Page MenuHomeFreeBSD

copy_file_range: fix capabilities premissions
ClosedPublic

Authored by oshogbo on Sep 24 2023, 8:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Dec 4, 6:54 PM
Unknown Object (File)
Thu, Nov 28, 8:58 PM
Unknown Object (File)
Nov 11 2024, 8:15 PM
Unknown Object (File)
Oct 21 2024, 9:35 AM
Unknown Object (File)
Oct 8 2024, 6:33 AM
Unknown Object (File)
Sep 22 2024, 11:31 PM
Unknown Object (File)
Sep 22 2024, 11:26 PM
Unknown Object (File)
Sep 22 2024, 11:22 PM
Subscribers

Details

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

oshogbo created this revision.
oshogbo created this object with visibility "secteam (Project)".
oshogbo changed the visibility from "secteam (Project)" to "Custom Policy".

It looks like it should be permitted without CAP_SEEK if inoffp/outoffp is NULL?
I think you can commit the bin/cat change now.

Yea, I guess you are right when copy_file_range has offset NULLed it behaves more like read/write then pread/pwrite.

Ensure that copy_file_range(2), like pread(2)/pwrite(2), requires the CAP_SEEK capability due to its offset argument.
This alignment prevents unauthorized file offset manipulations by processes.

It should require CAP_SEEK only when given a non-NULL offset. Both of these cases appear to be using it with NULL offsets. I think it would be a POLA violation for it to unconditionally require CAP_SEEK and it would also make it far less usable in Capsicum applications.

sys/kern/vfs_syscalls.c
4905 ↗(On Diff #127742)
incap = inoffp != NULL ? &cap_read_rights : &cap_pread_rights;

or even inline the expression into fget_XXX() call arg, avoiding single-use local

This looks like it fixes the capsicum bits. I believe we're still missing correct auditing events. In kern_{read,write}*, these are handled in dofile{read,write} but, since copy_file_range bypasses these calls, they need to be added explicitly.

This looks like it fixes the capsicum bits. I believe we're still missing correct auditing events.

I think it's OK to follow up with a second commit for those.

kib added inline comments.
sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)
4915 ↗(On Diff #127769)
This revision is now accepted and ready to land.Sep 25 2023, 2:19 PM
theraven added inline comments.
sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)

Do you really think removing these brackets increases readability? It's obvious to me what the first version does. The second requires me to skip around the line to and mentally parse the code to find the end of the argument.

sys/kern/vfs_syscalls.c
4903 ↗(On Diff #127769)

Yes.

Also it fixes half of the style bug.

Capsicum-related syscall changes from 2014 on, for reference:
af93fea71038 timerfd: Move implementation from linux compat to sys
4a69fc16a583 Add membarrier(2)
61194e9852e6 Add kqueue1() syscall
52a1d90c8bfe Allow posix_fadvise in capability mode
77b2c2f81451 Add sched_getcpu()
0dc332bff200 Add fspacectl(2), vn_deallocate(9) and VOP_DEALLOCATE(9)
022ca2fc7fe0 Add aio_writev and aio_readv
7a202823aa54 Expose eventfd in the native API/ABI using a new __specialfd syscall
bdfe61e05e52 Permit cpuset_(get|set)domain() in capability mode.
472ced39efb5 Implement a close_range(2) syscall
e953765f1579 Allow getloginclass in capability mode
9cdfb2d69a52 Allow fdatasync in capability mode
146fc63fce9b Add a way to manage thread signal mask using shared word, instead of syscall.
20f7057685cd Add a shm_open2 syscall to support upcoming memfd_create
d05b53e0baee Add sysctlbyname system call
f30f7b987015 Enable copy_file_range(2) in capability mode.
a1304030b815 Introduce funlinkat syscall
82560231d322 capsicum: allow ppoll(2) in capability mode
0362ec1e8e80 getrandom(2) should not be restricted in capability mode.
5532aa9bb414 allow posix_fallocate in capability mode
f299c47b52b7 Allow cpuset_{get,set}affinity in capabilities mode
rG:2205e0d1bd28 Add futimens and utimensat system calls.
rG:c297f0e4972 Allow sigwait(2) in capabilities mode.

Capsicum-related syscall changes from 2014 on, for reference:

A quick look at the ones of these that I'd expect to require audit events and capsicum does appear to contain them.

The code changes look ok to me.

contrib/capsicum-test/copy_file_range.cc
156 ↗(On Diff #127769)

It would also be good to check that CAP_READ and CAP_WRITE are honored, i.e., check

EXPECT_NOTCAPABLE(copy_file_range(fd_out, NULL, fd_in, NULL, 8, 0));

I think all of your tests are verifying checks for CAP_SEEK.

contrib/capsicum-test/makefile
2 ↗(On Diff #127769)

I believe you also need to update tests/sys/capsicum/Makefile, otherwise the new file won't be built. This makefile is upstream's (which is effectively dead now...?) and doesn't get used by our build system, for better or worse.

oshogbo changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 28 2023, 1:49 PM
This revision was automatically updated to reflect the committed changes.