1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by Network 11 * Associates Laboratories, the Security Research Division of Network 12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 13 * as part of the DARPA CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37 #include <sys/cdefs.h> 38 __FBSDID("$FreeBSD$"); 39 40 #include "opt_mac.h" 41 42 #include <sys/param.h> 43 #include <sys/kernel.h> 44 #include <sys/lock.h> 45 #include <sys/malloc.h> 46 #include <sys/mutex.h> 47 #include <sys/mac.h> 48 #include <sys/sbuf.h> 49 #include <sys/systm.h> 50 #include <sys/mount.h> 51 #include <sys/file.h> 52 #include <sys/namei.h> 53 #include <sys/protosw.h> 54 #include <sys/socket.h> 55 #include <sys/socketvar.h> 56 #include <sys/sysctl.h> 57 58 #include <sys/mac_policy.h> 59 60 #include <net/bpfdesc.h> 61 #include <net/if.h> 62 #include <net/if_var.h> 63 64 #include <security/mac/mac_internal.h> 65 66 /* 67 * mac_enforce_network is used by IPv4 and IPv6 checks, and so must 68 * be non-static for now. 69 */ 70 int mac_enforce_network = 1; 71 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 72 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 73 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 74 75 #ifdef MAC_DEBUG 76 static unsigned int nmacbpfdescs, nmacifnets, nmacmbufs; 77 78 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 79 &nmacbpfdescs, 0, "number of bpfdescs in use"); 80 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, 81 &nmacifnets, 0, "number of ifnets in use"); 82 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, 83 &nmacmbufs, 0, "number of mbufs in use"); 84 #endif 85 86 /* 87 * XXXRW: struct ifnet locking is incomplete in the network code, so we 88 * use our own global mutex for struct ifnet. Non-ideal, but should help 89 * in the SMP environment. 90 */ 91 static struct mtx mac_ifnet_mtx; 92 MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF); 93 #define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx) 94 #define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx) 95 96 struct label * 97 mac_mbuf_to_label(struct mbuf *mbuf) 98 { 99 struct m_tag *tag; 100 struct label *label; 101 102 if (mbuf == NULL) 103 return (NULL); 104 tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); 105 if (tag == NULL) 106 return (NULL); 107 label = (struct label *)(tag+1); 108 return (label); 109 } 110 111 static struct label * 112 mac_bpfdesc_label_alloc(void) 113 { 114 struct label *label; 115 116 label = mac_labelzone_alloc(M_WAITOK); 117 MAC_PERFORM(init_bpfdesc_label, label); 118 MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); 119 return (label); 120 } 121 122 void 123 mac_init_bpfdesc(struct bpf_d *bpf_d) 124 { 125 126 bpf_d->bd_label = mac_bpfdesc_label_alloc(); 127 } 128 129 static struct label * 130 mac_ifnet_label_alloc(void) 131 { 132 struct label *label; 133 134 label = mac_labelzone_alloc(M_WAITOK); 135 MAC_PERFORM(init_ifnet_label, label); 136 MAC_DEBUG_COUNTER_INC(&nmacifnets); 137 return (label); 138 } 139 140 void 141 mac_init_ifnet(struct ifnet *ifp) 142 { 143 144 ifp->if_label = mac_ifnet_label_alloc(); 145 } 146 147 int 148 mac_init_mbuf_tag(struct m_tag *tag, int flag) 149 { 150 struct label *label; 151 int error; 152 153 label = (struct label *) (tag + 1); 154 mac_init_label(label); 155 156 MAC_CHECK(init_mbuf_label, label, flag); 157 if (error) { 158 MAC_PERFORM(destroy_mbuf_label, label); 159 mac_destroy_label(label); 160 } else { 161 MAC_DEBUG_COUNTER_INC(&nmacmbufs); 162 } 163 return (error); 164 } 165 166 int 167 mac_init_mbuf(struct mbuf *m, int flag) 168 { 169 struct m_tag *tag; 170 int error; 171 172 M_ASSERTPKTHDR(m); 173 174 #ifndef MAC_ALWAYS_LABEL_MBUF 175 /* 176 * If conditionally allocating mbuf labels, don't allocate unless 177 * they are required. 178 */ 179 if (!mac_labelmbufs) 180 return (0); 181 #endif 182 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 183 flag); 184 if (tag == NULL) 185 return (ENOMEM); 186 error = mac_init_mbuf_tag(tag, flag); 187 if (error) { 188 m_tag_free(tag); 189 return (error); 190 } 191 m_tag_prepend(m, tag); 192 return (0); 193 } 194 195 static void 196 mac_bpfdesc_label_free(struct label *label) 197 { 198 199 MAC_PERFORM(destroy_bpfdesc_label, label); 200 mac_labelzone_free(label); 201 MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); 202 } 203 204 void 205 mac_destroy_bpfdesc(struct bpf_d *bpf_d) 206 { 207 208 mac_bpfdesc_label_free(bpf_d->bd_label); 209 bpf_d->bd_label = NULL; 210 } 211 212 static void 213 mac_ifnet_label_free(struct label *label) 214 { 215 216 MAC_PERFORM(destroy_ifnet_label, label); 217 mac_labelzone_free(label); 218 MAC_DEBUG_COUNTER_DEC(&nmacifnets); 219 } 220 221 void 222 mac_destroy_ifnet(struct ifnet *ifp) 223 { 224 225 mac_ifnet_label_free(ifp->if_label); 226 ifp->if_label = NULL; 227 } 228 229 void 230 mac_destroy_mbuf_tag(struct m_tag *tag) 231 { 232 struct label *label; 233 234 label = (struct label *)(tag+1); 235 236 MAC_PERFORM(destroy_mbuf_label, label); 237 mac_destroy_label(label); 238 MAC_DEBUG_COUNTER_DEC(&nmacmbufs); 239 } 240 241 void 242 mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) 243 { 244 struct label *src_label, *dest_label; 245 246 src_label = (struct label *)(src+1); 247 dest_label = (struct label *)(dest+1); 248 249 /* 250 * mac_init_mbuf_tag() is called on the target tag in 251 * m_tag_copy(), so we don't need to call it here. 252 */ 253 MAC_PERFORM(copy_mbuf_label, src_label, dest_label); 254 } 255 256 void 257 mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to) 258 { 259 struct label *src_label, *dest_label; 260 261 src_label = mac_mbuf_to_label(m_from); 262 dest_label = mac_mbuf_to_label(m_to); 263 264 MAC_PERFORM(copy_mbuf_label, src_label, dest_label); 265 } 266 267 static void 268 mac_copy_ifnet_label(struct label *src, struct label *dest) 269 { 270 271 MAC_PERFORM(copy_ifnet_label, src, dest); 272 } 273 274 static int 275 mac_externalize_ifnet_label(struct label *label, char *elements, 276 char *outbuf, size_t outbuflen) 277 { 278 int error; 279 280 MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); 281 282 return (error); 283 } 284 285 static int 286 mac_internalize_ifnet_label(struct label *label, char *string) 287 { 288 int error; 289 290 MAC_INTERNALIZE(ifnet, label, string); 291 292 return (error); 293 } 294 295 void 296 mac_create_ifnet(struct ifnet *ifnet) 297 { 298 299 MAC_IFNET_LOCK(ifnet); 300 MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label); 301 MAC_IFNET_UNLOCK(ifnet); 302 } 303 304 void 305 mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 306 { 307 308 MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label); 309 } 310 311 void 312 mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 313 { 314 struct label *label; 315 316 BPFD_LOCK_ASSERT(bpf_d); 317 318 label = mac_mbuf_to_label(mbuf); 319 320 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf, 321 label); 322 } 323 324 void 325 mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 326 { 327 struct label *label; 328 329 label = mac_mbuf_to_label(mbuf); 330 331 MAC_IFNET_LOCK(ifnet); 332 MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf, 333 label); 334 MAC_IFNET_UNLOCK(ifnet); 335 } 336 337 void 338 mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 339 { 340 struct label *label; 341 342 label = mac_mbuf_to_label(mbuf); 343 344 MAC_IFNET_LOCK(ifnet); 345 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf, 346 label); 347 MAC_IFNET_UNLOCK(ifnet); 348 } 349 350 void 351 mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 352 struct mbuf *newmbuf) 353 { 354 struct label *oldmbuflabel, *newmbuflabel; 355 356 oldmbuflabel = mac_mbuf_to_label(oldmbuf); 357 newmbuflabel = mac_mbuf_to_label(newmbuf); 358 359 MAC_IFNET_LOCK(ifnet); 360 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, 361 ifnet, ifnet->if_label, newmbuf, newmbuflabel); 362 MAC_IFNET_UNLOCK(ifnet); 363 } 364 365 void 366 mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 367 { 368 struct label *oldmbuflabel, *newmbuflabel; 369 370 oldmbuflabel = mac_mbuf_to_label(oldmbuf); 371 newmbuflabel = mac_mbuf_to_label(newmbuf); 372 373 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf, 374 newmbuflabel); 375 } 376 377 int 378 mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 379 { 380 int error; 381 382 BPFD_LOCK_ASSERT(bpf_d); 383 384 if (!mac_enforce_network) 385 return (0); 386 387 MAC_IFNET_LOCK(ifnet); 388 MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, 389 ifnet->if_label); 390 MAC_IFNET_UNLOCK(ifnet); 391 392 return (error); 393 } 394 395 int 396 mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 397 { 398 struct label *label; 399 int error; 400 401 M_ASSERTPKTHDR(mbuf); 402 403 if (!mac_enforce_network) 404 return (0); 405 406 label = mac_mbuf_to_label(mbuf); 407 408 MAC_IFNET_LOCK(ifnet); 409 MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf, 410 label); 411 MAC_IFNET_UNLOCK(ifnet); 412 413 return (error); 414 } 415 416 int 417 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 418 struct ifnet *ifnet) 419 { 420 char *elements, *buffer; 421 struct label *intlabel; 422 struct mac mac; 423 int error; 424 425 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 426 if (error) 427 return (error); 428 429 error = mac_check_structmac_consistent(&mac); 430 if (error) 431 return (error); 432 433 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 434 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 435 if (error) { 436 free(elements, M_MACTEMP); 437 return (error); 438 } 439 440 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 441 intlabel = mac_ifnet_label_alloc(); 442 MAC_IFNET_LOCK(ifnet); 443 mac_copy_ifnet_label(ifnet->if_label, intlabel); 444 MAC_IFNET_UNLOCK(ifnet); 445 error = mac_externalize_ifnet_label(ifnet->if_label, elements, 446 buffer, mac.m_buflen); 447 mac_ifnet_label_free(intlabel); 448 if (error == 0) 449 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 450 451 free(buffer, M_MACTEMP); 452 free(elements, M_MACTEMP); 453 454 return (error); 455 } 456 457 int 458 mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 459 struct ifnet *ifnet) 460 { 461 struct label *intlabel; 462 struct mac mac; 463 char *buffer; 464 int error; 465 466 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 467 if (error) 468 return (error); 469 470 error = mac_check_structmac_consistent(&mac); 471 if (error) 472 return (error); 473 474 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 475 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 476 if (error) { 477 free(buffer, M_MACTEMP); 478 return (error); 479 } 480 481 intlabel = mac_ifnet_label_alloc(); 482 error = mac_internalize_ifnet_label(intlabel, buffer); 483 free(buffer, M_MACTEMP); 484 if (error) { 485 mac_ifnet_label_free(intlabel); 486 return (error); 487 } 488 489 /* 490 * XXX: Note that this is a redundant privilege check, since 491 * policies impose this check themselves if required by the 492 * policy. Eventually, this should go away. 493 */ 494 error = suser_cred(cred, 0); 495 if (error) { 496 mac_ifnet_label_free(intlabel); 497 return (error); 498 } 499 500 MAC_IFNET_LOCK(ifnet); 501 MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, 502 intlabel); 503 if (error) { 504 MAC_IFNET_UNLOCK(ifnet); 505 mac_ifnet_label_free(intlabel); 506 return (error); 507 } 508 509 MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); 510 MAC_IFNET_UNLOCK(ifnet); 511 512 mac_ifnet_label_free(intlabel); 513 return (0); 514 } 515