Add a way to restrict permissions on cap duplication.

This commit is contained in:
Drew Galbraith 2023-11-02 22:12:55 -07:00
parent 7dd10a3e53
commit f31652b981
10 changed files with 15 additions and 15 deletions


@ -9,8 +9,7 @@ void EndpointServerThreadBootstrap(void* endpoint_server) {
glcr::ErrorOr<glcr::UniquePtr<EndpointClient>> EndpointServer::CreateClient() {
uint64_t client_cap;
// FIXME: Restrict permissions to send-only here.
RET_ERR(ZCapDuplicate(endpoint_cap_, &client_cap));
RET_ERR(ZCapDuplicate(endpoint_cap_, ~(kZionPerm_Read), &client_cap));
return EndpointClient::AdoptEndpoint(client_cap);
}
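Review bot: `~(kZionPerm_Read)` is a denylist mask, so the client copy keeps every permission bit except Read — including `kZionPerm_Duplicate` (the bit the kernel checks before allowing further copies) and any bit that is later added to endpoint capabilities — whereas the FIXME it replaces asked for send-only. An allowlist naming exactly the bits a client needs (the send-side bit, plus `kZionPerm_Duplicate` only if clients are expected to hand the endpoint on) makes the attenuation explicit and does not widen silently as the permission set grows; a one-line comment such as `// Client copy: Read is withheld so only this server can receive on the endpoint.` would record the intent either way. The same mask is used in PortServer::CreateClient, in the generated DenaliServerBase/VFSServerBase/YellowstoneServerBase CreateClient methods, and in the {{interface.name}}ServerBase template they are generated from, so the template and PortServer are the two places to change.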


@ -13,9 +13,8 @@ PortServer PortServer::AdoptCap(z_cap_t cap) { return PortServer(cap); }
PortServer::PortServer(z_cap_t port_cap) : port_cap_(port_cap) {}
glcr::ErrorOr<PortClient> PortServer::CreateClient() {
// FIXME: Restrict permissions.
z_cap_t new_port;
RET_ERR(ZCapDuplicate(port_cap_, &new_port));
RET_ERR(ZCapDuplicate(port_cap_, ~(kZionPerm_Read), &new_port));
return PortClient::AdoptPort(new_port);
}


@ -31,8 +31,7 @@ void DenaliServerBaseThreadBootstrap(void* server_base) {
glcr::ErrorOr<DenaliClient> DenaliServerBase::CreateClient() {
uint64_t client_cap;
// FIXME: Restrict permissions to send-only here.
RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
return DenaliClient(client_cap);
}


@ -31,8 +31,7 @@ void VFSServerBaseThreadBootstrap(void* server_base) {
glcr::ErrorOr<VFSClient> VFSServerBase::CreateClient() {
uint64_t client_cap;
// FIXME: Restrict permissions to send-only here.
RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
return VFSClient(client_cap);
}


@ -31,8 +31,7 @@ void YellowstoneServerBaseThreadBootstrap(void* server_base) {
glcr::ErrorOr<YellowstoneClient> YellowstoneServerBase::CreateClient() {
uint64_t client_cap;
// FIXME: Restrict permissions to send-only here.
RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
return YellowstoneClient(client_cap);
}


@ -60,7 +60,7 @@ glcr::ErrorCode YellowstoneServer::HandleGetAhciInfo(const Empty&,
glcr::ErrorCode YellowstoneServer::HandleGetDenali(const Empty&,
DenaliInfo& info) {
z_cap_t new_denali;
check(ZCapDuplicate(denali_cap_, &new_denali));
check(ZCapDuplicate(denali_cap_, kZionPerm_All, &new_denali));
info.set_denali_endpoint(new_denali);
info.set_device_id(device_id_);
info.set_lba_offset(lba_offset_);

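Review bot: `kZionPerm_All` in HandleGetDenali hands the requester a copy of `denali_cap_` carrying every right this server holds, including Read and Duplicate, which makes it the one duplicate in this commit that is not attenuated. If the requester only needs to send on the denali endpoint, the attenuated mask used by the CreateClient methods applies here too; if a full-rights copy is intentional, a comment stating that (`// Intentionally unattenuated: the requester is meant to hold the same rights on denali as this server.`) keeps it from reading as an oversight. HandleGetDenali continues past the end of the hunk.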

@ -31,8 +31,7 @@ void {{interface.name}}ServerBaseThreadBootstrap(void* server_base) {
glcr::ErrorOr<{{interface.name}}Client> {{interface.name}}ServerBase::CreateClient() {
uint64_t client_cap;
// FIXME: Restrict permissions to send-only here.
RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
return {{interface.name}}Client(client_cap);
}


@ -55,7 +55,7 @@ SYS5(ReplyPortSend, z_cap_t, reply_port_cap, uint64_t, num_bytes, const void*,
SYS5(ReplyPortRecv, z_cap_t, reply_port_cap, uint64_t*, num_bytes, void*, data,
uint64_t*, num_caps, z_cap_t*, caps);
SYS2(CapDuplicate, z_cap_t, cap_in, z_cap_t*, cap_out);
SYS3(CapDuplicate, z_cap_t, cap_in, z_perm_t, perm_mask, z_cap_t*, cap_out);
SYS1(MutexCreate, z_cap_t*, mutex_cap);
SYS1(MutexLock, z_cap_t, mutex_cap);
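Review bot: The new `perm_mask` parameter on the `SYS3(CapDuplicate, ...)` declaration is undocumented, and its semantics are what callers need to know: in the kernel handler it is ANDed with the source capability's permissions, so a mask can only remove rights, never add them, and `kZionPerm_All` yields a plain copy. A comment on the declaration such as `// perm_mask is intersected with cap_in's permissions; the new cap can only lose rights.` would make that contract visible at the syscall boundary rather than only in the kernel source.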


@ -67,6 +67,7 @@ const uint64_t kZionDebug = 0x1'0000;
* ------------------------------*/
typedef uint64_t z_cap_t;
typedef uint64_t z_perm_t;
const uint64_t kZionInvalidCapability = 0x0;
@ -87,6 +88,9 @@ const uint64_t kZionPerm_SpawnThread = 0x200;
const uint64_t kZionPerm_Lock = 0x100;
const uint64_t kZionPerm_Release = 0x200;
const z_perm_t kZionPerm_None = 0;
const z_perm_t kZionPerm_All = -1;
/* ------------------------------
* Process Init Types
*


@ -13,6 +13,8 @@ z_err_t CapDuplicate(ZCapDuplicateReq* req) {
if (!(cap->permissions() & kZionPerm_Duplicate)) {
return glcr::CAP_PERMISSION_DENIED;
}
*req->cap_out = proc.AddExistingCapability(cap);
*req->cap_out = proc.AddNewCapability(cap->raw_obj(),
cap->permissions() & req->perm_mask);
return glcr::OK;
}
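Review bot: The intersection `cap->permissions() & req->perm_mask` is the property that keeps a user-supplied mask safe — the duplicate can only lose rights relative to the source — and nothing in the function says so; a comment above the AddNewCapability call, `// Intersect, never assign: user space can attenuate the copy but not escalate it.`, would document the invariant the Duplicate check above depends on. A mask sharing no bits with the source produces a capability holding kZionPerm_None; if that is a caller error rather than a legitimate outcome, an explicit check returning an error before the capability is added would surface it. CapDuplicate begins before this hunk.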