| 1 | /* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */ |
| 2 | /*- |
| 3 | * Copyright (c) 2011 Elad Efrat <elad@NetBSD.org> |
| 4 | * All rights reserved. |
| 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions |
| 8 | * are met: |
| 9 | * 1. Redistributions of source code must retain the above copyright |
| 10 | * notice, this list of conditions and the following disclaimer. |
| 11 | * 2. Redistributions in binary form must reproduce the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer in the |
| 13 | * documentation and/or other materials provided with the distribution. |
| 14 | * 3. The name of the author may not be used to endorse or promote products |
| 15 | * derived from this software without specific prior written permission. |
| 16 | * |
| 17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
| 18 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 19 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| 20 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
| 21 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 22 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 23 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 24 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 25 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 26 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | */ |
| 28 | |
| 29 | #include <sys/cdefs.h> |
| 30 | __KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $" ); |
| 31 | |
| 32 | #include <sys/types.h> |
| 33 | #include <sys/param.h> |
| 34 | #include <sys/kauth.h> |
| 35 | |
| 36 | #include <sys/mount.h> |
| 37 | #include <sys/vnode.h> |
| 38 | #include <sys/socketvar.h> |
| 39 | #include <sys/sysctl.h> |
| 40 | #include <sys/proc.h> |
| 41 | #include <sys/module.h> |
| 42 | |
| 43 | #include <secmodel/secmodel.h> |
| 44 | #include <secmodel/extensions/extensions.h> |
| 45 | |
MODULE(MODULE_CLASS_SECMODEL, extensions, NULL);

/*
 * Run-time tunables, all reachable through sysctl(8).  Static storage
 * means they start at 0 (feature off); the write handlers below decide,
 * based on securelevel, whether a change is allowed.  Several legacy
 * sysctl names alias the same variables, so there is exactly one place
 * each policy bit lives.
 */
static int dovfsusermount;		/* unprivileged mount(2) permitted */
static int curtain;			/* hide other users' procs/sockets */
static int user_set_cpu_affinity;	/* unprivileged CPU affinity changes */

/* kauth(9) listeners; one per scope this model hooks into. */
static int secmodel_extensions_system_cb(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);
static int secmodel_extensions_process_cb(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);
static int secmodel_extensions_network_cb(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);

/* Handles returned by kauth_listen_scope(), needed again on unload. */
static kauth_listener_t l_system, l_process, l_network;

/* Model registration handle and the sysctl log used for teardown. */
static secmodel_t extensions_sm;
static struct sysctllog *extensions_sysctl_log;

/* Module life cycle helpers, driven by extensions_modcmd(). */
static void secmodel_extensions_init(void);
static void secmodel_extensions_start(void);
static void secmodel_extensions_stop(void);

/* sysctl tree construction, write handlers and the securelevel query. */
static void sysctl_security_extensions_setup(struct sysctllog **);
static int sysctl_extensions_user_handler(SYSCTLFN_PROTO);
static int sysctl_extensions_curtain_handler(SYSCTLFN_PROTO);
static bool is_securelevel_above(int);
| 72 | |
/*
 * Build this model's sysctl subtree and record every node in *clog so
 * sysctl_teardown() can remove it on unload.
 *
 * The canonical nodes live under security.extensions.  Three older names
 * are kept so existing tools and rc scripts keep working:
 * security.models.bsd44.curtain, vfs.generic.usermount and
 * security.curtain.  Every alias points at the same static variable and
 * uses the same handler, so a write through any of them is subject to
 * the same securelevel rules.  "name" is read-only and merely exports
 * SECMODEL_EXTENSIONS_NAME.
 *
 * Return values of sysctl_createv() are ignored, as is customary for
 * these setup routines.
 */
static void
sysctl_security_extensions_setup(struct sysctllog **clog)
{
	const struct sysctlnode *models, *bsd44, *extensions;
	/* Descriptions shared by the aliases of the same knob. */
	const char *curtain_desc = SYSCTL_DESCR("Curtain information about objects to "
	    "users not owning them.");
	const char *usermount_desc = SYSCTL_DESCR("Whether unprivileged users may mount "
	    "filesystems");

	/* security.models */
	sysctl_createv(clog, 0, NULL, &models,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "models", NULL,
	    NULL, 0, NULL, 0,
	    CTL_SECURITY, CTL_CREATE, CTL_EOL);

	/* Compatibility: security.models.bsd44 */
	sysctl_createv(clog, 0, &models, &bsd44,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "bsd44", NULL,
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* Compatibility: security.models.bsd44.curtain */
	sysctl_createv(clog, 0, &bsd44, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "curtain", curtain_desc,
	    sysctl_extensions_curtain_handler, 0, &curtain, 0,
	    CTL_CREATE, CTL_EOL);

	/* security.models.extensions -- the canonical location */
	sysctl_createv(clog, 0, &models, &extensions,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "extensions", NULL,
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* Read-only model name, for discovery by user space. */
	sysctl_createv(clog, 0, &extensions, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_STRING, "name", NULL,
	    NULL, 0, __UNCONST(SECMODEL_EXTENSIONS_NAME), 0,
	    CTL_CREATE, CTL_EOL);

	sysctl_createv(clog, 0, &extensions, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "usermount", usermount_desc,
	    sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
	    CTL_CREATE, CTL_EOL);

	sysctl_createv(clog, 0, &extensions, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "curtain", curtain_desc,
	    sysctl_extensions_curtain_handler, 0, &curtain, 0,
	    CTL_CREATE, CTL_EOL);

	sysctl_createv(clog, 0, &extensions, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "user_set_cpu_affinity",
	    SYSCTL_DESCR("Whether unprivileged users may control "
	    "CPU affinity."),
	    sysctl_extensions_user_handler, 0,
	    &user_set_cpu_affinity, 0,
	    CTL_CREATE, CTL_EOL);

	/* Compatibility: vfs.generic.usermount (absolute path, no parent handle) */
	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "generic",
	    SYSCTL_DESCR("Non-specific vfs related information"),
	    NULL, 0, NULL, 0,
	    CTL_VFS, VFS_GENERIC, CTL_EOL);

	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "usermount", usermount_desc,
	    sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
	    CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL);

	/* Compatibility: security.curtain */
	sysctl_createv(clog, 0, NULL, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "curtain", curtain_desc,
	    sysctl_extensions_curtain_handler, 0, &curtain, 0,
	    CTL_SECURITY, CTL_CREATE, CTL_EOL);
}
| 163 | |
/*
 * Write handler for "curtain" and all of its compatibility aliases.
 *
 * The candidate value is staged in a private copy so the global is only
 * updated after policy has been checked:
 *  - enabling curtain is always permitted (it only narrows what an
 *    unprivileged user can see);
 *  - disabling it is refused with EPERM while securelevel is above 0,
 *    since that would widen visibility on a hardened system.
 * Reads and no-op writes never consult securelevel.
 *
 * Returns 0 on success or an errno value from sysctl_lookup()/policy.
 */
static int
sysctl_extensions_curtain_handler(SYSCTLFN_ARGS)
{
	int *storage = rnode->sysctl_data;
	int staged = *storage;
	struct sysctlnode scratch = *rnode;
	int error;

	scratch.sysctl_data = &staged;
	error = sysctl_lookup(SYSCTLFN_CALL(&scratch));
	if (error != 0 || newp == NULL)
		return error;	/* failure, or a plain read */

	/* Unchanged value: nothing to authorize. */
	if (staged == *storage)
		return 0;

	/* Lowering the curtain is not allowed once securelevel is raised. */
	if (staged == 0 && is_securelevel_above(0))
		return EPERM;

	*storage = staged;
	return 0;
}
| 191 | |
/*
 * Write handler shared by the "usermount" and "user_set_cpu_affinity"
 * knobs (and the vfs.generic.usermount alias).  Both grant extra rights
 * to unprivileged users when non-zero, so the rule is the mirror image
 * of the curtain handler:
 *  - setting 0 (revoking the right) is always permitted;
 *  - setting non-zero (granting it) is refused with EPERM while
 *    securelevel is above 0.
 * The new value is staged locally and only copied into the backing
 * variable once it has been accepted.
 *
 * Returns 0 on success or an errno value from sysctl_lookup()/policy.
 */
static int
sysctl_extensions_user_handler(SYSCTLFN_ARGS)
{
	struct sysctlnode scratch;
	int *knob = rnode->sysctl_data;
	int proposed, error;

	/* Stage the write so a refused value never lands in *knob. */
	proposed = *knob;
	scratch = *rnode;
	scratch.sysctl_data = &proposed;

	error = sysctl_lookup(SYSCTLFN_CALL(&scratch));
	if (error != 0)
		return error;
	if (newp == NULL)
		return 0;	/* read access only */

	/* Same value as before: no policy decision needed. */
	if (proposed == *knob)
		return 0;

	/* No new rights for users while securelevel is above 0. */
	if (proposed != 0 && is_securelevel_above(0))
		return EPERM;

	*knob = proposed;
	return 0;
}
| 226 | |
/*
 * Ask secmodel_securelevel(9) whether the current securelevel is
 * strictly greater than 'level'.
 *
 * Returns true only when the query succeeds and answers yes.  Any
 * failure of the query -- including the securelevel model not being
 * loaded at all -- yields false, i.e. callers then behave as if
 * securelevel were not raised.  Deployments that rely on the
 * securelevel restrictions in this file therefore also depend on that
 * model being present.
 */
static bool
is_securelevel_above(int level)
{
	bool above = false;
	int error = secmodel_eval("org.netbsd.secmodel.securelevel",
	    "is-securelevel-above", KAUTH_ARG(level), &above);

	return error == 0 && above;
}
| 246 | |
/*
 * Reset the tunables to their safe defaults (everything off) before the
 * listeners and sysctl nodes are installed.  Note that dovfsusermount is
 * not touched here; it relies on its static zero initialisation.
 */
static void
secmodel_extensions_init(void)
{
	curtain = user_set_cpu_affinity = 0;
}
| 254 | |
/*
 * Attach one kauth(9) listener per scope this model cares about and
 * keep the handles so secmodel_extensions_stop() can detach them.  From
 * this point on the callbacks may be invoked, so the tunables must
 * already be in a sane state (see secmodel_extensions_init()).
 */
static void
secmodel_extensions_start(void)
{
	const struct {
		const char *scope;
		int (*cb)(kauth_cred_t, kauth_action_t,
		    void *, void *, void *, void *, void *);
		kauth_listener_t *slot;
	} hooks[] = {
		{ KAUTH_SCOPE_SYSTEM,  secmodel_extensions_system_cb,  &l_system },
		{ KAUTH_SCOPE_PROCESS, secmodel_extensions_process_cb, &l_process },
		{ KAUTH_SCOPE_NETWORK, secmodel_extensions_network_cb, &l_network },
	};

	for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++)
		*hooks[i].slot = kauth_listen_scope(hooks[i].scope,
		    hooks[i].cb, NULL);
}
| 266 | |
/*
 * Detach the listeners installed by secmodel_extensions_start(), in the
 * same order.  The handles are not cleared afterwards, so this must not
 * be called twice without an intervening start.
 */
static void
secmodel_extensions_stop(void)
{
	kauth_listener_t *const handles[] = { &l_system, &l_process, &l_network };

	for (size_t i = 0; i < sizeof handles / sizeof handles[0]; i++)
		kauth_unlisten_scope(*handles[i]);
}
| 275 | |
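/*
 * Module control entry point.
 *
 * MODULE_CMD_INIT: register the model, reset the tunables, attach the
 * kauth(9) listeners and build the sysctl tree.  If secmodel_register()
 * fails, the error is returned before anything else is attached.
 * Previously the listeners and sysctl nodes were still created and the
 * error returned afterwards; as far as I can tell a failing init is not
 * followed by MODULE_CMD_FINI, which would have left kauth holding
 * callbacks into a module that never finished loading.
 *
 * MODULE_CMD_FINI: tear down in reverse order.  A failing
 * secmodel_deregister() is only reported, as before.
 *
 * MODULE_CMD_AUTOUNLOAD is refused so the policy cannot silently vanish
 * while the system is idle.
 *
 * Returns 0 on success, the errno from the failing step otherwise, and
 * ENOTTY for commands this module does not implement.
 */
static int
extensions_modcmd(modcmd_t cmd, void *arg)
{
	int error = 0;

	switch (cmd) {
	case MODULE_CMD_INIT:
		error = secmodel_register(&extensions_sm,
		    SECMODEL_EXTENSIONS_ID, SECMODEL_EXTENSIONS_NAME,
		    NULL, NULL, NULL);
		if (error != 0) {
			printf("extensions_modcmd::init: secmodel_register "
			    "returned %d\n", error);
			/* Nothing attached yet; report the failure as is. */
			break;
		}

		secmodel_extensions_init();
		secmodel_extensions_start();
		sysctl_security_extensions_setup(&extensions_sysctl_log);
		break;

	case MODULE_CMD_FINI:
		sysctl_teardown(&extensions_sysctl_log);
		secmodel_extensions_stop();

		error = secmodel_deregister(extensions_sm);
		if (error != 0)
			printf("extensions_modcmd::fini: secmodel_deregister "
			    "returned %d\n", error);

		break;

	case MODULE_CMD_AUTOUNLOAD:
		error = EPERM;
		break;

	default:
		error = ENOTTY;
		break;
	}

	return (error);
}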
| 317 | |
/*
 * May 'cred' attach a new mount on top of 'vp' with mount flags 'flags'?
 *
 * Two conditions, both required: the caller's effective uid must own the
 * mount point directory (attributes fetched under a shared vnode lock),
 * and the flags must pass usermount_common_policy().  That helper is
 * defined elsewhere; it is relied on here to reject flag combinations
 * that are not acceptable for an unprivileged mount.  Any attribute
 * fetch error counts as "no".
 */
static bool
extensions_usermount_new_ok(kauth_cred_t cred, vnode_t *vp, u_long flags)
{
	struct mount *mp = vp->v_mount;
	struct vattr va;
	int error;

	vn_lock(vp, LK_SHARED | LK_RETRY);
	error = VOP_GETATTR(vp, &va, cred);
	VOP_UNLOCK(vp);
	if (error != 0)
		return false;
	if (va.va_uid != kauth_cred_geteuid(cred))
		return false;

	return usermount_common_policy(mp, flags) == 0;
}

/* Does the effective uid of 'cred' match the recorded owner of 'mp'? */
static bool
extensions_owns_mount(kauth_cred_t cred, const struct mount *mp)
{
	return mp->mnt_stat.f_owner == kauth_cred_geteuid(cred);
}

/*
 * System-scope listener.  The only action handled is KAUTH_SYSTEM_MOUNT,
 * and only while the usermount knob is on.  This listener never denies:
 * it either allows an unprivileged mount/unmount/update that passes the
 * ownership checks, or defers so that the remaining models decide.
 *
 * arg0 carries the request, arg1 the vnode (MOUNT_NEW) or the struct
 * mount (UNMOUNT/UPDATE), arg2 the mount flags where relevant; cookie
 * and arg3 are unused.
 */
static int
secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	enum kauth_system_req req = (enum kauth_system_req)arg0;
	bool allow = false;

	if (action != KAUTH_SYSTEM_MOUNT || dovfsusermount == 0)
		return KAUTH_RESULT_DEFER;

	switch (req) {
	case KAUTH_REQ_SYSTEM_MOUNT_NEW:
		/* Caller must own the directory the mount is attached to. */
		allow = extensions_usermount_new_ok(cred, arg1, (u_long)arg2);
		break;

	case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
		/* Caller must own the mount. */
		allow = extensions_owns_mount(cred, arg1);
		break;

	case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
		/* Owner of the mount, and the new flags must still be acceptable. */
		allow = extensions_owns_mount(cred, arg1) &&
		    usermount_common_policy(arg1, (u_long)arg2) == 0;
		break;

	default:
		break;
	}

	return allow ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DEFER;
}
| 395 | |
/*
 * Curtain test: must an object owned by 'owner' be hidden from 'cred'?
 *
 * Visible when the uids match, or when the suser model confirms 'cred'
 * is root.  Returns true when the object must be hidden.  If the suser
 * query fails (model not loaded), this check hides nothing and leaves
 * the decision to other models, matching the long-standing behaviour.
 */
static bool
extensions_curtain_hides(kauth_cred_t cred, kauth_cred_t owner)
{
	bool isroot = false;
	int error;

	if (kauth_cred_uidmatch(cred, owner))
		return false;

	error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
	    cred, &isroot);
	return error == 0 && !isroot;
}

/*
 * Process-scope listener.
 *
 * KAUTH_PROCESS_CANSEE: with curtain on, the ARGS, ENTRY and OPENFILES
 * sub-requests are denied unless the caller owns the target process or
 * is root; other sub-requests are deferred untouched.
 *
 * KAUTH_PROCESS_SCHEDULER_SETAFFINITY: with user_set_cpu_affinity on, a
 * user may change the affinity of processes with a matching uid.
 *
 * arg0 is the target struct proc; arg1 the CANSEE sub-request.  Nothing
 * else is deferred-or-allowed here, so other models keep the last word.
 */
static int
secmodel_extensions_process_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	struct proc *target = arg0;
	enum kauth_process_req req = (enum kauth_process_req)arg1;

	if (action == KAUTH_PROCESS_CANSEE) {
		if (curtain == 0)
			return KAUTH_RESULT_DEFER;

		switch (req) {
		case KAUTH_REQ_PROCESS_CANSEE_ARGS:
		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
			/* Only the owner and root see through the curtain. */
			if (extensions_curtain_hides(cred, target->p_cred))
				return KAUTH_RESULT_DENY;
			break;
		default:
			break;
		}
		return KAUTH_RESULT_DEFER;
	}

	if (action == KAUTH_PROCESS_SCHEDULER_SETAFFINITY &&
	    user_set_cpu_affinity != 0 &&
	    kauth_cred_uidmatch(cred, target->p_cred))
		return KAUTH_RESULT_ALLOW;

	return KAUTH_RESULT_DEFER;
}
| 454 | |
/*
 * Network-scope listener: applies the curtain to socket visibility.
 *
 * Only KAUTH_NETWORK_SOCKET / KAUTH_REQ_NETWORK_SOCKET_CANSEE is handled,
 * and only while curtain is on.  A socket with no credential attached
 * cannot be attributed to any user and is always hidden.  Otherwise the
 * socket is hidden unless the caller's uid matches the socket owner or
 * the suser model reports the caller as root.  If the suser query fails
 * this listener does not deny and defers to the other models.
 *
 * arg0 is the request, arg1 the struct socket; cookie, arg2 and arg3 are
 * unused.
 */
static int
secmodel_extensions_network_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	enum kauth_network_req req = (enum kauth_network_req)arg0;
	struct socket *so = arg1;
	bool isroot = false;

	if (action != KAUTH_NETWORK_SOCKET ||
	    req != KAUTH_REQ_NETWORK_SOCKET_CANSEE || curtain == 0)
		return KAUTH_RESULT_DEFER;

	/* Unattributable socket: fail closed. */
	if (__predict_false(so == NULL || so->so_cred == NULL))
		return KAUTH_RESULT_DENY;

	if (kauth_cred_uidmatch(cred, so->so_cred))
		return KAUTH_RESULT_DEFER;

	/* Root sees through the curtain; a failed query is not a denial. */
	if (secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred,
	    &isroot) != 0 || isroot)
		return KAUTH_RESULT_DEFER;

	return KAUTH_RESULT_DENY;
}
| 488 | |