1 /*- 2 * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 Samy Al Bahra 6 * Copyright (c) 2006 SPARTA, Inc. 7 * Copyright (c) 2008 Apple Inc. 8 * All rights reserved. 9 * 10 * This software was developed by Robert Watson and Ilmar Habibulin for the 11 * TrustedBSD Project. 12 * 13 * This software was developed for the FreeBSD Project in part by Network 14 * Associates Laboratories, the Security Research Division of Network 15 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 16 * as part of the DARPA CHATS research program. 17 * 18 * This software was enhanced by SPARTA ISSO under SPAWAR contract 19 * N66001-04-C-6019 ("SEFOS"). 20 * 21 * This software was developed at the University of Cambridge Computer 22 * Laboratory with support from a grant from Google, Inc. 23 * 24 * Redistribution and use in source and binary forms, with or without 25 * modification, are permitted provided that the following conditions 26 * are met: 27 * 1. Redistributions of source code must retain the above copyright 28 * notice, this list of conditions and the following disclaimer. 29 * 2. Redistributions in binary form must reproduce the above copyright 30 * notice, this list of conditions and the following disclaimer in the 31 * documentation and/or other materials provided with the distribution. 32 * 33 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 34 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 35 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 36 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 37 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 38 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 39 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 40 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 41 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 42 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 43 * SUCH DAMAGE. 44 */ 45 46 #include <sys/cdefs.h> 47 #include "opt_mac.h" 48 49 #include <sys/param.h> 50 #include <sys/condvar.h> 51 #include <sys/imgact.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/malloc.h> 55 #include <sys/mutex.h> 56 #include <sys/mac.h> 57 #include <sys/proc.h> 58 #include <sys/sbuf.h> 59 #include <sys/sdt.h> 60 #include <sys/systm.h> 61 #include <sys/vnode.h> 62 #include <sys/mount.h> 63 #include <sys/file.h> 64 #include <sys/namei.h> 65 #include <sys/sysctl.h> 66 67 #include <vm/vm.h> 68 #include <vm/pmap.h> 69 #include <vm/vm_map.h> 70 #include <vm/vm_object.h> 71 72 #include <security/mac/mac_framework.h> 73 #include <security/mac/mac_internal.h> 74 #include <security/mac/mac_policy.h> 75 76 struct label * 77 mac_cred_label_alloc(void) 78 { 79 struct label *label; 80 81 label = mac_labelzone_alloc(M_WAITOK); 82 MAC_POLICY_PERFORM(cred_init_label, label); 83 return (label); 84 } 85 86 void 87 mac_cred_init(struct ucred *cred) 88 { 89 90 if (mac_labeled & MPC_OBJECT_CRED) 91 cred->cr_label = mac_cred_label_alloc(); 92 else 93 cred->cr_label = NULL; 94 } 95 96 void 97 mac_cred_label_free(struct label *label) 98 { 99 100 MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label); 101 mac_labelzone_free(label); 102 } 103 104 void 105 mac_cred_destroy(struct ucred *cred) 106 { 107 108 if (cred->cr_label != NULL) { 109 mac_cred_label_free(cred->cr_label); 110 cred->cr_label = NULL; 111 } 112 } 113 114 /* 115 * When a thread becomes an NFS server daemon, its credential may need to be 116 * updated to reflect this so that policies can recognize when file system 117 * operations originate from the network. 118 * 119 * At some point, it would be desirable if the credential used for each NFS 120 * RPC could be set based on the RPC context (i.e., source system, etc) to 121 * provide more fine-grained access control. 122 */ 123 void 124 mac_cred_associate_nfsd(struct ucred *cred) 125 { 126 127 MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred); 128 } 129 130 /* 131 * Initialize MAC label for the first kernel process, from which other kernel 132 * processes and threads are spawned. 133 */ 134 void 135 mac_cred_create_swapper(struct ucred *cred) 136 { 137 138 MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred); 139 } 140 141 /* 142 * Initialize MAC label for the first userland process, from which other 143 * userland processes and threads are spawned. 144 */ 145 void 146 mac_cred_create_init(struct ucred *cred) 147 { 148 149 MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred); 150 } 151 152 int 153 mac_cred_externalize_label(struct label *label, char *elements, 154 char *outbuf, size_t outbuflen) 155 { 156 int error; 157 158 MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); 159 160 return (error); 161 } 162 163 int 164 mac_cred_internalize_label(struct label *label, char *string) 165 { 166 int error; 167 168 MAC_POLICY_INTERNALIZE(cred, label, string); 169 170 return (error); 171 } 172 173 /* 174 * When a new process is created, its label must be initialized. Generally, 175 * this involves inheritance from the parent process, modulo possible deltas. 176 * This function allows that processing to take place. 177 */ 178 void 179 mac_cred_copy(struct ucred *src, struct ucred *dest) 180 { 181 182 MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, 183 dest->cr_label); 184 } 185 186 /* 187 * When the subject's label changes, it may require revocation of privilege 188 * to mapped objects. This can't be done on-the-fly later with a unified 189 * buffer cache. 190 */ 191 void 192 mac_cred_relabel(struct ucred *cred, struct label *newlabel) 193 { 194 195 MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); 196 } 197 198 MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *", 199 "struct label *"); 200 201 int 202 mac_cred_check_relabel(struct ucred *cred, struct label *newlabel) 203 { 204 int error; 205 206 MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel); 207 MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel); 208 209 return (error); 210 } 211 212 MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t"); 213 214 int 215 mac_cred_check_setuid(struct ucred *cred, uid_t uid) 216 { 217 int error; 218 219 MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid); 220 MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); 221 222 return (error); 223 } 224 225 MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t"); 226 227 int 228 mac_cred_check_seteuid(struct ucred *cred, uid_t euid) 229 { 230 int error; 231 232 MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid); 233 MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); 234 235 return (error); 236 } 237 238 MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t"); 239 240 int 241 mac_cred_check_setgid(struct ucred *cred, gid_t gid) 242 { 243 int error; 244 245 MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid); 246 MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); 247 248 return (error); 249 } 250 251 MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t"); 252 253 int 254 mac_cred_check_setegid(struct ucred *cred, gid_t egid) 255 { 256 int error; 257 258 MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid); 259 MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); 260 261 return (error); 262 } 263 264 MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int", 265 "gid_t *"); 266 267 int 268 mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) 269 { 270 int error; 271 272 MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset); 273 MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); 274 275 return (error); 276 } 277 278 MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t", 279 "uid_t"); 280 281 int 282 mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 283 { 284 int error; 285 286 MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid); 287 MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); 288 289 return (error); 290 } 291 292 MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t", 293 "gid_t"); 294 295 int 296 mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 297 { 298 int error; 299 300 MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid); 301 MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); 302 303 return (error); 304 } 305 306 MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t", 307 "uid_t", "uid_t"); 308 309 int 310 mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 311 uid_t suid) 312 { 313 int error; 314 315 MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid); 316 MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, 317 suid); 318 319 return (error); 320 } 321 322 MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t", 323 "gid_t", "gid_t"); 324 325 int 326 mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 327 gid_t sgid) 328 { 329 int error; 330 331 MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid); 332 MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, 333 sgid); 334 335 return (error); 336 } 337 338 MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", 339 "struct ucred *"); 340 341 int 342 mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) 343 { 344 int error; 345 346 MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2); 347 MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2); 348 349 return (error); 350 } 351