1 /*-
2 * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by Network
6 * Associates Laboratories, the Security Research Division of Network
7 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
8 * as part of the DARPA CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 * $FreeBSD: releng/6.2/sys/security/mac_portacl/mac_portacl.c 163363 2006-10-15 07:02:26Z rwatson $
32 */
33
34 /*
35 * Developed by the TrustedBSD Project.
36 *
37 * Administratively limit access to local UDP/TCP ports for binding purposes.
38 * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow
39 * specific uids and gids to bind specific ports for specific purposes,
40 * while not opening the door to any user replacing an "official" service
41 * while you're restarting it. This only affects ports explicitly bound by
42 * the user process (either for listen/outgoing socket for TCP, or send/
43 * receive for UDP). This module will not limit ports bound implicitly for
44 * out-going connections where the process hasn't explicitly selected a port:
45 * these are automatically selected by the IP stack.
46 *
47 * To use this module, security.mac.enforce_socket must be enabled, and
48 * you will probably want to twiddle the net.inet sysctl listed above.
49 * Then use sysctl(8) to modify the rules string:
50 *
51 * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
52 *
53 * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http)
54 * and 79 (finger). User names and group names can't be used directly
55 * because the kernel only knows about uids and gids.
56 */
57
58 #include <sys/types.h>
59 #include <sys/param.h>
60 #include <sys/conf.h>
61 #include <sys/domain.h>
62 #include <sys/kernel.h>
63 #include <sys/libkern.h>
64 #include <sys/lock.h>
65 #include <sys/mac.h>
66 #include <sys/malloc.h>
67 #include <sys/mount.h>
68 #include <sys/mutex.h>
69 #include <sys/proc.h>
70 #include <sys/protosw.h>
71 #include <sys/queue.h>
72 #include <sys/systm.h>
73 #include <sys/sysproto.h>
74 #include <sys/sysent.h>
75 #include <sys/file.h>
76 #include <sys/sbuf.h>
77 #include <sys/socket.h>
78 #include <sys/socketvar.h>
79 #include <sys/sysctl.h>
80
81 #include <netinet/in.h>
82 #include <netinet/in_pcb.h>
83
84 #include <vm/vm.h>
85
86 #include <sys/mac_policy.h>
87
88 SYSCTL_DECL(_security_mac);
89
90 SYSCTL_NODE(_security_mac, OID_AUTO, portacl, CTLFLAG_RW, 0,
91 "TrustedBSD mac_portacl policy controls");
92
93 static int mac_portacl_enabled = 1;
94 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RW,
95 &mac_portacl_enabled, 0, "Enforce portacl policy");
96 TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
97
98 static int mac_portacl_suser_exempt = 1;
99 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
100 &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
101 TUNABLE_INT("security.mac.portacl.suser_exempt",
102 &mac_portacl_suser_exempt);
103
104 static int mac_portacl_autoport_exempt = 1;
105 SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RW,
106 &mac_portacl_autoport_exempt, 0, "Allow automatic allocation through "
107 "binding port 0 if not IP_PORTRANGELOW");
108 TUNABLE_INT("security.mac.portacl.autoport_exempt",
109 &mac_portacl_autoport_exempt);
110
111 static int mac_portacl_port_high = 1023;
112 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW,
113 &mac_portacl_port_high, 0, "Highest port to enforce for");
114 TUNABLE_INT("security.mac.portacl.port_high", &mac_portacl_port_high);
115
116 MALLOC_DEFINE(M_PORTACL, "portacl rule", "Rules for mac_portacl");
117
118 #define MAC_RULE_STRING_LEN 1024
119
120 #define RULE_GID 1
121 #define RULE_UID 2
122 #define RULE_PROTO_TCP 1
123 #define RULE_PROTO_UDP 2
124 struct rule {
125 id_t r_id;
126 int r_idtype;
127 u_int16_t r_port;
128 int r_protocol;
129
130 TAILQ_ENTRY(rule) r_entries;
131 };
132
133 #define GID_STRING "gid"
134 #define TCP_STRING "tcp"
135 #define UID_STRING "uid"
136 #define UDP_STRING "udp"
137
138 /*
139 * Text format for the rule string is that a rule consists of a
140 * comma-seperated list of elements. Each element is in the form
141 * idtype:id:protocol:portnumber, and constitutes granting of permission
142 * for the specified binding.
143 */
144
145 static struct mtx rule_mtx;
146 static TAILQ_HEAD(rulehead, rule) rule_head;
147 static char rule_string[MAC_RULE_STRING_LEN];
148
149 static void
150 toast_rules(struct rulehead *head)
151 {
152 struct rule *rule;
153
154 while ((rule = TAILQ_FIRST(head)) != NULL) {
155 TAILQ_REMOVE(head, rule, r_entries);
156 free(rule, M_PORTACL);
157 }
158 }
159
160 /*
161 * Note that there is an inherent race condition in the unload of modules
162 * and access via sysctl.
163 */
164 static void
165 destroy(struct mac_policy_conf *mpc)
166 {
167
168 mtx_destroy(&rule_mtx);
169 toast_rules(&rule_head);
170 }
171
172 static void
173 init(struct mac_policy_conf *mpc)
174 {
175
176 mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF);
177 TAILQ_INIT(&rule_head);
178 }
179
180 /*
181 * Note: parsing routines are destructive on the passed string.
182 */
183 static int
184 parse_rule_element(char *element, struct rule **rule)
185 {
186 char *idtype, *id, *protocol, *portnumber, *p;
187 struct rule *new;
188 int error;
189
190 error = 0;
191 new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK);
192
193 idtype = strsep(&element, ":");
194 if (idtype == NULL) {
195 error = EINVAL;
196 goto out;
197 }
198 id = strsep(&element, ":");
199 if (id == NULL) {
200 error = EINVAL;
201 goto out;
202 }
203 new->r_id = strtol(id, &p, 10);
204 if (*p != '\0') {
205 error = EINVAL;
206 goto out;
207 }
208 if (strcmp(idtype, UID_STRING) == 0)
209 new->r_idtype = RULE_UID;
210 else if (strcmp(idtype, GID_STRING) == 0)
211 new->r_idtype = RULE_GID;
212 else {
213 error = EINVAL;
214 goto out;
215 }
216 protocol = strsep(&element, ":");
217 if (protocol == NULL) {
218 error = EINVAL;
219 goto out;
220 }
221 if (strcmp(protocol, TCP_STRING) == 0)
222 new->r_protocol = RULE_PROTO_TCP;
223 else if (strcmp(protocol, UDP_STRING) == 0)
224 new->r_protocol = RULE_PROTO_UDP;
225 else {
226 error = EINVAL;
227 goto out;
228 }
229 portnumber = element;
230 if (portnumber == NULL) {
231 error = EINVAL;
232 goto out;
233 }
234 new->r_port = strtol(portnumber, &p, 10);
235 if (*p != '\0') {
236 error = EINVAL;
237 goto out;
238 }
239
240 out:
241 if (error != 0) {
242 free(new, M_PORTACL);
243 *rule = NULL;
244 } else
245 *rule = new;
246 return (error);
247 }
248
249 static int
250 parse_rules(char *string, struct rulehead *head)
251 {
252 struct rule *new;
253 char *element;
254 int error;
255
256 error = 0;
257 while ((element = strsep(&string, ",")) != NULL) {
258 if (strlen(element) == 0)
259 continue;
260 error = parse_rule_element(element, &new);
261 if (error)
262 goto out;
263 TAILQ_INSERT_TAIL(head, new, r_entries);
264 }
265 out:
266 if (error != 0)
267 toast_rules(head);
268 return (error);
269 }
270
271 /*
272 * rule_printf() and rules_to_string() are unused currently because they rely
273 * on sbufs with auto-extension, which may sleep while holding a mutex.
274 * Instead, the non-canonical user-generated rule string is returned to the
275 * user when the rules are queried, which is faster anyway.
276 */
277 #if 0
278 static void
279 rule_printf(struct sbuf *sb, struct rule *rule)
280 {
281 const char *idtype, *protocol;
282
283 switch(rule->r_idtype) {
284 case RULE_GID:
285 idtype = GID_STRING;
286 break;
287 case RULE_UID:
288 idtype = UID_STRING;
289 break;
290 default:
291 panic("rule_printf: unknown idtype (%d)\n", rule->r_idtype);
292 }
293
294 switch (rule->r_protocol) {
295 case RULE_PROTO_TCP:
296 protocol = TCP_STRING;
297 break;
298 case RULE_PROTO_UDP:
299 protocol = UDP_STRING;
300 break;
301 default:
302 panic("rule_printf: unknown protocol (%d)\n",
303 rule->r_protocol);
304 }
305 sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id,
306 protocol, rule->r_port);
307 }
308
309 static char *
310 rules_to_string(void)
311 {
312 struct rule *rule;
313 struct sbuf *sb;
314 int needcomma;
315 char *temp;
316
317 sb = sbuf_new(NULL, NULL, 0, SBUF_AUTOEXTEND);
318 needcomma = 0;
319 mtx_lock(&rule_mtx);
320 for (rule = TAILQ_FIRST(&rule_head); rule != NULL;
321 rule = TAILQ_NEXT(rule, r_entries)) {
322 if (!needcomma)
323 needcomma = 1;
324 else
325 sbuf_printf(sb, ",");
326 rule_printf(sb, rule);
327 }
328 mtx_unlock(&rule_mtx);
329 sbuf_finish(sb);
330 temp = strdup(sbuf_data(sb), M_PORTACL);
331 sbuf_delete(sb);
332 return (temp);
333 }
334 #endif
335
336 /*
337 * Note: due to races, there is not a single serializable order
338 * between parallel calls to the sysctl.
339 */
340 static int
341 sysctl_rules(SYSCTL_HANDLER_ARGS)
342 {
343 char *string, *copy_string, *new_string;
344 struct rulehead head, save_head;
345 int error;
346
347 new_string = NULL;
348 if (req->newptr == NULL) {
349 new_string = malloc(MAC_RULE_STRING_LEN, M_PORTACL,
350 M_WAITOK | M_ZERO);
351 strcpy(new_string, rule_string);
352 string = new_string;
353 } else
354 string = rule_string;
355
356 error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req);
357 if (error)
358 goto out;
359
360 if (req->newptr != NULL) {
361 copy_string = strdup(string, M_PORTACL);
362 TAILQ_INIT(&head);
363 error = parse_rules(copy_string, &head);
364 free(copy_string, M_PORTACL);
365 if (error)
366 goto out;
367
368 TAILQ_INIT(&save_head);
369 mtx_lock(&rule_mtx);
370 TAILQ_CONCAT(&save_head, &rule_head, r_entries);
371 TAILQ_CONCAT(&rule_head, &head, r_entries);
372 strcpy(rule_string, string);
373 mtx_unlock(&rule_mtx);
374 toast_rules(&save_head);
375 }
376 out:
377 if (new_string != NULL)
378 free(new_string, M_PORTACL);
379 return (error);
380 }
381
382 SYSCTL_PROC(_security_mac_portacl, OID_AUTO, rules,
383 CTLTYPE_STRING|CTLFLAG_RW, 0, 0, sysctl_rules, "A", "Rules");
384
385 static int
386 rules_check(struct ucred *cred, int family, int type, u_int16_t port)
387 {
388 struct rule *rule;
389 int error;
390
391 #if 0
392 printf("Check requested for euid %d, family %d, type %d, port %d\n",
393 cred->cr_uid, family, type, port);
394 #endif
395
396 if (port > mac_portacl_port_high)
397 return (0);
398
399 error = EPERM;
400 mtx_lock(&rule_mtx);
401 for (rule = TAILQ_FIRST(&rule_head);
402 rule != NULL;
403 rule = TAILQ_NEXT(rule, r_entries)) {
404 if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP)
405 continue;
406 if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP)
407 continue;
408 if (port != rule->r_port)
409 continue;
410 if (rule->r_idtype == RULE_UID) {
411 if (cred->cr_uid == rule->r_id) {
412 error = 0;
413 break;
414 }
415 } else if (rule->r_idtype == RULE_GID) {
416 if (cred->cr_gid == rule->r_id) {
417 error = 0;
418 break;
419 } else if (groupmember(rule->r_id, cred)) {
420 error = 0;
421 break;
422 }
423 } else
424 panic("rules_check: unknown rule type %d",
425 rule->r_idtype);
426 }
427 mtx_unlock(&rule_mtx);
428
429 if (error != 0 && mac_portacl_suser_exempt != 0)
430 error = suser_cred(cred, SUSER_ALLOWJAIL);
431
432 return (error);
433 }
434
435 /*
436 * Note, this only limits the ability to explicitly bind a port, it
437 * doesn't limit implicitly bound ports for outgoing connections where
438 * the source port is left up to the IP stack to determine automatically.
439 */
440 static int
441 check_socket_bind(struct ucred *cred, struct socket *so,
442 struct label *socketlabel, struct sockaddr *sockaddr)
443 {
444 struct sockaddr_in *sin;
445 struct inpcb *inp;
446 int family, type;
447 u_int16_t port;
448
449 /* Only run if we are enabled. */
450 if (mac_portacl_enabled == 0)
451 return (0);
452
453 /* Only interested in IPv4 and IPv6 sockets. */
454 if (so->so_proto->pr_domain->dom_family != PF_INET &&
455 so->so_proto->pr_domain->dom_family != PF_INET6)
456 return (0);
457
458 /* Currently, we don't attempt to deal with SOCK_RAW, etc. */
459 if (so->so_type != SOCK_DGRAM &&
460 so->so_type != SOCK_STREAM)
461 return (0);
462
463 /* Reject addresses we don't understand; fail closed. */
464 if (sockaddr->sa_family != AF_INET &&
465 sockaddr->sa_family != AF_INET6)
466 return (EINVAL);
467
468 family = so->so_proto->pr_domain->dom_family;
469 type = so->so_type;
470 sin = (struct sockaddr_in *) sockaddr;
471 port = ntohs(sin->sin_port);
472
473 /*
474 * Sockets are frequently bound with a specific IP address but a port
475 * number of '' to request automatic port allocation. This is often
476 * desirable as long as IP_PORTRANGELOW isn't set, which might permit
477 * automatic allocation of a "privileged" port. The autoport exempt
478 * flag exempts port 0 allocation from rule checking as long as a low
479 * port isn't required.
480 */
481 if (mac_portacl_autoport_exempt && port == 0) {
482 inp = sotoinpcb(so);
483 if ((inp->inp_flags & INP_LOWPORT) == 0)
484 return (0);
485 }
486
487 return (rules_check(cred, family, type, port));
488 }
489
490 static struct mac_policy_ops mac_portacl_ops =
491 {
492 .mpo_destroy = destroy,
493 .mpo_init = init,
494 .mpo_check_socket_bind = check_socket_bind,
495 };
496
497 MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,
498 "TrustedBSD MAC/portacl", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
Cache object: 80c162d29f74b0c31294d45e0651fadf
|