scoutos / prex-0.9.0 / usr / server / fs / vfs / vfs_security.c @ 03e9c04a
History | View | Annotate | Download (6.25 KB)
| 1 | 03e9c04a | Brad Neuman | /*-
|
|---|---|---|---|
| 2 | * Copyright (c) 2007, Kohsuke Ohtani All rights reserved.
|
||
| 3 | *
|
||
| 4 | * Redistribution and use in source and binary forms, with or without
|
||
| 5 | * modification, are permitted provided that the following conditions
|
||
| 6 | * are met:
|
||
| 7 | * 1. Redistributions of source code must retain the above copyright
|
||
| 8 | * notice, this list of conditions and the following disclaimer.
|
||
| 9 | * 2. Redistributions in binary form must reproduce the above copyright
|
||
| 10 | * notice, this list of conditions and the following disclaimer in the
|
||
| 11 | * documentation and/or other materials provided with the distribution.
|
||
| 12 | * 3. Neither the name of the author nor the names of any co-contributors
|
||
| 13 | * may be used to endorse or promote products derived from this software
|
||
| 14 | * without specific prior written permission.
|
||
| 15 | *
|
||
| 16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||
| 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
| 18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
| 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||
| 20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
| 21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
| 22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
| 23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
| 24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
| 25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
| 26 | * SUCH DAMAGE.
|
||
| 27 | */
|
||
| 28 | |||
| 29 | /*
|
||
| 30 | * vfs_security.c - Routines to check security permission.
|
||
| 31 | */
|
||
| 32 | |||
| 33 | /**
|
||
| 34 | * General Design:
|
||
| 35 | *
|
||
| 36 | * Prex supports the file access permission based on the path
|
||
| 37 | * name. It means that the applications can access to only
|
||
| 38 | * certain area of the file system.
|
||
| 39 | *
|
||
| 40 | * The file system has the following structure:
|
||
| 41 | *
|
||
| 42 | * /boot
|
||
| 43 | *
|
||
| 44 | * This directory contains the server executable files and
|
||
| 45 | * the system files required for OS boot. Reading this
|
||
| 46 | * directory is allowed only to the server process which has
|
||
| 47 | * CAP_SYSFILES capability. Nobody can write to this
|
||
| 48 | * directory at any time.
|
||
| 49 | *
|
||
| 50 | * /bin
|
||
| 51 | *
|
||
| 52 | * This directory contains the trusted applications. This
|
||
| 53 | * is read-only directory for normal processes, and
|
||
| 54 | * CAP_SYSFILES is required to write files to it. In typical
|
||
| 55 | * case, a software installer has right to copy the
|
||
| 56 | * executable files to this directory.
|
||
| 57 | *
|
||
| 58 | * /etc
|
||
| 59 | *
|
||
| 60 | * This directory contains the various configuration files.
|
||
| 61 | * This is read-only for normal processes, and CAP_SYSFILES
|
||
| 62 | * is required to modify /etc. The system configurator has
|
||
| 63 | * responsible to modify the contents in /etc.
|
||
| 64 | *
|
||
| 65 | * /private
|
||
| 66 | *
|
||
| 67 | * This is the restricted system area and is inaccessible to
|
||
| 68 | * the normal processes. It contains private user data like
|
||
| 69 | * address book or calendar entries. CAP_USERFILES
|
||
| 70 | * capability is required to access to the /private
|
||
| 71 | * contents. The PIM application will have CAP_USERFILES.
|
||
| 72 | *
|
||
| 73 | * /all the rest
|
||
| 74 | *
|
||
| 75 | * Access to all the other directories is unrestricted.
|
||
| 76 | *
|
||
| 77 | *
|
||
| 78 | * <Directories and required capabilities>
|
||
| 79 | *
|
||
| 80 | * Directory Read Write Execute
|
||
| 81 | * --------- ------------- ------------- --------------
|
||
| 82 | * /boot CAP_SYSFILES Not Allowed Any
|
||
| 83 | *
|
||
| 84 | * /bin Any CAP_SYSFILES Any
|
||
| 85 | *
|
||
| 86 | * /etc Any CAP_SYSFILES Not Allowed
|
||
| 87 | *
|
||
| 88 | * /private CAP_USERFILES CAP_USERFILES Not Allowed
|
||
| 89 | *
|
||
| 90 | * /other Any Any Not Allowed
|
||
| 91 | *
|
||
| 92 | */
|
||
| 93 | |||
| 94 | #include <sys/prex.h> |
||
| 95 | #include <sys/list.h> |
||
| 96 | #include <sys/fcntl.h> |
||
| 97 | |||
| 98 | #include <limits.h> |
||
| 99 | #include <stdlib.h> |
||
| 100 | #include <string.h> |
||
| 101 | #include <stdio.h> |
||
| 102 | #include <errno.h> |
||
| 103 | |||
| 104 | #include "vfs.h" |
||
| 105 | |||
| 106 | #define ACC_NG -1 /* access is not allowed */ |
||
| 107 | #define ACC_OK 0 /* access is allowed */ |
||
| 108 | |||
| 109 | /*
|
||
| 110 | * Capability mapping for path and file access
|
||
| 111 | */
|
||
| 112 | struct fscap_map {
|
||
| 113 | char *path; /* directory name */ |
||
| 114 | size_t len; /* length of directory name */
|
||
| 115 | int cap_read; /* required capability to read */ |
||
| 116 | int cap_write; /* required capability to write */ |
||
| 117 | int cap_exec; /* required capability to execute */ |
||
| 118 | }; |
||
| 119 | |||
| 120 | /*
|
||
| 121 | * Capability mapping table
|
||
| 122 | */
|
||
| 123 | static const struct fscap_map fscap_table[] = |
||
| 124 | {
|
||
| 125 | /* path len read write execute */
|
||
| 126 | /* ----------- --- -------------- -------------- ------------- */
|
||
| 127 | { "/boot/", 6, CAP_SYSFILES, ACC_NG, ACC_OK },
|
||
| 128 | { "/bin/", 5, ACC_OK, CAP_SYSFILES, ACC_OK },
|
||
| 129 | { "/etc/", 5, ACC_OK, CAP_SYSFILES, ACC_NG },
|
||
| 130 | { "/private/", 9, CAP_USERFILES, CAP_USERFILES, ACC_NG },
|
||
| 131 | { NULL, 0, 0, 0, 0 },
|
||
| 132 | }; |
||
| 133 | |||
| 134 | |||
| 135 | /*
|
||
| 136 | * Return true if the task has specified capability.
|
||
| 137 | */
|
||
| 138 | static int |
||
| 139 | capable(task_t task, cap_t cap) |
||
| 140 | {
|
||
| 141 | |||
| 142 | if (cap == ACC_OK)
|
||
| 143 | return 1; |
||
| 144 | |||
| 145 | if (cap == ACC_NG)
|
||
| 146 | return 0; |
||
| 147 | |||
| 148 | if (task_chkcap(task, cap) != 0) { |
||
| 149 | /* No capability */
|
||
| 150 | return 0; |
||
| 151 | } |
||
| 152 | return 1; |
||
| 153 | } |
||
| 154 | |||
| 155 | /*
|
||
| 156 | * Check if the task has capability to access the file.
|
||
| 157 | * Return 0 if it has capability.
|
||
| 158 | */
|
||
| 159 | int
|
||
| 160 | sec_file_permission(task_t task, char *path, int acc) |
||
| 161 | {
|
||
| 162 | const struct fscap_map *map; |
||
| 163 | int found = 0; |
||
| 164 | int error = 0; |
||
| 165 | |||
| 166 | if (acc == 0) |
||
| 167 | return 0; |
||
| 168 | |||
| 169 | /*
|
||
| 170 | * Look up capability mapping table.
|
||
| 171 | */
|
||
| 172 | map = &fscap_table[0];
|
||
| 173 | while (map->path != NULL) { |
||
| 174 | if (!strncmp(path, map->path, map->len)) {
|
||
| 175 | found = 1;
|
||
| 176 | break;
|
||
| 177 | } |
||
| 178 | map++; |
||
| 179 | } |
||
| 180 | |||
| 181 | if (found) {
|
||
| 182 | /*
|
||
| 183 | * File under known directory.
|
||
| 184 | */
|
||
| 185 | if (acc & VREAD) {
|
||
| 186 | if (!capable(task, map->cap_read))
|
||
| 187 | error = EACCES; |
||
| 188 | } |
||
| 189 | if (acc & VWRITE) {
|
||
| 190 | if (!capable(task, map->cap_write))
|
||
| 191 | error = EACCES; |
||
| 192 | } |
||
| 193 | DPRINTF(VFSDB_CAP, |
||
| 194 | ("sec_file_permission: known directory "
|
||
| 195 | "path=%s read=%x write=%x execute=%d\n",
|
||
| 196 | path, map->cap_read, map->cap_write, map->cap_exec)); |
||
| 197 | } |
||
| 198 | |||
| 199 | if (error != 0) { |
||
| 200 | DPRINTF(VFSDB_CAP, |
||
| 201 | ("sec_file_permission: no capability for %02x "
|
||
| 202 | "task=%08x path=%s\n",
|
||
| 203 | acc, task, path)); |
||
| 204 | } |
||
| 205 | return error;
|
||
| 206 | } |
||
| 207 | |||
| 208 | /*
|
||
| 209 | * Check if the file is executable.
|
||
| 210 | */
|
||
| 211 | int
|
||
| 212 | sec_vnode_permission(char *path)
|
||
| 213 | {
|
||
| 214 | const struct fscap_map *map; |
||
| 215 | int found = 0; |
||
| 216 | |||
| 217 | /*
|
||
| 218 | * Look up capability mapping table.
|
||
| 219 | */
|
||
| 220 | map = &fscap_table[0];
|
||
| 221 | while (map->path != NULL) { |
||
| 222 | if (!strncmp(path, map->path, map->len)) {
|
||
| 223 | found = 1;
|
||
| 224 | break;
|
||
| 225 | } |
||
| 226 | map++; |
||
| 227 | } |
||
| 228 | |||
| 229 | /*
|
||
| 230 | * We allow the file execution only with the file
|
||
| 231 | * under specific directories.
|
||
| 232 | */
|
||
| 233 | if ((found == 1) && (map->cap_exec == ACC_OK)) { |
||
| 234 | return 0; |
||
| 235 | } |
||
| 236 | return EACCES;
|
||
| 237 | } |