1 | /* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */ |
2 | /*- |
3 | * Copyright (c) 2011 Elad Efrat <elad@NetBSD.org> |
4 | * All rights reserved. |
5 | * |
6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions |
8 | * are met: |
9 | * 1. Redistributions of source code must retain the above copyright |
10 | * notice, this list of conditions and the following disclaimer. |
11 | * 2. Redistributions in binary form must reproduce the above copyright |
12 | * notice, this list of conditions and the following disclaimer in the |
13 | * documentation and/or other materials provided with the distribution. |
14 | * 3. The name of the author may not be used to endorse or promote products |
15 | * derived from this software without specific prior written permission. |
16 | * |
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
18 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
19 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
20 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
21 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
22 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
23 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
24 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
25 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
26 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
27 | */ |
28 | |
29 | #include <sys/cdefs.h> |
30 | __KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $" ); |
31 | |
32 | #include <sys/types.h> |
33 | #include <sys/param.h> |
34 | #include <sys/kauth.h> |
35 | |
36 | #include <sys/mount.h> |
37 | #include <sys/vnode.h> |
38 | #include <sys/socketvar.h> |
39 | #include <sys/sysctl.h> |
40 | #include <sys/proc.h> |
41 | #include <sys/module.h> |
42 | |
43 | #include <secmodel/secmodel.h> |
44 | #include <secmodel/extensions/extensions.h> |
45 | |
46 | MODULE(MODULE_CLASS_SECMODEL, extensions, NULL); |
47 | |
48 | static int dovfsusermount; |
49 | static int curtain; |
50 | static int user_set_cpu_affinity; |
51 | |
52 | static kauth_listener_t l_system, l_process, l_network; |
53 | |
54 | static secmodel_t extensions_sm; |
55 | static struct sysctllog *extensions_sysctl_log; |
56 | |
57 | static void secmodel_extensions_init(void); |
58 | static void secmodel_extensions_start(void); |
59 | static void secmodel_extensions_stop(void); |
60 | |
61 | static void sysctl_security_extensions_setup(struct sysctllog **); |
62 | static int sysctl_extensions_user_handler(SYSCTLFN_PROTO); |
63 | static int sysctl_extensions_curtain_handler(SYSCTLFN_PROTO); |
64 | static bool is_securelevel_above(int); |
65 | |
66 | static int secmodel_extensions_system_cb(kauth_cred_t, kauth_action_t, |
67 | void *, void *, void *, void *, void *); |
68 | static int secmodel_extensions_process_cb(kauth_cred_t, kauth_action_t, |
69 | void *, void *, void *, void *, void *); |
70 | static int secmodel_extensions_network_cb(kauth_cred_t, kauth_action_t, |
71 | void *, void *, void *, void *, void *); |
72 | |
73 | static void |
74 | sysctl_security_extensions_setup(struct sysctllog **clog) |
75 | { |
76 | const struct sysctlnode *rnode, *rnode2; |
77 | |
78 | sysctl_createv(clog, 0, NULL, &rnode, |
79 | CTLFLAG_PERMANENT, |
80 | CTLTYPE_NODE, "models" , NULL, |
81 | NULL, 0, NULL, 0, |
82 | CTL_SECURITY, CTL_CREATE, CTL_EOL); |
83 | |
84 | /* Compatibility: security.models.bsd44 */ |
85 | rnode2 = rnode; |
86 | sysctl_createv(clog, 0, &rnode2, &rnode2, |
87 | CTLFLAG_PERMANENT, |
88 | CTLTYPE_NODE, "bsd44" , NULL, |
89 | NULL, 0, NULL, 0, |
90 | CTL_CREATE, CTL_EOL); |
91 | |
92 | /* Compatibility: security.models.bsd44.curtain */ |
93 | sysctl_createv(clog, 0, &rnode2, NULL, |
94 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
95 | CTLTYPE_INT, "curtain" , |
96 | SYSCTL_DESCR("Curtain information about objects to " \ |
97 | "users not owning them." ), |
98 | sysctl_extensions_curtain_handler, 0, &curtain, 0, |
99 | CTL_CREATE, CTL_EOL); |
100 | |
101 | sysctl_createv(clog, 0, &rnode, &rnode, |
102 | CTLFLAG_PERMANENT, |
103 | CTLTYPE_NODE, "extensions" , NULL, |
104 | NULL, 0, NULL, 0, |
105 | CTL_CREATE, CTL_EOL); |
106 | |
107 | sysctl_createv(clog, 0, &rnode, NULL, |
108 | CTLFLAG_PERMANENT, |
109 | CTLTYPE_STRING, "name" , NULL, |
110 | NULL, 0, __UNCONST(SECMODEL_EXTENSIONS_NAME), 0, |
111 | CTL_CREATE, CTL_EOL); |
112 | |
113 | sysctl_createv(clog, 0, &rnode, NULL, |
114 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
115 | CTLTYPE_INT, "usermount" , |
116 | SYSCTL_DESCR("Whether unprivileged users may mount " |
117 | "filesystems" ), |
118 | sysctl_extensions_user_handler, 0, &dovfsusermount, 0, |
119 | CTL_CREATE, CTL_EOL); |
120 | |
121 | sysctl_createv(clog, 0, &rnode, NULL, |
122 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
123 | CTLTYPE_INT, "curtain" , |
124 | SYSCTL_DESCR("Curtain information about objects to " \ |
125 | "users not owning them." ), |
126 | sysctl_extensions_curtain_handler, 0, &curtain, 0, |
127 | CTL_CREATE, CTL_EOL); |
128 | |
129 | sysctl_createv(clog, 0, &rnode, NULL, |
130 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
131 | CTLTYPE_INT, "user_set_cpu_affinity" , |
132 | SYSCTL_DESCR("Whether unprivileged users may control " \ |
133 | "CPU affinity." ), |
134 | sysctl_extensions_user_handler, 0, |
135 | &user_set_cpu_affinity, 0, |
136 | CTL_CREATE, CTL_EOL); |
137 | |
138 | /* Compatibility: vfs.generic.usermount */ |
139 | sysctl_createv(clog, 0, NULL, NULL, |
140 | CTLFLAG_PERMANENT, |
141 | CTLTYPE_NODE, "generic" , |
142 | SYSCTL_DESCR("Non-specific vfs related information" ), |
143 | NULL, 0, NULL, 0, |
144 | CTL_VFS, VFS_GENERIC, CTL_EOL); |
145 | |
146 | sysctl_createv(clog, 0, NULL, NULL, |
147 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
148 | CTLTYPE_INT, "usermount" , |
149 | SYSCTL_DESCR("Whether unprivileged users may mount " |
150 | "filesystems" ), |
151 | sysctl_extensions_user_handler, 0, &dovfsusermount, 0, |
152 | CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL); |
153 | |
154 | /* Compatibility: security.curtain */ |
155 | sysctl_createv(clog, 0, NULL, NULL, |
156 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
157 | CTLTYPE_INT, "curtain" , |
158 | SYSCTL_DESCR("Curtain information about objects to " \ |
159 | "users not owning them." ), |
160 | sysctl_extensions_curtain_handler, 0, &curtain, 0, |
161 | CTL_SECURITY, CTL_CREATE, CTL_EOL); |
162 | } |
163 | |
164 | static int |
165 | sysctl_extensions_curtain_handler(SYSCTLFN_ARGS) |
166 | { |
167 | struct sysctlnode node; |
168 | int val, error; |
169 | |
170 | val = *(int *)rnode->sysctl_data; |
171 | |
172 | node = *rnode; |
173 | node.sysctl_data = &val; |
174 | |
175 | error = sysctl_lookup(SYSCTLFN_CALL(&node)); |
176 | if (error || newp == NULL) |
177 | return error; |
178 | |
179 | /* shortcut */ |
180 | if (val == *(int *)rnode->sysctl_data) |
181 | return 0; |
182 | |
183 | /* curtain cannot be disabled when securelevel is above 0 */ |
184 | if (val == 0 && is_securelevel_above(0)) { |
185 | return EPERM; |
186 | } |
187 | |
188 | *(int *)rnode->sysctl_data = val; |
189 | return 0; |
190 | } |
191 | |
192 | /* |
193 | * Generic sysctl extensions handler for user mount and set CPU affinity |
194 | * rights. Checks the following conditions: |
195 | * - setting value to 0 is always permitted (decrease user rights) |
196 | * - setting value != 0 is not permitted when securelevel is above 0 (increase |
197 | * user rights). |
198 | */ |
199 | static int |
200 | sysctl_extensions_user_handler(SYSCTLFN_ARGS) |
201 | { |
202 | struct sysctlnode node; |
203 | int val, error; |
204 | |
205 | val = *(int *)rnode->sysctl_data; |
206 | |
207 | node = *rnode; |
208 | node.sysctl_data = &val; |
209 | |
210 | error = sysctl_lookup(SYSCTLFN_CALL(&node)); |
211 | if (error || newp == NULL) |
212 | return error; |
213 | |
214 | /* shortcut */ |
215 | if (val == *(int *)rnode->sysctl_data) |
216 | return 0; |
217 | |
218 | /* we cannot grant more rights to users when securelevel is above 0 */ |
219 | if (val != 0 && is_securelevel_above(0)) { |
220 | return EPERM; |
221 | } |
222 | |
223 | *(int *)rnode->sysctl_data = val; |
224 | return 0; |
225 | } |
226 | |
227 | /* |
228 | * Query secmodel_securelevel(9) to know whether securelevel is strictly |
229 | * above 'level' or not. |
230 | * Returns true if it is, false otherwise (when securelevel is absent or |
231 | * securelevel is at or below 'level'). |
232 | */ |
233 | static bool |
234 | is_securelevel_above(int level) |
235 | { |
236 | bool above; |
237 | int error; |
238 | |
239 | error = secmodel_eval("org.netbsd.secmodel.securelevel" , |
240 | "is-securelevel-above" , KAUTH_ARG(level), &above); |
241 | if (error == 0 && above) |
242 | return true; |
243 | else |
244 | return false; |
245 | } |
246 | |
247 | static void |
248 | secmodel_extensions_init(void) |
249 | { |
250 | |
251 | curtain = 0; |
252 | user_set_cpu_affinity = 0; |
253 | } |
254 | |
255 | static void |
256 | secmodel_extensions_start(void) |
257 | { |
258 | |
259 | l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, |
260 | secmodel_extensions_system_cb, NULL); |
261 | l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, |
262 | secmodel_extensions_process_cb, NULL); |
263 | l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, |
264 | secmodel_extensions_network_cb, NULL); |
265 | } |
266 | |
267 | static void |
268 | secmodel_extensions_stop(void) |
269 | { |
270 | |
271 | kauth_unlisten_scope(l_system); |
272 | kauth_unlisten_scope(l_process); |
273 | kauth_unlisten_scope(l_network); |
274 | } |
275 | |
276 | static int |
277 | extensions_modcmd(modcmd_t cmd, void *arg) |
278 | { |
279 | int error = 0; |
280 | |
281 | switch (cmd) { |
282 | case MODULE_CMD_INIT: |
283 | error = secmodel_register(&extensions_sm, |
284 | SECMODEL_EXTENSIONS_ID, SECMODEL_EXTENSIONS_NAME, |
285 | NULL, NULL, NULL); |
286 | if (error != 0) |
287 | printf("extensions_modcmd::init: secmodel_register " |
288 | "returned %d\n" , error); |
289 | |
290 | secmodel_extensions_init(); |
291 | secmodel_extensions_start(); |
292 | sysctl_security_extensions_setup(&extensions_sysctl_log); |
293 | break; |
294 | |
295 | case MODULE_CMD_FINI: |
296 | sysctl_teardown(&extensions_sysctl_log); |
297 | secmodel_extensions_stop(); |
298 | |
299 | error = secmodel_deregister(extensions_sm); |
300 | if (error != 0) |
301 | printf("extensions_modcmd::fini: secmodel_deregister " |
302 | "returned %d\n" , error); |
303 | |
304 | break; |
305 | |
306 | case MODULE_CMD_AUTOUNLOAD: |
307 | error = EPERM; |
308 | break; |
309 | |
310 | default: |
311 | error = ENOTTY; |
312 | break; |
313 | } |
314 | |
315 | return (error); |
316 | } |
317 | |
318 | static int |
319 | secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action, |
320 | void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) |
321 | { |
322 | vnode_t *vp; |
323 | struct vattr va; |
324 | struct mount *mp; |
325 | u_long flags; |
326 | int result; |
327 | enum kauth_system_req req; |
328 | int error; |
329 | |
330 | req = (enum kauth_system_req)arg0; |
331 | result = KAUTH_RESULT_DEFER; |
332 | |
333 | switch (action) { |
334 | case KAUTH_SYSTEM_MOUNT: |
335 | if (dovfsusermount == 0) |
336 | break; |
337 | switch (req) { |
338 | case KAUTH_REQ_SYSTEM_MOUNT_NEW: |
339 | vp = (vnode_t *)arg1; |
340 | mp = vp->v_mount; |
341 | flags = (u_long)arg2; |
342 | |
343 | /* |
344 | * Ensure that the user owns the directory onto which |
345 | * the mount is attempted. |
346 | */ |
347 | vn_lock(vp, LK_SHARED | LK_RETRY); |
348 | error = VOP_GETATTR(vp, &va, cred); |
349 | VOP_UNLOCK(vp); |
350 | if (error) |
351 | break; |
352 | |
353 | if (va.va_uid != kauth_cred_geteuid(cred)) |
354 | break; |
355 | |
356 | error = usermount_common_policy(mp, flags); |
357 | if (error) |
358 | break; |
359 | |
360 | result = KAUTH_RESULT_ALLOW; |
361 | |
362 | break; |
363 | |
364 | case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT: |
365 | mp = arg1; |
366 | |
367 | /* Must own the mount. */ |
368 | if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred)) |
369 | result = KAUTH_RESULT_ALLOW; |
370 | |
371 | break; |
372 | |
373 | case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: |
374 | mp = arg1; |
375 | flags = (u_long)arg2; |
376 | |
377 | /* Must own the mount. */ |
378 | if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) && |
379 | usermount_common_policy(mp, flags) == 0) |
380 | result = KAUTH_RESULT_ALLOW; |
381 | |
382 | break; |
383 | |
384 | default: |
385 | break; |
386 | } |
387 | break; |
388 | |
389 | default: |
390 | break; |
391 | } |
392 | |
393 | return (result); |
394 | } |
395 | |
396 | static int |
397 | secmodel_extensions_process_cb(kauth_cred_t cred, kauth_action_t action, |
398 | void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) |
399 | { |
400 | int result; |
401 | enum kauth_process_req req; |
402 | |
403 | result = KAUTH_RESULT_DEFER; |
404 | req = (enum kauth_process_req)arg1; |
405 | |
406 | switch (action) { |
407 | case KAUTH_PROCESS_CANSEE: |
408 | switch (req) { |
409 | case KAUTH_REQ_PROCESS_CANSEE_ARGS: |
410 | case KAUTH_REQ_PROCESS_CANSEE_ENTRY: |
411 | case KAUTH_REQ_PROCESS_CANSEE_OPENFILES: |
412 | if (curtain != 0) { |
413 | struct proc *p = arg0; |
414 | |
415 | /* |
416 | * Only process' owner and root can see |
417 | * through curtain |
418 | */ |
419 | if (!kauth_cred_uidmatch(cred, p->p_cred)) { |
420 | int error; |
421 | bool isroot = false; |
422 | |
423 | error = secmodel_eval( |
424 | "org.netbsd.secmodel.suser" , |
425 | "is-root" , cred, &isroot); |
426 | if (error == 0 && !isroot) |
427 | result = KAUTH_RESULT_DENY; |
428 | } |
429 | } |
430 | |
431 | break; |
432 | |
433 | default: |
434 | break; |
435 | } |
436 | |
437 | break; |
438 | |
439 | case KAUTH_PROCESS_SCHEDULER_SETAFFINITY: |
440 | if (user_set_cpu_affinity != 0) { |
441 | struct proc *p = arg0; |
442 | |
443 | if (kauth_cred_uidmatch(cred, p->p_cred)) |
444 | result = KAUTH_RESULT_ALLOW; |
445 | } |
446 | break; |
447 | |
448 | default: |
449 | break; |
450 | } |
451 | |
452 | return (result); |
453 | } |
454 | |
455 | static int |
456 | secmodel_extensions_network_cb(kauth_cred_t cred, kauth_action_t action, |
457 | void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) |
458 | { |
459 | int result; |
460 | enum kauth_network_req req; |
461 | |
462 | result = KAUTH_RESULT_DEFER; |
463 | req = (enum kauth_network_req)arg0; |
464 | |
465 | if (action != KAUTH_NETWORK_SOCKET || |
466 | req != KAUTH_REQ_NETWORK_SOCKET_CANSEE) |
467 | return result; |
468 | |
469 | if (curtain != 0) { |
470 | struct socket *so = (struct socket *)arg1; |
471 | |
472 | if (__predict_false(so == NULL || so->so_cred == NULL)) |
473 | return KAUTH_RESULT_DENY; |
474 | |
475 | if (!kauth_cred_uidmatch(cred, so->so_cred)) { |
476 | int error; |
477 | bool isroot = false; |
478 | |
479 | error = secmodel_eval("org.netbsd.secmodel.suser" , |
480 | "is-root" , cred, &isroot); |
481 | if (error == 0 && !isroot) |
482 | result = KAUTH_RESULT_DENY; |
483 | } |
484 | } |
485 | |
486 | return (result); |
487 | } |
488 | |