/*-
 * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * Copyright (c) 2005 Samy Al Bahra
 * Copyright (c) 2006 SPARTA, Inc.
 * Copyright (c) 2008 Apple Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
 * TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * This software was developed at the University of Cambridge Computer
 * Laboratory with support from a grant from Google, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_mac.h"

#include <sys/param.h>
#include <sys/condvar.h>
#include <sys/imgact.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/mac.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
#include <sys/sysctl.h>

#include <vm/vm.h>
#include <vm/pmap.h>
#include <vm/vm_map.h>
#include <vm/vm_object.h>

#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>

/*
 * MAC framework entry points for process credentials (struct ucred).
 *
 * Every function in this file is a thin dispatcher: the MAC_POLICY_* macros
 * walk the loaded policy modules and invoke the matching entry point in each
 * one.  Nothing here makes an access decision on its own; this layer only
 * manages the credential's label storage and relays checks and events to
 * the policies.
 */

/*
 * Allocate a credential label and let every policy initialize its part of
 * it.  The zone allocation uses M_WAITOK and the per-policy initializer is
 * invoked through the sleepable MAC_POLICY_PERFORM; the remaining entry
 * points in this file use the _NOSLEEP variants.
 *
 * Returns the new label.  Ownership passes to the caller, who releases it
 * with mac_cred_label_free().
 */
struct label *
mac_cred_label_alloc(void)
{
	struct label *lp;

	lp = mac_labelzone_alloc(M_WAITOK);
	MAC_POLICY_PERFORM(cred_init_label, lp);
	return (lp);
}

/*
 * Attach label storage to a newly created credential.  A label is only
 * allocated when at least one loaded policy has declared an interest in
 * credential labels (MPC_OBJECT_CRED in mac_labeled); otherwise cr_label is
 * left NULL, which mac_cred_destroy() tolerates.
 */
void
mac_cred_init(struct ucred *cred)
{

	cred->cr_label = (mac_labeled & MPC_OBJECT_CRED) ?
	    mac_cred_label_alloc() : NULL;
}

/*
 * Release a label obtained from mac_cred_label_alloc(): each policy tears
 * down its own state first, then the zone memory is returned.
 */
void
mac_cred_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label);
	mac_labelzone_free(label);
}

/*
 * Counterpart of mac_cred_init(): drop the credential's label, if it has
 * one.  cr_label is cleared so that no dangling label pointer remains in
 * the credential.
 */
void
mac_cred_destroy(struct ucred *cred)
{
	struct label *lp = cred->cr_label;

	if (lp == NULL)
		return;
	cred->cr_label = NULL;
	mac_cred_label_free(lp);
}

/*
 * Notify policies that a thread has become an NFS server daemon so that its
 * credential can be marked accordingly; policies may then tell apart file
 * system operations that originate from the network.
 *
 * Deriving a credential per RPC from the RPC context (source host, etc.)
 * would allow finer-grained control than this per-thread marking, but that
 * is not provided today.
 */
void
mac_cred_associate_nfsd(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
}

/*
 * Label the credential of the first kernel process (the swapper); every
 * other kernel process and thread descends from it.
 */
void
mac_cred_create_swapper(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred);
}

/*
 * Label the credential of the first userland process (init); every other
 * userland process and thread descends from it.
 */
void
mac_cred_create_init(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred);
}

/*
 * Render a credential label as text.  'elements' names the policies whose
 * label components should be emitted; output goes to outbuf, which holds
 * outbuflen bytes.  'error' is assigned by MAC_POLICY_EXTERNALIZE; 0 means
 * success.
 */
int
mac_cred_externalize_label(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
	return (error);
}

/*
 * Parse a textual label into 'label'.  Nothing in this layer inspects the
 * string; each policy parses and validates its own component, so policies
 * must treat it as untrusted input.  'error' is assigned by
 * MAC_POLICY_INTERNALIZE; 0 means success.
 */
int
mac_cred_internalize_label(struct label *label, char *string)
{
	int error;

	MAC_POLICY_INTERNALIZE(cred, label, string);
	return (error);
}

/*
 * Derive a child credential's label from its parent's when a new process
 * is created.  Usually this is plain inheritance with possible
 * policy-specific deltas; the policies decide.
 */
void
mac_cred_copy(struct ucred *src, struct ucred *dest)
{
	struct label *from, *to;

	from = src->cr_label;
	to = dest->cr_label;
	MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, from, to);
}

/*
 * Apply a new label to a subject.  Privilege over objects the subject has
 * already mapped may have to be revoked, and with a unified buffer cache
 * that cannot be done lazily later on, so policies act here, at the point
 * of the change.
 */
void
mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
}

/*
 * Access checks.
 *
 * Each mac_cred_check_*() asks every loaded policy whether the operation is
 * permitted; MAC_POLICY_CHECK_NOSLEEP leaves the combined verdict in
 * 'error' (0 = allowed).  The verdict and the arguments are then passed to
 * a DTrace SDT probe declared by MAC_CHECK_PROBE_DEFINE*, which lets an
 * administrator trace denials without modifying any policy.  The probe
 * fires after the decision has been made, so it cannot influence it.  The
 * local must be named 'error' because the macros assign to it by name.
 */

MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *",
    "struct label *");

/*
 * May the subject holding 'cred' have its label replaced by 'newlabel'?
 */
int
mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
	MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);
	return (error);
}

/*
 * Identity changes.  These checks are meant to complement, not replace,
 * the traditional permission checks in the setuid-family system calls: a
 * policy can veto a uid/gid transition that would otherwise be allowed.
 */

MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t");

/* May 'cred' change its real/effective/saved user id to 'uid'? */
int
mac_cred_check_setuid(struct ucred *cred, uid_t uid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
	MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t");

/* May 'cred' change its effective user id to 'euid'? */
int
mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
	MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t");

/* May 'cred' change its real/effective/saved group id to 'gid'? */
int
mac_cred_check_setgid(struct ucred *cred, gid_t gid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
	MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t");

/* May 'cred' change its effective group id to 'egid'? */
int
mac_cred_check_setegid(struct ucred *cred, gid_t egid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
	MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int",
    "gid_t *");

/*
 * May 'cred' replace its supplementary group list with the 'ngroups'
 * entries at 'gidset'?  The count and the array are passed through as
 * received; this layer performs no bounds checking, so the caller is
 * responsible for having validated them.
 */
int
mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
	MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
	return (error);
}

MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t",
    "uid_t");

/* May 'cred' set its real and effective user ids to 'ruid' and 'euid'? */
int
mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
	MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t",
    "gid_t");

/* May 'cred' set its real and effective group ids to 'rgid' and 'egid'? */
int
mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
	MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t",
    "uid_t", "uid_t");

/*
 * May 'cred' set its real, effective and saved user ids to 'ruid', 'euid'
 * and 'suid'?
 */
int
mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
	MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
	    suid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t",
    "gid_t", "gid_t");

/*
 * May 'cred' set its real, effective and saved group ids to 'rgid', 'egid'
 * and 'sgid'?
 */
int
mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
	MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
	    sgid);
	return (error);
}

MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
    "struct ucred *");

/*
 * May the subject holding 'cr1' observe the subject holding 'cr2' (for
 * example in process listings)?  A denial hides the second subject's
 * existence from the first.
 */
int
mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
	MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);
	return (error);
}