/* $NetBSD: secmodel_keylock.c,v 1.1 2009/08/14 21:17:22 mbalmer Exp $ */ /*- * Copyright (c) 2009 Marc Balmer * Copyright (c) 2006 Elad Efrat * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * This file contains kauth(9) listeners needed to implement an experimental * keylock based security scheme. * * The position of the keylock is a system-global indication on what * operations are allowed or not. It affects all users, including root. * * Rules: * * - If the number of possible keylock positions is 0, assume there is no * keylock present, do not dissallow any action, i.e. do nothing * * - If the number of possible keylock positions is greater than 0, but the * current lock position is 0, assume tampering with the lock and forbid * all actions. * * - If the lock is in the lowest position, assume the system is locked and * forbid most actions. * * - If the lock is in the highest position, assume the system to be open and * forbid nothing. * * - If the security.models.keylock.order sysctl is set to a value != 0, * reverse this order. */ #include __KERNEL_RCSID(0, "$NetBSD: secmodel_keylock.c,v 1.1 2009/08/14 21:17:22 mbalmer Exp $"); #include #include #include #include #include #include #include #include #include #include static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; SYSCTL_SETUP(sysctl_security_keylock_setup, "sysctl security keylock setup") { const struct sysctlnode *rnode; sysctl_createv(clog, 0, NULL, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "security", NULL, NULL, 0, NULL, 0, CTL_SECURITY, CTL_EOL); sysctl_createv(clog, 0, &rnode, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "models", NULL, NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, &rnode, CTLFLAG_PERMANENT, CTLTYPE_NODE, "keylock", SYSCTL_DESCR("Keylock security model"), NULL, 0, NULL, 0, CTL_CREATE, CTL_EOL); sysctl_createv(clog, 0, &rnode, NULL, CTLFLAG_PERMANENT, CTLTYPE_STRING, "name", NULL, NULL, 0, __UNCONST("Keylock"), 0, CTL_CREATE, CTL_EOL); } void secmodel_keylock_init(void) { } void secmodel_keylock_start(void) { l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, secmodel_keylock_system_cb, NULL); l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, secmodel_keylock_process_cb, NULL); l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, secmodel_keylock_network_cb, NULL); l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, secmodel_keylock_machdep_cb, NULL); l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, secmodel_keylock_device_cb, NULL); } void secmodel_keylock_stop(void) { kauth_unlisten_scope(l_system); kauth_unlisten_scope(l_process); kauth_unlisten_scope(l_network); kauth_unlisten_scope(l_machdep); kauth_unlisten_scope(l_device); } /* * kauth(9) listener * * Security model: Multi-position keylock * Scope: System * Responsibility: Keylock */ int secmodel_keylock_system_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result; enum kauth_system_req req; int kstate; kstate = keylock_state(); if (kstate == KEYLOCK_ABSENT) return KAUTH_RESULT_DEFER; else if (kstate == KEYLOCK_TAMPER) return KAUTH_RESULT_DENY; result = KAUTH_RESULT_DEFER; req = (enum kauth_system_req)arg0; switch (action) { case KAUTH_SYSTEM_CHSYSFLAGS: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; case KAUTH_SYSTEM_TIME: switch (req) { case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; case KAUTH_REQ_SYSTEM_TIME_SYSTEM: { struct timespec *ts = arg1; struct timespec *delta = arg2; /* * Don't allow the time to be set forward so far it * will wrap and become negative, thus allowing an * attacker to bypass the next check below. The * cutoff is 1 year before rollover occurs, so even * if the attacker uses adjtime(2) to move the time * past the cutoff, it will take a very long time * to get to the wrap point. */ if (keylock_position() > 1 && ((ts->tv_sec > LLONG_MAX - 365*24*60*60) || (delta->tv_sec < 0 || delta->tv_nsec < 0))) result = KAUTH_RESULT_DENY; break; } default: break; } break; case KAUTH_SYSTEM_MODULE: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; case KAUTH_SYSTEM_MOUNT: switch (req) { case KAUTH_REQ_SYSTEM_MOUNT_NEW: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: if (kstate == KEYLOCK_CLOSE) { struct mount *mp = arg1; u_long flags = (u_long)arg2; /* * Can only degrade from read/write to * read-only. */ if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD | MNT_FORCE | MNT_UPDATE)) result = KAUTH_RESULT_DENY; } break; default: break; } break; case KAUTH_SYSTEM_SYSCTL: switch (req) { case KAUTH_REQ_SYSTEM_SYSCTL_ADD: case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: case KAUTH_REQ_SYSTEM_SYSCTL_DESC: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; default: break; } break; case KAUTH_SYSTEM_SETIDCORE: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; case KAUTH_SYSTEM_DEBUG: switch (req) { case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; default: break; } break; } return result; } /* * kauth(9) listener * * Security model: Multi-position keylock * Scope: Process * Responsibility: Keylock */ int secmodel_keylock_process_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { struct proc *p; int result, kstate; kstate = keylock_state(); if (kstate == KEYLOCK_ABSENT) return KAUTH_RESULT_DEFER; else if (kstate == KEYLOCK_TAMPER) return KAUTH_RESULT_DENY; result = KAUTH_RESULT_DEFER; p = arg0; switch (action) { case KAUTH_PROCESS_PROCFS: { enum kauth_process_req req; req = (enum kauth_process_req)arg2; switch (req) { case KAUTH_REQ_PROCESS_PROCFS_READ: break; case KAUTH_REQ_PROCESS_PROCFS_RW: case KAUTH_REQ_PROCESS_PROCFS_WRITE: if ((p == initproc) && (kstate != KEYLOCK_OPEN)) result = KAUTH_RESULT_DENY; break; default: break; } break; } case KAUTH_PROCESS_PTRACE: if ((p == initproc) && (kstate != KEYLOCK_OPEN)) result = KAUTH_RESULT_DENY; break; case KAUTH_PROCESS_CORENAME: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; } return result; } /* * kauth(9) listener * * Security model: Multi-position keylock * Scope: Network * Responsibility: Keylock */ int secmodel_keylock_network_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result, kstate; enum kauth_network_req req; kstate = keylock_state(); if (kstate == KEYLOCK_ABSENT) return KAUTH_RESULT_DEFER; else if (kstate == KEYLOCK_TAMPER) return KAUTH_RESULT_DENY; result = KAUTH_RESULT_DEFER; req = (enum kauth_network_req)arg0; switch (action) { case KAUTH_NETWORK_FIREWALL: switch (req) { case KAUTH_REQ_NETWORK_FIREWALL_FW: case KAUTH_REQ_NETWORK_FIREWALL_NAT: if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; default: break; } break; case KAUTH_NETWORK_FORWSRCRT: if (kstate != KEYLOCK_OPEN) result = KAUTH_RESULT_DENY; break; } return result; } /* * kauth(9) listener * * Security model: Multi-position keylock * Scope: Machdep * Responsibility: Keylock */ int secmodel_keylock_machdep_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result, kstate; kstate = keylock_state(); if (kstate == KEYLOCK_ABSENT) return KAUTH_RESULT_DEFER; else if (kstate == KEYLOCK_TAMPER) return KAUTH_RESULT_DENY; result = KAUTH_RESULT_DEFER; switch (action) { case KAUTH_MACHDEP_IOPERM_SET: case KAUTH_MACHDEP_IOPL: if (kstate != KEYLOCK_OPEN) result = KAUTH_RESULT_DENY; break; case KAUTH_MACHDEP_UNMANAGEDMEM: if (kstate != KEYLOCK_OPEN) result = KAUTH_RESULT_DENY; break; } return result; } /* * kauth(9) listener * * Security model: Multi-position keylock * Scope: Device * Responsibility: Keylock */ int secmodel_keylock_device_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, void *arg0, void *arg1, void *arg2, void *arg3) { int result, kstate; kstate = keylock_state(); if (kstate == KEYLOCK_ABSENT) return KAUTH_RESULT_DEFER; else if (kstate == KEYLOCK_TAMPER) return KAUTH_RESULT_DENY; result = KAUTH_RESULT_DEFER; switch (action) { case KAUTH_DEVICE_RAWIO_SPEC: { struct vnode *vp, *bvp; enum kauth_device_req req; dev_t dev; int d_type; req = (enum kauth_device_req)arg0; vp = arg1; KASSERT(vp != NULL); dev = vp->v_rdev; d_type = D_OTHER; bvp = NULL; /* Handle /dev/mem and /dev/kmem. */ if ((vp->v_type == VCHR) && iskmemdev(dev)) { switch (req) { case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: break; case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: if (kstate != KEYLOCK_OPEN) result = KAUTH_RESULT_DENY; break; default: break; } break; } switch (req) { case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: break; case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: switch (vp->v_type) { case VCHR: { const struct cdevsw *cdev; cdev = cdevsw_lookup(dev); if (cdev != NULL) { dev_t blkdev; blkdev = devsw_chr2blk(dev); if (blkdev != NODEV) { vfinddev(blkdev, VBLK, &bvp); if (bvp != NULL) d_type = (cdev->d_flag & D_TYPEMASK); } } break; } case VBLK: { const struct bdevsw *bdev; bdev = bdevsw_lookup(dev); if (bdev != NULL) d_type = (bdev->d_flag & D_TYPEMASK); bvp = vp; break; } default: break; } if (d_type != D_DISK) break; /* * XXX: This is bogus. We should be failing the request * XXX: not only if this specific slice is mounted, but * XXX: if it's on a disk with any other mounted slice. */ if (vfs_mountedon(bvp) && (kstate != KEYLOCK_OPEN)) break; if (kstate == KEYLOCK_CLOSE) result = KAUTH_RESULT_DENY; break; default: break; } break; } case KAUTH_DEVICE_RAWIO_PASSTHRU: if (kstate != KEYLOCK_OPEN) { u_long bits; bits = (u_long)arg0; KASSERT(bits != 0); KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0); if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) result = KAUTH_RESULT_DENY; } break; case KAUTH_DEVICE_GPIO_PINSET: if (kstate != KEYLOCK_OPEN) result = KAUTH_RESULT_DENY; break; default: break; } return result; }