1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2002 Networks Associates Technology, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * 9 * This software was developed for the FreeBSD Project in part by Network 10 * Associates Laboratories, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 12 * as part of the DARPA CHATS research program. 13 * 14 * This software was enhanced by SPARTA ISSO under SPAWAR contract 15 * N66001-04-C-6019 ("SEFOS"). 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * $FreeBSD$ 39 */ 40 41 /* 42 * Developed by the TrustedBSD Project. 43 * 44 * Prevent processes owned by a particular uid from seeing various transient 45 * kernel objects associated with other uids. 46 */ 47 48 #include <sys/param.h> 49 #include <sys/kernel.h> 50 #include <sys/module.h> 51 #include <sys/priv.h> 52 #include <sys/proc.h> 53 #include <sys/systm.h> 54 #include <sys/socket.h> 55 #include <sys/socketvar.h> 56 #include <sys/sysctl.h> 57 58 #include <net/route.h> 59 #include <netinet/in.h> 60 #include <netinet/in_pcb.h> 61 62 #include <security/mac/mac_policy.h> 63 64 SYSCTL_DECL(_security_mac); 65 66 static SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0, 67 "TrustedBSD mac_seeotheruids policy controls"); 68 69 static int seeotheruids_enabled = 1; 70 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW, 71 &seeotheruids_enabled, 0, "Enforce seeotheruids policy"); 72 73 /* 74 * Exception: allow credentials to be aware of other credentials with the 75 * same primary gid. 76 */ 77 static int primarygroup_enabled = 0; 78 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, primarygroup_enabled, 79 CTLFLAG_RW, &primarygroup_enabled, 0, "Make an exception for credentials " 80 "with the same real primary group id"); 81 82 /* 83 * Exception: allow the root user to be aware of other credentials by virtue 84 * of privilege. 85 */ 86 static int suser_privileged = 1; 87 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged, 88 CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser"); 89 90 /* 91 * Exception: allow processes with a specific gid to be exempt from the 92 * policy. One sysctl enables this functionality; the other sets the 93 * exempt gid. 94 */ 95 static int specificgid_enabled = 0; 96 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid_enabled, 97 CTLFLAG_RW, &specificgid_enabled, 0, "Make an exception for credentials " 98 "with a specific gid as their real primary group id or group set"); 99 100 static gid_t specificgid = 0; 101 SYSCTL_UINT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW, 102 &specificgid, 0, "Specific gid to be exempt from seeotheruids policy"); 103 104 static int 105 seeotheruids_check(struct ucred *cr1, struct ucred *cr2) 106 { 107 108 if (!seeotheruids_enabled) 109 return (0); 110 111 if (primarygroup_enabled) { 112 if (cr1->cr_rgid == cr2->cr_rgid) 113 return (0); 114 } 115 116 if (specificgid_enabled) { 117 if (cr1->cr_rgid == specificgid || 118 groupmember(specificgid, cr1)) 119 return (0); 120 } 121 122 if (cr1->cr_ruid == cr2->cr_ruid) 123 return (0); 124 125 if (suser_privileged) { 126 if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS) == 0) 127 return (0); 128 } 129 130 return (ESRCH); 131 } 132 133 static int 134 seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p) 135 { 136 137 return (seeotheruids_check(cred, p->p_ucred)); 138 } 139 140 static int 141 seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p) 142 { 143 144 return (seeotheruids_check(cred, p->p_ucred)); 145 } 146 147 static int 148 seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p, 149 int signum) 150 { 151 152 return (seeotheruids_check(cred, p->p_ucred)); 153 } 154 155 static int 156 seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2) 157 { 158 159 return (seeotheruids_check(cr1, cr2)); 160 } 161 162 static int 163 seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, 164 struct label *inplabel) 165 { 166 167 return (seeotheruids_check(cred, inp->inp_cred)); 168 } 169 170 static int 171 seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so, 172 struct label *solabel) 173 { 174 175 return (seeotheruids_check(cred, so->so_cred)); 176 } 177 178 static struct mac_policy_ops seeotheruids_ops = 179 { 180 .mpo_proc_check_debug = seeotheruids_proc_check_debug, 181 .mpo_proc_check_sched = seeotheruids_proc_check_sched, 182 .mpo_proc_check_signal = seeotheruids_proc_check_signal, 183 .mpo_cred_check_visible = seeotheruids_cred_check_visible, 184 .mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible, 185 .mpo_socket_check_visible = seeotheruids_socket_check_visible, 186 }; 187 188 MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids, 189 "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL); 190