1 /*- 2 * Copyright (c) 1999-2002, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005-2006 SPARTA, Inc. 6 * Copyright (c) 2008 Apple Inc. 7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by McAfee 13 * Research, the Technology Research Division of Network Associates, Inc. 14 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 15 * DARPA CHATS research program. 16 * 17 * This software was enhanced by SPARTA ISSO under SPAWAR contract 18 * N66001-04-C-6019 ("SEFOS"). 19 * 20 * This software was developed at the University of Cambridge Computer 21 * Laboratory with support from a grant from Google, Inc. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the above copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45 #include <sys/cdefs.h> 46 #include "opt_mac.h" 47 48 #include <sys/param.h> 49 #include <sys/kernel.h> 50 #include <sys/lock.h> 51 #include <sys/malloc.h> 52 #include <sys/mutex.h> 53 #include <sys/mac.h> 54 #include <sys/sbuf.h> 55 #include <sys/sdt.h> 56 #include <sys/systm.h> 57 #include <sys/mount.h> 58 #include <sys/file.h> 59 #include <sys/namei.h> 60 #include <sys/protosw.h> 61 #include <sys/socket.h> 62 #include <sys/socketvar.h> 63 #include <sys/sysctl.h> 64 65 #include <net/bpfdesc.h> 66 #include <net/if.h> 67 #include <net/if_var.h> 68 69 #include <netinet/in.h> 70 #include <netinet/in_pcb.h> 71 #include <netinet/ip_var.h> 72 73 #include <security/mac/mac_framework.h> 74 #include <security/mac/mac_internal.h> 75 #include <security/mac/mac_policy.h> 76 77 /* 78 * Currently, sockets hold two labels: the label of the socket itself, and a 79 * peer label, which may be used by policies to hold a copy of the label of 80 * any remote endpoint. 81 * 82 * Possibly, this peer label should be maintained at the protocol layer 83 * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain 84 * the label consistently. For example, it might be copied live from a 85 * remote socket for UNIX domain sockets rather than keeping a local copy on 86 * this endpoint, but be cached and updated based on packets received for 87 * TCP/IP. 88 * 89 * Unlike with many other object types, the lock protecting MAC labels on 90 * sockets (the socket lock) is not frequently held at the points in code 91 * where socket-related checks are called. The MAC Framework acquires the 92 * lock over some entry points in order to enforce atomicity (such as label 93 * copies) but in other cases the policy modules will have to acquire the 94 * lock themselves if they use labels. This approach (a) avoids lock 95 * acquisitions when policies don't require labels and (b) solves a number of 96 * potential lock order issues when multiple sockets are used in the same 97 * entry point. 98 */ 99 100 struct label * 101 mac_socket_label_alloc(int flag) 102 { 103 struct label *label; 104 int error; 105 106 label = mac_labelzone_alloc(flag); 107 if (label == NULL) 108 return (NULL); 109 110 if (flag & M_WAITOK) 111 MAC_POLICY_CHECK(socket_init_label, label, flag); 112 else 113 MAC_POLICY_CHECK_NOSLEEP(socket_init_label, label, flag); 114 if (error) { 115 MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label); 116 mac_labelzone_free(label); 117 return (NULL); 118 } 119 return (label); 120 } 121 122 static struct label * 123 mac_socketpeer_label_alloc(int flag) 124 { 125 struct label *label; 126 int error; 127 128 label = mac_labelzone_alloc(flag); 129 if (label == NULL) 130 return (NULL); 131 132 if (flag & M_WAITOK) 133 MAC_POLICY_CHECK(socketpeer_init_label, label, flag); 134 else 135 MAC_POLICY_CHECK_NOSLEEP(socketpeer_init_label, label, flag); 136 if (error) { 137 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label); 138 mac_labelzone_free(label); 139 return (NULL); 140 } 141 return (label); 142 } 143 144 int 145 mac_socket_init(struct socket *so, int flag) 146 { 147 148 if (mac_labeled & MPC_OBJECT_SOCKET) { 149 so->so_label = mac_socket_label_alloc(flag); 150 if (so->so_label == NULL) 151 return (ENOMEM); 152 so->so_peerlabel = mac_socketpeer_label_alloc(flag); 153 if (so->so_peerlabel == NULL) { 154 mac_socket_label_free(so->so_label); 155 so->so_label = NULL; 156 return (ENOMEM); 157 } 158 } else { 159 so->so_label = NULL; 160 so->so_peerlabel = NULL; 161 } 162 return (0); 163 } 164 165 void 166 mac_socket_label_free(struct label *label) 167 { 168 169 MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label); 170 mac_labelzone_free(label); 171 } 172 173 static void 174 mac_socketpeer_label_free(struct label *label) 175 { 176 177 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label); 178 mac_labelzone_free(label); 179 } 180 181 void 182 mac_socket_destroy(struct socket *so) 183 { 184 185 if (so->so_label != NULL) { 186 mac_socket_label_free(so->so_label); 187 so->so_label = NULL; 188 mac_socketpeer_label_free(so->so_peerlabel); 189 so->so_peerlabel = NULL; 190 } 191 } 192 193 void 194 mac_socket_copy_label(struct label *src, struct label *dest) 195 { 196 197 MAC_POLICY_PERFORM_NOSLEEP(socket_copy_label, src, dest); 198 } 199 200 int 201 mac_socket_externalize_label(struct label *label, char *elements, 202 char *outbuf, size_t outbuflen) 203 { 204 int error; 205 206 MAC_POLICY_EXTERNALIZE(socket, label, elements, outbuf, outbuflen); 207 208 return (error); 209 } 210 211 static int 212 mac_socketpeer_externalize_label(struct label *label, char *elements, 213 char *outbuf, size_t outbuflen) 214 { 215 int error; 216 217 MAC_POLICY_EXTERNALIZE(socketpeer, label, elements, outbuf, 218 outbuflen); 219 220 return (error); 221 } 222 223 int 224 mac_socket_internalize_label(struct label *label, char *string) 225 { 226 int error; 227 228 MAC_POLICY_INTERNALIZE(socket, label, string); 229 230 return (error); 231 } 232 233 void 234 mac_socket_create(struct ucred *cred, struct socket *so) 235 { 236 237 MAC_POLICY_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label); 238 } 239 240 void 241 mac_socket_newconn(struct socket *oldso, struct socket *newso) 242 { 243 244 MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label, 245 newso, newso->so_label); 246 } 247 248 static void 249 mac_socket_relabel(struct ucred *cred, struct socket *so, 250 struct label *newlabel) 251 { 252 253 SOCK_LOCK_ASSERT(so); 254 255 MAC_POLICY_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label, 256 newlabel); 257 } 258 259 void 260 mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so) 261 { 262 struct label *label; 263 264 if (mac_policy_count == 0) 265 return; 266 267 label = mac_mbuf_to_label(m); 268 269 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so, 270 so->so_peerlabel); 271 } 272 273 void 274 mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso) 275 { 276 277 if (mac_policy_count == 0) 278 return; 279 280 MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso, 281 oldso->so_label, newso, newso->so_peerlabel); 282 } 283 284 void 285 mac_socket_create_mbuf(struct socket *so, struct mbuf *m) 286 { 287 struct label *label; 288 289 if (mac_policy_count == 0) 290 return; 291 292 label = mac_mbuf_to_label(m); 293 294 MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m, 295 label); 296 } 297 298 MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *", 299 "struct socket *"); 300 301 int 302 mac_socket_check_accept(struct ucred *cred, struct socket *so) 303 { 304 int error; 305 306 MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so, 307 so->so_label); 308 MAC_CHECK_PROBE2(socket_check_accept, error, cred, so); 309 310 return (error); 311 } 312 313 MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *", 314 "struct socket *", "struct sockaddr *"); 315 316 int 317 mac_socket_check_bind(struct ucred *cred, struct socket *so, 318 struct sockaddr *sa) 319 { 320 int error; 321 322 MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label, 323 sa); 324 MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa); 325 326 return (error); 327 } 328 329 MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *", 330 "struct socket *", "struct sockaddr *"); 331 332 int 333 mac_socket_check_connect(struct ucred *cred, struct socket *so, 334 struct sockaddr *sa) 335 { 336 int error; 337 338 MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so, 339 so->so_label, sa); 340 MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa); 341 342 return (error); 343 } 344 345 MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int", 346 "int"); 347 348 int 349 mac_socket_check_create(struct ucred *cred, int domain, int type, int proto) 350 { 351 int error; 352 353 MAC_POLICY_CHECK_NOSLEEP(socket_check_create, cred, domain, type, 354 proto); 355 MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type, 356 proto); 357 358 return (error); 359 } 360 361 MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *", 362 "struct mbuf *"); 363 364 int 365 mac_socket_check_deliver(struct socket *so, struct mbuf *m) 366 { 367 struct label *label; 368 int error; 369 370 if (mac_policy_count == 0) 371 return (0); 372 373 label = mac_mbuf_to_label(m); 374 375 MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m, 376 label); 377 MAC_CHECK_PROBE2(socket_check_deliver, error, so, m); 378 379 return (error); 380 } 381 382 MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *", 383 "struct socket *"); 384 385 int 386 mac_socket_check_listen(struct ucred *cred, struct socket *so) 387 { 388 int error; 389 390 MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so, 391 so->so_label); 392 MAC_CHECK_PROBE2(socket_check_listen, error, cred, so); 393 394 return (error); 395 } 396 397 MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *", 398 "struct socket *"); 399 400 int 401 mac_socket_check_poll(struct ucred *cred, struct socket *so) 402 { 403 int error; 404 405 MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label); 406 MAC_CHECK_PROBE2(socket_check_poll, error, cred, so); 407 408 return (error); 409 } 410 411 MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *", 412 "struct socket *"); 413 414 int 415 mac_socket_check_receive(struct ucred *cred, struct socket *so) 416 { 417 int error; 418 419 MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so, 420 so->so_label); 421 MAC_CHECK_PROBE2(socket_check_receive, error, cred, so); 422 423 return (error); 424 } 425 426 MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *", 427 "struct socket *", "struct label *"); 428 429 static int 430 mac_socket_check_relabel(struct ucred *cred, struct socket *so, 431 struct label *newlabel) 432 { 433 int error; 434 435 SOCK_LOCK_ASSERT(so); 436 437 MAC_POLICY_CHECK_NOSLEEP(socket_check_relabel, cred, so, 438 so->so_label, newlabel); 439 MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel); 440 441 return (error); 442 } 443 444 MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *", 445 "struct socket *"); 446 447 int 448 mac_socket_check_send(struct ucred *cred, struct socket *so) 449 { 450 int error; 451 452 MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label); 453 MAC_CHECK_PROBE2(socket_check_send, error, cred, so); 454 455 return (error); 456 } 457 458 MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *", 459 "struct socket *"); 460 461 int 462 mac_socket_check_stat(struct ucred *cred, struct socket *so) 463 { 464 int error; 465 466 MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label); 467 MAC_CHECK_PROBE2(socket_check_stat, error, cred, so); 468 469 return (error); 470 } 471 472 MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *", 473 "struct socket *"); 474 475 int 476 mac_socket_check_visible(struct ucred *cred, struct socket *so) 477 { 478 int error; 479 480 MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so, 481 so->so_label); 482 MAC_CHECK_PROBE2(socket_check_visible, error, cred, so); 483 484 return (error); 485 } 486 487 int 488 mac_socket_label_set(struct ucred *cred, struct socket *so, 489 struct label *label) 490 { 491 int error; 492 493 /* 494 * We acquire the socket lock when we perform the test and set, but 495 * have to release it as the pcb code needs to acquire the pcb lock, 496 * which will precede the socket lock in the lock order. However, 497 * this is fine, as any race will simply result in the inpcb being 498 * refreshed twice, but still consistently, as the inpcb code will 499 * acquire the socket lock before refreshing, holding both locks. 500 */ 501 SOCK_LOCK(so); 502 error = mac_socket_check_relabel(cred, so, label); 503 if (error) { 504 SOCK_UNLOCK(so); 505 return (error); 506 } 507 508 mac_socket_relabel(cred, so, label); 509 SOCK_UNLOCK(so); 510 511 /* 512 * If the protocol has expressed interest in socket layer changes, 513 * such as if it needs to propagate changes to a cached pcb label 514 * from the socket, notify it of the label change while holding the 515 * socket lock. 516 */ 517 if (so->so_proto->pr_sosetlabel != NULL) 518 so->so_proto->pr_sosetlabel(so); 519 520 return (0); 521 } 522 523 int 524 mac_setsockopt_label(struct ucred *cred, struct socket *so, 525 const struct mac *mac) 526 { 527 struct label *intlabel; 528 char *buffer; 529 int error; 530 531 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 532 return (EINVAL); 533 534 error = mac_check_structmac_consistent(mac); 535 if (error) 536 return (error); 537 538 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 539 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 540 if (error) { 541 free(buffer, M_MACTEMP); 542 return (error); 543 } 544 545 intlabel = mac_socket_label_alloc(M_WAITOK); 546 error = mac_socket_internalize_label(intlabel, buffer); 547 free(buffer, M_MACTEMP); 548 if (error) 549 goto out; 550 551 error = mac_socket_label_set(cred, so, intlabel); 552 out: 553 mac_socket_label_free(intlabel); 554 return (error); 555 } 556 557 int 558 mac_getsockopt_label(struct ucred *cred, struct socket *so, 559 const struct mac *mac) 560 { 561 char *buffer, *elements; 562 struct label *intlabel; 563 int error; 564 565 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 566 return (EINVAL); 567 568 error = mac_check_structmac_consistent(mac); 569 if (error) 570 return (error); 571 572 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 573 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 574 if (error) { 575 free(elements, M_MACTEMP); 576 return (error); 577 } 578 579 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 580 intlabel = mac_socket_label_alloc(M_WAITOK); 581 SOCK_LOCK(so); 582 mac_socket_copy_label(so->so_label, intlabel); 583 SOCK_UNLOCK(so); 584 error = mac_socket_externalize_label(intlabel, elements, buffer, 585 mac->m_buflen); 586 mac_socket_label_free(intlabel); 587 if (error == 0) 588 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 589 590 free(buffer, M_MACTEMP); 591 free(elements, M_MACTEMP); 592 593 return (error); 594 } 595 596 int 597 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, 598 const struct mac *mac) 599 { 600 char *elements, *buffer; 601 struct label *intlabel; 602 int error; 603 604 if (!(mac_labeled & MPC_OBJECT_SOCKET)) 605 return (EINVAL); 606 607 error = mac_check_structmac_consistent(mac); 608 if (error) 609 return (error); 610 611 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 612 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 613 if (error) { 614 free(elements, M_MACTEMP); 615 return (error); 616 } 617 618 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 619 intlabel = mac_socket_label_alloc(M_WAITOK); 620 SOCK_LOCK(so); 621 mac_socket_copy_label(so->so_peerlabel, intlabel); 622 SOCK_UNLOCK(so); 623 error = mac_socketpeer_externalize_label(intlabel, elements, buffer, 624 mac->m_buflen); 625 mac_socket_label_free(intlabel); 626 if (error == 0) 627 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 628 629 free(buffer, M_MACTEMP); 630 free(elements, M_MACTEMP); 631 632 return (error); 633 } 634