1 /*-
2 * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
4 * Copyright (c) 2005 Tom Rhodes
5 * Copyright (c) 2006 SPARTA, Inc.
6 * All rights reserved.
7 *
8 * This software was developed by Robert Watson for the TrustedBSD Project.
9 * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
10 *
11 * This software was developed for the FreeBSD Project in part by Network
12 * Associates Laboratories, the Security Research Division of Network
13 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
14 * as part of the DARPA CHATS research program.
15 *
16 * This software was enhanced by SPARTA ISSO under SPAWAR contract
17 * N66001-04-C-6019 ("SEFOS").
18 *
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
21 * are met:
22 * 1. Redistributions of source code must retain the above copyright
23 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in the
26 * documentation and/or other materials provided with the distribution.
27 *
28 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 *
40 * $FreeBSD$
41 */
42
43 /*
44 * Developed by the TrustedBSD Project.
45 *
46 * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
47 * firewall-like rules regarding users and file system objects.
48 */
49
50 #include <sys/param.h>
51 #include <sys/acl.h>
52 #include <sys/kernel.h>
53 #include <sys/jail.h>
54 #include <sys/lock.h>
55 #include <sys/malloc.h>
56 #include <sys/module.h>
57 #include <sys/mount.h>
58 #include <sys/mutex.h>
59 #include <sys/priv.h>
60 #include <sys/proc.h>
61 #include <sys/systm.h>
62 #include <sys/vnode.h>
63 #include <sys/sysctl.h>
64 #include <sys/syslog.h>
65 #include <sys/stat.h>
66
67 #include <security/mac/mac_policy.h>
68 #include <security/mac_bsdextended/mac_bsdextended.h>
69 #include <security/mac_bsdextended/ugidfw_internal.h>
70
71 static struct mtx ugidfw_mtx;
72
73 SYSCTL_DECL(_security_mac);
74
75 static SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
76 "TrustedBSD extended BSD MAC policy controls");
77
78 static int ugidfw_enabled = 1;
79 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RWTUN,
80 &ugidfw_enabled, 0, "Enforce extended BSD policy");
81
82 static MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended",
83 "BSD Extended MAC rule");
84
85 #define MAC_BSDEXTENDED_MAXRULES 250
86 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
87 static int rule_count = 0;
88 static int rule_slots = 0;
89 static int rule_version = MB_VERSION;
90
91 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
92 &rule_count, 0, "Number of defined rules\n");
93 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
94 &rule_slots, 0, "Number of used rule slots\n");
95 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
96 &rule_version, 0, "Version number for API\n");
97
98 /*
99 * This is just used for logging purposes, eventually we would like to log
100 * much more then failed requests.
101 */
102 static int ugidfw_logging;
103 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
104 &ugidfw_logging, 0, "Log failed authorization requests");
105
106 /*
107 * This tunable is here for compatibility. It will allow the user to switch
108 * between the new mode (first rule matches) and the old functionality (all
109 * rules match).
110 */
111 static int ugidfw_firstmatch_enabled;
112 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
113 CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
114 "Disable/enable match first rule functionality");
115
116 static int
117 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
118 {
119
120 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
121 return (EINVAL);
122 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
123 return (EINVAL);
124 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
125 return (EINVAL);
126 if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
127 return (EINVAL);
128 if (((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) != 0) &&
129 (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
130 return (EINVAL);
131 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
132 return (EINVAL);
133 return (0);
134 }
135
136 static int
137 sysctl_rule(SYSCTL_HANDLER_ARGS)
138 {
139 struct mac_bsdextended_rule temprule, *ruleptr;
140 u_int namelen;
141 int error, index, *name;
142
143 error = 0;
144 name = (int *)arg1;
145 namelen = arg2;
146 if (namelen != 1)
147 return (EINVAL);
148 index = name[0];
149 if (index >= MAC_BSDEXTENDED_MAXRULES)
150 return (ENOENT);
151
152 ruleptr = NULL;
153 if (req->newptr && req->newlen != 0) {
154 error = SYSCTL_IN(req, &temprule, sizeof(temprule));
155 if (error)
156 return (error);
157 ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
158 M_WAITOK | M_ZERO);
159 }
160
161 mtx_lock(&ugidfw_mtx);
162 if (req->oldptr) {
163 if (index < 0 || index > rule_slots + 1) {
164 error = ENOENT;
165 goto out;
166 }
167 if (rules[index] == NULL) {
168 error = ENOENT;
169 goto out;
170 }
171 temprule = *rules[index];
172 }
173 if (req->newptr && req->newlen == 0) {
174 KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
175 ruleptr = rules[index];
176 if (ruleptr == NULL) {
177 error = ENOENT;
178 goto out;
179 }
180 rule_count--;
181 rules[index] = NULL;
182 } else if (req->newptr) {
183 error = ugidfw_rule_valid(&temprule);
184 if (error)
185 goto out;
186 if (rules[index] == NULL) {
187 *ruleptr = temprule;
188 rules[index] = ruleptr;
189 ruleptr = NULL;
190 if (index + 1 > rule_slots)
191 rule_slots = index + 1;
192 rule_count++;
193 } else
194 *rules[index] = temprule;
195 }
196 out:
197 mtx_unlock(&ugidfw_mtx);
198 if (ruleptr != NULL)
199 free(ruleptr, M_MACBSDEXTENDED);
200 if (req->oldptr && error == 0)
201 error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
202 return (error);
203 }
204
205 static SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
206 CTLFLAG_MPSAFE | CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
207
208 static void
209 ugidfw_init(struct mac_policy_conf *mpc)
210 {
211
212 mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
213 }
214
215 static void
216 ugidfw_destroy(struct mac_policy_conf *mpc)
217 {
218 int i;
219
220 for (i = 0; i < MAC_BSDEXTENDED_MAXRULES; i++) {
221 if (rules[i] != NULL)
222 free(rules[i], M_MACBSDEXTENDED);
223 }
224 mtx_destroy(&ugidfw_mtx);
225 }
226
227 static int
228 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
229 struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
230 {
231 int mac_granted, match, priv_granted;
232 int i;
233
234 /*
235 * Is there a subject match?
236 */
237 mtx_assert(&ugidfw_mtx, MA_OWNED);
238 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
239 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
240 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
241 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
242 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
243 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
244 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
245 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
246 match = !match;
247 if (!match)
248 return (0);
249 }
250
251 if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
252 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
253 cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
254 (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
255 cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
256 if (!match) {
257 for (i = 0; i < cred->cr_ngroups; i++) {
258 if (cred->cr_groups[i]
259 <= rule->mbr_subject.mbs_gid_max &&
260 cred->cr_groups[i]
261 >= rule->mbr_subject.mbs_gid_min) {
262 match = 1;
263 break;
264 }
265 }
266 }
267 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
268 match = !match;
269 if (!match)
270 return (0);
271 }
272
273 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
274 match =
275 (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
276 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
277 match = !match;
278 if (!match)
279 return (0);
280 }
281
282 /*
283 * Is there an object match?
284 */
285 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
286 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
287 vap->va_uid >= rule->mbr_object.mbo_uid_min);
288 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
289 match = !match;
290 if (!match)
291 return (0);
292 }
293
294 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
295 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
296 vap->va_gid >= rule->mbr_object.mbo_gid_min);
297 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
298 match = !match;
299 if (!match)
300 return (0);
301 }
302
303 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
304 match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
305 &(rule->mbr_object.mbo_fsid),
306 sizeof(rule->mbr_object.mbo_fsid)) == 0);
307 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
308 match = !match;
309 if (!match)
310 return (0);
311 }
312
313 if (rule->mbr_object.mbo_flags & MBO_SUID) {
314 match = (vap->va_mode & S_ISUID);
315 if (rule->mbr_object.mbo_neg & MBO_SUID)
316 match = !match;
317 if (!match)
318 return (0);
319 }
320
321 if (rule->mbr_object.mbo_flags & MBO_SGID) {
322 match = (vap->va_mode & S_ISGID);
323 if (rule->mbr_object.mbo_neg & MBO_SGID)
324 match = !match;
325 if (!match)
326 return (0);
327 }
328
329 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
330 match = (vap->va_uid == cred->cr_uid ||
331 vap->va_uid == cred->cr_ruid ||
332 vap->va_uid == cred->cr_svuid);
333 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
334 match = !match;
335 if (!match)
336 return (0);
337 }
338
339 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
340 match = (groupmember(vap->va_gid, cred) ||
341 vap->va_gid == cred->cr_rgid ||
342 vap->va_gid == cred->cr_svgid);
343 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
344 match = !match;
345 if (!match)
346 return (0);
347 }
348
349 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
350 switch (vap->va_type) {
351 case VREG:
352 match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
353 break;
354 case VDIR:
355 match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
356 break;
357 case VBLK:
358 match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
359 break;
360 case VCHR:
361 match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
362 break;
363 case VLNK:
364 match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
365 break;
366 case VSOCK:
367 match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
368 break;
369 case VFIFO:
370 match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
371 break;
372 default:
373 match = 0;
374 }
375 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
376 match = !match;
377 if (!match)
378 return (0);
379 }
380
381 /*
382 * MBI_APPEND should not be here as it should get converted to
383 * MBI_WRITE.
384 */
385 priv_granted = 0;
386 mac_granted = rule->mbr_mode;
387 if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
388 priv_check_cred(cred, PRIV_VFS_ADMIN, 0) == 0)
389 priv_granted |= MBI_ADMIN;
390 if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
391 priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP :
392 PRIV_VFS_EXEC, 0) == 0)
393 priv_granted |= MBI_EXEC;
394 if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
395 priv_check_cred(cred, PRIV_VFS_READ, 0) == 0)
396 priv_granted |= MBI_READ;
397 if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
398 priv_check_cred(cred, PRIV_VFS_STAT, 0) == 0)
399 priv_granted |= MBI_STAT;
400 if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
401 priv_check_cred(cred, PRIV_VFS_WRITE, 0) == 0)
402 priv_granted |= MBI_WRITE;
403 /*
404 * Is the access permitted?
405 */
406 if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
407 if (ugidfw_logging)
408 log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
409 " on %d:%d failed. \n", cred->cr_ruid,
410 cred->cr_rgid, acc_mode, vap->va_uid,
411 vap->va_gid);
412 return (EACCES);
413 }
414
415 /*
416 * If the rule matched, permits access, and first match is enabled,
417 * return success.
418 */
419 if (ugidfw_firstmatch_enabled)
420 return (EJUSTRETURN);
421 else
422 return (0);
423 }
424
425 int
426 ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
427 int acc_mode)
428 {
429 int error, i;
430
431 /*
432 * Since we do not separately handle append, map append to write.
433 */
434 if (acc_mode & MBI_APPEND) {
435 acc_mode &= ~MBI_APPEND;
436 acc_mode |= MBI_WRITE;
437 }
438 mtx_lock(&ugidfw_mtx);
439 for (i = 0; i < rule_slots; i++) {
440 if (rules[i] == NULL)
441 continue;
442 error = ugidfw_rulecheck(rules[i], cred,
443 vp, vap, acc_mode);
444 if (error == EJUSTRETURN)
445 break;
446 if (error) {
447 mtx_unlock(&ugidfw_mtx);
448 return (error);
449 }
450 }
451 mtx_unlock(&ugidfw_mtx);
452 return (0);
453 }
454
455 int
456 ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
457 {
458 int error;
459 struct vattr vap;
460
461 if (!ugidfw_enabled)
462 return (0);
463 error = VOP_GETATTR(vp, &vap, cred);
464 if (error)
465 return (error);
466 return (ugidfw_check(cred, vp, &vap, acc_mode));
467 }
468
469 int
470 ugidfw_accmode2mbi(accmode_t accmode)
471 {
472 int mbi;
473
474 mbi = 0;
475 if (accmode & VEXEC)
476 mbi |= MBI_EXEC;
477 if (accmode & VWRITE)
478 mbi |= MBI_WRITE;
479 if (accmode & VREAD)
480 mbi |= MBI_READ;
481 if (accmode & VADMIN_PERMS)
482 mbi |= MBI_ADMIN;
483 if (accmode & VSTAT_PERMS)
484 mbi |= MBI_STAT;
485 if (accmode & VAPPEND)
486 mbi |= MBI_APPEND;
487 return (mbi);
488 }
489
490 static struct mac_policy_ops ugidfw_ops =
491 {
492 .mpo_destroy = ugidfw_destroy,
493 .mpo_init = ugidfw_init,
494 .mpo_system_check_acct = ugidfw_system_check_acct,
495 .mpo_system_check_auditctl = ugidfw_system_check_auditctl,
496 .mpo_system_check_swapon = ugidfw_system_check_swapon,
497 .mpo_vnode_check_access = ugidfw_vnode_check_access,
498 .mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
499 .mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
500 .mpo_vnode_check_create = ugidfw_check_create_vnode,
501 .mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
502 .mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
503 .mpo_vnode_check_exec = ugidfw_vnode_check_exec,
504 .mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
505 .mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
506 .mpo_vnode_check_link = ugidfw_vnode_check_link,
507 .mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
508 .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
509 .mpo_vnode_check_open = ugidfw_vnode_check_open,
510 .mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
511 .mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
512 .mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
513 .mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
514 .mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
515 .mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
516 .mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
517 .mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
518 .mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
519 .mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
520 .mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
521 .mpo_vnode_check_stat = ugidfw_vnode_check_stat,
522 .mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
523 };
524
525 MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
526 MPC_LOADTIME_FLAG_UNLOADOK, NULL);
Cache object: e7febabe8a1032d500ebff1113b9409b
|