1 /*- 2 * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005-2006 SPARTA, Inc. 6 * Copyright (c) 2008-2009 Apple Inc. 7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by Network 13 * Associates Laboratories, the Security Research Division of Network 14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 15 * as part of the DARPA CHATS research program. 16 * 17 * This software was enhanced by SPARTA ISSO under SPAWAR contract 18 * N66001-04-C-6019 ("SEFOS"). 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 32 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 39 * SUCH DAMAGE. 40 */ 41 42 /*- 43 * Framework for extensible kernel access control. This file contains core 44 * kernel infrastructure for the TrustedBSD MAC Framework, including policy 45 * registration, versioning, locking, error composition operator, and system 46 * calls. 47 * 48 * The MAC Framework implements three programming interfaces: 49 * 50 * - The kernel MAC interface, defined in mac_framework.h, and invoked 51 * throughout the kernel to request security decisions, notify of security 52 * related events, etc. 53 * 54 * - The MAC policy module interface, defined in mac_policy.h, which is 55 * implemented by MAC policy modules and invoked by the MAC Framework to 56 * forward kernel security requests and notifications to policy modules. 57 * 58 * - The user MAC API, defined in mac.h, which allows user programs to query 59 * and set label state on objects. 60 * 61 * The majority of the MAC Framework implementation may be found in 62 * src/sys/security/mac. Sample policy modules may be found in 63 * src/sys/security/mac_*. 64 */ 65 66 #include "opt_kdtrace.h" 67 #include "opt_mac.h" 68 69 #include <sys/cdefs.h> 70 __FBSDID("$FreeBSD$"); 71 72 #include <sys/param.h> 73 #include <sys/condvar.h> 74 #include <sys/kernel.h> 75 #include <sys/lock.h> 76 #include <sys/mutex.h> 77 #include <sys/mac.h> 78 #include <sys/module.h> 79 #include <sys/sdt.h> 80 #include <sys/systm.h> 81 #include <sys/sysctl.h> 82 83 #include <security/mac/mac_framework.h> 84 #include <security/mac/mac_internal.h> 85 #include <security/mac/mac_policy.h> 86 87 /* 88 * DTrace SDT provider for MAC. 89 */ 90 SDT_PROVIDER_DEFINE(mac); 91 92 SDT_PROBE_DEFINE(mac, kernel, policy, modevent); 93 SDT_PROBE_ARGTYPE(mac, kernel, policy, modevent, 0, "int"); 94 SDT_PROBE_ARGTYPE(mac, kernel, policy, modevent, 1, 95 "struct mac_policy_conf *mpc"); 96 97 SDT_PROBE_DEFINE(mac, kernel, policy, register); 98 SDT_PROBE_ARGTYPE(mac, kernel, policy, register, 0, 99 "struct mac_policy_conf *"); 100 101 SDT_PROBE_DEFINE(mac, kernel, policy, unregister); 102 SDT_PROBE_ARGTYPE(mac, kernel, policy, unregister, 0, 103 "struct mac_policy_conf *"); 104 105 /* 106 * Root sysctl node for all MAC and MAC policy controls. 107 */ 108 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, 109 "TrustedBSD MAC policy controls"); 110 111 /* 112 * Declare that the kernel provides MAC support, version 3 (FreeBSD 7.x). 113 * This permits modules to refuse to be loaded if the necessary support isn't 114 * present, even if it's pre-boot. 115 */ 116 MODULE_VERSION(kernel_mac_support, MAC_VERSION); 117 118 static unsigned int mac_version = MAC_VERSION; 119 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0, 120 ""); 121 122 /* 123 * Labels consist of a indexed set of "slots", which are allocated policies 124 * as required. The MAC Framework maintains a bitmask of slots allocated so 125 * far to prevent reuse. Slots cannot be reused, as the MAC Framework 126 * guarantees that newly allocated slots in labels will be NULL unless 127 * otherwise initialized, and because we do not have a mechanism to garbage 128 * collect slots on policy unload. As labeled policies tend to be statically 129 * loaded during boot, and not frequently unloaded and reloaded, this is not 130 * generally an issue. 131 */ 132 #if MAC_MAX_SLOTS > 32 133 #error "MAC_MAX_SLOTS too large" 134 #endif 135 136 static unsigned int mac_max_slots = MAC_MAX_SLOTS; 137 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1; 138 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots, 139 0, ""); 140 141 /* 142 * Has the kernel started generating labeled objects yet? All read/write 143 * access to this variable is serialized during the boot process. Following 144 * the end of serialization, we don't update this flag; no locking. 145 */ 146 static int mac_late = 0; 147 148 /* 149 * Each policy declares a mask of object types requiring labels to be 150 * allocated for them. For convenience, we combine and cache the bitwise or 151 * of the per-policy object flags to track whether we will allocate a label 152 * for an object type at run-time. 153 */ 154 uint64_t mac_labeled; 155 SYSCTL_QUAD(_security_mac, OID_AUTO, labeled, CTLFLAG_RD, &mac_labeled, 0, 156 "Mask of object types being labeled"); 157 158 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); 159 160 /* 161 * mac_static_policy_list holds a list of policy modules that are not loaded 162 * while the system is "live", and cannot be unloaded. These policies can be 163 * invoked without holding the busy count. 164 * 165 * mac_policy_list stores the list of dynamic policies. A busy count is 166 * maintained for the list, stored in mac_policy_busy. The busy count is 167 * protected by mac_policy_mtx; the list may be modified only while the busy 168 * count is 0, requiring that the lock be held to prevent new references to 169 * the list from being acquired. For almost all operations, incrementing the 170 * busy count is sufficient to guarantee consistency, as the list cannot be 171 * modified while the busy count is elevated. For a few special operations 172 * involving a change to the list of active policies, the mtx itself must be 173 * held. A condition variable, mac_policy_cv, is used to signal potential 174 * exclusive consumers that they should try to acquire the lock if a first 175 * attempt at exclusive access fails. 176 * 177 * This design intentionally avoids fairness, and may starve attempts to 178 * acquire an exclusive lock on a busy system. This is required because we 179 * do not ever want acquiring a read reference to perform an unbounded length 180 * sleep. Read references are acquired in ithreads, network isrs, etc, and 181 * any unbounded blocking could lead quickly to deadlock. 182 * 183 * Another reason for never blocking on read references is that the MAC 184 * Framework may recurse: if a policy calls a VOP, for example, this might 185 * lead to vnode life cycle operations (such as init/destroy). 186 * 187 * If the kernel option MAC_STATIC has been compiled in, all locking becomes 188 * a no-op, and the global list of policies is not allowed to change after 189 * early boot. 190 * 191 * XXXRW: Currently, we signal mac_policy_cv every time the framework becomes 192 * unbusy and there is a thread waiting to enter it exclusively. Since it 193 * may take some time before the thread runs, we may issue a lot of signals. 194 * We should instead keep track of the fact that we've signalled, taking into 195 * account that the framework may be busy again by the time the thread runs, 196 * requiring us to re-signal. 197 */ 198 #ifndef MAC_STATIC 199 static struct mtx mac_policy_mtx; 200 static struct cv mac_policy_cv; 201 static int mac_policy_count; 202 static int mac_policy_wait; 203 #endif 204 struct mac_policy_list_head mac_policy_list; 205 struct mac_policy_list_head mac_static_policy_list; 206 207 /* 208 * We manually invoke WITNESS_WARN() to allow Witness to generate warnings 209 * even if we don't end up ever triggering the wait at run-time. The 210 * consumer of the exclusive interface must not hold any locks (other than 211 * potentially Giant) since we may sleep for long (potentially indefinite) 212 * periods of time waiting for the framework to become quiescent so that a 213 * policy list change may be made. 214 */ 215 void 216 mac_policy_grab_exclusive(void) 217 { 218 219 #ifndef MAC_STATIC 220 if (!mac_late) 221 return; 222 223 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 224 "mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__); 225 mtx_lock(&mac_policy_mtx); 226 while (mac_policy_count != 0) { 227 mac_policy_wait++; 228 cv_wait(&mac_policy_cv, &mac_policy_mtx); 229 mac_policy_wait--; 230 } 231 #endif 232 } 233 234 void 235 mac_policy_assert_exclusive(void) 236 { 237 238 #ifndef MAC_STATIC 239 if (!mac_late) 240 return; 241 242 mtx_assert(&mac_policy_mtx, MA_OWNED); 243 KASSERT(mac_policy_count == 0, 244 ("mac_policy_assert_exclusive(): not exclusive")); 245 #endif 246 } 247 248 void 249 mac_policy_release_exclusive(void) 250 { 251 #ifndef MAC_STATIC 252 int dowakeup; 253 254 if (!mac_late) 255 return; 256 257 KASSERT(mac_policy_count == 0, 258 ("mac_policy_release_exclusive(): not exclusive")); 259 dowakeup = (mac_policy_wait != 0); 260 mtx_unlock(&mac_policy_mtx); 261 if (dowakeup) 262 cv_signal(&mac_policy_cv); 263 #endif 264 } 265 266 void 267 mac_policy_list_busy(void) 268 { 269 270 #ifndef MAC_STATIC 271 if (!mac_late) 272 return; 273 274 mtx_lock(&mac_policy_mtx); 275 mac_policy_count++; 276 mtx_unlock(&mac_policy_mtx); 277 #endif 278 } 279 280 int 281 mac_policy_list_conditional_busy(void) 282 { 283 #ifndef MAC_STATIC 284 int ret; 285 286 if (!mac_late) 287 return (1); 288 289 mtx_lock(&mac_policy_mtx); 290 if (!LIST_EMPTY(&mac_policy_list)) { 291 mac_policy_count++; 292 ret = 1; 293 } else 294 ret = 0; 295 mtx_unlock(&mac_policy_mtx); 296 return (ret); 297 #else 298 return (1); 299 #endif 300 } 301 302 void 303 mac_policy_list_unbusy(void) 304 { 305 #ifndef MAC_STATIC 306 int dowakeup; 307 308 if (!mac_late) 309 return; 310 311 mtx_lock(&mac_policy_mtx); 312 mac_policy_count--; 313 KASSERT(mac_policy_count >= 0, ("MAC_POLICY_LIST_LOCK")); 314 dowakeup = (mac_policy_count == 0 && mac_policy_wait != 0); 315 mtx_unlock(&mac_policy_mtx); 316 317 if (dowakeup) 318 cv_signal(&mac_policy_cv); 319 #endif 320 } 321 322 /* 323 * Initialize the MAC subsystem, including appropriate SMP locks. 324 */ 325 static void 326 mac_init(void) 327 { 328 329 LIST_INIT(&mac_static_policy_list); 330 LIST_INIT(&mac_policy_list); 331 mac_labelzone_init(); 332 333 #ifndef MAC_STATIC 334 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF); 335 cv_init(&mac_policy_cv, "mac_policy_cv"); 336 #endif 337 } 338 339 /* 340 * For the purposes of modules that want to know if they were loaded "early", 341 * set the mac_late flag once we've processed modules either linked into the 342 * kernel, or loaded before the kernel startup. 343 */ 344 static void 345 mac_late_init(void) 346 { 347 348 mac_late = 1; 349 } 350 351 /* 352 * Given a policy, derive from its set of non-NULL label init methods what 353 * object types the policy is interested in. 354 */ 355 static uint64_t 356 mac_policy_getlabeled(struct mac_policy_conf *mpc) 357 { 358 uint64_t labeled; 359 360 #define MPC_FLAG(method, flag) \ 361 if (mpc->mpc_ops->mpo_ ## method != NULL) \ 362 labeled |= (flag); \ 363 364 labeled = 0; 365 MPC_FLAG(cred_init_label, MPC_OBJECT_CRED); 366 MPC_FLAG(proc_init_label, MPC_OBJECT_PROC); 367 MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE); 368 MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB); 369 MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET); 370 MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS); 371 MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF); 372 MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ); 373 MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET); 374 MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC); 375 MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE); 376 MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT); 377 MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM); 378 MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM); 379 MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG); 380 MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ); 381 MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM); 382 MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM); 383 MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE); 384 MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q); 385 386 #undef MPC_FLAG 387 return (labeled); 388 } 389 390 /* 391 * When policies are loaded or unloaded, walk the list of registered policies 392 * and built mac_labeled, a bitmask representing the union of all objects 393 * requiring labels across all policies. 394 */ 395 static void 396 mac_policy_updateflags(void) 397 { 398 struct mac_policy_conf *mpc; 399 400 mac_policy_assert_exclusive(); 401 402 mac_labeled = 0; 403 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) 404 mac_labeled |= mac_policy_getlabeled(mpc); 405 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) 406 mac_labeled |= mac_policy_getlabeled(mpc); 407 } 408 409 static int 410 mac_policy_register(struct mac_policy_conf *mpc) 411 { 412 struct mac_policy_conf *tmpc; 413 int error, slot, static_entry; 414 415 error = 0; 416 417 /* 418 * We don't technically need exclusive access while !mac_late, but 419 * hold it for assertion consistency. 420 */ 421 mac_policy_grab_exclusive(); 422 423 /* 424 * If the module can potentially be unloaded, or we're loading late, 425 * we have to stick it in the non-static list and pay an extra 426 * performance overhead. Otherwise, we can pay a light locking cost 427 * and stick it in the static list. 428 */ 429 static_entry = (!mac_late && 430 !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK)); 431 432 if (static_entry) { 433 LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { 434 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { 435 error = EEXIST; 436 goto out; 437 } 438 } 439 } else { 440 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { 441 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { 442 error = EEXIST; 443 goto out; 444 } 445 } 446 } 447 if (mpc->mpc_field_off != NULL) { 448 slot = ffs(mac_slot_offsets_free); 449 if (slot == 0) { 450 error = ENOMEM; 451 goto out; 452 } 453 slot--; 454 mac_slot_offsets_free &= ~(1 << slot); 455 *mpc->mpc_field_off = slot; 456 } 457 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 458 459 /* 460 * If we're loading a MAC module after the framework has initialized, 461 * it has to go into the dynamic list. If we're loading it before 462 * we've finished initializing, it can go into the static list with 463 * weaker locker requirements. 464 */ 465 if (static_entry) 466 LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list); 467 else 468 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 469 470 /* 471 * Per-policy initialization. Currently, this takes place under the 472 * exclusive lock, so policies must not sleep in their init method. 473 * In the future, we may want to separate "init" from "start", with 474 * "init" occuring without the lock held. Likewise, on tear-down, 475 * breaking out "stop" from "destroy". 476 */ 477 if (mpc->mpc_ops->mpo_init != NULL) 478 (*(mpc->mpc_ops->mpo_init))(mpc); 479 mac_policy_updateflags(); 480 481 SDT_PROBE(mac, kernel, policy, register, mpc, 0, 0, 0, 0); 482 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 483 mpc->mpc_name); 484 485 out: 486 mac_policy_release_exclusive(); 487 return (error); 488 } 489 490 static int 491 mac_policy_unregister(struct mac_policy_conf *mpc) 492 { 493 494 /* 495 * If we fail the load, we may get a request to unload. Check to see 496 * if we did the run-time registration, and if not, silently succeed. 497 */ 498 mac_policy_grab_exclusive(); 499 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) { 500 mac_policy_release_exclusive(); 501 return (0); 502 } 503 #if 0 504 /* 505 * Don't allow unloading modules with private data. 506 */ 507 if (mpc->mpc_field_off != NULL) { 508 MAC_POLICY_LIST_UNLOCK(); 509 return (EBUSY); 510 } 511 #endif 512 /* 513 * Only allow the unload to proceed if the module is unloadable by 514 * its own definition. 515 */ 516 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) { 517 mac_policy_release_exclusive(); 518 return (EBUSY); 519 } 520 if (mpc->mpc_ops->mpo_destroy != NULL) 521 (*(mpc->mpc_ops->mpo_destroy))(mpc); 522 523 LIST_REMOVE(mpc, mpc_list); 524 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; 525 mac_policy_updateflags(); 526 527 mac_policy_release_exclusive(); 528 529 SDT_PROBE(mac, kernel, policy, unregister, mpc, 0, 0, 0, 0); 530 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 531 mpc->mpc_name); 532 533 return (0); 534 } 535 536 /* 537 * Allow MAC policy modules to register during boot, etc. 538 */ 539 int 540 mac_policy_modevent(module_t mod, int type, void *data) 541 { 542 struct mac_policy_conf *mpc; 543 int error; 544 545 error = 0; 546 mpc = (struct mac_policy_conf *) data; 547 548 #ifdef MAC_STATIC 549 if (mac_late) { 550 printf("mac_policy_modevent: MAC_STATIC and late\n"); 551 return (EBUSY); 552 } 553 #endif 554 555 SDT_PROBE(mac, kernel, policy, modevent, type, mpc, 0, 0, 0); 556 switch (type) { 557 case MOD_LOAD: 558 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && 559 mac_late) { 560 printf("mac_policy_modevent: can't load %s policy " 561 "after booting\n", mpc->mpc_name); 562 error = EBUSY; 563 break; 564 } 565 error = mac_policy_register(mpc); 566 break; 567 case MOD_UNLOAD: 568 /* Don't unregister the module if it was never registered. */ 569 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) 570 != 0) 571 error = mac_policy_unregister(mpc); 572 else 573 error = 0; 574 break; 575 default: 576 error = EOPNOTSUPP; 577 break; 578 } 579 580 return (error); 581 } 582 583 /* 584 * Define an error value precedence, and given two arguments, selects the 585 * value with the higher precedence. 586 */ 587 int 588 mac_error_select(int error1, int error2) 589 { 590 591 /* Certain decision-making errors take top priority. */ 592 if (error1 == EDEADLK || error2 == EDEADLK) 593 return (EDEADLK); 594 595 /* Invalid arguments should be reported where possible. */ 596 if (error1 == EINVAL || error2 == EINVAL) 597 return (EINVAL); 598 599 /* Precedence goes to "visibility", with both process and file. */ 600 if (error1 == ESRCH || error2 == ESRCH) 601 return (ESRCH); 602 603 if (error1 == ENOENT || error2 == ENOENT) 604 return (ENOENT); 605 606 /* Precedence goes to DAC/MAC protections. */ 607 if (error1 == EACCES || error2 == EACCES) 608 return (EACCES); 609 610 /* Precedence goes to privilege. */ 611 if (error1 == EPERM || error2 == EPERM) 612 return (EPERM); 613 614 /* Precedence goes to error over success; otherwise, arbitrary. */ 615 if (error1 != 0) 616 return (error1); 617 return (error2); 618 } 619 620 int 621 mac_check_structmac_consistent(struct mac *mac) 622 { 623 624 if (mac->m_buflen < 0 || 625 mac->m_buflen > MAC_MAX_LABEL_BUF_LEN) 626 return (EINVAL); 627 628 return (0); 629 } 630 631 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); 632 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); 633