1 /*- 2 * Copyright (c) 2003-2004 Networks Associates Technology, Inc. 3 * Copyright (c) 2006 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This software was developed for the FreeBSD Project by Network 7 * Associates Laboratories, the Security Research Division of Network 8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 9 * as part of the DARPA CHATS research program. 10 * 11 * This software was enhanced by SPARTA ISSO under SPAWAR contract 12 * N66001-04-C-6019 ("SEFOS"). 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 /* 37 * Developed by the TrustedBSD Project. 38 * 39 * Administratively limit access to local UDP/TCP ports for binding purposes. 40 * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow 41 * specific uids and gids to bind specific ports for specific purposes, 42 * while not opening the door to any user replacing an "official" service 43 * while you're restarting it. This only affects ports explicitly bound by 44 * the user process (either for listen/outgoing socket for TCP, or send/ 45 * receive for UDP). This module will not limit ports bound implicitly for 46 * out-going connections where the process hasn't explicitly selected a port: 47 * these are automatically selected by the IP stack. 48 * 49 * To use this module, security.mac.enforce_socket must be enabled, and you 50 * will probably want to twiddle the net.inet sysctl listed above. Then use 51 * sysctl(8) to modify the rules string: 52 * 53 * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79" 54 * 55 * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) and 56 * 79 (finger). User names and group names can't be used directly because 57 * the kernel only knows about uids and gids. 58 */ 59 60 #include <sys/param.h> 61 #include <sys/domain.h> 62 #include <sys/kernel.h> 63 #include <sys/lock.h> 64 #include <sys/malloc.h> 65 #include <sys/module.h> 66 #include <sys/mutex.h> 67 #include <sys/priv.h> 68 #include <sys/proc.h> 69 #include <sys/protosw.h> 70 #include <sys/queue.h> 71 #include <sys/systm.h> 72 #include <sys/sbuf.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/sysctl.h> 76 77 #include <netinet/in.h> 78 #include <netinet/in_pcb.h> 79 80 #include <security/mac/mac_policy.h> 81 82 SYSCTL_DECL(_security_mac); 83 84 static SYSCTL_NODE(_security_mac, OID_AUTO, portacl, 85 CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 86 "TrustedBSD mac_portacl policy controls"); 87 88 static int portacl_enabled = 1; 89 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RWTUN, 90 &portacl_enabled, 0, "Enforce portacl policy"); 91 92 static int portacl_suser_exempt = 1; 93 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RWTUN, 94 &portacl_suser_exempt, 0, "Privilege permits binding of any port"); 95 96 static int portacl_autoport_exempt = 1; 97 SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RWTUN, 98 &portacl_autoport_exempt, 0, "Allow automatic allocation through " 99 "binding port 0 if not IP_PORTRANGELOW"); 100 101 static int portacl_port_high = 1023; 102 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RWTUN, 103 &portacl_port_high, 0, "Highest port to enforce for"); 104 105 static MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl"); 106 107 #define MAC_RULE_STRING_LEN 1024 108 109 #define RULE_GID 1 110 #define RULE_UID 2 111 #define RULE_PROTO_TCP 1 112 #define RULE_PROTO_UDP 2 113 struct rule { 114 id_t r_id; 115 int r_idtype; 116 u_int16_t r_port; 117 int r_protocol; 118 119 TAILQ_ENTRY(rule) r_entries; 120 }; 121 122 #define GID_STRING "gid" 123 #define TCP_STRING "tcp" 124 #define UID_STRING "uid" 125 #define UDP_STRING "udp" 126 127 /* 128 * Text format for the rule string is that a rule consists of a 129 * comma-separated list of elements. Each element is in the form 130 * idtype:id:protocol:portnumber, and constitutes granting of permission 131 * for the specified binding. 132 */ 133 134 static struct mtx rule_mtx; 135 static TAILQ_HEAD(rulehead, rule) rule_head; 136 static char rule_string[MAC_RULE_STRING_LEN]; 137 138 static void 139 toast_rules(struct rulehead *head) 140 { 141 struct rule *rule; 142 143 while ((rule = TAILQ_FIRST(head)) != NULL) { 144 TAILQ_REMOVE(head, rule, r_entries); 145 free(rule, M_PORTACL); 146 } 147 } 148 149 /* 150 * Note that there is an inherent race condition in the unload of modules 151 * and access via sysctl. 152 */ 153 static void 154 destroy(struct mac_policy_conf *mpc) 155 { 156 157 mtx_destroy(&rule_mtx); 158 toast_rules(&rule_head); 159 } 160 161 static void 162 init(struct mac_policy_conf *mpc) 163 { 164 165 mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF); 166 TAILQ_INIT(&rule_head); 167 } 168 169 /* 170 * Note: parsing routines are destructive on the passed string. 171 */ 172 static int 173 parse_rule_element(char *element, struct rule **rule) 174 { 175 char *idtype, *id, *protocol, *portnumber, *p; 176 struct rule *new; 177 int error; 178 179 error = 0; 180 new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK); 181 182 idtype = strsep(&element, ":"); 183 if (idtype == NULL) { 184 error = EINVAL; 185 goto out; 186 } 187 id = strsep(&element, ":"); 188 if (id == NULL) { 189 error = EINVAL; 190 goto out; 191 } 192 new->r_id = strtol(id, &p, 10); 193 if (*p != '\0') { 194 error = EINVAL; 195 goto out; 196 } 197 if (strcmp(idtype, UID_STRING) == 0) 198 new->r_idtype = RULE_UID; 199 else if (strcmp(idtype, GID_STRING) == 0) 200 new->r_idtype = RULE_GID; 201 else { 202 error = EINVAL; 203 goto out; 204 } 205 protocol = strsep(&element, ":"); 206 if (protocol == NULL) { 207 error = EINVAL; 208 goto out; 209 } 210 if (strcmp(protocol, TCP_STRING) == 0) 211 new->r_protocol = RULE_PROTO_TCP; 212 else if (strcmp(protocol, UDP_STRING) == 0) 213 new->r_protocol = RULE_PROTO_UDP; 214 else { 215 error = EINVAL; 216 goto out; 217 } 218 portnumber = element; 219 if (portnumber == NULL) { 220 error = EINVAL; 221 goto out; 222 } 223 new->r_port = strtol(portnumber, &p, 10); 224 if (*p != '\0') { 225 error = EINVAL; 226 goto out; 227 } 228 229 out: 230 if (error != 0) { 231 free(new, M_PORTACL); 232 *rule = NULL; 233 } else 234 *rule = new; 235 return (error); 236 } 237 238 static int 239 parse_rules(char *string, struct rulehead *head) 240 { 241 struct rule *new; 242 char *element; 243 int error; 244 245 error = 0; 246 while ((element = strsep(&string, ",")) != NULL) { 247 if (strlen(element) == 0) 248 continue; 249 error = parse_rule_element(element, &new); 250 if (error) 251 goto out; 252 TAILQ_INSERT_TAIL(head, new, r_entries); 253 } 254 out: 255 if (error != 0) 256 toast_rules(head); 257 return (error); 258 } 259 260 /* 261 * rule_printf() and rules_to_string() are unused currently because they rely 262 * on sbufs with auto-extension, which may sleep while holding a mutex. 263 * Instead, the non-canonical user-generated rule string is returned to the 264 * user when the rules are queried, which is faster anyway. 265 */ 266 #if 0 267 static void 268 rule_printf(struct sbuf *sb, struct rule *rule) 269 { 270 const char *idtype, *protocol; 271 272 switch(rule->r_idtype) { 273 case RULE_GID: 274 idtype = GID_STRING; 275 break; 276 case RULE_UID: 277 idtype = UID_STRING; 278 break; 279 default: 280 panic("rule_printf: unknown idtype (%d)\n", rule->r_idtype); 281 } 282 283 switch (rule->r_protocol) { 284 case RULE_PROTO_TCP: 285 protocol = TCP_STRING; 286 break; 287 case RULE_PROTO_UDP: 288 protocol = UDP_STRING; 289 break; 290 default: 291 panic("rule_printf: unknown protocol (%d)\n", 292 rule->r_protocol); 293 } 294 sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id, 295 protocol, rule->r_port); 296 } 297 298 static char * 299 rules_to_string(void) 300 { 301 struct rule *rule; 302 struct sbuf *sb; 303 int needcomma; 304 char *temp; 305 306 sb = sbuf_new_auto(); 307 needcomma = 0; 308 mtx_lock(&rule_mtx); 309 for (rule = TAILQ_FIRST(&rule_head); rule != NULL; 310 rule = TAILQ_NEXT(rule, r_entries)) { 311 if (!needcomma) 312 needcomma = 1; 313 else 314 sbuf_printf(sb, ","); 315 rule_printf(sb, rule); 316 } 317 mtx_unlock(&rule_mtx); 318 sbuf_finish(sb); 319 temp = strdup(sbuf_data(sb), M_PORTACL); 320 sbuf_delete(sb); 321 return (temp); 322 } 323 #endif 324 325 /* 326 * Note: due to races, there is not a single serializable order 327 * between parallel calls to the sysctl. 328 */ 329 static int 330 sysctl_rules(SYSCTL_HANDLER_ARGS) 331 { 332 char *string, *copy_string, *new_string; 333 struct rulehead head, save_head; 334 int error; 335 336 new_string = NULL; 337 if (req->newptr != NULL) { 338 new_string = malloc(MAC_RULE_STRING_LEN, M_PORTACL, 339 M_WAITOK | M_ZERO); 340 mtx_lock(&rule_mtx); 341 strcpy(new_string, rule_string); 342 mtx_unlock(&rule_mtx); 343 string = new_string; 344 } else 345 string = rule_string; 346 347 error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req); 348 if (error) 349 goto out; 350 351 if (req->newptr != NULL) { 352 copy_string = strdup(string, M_PORTACL); 353 TAILQ_INIT(&head); 354 error = parse_rules(copy_string, &head); 355 free(copy_string, M_PORTACL); 356 if (error) 357 goto out; 358 359 TAILQ_INIT(&save_head); 360 mtx_lock(&rule_mtx); 361 TAILQ_CONCAT(&save_head, &rule_head, r_entries); 362 TAILQ_CONCAT(&rule_head, &head, r_entries); 363 strcpy(rule_string, string); 364 mtx_unlock(&rule_mtx); 365 toast_rules(&save_head); 366 } 367 out: 368 if (new_string != NULL) 369 free(new_string, M_PORTACL); 370 return (error); 371 } 372 373 SYSCTL_PROC(_security_mac_portacl, OID_AUTO, rules, 374 CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_MPSAFE, 375 0, 0, sysctl_rules, "A", 376 "Rules"); 377 378 static int 379 rules_check(struct ucred *cred, int family, int type, u_int16_t port) 380 { 381 struct rule *rule; 382 int error; 383 384 #if 0 385 printf("Check requested for euid %d, family %d, type %d, port %d\n", 386 cred->cr_uid, family, type, port); 387 #endif 388 389 if (port > portacl_port_high) 390 return (0); 391 392 error = EPERM; 393 mtx_lock(&rule_mtx); 394 for (rule = TAILQ_FIRST(&rule_head); 395 rule != NULL; 396 rule = TAILQ_NEXT(rule, r_entries)) { 397 if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP) 398 continue; 399 if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP) 400 continue; 401 if (port != rule->r_port) 402 continue; 403 if (rule->r_idtype == RULE_UID) { 404 if (cred->cr_uid == rule->r_id) { 405 error = 0; 406 break; 407 } 408 } else if (rule->r_idtype == RULE_GID) { 409 if (cred->cr_gid == rule->r_id) { 410 error = 0; 411 break; 412 } else if (groupmember(rule->r_id, cred)) { 413 error = 0; 414 break; 415 } 416 } else 417 panic("rules_check: unknown rule type %d", 418 rule->r_idtype); 419 } 420 mtx_unlock(&rule_mtx); 421 422 if (error != 0 && portacl_suser_exempt != 0) 423 error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT); 424 425 return (error); 426 } 427 428 /* 429 * Note, this only limits the ability to explicitly bind a port, it 430 * doesn't limit implicitly bound ports for outgoing connections where 431 * the source port is left up to the IP stack to determine automatically. 432 */ 433 static int 434 socket_check_bind(struct ucred *cred, struct socket *so, 435 struct label *solabel, struct sockaddr *sa) 436 { 437 struct sockaddr_in *sin; 438 struct inpcb *inp; 439 int family, type; 440 u_int16_t port; 441 442 /* Only run if we are enabled. */ 443 if (portacl_enabled == 0) 444 return (0); 445 446 /* Only interested in IPv4 and IPv6 sockets. */ 447 if (so->so_proto->pr_domain->dom_family != PF_INET && 448 so->so_proto->pr_domain->dom_family != PF_INET6) 449 return (0); 450 451 /* Currently, we don't attempt to deal with SOCK_RAW, etc. */ 452 if (so->so_type != SOCK_DGRAM && 453 so->so_type != SOCK_STREAM) 454 return (0); 455 456 /* Reject addresses we don't understand; fail closed. */ 457 if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6) 458 return (EINVAL); 459 460 family = so->so_proto->pr_domain->dom_family; 461 type = so->so_type; 462 sin = (struct sockaddr_in *) sa; 463 port = ntohs(sin->sin_port); 464 465 /* 466 * Sockets are frequently bound with a specific IP address but a port 467 * number of '0' to request automatic port allocation. This is often 468 * desirable as long as IP_PORTRANGELOW isn't set, which might permit 469 * automatic allocation of a "privileged" port. The autoport exempt 470 * flag exempts port 0 allocation from rule checking as long as a low 471 * port isn't required. 472 */ 473 if (portacl_autoport_exempt && port == 0) { 474 inp = sotoinpcb(so); 475 if ((inp->inp_flags & INP_LOWPORT) == 0) 476 return (0); 477 } 478 479 return (rules_check(cred, family, type, port)); 480 } 481 482 static struct mac_policy_ops portacl_ops = 483 { 484 .mpo_destroy = destroy, 485 .mpo_init = init, 486 .mpo_socket_check_bind = socket_check_bind, 487 }; 488 489 MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl", 490 MPC_LOADTIME_FLAG_UNLOADOK, NULL); 491 MODULE_VERSION(mac_portacl, 1); 492