xref: /freebsd/sys/security/mac/mac_socket.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*-
2  * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
3  * Copyright (c) 2001 Ilmar S. Habibulin
4  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5  * Copyright (c) 2005-2006 SPARTA, Inc.
6  * Copyright (c) 2008 Apple Inc.
7  * All rights reserved.
8  *
9  * This software was developed by Robert Watson and Ilmar Habibulin for the
10  * TrustedBSD Project.
11  *
12  * This software was developed for the FreeBSD Project in part by McAfee
13  * Research, the Technology Research Division of Network Associates, Inc.
14  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
15  * DARPA CHATS research program.
16  *
17  * This software was enhanced by SPARTA ISSO under SPAWAR contract
18  * N66001-04-C-6019 ("SEFOS").
19  *
20  * This software was developed at the University of Cambridge Computer
21  * Laboratory with support from a grant from Google, Inc.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  *
32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
33  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
36  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42  * SUCH DAMAGE.
43  */
44 
45 #include <sys/cdefs.h>
46 #include "opt_mac.h"
47 
48 #include <sys/param.h>
49 #include <sys/kernel.h>
50 #include <sys/lock.h>
51 #include <sys/malloc.h>
52 #include <sys/mutex.h>
53 #include <sys/mac.h>
54 #include <sys/sbuf.h>
55 #include <sys/sdt.h>
56 #include <sys/systm.h>
57 #include <sys/mount.h>
58 #include <sys/file.h>
59 #include <sys/namei.h>
60 #include <sys/protosw.h>
61 #include <sys/socket.h>
62 #include <sys/socketvar.h>
63 #include <sys/sysctl.h>
64 
65 #include <net/bpfdesc.h>
66 #include <net/if.h>
67 #include <net/if_var.h>
68 
69 #include <netinet/in.h>
70 #include <netinet/in_pcb.h>
71 #include <netinet/ip_var.h>
72 
73 #include <security/mac/mac_framework.h>
74 #include <security/mac/mac_internal.h>
75 #include <security/mac/mac_policy.h>
76 
77 /*
78  * Currently, sockets hold two labels: the label of the socket itself, and a
79  * peer label, which may be used by policies to hold a copy of the label of
80  * any remote endpoint.
81  *
82  * Possibly, this peer label should be maintained at the protocol layer
83  * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain
84  * the label consistently.  For example, it might be copied live from a
85  * remote socket for UNIX domain sockets rather than keeping a local copy on
86  * this endpoint, but be cached and updated based on packets received for
87  * TCP/IP.
88  *
89  * Unlike with many other object types, the lock protecting MAC labels on
90  * sockets (the socket lock) is not frequently held at the points in code
91  * where socket-related checks are called.  The MAC Framework acquires the
92  * lock over some entry points in order to enforce atomicity (such as label
93  * copies) but in other cases the policy modules will have to acquire the
94  * lock themselves if they use labels.  This approach (a) avoids lock
95  * acquisitions when policies don't require labels and (b) solves a number of
96  * potential lock order issues when multiple sockets are used in the same
97  * entry point.
98  */
99 
100 struct label *
101 mac_socket_label_alloc(int flag)
102 {
103 	struct label *label;
104 	int error;
105 
106 	label = mac_labelzone_alloc(flag);
107 	if (label == NULL)
108 		return (NULL);
109 
110 	if (flag & M_WAITOK)
111 		MAC_POLICY_CHECK(socket_init_label, label, flag);
112 	else
113 		MAC_POLICY_CHECK_NOSLEEP(socket_init_label, label, flag);
114 	if (error) {
115 		MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label);
116 		mac_labelzone_free(label);
117 		return (NULL);
118 	}
119 	return (label);
120 }
121 
122 static struct label *
123 mac_socketpeer_label_alloc(int flag)
124 {
125 	struct label *label;
126 	int error;
127 
128 	label = mac_labelzone_alloc(flag);
129 	if (label == NULL)
130 		return (NULL);
131 
132 	if (flag & M_WAITOK)
133 		MAC_POLICY_CHECK(socketpeer_init_label, label, flag);
134 	else
135 		MAC_POLICY_CHECK_NOSLEEP(socketpeer_init_label, label, flag);
136 	if (error) {
137 		MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
138 		mac_labelzone_free(label);
139 		return (NULL);
140 	}
141 	return (label);
142 }
143 
144 int
145 mac_socket_init(struct socket *so, int flag)
146 {
147 
148 	if (mac_labeled & MPC_OBJECT_SOCKET) {
149 		so->so_label = mac_socket_label_alloc(flag);
150 		if (so->so_label == NULL)
151 			return (ENOMEM);
152 		so->so_peerlabel = mac_socketpeer_label_alloc(flag);
153 		if (so->so_peerlabel == NULL) {
154 			mac_socket_label_free(so->so_label);
155 			so->so_label = NULL;
156 			return (ENOMEM);
157 		}
158 	} else {
159 		so->so_label = NULL;
160 		so->so_peerlabel = NULL;
161 	}
162 	return (0);
163 }
164 
165 void
166 mac_socket_label_free(struct label *label)
167 {
168 
169 	MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label);
170 	mac_labelzone_free(label);
171 }
172 
173 static void
174 mac_socketpeer_label_free(struct label *label)
175 {
176 
177 	MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
178 	mac_labelzone_free(label);
179 }
180 
181 void
182 mac_socket_destroy(struct socket *so)
183 {
184 
185 	if (so->so_label != NULL) {
186 		mac_socket_label_free(so->so_label);
187 		so->so_label = NULL;
188 		mac_socketpeer_label_free(so->so_peerlabel);
189 		so->so_peerlabel = NULL;
190 	}
191 }
192 
193 void
194 mac_socket_copy_label(struct label *src, struct label *dest)
195 {
196 
197 	MAC_POLICY_PERFORM_NOSLEEP(socket_copy_label, src, dest);
198 }
199 
200 int
201 mac_socket_externalize_label(struct label *label, char *elements,
202     char *outbuf, size_t outbuflen)
203 {
204 	int error;
205 
206 	MAC_POLICY_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
207 
208 	return (error);
209 }
210 
211 static int
212 mac_socketpeer_externalize_label(struct label *label, char *elements,
213     char *outbuf, size_t outbuflen)
214 {
215 	int error;
216 
217 	MAC_POLICY_EXTERNALIZE(socketpeer, label, elements, outbuf,
218 	    outbuflen);
219 
220 	return (error);
221 }
222 
223 int
224 mac_socket_internalize_label(struct label *label, char *string)
225 {
226 	int error;
227 
228 	MAC_POLICY_INTERNALIZE(socket, label, string);
229 
230 	return (error);
231 }
232 
233 void
234 mac_socket_create(struct ucred *cred, struct socket *so)
235 {
236 
237 	MAC_POLICY_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label);
238 }
239 
240 void
241 mac_socket_newconn(struct socket *oldso, struct socket *newso)
242 {
243 
244 	MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label,
245 	    newso, newso->so_label);
246 }
247 
248 static void
249 mac_socket_relabel(struct ucred *cred, struct socket *so,
250     struct label *newlabel)
251 {
252 
253 	SOCK_LOCK_ASSERT(so);
254 
255 	MAC_POLICY_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label,
256 	    newlabel);
257 }
258 
259 void
260 mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
261 {
262 	struct label *label;
263 
264 	if (mac_policy_count == 0)
265 		return;
266 
267 	label = mac_mbuf_to_label(m);
268 
269 	MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
270 	    so->so_peerlabel);
271 }
272 
273 void
274 mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
275 {
276 
277 	if (mac_policy_count == 0)
278 		return;
279 
280 	MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
281 	    oldso->so_label, newso, newso->so_peerlabel);
282 }
283 
284 void
285 mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
286 {
287 	struct label *label;
288 
289 	if (mac_policy_count == 0)
290 		return;
291 
292 	label = mac_mbuf_to_label(m);
293 
294 	MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m,
295 	    label);
296 }
297 
298 MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
299     "struct socket *");
300 
301 int
302 mac_socket_check_accept(struct ucred *cred, struct socket *so)
303 {
304 	int error;
305 
306 	MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so,
307 	    so->so_label);
308 	MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
309 
310 	return (error);
311 }
312 
313 MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *",
314     "struct socket *", "struct sockaddr *");
315 
316 int
317 mac_socket_check_bind(struct ucred *cred, struct socket *so,
318     struct sockaddr *sa)
319 {
320 	int error;
321 
322 	MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label,
323 	    sa);
324 	MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa);
325 
326 	return (error);
327 }
328 
329 MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *",
330     "struct socket *", "struct sockaddr *");
331 
332 int
333 mac_socket_check_connect(struct ucred *cred, struct socket *so,
334     struct sockaddr *sa)
335 {
336 	int error;
337 
338 	MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so,
339 	    so->so_label, sa);
340 	MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
341 
342 	return (error);
343 }
344 
345 MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int",
346     "int");
347 
348 int
349 mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
350 {
351 	int error;
352 
353 	MAC_POLICY_CHECK_NOSLEEP(socket_check_create, cred, domain, type,
354 	    proto);
355 	MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type,
356 	    proto);
357 
358 	return (error);
359 }
360 
361 MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *",
362     "struct mbuf *");
363 
364 int
365 mac_socket_check_deliver(struct socket *so, struct mbuf *m)
366 {
367 	struct label *label;
368 	int error;
369 
370 	if (mac_policy_count == 0)
371 		return (0);
372 
373 	label = mac_mbuf_to_label(m);
374 
375 	MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m,
376 	    label);
377 	MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
378 
379 	return (error);
380 }
381 
382 MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *",
383     "struct socket *");
384 
385 int
386 mac_socket_check_listen(struct ucred *cred, struct socket *so)
387 {
388 	int error;
389 
390 	MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so,
391 	    so->so_label);
392 	MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
393 
394 	return (error);
395 }
396 
397 MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *",
398     "struct socket *");
399 
400 int
401 mac_socket_check_poll(struct ucred *cred, struct socket *so)
402 {
403 	int error;
404 
405 	MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
406 	MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
407 
408 	return (error);
409 }
410 
411 MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *",
412     "struct socket *");
413 
414 int
415 mac_socket_check_receive(struct ucred *cred, struct socket *so)
416 {
417 	int error;
418 
419 	MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so,
420 	    so->so_label);
421 	MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
422 
423 	return (error);
424 }
425 
426 MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *",
427     "struct socket *", "struct label *");
428 
429 static int
430 mac_socket_check_relabel(struct ucred *cred, struct socket *so,
431     struct label *newlabel)
432 {
433 	int error;
434 
435 	SOCK_LOCK_ASSERT(so);
436 
437 	MAC_POLICY_CHECK_NOSLEEP(socket_check_relabel, cred, so,
438 	    so->so_label, newlabel);
439 	MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel);
440 
441 	return (error);
442 }
443 
444 MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *",
445     "struct socket *");
446 
447 int
448 mac_socket_check_send(struct ucred *cred, struct socket *so)
449 {
450 	int error;
451 
452 	MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
453 	MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
454 
455 	return (error);
456 }
457 
458 MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *",
459     "struct socket *");
460 
461 int
462 mac_socket_check_stat(struct ucred *cred, struct socket *so)
463 {
464 	int error;
465 
466 	MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
467 	MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
468 
469 	return (error);
470 }
471 
472 MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *",
473     "struct socket *");
474 
475 int
476 mac_socket_check_visible(struct ucred *cred, struct socket *so)
477 {
478 	int error;
479 
480 	MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so,
481 	    so->so_label);
482 	MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
483 
484 	return (error);
485 }
486 
487 int
488 mac_socket_label_set(struct ucred *cred, struct socket *so,
489     struct label *label)
490 {
491 	int error;
492 
493 	/*
494 	 * We acquire the socket lock when we perform the test and set, but
495 	 * have to release it as the pcb code needs to acquire the pcb lock,
496 	 * which will precede the socket lock in the lock order.  However,
497 	 * this is fine, as any race will simply result in the inpcb being
498 	 * refreshed twice, but still consistently, as the inpcb code will
499 	 * acquire the socket lock before refreshing, holding both locks.
500 	 */
501 	SOCK_LOCK(so);
502 	error = mac_socket_check_relabel(cred, so, label);
503 	if (error) {
504 		SOCK_UNLOCK(so);
505 		return (error);
506 	}
507 
508 	mac_socket_relabel(cred, so, label);
509 	SOCK_UNLOCK(so);
510 
511 	/*
512 	 * If the protocol has expressed interest in socket layer changes,
513 	 * such as if it needs to propagate changes to a cached pcb label
514 	 * from the socket, notify it of the label change while holding the
515 	 * socket lock.
516 	 */
517 	if (so->so_proto->pr_sosetlabel != NULL)
518 		so->so_proto->pr_sosetlabel(so);
519 
520 	return (0);
521 }
522 
523 int
524 mac_setsockopt_label(struct ucred *cred, struct socket *so,
525     const struct mac *mac)
526 {
527 	struct label *intlabel;
528 	char *buffer;
529 	int error;
530 
531 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
532 		return (EINVAL);
533 
534 	error = mac_check_structmac_consistent(mac);
535 	if (error)
536 		return (error);
537 
538 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
539 	error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL);
540 	if (error) {
541 		free(buffer, M_MACTEMP);
542 		return (error);
543 	}
544 
545 	intlabel = mac_socket_label_alloc(M_WAITOK);
546 	error = mac_socket_internalize_label(intlabel, buffer);
547 	free(buffer, M_MACTEMP);
548 	if (error)
549 		goto out;
550 
551 	error = mac_socket_label_set(cred, so, intlabel);
552 out:
553 	mac_socket_label_free(intlabel);
554 	return (error);
555 }
556 
557 int
558 mac_getsockopt_label(struct ucred *cred, struct socket *so,
559     const struct mac *mac)
560 {
561 	char *buffer, *elements;
562 	struct label *intlabel;
563 	int error;
564 
565 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
566 		return (EINVAL);
567 
568 	error = mac_check_structmac_consistent(mac);
569 	if (error)
570 		return (error);
571 
572 	elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
573 	error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
574 	if (error) {
575 		free(elements, M_MACTEMP);
576 		return (error);
577 	}
578 
579 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
580 	intlabel = mac_socket_label_alloc(M_WAITOK);
581 	SOCK_LOCK(so);
582 	mac_socket_copy_label(so->so_label, intlabel);
583 	SOCK_UNLOCK(so);
584 	error = mac_socket_externalize_label(intlabel, elements, buffer,
585 	    mac->m_buflen);
586 	mac_socket_label_free(intlabel);
587 	if (error == 0)
588 		error = copyout(buffer, mac->m_string, strlen(buffer)+1);
589 
590 	free(buffer, M_MACTEMP);
591 	free(elements, M_MACTEMP);
592 
593 	return (error);
594 }
595 
596 int
597 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
598     const struct mac *mac)
599 {
600 	char *elements, *buffer;
601 	struct label *intlabel;
602 	int error;
603 
604 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
605 		return (EINVAL);
606 
607 	error = mac_check_structmac_consistent(mac);
608 	if (error)
609 		return (error);
610 
611 	elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
612 	error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
613 	if (error) {
614 		free(elements, M_MACTEMP);
615 		return (error);
616 	}
617 
618 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
619 	intlabel = mac_socket_label_alloc(M_WAITOK);
620 	SOCK_LOCK(so);
621 	mac_socket_copy_label(so->so_peerlabel, intlabel);
622 	SOCK_UNLOCK(so);
623 	error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
624 	    mac->m_buflen);
625 	mac_socket_label_free(intlabel);
626 	if (error == 0)
627 		error = copyout(buffer, mac->m_string, strlen(buffer)+1);
628 
629 	free(buffer, M_MACTEMP);
630 	free(elements, M_MACTEMP);
631 
632 	return (error);
633 }
634