strat9_kernel/

capability.rs

//! Capability-based Security System
//!
//! Implements a capability-based security model for Strat9-OS.
//! All kernel resources are accessed through unforgeable tokens (capabilities).

use crate::{
    ipc::{self, MultiHandleResource},
    process::TaskId,
    sync::SpinLock,
    vfs,
};
use alloc::{collections::BTreeMap, vec::Vec};
use core::sync::atomic::{AtomicU64, AtomicUsize, Ordering};

/// Unique identifier for a capability
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct CapId(u64);

/// Key for per-resource refcounting: (resource_type, resource_ptr)
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
struct ResourceKey(ResourceType, usize);

impl CapId {
    /// Generate a new unique capability ID
    pub fn new() -> Self {
        static NEXT_ID: AtomicU64 = AtomicU64::new(0);
        CapId(NEXT_ID.fetch_add(1, Ordering::SeqCst))
    }

    /// Convert a raw u64 into a CapId (used for syscall handles).
    pub fn from_raw(raw: u64) -> Self {
        CapId(raw)
    }

    /// Get the raw u64 value (for syscall return values).
    pub fn as_u64(self) -> u64 {
        self.0
    }
}

/// Types of kernel resources that can be accessed via capabilities
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum ResourceType {
    MemoryRegion,
    IoPortRange,
    InterruptLine,
    IpcPort,
    /// A typed MPMC sync-channel (SyncChan), accessed via SYS_CHAN_* syscalls.
    Channel,
    /// Shared-memory ring buffer for bulk IPC (SYS_IPC_RING_*).
    SharedRing,
    /// POSIX-like counting semaphore (SYS_SEM_*).
    Semaphore,
    Device,
    AddressSpace,
    Silo,
    Module,
    File,
    Nic,
    FileSystem,
    Console,
    Keyboard,
    Volume,
    Namespace,
}

/// Permissions associated with a capability
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CapPermissions {
    pub read: bool,
    pub write: bool,
    pub execute: bool,
    /// Allow granting this capability to other processes
    pub grant: bool,
    /// Allow revoking this capability
    pub revoke: bool,
}

impl CapPermissions {
    /// Create permissions with all rights disabled
    pub const fn none() -> Self {
        CapPermissions {
            read: false,
            write: false,
            execute: false,
            grant: false,
            revoke: false,
        }
    }

    /// Create permissions with read and write rights
    pub const fn read_write() -> Self {
        CapPermissions {
            read: true,
            write: true,
            execute: false,
            grant: false,
            revoke: false,
        }
    }

    /// Create permissions with all rights enabled
    pub const fn all() -> Self {
        CapPermissions {
            read: true,
            write: true,
            execute: true,
            grant: true,
            revoke: true,
        }
    }
}

/// A capability token that grants access to a kernel resource
#[derive(Debug, Clone)]
pub struct Capability {
    /// Unique identifier for this capability
    pub id: CapId,
    /// Type of resource this capability grants access to
    pub resource_type: ResourceType,
    /// Permissions associated with this capability
    pub permissions: CapPermissions,
    /// Reference to the actual resource (opaque to prevent direct access)
    pub resource: usize, // Actually a pointer to the resource, cast to usize
}

/// Table of capabilities for a process
pub struct CapabilityTable {
    /// Mapping from capability ID to capability
    capabilities: BTreeMap<CapId, Capability>,
}

impl Clone for CapabilityTable {
    /// Performs the clone operation.
    fn clone(&self) -> Self {
        Self {
            capabilities: self.capabilities.clone(),
        }
    }
}

impl CapabilityTable {
    /// Create a new empty capability table
    pub fn new() -> Self {
        CapabilityTable {
            capabilities: BTreeMap::new(),
        }
    }

    /// Insert a capability into the table
    pub fn insert(&mut self, cap: Capability) -> CapId {
        let id = cap.id;
        get_capability_manager().register_capability(cap.clone());
        self.capabilities.insert(id, cap);
        id
    }

    /// Remove a capability from the table
    pub fn remove(&mut self, id: CapId) -> Option<Capability> {
        let removed = self.capabilities.remove(&id);
        if removed.is_some() {
            let _ = get_capability_manager().revoke_capability(id);
        }
        removed
    }

    /// Get a reference to a capability (no permission check).
    pub fn get(&self, id: CapId) -> Option<&Capability> {
        self.capabilities.get(&id)
    }

    /// Revoke all capabilities in this table and clear it.
    /// Does not allocate memory.
    pub fn revoke_all(&mut self) {
        let capabilities = self.take_all();
        for capability in &capabilities {
            release_capability(capability, None);
        }
    }

    /// Removes and returns every capability in this table.
    pub fn take_all(&mut self) -> Vec<Capability> {
        core::mem::take(&mut self.capabilities)
            .into_values()
            .collect()
    }

    /// Check whether any capability of the given resource type has required permissions.
    pub fn has_resource_type_with_permissions(
        &self,
        resource_type: ResourceType,
        required: CapPermissions,
    ) -> bool {
        self.capabilities.values().any(|cap| {
            cap.resource_type == resource_type
                && (!required.read || cap.permissions.read)
                && (!required.write || cap.permissions.write)
                && (!required.execute || cap.permissions.execute)
                && (!required.grant || cap.permissions.grant)
                && (!required.revoke || cap.permissions.revoke)
        })
    }

    /// Check whether a specific resource has required permissions.
    pub fn has_resource_with_permissions(
        &self,
        resource_type: ResourceType,
        resource: usize,
        required: CapPermissions,
    ) -> bool {
        self.capabilities.values().any(|cap| {
            cap.resource_type == resource_type
                && cap.resource == resource
                && (!required.read || cap.permissions.read)
                && (!required.write || cap.permissions.write)
                && (!required.execute || cap.permissions.execute)
                && (!required.grant || cap.permissions.grant)
                && (!required.revoke || cap.permissions.revoke)
        })
    }

    /// Get a reference to a capability if it exists and has the required permissions
    pub fn get_with_permissions(&self, id: CapId, required: CapPermissions) -> Option<&Capability> {
        self.capabilities.get(&id).filter(|cap| {
            // Check if the capability has all required permissions
            (!required.read || cap.permissions.read)
                && (!required.write || cap.permissions.write)
                && (!required.execute || cap.permissions.execute)
                && (!required.grant || cap.permissions.grant)
                && (!required.revoke || cap.permissions.revoke)
        })
    }

    /// Get a mutable reference to a capability if it exists and has the required permissions
    pub fn get_mut_with_permissions(
        &mut self,
        id: CapId,
        required: CapPermissions,
    ) -> Option<&mut Capability> {
        if let Some(cap) = self.capabilities.get_mut(&id) {
            // Check if the capability has all required permissions
            if (!required.read || cap.permissions.read)
                && (!required.write || cap.permissions.write)
                && (!required.execute || cap.permissions.execute)
                && (!required.grant || cap.permissions.grant)
                && (!required.revoke || cap.permissions.revoke)
            {
                Some(cap)
            } else {
                None
            }
        } else {
            None
        }
    }

    /// Duplicate a capability (grant permission required)
    pub fn duplicate(&mut self, id: CapId) -> Option<Capability> {
        if let Some(cap) = self.capabilities.get(&id) {
            if cap.permissions.grant {
                // Create a new capability with the same properties
                Some(Capability {
                    id: CapId::new(),
                    resource_type: cap.resource_type,
                    permissions: cap.permissions,
                    resource: cap.resource,
                })
            } else {
                None
            }
        } else {
            None
        }
    }
}

/// Global capability manager
pub struct CapabilityManager {
    /// All capabilities in the system
    all_capabilities: SpinLock<BTreeMap<CapId, Capability>>,
    /// Per-resource refcounts for O(1) capability counting (no full-table scan)
    resource_refcounts: SpinLock<BTreeMap<ResourceKey, AtomicUsize>>,
}

impl CapabilityManager {
    /// Create a new capability manager
    pub fn new() -> Self {
        CapabilityManager {
            all_capabilities: SpinLock::new(BTreeMap::new()),
            resource_refcounts: SpinLock::new(BTreeMap::new()),
        }
    }

    /// Register a new resource and return a capability to access it
    pub fn create_capability(
        &self,
        resource_type: ResourceType,
        resource: usize,
        permissions: CapPermissions,
    ) -> Capability {
        let cap = Capability {
            id: CapId::new(),
            resource_type,
            permissions,
            resource,
        };

        self.all_capabilities.lock().insert(cap.id, cap.clone());
        self.increment_resource_refcount(resource_type, resource);
        cap
    }

    /// Register an already-created capability in the global table.
    pub fn register_capability(&self, cap: Capability) {
        let key = ResourceKey(cap.resource_type, cap.resource);
        self.all_capabilities.lock().insert(cap.id, cap);
        self.increment_resource_refcount_key(&key);
    }

    /// Revoke a capability (removes it from the global table)
    pub fn revoke_capability(&self, id: CapId) -> Option<Capability> {
        let removed = {
            let mut caps = self.all_capabilities.lock();
            caps.remove(&id)
        };
        if let Some(ref cap) = removed {
            let key = ResourceKey(cap.resource_type, cap.resource);
            self.decrement_resource_refcount(&key);
        }
        removed
    }

    /// Count remaining capabilities that still reference the same resource.
    /// O(1) lookup via per-resource refcount : no full-table scan.
    pub fn resource_capability_count(&self, resource_type: ResourceType, resource: usize) -> usize {
        let key = ResourceKey(resource_type, resource);
        self.resource_refcounts
            .lock()
            .get(&key)
            .map(|rc| rc.load(Ordering::Relaxed))
            .unwrap_or(0)
    }

    // -- Internal refcount helpers --

    fn increment_resource_refcount(&self, resource_type: ResourceType, resource: usize) {
        let key = ResourceKey(resource_type, resource);
        self.increment_resource_refcount_key(&key);
    }

    fn increment_resource_refcount_key(&self, key: &ResourceKey) {
        let mut refcounts = self.resource_refcounts.lock();
        let entry = refcounts.entry(*key).or_insert_with(|| AtomicUsize::new(0));
        entry.fetch_add(1, Ordering::Relaxed);
    }

    fn decrement_resource_refcount(&self, key: &ResourceKey) {
        let mut refcounts = self.resource_refcounts.lock();
        // Check and remove under the same lock acquisition to avoid the TOCTOU
        // window where another thread could increment the refcount between the
        // `drop` and the second `lock().remove()`.
        let should_remove = if let Some(rc) = refcounts.get(key) {
            rc.fetch_sub(1, Ordering::Relaxed) == 1
        } else {
            false
        };
        if should_remove {
            refcounts.remove(key);
        }
    }
}

use spin::Once;

static CAPABILITY_MANAGER: Once<CapabilityManager> = Once::new();

/// Get a reference to the global capability manager
pub fn get_capability_manager() -> &'static CapabilityManager {
    CAPABILITY_MANAGER.call_once(CapabilityManager::new)
}

/// Releases a capability and cleans up the underlying resource.
pub fn release_capability(cap: &Capability, owner_task: Option<TaskId>) {
    let _ = get_capability_manager().revoke_capability(cap.id);
    let remaining_caps =
        get_capability_manager().resource_capability_count(cap.resource_type, cap.resource);

    let shared_resource = match cap.resource_type {
        ResourceType::SharedRing => Some(MultiHandleResource::SharedRing(ipc::RingId::from_u64(
            cap.resource as u64,
        ))),
        ResourceType::Semaphore => Some(MultiHandleResource::Semaphore(ipc::SemId::from_u64(
            cap.resource as u64,
        ))),
        ResourceType::Channel => Some(MultiHandleResource::Channel(ipc::ChanId::from_u64(
            cap.resource as u64,
        ))),
        ResourceType::IpcPort => Some(MultiHandleResource::IpcPort {
            id: ipc::PortId::from_u64(cap.resource as u64),
            owner: owner_task,
        }),
        _ => None,
    };

    if let Some(resource) = shared_resource {
        if remaining_caps == 0 {
            let _ = resource.destroy();
        }
        return;
    }

    match cap.resource_type {
        ResourceType::File => {
            if let Ok(fd) = u32::try_from(cap.resource) {
                let _ = vfs::close(fd);
            }
        }
        ResourceType::MemoryRegion => {
            let _ =
                crate::memory::memory_region_registry().release_handle(cap.resource as u64, cap.id);
        }
        _ => {}
    }
}