xref: /freebsd/sys/security/mac/mac_socket.c (revision 8957464be7644ab4da9559ab479c9a996fbcbd29) 
1 /*-
2  * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
3  * Copyright (c) 2001 Ilmar S. Habibulin
4  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5  * Copyright (c) 2005-2006 SPARTA, Inc.
6  * Copyright (c) 2008 Apple Inc.
7  * All rights reserved.
8  *
9  * This software was developed by Robert Watson and Ilmar Habibulin for the
10  * TrustedBSD Project.
11  *
12  * This software was developed for the FreeBSD Project in part by McAfee
13  * Research, the Technology Research Division of Network Associates, Inc.
14  * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
15  * DARPA CHATS research program.
16  *
17  * This software was enhanced by SPARTA ISSO under SPAWAR contract
18  * N66001-04-C-6019 ("SEFOS").
19  *
20  * This software was developed at the University of Cambridge Computer
21  * Laboratory with support from a grant from Google, Inc.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the above copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  *
32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
33  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
36  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42  * SUCH DAMAGE.
43  */
44 
45 #include <sys/cdefs.h>
46 __FBSDID("$FreeBSD$");
47 
48 #include "opt_kdtrace.h"
49 #include "opt_mac.h"
50 
51 #include <sys/param.h>
52 #include <sys/kernel.h>
53 #include <sys/lock.h>
54 #include <sys/malloc.h>
55 #include <sys/mutex.h>
56 #include <sys/mac.h>
57 #include <sys/sbuf.h>
58 #include <sys/sdt.h>
59 #include <sys/systm.h>
60 #include <sys/mount.h>
61 #include <sys/file.h>
62 #include <sys/namei.h>
63 #include <sys/protosw.h>
64 #include <sys/socket.h>
65 #include <sys/socketvar.h>
66 #include <sys/sysctl.h>
67 
68 #include <net/bpfdesc.h>
69 #include <net/if.h>
70 #include <net/if_var.h>
71 
72 #include <netinet/in.h>
73 #include <netinet/in_pcb.h>
74 #include <netinet/ip_var.h>
75 
76 #include <security/mac/mac_framework.h>
77 #include <security/mac/mac_internal.h>
78 #include <security/mac/mac_policy.h>
79 
80 /*
81  * Currently, sockets hold two labels: the label of the socket itself, and a
82  * peer label, which may be used by policies to hold a copy of the label of
83  * any remote endpoint.
84  *
85  * Possibly, this peer label should be maintained at the protocol layer
86  * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain
87  * the label consistently.  For example, it might be copied live from a
88  * remote socket for UNIX domain sockets rather than keeping a local copy on
89  * this endpoint, but be cached and updated based on packets received for
90  * TCP/IP.
91  */
92 
93 struct label *
94 mac_socket_label_alloc(int flag)
95 {
96 	struct label *label;
97 	int error;
98 
99 	label = mac_labelzone_alloc(flag);
100 	if (label == NULL)
101 		return (NULL);
102 
103 	if (flag & M_WAITOK)
104 		MAC_CHECK(socket_init_label, label, flag);
105 	else
106 		MAC_CHECK_NOSLEEP(socket_init_label, label, flag);
107 	if (error) {
108 		MAC_PERFORM_NOSLEEP(socket_destroy_label, label);
109 		mac_labelzone_free(label);
110 		return (NULL);
111 	}
112 	return (label);
113 }
114 
115 static struct label *
116 mac_socketpeer_label_alloc(int flag)
117 {
118 	struct label *label;
119 	int error;
120 
121 	label = mac_labelzone_alloc(flag);
122 	if (label == NULL)
123 		return (NULL);
124 
125 	if (flag & M_WAITOK)
126 		MAC_CHECK(socketpeer_init_label, label, flag);
127 	else
128 		MAC_CHECK_NOSLEEP(socketpeer_init_label, label, flag);
129 	if (error) {
130 		MAC_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
131 		mac_labelzone_free(label);
132 		return (NULL);
133 	}
134 	return (label);
135 }
136 
137 int
138 mac_socket_init(struct socket *so, int flag)
139 {
140 
141 	if (mac_labeled & MPC_OBJECT_SOCKET) {
142 		so->so_label = mac_socket_label_alloc(flag);
143 		if (so->so_label == NULL)
144 			return (ENOMEM);
145 		so->so_peerlabel = mac_socketpeer_label_alloc(flag);
146 		if (so->so_peerlabel == NULL) {
147 			mac_socket_label_free(so->so_label);
148 			so->so_label = NULL;
149 			return (ENOMEM);
150 		}
151 	} else {
152 		so->so_label = NULL;
153 		so->so_peerlabel = NULL;
154 	}
155 	return (0);
156 }
157 
158 void
159 mac_socket_label_free(struct label *label)
160 {
161 
162 	MAC_PERFORM_NOSLEEP(socket_destroy_label, label);
163 	mac_labelzone_free(label);
164 }
165 
166 static void
167 mac_socketpeer_label_free(struct label *label)
168 {
169 
170 	MAC_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
171 	mac_labelzone_free(label);
172 }
173 
174 void
175 mac_socket_destroy(struct socket *so)
176 {
177 
178 	if (so->so_label != NULL) {
179 		mac_socket_label_free(so->so_label);
180 		so->so_label = NULL;
181 		mac_socketpeer_label_free(so->so_peerlabel);
182 		so->so_peerlabel = NULL;
183 	}
184 }
185 
186 void
187 mac_socket_copy_label(struct label *src, struct label *dest)
188 {
189 
190 	MAC_PERFORM_NOSLEEP(socket_copy_label, src, dest);
191 }
192 
193 int
194 mac_socket_externalize_label(struct label *label, char *elements,
195     char *outbuf, size_t outbuflen)
196 {
197 	int error;
198 
199 	MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
200 
201 	return (error);
202 }
203 
204 static int
205 mac_socketpeer_externalize_label(struct label *label, char *elements,
206     char *outbuf, size_t outbuflen)
207 {
208 	int error;
209 
210 	MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
211 
212 	return (error);
213 }
214 
215 int
216 mac_socket_internalize_label(struct label *label, char *string)
217 {
218 	int error;
219 
220 	MAC_INTERNALIZE(socket, label, string);
221 
222 	return (error);
223 }
224 
225 void
226 mac_socket_create(struct ucred *cred, struct socket *so)
227 {
228 
229 	MAC_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label);
230 }
231 
232 void
233 mac_socket_newconn(struct socket *oldso, struct socket *newso)
234 {
235 
236 	SOCK_LOCK_ASSERT(oldso);
237 
238 	MAC_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label, newso,
239 	    newso->so_label);
240 }
241 
242 static void
243 mac_socket_relabel(struct ucred *cred, struct socket *so,
244     struct label *newlabel)
245 {
246 
247 	SOCK_LOCK_ASSERT(so);
248 
249 	MAC_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label,
250 	    newlabel);
251 }
252 
253 void
254 mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
255 {
256 	struct label *label;
257 
258 	SOCK_LOCK_ASSERT(so);
259 
260 	label = mac_mbuf_to_label(m);
261 
262 	MAC_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
263 	    so->so_peerlabel);
264 }
265 
266 void
267 mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
268 {
269 
270 	/*
271 	 * XXXRW: only hold the socket lock on one at a time, as one socket
272 	 * is the original, and one is the new.  However, it's called in both
273 	 * directions, so we can't assert the lock here currently.
274 	 */
275 	MAC_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
276 	    oldso->so_label, newso, newso->so_peerlabel);
277 }
278 
279 void
280 mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
281 {
282 	struct label *label;
283 
284 	SOCK_LOCK_ASSERT(so);
285 
286 	label = mac_mbuf_to_label(m);
287 
288 	MAC_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m, label);
289 }
290 
291 MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
292     "struct socket *");
293 
294 int
295 mac_socket_check_accept(struct ucred *cred, struct socket *so)
296 {
297 	int error;
298 
299 	SOCK_LOCK_ASSERT(so);
300 
301 	MAC_CHECK_NOSLEEP(socket_check_accept, cred, so, so->so_label);
302 	MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
303 
304 	return (error);
305 }
306 
307 MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *",
308     "struct socket *", "struct sockaddr *");
309 
310 int
311 mac_socket_check_bind(struct ucred *cred, struct socket *so,
312     struct sockaddr *sa)
313 {
314 	int error;
315 
316 	SOCK_LOCK_ASSERT(so);
317 
318 	MAC_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label, sa);
319 	MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa);
320 
321 	return (error);
322 }
323 
324 MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *",
325     "struct socket *", "struct sockaddr *");
326 
327 int
328 mac_socket_check_connect(struct ucred *cred, struct socket *so,
329     struct sockaddr *sa)
330 {
331 	int error;
332 
333 	SOCK_LOCK_ASSERT(so);
334 
335 	MAC_CHECK_NOSLEEP(socket_check_connect, cred, so, so->so_label, sa);
336 	MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
337 
338 	return (error);
339 }
340 
341 MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int",
342     "int");
343 
344 int
345 mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
346 {
347 	int error;
348 
349 	MAC_CHECK_NOSLEEP(socket_check_create, cred, domain, type, proto);
350 	MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type,
351 	    proto);
352 
353 	return (error);
354 }
355 
356 MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *",
357     "struct mbuf *");
358 
359 int
360 mac_socket_check_deliver(struct socket *so, struct mbuf *m)
361 {
362 	struct label *label;
363 	int error;
364 
365 	SOCK_LOCK_ASSERT(so);
366 
367 	label = mac_mbuf_to_label(m);
368 
369 	MAC_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m, label);
370 	MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
371 
372 	return (error);
373 }
374 
375 MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *",
376     "struct socket *");
377 
378 int
379 mac_socket_check_listen(struct ucred *cred, struct socket *so)
380 {
381 	int error;
382 
383 	SOCK_LOCK_ASSERT(so);
384 
385 	MAC_CHECK_NOSLEEP(socket_check_listen, cred, so, so->so_label);
386 	MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
387 
388 	return (error);
389 }
390 
391 MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *",
392     "struct socket *");
393 
394 int
395 mac_socket_check_poll(struct ucred *cred, struct socket *so)
396 {
397 	int error;
398 
399 	SOCK_LOCK_ASSERT(so);
400 
401 	MAC_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
402 	MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
403 
404 	return (error);
405 }
406 
407 MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *",
408     "struct socket *");
409 
410 int
411 mac_socket_check_receive(struct ucred *cred, struct socket *so)
412 {
413 	int error;
414 
415 	SOCK_LOCK_ASSERT(so);
416 
417 	MAC_CHECK_NOSLEEP(socket_check_receive, cred, so, so->so_label);
418 	MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
419 
420 	return (error);
421 }
422 
423 MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *",
424     "struct socket *", "struct label *");
425 
426 static int
427 mac_socket_check_relabel(struct ucred *cred, struct socket *so,
428     struct label *newlabel)
429 {
430 	int error;
431 
432 	SOCK_LOCK_ASSERT(so);
433 
434 	MAC_CHECK_NOSLEEP(socket_check_relabel, cred, so, so->so_label,
435 	    newlabel);
436 	MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel);
437 
438 	return (error);
439 }
440 
441 MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *",
442     "struct socket *");
443 
444 int
445 mac_socket_check_send(struct ucred *cred, struct socket *so)
446 {
447 	int error;
448 
449 	SOCK_LOCK_ASSERT(so);
450 
451 	MAC_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
452 	MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
453 
454 	return (error);
455 }
456 
457 MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *",
458     "struct socket *");
459 
460 int
461 mac_socket_check_stat(struct ucred *cred, struct socket *so)
462 {
463 	int error;
464 
465 	SOCK_LOCK_ASSERT(so);
466 
467 	MAC_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
468 	MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
469 
470 	return (error);
471 }
472 
473 MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *",
474     "struct socket *");
475 
476 int
477 mac_socket_check_visible(struct ucred *cred, struct socket *so)
478 {
479 	int error;
480 
481 	SOCK_LOCK_ASSERT(so);
482 
483 	MAC_CHECK_NOSLEEP(socket_check_visible, cred, so, so->so_label);
484 	MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
485 
486 	return (error);
487 }
488 
489 int
490 mac_socket_label_set(struct ucred *cred, struct socket *so,
491     struct label *label)
492 {
493 	int error;
494 
495 	/*
496 	 * We acquire the socket lock when we perform the test and set, but
497 	 * have to release it as the pcb code needs to acquire the pcb lock,
498 	 * which will precede the socket lock in the lock order.  However,
499 	 * this is fine, as any race will simply result in the inpcb being
500 	 * refreshed twice, but still consistently, as the inpcb code will
501 	 * acquire the socket lock before refreshing, holding both locks.
502 	 */
503 	SOCK_LOCK(so);
504 	error = mac_socket_check_relabel(cred, so, label);
505 	if (error) {
506 		SOCK_UNLOCK(so);
507 		return (error);
508 	}
509 
510 	mac_socket_relabel(cred, so, label);
511 	SOCK_UNLOCK(so);
512 
513 	/*
514 	 * If the protocol has expressed interest in socket layer changes,
515 	 * such as if it needs to propagate changes to a cached pcb label
516 	 * from the socket, notify it of the label change while holding the
517 	 * socket lock.
518 	 */
519 	if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
520 		(so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
521 
522 	return (0);
523 }
524 
525 int
526 mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
527 {
528 	struct label *intlabel;
529 	char *buffer;
530 	int error;
531 
532 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
533 		return (EINVAL);
534 
535 	error = mac_check_structmac_consistent(mac);
536 	if (error)
537 		return (error);
538 
539 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
540 	error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL);
541 	if (error) {
542 		free(buffer, M_MACTEMP);
543 		return (error);
544 	}
545 
546 	intlabel = mac_socket_label_alloc(M_WAITOK);
547 	error = mac_socket_internalize_label(intlabel, buffer);
548 	free(buffer, M_MACTEMP);
549 	if (error)
550 		goto out;
551 
552 	error = mac_socket_label_set(cred, so, intlabel);
553 out:
554 	mac_socket_label_free(intlabel);
555 	return (error);
556 }
557 
558 int
559 mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
560 {
561 	char *buffer, *elements;
562 	struct label *intlabel;
563 	int error;
564 
565 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
566 		return (EINVAL);
567 
568 	error = mac_check_structmac_consistent(mac);
569 	if (error)
570 		return (error);
571 
572 	elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
573 	error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
574 	if (error) {
575 		free(elements, M_MACTEMP);
576 		return (error);
577 	}
578 
579 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
580 	intlabel = mac_socket_label_alloc(M_WAITOK);
581 	SOCK_LOCK(so);
582 	mac_socket_copy_label(so->so_label, intlabel);
583 	SOCK_UNLOCK(so);
584 	error = mac_socket_externalize_label(intlabel, elements, buffer,
585 	    mac->m_buflen);
586 	mac_socket_label_free(intlabel);
587 	if (error == 0)
588 		error = copyout(buffer, mac->m_string, strlen(buffer)+1);
589 
590 	free(buffer, M_MACTEMP);
591 	free(elements, M_MACTEMP);
592 
593 	return (error);
594 }
595 
596 int
597 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
598     struct mac *mac)
599 {
600 	char *elements, *buffer;
601 	struct label *intlabel;
602 	int error;
603 
604 	if (!(mac_labeled & MPC_OBJECT_SOCKET))
605 		return (EINVAL);
606 
607 	error = mac_check_structmac_consistent(mac);
608 	if (error)
609 		return (error);
610 
611 	elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK);
612 	error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL);
613 	if (error) {
614 		free(elements, M_MACTEMP);
615 		return (error);
616 	}
617 
618 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
619 	intlabel = mac_socket_label_alloc(M_WAITOK);
620 	SOCK_LOCK(so);
621 	mac_socket_copy_label(so->so_peerlabel, intlabel);
622 	SOCK_UNLOCK(so);
623 	error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
624 	    mac->m_buflen);
625 	mac_socket_label_free(intlabel);
626 	if (error == 0)
627 		error = copyout(buffer, mac->m_string, strlen(buffer)+1);
628 
629 	free(buffer, M_MACTEMP);
630 	free(elements, M_MACTEMP);
631 
632 	return (error);
633 }
634