1 /*- 2 * Copyright (c) 2003 Networks Associates Technology, Inc. 3 * All rights reserved. 4 * 5 * This software was developed for the FreeBSD Project by Network 6 * Associates Laboratories, the Security Research Division of Network 7 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 8 * as part of the DARPA CHATS research program. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 /* 35 * Developed by the TrustedBSD Project. 36 * 37 * Administratively limit access to local UDP/TCP ports for binding purposes. 38 * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow 39 * specific uids and gids to bind specific ports for specific purposes, 40 * while not opening the door to any user replacing an "official" service 41 * while you're restarting it. This only affects ports explicitly bound by 42 * the user process (either for listen/outgoing socket for TCP, or send/ 43 * receive for UDP). This module will not limit ports bound implicitly for 44 * out-going connections where the process hasn't explicitly selected a port: 45 * these are automatically selected by the IP stack. 46 * 47 * To use this module, security.mac.enforce_socket must be enabled, and 48 * you will probably want to twiddle the net.inet sysctl listed above. 49 * Then use sysctl(8) to modify the rules string: 50 * 51 * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79" 52 * 53 * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) 54 * and 79 (finger). User names and group names can't be used directly 55 * because the kernel only knows about uids and gids. 56 */ 57 58 #include <sys/types.h> 59 #include <sys/param.h> 60 #include <sys/conf.h> 61 #include <sys/domain.h> 62 #include <sys/kernel.h> 63 #include <sys/libkern.h> 64 #include <sys/mac.h> 65 #include <sys/malloc.h> 66 #include <sys/mount.h> 67 #include <sys/proc.h> 68 #include <sys/protosw.h> 69 #include <sys/queue.h> 70 #include <sys/systm.h> 71 #include <sys/sysproto.h> 72 #include <sys/sysent.h> 73 #include <sys/vnode.h> 74 #include <sys/file.h> 75 #include <sys/sbuf.h> 76 #include <sys/socket.h> 77 #include <sys/socketvar.h> 78 #include <sys/sx.h> 79 #include <sys/sysctl.h> 80 81 #include <netinet/in.h> 82 83 #include <vm/vm.h> 84 85 #include <sys/mac_policy.h> 86 87 SYSCTL_DECL(_security_mac); 88 89 SYSCTL_NODE(_security_mac, OID_AUTO, portacl, CTLFLAG_RW, 0, 90 "TrustedBSD mac_portacl policy controls"); 91 92 static int mac_portacl_enabled = 1; 93 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RW, 94 &mac_portacl_enabled, 0, "Enforce portacl policy"); 95 TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled); 96 97 static int mac_portacl_suser_exempt = 1; 98 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW, 99 &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port"); 100 TUNABLE_INT("security.mac.portacl.suser_exempt", 101 &mac_portacl_suser_exempt); 102 103 static int mac_portacl_port_high = 1023; 104 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW, 105 &mac_portacl_port_high, 0, "Highest port to enforce for"); 106 TUNABLE_INT("security.mac.portacl.port_high", &mac_portacl_port_high); 107 108 MALLOC_DEFINE(M_PORTACL, "portacl rule", "Rules for mac_portacl"); 109 110 #define MAC_RULE_STRING_LEN 1024 111 112 #define RULE_GID 1 113 #define RULE_UID 2 114 #define RULE_PROTO_TCP 1 115 #define RULE_PROTO_UDP 2 116 struct rule { 117 id_t r_id; 118 int r_idtype; 119 u_int16_t r_port; 120 int r_protocol; 121 122 TAILQ_ENTRY(rule) r_entries; 123 }; 124 125 #define GID_STRING "gid" 126 #define TCP_STRING "tcp" 127 #define UID_STRING "uid" 128 #define UDP_STRING "udp" 129 130 /* 131 * Text format for the rule string is that a rule consists of a 132 * comma-seperated list of elements. Each element is in the form 133 * idtype:id:protocol:portnumber, and constitutes granting of permission 134 * for the specified binding. 135 */ 136 137 static struct sx rule_sx; 138 static TAILQ_HEAD(rulehead, rule) rule_head; 139 static char rule_string[MAC_RULE_STRING_LEN]; 140 141 static void 142 toast_rules(struct rulehead *head) 143 { 144 struct rule *rule; 145 int i; 146 147 i = 0; 148 for (rule = TAILQ_FIRST(head); 149 rule != NULL; 150 rule = TAILQ_NEXT(rule, r_entries)) 151 i++; 152 153 while ((rule = TAILQ_FIRST(head)) != NULL) { 154 TAILQ_REMOVE(head, rule, r_entries); 155 free(rule, M_PORTACL); 156 } 157 } 158 159 /* 160 * Note that there is an inherent race condition in the unload of modules 161 * and access via sysctl. 162 */ 163 static void 164 destroy(struct mac_policy_conf *mpc) 165 { 166 167 sx_destroy(&rule_sx); 168 toast_rules(&rule_head); 169 } 170 171 static void 172 init(struct mac_policy_conf *mpc) 173 { 174 175 sx_init(&rule_sx, "rule_sx"); 176 TAILQ_INIT(&rule_head); 177 } 178 179 /* 180 * Note: parsing routines are destructive on the passed string. 181 */ 182 static int 183 parse_rule_element(char *element, struct rule **rule) 184 { 185 char *idtype, *id, *protocol, *portnumber, *p; 186 struct rule *new; 187 int error; 188 189 error = 0; 190 new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK); 191 192 idtype = strsep(&element, ":"); 193 if (idtype == NULL) { 194 error = EINVAL; 195 goto out; 196 } 197 id = strsep(&element, ":"); 198 if (id == NULL) { 199 error = EINVAL; 200 goto out; 201 } 202 new->r_id = strtol(id, &p, 10); 203 if (*p != '\0') { 204 error = EINVAL; 205 goto out; 206 } 207 if (strcmp(idtype, UID_STRING) == 0) 208 new->r_idtype = RULE_UID; 209 else if (strcmp(idtype, GID_STRING) == 0) 210 new->r_idtype = RULE_GID; 211 else { 212 error = EINVAL; 213 goto out; 214 } 215 protocol = strsep(&element, ":"); 216 if (protocol == NULL) { 217 error = EINVAL; 218 goto out; 219 } 220 if (strcmp(protocol, TCP_STRING) == 0) 221 new->r_protocol = RULE_PROTO_TCP; 222 else if (strcmp(protocol, UDP_STRING) == 0) 223 new->r_protocol = RULE_PROTO_UDP; 224 else { 225 error = EINVAL; 226 goto out; 227 } 228 portnumber = element; 229 if (portnumber == NULL) { 230 error = EINVAL; 231 goto out; 232 } 233 new->r_port = strtol(portnumber, &p, 10); 234 if (*p != '\0') { 235 error = EINVAL; 236 goto out; 237 } 238 239 out: 240 if (error != 0) { 241 free(new, M_PORTACL); 242 *rule = NULL; 243 } else 244 *rule = new; 245 return (error); 246 } 247 248 static int 249 parse_rules(char *string, struct rulehead *head) 250 { 251 struct rule *new; 252 char *element; 253 int error; 254 255 error = 0; 256 while ((element = strsep(&string, ",")) != NULL) { 257 if (strlen(element) == 0) 258 continue; 259 error = parse_rule_element(element, &new); 260 if (error) 261 goto out; 262 TAILQ_INSERT_TAIL(head, new, r_entries); 263 } 264 out: 265 if (error != 0) 266 toast_rules(head); 267 return (error); 268 } 269 270 #if 0 271 static void 272 rule_printf(struct sbuf *sb, struct rule *rule) 273 { 274 const char *idtype, *protocol; 275 276 switch(rule->r_idtype) { 277 case RULE_GID: 278 idtype = GID_STRING; 279 break; 280 case RULE_UID: 281 idtype = UID_STRING; 282 break; 283 default: 284 panic("rule_printf: unknown idtype (%d)\n", rule->r_idtype); 285 } 286 287 switch (rule->r_protocol) { 288 case RULE_PROTO_TCP: 289 protocol = TCP_STRING; 290 break; 291 case RULE_PROTO_UDP: 292 protocol = UDP_STRING; 293 break; 294 default: 295 panic("rule_printf: unknown protocol (%d)\n", 296 rule->r_protocol); 297 } 298 sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id, 299 protocol, rule->r_port); 300 } 301 302 static char * 303 rules_to_string(void) 304 { 305 struct rule *rule; 306 struct sbuf *sb; 307 int needcomma; 308 char *temp; 309 310 sb = sbuf_new(NULL, NULL, 0, SBUF_AUTOEXTEND); 311 needcomma = 0; 312 sx_slock(&rule_sx); 313 for (rule = TAILQ_FIRST(&rule_head); rule != NULL; 314 rule = TAILQ_NEXT(rule, r_entries)) { 315 if (!needcomma) 316 needcomma = 1; 317 else 318 sbuf_printf(sb, ","); 319 rule_printf(sb, rule); 320 } 321 sx_sunlock(&rule_sx); 322 sbuf_finish(sb); 323 temp = strdup(sbuf_data(sb), M_PORTACL); 324 sbuf_delete(sb); 325 return (temp); 326 } 327 #endif 328 329 /* 330 * Note: due to races, there is not a single serializable order 331 * between parallel calls to the sysctl. 332 */ 333 static int 334 sysctl_rules(SYSCTL_HANDLER_ARGS) 335 { 336 char *string, *copy_string, *new_string; 337 struct rulehead head, save_head; 338 struct rule *rule; 339 int error; 340 341 new_string = NULL; 342 if (req->newptr == NULL) { 343 new_string = malloc(MAC_RULE_STRING_LEN, M_PORTACL, 344 M_WAITOK | M_ZERO); 345 strcpy(new_string, rule_string); 346 string = new_string; 347 } else 348 string = rule_string; 349 350 error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req); 351 if (error) 352 goto out; 353 354 if (req->newptr != NULL) { 355 copy_string = strdup(string, M_PORTACL); 356 TAILQ_INIT(&head); 357 error = parse_rules(copy_string, &head); 358 free(copy_string, M_PORTACL); 359 if (error) 360 goto out; 361 362 TAILQ_INIT(&save_head); 363 sx_xlock(&rule_sx); 364 /* 365 * XXX: Unfortunately, TAILQ doesn't yet have a supported 366 * assignment operator to copy one queue to another, due 367 * to a self-referential pointer in the tailq header. 368 * For now, do it the old-fashioned way. 369 */ 370 while ((rule = TAILQ_FIRST(&rule_head)) != NULL) { 371 TAILQ_REMOVE(&rule_head, rule, r_entries); 372 TAILQ_INSERT_HEAD(&save_head, rule, r_entries); 373 } 374 while ((rule = TAILQ_FIRST(&head)) != NULL) { 375 TAILQ_REMOVE(&head, rule, r_entries); 376 TAILQ_INSERT_HEAD(&rule_head, rule, r_entries); 377 } 378 strcpy(rule_string, string); 379 sx_xunlock(&rule_sx); 380 toast_rules(&save_head); 381 } 382 out: 383 if (new_string != NULL) 384 free(new_string, M_PORTACL); 385 return (error); 386 } 387 388 SYSCTL_PROC(_security_mac_portacl, OID_AUTO, rules, 389 CTLTYPE_STRING|CTLFLAG_RW, 0, 0, sysctl_rules, "A", "Rules"); 390 391 static int 392 rules_check(struct ucred *cred, int family, int type, u_int16_t port) 393 { 394 struct rule *rule; 395 int error; 396 397 #if 0 398 printf("Check requested for euid %d, family %d, type %d, port %d\n", 399 cred->cr_uid, family, type, port); 400 #endif 401 402 if (port > mac_portacl_port_high) 403 return (0); 404 405 error = EPERM; 406 sx_slock(&rule_sx); 407 for (rule = TAILQ_FIRST(&rule_head); 408 rule != NULL; 409 rule = TAILQ_NEXT(rule, r_entries)) { 410 if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP) 411 continue; 412 if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP) 413 continue; 414 if (port != rule->r_port) 415 continue; 416 if (rule->r_idtype == RULE_UID) { 417 if (cred->cr_uid == rule->r_id) { 418 error = 0; 419 break; 420 } 421 } else if (rule->r_idtype == RULE_GID) { 422 if (cred->cr_gid == rule->r_id) { 423 error = 0; 424 break; 425 } else if (groupmember(rule->r_id, cred)) { 426 error = 0; 427 break; 428 } 429 } else 430 panic("rules_check: unknown rule type %d", 431 rule->r_idtype); 432 } 433 sx_sunlock(&rule_sx); 434 435 if (error != 0 && mac_portacl_suser_exempt != 0) 436 error = suser_cred(cred, 0); 437 438 return (error); 439 } 440 441 /* 442 * Note, this only limits the ability to explicitly bind a port, it 443 * doesn't limit implicitly bound ports for outgoing connections where 444 * the source port is left up to the IP stack to determine automatically. 445 */ 446 static int 447 check_socket_bind(struct ucred *cred, struct socket *so, 448 struct label *socketlabel, struct sockaddr *sockaddr) 449 { 450 struct sockaddr_in *sin; 451 int family, type; 452 u_int16_t port; 453 454 /* Only interested in IPv4 and IPv6 sockets. */ 455 if (so->so_proto->pr_domain->dom_family != PF_INET && 456 so->so_proto->pr_domain->dom_family != PF_INET6) 457 return (0); 458 459 /* Currently, we don't attempt to deal with SOCK_RAW, etc. */ 460 if (so->so_type != SOCK_DGRAM && 461 so->so_type != SOCK_STREAM) 462 return (0); 463 464 /* Reject addresses we don't understand; fail closed. */ 465 if (sockaddr->sa_family != AF_INET && 466 sockaddr->sa_family != AF_INET6) 467 return (EINVAL); 468 469 family = so->so_proto->pr_domain->dom_family; 470 type = so->so_type; 471 sin = (struct sockaddr_in *) sockaddr; 472 port = ntohs(sin->sin_port); 473 474 return (rules_check(cred, family, type, port)); 475 } 476 477 static struct mac_policy_ops mac_portacl_ops = 478 { 479 .mpo_destroy = destroy, 480 .mpo_init = init, 481 .mpo_check_socket_bind = check_socket_bind, 482 }; 483 484 MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl, 485 "TrustedBSD MAC/portacl", MPC_LOADTIME_FLAG_UNLOADOK, NULL); 486