mac_cred.c revision 121361
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by Network 11 * Associates Laboratories, the Security Research Division of Network 12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 13 * as part of the DARPA CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h> 38__FBSDID("$FreeBSD: head/sys/security/mac/mac_process.c 121361 2003-10-22 20:02:04Z rwatson $"); 39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/condvar.h> 44#include <sys/imgact.h> 45#include <sys/kernel.h> 46#include <sys/lock.h> 47#include <sys/malloc.h> 48#include <sys/mutex.h> 49#include <sys/mac.h> 50#include <sys/proc.h> 51#include <sys/sbuf.h> 52#include <sys/systm.h> 53#include <sys/vnode.h> 54#include <sys/mount.h> 55#include <sys/file.h> 56#include <sys/namei.h> 57#include <sys/sysctl.h> 58 59#include <vm/vm.h> 60#include <vm/pmap.h> 61#include <vm/vm_map.h> 62#include <vm/vm_object.h> 63 64#include <sys/mac_policy.h> 65 66#include <security/mac/mac_internal.h> 67 68int mac_enforce_process = 1; 69SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, 70 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); 71TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); 72 73int mac_enforce_vm = 1; 74SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, 75 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); 76TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); 77 78static int mac_mmap_revocation = 1; 79SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, 80 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 81 "relabel"); 82 83static int mac_mmap_revocation_via_cow = 0; 84SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 85 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 86 "copy-on-write semantics, or by removing all write access"); 87 88#ifdef MAC_DEBUG 89static unsigned int nmaccreds, nmacprocs; 90SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, 91 &nmaccreds, 0, "number of ucreds in use"); 92SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, 93 &nmacprocs, 0, "number of procs in use"); 94#endif 95 96static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 97 struct ucred *cred, struct vm_map *map); 98 99void 100mac_init_cred_label(struct label *label) 101{ 102 103 mac_init_label(label); 104 MAC_PERFORM(init_cred_label, label); 105 MAC_DEBUG_COUNTER_INC(&nmaccreds); 106} 107 108void 109mac_init_cred(struct ucred *cred) 110{ 111 112 mac_init_cred_label(&cred->cr_label); 113} 114 115void 116mac_init_proc(struct proc *p) 117{ 118 119 mac_init_label(&p->p_label); 120 MAC_PERFORM(init_proc_label, &p->p_label); 121 MAC_DEBUG_COUNTER_INC(&nmacprocs); 122} 123 124void 125mac_destroy_cred_label(struct label *label) 126{ 127 128 MAC_PERFORM(destroy_cred_label, label); 129 mac_destroy_label(label); 130 MAC_DEBUG_COUNTER_DEC(&nmaccreds); 131} 132 133void 134mac_destroy_cred(struct ucred *cred) 135{ 136 137 mac_destroy_cred_label(&cred->cr_label); 138} 139 140void 141mac_destroy_proc(struct proc *p) 142{ 143 144 MAC_PERFORM(destroy_proc_label, &p->p_label); 145 mac_destroy_label(&p->p_label); 146 MAC_DEBUG_COUNTER_DEC(&nmacprocs); 147} 148 149int 150mac_externalize_cred_label(struct label *label, char *elements, 151 char *outbuf, size_t outbuflen, int flags) 152{ 153 int error; 154 155 MAC_EXTERNALIZE(cred_label, label, elements, outbuf, outbuflen); 156 157 return (error); 158} 159 160int 161mac_internalize_cred_label(struct label *label, char *string) 162{ 163 int error; 164 165 MAC_INTERNALIZE(cred_label, label, string); 166 167 return (error); 168} 169 170/* 171 * Initialize MAC label for the first kernel process, from which other 172 * kernel processes and threads are spawned. 173 */ 174void 175mac_create_proc0(struct ucred *cred) 176{ 177 178 MAC_PERFORM(create_proc0, cred); 179} 180 181/* 182 * Initialize MAC label for the first userland process, from which other 183 * userland processes and threads are spawned. 184 */ 185void 186mac_create_proc1(struct ucred *cred) 187{ 188 189 MAC_PERFORM(create_proc1, cred); 190} 191 192void 193mac_thread_userret(struct thread *td) 194{ 195 196 MAC_PERFORM(thread_userret, td); 197} 198 199/* 200 * When a new process is created, its label must be initialized. Generally, 201 * this involves inheritence from the parent process, modulo possible 202 * deltas. This function allows that processing to take place. 203 */ 204void 205mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 206{ 207 208 MAC_PERFORM(create_cred, parent_cred, child_cred); 209} 210 211int 212mac_execve_enter(struct image_params *imgp, struct mac *mac_p, 213 struct label *execlabelstorage) 214{ 215 struct mac mac; 216 char *buffer; 217 int error; 218 219 if (mac_p == NULL) 220 return (0); 221 222 error = copyin(mac_p, &mac, sizeof(mac)); 223 if (error) 224 return (error); 225 226 error = mac_check_structmac_consistent(&mac); 227 if (error) 228 return (error); 229 230 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 231 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 232 if (error) { 233 free(buffer, M_MACTEMP); 234 return (error); 235 } 236 237 mac_init_cred_label(execlabelstorage); 238 error = mac_internalize_cred_label(execlabelstorage, buffer); 239 free(buffer, M_MACTEMP); 240 if (error) { 241 mac_destroy_cred_label(execlabelstorage); 242 return (error); 243 } 244 imgp->execlabel = execlabelstorage; 245 return (0); 246} 247 248void 249mac_execve_exit(struct image_params *imgp) 250{ 251 if (imgp->execlabel != NULL) 252 mac_destroy_cred_label(imgp->execlabel); 253} 254 255/* 256 * When relabeling a process, call out to the policies for the maximum 257 * permission allowed for each object type we know about in its 258 * memory space, and revoke access (in the least surprising ways we 259 * know) when necessary. The process lock is not held here. 260 */ 261void 262mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) 263{ 264 265 /* XXX freeze all other threads */ 266 mac_cred_mmapped_drop_perms_recurse(td, cred, 267 &td->td_proc->p_vmspace->vm_map); 268 /* XXX allow other threads to continue */ 269} 270 271static __inline const char * 272prot2str(vm_prot_t prot) 273{ 274 275 switch (prot & VM_PROT_ALL) { 276 case VM_PROT_READ: 277 return ("r--"); 278 case VM_PROT_READ | VM_PROT_WRITE: 279 return ("rw-"); 280 case VM_PROT_READ | VM_PROT_EXECUTE: 281 return ("r-x"); 282 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: 283 return ("rwx"); 284 case VM_PROT_WRITE: 285 return ("-w-"); 286 case VM_PROT_EXECUTE: 287 return ("--x"); 288 case VM_PROT_WRITE | VM_PROT_EXECUTE: 289 return ("-wx"); 290 default: 291 return ("---"); 292 } 293} 294 295static void 296mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, 297 struct vm_map *map) 298{ 299 struct vm_map_entry *vme; 300 int result; 301 vm_prot_t revokeperms; 302 vm_object_t object; 303 vm_ooffset_t offset; 304 struct vnode *vp; 305 306 if (!mac_mmap_revocation) 307 return; 308 309 vm_map_lock_read(map); 310 for (vme = map->header.next; vme != &map->header; vme = vme->next) { 311 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { 312 mac_cred_mmapped_drop_perms_recurse(td, cred, 313 vme->object.sub_map); 314 continue; 315 } 316 /* 317 * Skip over entries that obviously are not shared. 318 */ 319 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || 320 !vme->max_protection) 321 continue; 322 /* 323 * Drill down to the deepest backing object. 324 */ 325 offset = vme->offset; 326 object = vme->object.vm_object; 327 if (object == NULL) 328 continue; 329 while (object->backing_object != NULL) { 330 object = object->backing_object; 331 offset += object->backing_object_offset; 332 } 333 /* 334 * At the moment, vm_maps and objects aren't considered 335 * by the MAC system, so only things with backing by a 336 * normal object (read: vnodes) are checked. 337 */ 338 if (object->type != OBJT_VNODE) 339 continue; 340 vp = (struct vnode *)object->handle; 341 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 342 result = vme->max_protection; 343 mac_check_vnode_mmap_downgrade(cred, vp, &result); 344 VOP_UNLOCK(vp, 0, td); 345 /* 346 * Find out what maximum protection we may be allowing 347 * now but a policy needs to get removed. 348 */ 349 revokeperms = vme->max_protection & ~result; 350 if (!revokeperms) 351 continue; 352 printf("pid %ld: revoking %s perms from %#lx:%ld " 353 "(max %s/cur %s)\n", (long)td->td_proc->p_pid, 354 prot2str(revokeperms), (u_long)vme->start, 355 (long)(vme->end - vme->start), 356 prot2str(vme->max_protection), prot2str(vme->protection)); 357 vm_map_lock_upgrade(map); 358 /* 359 * This is the really simple case: if a map has more 360 * max_protection than is allowed, but it's not being 361 * actually used (that is, the current protection is 362 * still allowed), we can just wipe it out and do 363 * nothing more. 364 */ 365 if ((vme->protection & revokeperms) == 0) { 366 vme->max_protection -= revokeperms; 367 } else { 368 if (revokeperms & VM_PROT_WRITE) { 369 /* 370 * In the more complicated case, flush out all 371 * pending changes to the object then turn it 372 * copy-on-write. 373 */ 374 vm_object_reference(object); 375 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 376 VM_OBJECT_LOCK(object); 377 vm_object_page_clean(object, 378 OFF_TO_IDX(offset), 379 OFF_TO_IDX(offset + vme->end - vme->start + 380 PAGE_MASK), 381 OBJPC_SYNC); 382 VM_OBJECT_UNLOCK(object); 383 VOP_UNLOCK(vp, 0, td); 384 vm_object_deallocate(object); 385 /* 386 * Why bother if there's no read permissions 387 * anymore? For the rest, we need to leave 388 * the write permissions on for COW, or 389 * remove them entirely if configured to. 390 */ 391 if (!mac_mmap_revocation_via_cow) { 392 vme->max_protection &= ~VM_PROT_WRITE; 393 vme->protection &= ~VM_PROT_WRITE; 394 } if ((revokeperms & VM_PROT_READ) == 0) 395 vme->eflags |= MAP_ENTRY_COW | 396 MAP_ENTRY_NEEDS_COPY; 397 } 398 if (revokeperms & VM_PROT_EXECUTE) { 399 vme->max_protection &= ~VM_PROT_EXECUTE; 400 vme->protection &= ~VM_PROT_EXECUTE; 401 } 402 if (revokeperms & VM_PROT_READ) { 403 vme->max_protection = 0; 404 vme->protection = 0; 405 } 406 pmap_protect(map->pmap, vme->start, vme->end, 407 vme->protection & ~revokeperms); 408 vm_map_simplify_entry(map, vme); 409 } 410 vm_map_lock_downgrade(map); 411 } 412 vm_map_unlock_read(map); 413} 414 415/* 416 * When the subject's label changes, it may require revocation of privilege 417 * to mapped objects. This can't be done on-the-fly later with a unified 418 * buffer cache. 419 */ 420void 421mac_relabel_cred(struct ucred *cred, struct label *newlabel) 422{ 423 424 MAC_PERFORM(relabel_cred, cred, newlabel); 425} 426 427int 428mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) 429{ 430 int error; 431 432 MAC_CHECK(check_cred_relabel, cred, newlabel); 433 434 return (error); 435} 436 437int 438mac_check_cred_visible(struct ucred *u1, struct ucred *u2) 439{ 440 int error; 441 442 if (!mac_enforce_process) 443 return (0); 444 445 MAC_CHECK(check_cred_visible, u1, u2); 446 447 return (error); 448} 449 450int 451mac_check_proc_debug(struct ucred *cred, struct proc *proc) 452{ 453 int error; 454 455 PROC_LOCK_ASSERT(proc, MA_OWNED); 456 457 if (!mac_enforce_process) 458 return (0); 459 460 MAC_CHECK(check_proc_debug, cred, proc); 461 462 return (error); 463} 464 465int 466mac_check_proc_sched(struct ucred *cred, struct proc *proc) 467{ 468 int error; 469 470 PROC_LOCK_ASSERT(proc, MA_OWNED); 471 472 if (!mac_enforce_process) 473 return (0); 474 475 MAC_CHECK(check_proc_sched, cred, proc); 476 477 return (error); 478} 479 480int 481mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) 482{ 483 int error; 484 485 PROC_LOCK_ASSERT(proc, MA_OWNED); 486 487 if (!mac_enforce_process) 488 return (0); 489 490 MAC_CHECK(check_proc_signal, cred, proc, signum); 491 492 return (error); 493} 494