1 // Copyright (c) 2015-2017 Nuxi, https://nuxi.nl/
2 //
3 // Redistribution and use in source and binary forms, with or without
4 // modification, are permitted provided that the following conditions
5 // are met:
6 // 1. Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer.
8 // 2. Redistributions in binary form must reproduce the above copyright
9 // notice, this list of conditions and the following disclaimer in the
10 // documentation and/or other materials provided with the distribution.
11 //
12 // THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13 // ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14 // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15 // ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16 // FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17 // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18 // OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19 // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21 // OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22 // SUCH DAMAGE.
23
24 // <sys/capsicum.h> - file descriptor access controls
25 //
26 // Extensions:
27 // - CAP_FDATASYNC, CAP_POSIX_FADVISE, CAP_POSIX_FALLOCATE, CAP_READDIR,
28 // CAP_READLINKAT:
29 // fdatasync(), posix_fadvise(), posix_fallocate(), readdir() and
30 // readlink() can be controlled independently in this environment.
31 // - cap_rights_get_explicit() and cap_rights_limit_explicit():
32 // Capabilities are expressed as a pair of base and inheriting rights
33 // in this environment.
34 //
35 // Features missing:
36 // - CAP_FCHDIR:
37 // Per-process working directory is not available. Use *at() instead.
38 // - CAP_FCHFLAGS, CAP_CHFLAGSAT, CAP_FCHMOD, CAP_FCHMODAT, CAP_FCHOWN
39 // and CAP_FCHOWNAT:
40 // Filesystem access control management not available.
41 // - CAP_FLOCK:
42 // File locking not available.
43 // - CAP_FPATHCONF:
44 // TODO(ed): Add.
45 // - CAP_FSCK:
46 // Not applicable to this environment.
47 // - CAP_FSTATFS:
48 // Filesystem-level statistics not available.
49 // - CAP_ACCEPT, CAP_BIND, CAP_BINDAT, CAP_CONNECT, CAP_CONNECTAT,
50 // CAP_GETPEERNAME, CAP_GETSOCKNAME and CAP_LISTEN:
51 // Only anonymous, addressless sockets are supported.
52 // - CAP_KQUEUE, CAP_KQUEUE_CHANGE and CAP_KQUEUE_EVENT:
53 // BSD kqueue is not available.
54 // - CAP_MKFIFOAT:
55 // Only anonymous pipes are supported.
56 // - CAP_MKNODAT:
57 // Device nodes cannot be created.
58 // - CAP_GETSOCKOPT and CAP_SETSOCKOPT:
59 // Socket parameters cannot be adjusted.
60 // - CAP_MAC_*:
61 // Mandatory Access Control not available.
62 // - CAP_SEM_*:
63 // Semaphores are not represented as file descriptors.
64 // - CAP_IOCTL and cap_ioctls_*():
65 // ioctl() not available.
66 // - cap_fcntl_*():
67 // fcntl() rights cannot be adjusted granularly.
68 // - CAP_TTYHOOK:
69 // Terminal management is not available.
70 // - CAP_PDGETPID:
71 // Process identifiers are not exposed.
72 // - CAP_PDKILL:
73 // Explicit signal delivery is not supported.
74 // - CAP_EXTATTR_*:
75 // Extended inode attributes not available.
76 // - CAP_ACL_*:
77 // Access Control Lists not available.
78
79 #ifndef _SYS_CAPSICUM_H_
80 #define _SYS_CAPSICUM_H_
81
82 #include <_/limits.h>
83 #include <_/types.h>
84
// Storage for a rights mask: one bit per capability, assigned by _CAP_BIT()
// below.
typedef __uint64_t __cap_rights_bits_t;
// A set of rights.  Treat it as opaque: build and query it through the
// cap_rights_*() API rather than touching __value (a reserved name) directly.
typedef struct {
  __cap_rights_bits_t __value;  // Bitwise OR of CAP_* rights.
} cap_rights_t;
89
// Each right is one bit of a 64-bit mask.  _CAP_BIT() never yields zero, so the
// all-zero _CAP_SENTINEL is an unambiguous terminator for the variadic
// __cap_rights_*() argument lists declared below.
#define _CAP_BIT(f) (_UINT64_C(1) << (f))
#define _CAP_SENTINEL _UINT64_C(0)

// General file I/O.
//
// Several names are composites, and granting a composite grants every bit in
// it: CAP_CREATE includes CAP_LOOKUP (bit 14); CAP_PREAD/CAP_PWRITE include
// CAP_READ/CAP_WRITE; and CAP_PREAD, CAP_PWRITE and CAP_SEEK all share bit 2,
// so a set holding CAP_PREAD and CAP_SEEK_TELL also satisfies CAP_SEEK.  Keep
// this in mind when computing a minimal rights set for a descriptor.
#define CAP_CREATE (_CAP_BIT(10) | _CAP_BIT(14))
// fcntl() rights are all-or-nothing here; there is no cap_fcntl_*() API (see
// the "Features missing" list at the top of this file).
#define CAP_FCNTL _CAP_BIT(3)
#define CAP_FDATASYNC _CAP_BIT(0)
#define CAP_FEXECVE _CAP_BIT(32)
#define CAP_FSYNC _CAP_BIT(4)
#define CAP_FTRUNCATE _CAP_BIT(20)
// CAP_MMAP alone is bit 26.  The R/W variants add the matching I/O right; the X
// variants additionally carry bit 27, so CAP_MMAP_X is strictly more than
// CAP_MMAP.
#define CAP_MMAP _CAP_BIT(26)
#define CAP_MMAP_R (CAP_MMAP | CAP_READ)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_W (CAP_MMAP | CAP_WRITE)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_X (CAP_MMAP | _CAP_BIT(27))
#define CAP_POSIX_FADVISE _CAP_BIT(7) // Extension.
#define CAP_POSIX_FALLOCATE _CAP_BIT(8) // Extension.
#define CAP_PREAD (CAP_READ | _CAP_BIT(2))
#define CAP_PWRITE (CAP_WRITE | _CAP_BIT(2))
#define CAP_READ _CAP_BIT(1)
#define CAP_READDIR _CAP_BIT(15) // Extension.
#define CAP_SEEK (CAP_SEEK_TELL | _CAP_BIT(2))
#define CAP_SEEK_TELL _CAP_BIT(5)
#define CAP_WRITE _CAP_BIT(6)

// VFS methods.
// Rights that take a directory descriptor plus a path (the *AT names) are the
// ones that matter most when a descriptor is handed to less trusted code: each
// of them widens what is reachable from that directory.
#define CAP_FSTAT _CAP_BIT(19)
#define CAP_FSTATAT _CAP_BIT(22)
#define CAP_FUTIMES _CAP_BIT(21)
#define CAP_FUTIMESAT _CAP_BIT(23)
#define CAP_LINKAT_SOURCE _CAP_BIT(12)
#define CAP_LINKAT_TARGET _CAP_BIT(13)
#define CAP_LOOKUP _CAP_BIT(14)
#define CAP_MKDIRAT _CAP_BIT(9)
#define CAP_READLINKAT _CAP_BIT(16) // Extension.
#define CAP_RENAMEAT_SOURCE _CAP_BIT(17)
#define CAP_RENAMEAT_TARGET _CAP_BIT(18)
#define CAP_SYMLINKAT _CAP_BIT(24)
#define CAP_UNLINKAT _CAP_BIT(25)

// Socket operations.
// CAP_RECV and CAP_SEND are the very same bits as CAP_READ and CAP_WRITE, so a
// rights check cannot distinguish the two: whatever holds CAP_READ also holds
// CAP_RECV, and vice versa.
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SHUTDOWN _CAP_BIT(39)

// Commonly used socket operations.
// Both expand to the same set in this environment: there are no bind/listen/
// accept/connect rights here (only anonymous, addressless sockets exist, see
// the top of this file).
#define CAP_SOCK_CLIENT (CAP_RECV | CAP_SEND | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER (CAP_RECV | CAP_SEND | CAP_SHUTDOWN)

// Polling.
#define CAP_EVENT _CAP_BIT(28)

// Process descriptors.
#define CAP_PDWAIT _CAP_BIT(30)

// Public entry points of the rights API.  Each macro forwards to its variadic
// __cap_rights_*() back end and appends _CAP_SENTINEL as the list terminator;
// always go through the macros, because a direct call to the underlying
// function would lack that terminator.
#define cap_rights_clear(...) __cap_rights_clear(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_init(...) __cap_rights_init(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_is_set(...) __cap_rights_is_set(__VA_ARGS__, _CAP_SENTINEL)
#define cap_rights_set(...) __cap_rights_set(__VA_ARGS__, _CAP_SENTINEL)
152
__BEGIN_DECLS
// Fill the set with every right known to this environment, or with no right at
// all.  When _CLOUDLIBC_INLINE_FUNCTIONS is set, the macros defined further
// down replace these two declarations with the inline _CAP_ALL()/_CAP_NONE().
void CAP_ALL(cap_rights_t *);
void CAP_NONE(cap_rights_t *);
// Variadic back ends of the cap_rights_clear/init/is_set/set() macros.  The
// argument list is terminated by _CAP_SENTINEL, which the macros supply; do not
// call these directly.
cap_rights_t *__cap_rights_clear(cap_rights_t *, ...);
cap_rights_t *__cap_rights_init(cap_rights_t *, ...);
_Bool __cap_rights_is_set(const cap_rights_t *, ...);
cap_rights_t *__cap_rights_set(cap_rights_t *, ...);
// Capability-mode entry and query.  NOTE(review): return convention (0 on
// success, -1 with errno otherwise) is presumed from the int return type and
// the FreeBSD API this mirrors; confirm against the implementation.
int cap_enter(void);
int cap_getmode(unsigned int *);
// Subset test between two rights sets.
_Bool cap_rights_contains(const cap_rights_t *, const cap_rights_t *);
// Query or restrict the rights of a file descriptor.  The *_explicit()
// variants take the base and inheriting rights as two separate sets (see the
// "Extensions" note at the top of this file).  NOTE(review): in Capsicum a
// limit is expected to be monotonic -- rights can only be dropped, never
// regained -- confirm that the implementation rejects attempts to widen.
int cap_rights_get(int, cap_rights_t *);
int cap_rights_get_explicit(int, cap_rights_t *, cap_rights_t *);
int cap_rights_limit(int, const cap_rights_t *);
int cap_rights_limit_explicit(int, const cap_rights_t *, const cap_rights_t *);
// Presumably in-place union / difference of the first set with the second,
// returning the first argument (named after the FreeBSD API) -- verify.
cap_rights_t *cap_rights_merge(cap_rights_t *, const cap_rights_t *);
cap_rights_t *cap_rights_remove(cap_rights_t *, const cap_rights_t *);
// Whether the calling process is sandboxed; presumably the same condition
// cap_getmode() reports -- verify.
_Bool cap_sandboxed(void);
__END_DECLS
171
172 #if _CLOUDLIBC_INLINE_FUNCTIONS
// Inline CAP_ALL(): the full rights set as this header defines it.  Composite
// names (CAP_MMAP_R/W/RW*, CAP_SOCK_*, CAP_RECV/CAP_SEND) are not listed
// because their bits are already covered by the components below.
static __inline void _CAP_ALL(cap_rights_t *__rights) {
  __cap_rights_bits_t __all = 0;
  // General file I/O.
  __all |= CAP_CREATE | CAP_FCNTL | CAP_FDATASYNC | CAP_FEXECVE | CAP_FSYNC |
           CAP_FTRUNCATE | CAP_MMAP | CAP_MMAP_X | CAP_POSIX_FADVISE |
           CAP_POSIX_FALLOCATE | CAP_PREAD | CAP_PWRITE | CAP_READ |
           CAP_READDIR | CAP_SEEK | CAP_SEEK_TELL | CAP_WRITE;
  // VFS methods.
  __all |= CAP_FSTAT | CAP_FSTATAT | CAP_FUTIMES | CAP_FUTIMESAT |
           CAP_LINKAT_SOURCE | CAP_LINKAT_TARGET | CAP_LOOKUP | CAP_MKDIRAT |
           CAP_READLINKAT | CAP_RENAMEAT_SOURCE | CAP_RENAMEAT_TARGET |
           CAP_SYMLINKAT | CAP_UNLINKAT;
  // Sockets, polling and process descriptors.
  __all |= CAP_SHUTDOWN | CAP_EVENT | CAP_PDWAIT;
  __rights->__value = __all;
}
#define CAP_ALL(rights) _CAP_ALL(rights)
184
// Inline CAP_NONE(): resets *__rights to the empty set.  Building a set up
// from here with cap_rights_set() is the least-privilege way to describe what
// a descriptor needs, rather than trimming down from CAP_ALL().
static __inline void _CAP_NONE(cap_rights_t *__rights) {
  *__rights = (cap_rights_t){0};
}
#define CAP_NONE(rights) _CAP_NONE(rights)
189 #endif
190
191 #endif