mac_ifoff.c revision 101099
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, 9 * the Security Research Division of Network Associates, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The names of the authors may not be used to endorse or promote 22 * products derived from this software without specific prior written 23 * permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * $FreeBSD: head/sys/security/mac_ifoff/mac_ifoff.c 101099 2002-07-31 18:07:45Z rwatson $ 38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Limit access to interfaces until they are specifically administratively 43 * enabled. Prevents protocol stack-driven packet leakage in unsafe 44 * environments. 45 */ 46 47#include <sys/types.h> 48#include <sys/param.h> 49#include <sys/conf.h> 50#include <sys/kernel.h> 51#include <sys/mac.h> 52#include <sys/mount.h> 53#include <sys/proc.h> 54#include <sys/systm.h> 55#include <sys/sysproto.h> 56#include <sys/sysent.h> 57#include <sys/vnode.h> 58#include <sys/file.h> 59#include <sys/socket.h> 60#include <sys/socketvar.h> 61#include <sys/sysctl.h> 62 63#include <net/bpfdesc.h> 64#include <net/if.h> 65#include <net/if_types.h> 66#include <net/if_var.h> 67 68#include <vm/vm.h> 69 70#include <sys/mac_policy.h> 71 72SYSCTL_DECL(_security_mac); 73 74SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0, 75 "TrustedBSD mac_ifoff policy controls"); 76 77static int mac_ifoff_enabled = 1; 78SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW, 79 &mac_ifoff_enabled, 0, "Enforce ifoff policy"); 80TUNABLE_INT("security.mac.ifoff.enabled", &mac_ifoff_enabled); 81 82static int mac_ifoff_lo_enabled = 1; 83SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW, 84 &mac_ifoff_lo_enabled, 0, "Enable loopback interfaces"); 85TUNABLE_INT("security.mac.ifoff.lo_enabled", &mac_ifoff_lo_enabled); 86 87static int mac_ifoff_other_enabled = 0; 88SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW, 89 &mac_ifoff_other_enabled, 0, "Enable other interfaces"); 90TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled); 91 92static int mac_ifoff_bpfrecv_enabled = 0; 93SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW, 94 &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface " 95 "is disabled"); 96TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled); 97 98static int 99check_ifnet_outgoing(struct ifnet *ifnet) 100{ 101 102 if (!mac_ifoff_enabled) 103 return (0); 104 105 if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP) 106 return (0); 107 108 if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP) 109 return (0); 110 111 return (EPERM); 112} 113 114static int 115check_ifnet_incoming(struct ifnet *ifnet, int viabpf) 116{ 117 if (!mac_ifoff_enabled) 118 return (0); 119 120 if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP) 121 return (0); 122 123 if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP) 124 return (0); 125 126 if (viabpf && mac_ifoff_bpfrecv_enabled) 127 return (0); 128 129 return (EPERM); 130} 131 132static int 133mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 134 struct ifnet *ifnet, struct label *ifnetlabel) 135{ 136 137 return (check_ifnet_incoming(ifnet, 1)); 138} 139 140static int 141mac_ifoff_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 142 struct mbuf *m, struct label *mbuflabel) 143{ 144 145 return (check_ifnet_outgoing(ifnet)); 146} 147 148static int 149mac_ifoff_check_socket_receive(struct socket *so, struct label *socketlabel, 150 struct mbuf *m, struct label *mbuflabel) 151{ 152 153 if (m->m_flags & M_PKTHDR) { 154 if (m->m_pkthdr.rcvif != NULL) 155 return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0)); 156 } 157 158 return (0); 159} 160 161static struct mac_policy_op_entry mac_ifoff_ops[] = 162{ 163 { MAC_CHECK_BPFDESC_RECEIVE, 164 (macop_t)mac_ifoff_check_bpfdesc_receive }, 165 { MAC_CHECK_IFNET_TRANSMIT, 166 (macop_t)mac_ifoff_check_ifnet_transmit }, 167 { MAC_CHECK_SOCKET_RECEIVE, 168 (macop_t)mac_ifoff_check_socket_receive }, 169 { MAC_OP_LAST, NULL } 170}; 171 172MAC_POLICY_SET(mac_ifoff_ops, trustedbsd_mac_ifoff, "TrustedBSD MAC/ifoff", 173 MPC_LOADTIME_FLAG_UNLOADOK, NULL); 174