xref: /freebsd/sys/security/mac_bsdextended/mac_bsdextended.c (revision 0f7f3352c8bc463607912e2463d13e52d44a4cae)
1 /*-
2  * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
3  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
4  * Copyright (c) 2005 Tom Rhodes
5  * Copyright (c) 2006 SPARTA, Inc.
6  * All rights reserved.
7  *
8  * This software was developed by Robert Watson for the TrustedBSD Project.
9  * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
10  *
11  * This software was developed for the FreeBSD Project in part by Network
12  * Associates Laboratories, the Security Research Division of Network
13  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
14  * as part of the DARPA CHATS research program.
15  *
16  * This software was enhanced by SPARTA ISSO under SPAWAR contract
17  * N66001-04-C-6019 ("SEFOS").
18  *
19  * Redistribution and use in source and binary forms, with or without
20  * modification, are permitted provided that the following conditions
21  * are met:
22  * 1. Redistributions of source code must retain the above copyright
23  *    notice, this list of conditions and the following disclaimer.
24  * 2. Redistributions in binary form must reproduce the above copyright
25  *    notice, this list of conditions and the following disclaimer in the
26  *    documentation and/or other materials provided with the distribution.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  *
40  * $FreeBSD$
41  */
42 
43 /*
44  * Developed by the TrustedBSD Project.
45  *
46  * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
47  * firewall-like rules regarding users and file system objects.
48  */
49 
50 #include <sys/param.h>
51 #include <sys/acl.h>
52 #include <sys/kernel.h>
53 #include <sys/jail.h>
54 #include <sys/lock.h>
55 #include <sys/malloc.h>
56 #include <sys/module.h>
57 #include <sys/mount.h>
58 #include <sys/mutex.h>
59 #include <sys/priv.h>
60 #include <sys/proc.h>
61 #include <sys/systm.h>
62 #include <sys/vnode.h>
63 #include <sys/sysctl.h>
64 #include <sys/syslog.h>
65 #include <sys/stat.h>
66 
67 #include <security/mac/mac_policy.h>
68 #include <security/mac_bsdextended/mac_bsdextended.h>
69 #include <security/mac_bsdextended/ugidfw_internal.h>
70 
71 static struct mtx ugidfw_mtx;
72 
73 SYSCTL_DECL(_security_mac);
74 
75 static SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
76     "TrustedBSD extended BSD MAC policy controls");
77 
78 static int	ugidfw_enabled = 1;
79 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RWTUN,
80     &ugidfw_enabled, 0, "Enforce extended BSD policy");
81 
82 static MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended",
83     "BSD Extended MAC rule");
84 
85 #define	MAC_BSDEXTENDED_MAXRULES	250
86 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
87 static int rule_count = 0;
88 static int rule_slots = 0;
89 static int rule_version = MB_VERSION;
90 
91 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
92     &rule_count, 0, "Number of defined rules\n");
93 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
94     &rule_slots, 0, "Number of used rule slots\n");
95 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
96     &rule_version, 0, "Version number for API\n");
97 
98 /*
99  * This is just used for logging purposes, eventually we would like to log
100  * much more then failed requests.
101  */
102 static int ugidfw_logging;
103 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
104     &ugidfw_logging, 0, "Log failed authorization requests");
105 
106 /*
107  * This tunable is here for compatibility.  It will allow the user to switch
108  * between the new mode (first rule matches) and the old functionality (all
109  * rules match).
110  */
111 static int ugidfw_firstmatch_enabled;
112 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
113     CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
114     "Disable/enable match first rule functionality");
115 
116 static int
117 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
118 {
119 
120 	if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
121 		return (EINVAL);
122 	if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
123 		return (EINVAL);
124 	if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
125 		return (EINVAL);
126 	if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
127 		return (EINVAL);
128 	if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
129 	    (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
130 		return (EINVAL);
131 	if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
132 		return (EINVAL);
133 	return (0);
134 }
135 
136 static int
137 sysctl_rule(SYSCTL_HANDLER_ARGS)
138 {
139 	struct mac_bsdextended_rule temprule, *ruleptr;
140 	u_int namelen;
141 	int error, index, *name;
142 
143 	error = 0;
144 	name = (int *)arg1;
145 	namelen = arg2;
146 	if (namelen != 1)
147 		return (EINVAL);
148 	index = name[0];
149         if (index >= MAC_BSDEXTENDED_MAXRULES)
150 		return (ENOENT);
151 
152 	ruleptr = NULL;
153 	if (req->newptr && req->newlen != 0) {
154 		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
155 		if (error)
156 			return (error);
157 		ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
158 		    M_WAITOK | M_ZERO);
159 	}
160 
161 	mtx_lock(&ugidfw_mtx);
162 	if (req->oldptr) {
163 		if (index < 0 || index > rule_slots + 1) {
164 			error = ENOENT;
165 			goto out;
166 		}
167 		if (rules[index] == NULL) {
168 			error = ENOENT;
169 			goto out;
170 		}
171 		temprule = *rules[index];
172 	}
173 	if (req->newptr && req->newlen == 0) {
174 		KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
175 		ruleptr = rules[index];
176 		if (ruleptr == NULL) {
177 			error = ENOENT;
178 			goto out;
179 		}
180 		rule_count--;
181 		rules[index] = NULL;
182 	} else if (req->newptr) {
183 		error = ugidfw_rule_valid(&temprule);
184 		if (error)
185 			goto out;
186 		if (rules[index] == NULL) {
187 			*ruleptr = temprule;
188 			rules[index] = ruleptr;
189 			ruleptr = NULL;
190 			if (index + 1 > rule_slots)
191 				rule_slots = index + 1;
192 			rule_count++;
193 		} else
194 			*rules[index] = temprule;
195 	}
196 out:
197 	mtx_unlock(&ugidfw_mtx);
198 	if (ruleptr != NULL)
199 		free(ruleptr, M_MACBSDEXTENDED);
200 	if (req->oldptr && error == 0)
201 		error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
202 	return (error);
203 }
204 
205 static SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
206     CTLFLAG_MPSAFE | CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
207 
208 static void
209 ugidfw_init(struct mac_policy_conf *mpc)
210 {
211 
212 	mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
213 }
214 
215 static void
216 ugidfw_destroy(struct mac_policy_conf *mpc)
217 {
218 	int i;
219 
220 	for (i = 0; i < MAC_BSDEXTENDED_MAXRULES; i++) {
221 		if (rules[i] != NULL)
222 			free(rules[i], M_MACBSDEXTENDED);
223 	}
224 	mtx_destroy(&ugidfw_mtx);
225 }
226 
227 static int
228 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
229     struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
230 {
231 	int mac_granted, match, priv_granted;
232 	int i;
233 
234 	/*
235 	 * Is there a subject match?
236 	 */
237 	mtx_assert(&ugidfw_mtx, MA_OWNED);
238 	if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
239 		match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
240 		    cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
241 		    (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
242 		    cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
243 		    (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
244 		    cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
245 		if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
246 			match = !match;
247 		if (!match)
248 			return (0);
249 	}
250 
251 	if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
252 		match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
253 		    cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
254 		    (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
255 		    cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
256 		if (!match) {
257 			for (i = 0; i < cred->cr_ngroups; i++) {
258 				if (cred->cr_groups[i]
259 				    <= rule->mbr_subject.mbs_gid_max &&
260 				    cred->cr_groups[i]
261 				    >= rule->mbr_subject.mbs_gid_min) {
262 					match = 1;
263 					break;
264 				}
265 			}
266 		}
267 		if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
268 			match = !match;
269 		if (!match)
270 			return (0);
271 	}
272 
273 	if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
274 		match =
275 		    (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
276 		if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
277 			match = !match;
278 		if (!match)
279 			return (0);
280 	}
281 
282 	/*
283 	 * Is there an object match?
284 	 */
285 	if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
286 		match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
287 		    vap->va_uid >= rule->mbr_object.mbo_uid_min);
288 		if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
289 			match = !match;
290 		if (!match)
291 			return (0);
292 	}
293 
294 	if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
295 		match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
296 		    vap->va_gid >= rule->mbr_object.mbo_gid_min);
297 		if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
298 			match = !match;
299 		if (!match)
300 			return (0);
301 	}
302 
303 	if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
304 		match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
305 		    &(rule->mbr_object.mbo_fsid),
306 		    sizeof(rule->mbr_object.mbo_fsid)) == 0);
307 		if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
308 			match = !match;
309 		if (!match)
310 			return (0);
311 	}
312 
313 	if (rule->mbr_object.mbo_flags & MBO_SUID) {
314 		match = (vap->va_mode & S_ISUID);
315 		if (rule->mbr_object.mbo_neg & MBO_SUID)
316 			match = !match;
317 		if (!match)
318 			return (0);
319 	}
320 
321 	if (rule->mbr_object.mbo_flags & MBO_SGID) {
322 		match = (vap->va_mode & S_ISGID);
323 		if (rule->mbr_object.mbo_neg & MBO_SGID)
324 			match = !match;
325 		if (!match)
326 			return (0);
327 	}
328 
329 	if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
330 		match = (vap->va_uid == cred->cr_uid ||
331 		    vap->va_uid == cred->cr_ruid ||
332 		    vap->va_uid == cred->cr_svuid);
333 		if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
334 			match = !match;
335 		if (!match)
336 			return (0);
337 	}
338 
339 	if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
340 		match = (groupmember(vap->va_gid, cred) ||
341 		    vap->va_gid == cred->cr_rgid ||
342 		    vap->va_gid == cred->cr_svgid);
343 		if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
344 			match = !match;
345 		if (!match)
346 			return (0);
347 	}
348 
349 	if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
350 		switch (vap->va_type) {
351 		case VREG:
352 			match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
353 			break;
354 		case VDIR:
355 			match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
356 			break;
357 		case VBLK:
358 			match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
359 			break;
360 		case VCHR:
361 			match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
362 			break;
363 		case VLNK:
364 			match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
365 			break;
366 		case VSOCK:
367 			match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
368 			break;
369 		case VFIFO:
370 			match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
371 			break;
372 		default:
373 			match = 0;
374 		}
375 		if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
376 			match = !match;
377 		if (!match)
378 			return (0);
379 	}
380 
381 	/*
382 	 * MBI_APPEND should not be here as it should get converted to
383 	 * MBI_WRITE.
384 	 */
385 	priv_granted = 0;
386 	mac_granted = rule->mbr_mode;
387 	if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
388 	    priv_check_cred(cred, PRIV_VFS_ADMIN, 0) == 0)
389 		priv_granted |= MBI_ADMIN;
390 	if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
391 	    priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP :
392 	    PRIV_VFS_EXEC, 0) == 0)
393 		priv_granted |= MBI_EXEC;
394 	if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
395 	    priv_check_cred(cred, PRIV_VFS_READ, 0) == 0)
396 		priv_granted |= MBI_READ;
397 	if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
398 	    priv_check_cred(cred, PRIV_VFS_STAT, 0) == 0)
399 		priv_granted |= MBI_STAT;
400 	if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
401 	    priv_check_cred(cred, PRIV_VFS_WRITE, 0) == 0)
402 		priv_granted |= MBI_WRITE;
403 	/*
404 	 * Is the access permitted?
405 	 */
406 	if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
407 		if (ugidfw_logging)
408 			log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
409 			    " on %d:%d failed. \n", cred->cr_ruid,
410 			    cred->cr_rgid, acc_mode, vap->va_uid,
411 			    vap->va_gid);
412 		return (EACCES);
413 	}
414 
415 	/*
416 	 * If the rule matched, permits access, and first match is enabled,
417 	 * return success.
418 	 */
419 	if (ugidfw_firstmatch_enabled)
420 		return (EJUSTRETURN);
421 	else
422 		return (0);
423 }
424 
425 int
426 ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
427     int acc_mode)
428 {
429 	int error, i;
430 
431 	/*
432 	 * Since we do not separately handle append, map append to write.
433 	 */
434 	if (acc_mode & MBI_APPEND) {
435 		acc_mode &= ~MBI_APPEND;
436 		acc_mode |= MBI_WRITE;
437 	}
438 	mtx_lock(&ugidfw_mtx);
439 	for (i = 0; i < rule_slots; i++) {
440 		if (rules[i] == NULL)
441 			continue;
442 		error = ugidfw_rulecheck(rules[i], cred,
443 		    vp, vap, acc_mode);
444 		if (error == EJUSTRETURN)
445 			break;
446 		if (error) {
447 			mtx_unlock(&ugidfw_mtx);
448 			return (error);
449 		}
450 	}
451 	mtx_unlock(&ugidfw_mtx);
452 	return (0);
453 }
454 
455 int
456 ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
457 {
458 	int error;
459 	struct vattr vap;
460 
461 	if (!ugidfw_enabled)
462 		return (0);
463 	error = VOP_GETATTR(vp, &vap, cred);
464 	if (error)
465 		return (error);
466 	return (ugidfw_check(cred, vp, &vap, acc_mode));
467 }
468 
469 int
470 ugidfw_accmode2mbi(accmode_t accmode)
471 {
472 	int mbi;
473 
474 	mbi = 0;
475 	if (accmode & VEXEC)
476 		mbi |= MBI_EXEC;
477 	if (accmode & VWRITE)
478 		mbi |= MBI_WRITE;
479 	if (accmode & VREAD)
480 		mbi |= MBI_READ;
481 	if (accmode & VADMIN_PERMS)
482 		mbi |= MBI_ADMIN;
483 	if (accmode & VSTAT_PERMS)
484 		mbi |= MBI_STAT;
485 	if (accmode & VAPPEND)
486 		mbi |= MBI_APPEND;
487 	return (mbi);
488 }
489 
490 static struct mac_policy_ops ugidfw_ops =
491 {
492 	.mpo_destroy = ugidfw_destroy,
493 	.mpo_init = ugidfw_init,
494 	.mpo_system_check_acct = ugidfw_system_check_acct,
495 	.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
496 	.mpo_system_check_swapon = ugidfw_system_check_swapon,
497 	.mpo_vnode_check_access = ugidfw_vnode_check_access,
498 	.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
499 	.mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
500 	.mpo_vnode_check_create = ugidfw_check_create_vnode,
501 	.mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
502 	.mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
503 	.mpo_vnode_check_exec = ugidfw_vnode_check_exec,
504 	.mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
505 	.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
506 	.mpo_vnode_check_link = ugidfw_vnode_check_link,
507 	.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
508 	.mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
509 	.mpo_vnode_check_open = ugidfw_vnode_check_open,
510 	.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
511 	.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
512 	.mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
513 	.mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
514 	.mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
515 	.mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
516 	.mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
517 	.mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
518 	.mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
519 	.mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
520 	.mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
521 	.mpo_vnode_check_stat = ugidfw_vnode_check_stat,
522 	.mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
523 };
524 
525 MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
526     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
527