1 /*- 2 * Copyright (c) 1999-2002, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005-2006 SPARTA, Inc. 6 * Copyright (c) 2008 Apple Inc. 7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by McAfee 13 * Research, the Technology Research Division of Network Associates, Inc. 14 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 15 * DARPA CHATS research program. 16 * 17 * This software was enhanced by SPARTA ISSO under SPAWAR contract 18 * N66001-04-C-6019 ("SEFOS"). 19 * 20 * This software was developed at the University of Cambridge Computer 21 * Laboratory with support from a grant from Google, Inc. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the above copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45 #include <sys/cdefs.h> 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/kernel.h> 50 #include <sys/lock.h> 51 #include <sys/malloc.h> 52 #include <sys/mutex.h> 53 #include <sys/mac.h> 54 #include <sys/sbuf.h> 55 #include <sys/sdt.h> 56 #include <sys/systm.h> 57 #include <sys/mount.h> 58 #include <sys/file.h> 59 #include <sys/namei.h> 60 #include <sys/protosw.h> 61 #include <sys/socket.h> 62 #include <sys/socketvar.h> 63 #include <sys/sysctl.h> 64 65 #include <net/bpfdesc.h> 66 #include <net/if.h> 67 #include <net/if_var.h> 68 69 #include <netinet/in.h> 70 #include <netinet/in_pcb.h> 71 #include <netinet/ip_var.h> 72 73 #include <security/mac/mac_framework.h> 74 #include <security/mac/mac_internal.h> 75 #include <security/mac/mac_policy.h> 76 77 /* 78 * Currently, sockets hold two labels: the label of the socket itself, and a 79 * peer label, which may be used by policies to hold a copy of the label of 80 * any remote endpoint. 81 * 82 * Possibly, this peer label should be maintained at the protocol layer 83 * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain 84 * the label consistently. For example, it might be copied live from a 85 * remote socket for UNIX domain sockets rather than keeping a local copy on 86 * this endpoint, but be cached and updated based on packets received for 87 * TCP/IP. 88 * 89 * Unlike with many other object types, the lock protecting MAC labels on 90 * sockets (the socket lock) is not frequently held at the points in code 91 * where socket-related checks are called. The MAC Framework acquires the 92 * lock over some entry points in order to enforce atomicity (such as label 93 * copies) but in other cases the policy modules will have to acquire the 94 * lock themselves if they use labels. This approach (a) avoids lock 95 * acquisitions when policies don't require labels and (b) solves a number of 96 * potential lock order issues when multiple sockets are used in the same 97 * entry point. 98 */ 99 100 struct label * 101 mac_socket_label_alloc(int flag) 102 { 103 struct label *label; 104 int error; 105 106 label = mac_labelzone_alloc(flag); 107 if (label == NULL) 108 return (NULL); 109 110 if (flag & M_WAITOK) 111 MAC_POLICY_CHECK(socket_init_label, label, flag); 112 else 113 MAC_POLICY_CHECK_NOSLEEP(socket_init_label, label, flag); 114 if (error) { 115 MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label); 116 mac_labelzone_free(label); 117 return (NULL); 118 } 119 return (label); 120 } 121 122 static struct label * 123 mac_socketpeer_label_alloc(int flag) 124 { 125 struct label *label; 126 int error; 127 128 label = mac_labelzone_alloc(flag); 129 if (label == NULL) 130 return (NULL); 131 132 if (flag & M_WAITOK) 133 MAC_POLICY_CHECK(socketpeer_init_label, label, flag); 134 else 135 MAC_POLICY_CHECK_NOSLEEP(socketpeer_init_label, label, flag); 136 if (error) { 137 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label); 138 mac_labelzone_free(label); 139 return (NULL); 140 } 141 return (label); 142 } 143 144 int 145 mac_socket_init(struct socket *so, int flag) 146 { 147 148 if (mac_labeled & MPC_OBJECT_SOCKET) { 149 so->so_label = mac_socket_label_alloc(flag); 150 if (so->so_label == NULL) 151 return (ENOMEM); 152 so->so_peerlabel = mac_socketpeer_label_alloc(flag); 153 if (so->so_peerlabel == NULL) { 154 mac_socket_label_free(so->so_label); 155 so->so_label = NULL; 156 return (ENOMEM); 157 } 158 } else { 159 so->so_label = NULL; 160 so->so_peerlabel = NULL; 161 } 162 return (0); 163 } 164 165 void 166 mac_socket_label_free(struct label *label) 167 { 168 169 MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label); 170 mac_labelzone_free(label); 171 } 172 173 void 174 mac_socketpeer_label_free(struct label *label) 175 { 176 177 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label); 178 mac_labelzone_free(label); 179 } 180 181 void 182 mac_socket_destroy(struct socket *so) 183 { 184 185 if (so->so_label != NULL) { 186 mac_socket_label_free(so->so_label); 187 so->so_label = NULL; 188 if (!SOLISTENING(so)) { 189 mac_socketpeer_label_free(so->so_peerlabel); 190 so->so_peerlabel = NULL; 191 } 192 } 193 } 194 195 void 196 mac_socket_copy_label(struct label *src, struct label *dest) 197 { 198 199 MAC_POLICY_PERFORM_NOSLEEP(socket_copy_label, src, dest); 200 } 201 202 int 203 mac_socket_externalize_label(struct label *label, char *elements, 204 char *outbuf, size_t outbuflen) 205 { 206 int error; 207 208 MAC_POLICY_EXTERNALIZE(socket, label, elements, outbuf, outbuflen); 209 210 return (error); 211 } 212 213 static int 214 mac_socketpeer_externalize_label(struct label *label, char *elements, 215 char *outbuf, size_t outbuflen) 216 { 217 int error; 218 219 MAC_POLICY_EXTERNALIZE(socketpeer, label, elements, outbuf, 220 outbuflen); 221 222 return (error); 223 } 224 225 int 226 mac_socket_internalize_label(struct label *label, char *string) 227 { 228 int error; 229 230 MAC_POLICY_INTERNALIZE(socket, label, string); 231 232 return (error); 233 } 234 235 void 236 mac_socket_create(struct ucred *cred, struct socket *so) 237 { 238 239 MAC_POLICY_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label); 240 } 241 242 void 243 mac_socket_newconn(struct socket *oldso, struct socket *newso) 244 { 245 246 MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label, 247 newso, newso->so_label); 248 } 249 250 static void 251 mac_socket_relabel(struct ucred *cred, struct socket *so, 252 struct label *newlabel) 253 { 254 255 SOCK_LOCK_ASSERT(so); 256 257 MAC_POLICY_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label, 258 newlabel); 259 } 260 261 void 262 mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so) 263 { 264 struct label *label; 265 266 if (mac_policy_count == 0) 267 return; 268 269 label = mac_mbuf_to_label(m); 270 271 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so, 272 so->so_peerlabel); 273 } 274 275 void 276 mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso) 277 { 278 279 if (mac_policy_count == 0) 280 return; 281 282 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso, 283 oldso->so_label, newso, newso->so_peerlabel); 284 } 285 286 void 287 mac_socket_create_mbuf(struct socket *so, struct mbuf *m) 288 { 289 struct label *label; 290 291 if (mac_policy_count == 0) 292 return; 293 294 label = mac_mbuf_to_label(m); 295 296 MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m, 297 label); 298 } 299 300 MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *", 301 "struct socket *"); 302 303 int 304 mac_socket_check_accept(struct ucred *cred, struct socket *so) 305 { 306 int error; 307 308 MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so, 309 so->so_label); 310 MAC_CHECK_PROBE2(socket_check_accept, error, cred, so); 311 312 return (error); 313 } 314 315 MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *", 316 "struct socket *", "struct sockaddr *"); 317 318 int 319 mac_socket_check_bind(struct ucred *cred, struct socket *so, 320 struct sockaddr *sa) 321 { 322 int error; 323 324 MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label, 325 sa); 326 MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa); 327 328 return (error); 329 } 330 331 MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *", 332 "struct socket *", "struct sockaddr *"); 333 334 int 335 mac_socket_check_connect(struct ucred *cred, struct socket *so, 336 struct sockaddr *sa) 337 { 338 int error; 339 340 MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so, 341 so->so_label, sa); 342 MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa); 343 344 return (error); 345 } 346 347 MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int", 348 "int"); 349 350 int 351 mac_socket_check_create(struct ucred *cred, int domain, int type, int proto) 352 { 353 int error; 354 355 MAC_POLICY_CHECK_NOSLEEP(socket_check_create, cred, domain, type, 356 proto); 357 MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type, 358 proto); 359 360 return (error); 361 } 362 363 MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *", 364 "struct mbuf *"); 365 366 int 367 mac_socket_check_deliver(struct socket *so, struct mbuf *m) 368 { 369 struct label *label; 370 int error; 371 372 if (mac_policy_count == 0) 373 return (0); 374 375 label = mac_mbuf_to_label(m); 376 377 MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m, 378 label); 379 MAC_CHECK_PROBE2(socket_check_deliver, error, so, m); 380 381 return (error); 382 } 383 384 MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *", 385 "struct socket *"); 386 387 int 388 mac_socket_check_listen(struct ucred *cred, struct socket *so) 389 { 390 int error; 391 392 MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so, 393 so->so_label); 394 MAC_CHECK_PROBE2(socket_check_listen, error, cred, so); 395 396 return (error); 397 } 398 399 MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *", 400 "struct socket *"); 401 402 int 403 mac_socket_check_poll(struct ucred *cred, struct socket *so) 404 { 405 int error; 406 407 MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label); 408 MAC_CHECK_PROBE2(socket_check_poll, error, cred, so); 409 410 return (error); 411 } 412 413 MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *", 414 "struct socket *"); 415 416 int 417 mac_socket_check_receive(struct ucred *cred, struct socket *so) 418 { 419 int error; 420 421 MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so, 422 so->so_label); 423 MAC_CHECK_PROBE2(socket_check_receive, error, cred, so); 424 425 return (error); 426 } 427 428 MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *", 429 "struct socket *", "struct label *"); 430 431 static int 432 mac_socket_check_relabel(struct ucred *cred, struct socket *so, 433 struct label *newlabel) 434 { 435 int error; 436 437 SOCK_LOCK_ASSERT(so); 438 439 MAC_POLICY_CHECK_NOSLEEP(socket_check_relabel, cred, so, 440 so->so_label, newlabel); 441 MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel); 442 443 return (error); 444 } 445 446 MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *", 447 "struct socket *"); 448 449 int 450 mac_socket_check_send(struct ucred *cred, struct socket *so) 451 { 452 int error; 453 454 MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label); 455 MAC_CHECK_PROBE2(socket_check_send, error, cred, so); 456 457 return (error); 458 } 459 460 MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *", 461 "struct socket *"); 462 463 int 464 mac_socket_check_stat(struct ucred *cred, struct socket *so) 465 { 466 int error; 467 468 MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label); 469 MAC_CHECK_PROBE2(socket_check_stat, error, cred, so); 470 471 return (error); 472 } 473 474 MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *", 475 "struct socket *"); 476 477 int 478 mac_socket_check_visible(struct ucred *cred, struct socket *so) 479 { 480 int error; 481 482 MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so, 483 so->so_label); 484 MAC_CHECK_PROBE2(socket_check_visible, error, cred, so); 485 486 return (error); 487 } 488 489 int 490 mac_socket_label_set(struct ucred *cred, struct socket *so, 491 struct label *label) 492 { 493 int error; 494 495 /* 496 * We acquire the socket lock when we perform the test and set, but 497 * have to release it as the pcb code needs to acquire the pcb lock, 498 * which will precede the socket lock in the lock order. However, 499 * this is fine, as any race will simply result in the inpcb being 500 * refreshed twice, but still consistently, as the inpcb code will 501 * acquire the socket lock before refreshing, holding both locks. 502 */ 503 SOCK_LOCK(so); 504 error = mac_socket_check_relabel(cred, so, label); 505 if (error) { 506 SOCK_UNLOCK(so); 507 return (error); 508 } 509 510 mac_socket_relabel(cred, so, label); 511 SOCK_UNLOCK(so); 512 513 /* 514 * If the protocol has expressed interest in socket layer changes, 515 * such as if it needs to propagate changes to a cached pcb label 516 * from the socket, notify it of the label change while holding the 517 * socket lock. 518 */ 519 if (so->so_proto->pr_sosetlabel != NULL) 520 so->so_proto->pr_sosetlabel(so); 521 522 return (0); 523 } 524 525 int 526 mac_setsockopt_label(struct ucred *cred, struct socket *so, 527 const struct mac *mac) 528 { 529 struct label *intlabel; 530 char *buffer; 531 int error; 532 533 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 534 return (EINVAL); 535 536 error = mac_check_structmac_consistent(mac); 537 if (error) 538 return (error); 539 540 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 541 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 542 if (error) { 543 free(buffer, M_MACTEMP); 544 return (error); 545 } 546 547 intlabel = mac_socket_label_alloc(M_WAITOK); 548 error = mac_socket_internalize_label(intlabel, buffer); 549 free(buffer, M_MACTEMP); 550 if (error) 551 goto out; 552 553 error = mac_socket_label_set(cred, so, intlabel); 554 out: 555 mac_socket_label_free(intlabel); 556 return (error); 557 } 558 559 int 560 mac_getsockopt_label(struct ucred *cred, struct socket *so, 561 const struct mac *mac) 562 { 563 char *buffer, *elements; 564 struct label *intlabel; 565 int error; 566 567 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 568 return (EINVAL); 569 570 error = mac_check_structmac_consistent(mac); 571 if (error) 572 return (error); 573 574 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 575 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 576 if (error) { 577 free(elements, M_MACTEMP); 578 return (error); 579 } 580 581 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 582 intlabel = mac_socket_label_alloc(M_WAITOK); 583 SOCK_LOCK(so); 584 mac_socket_copy_label(so->so_label, intlabel); 585 SOCK_UNLOCK(so); 586 error = mac_socket_externalize_label(intlabel, elements, buffer, 587 mac->m_buflen); 588 mac_socket_label_free(intlabel); 589 if (error == 0) 590 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 591 592 free(buffer, M_MACTEMP); 593 free(elements, M_MACTEMP); 594 595 return (error); 596 } 597 598 int 599 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, 600 const struct mac *mac) 601 { 602 char *elements, *buffer; 603 struct label *intlabel; 604 int error; 605 606 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 607 return (EINVAL); 608 609 error = mac_check_structmac_consistent(mac); 610 if (error) 611 return (error); 612 613 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 614 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 615 if (error) { 616 free(elements, M_MACTEMP); 617 return (error); 618 } 619 620 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 621 intlabel = mac_socket_label_alloc(M_WAITOK); 622 SOCK_LOCK(so); 623 if (SOLISTENING(so)) 624 error = EINVAL; 625 else 626 mac_socket_copy_label(so->so_peerlabel, intlabel); 627 SOCK_UNLOCK(so); 628 if (error == 0) { 629 error = mac_socketpeer_externalize_label(intlabel, elements, buffer, 630 mac->m_buflen); 631 } 632 mac_socket_label_free(intlabel); 633 if (error == 0) 634 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 635 636 free(buffer, M_MACTEMP); 637 free(elements, M_MACTEMP); 638 639 return (error); 640 } 641