| mac_ifoff.c (172930) | mac_ifoff.c (172955) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2002 Networks Associates Technology, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * --- 21 unchanged lines hidden (view full) --- 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * | 1/*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2002 Networks Associates Technology, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * --- 21 unchanged lines hidden (view full) --- 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * |
| 38 * $FreeBSD: head/sys/security/mac_ifoff/mac_ifoff.c 172930 2007-10-24 19:04:04Z rwatson $ | 38 * $FreeBSD: head/sys/security/mac_ifoff/mac_ifoff.c 172955 2007-10-25 11:31:11Z rwatson $ |
| 39 */ 40 41/* 42 * Developed by the TrustedBSD Project. | 39 */ 40 41/* 42 * Developed by the TrustedBSD Project. |
| 43 * |
|
| 43 * Limit access to interfaces until they are specifically administratively 44 * enabled. Prevents protocol stack-driven packet leakage in unsafe 45 * environments. 46 */ 47 48#include <sys/param.h> 49#include <sys/kernel.h> 50#include <sys/module.h> --- 5 unchanged lines hidden (view full) --- 56 57#include <security/mac/mac_policy.h> 58 59SYSCTL_DECL(_security_mac); 60 61SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0, 62 "TrustedBSD mac_ifoff policy controls"); 63 | 44 * Limit access to interfaces until they are specifically administratively 45 * enabled. Prevents protocol stack-driven packet leakage in unsafe 46 * environments. 47 */ 48 49#include <sys/param.h> 50#include <sys/kernel.h> 51#include <sys/module.h> --- 5 unchanged lines hidden (view full) --- 57 58#include <security/mac/mac_policy.h> 59 60SYSCTL_DECL(_security_mac); 61 62SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0, 63 "TrustedBSD mac_ifoff policy controls"); 64 |
| 64static int mac_ifoff_enabled = 1; | 65static int ifoff_enabled = 1; |
| 65SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW, | 66SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW, |
| 66 &mac_ifoff_enabled, 0, "Enforce ifoff policy"); 67TUNABLE_INT("security.mac.ifoff.enabled", &mac_ifoff_enabled); | 67 &ifoff_enabled, 0, "Enforce ifoff policy"); 68TUNABLE_INT("security.mac.ifoff.enabled", &ifoff_enabled); |
| 68 | 69 |
| 69static int mac_ifoff_lo_enabled = 1; | 70static int ifoff_lo_enabled = 1; |
| 70SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW, | 71SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW, |
| 71 &mac_ifoff_lo_enabled, 0, "Enable loopback interfaces"); 72TUNABLE_INT("security.mac.ifoff.lo_enabled", &mac_ifoff_lo_enabled); | 72 &ifoff_lo_enabled, 0, "Enable loopback interfaces"); 73TUNABLE_INT("security.mac.ifoff.lo_enabled", &ifoff_lo_enabled); |
| 73 | 74 |
| 74static int mac_ifoff_other_enabled = 0; | 75static int ifoff_other_enabled = 0; |
| 75SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW, | 76SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW, |
| 76 &mac_ifoff_other_enabled, 0, "Enable other interfaces"); 77TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled); | 77 &ifoff_other_enabled, 0, "Enable other interfaces"); 78TUNABLE_INT("security.mac.ifoff.other_enabled", &ifoff_other_enabled); |
| 78 | 79 |
| 79static int mac_ifoff_bpfrecv_enabled = 0; | 80static int ifoff_bpfrecv_enabled = 0; |
| 80SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW, | 81SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW, |
| 81 &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface " | 82 &ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface " |
| 82 "is disabled"); | 83 "is disabled"); |
| 83TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled); | 84TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &ifoff_bpfrecv_enabled); |
| 84 85static int 86ifnet_check_outgoing(struct ifnet *ifp) 87{ 88 | 85 86static int 87ifnet_check_outgoing(struct ifnet *ifp) 88{ 89 |
| 89 if (!mac_ifoff_enabled) | 90 if (!ifoff_enabled) |
| 90 return (0); 91 | 91 return (0); 92 |
| 92 if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP) | 93 if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP) |
| 93 return (0); 94 | 94 return (0); 95 |
| 95 if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP) | 96 if (ifoff_other_enabled && ifp->if_type != IFT_LOOP) |
| 96 return (0); 97 98 return (EPERM); 99} 100 101static int 102ifnet_check_incoming(struct ifnet *ifp, int viabpf) 103{ | 97 return (0); 98 99 return (EPERM); 100} 101 102static int 103ifnet_check_incoming(struct ifnet *ifp, int viabpf) 104{ |
| 104 if (!mac_ifoff_enabled) | 105 if (!ifoff_enabled) |
| 105 return (0); 106 | 106 return (0); 107 |
| 107 if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP) | 108 if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP) |
| 108 return (0); 109 | 109 return (0); 110 |
| 110 if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP) | 111 if (ifoff_other_enabled && ifp->if_type != IFT_LOOP) |
| 111 return (0); 112 | 112 return (0); 113 |
| 113 if (viabpf && mac_ifoff_bpfrecv_enabled) | 114 if (viabpf && ifoff_bpfrecv_enabled) |
| 114 return (0); 115 116 return (EPERM); 117} 118 119static int | 115 return (0); 116 117 return (EPERM); 118} 119 120static int |
| 120mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, | 121ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, |
| 121 struct ifnet *ifp, struct label *ifplabel) 122{ 123 124 return (ifnet_check_incoming(ifp, 1)); 125} 126 127static int | 122 struct ifnet *ifp, struct label *ifplabel) 123{ 124 125 return (ifnet_check_incoming(ifp, 1)); 126} 127 128static int |
| 128mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, | 129ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, |
| 129 struct mbuf *m, struct label *mlabel) 130{ 131 132 return (ifnet_check_outgoing(ifp)); 133} 134 135static int | 130 struct mbuf *m, struct label *mlabel) 131{ 132 133 return (ifnet_check_outgoing(ifp)); 134} 135 136static int |
| 136mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, | 137ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, |
| 137 struct mbuf *m, struct label *mlabel) 138{ 139 140 M_ASSERTPKTHDR(m); 141 if (m->m_pkthdr.rcvif != NULL) 142 return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); 143 144 return (0); 145} 146 147static int | 138 struct mbuf *m, struct label *mlabel) 139{ 140 141 M_ASSERTPKTHDR(m); 142 if (m->m_pkthdr.rcvif != NULL) 143 return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); 144 145 return (0); 146} 147 148static int |
| 148mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel, | 149ifoff_socket_check_deliver(struct socket *so, struct label *solabel, |
| 149 struct mbuf *m, struct label *mlabel) 150{ 151 152 M_ASSERTPKTHDR(m); 153 if (m->m_pkthdr.rcvif != NULL) 154 return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); 155 156 return (0); 157} 158 | 150 struct mbuf *m, struct label *mlabel) 151{ 152 153 M_ASSERTPKTHDR(m); 154 if (m->m_pkthdr.rcvif != NULL) 155 return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); 156 157 return (0); 158} 159 |
| 159static struct mac_policy_ops mac_ifoff_ops = | 160static struct mac_policy_ops ifoff_ops = |
| 160{ | 161{ |
| 161 .mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive, 162 .mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit, 163 .mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver, 164 .mpo_socket_check_deliver = mac_ifoff_socket_check_deliver, | 162 .mpo_bpfdesc_check_receive = ifoff_bpfdesc_check_receive, 163 .mpo_ifnet_check_transmit = ifoff_ifnet_check_transmit, 164 .mpo_inpcb_check_deliver = ifoff_inpcb_check_deliver, 165 .mpo_socket_check_deliver = ifoff_socket_check_deliver, |
| 165}; 166 | 166}; 167 |
| 167MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff", | 168MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff", |
| 168 MPC_LOADTIME_FLAG_UNLOADOK, NULL); | 169 MPC_LOADTIME_FLAG_UNLOADOK, NULL); |