1100894Srwatson/*- 2189503Srwatson * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson 3100894Srwatson * Copyright (c) 2001 Ilmar S. Habibulin 4126097Srwatson * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 5145147Srwatson * Copyright (c) 2005 Samy Al Bahra 6172930Srwatson * Copyright (c) 2006 SPARTA, Inc. 7182063Srwatson * Copyright (c) 2008 Apple Inc. 8100894Srwatson * All rights reserved. 9100894Srwatson * 10100894Srwatson * This software was developed by Robert Watson and Ilmar Habibulin for the 11100894Srwatson * TrustedBSD Project. 12100894Srwatson * 13106392Srwatson * This software was developed for the FreeBSD Project in part by Network 14106392Srwatson * Associates Laboratories, the Security Research Division of Network 15106392Srwatson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 16106392Srwatson * as part of the DARPA CHATS research program. 17100894Srwatson * 18172930Srwatson * This software was enhanced by SPARTA ISSO under SPAWAR contract 19172930Srwatson * N66001-04-C-6019 ("SEFOS"). 20172930Srwatson * 21189503Srwatson * This software was developed at the University of Cambridge Computer 22189503Srwatson * Laboratory with support from a grant from Google, Inc. 23189503Srwatson * 24100894Srwatson * Redistribution and use in source and binary forms, with or without 25100894Srwatson * modification, are permitted provided that the following conditions 26100894Srwatson * are met: 27100894Srwatson * 1. Redistributions of source code must retain the above copyright 28100894Srwatson * notice, this list of conditions and the following disclaimer. 29100894Srwatson * 2. Redistributions in binary form must reproduce the above copyright 30100894Srwatson * notice, this list of conditions and the following disclaimer in the 31100894Srwatson * documentation and/or other materials provided with the distribution. 32100894Srwatson * 33100894Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 34100894Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 35100894Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 36100894Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 37100894Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 38100894Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 39100894Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 40100894Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 41100894Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 42100894Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 43100894Srwatson * SUCH DAMAGE. 44100894Srwatson */ 45116182Sobrien 46116182Sobrien#include <sys/cdefs.h> 47116182Sobrien__FBSDID("$FreeBSD$"); 48116182Sobrien 49189503Srwatson#include "opt_kdtrace.h" 50100894Srwatson#include "opt_mac.h" 51101173Srwatson 52100894Srwatson#include <sys/param.h> 53106856Srwatson#include <sys/condvar.h> 54106468Srwatson#include <sys/imgact.h> 55100979Srwatson#include <sys/kernel.h> 56100979Srwatson#include <sys/lock.h> 57102949Sbde#include <sys/malloc.h> 58100979Srwatson#include <sys/mutex.h> 59100979Srwatson#include <sys/mac.h> 60100979Srwatson#include <sys/proc.h> 61116701Srwatson#include <sys/sbuf.h> 62189503Srwatson#include <sys/sdt.h> 63100979Srwatson#include <sys/systm.h> 64100979Srwatson#include <sys/vnode.h> 65100979Srwatson#include <sys/mount.h> 66100979Srwatson#include <sys/file.h> 67100979Srwatson#include <sys/namei.h> 68100979Srwatson#include <sys/sysctl.h> 69100894Srwatson 70100979Srwatson#include <vm/vm.h> 71100979Srwatson#include <vm/pmap.h> 72100979Srwatson#include <vm/vm_map.h> 73100979Srwatson#include <vm/vm_object.h> 74100979Srwatson 75163606Srwatson#include <security/mac/mac_framework.h> 76121361Srwatson#include <security/mac/mac_internal.h> 77165469Srwatson#include <security/mac/mac_policy.h> 78100979Srwatson 79122524Srwatsonstruct label * 80122524Srwatsonmac_cred_label_alloc(void) 81104521Srwatson{ 82122524Srwatson struct label *label; 83104521Srwatson 84122524Srwatson label = mac_labelzone_alloc(M_WAITOK); 85191731Srwatson MAC_POLICY_PERFORM(cred_init_label, label); 86122524Srwatson return (label); 87104521Srwatson} 88104521Srwatson 89104521Srwatsonvoid 90172930Srwatsonmac_cred_init(struct ucred *cred) 91105694Srwatson{ 92105694Srwatson 93182063Srwatson if (mac_labeled & MPC_OBJECT_CRED) 94182063Srwatson cred->cr_label = mac_cred_label_alloc(); 95182063Srwatson else 96182063Srwatson cred->cr_label = NULL; 97105694Srwatson} 98105694Srwatson 99105694Srwatsonvoid 100122524Srwatsonmac_cred_label_free(struct label *label) 101104521Srwatson{ 102104521Srwatson 103191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label); 104122524Srwatson mac_labelzone_free(label); 105104521Srwatson} 106104521Srwatson 107104521Srwatsonvoid 108172930Srwatsonmac_cred_destroy(struct ucred *cred) 109105694Srwatson{ 110105694Srwatson 111182063Srwatson if (cred->cr_label != NULL) { 112182063Srwatson mac_cred_label_free(cred->cr_label); 113182063Srwatson cred->cr_label = NULL; 114182063Srwatson } 115105694Srwatson} 116105694Srwatson 117184407Srwatson/* 118184407Srwatson * When a thread becomes an NFS server daemon, its credential may need to be 119184407Srwatson * updated to reflect this so that policies can recognize when file system 120184407Srwatson * operations originate from the network. 121184407Srwatson * 122184407Srwatson * At some point, it would be desirable if the credential used for each NFS 123184407Srwatson * RPC could be set based on the RPC context (i.e., source system, etc) to 124184407Srwatson * provide more fine-grained access control. 125184407Srwatson */ 126184407Srwatsonvoid 127184407Srwatsonmac_cred_associate_nfsd(struct ucred *cred) 128105694Srwatson{ 129104522Srwatson 130191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred); 131104522Srwatson} 132104522Srwatson 133104522Srwatson/* 134165425Srwatson * Initialize MAC label for the first kernel process, from which other kernel 135165425Srwatson * processes and threads are spawned. 136104522Srwatson */ 137104521Srwatsonvoid 138184407Srwatsonmac_cred_create_swapper(struct ucred *cred) 139104522Srwatson{ 140104522Srwatson 141191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred); 142104522Srwatson} 143104522Srwatson 144104522Srwatson/* 145104522Srwatson * Initialize MAC label for the first userland process, from which other 146104522Srwatson * userland processes and threads are spawned. 147104522Srwatson */ 148104522Srwatsonvoid 149184407Srwatsonmac_cred_create_init(struct ucred *cred) 150104522Srwatson{ 151104522Srwatson 152191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred); 153104522Srwatson} 154104522Srwatson 155184407Srwatsonint 156184407Srwatsonmac_cred_externalize_label(struct label *label, char *elements, 157184407Srwatson char *outbuf, size_t outbuflen) 158172957Srwatson{ 159184407Srwatson int error; 160172957Srwatson 161191731Srwatson MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); 162184407Srwatson 163184407Srwatson return (error); 164172957Srwatson} 165172957Srwatson 166184407Srwatsonint 167184407Srwatsonmac_cred_internalize_label(struct label *label, char *string) 168184407Srwatson{ 169184407Srwatson int error; 170184407Srwatson 171191731Srwatson MAC_POLICY_INTERNALIZE(cred, label, string); 172184407Srwatson 173184407Srwatson return (error); 174184407Srwatson} 175184407Srwatson 176104522Srwatson/* 177104522Srwatson * When a new process is created, its label must be initialized. Generally, 178165425Srwatson * this involves inheritence from the parent process, modulo possible deltas. 179165425Srwatson * This function allows that processing to take place. 180104522Srwatson */ 181104522Srwatsonvoid 182172930Srwatsonmac_cred_copy(struct ucred *src, struct ucred *dest) 183104522Srwatson{ 184104522Srwatson 185191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, 186191731Srwatson dest->cr_label); 187104522Srwatson} 188104522Srwatson 189100979Srwatson/* 190100979Srwatson * When the subject's label changes, it may require revocation of privilege 191100979Srwatson * to mapped objects. This can't be done on-the-fly later with a unified 192100979Srwatson * buffer cache. 193100979Srwatson */ 194121361Srwatsonvoid 195172930Srwatsonmac_cred_relabel(struct ucred *cred, struct label *newlabel) 196100979Srwatson{ 197100979Srwatson 198191731Srwatson MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); 199100979Srwatson} 200100979Srwatson 201189503SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *", 202189503Srwatson "struct label *"); 203189503Srwatson 204100979Srwatsonint 205172930Srwatsonmac_cred_check_relabel(struct ucred *cred, struct label *newlabel) 206100979Srwatson{ 207100979Srwatson int error; 208100979Srwatson 209191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel); 210189503Srwatson MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel); 211100979Srwatson 212100979Srwatson return (error); 213100979Srwatson} 214100979Srwatson 215189529SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t"); 216189529Srwatson 217189529Srwatsonint 218189529Srwatsonmac_cred_check_setuid(struct ucred *cred, uid_t uid) 219189529Srwatson{ 220189529Srwatson int error; 221189529Srwatson 222191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid); 223189529Srwatson MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); 224189529Srwatson 225189529Srwatson return (error); 226189529Srwatson} 227189529Srwatson 228189529SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t"); 229189529Srwatson 230189529Srwatsonint 231189529Srwatsonmac_cred_check_seteuid(struct ucred *cred, uid_t euid) 232189529Srwatson{ 233189529Srwatson int error; 234189529Srwatson 235191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid); 236189529Srwatson MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); 237189529Srwatson 238189529Srwatson return (error); 239189529Srwatson} 240189529Srwatson 241189529SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t"); 242189529Srwatson 243189529Srwatsonint 244189529Srwatsonmac_cred_check_setgid(struct ucred *cred, gid_t gid) 245189529Srwatson{ 246189529Srwatson int error; 247189529Srwatson 248191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid); 249189529Srwatson MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); 250189529Srwatson 251189529Srwatson return (error); 252189529Srwatson} 253189529Srwatson 254189529SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t"); 255189529Srwatson 256189529Srwatsonint 257189529Srwatsonmac_cred_check_setegid(struct ucred *cred, gid_t egid) 258189529Srwatson{ 259189529Srwatson int error; 260189529Srwatson 261191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid); 262189529Srwatson MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); 263189529Srwatson 264189529Srwatson return (error); 265189529Srwatson} 266189529Srwatson 267189529SrwatsonMAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int", 268189529Srwatson "gid_t *"); 269189529Srwatson 270189529Srwatsonint 271189529Srwatsonmac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) 272189529Srwatson{ 273189529Srwatson int error; 274189529Srwatson 275191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset); 276189529Srwatson MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); 277189529Srwatson 278189529Srwatson return (error); 279189529Srwatson} 280189529Srwatson 281189529SrwatsonMAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t", 282189529Srwatson "uid_t"); 283189529Srwatson 284189529Srwatsonint 285189529Srwatsonmac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 286189529Srwatson{ 287189529Srwatson int error; 288189529Srwatson 289191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid); 290189529Srwatson MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); 291189529Srwatson 292189529Srwatson return (error); 293189529Srwatson} 294189529Srwatson 295189529SrwatsonMAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t", 296189529Srwatson "gid_t"); 297189529Srwatson 298189529Srwatsonint 299189529Srwatsonmac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 300189529Srwatson{ 301189529Srwatson int error; 302189529Srwatson 303191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid); 304189529Srwatson MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); 305189529Srwatson 306189529Srwatson return (error); 307189529Srwatson} 308189529Srwatson 309189529SrwatsonMAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t", 310189529Srwatson "uid_t", "uid_t"); 311189529Srwatson 312189529Srwatsonint 313189529Srwatsonmac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 314189529Srwatson uid_t suid) 315189529Srwatson{ 316189529Srwatson int error; 317189529Srwatson 318191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid); 319189529Srwatson MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, 320189529Srwatson suid); 321189529Srwatson 322189529Srwatson return (error); 323189529Srwatson} 324189529Srwatson 325189529SrwatsonMAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t", 326189529Srwatson "gid_t", "gid_t"); 327189529Srwatson 328189529Srwatsonint 329189529Srwatsonmac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 330189529Srwatson gid_t sgid) 331189529Srwatson{ 332189529Srwatson int error; 333189529Srwatson 334191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid); 335189529Srwatson MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, 336189529Srwatson sgid); 337189529Srwatson 338189529Srwatson return (error); 339189529Srwatson} 340189529Srwatson 341189503SrwatsonMAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", 342189503Srwatson "struct ucred *"); 343189503Srwatson 344100979Srwatsonint 345172930Srwatsonmac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) 346100979Srwatson{ 347100979Srwatson int error; 348100979Srwatson 349191731Srwatson MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2); 350189503Srwatson MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2); 351100979Srwatson 352100979Srwatson return (error); 353100979Srwatson} 354