Add a way to restrict permissions on cap duplication.

2023-11-02 22:12:55 -07:00 · 2023-11-02 22:12:55 -07:00 · f31652b981
parent 7dd10a3e53
commit f31652b981
10 changed files with 15 additions and 15 deletions
--- a/lib/mammoth/src/endpoint_server.cpp
+++ b/lib/mammoth/src/endpoint_server.cpp
@ -9,8 +9,7 @@ void EndpointServerThreadBootstrap(void* endpoint_server) {

 glcr::ErrorOr<glcr::UniquePtr<EndpointClient>> EndpointServer::CreateClient() {
  uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_cap_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_cap_, ~(kZionPerm_Read), &client_cap));
  return EndpointClient::AdoptEndpoint(client_cap);
 }

--- a/lib/mammoth/src/port_server.cpp
+++ b/lib/mammoth/src/port_server.cpp
@ -13,9 +13,8 @@ PortServer PortServer::AdoptCap(z_cap_t cap) { return PortServer(cap); }
 PortServer::PortServer(z_cap_t port_cap) : port_cap_(port_cap) {}

 glcr::ErrorOr<PortClient> PortServer::CreateClient() {
-  // FIXME: Restrict permissions.
  z_cap_t new_port;
-  RET_ERR(ZCapDuplicate(port_cap_, &new_port));
+  RET_ERR(ZCapDuplicate(port_cap_, ~(kZionPerm_Read), &new_port));
  return PortClient::AdoptPort(new_port);
 }

--- a/sys/denali/lib/denali/denali.yunq.server.cpp
+++ b/sys/denali/lib/denali/denali.yunq.server.cpp
@ -31,8 +31,7 @@ void DenaliServerBaseThreadBootstrap(void* server_base) {

 glcr::ErrorOr<DenaliClient> DenaliServerBase::CreateClient() {
  uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
  return DenaliClient(client_cap);
 }

--- a/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp
+++ b/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp
@ -31,8 +31,7 @@ void VFSServerBaseThreadBootstrap(void* server_base) {

 glcr::ErrorOr<VFSClient> VFSServerBase::CreateClient() {
  uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
  return VFSClient(client_cap);
 }

--- a/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp
+++ b/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp
@ -31,8 +31,7 @@ void YellowstoneServerBaseThreadBootstrap(void* server_base) {

 glcr::ErrorOr<YellowstoneClient> YellowstoneServerBase::CreateClient() {
  uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
  return YellowstoneClient(client_cap);
 }

--- a/sys/yellowstone/yellowstone_server.cpp
+++ b/sys/yellowstone/yellowstone_server.cpp
@ -60,7 +60,7 @@ glcr::ErrorCode YellowstoneServer::HandleGetAhciInfo(const Empty&,
 glcr::ErrorCode YellowstoneServer::HandleGetDenali(const Empty&,
                                                   DenaliInfo& info) {
  z_cap_t new_denali;
-  check(ZCapDuplicate(denali_cap_, &new_denali));
+  check(ZCapDuplicate(denali_cap_, kZionPerm_All, &new_denali));
  info.set_denali_endpoint(new_denali);
  info.set_device_id(device_id_);
  info.set_lba_offset(lba_offset_);
--- a/yunq/server.cpp.jinja
+++ b/yunq/server.cpp.jinja
@ -31,8 +31,7 @@ void {{interface.name}}ServerBaseThreadBootstrap(void* server_base) {

 glcr::ErrorOr<{{interface.name}}Client> {{interface.name}}ServerBase::CreateClient() {
  uint64_t client_cap;
-  // FIXME: Restrict permissions to send-only here.
-  RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+  RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
  return {{interface.name}}Client(client_cap);
 }

--- a/zion/include/zcall.h
+++ b/zion/include/zcall.h
@ -55,7 +55,7 @@ SYS5(ReplyPortSend, z_cap_t, reply_port_cap, uint64_t, num_bytes, const void*,
 SYS5(ReplyPortRecv, z_cap_t, reply_port_cap, uint64_t*, num_bytes, void*, data,
     uint64_t*, num_caps, z_cap_t*, caps);

-SYS2(CapDuplicate, z_cap_t, cap_in, z_cap_t*, cap_out);
+SYS3(CapDuplicate, z_cap_t, cap_in, z_perm_t, perm_mask, z_cap_t*, cap_out);

 SYS1(MutexCreate, z_cap_t*, mutex_cap);
 SYS1(MutexLock, z_cap_t, mutex_cap);
--- a/zion/include/ztypes.h
+++ b/zion/include/ztypes.h
@ -67,6 +67,7 @@ const uint64_t kZionDebug = 0x1'0000;
 * ------------------------------*/

 typedef uint64_t z_cap_t;
+typedef uint64_t z_perm_t;

 const uint64_t kZionInvalidCapability = 0x0;

@ -87,6 +88,9 @@ const uint64_t kZionPerm_SpawnThread = 0x200;
 const uint64_t kZionPerm_Lock = 0x100;
 const uint64_t kZionPerm_Release = 0x200;

+const z_perm_t kZionPerm_None = 0;
+const z_perm_t kZionPerm_All = -1;
+
 /* ------------------------------
 * Process Init Types
 *
--- a/zion/syscall/capability.cpp
+++ b/zion/syscall/capability.cpp
@ -13,6 +13,8 @@ z_err_t CapDuplicate(ZCapDuplicateReq* req) {
  if (!(cap->permissions() & kZionPerm_Duplicate)) {
    return glcr::CAP_PERMISSION_DENIED;
  }
-  *req->cap_out = proc.AddExistingCapability(cap);
+
+  *req->cap_out = proc.AddNewCapability(cap->raw_obj(),
+                                        cap->permissions() & req->perm_mask);
  return glcr::OK;
 }