshogbo added a commit: rG64c6327738fc: cat: add CAP_SEEK capability.
Herald added a subscriber: imp. · View Herald TranscriptSep 28 2023, 2:07 PM
oshogbo added a commit: rG15a51d3abaef: copy_file_range: require CAP_SEEK capability.Sep 28 2023, 2:07 PM
oshogbo added a commit: rG62d3f57c22ee: capsicum: add tests for copy_file_range.
oshogbo added a commit: rG87d68b131ef6: copy_file_range: require CAP_SEEK capability.Oct 2 2023, 8:16 AM
oshogbo added a commit: rG857ce53d1d46: copy_file_range: require CAP_SEEK capability.
emaste added a commit: rG3f0ce63828dc: copy_file_range: require CAP_SEEK capability.Oct 2 2023, 4:03 PM
gordon added a commit: rG2d23f6c33431: copy_file_range: require CAP_SEEK capability.Oct 3 2023, 10:15 PM
emaste added a commit: rG5f527dbe41b8: cat: add CAP_SEEK capability.Mar 22 2024, 1:35 PM
emaste added a commit: rG1abd98ecf9e3: cat: add CAP_SEEK capability.Mar 22 2024, 1:37 PM

Revision Contents
Changeset List

PathSize
bin/
cat/
2 lines

Diff 127906

View Options

bin/cat/cat.c

Loading...