mac_biba.c (105606) | mac_biba.c (105634) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * |
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 105606 2002-10-21 04:15:40Z rwatson $ | 37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 105634 2002-10-21 16:35:54Z rwatson $ |
38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 91 unchanged lines hidden (view full) --- 137 138 if (mac_biba != NULL) 139 free(mac_biba, M_MACBIBA); 140 else 141 atomic_add_int(&destroyed_not_inited, 1); 142} 143 144static int | 38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 91 unchanged lines hidden (view full) --- 137 138 if (mac_biba != NULL) 139 free(mac_biba, M_MACBIBA); 140 else 141 atomic_add_int(&destroyed_not_inited, 1); 142} 143 144static int |
145biba_atmostflags(struct mac_biba *mac_biba, int flags) 146{ 147 148 if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags) 149 return (EINVAL); 150 return (0); 151} 152 153static int |
|
145mac_biba_dominate_element(struct mac_biba_element *a, 146 struct mac_biba_element *b) 147{ 148 149 switch(a->mbe_type) { 150 case MAC_BIBA_TYPE_EQUAL: 151 case MAC_BIBA_TYPE_HIGH: 152 return (1); --- 92 unchanged lines hidden (view full) --- 245 ("mac_biba_equal_single: a not single")); 246 KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, 247 ("mac_biba_equal_single: b not single")); 248 249 return (mac_biba_equal_element(&a->mb_single, &b->mb_single)); 250} 251 252static int | 154mac_biba_dominate_element(struct mac_biba_element *a, 155 struct mac_biba_element *b) 156{ 157 158 switch(a->mbe_type) { 159 case MAC_BIBA_TYPE_EQUAL: 160 case MAC_BIBA_TYPE_HIGH: 161 return (1); --- 92 unchanged lines hidden (view full) --- 254 ("mac_biba_equal_single: a not single")); 255 KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, 256 ("mac_biba_equal_single: b not single")); 257 258 return (mac_biba_equal_element(&a->mb_single, &b->mb_single)); 259} 260 261static int |
262mac_biba_contains_equal(struct mac_biba *mac_biba) 263{ 264 265 if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) 266 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL) 267 return (1); 268 269 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { 270 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL) 271 return (1); 272 if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 273 return (1); 274 } 275 276 return (0); 277} 278 279static int 280mac_biba_subject_equal_ok(struct mac_biba *mac_biba) 281{ 282 283 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) == 284 MAC_BIBA_FLAGS_BOTH, 285 ("mac_biba_subject_equal_ok: subject doesn't have both labels")); 286 287 /* If the single is EQUAL, it's ok. */ 288 if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL) 289 return (0); 290 291 /* If either range endpoint is EQUAL, it's ok. */ 292 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL || 293 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 294 return (0); 295 296 /* If the range is low-high, it's ok. */ 297 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW && 298 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH) 299 return (0); 300 301 /* It's not ok. */ 302 return (EPERM); 303} 304 305static int |
|
253mac_biba_valid(struct mac_biba *mac_biba) 254{ 255 256 if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) { 257 switch (mac_biba->mb_single.mbe_type) { 258 case MAC_BIBA_TYPE_GRADE: 259 break; 260 --- 763 unchanged lines hidden (view full) --- 1024 return (0); 1025 return (EACCES); 1026} 1027 1028static int 1029mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1030{ 1031 struct mac_biba *subj, *new; | 306mac_biba_valid(struct mac_biba *mac_biba) 307{ 308 309 if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) { 310 switch (mac_biba->mb_single.mbe_type) { 311 case MAC_BIBA_TYPE_GRADE: 312 break; 313 --- 763 unchanged lines hidden (view full) --- 1077 return (0); 1078 return (EACCES); 1079} 1080 1081static int 1082mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1083{ 1084 struct mac_biba *subj, *new; |
1085 int error; |
|
1032 1033 subj = SLOT(&cred->cr_label); 1034 new = SLOT(newlabel); 1035 | 1086 1087 subj = SLOT(&cred->cr_label); 1088 new = SLOT(newlabel); 1089 |
1036 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) 1037 return (EINVAL); 1038 | |
1039 /* | 1090 /* |
1040 * XXX: Allow processes with root privilege to set labels outside 1041 * their range, so suid things like "su" work. This WILL go away 1042 * when we figure out the 'correct' solution... | 1091 * If there is a Biba label update for the credential, it may 1092 * be an update of the single, range, or both. |
1043 */ | 1093 */ |
1044 if (!suser_cred(cred, 0)) 1045 return (0); | 1094 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 1095 if (error) 1096 return (error); |
1046 1047 /* | 1097 1098 /* |
1048 * The new single must be in the old range. | 1099 * If the Biba label is to be changed, authorize as appropriate. |
1049 */ | 1100 */ |
1050 if (!mac_biba_single_in_range(new, subj)) 1051 return (EPERM); | 1101 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { 1102 /* 1103 * To change the Biba single label on a credential, the 1104 * new single label must be in the current range. 1105 */ 1106 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE && 1107 !mac_biba_single_in_range(new, subj)) 1108 return (EPERM); |
1052 | 1109 |
1053 /* 1054 * The new range must be in the old range. 1055 */ 1056 if (!mac_biba_range_in_range(new, subj)) 1057 return (EPERM); | 1110 /* 1111 * To change the Biba range on a credential, the new 1112 * range label must be in the current range. 1113 */ 1114 if (new->mb_flags & MAC_BIBA_FLAG_RANGE && 1115 !mac_biba_range_in_range(new, subj)) 1116 return (EPERM); |
1058 | 1117 |
1059 /* 1060 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. 1061 */ | 1118 /* 1119 * To have EQUAL in any component of the new credential 1120 * Biba label, the subject must already have EQUAL in 1121 * their label. 1122 */ 1123 if (mac_biba_contains_equal(new)) { 1124 error = mac_biba_subject_equal_ok(subj); 1125 if (error) 1126 return (error); 1127 } |
1062 | 1128 |
1129 /* 1130 * XXXMAC: Additional consistency tests regarding the 1131 * single and range of the new label might be performed 1132 * here. 1133 */ 1134 } 1135 |
|
1063 return (0); 1064} 1065 1066static int 1067mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) 1068{ 1069 struct mac_biba *subj, *obj; 1070 --- 10 unchanged lines hidden (view full) --- 1081 return (0); 1082} 1083 1084static int 1085mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1086 struct label *ifnetlabel, struct label *newlabel) 1087{ 1088 struct mac_biba *subj, *new; | 1136 return (0); 1137} 1138 1139static int 1140mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) 1141{ 1142 struct mac_biba *subj, *obj; 1143 --- 10 unchanged lines hidden (view full) --- 1154 return (0); 1155} 1156 1157static int 1158mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1159 struct label *ifnetlabel, struct label *newlabel) 1160{ 1161 struct mac_biba *subj, *new; |
1162 int error; |
|
1089 1090 subj = SLOT(&cred->cr_label); 1091 new = SLOT(newlabel); 1092 | 1163 1164 subj = SLOT(&cred->cr_label); 1165 new = SLOT(newlabel); 1166 |
1093 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH) 1094 return (EINVAL); | 1167 /* 1168 * If there is a Biba label update for the interface, it may 1169 * be an update of the single, range, or both. 1170 */ 1171 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 1172 if (error) 1173 return (error); |
1095 | 1174 |
1096 return (suser_cred(cred, 0)); | 1175 /* 1176 * If the Biba label is to be changed, authorize as appropriate. 1177 */ 1178 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { 1179 /* 1180 * Rely on the traditional superuser status for the Biba 1181 * interface relabel requirements. XXXMAC: This will go 1182 * away. 1183 */ 1184 error = suser_cred(cred, 0); 1185 if (error) 1186 return (EPERM); 1187 1188 /* 1189 * XXXMAC: Additional consistency tests regarding the single 1190 * and the range of the new label might be performed here. 1191 */ 1192 } 1193 1194 return (0); |
1097} 1098 1099static int 1100mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1101 struct mbuf *m, struct label *mbuflabel) 1102{ 1103 struct mac_biba *p, *i; 1104 --- 73 unchanged lines hidden (view full) --- 1178 return (0); 1179} 1180 1181static int 1182mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 1183 struct label *pipelabel, struct label *newlabel) 1184{ 1185 struct mac_biba *subj, *obj, *new; | 1195} 1196 1197static int 1198mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1199 struct mbuf *m, struct label *mbuflabel) 1200{ 1201 struct mac_biba *p, *i; 1202 --- 73 unchanged lines hidden (view full) --- 1276 return (0); 1277} 1278 1279static int 1280mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 1281 struct label *pipelabel, struct label *newlabel) 1282{ 1283 struct mac_biba *subj, *obj, *new; |
1284 int error; |
|
1186 1187 new = SLOT(newlabel); 1188 subj = SLOT(&cred->cr_label); 1189 obj = SLOT(pipelabel); 1190 | 1285 1286 new = SLOT(newlabel); 1287 subj = SLOT(&cred->cr_label); 1288 obj = SLOT(pipelabel); 1289 |
1191 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) 1192 return (EINVAL); 1193 | |
1194 /* | 1290 /* |
1195 * To relabel a pipe, the old pipe label must be in the subject 1196 * range. | 1291 * If there is a Biba label update for a pipe, it must be a 1292 * single update. |
1197 */ | 1293 */ |
1198 if (!mac_biba_single_in_range(obj, subj)) 1199 return (EPERM); | 1294 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); 1295 if (error) 1296 return (error); |
1200 1201 /* | 1297 1298 /* |
1202 * To relabel a pipe, the new pipe label must be in the subject 1203 * range. | 1299 * To perform a relabel of a pipe (Biba label or not), Biba must 1300 * authorize the relabel. |
1204 */ | 1301 */ |
1205 if (!mac_biba_single_in_range(new, subj)) | 1302 if (!mac_biba_single_in_range(obj, subj)) |
1206 return (EPERM); 1207 1208 /* | 1303 return (EPERM); 1304 1305 /* |
1209 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. | 1306 * If the Biba label is to be changed, authorize as appropriate. |
1210 */ | 1307 */ |
1308 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) { 1309 /* 1310 * To change the Biba label on a pipe, the new pipe label 1311 * must be in the subject range. 1312 */ 1313 if (!mac_biba_single_in_range(new, subj)) 1314 return (EPERM); |
|
1211 | 1315 |
1316 /* 1317 * To change the Biba label on a pipe to be EQUAL, the 1318 * subject must have appropriate privilege. 1319 */ 1320 if (mac_biba_contains_equal(new)) { 1321 error = mac_biba_subject_equal_ok(subj); 1322 if (error) 1323 return (error); 1324 } 1325 } 1326 |
|
1212 return (0); 1213} 1214 1215static int 1216mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe, 1217 struct label *pipelabel) 1218{ 1219 struct mac_biba *subj, *obj; --- 103 unchanged lines hidden (view full) --- 1323 return (mac_biba_equal_single(p, s) ? 0 : EACCES); 1324} 1325 1326static int 1327mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket, 1328 struct label *socketlabel, struct label *newlabel) 1329{ 1330 struct mac_biba *subj, *obj, *new; | 1327 return (0); 1328} 1329 1330static int 1331mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe, 1332 struct label *pipelabel) 1333{ 1334 struct mac_biba *subj, *obj; --- 103 unchanged lines hidden (view full) --- 1438 return (mac_biba_equal_single(p, s) ? 0 : EACCES); 1439} 1440 1441static int 1442mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket, 1443 struct label *socketlabel, struct label *newlabel) 1444{ 1445 struct mac_biba *subj, *obj, *new; |
1446 int error; |
|
1331 1332 new = SLOT(newlabel); 1333 subj = SLOT(&cred->cr_label); 1334 obj = SLOT(socketlabel); 1335 | 1447 1448 new = SLOT(newlabel); 1449 subj = SLOT(&cred->cr_label); 1450 obj = SLOT(socketlabel); 1451 |
1336 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) 1337 return (EINVAL); 1338 | |
1339 /* | 1452 /* |
1340 * To relabel a socket, the old socket label must be in the subject 1341 * range. | 1453 * If there is a Biba label update for the socket, it may be 1454 * an update of single. |
1342 */ | 1455 */ |
1343 if (!mac_biba_single_in_range(obj, subj)) 1344 return (EPERM); | 1456 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); 1457 if (error) 1458 return (error); |
1345 1346 /* | 1459 1460 /* |
1347 * To relabel a socket, the new socket label must be in the subject | 1461 * To relabel a socket, the old socket single must be in the subject |
1348 * range. 1349 */ | 1462 * range. 1463 */ |
1350 if (!mac_biba_single_in_range(new, subj)) | 1464 if (!mac_biba_single_in_range(obj, subj)) |
1351 return (EPERM); 1352 1353 /* | 1465 return (EPERM); 1466 1467 /* |
1354 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. | 1468 * If the Biba label is to be changed, authorize as appropriate. |
1355 */ | 1469 */ |
1470 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) { 1471 /* 1472 * To relabel a socket, the new socket single must be in 1473 * the subject range. 1474 */ 1475 if (!mac_biba_single_in_range(new, subj)) 1476 return (EPERM); |
|
1356 | 1477 |
1478 /* 1479 * To change the Biba label on the socket to contain EQUAL, 1480 * the subject must have appropriate privilege. 1481 */ 1482 if (mac_biba_contains_equal(new)) { 1483 error = mac_biba_subject_equal_ok(subj); 1484 if (error) 1485 return (error); 1486 } 1487 } 1488 |
|
1357 return (0); 1358} 1359 1360static int 1361mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, 1362 struct label *socketlabel) 1363{ 1364 struct mac_biba *subj, *obj; --- 332 unchanged lines hidden (view full) --- 1697 return (0); 1698} 1699 1700static int 1701mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1702 struct label *vnodelabel, struct label *newlabel) 1703{ 1704 struct mac_biba *old, *new, *subj; | 1489 return (0); 1490} 1491 1492static int 1493mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, 1494 struct label *socketlabel) 1495{ 1496 struct mac_biba *subj, *obj; --- 332 unchanged lines hidden (view full) --- 1829 return (0); 1830} 1831 1832static int 1833mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1834 struct label *vnodelabel, struct label *newlabel) 1835{ 1836 struct mac_biba *old, *new, *subj; |
1837 int error; |
|
1705 1706 old = SLOT(vnodelabel); 1707 new = SLOT(newlabel); 1708 subj = SLOT(&cred->cr_label); 1709 | 1838 1839 old = SLOT(vnodelabel); 1840 new = SLOT(newlabel); 1841 subj = SLOT(&cred->cr_label); 1842 |
1710 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) 1711 return (EINVAL); 1712 | |
1713 /* | 1843 /* |
1714 * To relabel a vnode, the old vnode label must be in the subject 1715 * range. | 1844 * If there is a Biba label update for the vnode, it must be a 1845 * single label. |
1716 */ | 1846 */ |
1717 if (!mac_biba_single_in_range(old, subj)) 1718 return (EPERM); | 1847 error = biba_atmostflags(new, MAC_BIBA_FLAG_SINGLE); 1848 if (error) 1849 return (error); |
1719 1720 /* | 1850 1851 /* |
1721 * To relabel a vnode, the new vnode label must be in the subject 1722 * range. | 1852 * To perform a relabel of the vnode (Biba label or not), Biba must 1853 * authorize the relabel. |
1723 */ | 1854 */ |
1724 if (!mac_biba_single_in_range(new, subj)) | 1855 if (!mac_biba_single_in_range(old, subj)) |
1725 return (EPERM); 1726 1727 /* | 1856 return (EPERM); 1857 1858 /* |
1728 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL. | 1859 * If the Biba label is to be changed, authorize as appropriate. |
1729 */ | 1860 */ |
1861 if (new->mb_flags & MAC_BIBA_FLAG_SINGLE) { 1862 /* 1863 * To change the Biba label on a vnode, the new vnode label 1864 * must be in the subject range. 1865 */ 1866 if (!mac_biba_single_in_range(new, subj)) 1867 return (EPERM); |
|
1730 | 1868 |
1731 return (suser_cred(cred, 0)); | 1869 /* 1870 * To change the Biba label on the vnode to be EQUAL, 1871 * the subject must have appropriate privilege. 1872 */ 1873 if (mac_biba_contains_equal(new)) { 1874 error = mac_biba_subject_equal_ok(subj); 1875 if (error) 1876 return (error); 1877 } 1878 } 1879 1880 return (0); |
1732} 1733 1734static int 1735mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1736 struct label *dlabel, struct vnode *vp, struct label *label, 1737 struct componentname *cnp) 1738{ 1739 struct mac_biba *subj, *obj; --- 452 unchanged lines hidden --- | 1881} 1882 1883static int 1884mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1885 struct label *dlabel, struct vnode *vp, struct label *label, 1886 struct componentname *cnp) 1887{ 1888 struct mac_biba *subj, *obj; --- 452 unchanged lines hidden --- |
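Review bot: In the new mac_biba_check_cred_relabel (new lines 1101–1134) the requested single and the requested range are each checked against the subject's current range but never against each other, so a credential can end up with a single that lies outside its own range. This can happen when both flags are set and the new single falls outside the new range, and when only MAC_BIBA_FLAG_RANGE is set and the new range no longer contains the single the credential presumably keeps. The `XXXMAC` comment at 1129–1133 marks the spot but leaves it open. Unless mac_biba_valid (its body is mostly hidden here) already rejects the both-flags case, I would add the consistency test just before the closing brace of the `if (new->mb_flags & MAC_BIBA_FLAGS_BOTH)` block and return EINVAL, as sketched below. The same open `XXXMAC` note sits in mac_biba_check_ifnet_relabel at 1188–1191.

```c
	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
		/* … unchanged: single-in-range, range-in-range and EQUAL checks … */

		/*
		 * The label that results from the update must itself be
		 * consistent: the single has to lie inside the range.
		 */
		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
		    MAC_BIBA_FLAGS_BOTH) {
			if (!mac_biba_single_in_range(new, new))
				return (EINVAL);
		} else if (new->mb_flags & MAC_BIBA_FLAG_RANGE) {
			/* Range-only update: the current single must still fit. */
			if (!mac_biba_single_in_range(subj, new))
				return (EINVAL);
		}
```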