1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2002 Networks Associates Technology, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * 9 * This software was developed for the FreeBSD Project in part by Network 10 * Associates Laboratories, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 12 * as part of the DARPA CHATS research program. 13 * 14 * This software was enhanced by SPARTA ISSO under SPAWAR contract 15 * N66001-04-C-6019 ("SEFOS"). 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * $FreeBSD$ 39 */ 40 41 /* 42 * Developed by the TrustedBSD Project. 43 * 44 * Prevent processes owned by a particular uid from seeing various transient 45 * kernel objects associated with other uids. 46 */ 47 48 #include <sys/param.h> 49 #include <sys/kernel.h> 50 #include <sys/module.h> 51 #include <sys/priv.h> 52 #include <sys/proc.h> 53 #include <sys/systm.h> 54 #include <sys/socketvar.h> 55 #include <sys/sysctl.h> 56 57 #include <security/mac/mac_policy.h> 58 59 SYSCTL_DECL(_security_mac); 60 61 SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0, 62 "TrustedBSD mac_seeotheruids policy controls"); 63 64 static int seeotheruids_enabled = 1; 65 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW, 66 &seeotheruids_enabled, 0, "Enforce seeotheruids policy"); 67 68 /* 69 * Exception: allow credentials to be aware of other credentials with the 70 * same primary gid. 71 */ 72 static int primarygroup_enabled = 0; 73 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, primarygroup_enabled, 74 CTLFLAG_RW, &primarygroup_enabled, 0, "Make an exception for credentials " 75 "with the same real primary group id"); 76 77 /* 78 * Exception: allow the root user to be aware of other credentials by virtue 79 * of privilege. 80 */ 81 static int suser_privileged = 1; 82 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged, 83 CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser"); 84 85 /* 86 * Exception: allow processes with a specific gid to be exempt from the 87 * policy. One sysctl enables this functionality; the other sets the 88 * exempt gid. 89 */ 90 static int specificgid_enabled = 0; 91 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid_enabled, 92 CTLFLAG_RW, &specificgid_enabled, 0, "Make an exception for credentials " 93 "with a specific gid as their real primary group id or group set"); 94 95 static gid_t specificgid = 0; 96 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW, 97 &specificgid, 0, "Specific gid to be exempt from seeotheruids policy"); 98 99 static int 100 seeotheruids_check(struct ucred *cr1, struct ucred *cr2) 101 { 102 103 if (!seeotheruids_enabled) 104 return (0); 105 106 if (primarygroup_enabled) { 107 if (cr1->cr_rgid == cr2->cr_rgid) 108 return (0); 109 } 110 111 if (specificgid_enabled) { 112 if (cr1->cr_rgid == specificgid || 113 groupmember(specificgid, cr1)) 114 return (0); 115 } 116 117 if (cr1->cr_ruid == cr2->cr_ruid) 118 return (0); 119 120 if (suser_privileged) { 121 if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0) 122 return (0); 123 } 124 125 return (ESRCH); 126 } 127 128 static int 129 seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p) 130 { 131 132 return (seeotheruids_check(cred, p->p_ucred)); 133 } 134 135 static int 136 seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p) 137 { 138 139 return (seeotheruids_check(cred, p->p_ucred)); 140 } 141 142 static int 143 seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p, 144 int signum) 145 { 146 147 return (seeotheruids_check(cred, p->p_ucred)); 148 } 149 150 static int 151 seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2) 152 { 153 154 return (seeotheruids_check(cr1, cr2)); 155 } 156 157 static int 158 seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so, 159 struct label *solabel) 160 { 161 162 return (seeotheruids_check(cred, so->so_cred)); 163 } 164 165 static struct mac_policy_ops seeotheruids_ops = 166 { 167 .mpo_proc_check_debug = seeotheruids_proc_check_debug, 168 .mpo_proc_check_sched = seeotheruids_proc_check_sched, 169 .mpo_proc_check_signal = seeotheruids_proc_check_signal, 170 .mpo_cred_check_visible = seeotheruids_cred_check_visible, 171 .mpo_socket_check_visible = seeotheruids_socket_check_visible, 172 }; 173 174 MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids, 175 "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL); 176