1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2011-2023 Juniper Networks, Inc. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/cdefs.h> 30 31 #include "opt_capsicum.h" 32 #include "opt_mac.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/capsicum.h> 37 #include <sys/eventhandler.h> 38 #include <sys/fcntl.h> 39 #include <sys/file.h> 40 #include <sys/filedesc.h> 41 #include <sys/imgact.h> 42 #include <sys/jail.h> 43 #include <sys/kernel.h> 44 #include <sys/mac.h> 45 #include <sys/mount.h> 46 #include <sys/namei.h> 47 #include <sys/priv.h> 48 #include <sys/proc.h> 49 #include <sys/sbuf.h> 50 #include <sys/stat.h> 51 #include <sys/sysctl.h> 52 #include <sys/vnode.h> 53 #ifdef COMPAT_FREEBSD32 54 #include <sys/sysent.h> 55 #include <sys/stdint.h> 56 #include <sys/abi_compat.h> 57 #endif 58 #include <fs/nullfs/null.h> 59 #include <security/mac/mac_framework.h> 60 #include <security/mac/mac_policy.h> 61 62 #include "mac_veriexec.h" 63 #include "mac_veriexec_internal.h" 64 65 #define SLOT(l) \ 66 mac_label_get((l), mac_veriexec_slot) 67 #define SLOT_SET(l, v) \ 68 mac_label_set((l), mac_veriexec_slot, (v)) 69 70 #ifdef MAC_DEBUG 71 #define MAC_VERIEXEC_DBG(_lvl, _fmt, ...) \ 72 do { \ 73 VERIEXEC_DEBUG((_lvl), (MAC_VERIEXEC_FULLNAME ": " _fmt \ 74 "\n", ##__VA_ARGS__)); \ 75 } while(0) 76 #else 77 #define MAC_VERIEXEC_DBG(_lvl, _fmt, ...) 78 #endif 79 80 static int sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS); 81 static int sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS); 82 static struct mac_policy_ops mac_veriexec_ops; 83 84 SYSCTL_DECL(_security_mac); 85 86 SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 87 "MAC/veriexec policy controls"); 88 89 int mac_veriexec_debug; 90 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, debug, CTLFLAG_RW, 91 &mac_veriexec_debug, 0, "Debug level"); 92 93 static int mac_veriexec_state; 94 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, state, 95 CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_NEEDGIANT, 96 0, 0, sysctl_mac_veriexec_state, "A", 97 "Verified execution subsystem state"); 98 99 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db, 100 CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP | CTLFLAG_NEEDGIANT, 101 0, 0, sysctl_mac_veriexec_db, 102 "A", "Verified execution fingerprint database"); 103 104 105 static int mac_veriexec_slot; 106 107 static int mac_veriexec_block_unlink; 108 109 MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data"); 110 111 /** 112 * @internal 113 * @brief Handler for security.mac.veriexec.db sysctl 114 * 115 * Display a human-readable form of the current fingerprint database. 116 */ 117 static int 118 sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS) 119 { 120 struct sbuf sb; 121 int error; 122 123 error = sysctl_wire_old_buffer(req, 0); 124 if (error != 0) 125 return (error); 126 127 sbuf_new_for_sysctl(&sb, NULL, 1024, req); 128 mac_veriexec_metadata_print_db(&sb); 129 error = sbuf_finish(&sb); 130 sbuf_delete(&sb); 131 132 return (error); 133 } 134 135 /** 136 * @internal 137 * @brief Generate human-readable output about the current verified execution 138 * state. 139 * 140 * @param sbp sbuf to write output to 141 */ 142 static void 143 mac_veriexec_print_state(struct sbuf *sbp) 144 { 145 146 if (mac_veriexec_state & VERIEXEC_STATE_INACTIVE) 147 sbuf_printf(sbp, "inactive "); 148 if (mac_veriexec_state & VERIEXEC_STATE_LOADED) 149 sbuf_printf(sbp, "loaded "); 150 if (mac_veriexec_state & VERIEXEC_STATE_ACTIVE) 151 sbuf_printf(sbp, "active "); 152 if (mac_veriexec_state & VERIEXEC_STATE_ENFORCE) 153 sbuf_printf(sbp, "enforce "); 154 if (mac_veriexec_state & VERIEXEC_STATE_LOCKED) 155 sbuf_printf(sbp, "locked "); 156 if (mac_veriexec_state != 0) 157 sbuf_trim(sbp); 158 } 159 160 /** 161 * @internal 162 * @brief Handler for security.mac.veriexec.state sysctl 163 * 164 * Display a human-readable form of the current verified execution subsystem 165 * state. 166 */ 167 static int 168 sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS) 169 { 170 struct sbuf sb; 171 int error; 172 173 sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND); 174 mac_veriexec_print_state(&sb); 175 sbuf_finish(&sb); 176 177 error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb)); 178 sbuf_delete(&sb); 179 return (error); 180 } 181 182 /** 183 * @internal 184 * @brief Event handler called when a virtual file system is mounted. 185 * 186 * We need to record the file system identifier in the MAC per-policy slot 187 * assigned to veriexec, so we have a key to use in order to reference the 188 * mount point in the meta-data store. 189 * 190 * @param arg unused argument 191 * @param mp mount point that is being mounted 192 * @param fsrootvp vnode of the file system root 193 * @param td calling thread 194 */ 195 static void 196 mac_veriexec_vfs_mounted(void *arg __unused, struct mount *mp, 197 struct vnode *fsrootvp, struct thread *td) 198 { 199 struct vattr va; 200 int error; 201 202 error = VOP_GETATTR(fsrootvp, &va, td->td_ucred); 203 if (error) 204 return; 205 206 SLOT_SET(mp->mnt_label, va.va_fsid); 207 #ifdef MAC_DEBUG 208 MAC_VERIEXEC_DBG(3, "set fsid to %ju for mount %p", 209 (uintmax_t)va.va_fsid, mp); 210 #endif 211 } 212 213 /** 214 * @internal 215 * @brief Event handler called when a virtual file system is unmounted. 216 * 217 * If we recorded a file system identifier in the MAC per-policy slot assigned 218 * to veriexec, then we need to tell the meta-data store to clean up. 219 * 220 * @param arg unused argument 221 * @param mp mount point that is being unmounted 222 * @param td calling thread 223 */ 224 static void 225 mac_veriexec_vfs_unmounted(void *arg __unused, struct mount *mp, 226 struct thread *td) 227 { 228 dev_t fsid; 229 230 fsid = SLOT(mp->mnt_label); 231 if (fsid) { 232 MAC_VERIEXEC_DBG(3, "fsid %ju, cleaning up mount", 233 (uintmax_t)fsid); 234 mac_veriexec_metadata_unmounted(fsid, td); 235 } 236 } 237 238 /** 239 * @internal 240 * @brief The mount point is being initialized, set the value in the MAC 241 * per-policy slot for veriexec to zero. 242 * 243 * @note A value of zero in this slot indicates no file system identifier 244 * is assigned. 245 * 246 * @param label the label that is being initialized 247 */ 248 static void 249 mac_veriexec_mount_init_label(struct label *label) 250 { 251 252 SLOT_SET(label, 0); 253 } 254 255 /** 256 * @internal 257 * @brief The mount-point is being destroyed, reset the value in the MAC 258 * per-policy slot for veriexec back to zero. 259 * 260 * @note A value of zero in this slot indicates no file system identifier 261 * is assigned. 262 * 263 * @param label the label that is being destroyed 264 */ 265 static void 266 mac_veriexec_mount_destroy_label(struct label *label) 267 { 268 269 SLOT_SET(label, 0); 270 } 271 272 /** 273 * @internal 274 * @brief The vnode label is being initialized, set the value in the MAC 275 * per-policy slot for veriexec to @c FINGERPRINT_INVALID 276 * 277 * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid. 278 * 279 * @param label the label that is being initialized 280 */ 281 static void 282 mac_veriexec_vnode_init_label(struct label *label) 283 { 284 285 SLOT_SET(label, FINGERPRINT_INVALID); 286 } 287 288 /** 289 * @internal 290 * @brief The vnode label is being destroyed, reset the value in the MAC 291 * per-policy slot for veriexec back to @c FINGERPRINT_INVALID 292 * 293 * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid. 294 * 295 * @param label the label that is being destroyed 296 */ 297 static void 298 mac_veriexec_vnode_destroy_label(struct label *label) 299 { 300 301 SLOT_SET(label, FINGERPRINT_INVALID); 302 } 303 304 /** 305 * @internal 306 * @brief Copy the value in the MAC per-policy slot assigned to veriexec from 307 * the @p src label to the @p dest label 308 */ 309 static void 310 mac_veriexec_copy_label(struct label *src, struct label *dest) 311 { 312 313 SLOT_SET(dest, SLOT(src)); 314 } 315 316 /** 317 * @internal 318 * @brief Check if the requested process can be debugged 319 * 320 * @param cred credentials to use 321 * @param p process to debug 322 * 323 * @return 0 if debugging is allowed, otherwise an error code. 324 */ 325 static int 326 mac_veriexec_proc_check_debug(struct ucred *cred, struct proc *p) 327 { 328 int error, flags; 329 330 /* If we are not enforcing veriexec, nothing for us to check */ 331 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 332 return (0); 333 334 error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0); 335 if (error != 0) 336 return (0); 337 338 error = (flags & (VERIEXEC_NOTRACE|VERIEXEC_TRUSTED)) ? EACCES : 0; 339 MAC_VERIEXEC_DBG(4, "%s flags=%#x error=%d", __func__, flags, error); 340 341 return (error); 342 } 343 344 /** 345 * @internal 346 * @brief A KLD load has been requested and needs to be validated. 347 * 348 * @param cred credentials to use 349 * @param vp vnode of the KLD that has been requested 350 * @param vlabel vnode label assigned to the vnode 351 * 352 * @return 0 if the KLD load is allowed, otherwise an error code. 353 */ 354 static int 355 mac_veriexec_kld_check_load(struct ucred *cred, struct vnode *vp, 356 struct label *vlabel) 357 { 358 struct vattr va; 359 struct thread *td = curthread; 360 fingerprint_status_t status; 361 int error; 362 363 /* 364 * If we are not actively enforcing, allow it 365 */ 366 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 367 return (0); 368 369 /* Get vnode attributes */ 370 error = VOP_GETATTR(vp, &va, cred); 371 if (error) 372 return (error); 373 374 /* 375 * Fetch the fingerprint status for the vnode 376 * (starting with files first) 377 */ 378 error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td, 379 VERIEXEC_FILES_FIRST); 380 if (error && error != EAUTH) 381 return (error); 382 383 /* 384 * By now we should have status... 385 */ 386 status = mac_veriexec_get_fingerprint_status(vp); 387 switch (status) { 388 case FINGERPRINT_FILE: 389 case FINGERPRINT_VALID: 390 case FINGERPRINT_INDIRECT: 391 if (error) 392 return (error); 393 break; 394 default: 395 /* 396 * kldload should fail unless there is a valid fingerprint 397 * registered. 398 */ 399 MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev %ju, " 400 "file %ju.%ju\n", status, (uintmax_t)va.va_fsid, 401 (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen); 402 return (EAUTH); 403 } 404 405 /* Everything is good, allow the KLD to be loaded */ 406 return (0); 407 } 408 409 /** 410 * @internal 411 * @brief Check privileges that veriexec needs to be concerned about. 412 * 413 * The following privileges are checked by this function: 414 * - PRIV_KMEM_WRITE\n 415 * Check if writes to /dev/mem and /dev/kmem are allowed\n 416 * (Only trusted processes are allowed) 417 * - PRIV_VERIEXEC_CONTROL\n 418 * Check if manipulating veriexec is allowed\n 419 * (only trusted processes are allowed) 420 * 421 * @param cred credentials to use 422 * @param priv privilege to check 423 * 424 * @return 0 if the privilege is allowed, error code otherwise. 425 */ 426 static int 427 mac_veriexec_priv_check(struct ucred *cred, int priv) 428 { 429 int error; 430 431 /* If we are not enforcing veriexec, nothing for us to check */ 432 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 433 return (0); 434 435 error = 0; 436 switch (priv) { 437 case PRIV_KMEM_WRITE: 438 case PRIV_VERIEXEC_CONTROL: 439 /* 440 * Do not allow writing to memory or manipulating veriexec, 441 * unless trusted 442 */ 443 if (mac_veriexec_proc_is_trusted(cred, curproc) == 0 && 444 mac_priv_grant(cred, priv) != 0) 445 error = EPERM; 446 MAC_VERIEXEC_DBG(4, "%s priv=%d error=%d", __func__, priv, 447 error); 448 break; 449 default: 450 break; 451 } 452 return (error); 453 } 454 455 /** 456 * @internal 457 * @brief Check if the requested sysctl should be allowed 458 * 459 * @param cred credentials to use 460 * @param oidp sysctl OID 461 * @param arg1 first sysctl argument 462 * @param arg2 second sysctl argument 463 * @param req sysctl request information 464 * 465 * @return 0 if the sysctl should be allowed, otherwise an error code. 466 */ 467 static int 468 mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp, 469 void *arg1, int arg2, struct sysctl_req *req) 470 { 471 struct sysctl_oid *oid; 472 473 /* If we are not enforcing veriexec, nothing for us to check */ 474 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 475 return (0); 476 477 oid = oidp; 478 if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { 479 return (EPERM); /* XXX call mac_veriexec_priv_check? */ 480 } 481 return 0; 482 } 483 484 /** 485 * @internal 486 * @brief A program is being executed and needs to be validated. 487 * 488 * @param cred credentials to use 489 * @param vp vnode of the program that is being executed 490 * @param label vnode label assigned to the vnode 491 * @param imgp parameters for the image to be executed 492 * @param execlabel optional exec label 493 * 494 * @return 0 if the program should be allowed to execute, otherwise an error 495 * code. 496 */ 497 static int 498 mac_veriexec_vnode_check_exec(struct ucred *cred __unused, 499 struct vnode *vp __unused, struct label *label __unused, 500 struct image_params *imgp, struct label *execlabel __unused) 501 { 502 struct thread *td = curthread; 503 int error; 504 505 error = mac_veriexec_fingerprint_check_image(imgp, 0, td); 506 return (error); 507 } 508 509 /** 510 * @brief Check fingerprint for the specified vnode and validate it 511 * 512 * @param cred credentials to use 513 * @param vp vnode of the file 514 * @param accmode access mode to check (read, write, append, create, 515 * verify, etc.) 516 * 517 * @return 0 if the file validated, otherwise an error code. 518 */ 519 static int 520 mac_veriexec_check_vp(struct ucred *cred, struct vnode *vp, accmode_t accmode) 521 { 522 struct vattr va; 523 struct thread *td = curthread; 524 fingerprint_status_t status; 525 int error; 526 527 /* Get vnode attributes */ 528 error = VOP_GETATTR(vp, &va, cred); 529 if (error) 530 return (error); 531 532 /* Get the fingerprint status for the file */ 533 error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td, 534 VERIEXEC_FILES_FIRST); 535 if (error && error != EAUTH) 536 return (error); 537 538 /* 539 * By now we should have status... 540 */ 541 status = mac_veriexec_get_fingerprint_status(vp); 542 if (accmode & VWRITE) { 543 /* 544 * If file has a fingerprint then deny the write request, 545 * otherwise invalidate the status so we don't keep checking 546 * for the file having a fingerprint. 547 */ 548 switch (status) { 549 case FINGERPRINT_FILE: 550 case FINGERPRINT_VALID: 551 case FINGERPRINT_INDIRECT: 552 MAC_VERIEXEC_DBG(2, 553 "attempted write to fingerprinted file for dev " 554 "%ju, file %ju.%ju\n", (uintmax_t)va.va_fsid, 555 (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen); 556 return (EPERM); 557 default: 558 break; 559 } 560 } 561 if (accmode & VVERIFY) { 562 switch (status) { 563 case FINGERPRINT_FILE: 564 case FINGERPRINT_VALID: 565 case FINGERPRINT_INDIRECT: 566 if (error) 567 return (error); 568 break; 569 default: 570 /* Allow for overriding verification requirement */ 571 if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) == 0) 572 return (0); 573 /* 574 * Caller wants open to fail unless there is a valid 575 * fingerprint registered. 576 */ 577 MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev " 578 "%ju, file %ju.%ju\n", status, 579 (uintmax_t)va.va_fsid, (uintmax_t)va.va_fileid, 580 (uintmax_t)va.va_gen); 581 return (EAUTH); 582 } 583 } 584 return (0); 585 } 586 587 /** 588 * @brief Opening a file has been requested and may need to be validated. 589 * 590 * @param cred credentials to use 591 * @param vp vnode of the file to open 592 * @param label vnode label assigned to the vnode 593 * @param accmode access mode to use for opening the file (read, write, 594 * append, create, verify, etc.) 595 * 596 * @return 0 if opening the file should be allowed, otherwise an error code. 597 */ 598 static int 599 mac_veriexec_vnode_check_open(struct ucred *cred, struct vnode *vp, 600 struct label *label __unused, accmode_t accmode) 601 { 602 int error; 603 604 /* 605 * Look for the file on the fingerprint lists iff it has not been seen 606 * before. 607 */ 608 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 609 return (0); 610 611 error = mac_veriexec_check_vp(cred, vp, accmode); 612 return (error); 613 } 614 615 /** 616 * @brief Unlink on a file has been requested and may need to be validated. 617 * 618 * @param cred credentials to use 619 * @param dvp parent directory for file vnode vp 620 * @param dlabel vnode label assigned to the directory vnode 621 * @param vp vnode of the file to unlink 622 * @param label vnode label assigned to the vnode 623 * @param cnp component name for vp 624 * 625 * 626 * @return 0 if opening the file should be allowed, otherwise an error code. 627 */ 628 static int 629 mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused, 630 struct label *dvplabel __unused, struct vnode *vp, 631 struct label *label __unused, struct componentname *cnp __unused) 632 { 633 int error; 634 635 /* 636 * Look for the file on the fingerprint lists iff it has not been seen 637 * before. 638 */ 639 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 640 return (0); 641 642 error = mac_veriexec_check_vp(cred, vp, VVERIFY); 643 if (error == 0) { 644 /* 645 * The target is verified, so disallow replacement. 646 */ 647 MAC_VERIEXEC_DBG(2, 648 "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid); 649 650 return (EAUTH); 651 } 652 return (0); 653 } 654 655 /** 656 * @brief Rename the file has been requested and may need to be validated. 657 * 658 * @param cred credentials to use 659 * @param dvp parent directory for file vnode vp 660 * @param dlabel vnode label assigned to the directory vnode 661 * @param vp vnode of the file to rename 662 * @param label vnode label assigned to the vnode 663 * @param cnp component name for vp 664 * 665 * 666 * @return 0 if opening the file should be allowed, otherwise an error code. 667 */ 668 static int 669 mac_veriexec_vnode_check_rename_from(struct ucred *cred, 670 struct vnode *dvp __unused, struct label *dvplabel __unused, 671 struct vnode *vp, struct label *label __unused, 672 struct componentname *cnp __unused) 673 { 674 int error; 675 676 /* 677 * Look for the file on the fingerprint lists iff it has not been seen 678 * before. 679 */ 680 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 681 return (0); 682 683 error = mac_veriexec_check_vp(cred, vp, VVERIFY); 684 if (error == 0) { 685 /* 686 * The target is verified, so disallow replacement. 687 */ 688 MAC_VERIEXEC_DBG(2, 689 "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid); 690 return (EAUTH); 691 } 692 return (0); 693 } 694 695 696 /** 697 * @brief Rename to file into the directory (overwrite the file name) has been 698 * requested and may need to be validated. 699 * 700 * @param cred credentials to use 701 * @param dvp parent directory for file vnode vp 702 * @param dlabel vnode label assigned to the directory vnode 703 * @param vp vnode of the overwritten file 704 * @param label vnode label assigned to the vnode 705 * @param samedir 1 if the source and destination directories are the same 706 * @param cnp component name for vp 707 * 708 * 709 * @return 0 if opening the file should be allowed, otherwise an error code. 710 */ 711 static int 712 mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unused, 713 struct label *dvplabel __unused, struct vnode *vp, 714 struct label *label __unused, int samedir __unused, 715 struct componentname *cnp __unused) 716 { 717 int error; 718 /* 719 * If there is no existing file to overwrite, vp and label will be 720 * NULL. 721 */ 722 if (vp == NULL) 723 return (0); 724 725 /* 726 * Look for the file on the fingerprint lists iff it has not been seen 727 * before. 728 */ 729 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 730 return (0); 731 732 error = mac_veriexec_check_vp(cred, vp, VVERIFY); 733 if (error == 0) { 734 /* 735 * The target is verified, so disallow replacement. 736 */ 737 MAC_VERIEXEC_DBG(2, 738 "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid); 739 return (EAUTH); 740 } 741 return (0); 742 } 743 744 745 /** 746 * @brief Check mode changes on file to ensure they should be allowed. 747 * 748 * We cannot allow chmod of SUID or SGID on verified files. 749 * 750 * @param cred credentials to use 751 * @param vp vnode of the file to open 752 * @param label vnode label assigned to the vnode 753 * @param mode mode flags to set 754 * 755 * @return 0 if the mode change should be allowed, EAUTH otherwise. 756 */ 757 static int 758 mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 759 struct label *label __unused, mode_t mode) 760 { 761 int error; 762 763 if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0) 764 return (0); 765 766 /* 767 * Prohibit chmod of verified set-[gu]id file. 768 */ 769 error = mac_veriexec_check_vp(cred, vp, VVERIFY); 770 if (error == EAUTH) /* target not verified */ 771 return (0); 772 if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0) 773 return (EAUTH); 774 775 return (0); 776 } 777 778 /** 779 * @internal 780 * @brief Initialize the mac_veriexec MAC policy 781 * 782 * @param mpc MAC policy configuration 783 */ 784 static void 785 mac_veriexec_init(struct mac_policy_conf *mpc __unused) 786 { 787 /* Initialize state */ 788 mac_veriexec_state = VERIEXEC_STATE_INACTIVE; 789 790 /* Initialize meta-data storage */ 791 mac_veriexec_metadata_init(); 792 793 /* Initialize fingerprint ops */ 794 mac_veriexec_fingerprint_init(); 795 796 /* Register event handlers */ 797 EVENTHANDLER_REGISTER(vfs_mounted, mac_veriexec_vfs_mounted, NULL, 798 EVENTHANDLER_PRI_FIRST); 799 EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL, 800 EVENTHANDLER_PRI_LAST); 801 802 /* Fetch tunable value in kernel env and define a corresponding read-only sysctl */ 803 mac_veriexec_block_unlink = 0; 804 TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink); 805 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, 806 CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection"); 807 808 /* Check if unlink control is activated via tunable value */ 809 if (!mac_veriexec_block_unlink) 810 mac_veriexec_ops.mpo_vnode_check_unlink = NULL; 811 } 812 813 #ifdef COMPAT_FREEBSD32 814 struct mac_veriexec_syscall_params32 { 815 char fp_type[VERIEXEC_FPTYPELEN]; 816 unsigned char fingerprint[MAXFINGERPRINTLEN]; 817 char label[MAXLABELLEN]; 818 uint32_t labellen; 819 unsigned char flags; 820 }; 821 822 struct mac_veriexec_syscall_params_args32 { 823 union { 824 pid_t pid; 825 uint32_t filename; 826 } u; /* input only */ 827 uint32_t params; /* result */ 828 }; 829 #endif 830 831 /** 832 * @internal 833 * @brief MAC policy-specific syscall for mac_veriexec 834 * 835 * The following syscalls are implemented: 836 * - @c MAC_VERIEXEC_CHECK_SYSCALL 837 * Check if the file referenced by a file descriptor has a fingerprint 838 * registered in the meta-data store. 839 * 840 * @param td calling thread 841 * @param call system call number 842 * @param arg arugments to the syscall 843 * 844 * @return 0 on success, otherwise an error code. 845 */ 846 static int 847 mac_veriexec_syscall(struct thread *td, int call, void *arg) 848 { 849 struct image_params img; 850 struct nameidata nd; 851 cap_rights_t rights; 852 struct vattr va; 853 struct file *fp; 854 struct mac_veriexec_syscall_params_args pargs; 855 struct mac_veriexec_syscall_params result; 856 #ifdef COMPAT_FREEBSD32 857 struct mac_veriexec_syscall_params_args32 pargs32; 858 struct mac_veriexec_syscall_params32 result32; 859 #endif 860 struct mac_veriexec_file_info *ip; 861 struct proc *proc; 862 struct vnode *textvp; 863 int error, flags, proc_locked; 864 865 nd.ni_vp = NULL; 866 proc_locked = 0; 867 textvp = NULL; 868 switch (call) { 869 case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL: 870 case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL: 871 #ifdef COMPAT_FREEBSD32 872 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { 873 error = copyin(arg, &pargs32, sizeof(pargs32)); 874 if (error) 875 return error; 876 bzero(&pargs, sizeof(pargs)); 877 switch (call) { 878 case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL: 879 CP(pargs32, pargs, u.pid); 880 break; 881 case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL: 882 PTRIN_CP(pargs32, pargs, u.filename); 883 break; 884 } 885 PTRIN_CP(pargs32, pargs, params); 886 } else 887 #endif 888 error = copyin(arg, &pargs, sizeof(pargs)); 889 if (error) 890 return error; 891 break; 892 } 893 894 switch (call) { 895 case MAC_VERIEXEC_CHECK_FD_SYSCALL: 896 /* Get the vnode associated with the file descriptor passed */ 897 error = getvnode(td, (uintptr_t) arg, 898 cap_rights_init_one(&rights, CAP_READ), &fp); 899 if (error) 900 return (error); 901 if (fp->f_type != DTYPE_VNODE) { 902 MAC_VERIEXEC_DBG(3, "MAC_VERIEXEC_CHECK_SYSCALL: " 903 "file is not vnode type (type=0x%x)", 904 fp->f_type); 905 error = EINVAL; 906 goto cleanup_file; 907 } 908 909 /* 910 * setup the bits of image_params that are used by 911 * mac_veriexec_check_fingerprint(). 912 */ 913 bzero(&img, sizeof(img)); 914 img.proc = td->td_proc; 915 img.vp = fp->f_vnode; 916 img.attr = &va; 917 918 /* 919 * Get vnode attributes 920 * (need to obtain a lock on the vnode first) 921 */ 922 vn_lock(img.vp, LK_EXCLUSIVE | LK_RETRY); 923 error = VOP_GETATTR(fp->f_vnode, &va, td->td_ucred); 924 if (error) 925 goto check_done; 926 927 MAC_VERIEXEC_DBG(2, "mac_veriexec_fingerprint_check_image: " 928 "va_mode=%o, check_files=%d\n", va.va_mode, 929 ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0)); 930 error = mac_veriexec_fingerprint_check_image(&img, 931 ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0), td); 932 check_done: 933 /* Release the lock we obtained earlier */ 934 VOP_UNLOCK(img.vp); 935 cleanup_file: 936 fdrop(fp, td); 937 break; 938 case MAC_VERIEXEC_CHECK_PATH_SYSCALL: 939 /* Look up the path to get the vnode */ 940 NDINIT(&nd, LOOKUP, 941 FOLLOW | LOCKLEAF | LOCKSHARED | AUDITVNODE1, 942 UIO_USERSPACE, arg); 943 flags = FREAD; 944 error = vn_open(&nd, &flags, 0, NULL); 945 if (error != 0) 946 break; 947 NDFREE_PNBUF(&nd); 948 949 /* Check the fingerprint status of the vnode */ 950 error = mac_veriexec_check_vp(td->td_ucred, nd.ni_vp, VVERIFY); 951 /* nd.ni_vp cleaned up below */ 952 break; 953 case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL: 954 if (pargs.u.pid == 0 || pargs.u.pid == curproc->p_pid) { 955 proc = curproc; 956 } else { 957 proc = pfind(pargs.u.pid); 958 if (proc == NULL) 959 return (EINVAL); 960 proc_locked = 1; 961 } 962 textvp = proc->p_textvp; 963 /* FALLTHROUGH */ 964 case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL: 965 if (textvp == NULL) { 966 /* Look up the path to get the vnode */ 967 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1, 968 UIO_USERSPACE, pargs.u.filename); 969 flags = FREAD; 970 error = vn_open(&nd, &flags, 0, NULL); 971 if (error != 0) 972 break; 973 974 NDFREE_PNBUF(&nd); 975 textvp = nd.ni_vp; 976 } 977 error = VOP_GETATTR(textvp, &va, curproc->p_ucred); 978 if (proc_locked) 979 PROC_UNLOCK(proc); 980 if (error != 0) 981 break; 982 983 error = mac_veriexec_metadata_get_file_info(va.va_fsid, 984 va.va_fileid, va.va_gen, NULL, &ip, FALSE); 985 if (error != 0) 986 break; 987 988 #ifdef COMPAT_FREEBSD32 989 if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) { 990 bzero(&result32, sizeof(result32)); 991 result32.flags = ip->flags; 992 strlcpy(result32.fp_type, ip->ops->type, sizeof(result32.fp_type)); 993 result.labellen = ip->labellen; 994 CP(result, result32, labellen); 995 if (ip->labellen > 0) 996 strlcpy(result32.label, ip->label, sizeof(result32.label)); 997 result32.label[result.labellen] = '\0'; 998 memcpy(result32.fingerprint, ip->fingerprint, 999 ip->ops->digest_len); 1000 1001 error = copyout(&result32, pargs.params, sizeof(result32)); 1002 break; /* yes */ 1003 } 1004 #endif 1005 bzero(&result, sizeof(result)); 1006 result.flags = ip->flags; 1007 strlcpy(result.fp_type, ip->ops->type, sizeof(result.fp_type)); 1008 result.labellen = ip->labellen; 1009 if (ip->labellen > 0) 1010 strlcpy(result.label, ip->label, sizeof(result.label)); 1011 result.label[result.labellen] = '\0'; 1012 memcpy(result.fingerprint, ip->fingerprint, 1013 ip->ops->digest_len); 1014 1015 error = copyout(&result, pargs.params, sizeof(result)); 1016 break; 1017 default: 1018 error = EOPNOTSUPP; 1019 } 1020 if (nd.ni_vp != NULL) { 1021 VOP_UNLOCK(nd.ni_vp); 1022 vn_close(nd.ni_vp, FREAD, td->td_ucred, td); 1023 } 1024 return (error); 1025 } 1026 1027 static struct mac_policy_ops mac_veriexec_ops = 1028 { 1029 .mpo_init = mac_veriexec_init, 1030 .mpo_kld_check_load = mac_veriexec_kld_check_load, 1031 .mpo_mount_destroy_label = mac_veriexec_mount_destroy_label, 1032 .mpo_mount_init_label = mac_veriexec_mount_init_label, 1033 .mpo_priv_check = mac_veriexec_priv_check, 1034 .mpo_proc_check_debug = mac_veriexec_proc_check_debug, 1035 .mpo_syscall = mac_veriexec_syscall, 1036 .mpo_system_check_sysctl = mac_veriexec_sysctl_check, 1037 .mpo_vnode_check_exec = mac_veriexec_vnode_check_exec, 1038 .mpo_vnode_check_open = mac_veriexec_vnode_check_open, 1039 .mpo_vnode_check_unlink = mac_veriexec_vnode_check_unlink, 1040 .mpo_vnode_check_rename_to = mac_veriexec_vnode_check_rename_to, 1041 .mpo_vnode_check_rename_from = mac_veriexec_vnode_check_rename_from, 1042 .mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode, 1043 .mpo_vnode_copy_label = mac_veriexec_copy_label, 1044 .mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label, 1045 .mpo_vnode_init_label = mac_veriexec_vnode_init_label, 1046 }; 1047 1048 MAC_POLICY_SET(&mac_veriexec_ops, mac_veriexec, MAC_VERIEXEC_FULLNAME, 1049 MPC_LOADTIME_FLAG_NOTLATE, &mac_veriexec_slot); 1050 MODULE_VERSION(mac_veriexec, MAC_VERIEXEC_VERSION); 1051 1052 static struct vnode * 1053 mac_veriexec_bottom_vnode(struct vnode *vp) 1054 { 1055 struct vnode *ldvp = NULL; 1056 1057 /* 1058 * XXX This code is bogus. nullfs is not the only stacking 1059 * filesystem. Less bogus code would add a VOP to reach bottom 1060 * vnode and would not make assumptions how to get there. 1061 */ 1062 if (vp->v_mount != NULL && 1063 strcmp(vp->v_mount->mnt_vfc->vfc_name, "nullfs") == 0) 1064 ldvp = NULLVPTOLOWERVP(vp); 1065 return (ldvp); 1066 } 1067 1068 /** 1069 * @brief Get the fingerprint status set on a vnode. 1070 * 1071 * @param vp vnode to obtain fingerprint status from 1072 * 1073 * @return Fingerprint status assigned to the vnode. 1074 */ 1075 fingerprint_status_t 1076 mac_veriexec_get_fingerprint_status(struct vnode *vp) 1077 { 1078 fingerprint_status_t fps; 1079 struct vnode *ldvp; 1080 1081 fps = SLOT(vp->v_label); 1082 switch (fps) { 1083 case FINGERPRINT_VALID: 1084 case FINGERPRINT_INDIRECT: 1085 case FINGERPRINT_FILE: 1086 break; 1087 default: 1088 /* we may need to recurse */ 1089 ldvp = mac_veriexec_bottom_vnode(vp); 1090 if (ldvp != NULL) 1091 return mac_veriexec_get_fingerprint_status(ldvp); 1092 break; 1093 } 1094 return fps; 1095 } 1096 1097 /** 1098 * @brief Get the current verified execution subsystem state. 1099 * 1100 * @return Current set of verified execution subsystem state flags. 1101 */ 1102 int 1103 mac_veriexec_get_state(void) 1104 { 1105 1106 return (mac_veriexec_state); 1107 } 1108 1109 /** 1110 * @brief Determine if the verified execution subsystem state has specific 1111 * flags set. 1112 * 1113 * @param state mask of flags to check 1114 * 1115 * @return State flags set within the masked bits 1116 */ 1117 int 1118 mac_veriexec_in_state(int state) 1119 { 1120 1121 return (mac_veriexec_state & state); 1122 } 1123 1124 /** 1125 * @brief Set the fingerprint status for a vnode 1126 * 1127 * Fingerprint status is stored in the MAC per-policy slot assigned to 1128 * mac_veriexec. 1129 * 1130 * @param vp vnode to store the fingerprint status on 1131 * @param fp_status fingerprint status to store 1132 */ 1133 void 1134 mac_veriexec_set_fingerprint_status(struct vnode *vp, 1135 fingerprint_status_t fp_status) 1136 { 1137 struct vnode *ldvp; 1138 1139 /* recurse until we find the real storage */ 1140 ldvp = mac_veriexec_bottom_vnode(vp); 1141 if (ldvp != NULL) { 1142 mac_veriexec_set_fingerprint_status(ldvp, fp_status); 1143 return; 1144 } 1145 SLOT_SET(vp->v_label, fp_status); 1146 } 1147 1148 /** 1149 * @brief Set verified execution subsystem state flags 1150 * 1151 * @note Flags can only be added to the current state, not removed. 1152 * 1153 * @param state state flags to add to the current state 1154 */ 1155 void 1156 mac_veriexec_set_state(int state) 1157 { 1158 1159 mac_veriexec_state |= state; 1160 } 1161 1162 /** 1163 * @brief Determine if the process is trusted 1164 * 1165 * @param cred credentials to use 1166 * @param p the process in question 1167 * 1168 * @return 1 if the process is trusted, otherwise 0. 1169 */ 1170 int 1171 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p) 1172 { 1173 int already_locked, error, flags; 1174 1175 /* Make sure we lock the process if we do not already have the lock */ 1176 already_locked = PROC_LOCKED(p); 1177 if (!already_locked) 1178 PROC_LOCK(p); 1179 1180 error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0); 1181 1182 /* Unlock the process if we locked it previously */ 1183 if (!already_locked) 1184 PROC_UNLOCK(p); 1185 1186 /* Any errors, deny access */ 1187 if (error != 0) 1188 return (0); 1189 1190 /* Check that the trusted flag is set */ 1191 return ((flags & VERIEXEC_TRUSTED) == VERIEXEC_TRUSTED); 1192 } 1193