1/*- 2 * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 Samy Al Bahra 6 * Copyright (c) 2006 SPARTA, Inc. 7 * Copyright (c) 2008 Apple Inc. 8 * All rights reserved. 9 * 10 * This software was developed by Robert Watson and Ilmar Habibulin for the 11 * TrustedBSD Project. 12 * 13 * This software was developed for the FreeBSD Project in part by Network 14 * Associates Laboratories, the Security Research Division of Network 15 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 16 * as part of the DARPA CHATS research program. 17 * 18 * This software was enhanced by SPARTA ISSO under SPAWAR contract 19 * N66001-04-C-6019 ("SEFOS"). 20 * 21 * This software was developed at the University of Cambridge Computer 22 * Laboratory with support from a grant from Google, Inc. 23 * 24 * Redistribution and use in source and binary forms, with or without 25 * modification, are permitted provided that the following conditions 26 * are met: 27 * 1. Redistributions of source code must retain the above copyright 28 * notice, this list of conditions and the following disclaimer. 29 * 2. Redistributions in binary form must reproduce the above copyright 30 * notice, this list of conditions and the following disclaimer in the 31 * documentation and/or other materials provided with the distribution. 32 * 33 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 34 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 35 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 36 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 37 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 38 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 39 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 40 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 41 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 42 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 43 * SUCH DAMAGE. 44 */ 45 46#include <sys/cdefs.h> 47__FBSDID("$FreeBSD$"); 48 49#include "opt_kdtrace.h" 50#include "opt_mac.h" 51 52#include <sys/param.h> 53#include <sys/condvar.h> 54#include <sys/imgact.h> 55#include <sys/kernel.h> 56#include <sys/lock.h> 57#include <sys/malloc.h> 58#include <sys/mutex.h> 59#include <sys/mac.h> 60#include <sys/proc.h> 61#include <sys/sbuf.h> 62#include <sys/sdt.h> 63#include <sys/systm.h> 64#include <sys/vnode.h> 65#include <sys/mount.h> 66#include <sys/file.h> 67#include <sys/namei.h> 68#include <sys/sysctl.h> 69 70#include <vm/vm.h> 71#include <vm/pmap.h> 72#include <vm/vm_map.h> 73#include <vm/vm_object.h> 74 75#include <security/mac/mac_framework.h> 76#include <security/mac/mac_internal.h> 77#include <security/mac/mac_policy.h> 78 79struct label * 80mac_cred_label_alloc(void) 81{ 82 struct label *label; 83 84 label = mac_labelzone_alloc(M_WAITOK); 85 MAC_POLICY_PERFORM(cred_init_label, label); 86 return (label); 87} 88 89void 90mac_cred_init(struct ucred *cred) 91{ 92 93 if (mac_labeled & MPC_OBJECT_CRED) 94 cred->cr_label = mac_cred_label_alloc(); 95 else 96 cred->cr_label = NULL; 97} 98 99void 100mac_cred_label_free(struct label *label) 101{ 102 103 MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label); 104 mac_labelzone_free(label); 105} 106 107void 108mac_cred_destroy(struct ucred *cred) 109{ 110 111 if (cred->cr_label != NULL) { 112 mac_cred_label_free(cred->cr_label); 113 cred->cr_label = NULL; 114 } 115} 116 117/* 118 * When a thread becomes an NFS server daemon, its credential may need to be 119 * updated to reflect this so that policies can recognize when file system 120 * operations originate from the network. 121 * 122 * At some point, it would be desirable if the credential used for each NFS 123 * RPC could be set based on the RPC context (i.e., source system, etc) to 124 * provide more fine-grained access control. 125 */ 126void 127mac_cred_associate_nfsd(struct ucred *cred) 128{ 129 130 MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred); 131} 132 133/* 134 * Initialize MAC label for the first kernel process, from which other kernel 135 * processes and threads are spawned. 136 */ 137void 138mac_cred_create_swapper(struct ucred *cred) 139{ 140 141 MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred); 142} 143 144/* 145 * Initialize MAC label for the first userland process, from which other 146 * userland processes and threads are spawned. 147 */ 148void 149mac_cred_create_init(struct ucred *cred) 150{ 151 152 MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred); 153} 154 155int 156mac_cred_externalize_label(struct label *label, char *elements, 157 char *outbuf, size_t outbuflen) 158{ 159 int error; 160 161 MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); 162 163 return (error); 164} 165 166int 167mac_cred_internalize_label(struct label *label, char *string) 168{ 169 int error; 170 171 MAC_POLICY_INTERNALIZE(cred, label, string); 172 173 return (error); 174} 175 176/* 177 * When a new process is created, its label must be initialized. Generally, 178 * this involves inheritence from the parent process, modulo possible deltas. 179 * This function allows that processing to take place. 180 */ 181void 182mac_cred_copy(struct ucred *src, struct ucred *dest) 183{ 184 185 MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, 186 dest->cr_label); 187} 188 189/* 190 * When the subject's label changes, it may require revocation of privilege 191 * to mapped objects. This can't be done on-the-fly later with a unified 192 * buffer cache. 193 */ 194void 195mac_cred_relabel(struct ucred *cred, struct label *newlabel) 196{ 197 198 MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); 199} 200 201MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *", 202 "struct label *"); 203 204int 205mac_cred_check_relabel(struct ucred *cred, struct label *newlabel) 206{ 207 int error; 208 209 MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel); 210 MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel); 211 212 return (error); 213} 214 215MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t"); 216 217int 218mac_cred_check_setuid(struct ucred *cred, uid_t uid) 219{ 220 int error; 221 222 MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid); 223 MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); 224 225 return (error); 226} 227 228MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t"); 229 230int 231mac_cred_check_seteuid(struct ucred *cred, uid_t euid) 232{ 233 int error; 234 235 MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid); 236 MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); 237 238 return (error); 239} 240 241MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t"); 242 243int 244mac_cred_check_setgid(struct ucred *cred, gid_t gid) 245{ 246 int error; 247 248 MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid); 249 MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); 250 251 return (error); 252} 253 254MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t"); 255 256int 257mac_cred_check_setegid(struct ucred *cred, gid_t egid) 258{ 259 int error; 260 261 MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid); 262 MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); 263 264 return (error); 265} 266 267MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int", 268 "gid_t *"); 269 270int 271mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) 272{ 273 int error; 274 275 MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset); 276 MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); 277 278 return (error); 279} 280 281MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t", 282 "uid_t"); 283 284int 285mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 286{ 287 int error; 288 289 MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid); 290 MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); 291 292 return (error); 293} 294 295MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t", 296 "gid_t"); 297 298int 299mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 300{ 301 int error; 302 303 MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid); 304 MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); 305 306 return (error); 307} 308 309MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t", 310 "uid_t", "uid_t"); 311 312int 313mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 314 uid_t suid) 315{ 316 int error; 317 318 MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid); 319 MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, 320 suid); 321 322 return (error); 323} 324 325MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t", 326 "gid_t", "gid_t"); 327 328int 329mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 330 gid_t sgid) 331{ 332 int error; 333 334 MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid); 335 MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, 336 sgid); 337 338 return (error); 339} 340 341MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", 342 "struct ucred *"); 343 344int 345mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) 346{ 347 int error; 348 349 MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2); 350 MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2); 351 352 return (error); 353} 354