1 /*-
2 * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
3 * Copyright (c) 2006 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project by Network
7 * Associates Laboratories, the Security Research Division of Network
8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9 * as part of the DARPA CHATS research program.
10 *
11 * This software was enhanced by SPARTA ISSO under SPAWAR contract
12 * N66001-04-C-6019 ("SEFOS").
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 /*
37 * Developed by the TrustedBSD Project.
38 *
39 * Administratively limit access to local UDP/TCP ports for binding purposes.
40 * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow
41 * specific uids and gids to bind specific ports for specific purposes,
42 * while not opening the door to any user replacing an "official" service
43 * while you're restarting it. This only affects ports explicitly bound by
44 * the user process (either for listen/outgoing socket for TCP, or send/
45 * receive for UDP). This module will not limit ports bound implicitly for
46 * out-going connections where the process hasn't explicitly selected a port:
47 * these are automatically selected by the IP stack.
48 *
49 * To use this module, security.mac.enforce_socket must be enabled, and you
50 * will probably want to twiddle the net.inet sysctl listed above. Then use
51 * sysctl(8) to modify the rules string:
52 *
53 * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
54 *
55 * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) and
56 * 79 (finger). User names and group names can't be used directly because
57 * the kernel only knows about uids and gids.
58 */
59
60 #include <sys/param.h>
61 #include <sys/domain.h>
62 #include <sys/kernel.h>
63 #include <sys/lock.h>
64 #include <sys/malloc.h>
65 #include <sys/module.h>
66 #include <sys/mutex.h>
67 #include <sys/priv.h>
68 #include <sys/proc.h>
69 #include <sys/protosw.h>
70 #include <sys/queue.h>
71 #include <sys/systm.h>
72 #include <sys/sbuf.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/sysctl.h>
76
77 #include <netinet/in.h>
78 #include <netinet/in_pcb.h>
79
80 #include <security/mac/mac_policy.h>
81
82 SYSCTL_DECL(_security_mac);
83
84 static SYSCTL_NODE(_security_mac, OID_AUTO, portacl,
85 CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
86 "TrustedBSD mac_portacl policy controls");
87
88 static int portacl_enabled = 1;
89 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RWTUN,
90 &portacl_enabled, 0, "Enforce portacl policy");
91
92 static int portacl_suser_exempt = 1;
93 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RWTUN,
94 &portacl_suser_exempt, 0, "Privilege permits binding of any port");
95
96 static int portacl_autoport_exempt = 1;
97 SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RWTUN,
98 &portacl_autoport_exempt, 0, "Allow automatic allocation through "
99 "binding port 0 if not IP_PORTRANGELOW");
100
101 static int portacl_port_high = 1023;
102 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RWTUN,
103 &portacl_port_high, 0, "Highest port to enforce for");
104
105 static MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl");
106
107 #define MAC_RULE_STRING_LEN 1024
108
109 #define RULE_GID 1
110 #define RULE_UID 2
111 #define RULE_PROTO_TCP 1
112 #define RULE_PROTO_UDP 2
113 struct rule {
114 id_t r_id;
115 int r_idtype;
116 u_int16_t r_port;
117 int r_protocol;
118
119 TAILQ_ENTRY(rule) r_entries;
120 };
121
122 #define GID_STRING "gid"
123 #define TCP_STRING "tcp"
124 #define UID_STRING "uid"
125 #define UDP_STRING "udp"
126
127 /*
128 * Text format for the rule string is that a rule consists of a
129 * comma-separated list of elements. Each element is in the form
130 * idtype:id:protocol:portnumber, and constitutes granting of permission
131 * for the specified binding.
132 */
133
134 static struct mtx rule_mtx;
135 static TAILQ_HEAD(rulehead, rule) rule_head;
136 static char rule_string[MAC_RULE_STRING_LEN];
137
138 static void
toast_rules(struct rulehead * head)139 toast_rules(struct rulehead *head)
140 {
141 struct rule *rule;
142
143 while ((rule = TAILQ_FIRST(head)) != NULL) {
144 TAILQ_REMOVE(head, rule, r_entries);
145 free(rule, M_PORTACL);
146 }
147 }
148
149 /*
150 * Note that there is an inherent race condition in the unload of modules
151 * and access via sysctl.
152 */
153 static void
destroy(struct mac_policy_conf * mpc)154 destroy(struct mac_policy_conf *mpc)
155 {
156
157 mtx_destroy(&rule_mtx);
158 toast_rules(&rule_head);
159 }
160
161 static void
init(struct mac_policy_conf * mpc)162 init(struct mac_policy_conf *mpc)
163 {
164
165 mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF);
166 TAILQ_INIT(&rule_head);
167 }
168
169 /*
170 * Note: parsing routines are destructive on the passed string.
171 */
172 static int
parse_rule_element(char * element,struct rule ** rule)173 parse_rule_element(char *element, struct rule **rule)
174 {
175 char *idtype, *id, *protocol, *portnumber, *p;
176 struct rule *new;
177 int error;
178
179 error = 0;
180 new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK);
181
182 idtype = strsep(&element, ":");
183 if (idtype == NULL) {
184 error = EINVAL;
185 goto out;
186 }
187 id = strsep(&element, ":");
188 if (id == NULL) {
189 error = EINVAL;
190 goto out;
191 }
192 new->r_id = strtol(id, &p, 10);
193 if (*p != '\0') {
194 error = EINVAL;
195 goto out;
196 }
197 if (strcmp(idtype, UID_STRING) == 0)
198 new->r_idtype = RULE_UID;
199 else if (strcmp(idtype, GID_STRING) == 0)
200 new->r_idtype = RULE_GID;
201 else {
202 error = EINVAL;
203 goto out;
204 }
205 protocol = strsep(&element, ":");
206 if (protocol == NULL) {
207 error = EINVAL;
208 goto out;
209 }
210 if (strcmp(protocol, TCP_STRING) == 0)
211 new->r_protocol = RULE_PROTO_TCP;
212 else if (strcmp(protocol, UDP_STRING) == 0)
213 new->r_protocol = RULE_PROTO_UDP;
214 else {
215 error = EINVAL;
216 goto out;
217 }
218 portnumber = element;
219 if (portnumber == NULL) {
220 error = EINVAL;
221 goto out;
222 }
223 new->r_port = strtol(portnumber, &p, 10);
224 if (*p != '\0') {
225 error = EINVAL;
226 goto out;
227 }
228
229 out:
230 if (error != 0) {
231 free(new, M_PORTACL);
232 *rule = NULL;
233 } else
234 *rule = new;
235 return (error);
236 }
237
238 static int
parse_rules(char * string,struct rulehead * head)239 parse_rules(char *string, struct rulehead *head)
240 {
241 struct rule *new;
242 char *element;
243 int error;
244
245 error = 0;
246 while ((element = strsep(&string, ",")) != NULL) {
247 if (strlen(element) == 0)
248 continue;
249 error = parse_rule_element(element, &new);
250 if (error)
251 goto out;
252 TAILQ_INSERT_TAIL(head, new, r_entries);
253 }
254 out:
255 if (error != 0)
256 toast_rules(head);
257 return (error);
258 }
259
260 /*
261 * rule_printf() and rules_to_string() are unused currently because they rely
262 * on sbufs with auto-extension, which may sleep while holding a mutex.
263 * Instead, the non-canonical user-generated rule string is returned to the
264 * user when the rules are queried, which is faster anyway.
265 */
266 #if 0
267 static void
268 rule_printf(struct sbuf *sb, struct rule *rule)
269 {
270 const char *idtype, *protocol;
271
272 switch(rule->r_idtype) {
273 case RULE_GID:
274 idtype = GID_STRING;
275 break;
276 case RULE_UID:
277 idtype = UID_STRING;
278 break;
279 default:
280 panic("rule_printf: unknown idtype (%d)\n", rule->r_idtype);
281 }
282
283 switch (rule->r_protocol) {
284 case RULE_PROTO_TCP:
285 protocol = TCP_STRING;
286 break;
287 case RULE_PROTO_UDP:
288 protocol = UDP_STRING;
289 break;
290 default:
291 panic("rule_printf: unknown protocol (%d)\n",
292 rule->r_protocol);
293 }
294 sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id,
295 protocol, rule->r_port);
296 }
297
298 static char *
299 rules_to_string(void)
300 {
301 struct rule *rule;
302 struct sbuf *sb;
303 int needcomma;
304 char *temp;
305
306 sb = sbuf_new_auto();
307 needcomma = 0;
308 mtx_lock(&rule_mtx);
309 for (rule = TAILQ_FIRST(&rule_head); rule != NULL;
310 rule = TAILQ_NEXT(rule, r_entries)) {
311 if (!needcomma)
312 needcomma = 1;
313 else
314 sbuf_printf(sb, ",");
315 rule_printf(sb, rule);
316 }
317 mtx_unlock(&rule_mtx);
318 sbuf_finish(sb);
319 temp = strdup(sbuf_data(sb), M_PORTACL);
320 sbuf_delete(sb);
321 return (temp);
322 }
323 #endif
324
325 /*
326 * Note: due to races, there is not a single serializable order
327 * between parallel calls to the sysctl.
328 */
329 static int
sysctl_rules(SYSCTL_HANDLER_ARGS)330 sysctl_rules(SYSCTL_HANDLER_ARGS)
331 {
332 char *string, *copy_string, *new_string;
333 struct rulehead head, save_head;
334 int error;
335
336 new_string = NULL;
337 if (req->newptr != NULL) {
338 new_string = malloc(MAC_RULE_STRING_LEN, M_PORTACL,
339 M_WAITOK | M_ZERO);
340 mtx_lock(&rule_mtx);
341 strcpy(new_string, rule_string);
342 mtx_unlock(&rule_mtx);
343 string = new_string;
344 } else
345 string = rule_string;
346
347 error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req);
348 if (error)
349 goto out;
350
351 if (req->newptr != NULL) {
352 copy_string = strdup(string, M_PORTACL);
353 TAILQ_INIT(&head);
354 error = parse_rules(copy_string, &head);
355 free(copy_string, M_PORTACL);
356 if (error)
357 goto out;
358
359 TAILQ_INIT(&save_head);
360 mtx_lock(&rule_mtx);
361 TAILQ_CONCAT(&save_head, &rule_head, r_entries);
362 TAILQ_CONCAT(&rule_head, &head, r_entries);
363 strcpy(rule_string, string);
364 mtx_unlock(&rule_mtx);
365 toast_rules(&save_head);
366 }
367 out:
368 if (new_string != NULL)
369 free(new_string, M_PORTACL);
370 return (error);
371 }
372
373 SYSCTL_PROC(_security_mac_portacl, OID_AUTO, rules,
374 CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_MPSAFE,
375 0, 0, sysctl_rules, "A",
376 "Rules");
377
378 static int
rules_check(struct ucred * cred,int family,int type,u_int16_t port)379 rules_check(struct ucred *cred, int family, int type, u_int16_t port)
380 {
381 struct rule *rule;
382 int error;
383
384 #if 0
385 printf("Check requested for euid %d, family %d, type %d, port %d\n",
386 cred->cr_uid, family, type, port);
387 #endif
388
389 if (port > portacl_port_high)
390 return (0);
391
392 error = EPERM;
393 mtx_lock(&rule_mtx);
394 for (rule = TAILQ_FIRST(&rule_head);
395 rule != NULL;
396 rule = TAILQ_NEXT(rule, r_entries)) {
397 if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP)
398 continue;
399 if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP)
400 continue;
401 if (port != rule->r_port)
402 continue;
403 if (rule->r_idtype == RULE_UID) {
404 if (cred->cr_uid == rule->r_id) {
405 error = 0;
406 break;
407 }
408 } else if (rule->r_idtype == RULE_GID) {
409 if (cred->cr_gid == rule->r_id) {
410 error = 0;
411 break;
412 } else if (groupmember(rule->r_id, cred)) {
413 error = 0;
414 break;
415 }
416 } else
417 panic("rules_check: unknown rule type %d",
418 rule->r_idtype);
419 }
420 mtx_unlock(&rule_mtx);
421
422 if (error != 0 && portacl_suser_exempt != 0)
423 error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT);
424
425 return (error);
426 }
427
428 /*
429 * Note, this only limits the ability to explicitly bind a port, it
430 * doesn't limit implicitly bound ports for outgoing connections where
431 * the source port is left up to the IP stack to determine automatically.
432 */
433 static int
socket_check_bind(struct ucred * cred,struct socket * so,struct label * solabel,struct sockaddr * sa)434 socket_check_bind(struct ucred *cred, struct socket *so,
435 struct label *solabel, struct sockaddr *sa)
436 {
437 struct sockaddr_in *sin;
438 struct inpcb *inp;
439 int family, type;
440 u_int16_t port;
441
442 /* Only run if we are enabled. */
443 if (portacl_enabled == 0)
444 return (0);
445
446 /* Only interested in IPv4 and IPv6 sockets. */
447 if (so->so_proto->pr_domain->dom_family != PF_INET &&
448 so->so_proto->pr_domain->dom_family != PF_INET6)
449 return (0);
450
451 /* Currently, we don't attempt to deal with SOCK_RAW, etc. */
452 if (so->so_type != SOCK_DGRAM &&
453 so->so_type != SOCK_STREAM)
454 return (0);
455
456 /* Reject addresses we don't understand; fail closed. */
457 if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
458 return (EINVAL);
459
460 family = so->so_proto->pr_domain->dom_family;
461 type = so->so_type;
462 sin = (struct sockaddr_in *) sa;
463 port = ntohs(sin->sin_port);
464
465 /*
466 * Sockets are frequently bound with a specific IP address but a port
467 * number of '0' to request automatic port allocation. This is often
468 * desirable as long as IP_PORTRANGELOW isn't set, which might permit
469 * automatic allocation of a "privileged" port. The autoport exempt
470 * flag exempts port 0 allocation from rule checking as long as a low
471 * port isn't required.
472 */
473 if (portacl_autoport_exempt && port == 0) {
474 inp = sotoinpcb(so);
475 if ((inp->inp_flags & INP_LOWPORT) == 0)
476 return (0);
477 }
478
479 return (rules_check(cred, family, type, port));
480 }
481
482 static struct mac_policy_ops portacl_ops =
483 {
484 .mpo_destroy = destroy,
485 .mpo_init = init,
486 .mpo_socket_check_bind = socket_check_bind,
487 };
488
489 MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
490 MPC_LOADTIME_FLAG_UNLOADOK, NULL);
491 MODULE_VERSION(mac_portacl, 1);
492