xref: /netbsd-src/sys/secmodel/extensions/secmodel_extensions.c (revision 946379e7b37692fc43f68eb0d1c10daa0a7f3b6c) 
1 /* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */
2 /*-
3  * Copyright (c) 2011 Elad Efrat <elad@NetBSD.org>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  * 3. The name of the author may not be used to endorse or promote products
15  *    derived from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $");
31 
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/kauth.h>
35 
36 #include <sys/mount.h>
37 #include <sys/vnode.h>
38 #include <sys/socketvar.h>
39 #include <sys/sysctl.h>
40 #include <sys/proc.h>
41 #include <sys/module.h>
42 
43 #include <secmodel/secmodel.h>
44 #include <secmodel/extensions/extensions.h>
45 
46 MODULE(MODULE_CLASS_SECMODEL, extensions, NULL);
47 
48 static int dovfsusermount;
49 static int curtain;
50 static int user_set_cpu_affinity;
51 
52 static kauth_listener_t l_system, l_process, l_network;
53 
54 static secmodel_t extensions_sm;
55 static struct sysctllog *extensions_sysctl_log;
56 
57 static void secmodel_extensions_init(void);
58 static void secmodel_extensions_start(void);
59 static void secmodel_extensions_stop(void);
60 
61 static void sysctl_security_extensions_setup(struct sysctllog **);
62 static int  sysctl_extensions_user_handler(SYSCTLFN_PROTO);
63 static int  sysctl_extensions_curtain_handler(SYSCTLFN_PROTO);
64 static bool is_securelevel_above(int);
65 
66 static int secmodel_extensions_system_cb(kauth_cred_t, kauth_action_t,
67     void *, void *, void *, void *, void *);
68 static int secmodel_extensions_process_cb(kauth_cred_t, kauth_action_t,
69     void *, void *, void *, void *, void *);
70 static int secmodel_extensions_network_cb(kauth_cred_t, kauth_action_t,
71     void *, void *, void *, void *, void *);
72 
73 static void
74 sysctl_security_extensions_setup(struct sysctllog **clog)
75 {
76 	const struct sysctlnode *rnode, *rnode2;
77 
78 	sysctl_createv(clog, 0, NULL, &rnode,
79 		       CTLFLAG_PERMANENT,
80 		       CTLTYPE_NODE, "models", NULL,
81 		       NULL, 0, NULL, 0,
82 		       CTL_SECURITY, CTL_CREATE, CTL_EOL);
83 
84 	/* Compatibility: security.models.bsd44 */
85 	rnode2 = rnode;
86 	sysctl_createv(clog, 0, &rnode2, &rnode2,
87 		       CTLFLAG_PERMANENT,
88 		       CTLTYPE_NODE, "bsd44", NULL,
89 		       NULL, 0, NULL, 0,
90 		       CTL_CREATE, CTL_EOL);
91 
92         /* Compatibility: security.models.bsd44.curtain */
93 	sysctl_createv(clog, 0, &rnode2, NULL,
94 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
95 		       CTLTYPE_INT, "curtain",
96 		       SYSCTL_DESCR("Curtain information about objects to "\
97 		       		    "users not owning them."),
98 		       sysctl_extensions_curtain_handler, 0, &curtain, 0,
99 		       CTL_CREATE, CTL_EOL);
100 
101 	sysctl_createv(clog, 0, &rnode, &rnode,
102 		       CTLFLAG_PERMANENT,
103 		       CTLTYPE_NODE, "extensions", NULL,
104 		       NULL, 0, NULL, 0,
105 		       CTL_CREATE, CTL_EOL);
106 
107 	sysctl_createv(clog, 0, &rnode, NULL,
108 		       CTLFLAG_PERMANENT,
109 		       CTLTYPE_STRING, "name", NULL,
110 		       NULL, 0, __UNCONST(SECMODEL_EXTENSIONS_NAME), 0,
111 		       CTL_CREATE, CTL_EOL);
112 
113 	sysctl_createv(clog, 0, &rnode, NULL,
114 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
115 		       CTLTYPE_INT, "usermount",
116 		       SYSCTL_DESCR("Whether unprivileged users may mount "
117 				    "filesystems"),
118 		       sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
119 		       CTL_CREATE, CTL_EOL);
120 
121 	sysctl_createv(clog, 0, &rnode, NULL,
122 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
123 		       CTLTYPE_INT, "curtain",
124 		       SYSCTL_DESCR("Curtain information about objects to "\
125 		       		    "users not owning them."),
126 		       sysctl_extensions_curtain_handler, 0, &curtain, 0,
127 		       CTL_CREATE, CTL_EOL);
128 
129 	sysctl_createv(clog, 0, &rnode, NULL,
130 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
131 		       CTLTYPE_INT, "user_set_cpu_affinity",
132 		       SYSCTL_DESCR("Whether unprivileged users may control "\
133 		       		    "CPU affinity."),
134 		       sysctl_extensions_user_handler, 0,
135 		       &user_set_cpu_affinity, 0,
136 		       CTL_CREATE, CTL_EOL);
137 
138 	/* Compatibility: vfs.generic.usermount */
139 	sysctl_createv(clog, 0, NULL, NULL,
140 		       CTLFLAG_PERMANENT,
141 		       CTLTYPE_NODE, "generic",
142 		       SYSCTL_DESCR("Non-specific vfs related information"),
143 		       NULL, 0, NULL, 0,
144 		       CTL_VFS, VFS_GENERIC, CTL_EOL);
145 
146 	sysctl_createv(clog, 0, NULL, NULL,
147 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
148 		       CTLTYPE_INT, "usermount",
149 		       SYSCTL_DESCR("Whether unprivileged users may mount "
150 				    "filesystems"),
151 		       sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
152 		       CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL);
153 
154 	/* Compatibility: security.curtain */
155 	sysctl_createv(clog, 0, NULL, NULL,
156 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
157 		       CTLTYPE_INT, "curtain",
158 		       SYSCTL_DESCR("Curtain information about objects to "\
159 		       		    "users not owning them."),
160 		       sysctl_extensions_curtain_handler, 0, &curtain, 0,
161 		       CTL_SECURITY, CTL_CREATE, CTL_EOL);
162 }
163 
164 static int
165 sysctl_extensions_curtain_handler(SYSCTLFN_ARGS)
166 {
167 	struct sysctlnode node;
168 	int val, error;
169 
170 	val = *(int *)rnode->sysctl_data;
171 
172 	node = *rnode;
173 	node.sysctl_data = &val;
174 
175 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
176 	if (error || newp == NULL)
177 		return error;
178 
179 	/* shortcut */
180 	if (val == *(int *)rnode->sysctl_data)
181 		return 0;
182 
183 	/* curtain cannot be disabled when securelevel is above 0 */
184 	if (val == 0 && is_securelevel_above(0)) {
185 		return EPERM;
186 	}
187 
188 	*(int *)rnode->sysctl_data = val;
189 	return 0;
190 }
191 
192 /*
193  * Generic sysctl extensions handler for user mount and set CPU affinity
194  * rights. Checks the following conditions:
195  * - setting value to 0 is always permitted (decrease user rights)
196  * - setting value != 0 is not permitted when securelevel is above 0 (increase
197  *   user rights).
198  */
199 static int
200 sysctl_extensions_user_handler(SYSCTLFN_ARGS)
201 {
202 	struct sysctlnode node;
203 	int val, error;
204 
205 	val = *(int *)rnode->sysctl_data;
206 
207 	node = *rnode;
208 	node.sysctl_data = &val;
209 
210 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
211 	if (error || newp == NULL)
212 		return error;
213 
214 	/* shortcut */
215 	if (val == *(int *)rnode->sysctl_data)
216 		return 0;
217 
218 	/* we cannot grant more rights to users when securelevel is above 0 */
219 	if (val != 0 && is_securelevel_above(0)) {
220 		return EPERM;
221 	}
222 
223 	*(int *)rnode->sysctl_data = val;
224 	return 0;
225 }
226 
227 /*
228  * Query secmodel_securelevel(9) to know whether securelevel is strictly
229  * above 'level' or not.
230  * Returns true if it is, false otherwise (when securelevel is absent or
231  * securelevel is at or below 'level').
232  */
233 static bool
234 is_securelevel_above(int level)
235 {
236 	bool above;
237 	int error;
238 
239 	error = secmodel_eval("org.netbsd.secmodel.securelevel",
240 	    "is-securelevel-above", KAUTH_ARG(level), &above);
241 	if (error == 0 && above)
242 		return true;
243 	else
244 		return false;
245 }
246 
247 static void
248 secmodel_extensions_init(void)
249 {
250 
251 	curtain = 0;
252 	user_set_cpu_affinity = 0;
253 }
254 
255 static void
256 secmodel_extensions_start(void)
257 {
258 
259 	l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
260 	    secmodel_extensions_system_cb, NULL);
261 	l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
262 	    secmodel_extensions_process_cb, NULL);
263 	l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
264 	    secmodel_extensions_network_cb, NULL);
265 }
266 
267 static void
268 secmodel_extensions_stop(void)
269 {
270 
271 	kauth_unlisten_scope(l_system);
272 	kauth_unlisten_scope(l_process);
273 	kauth_unlisten_scope(l_network);
274 }
275 
276 static int
277 extensions_modcmd(modcmd_t cmd, void *arg)
278 {
279 	int error = 0;
280 
281 	switch (cmd) {
282 	case MODULE_CMD_INIT:
283 		error = secmodel_register(&extensions_sm,
284 		    SECMODEL_EXTENSIONS_ID, SECMODEL_EXTENSIONS_NAME,
285 		    NULL, NULL, NULL);
286 		if (error != 0)
287 			printf("extensions_modcmd::init: secmodel_register "
288 			    "returned %d\n", error);
289 
290 		secmodel_extensions_init();
291 		secmodel_extensions_start();
292 		sysctl_security_extensions_setup(&extensions_sysctl_log);
293 		break;
294 
295 	case MODULE_CMD_FINI:
296 		sysctl_teardown(&extensions_sysctl_log);
297 		secmodel_extensions_stop();
298 
299 		error = secmodel_deregister(extensions_sm);
300 		if (error != 0)
301 			printf("extensions_modcmd::fini: secmodel_deregister "
302 			    "returned %d\n", error);
303 
304 		break;
305 
306 	case MODULE_CMD_AUTOUNLOAD:
307 		error = EPERM;
308 		break;
309 
310 	default:
311 		error = ENOTTY;
312 		break;
313 	}
314 
315 	return (error);
316 }
317 
318 static int
319 secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action,
320     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
321 {
322 	vnode_t *vp;
323 	struct vattr va;
324 	struct mount *mp;
325 	u_long flags;
326 	int result;
327 	enum kauth_system_req req;
328 	int error;
329 
330 	req = (enum kauth_system_req)arg0;
331 	result = KAUTH_RESULT_DEFER;
332 
333 	switch (action) {
334 	case KAUTH_SYSTEM_MOUNT:
335 		if (dovfsusermount == 0)
336 			break;
337 		switch (req) {
338 		case KAUTH_REQ_SYSTEM_MOUNT_NEW:
339 			vp = (vnode_t *)arg1;
340 			mp = vp->v_mount;
341 			flags = (u_long)arg2;
342 
343 			/*
344 			 * Ensure that the user owns the directory onto which
345 			 * the mount is attempted.
346 			 */
347 			vn_lock(vp, LK_SHARED | LK_RETRY);
348 			error = VOP_GETATTR(vp, &va, cred);
349 			VOP_UNLOCK(vp);
350 			if (error)
351 				break;
352 
353 			if (va.va_uid != kauth_cred_geteuid(cred))
354 				break;
355 
356 			error = usermount_common_policy(mp, flags);
357 			if (error)
358 				break;
359 
360 			result = KAUTH_RESULT_ALLOW;
361 
362 			break;
363 
364 		case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
365 			mp = arg1;
366 
367 			/* Must own the mount. */
368 			if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred))
369 				result = KAUTH_RESULT_ALLOW;
370 
371 			break;
372 
373 		case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
374 			mp = arg1;
375 			flags = (u_long)arg2;
376 
377 			/* Must own the mount. */
378 			if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) &&
379 				usermount_common_policy(mp, flags) == 0)
380 				result = KAUTH_RESULT_ALLOW;
381 
382 			break;
383 
384 		default:
385 			break;
386 		}
387 		break;
388 
389 	default:
390 		break;
391 	}
392 
393 	return (result);
394 }
395 
396 static int
397 secmodel_extensions_process_cb(kauth_cred_t cred, kauth_action_t action,
398     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
399 {
400 	int result;
401 	enum kauth_process_req req;
402 
403 	result = KAUTH_RESULT_DEFER;
404 	req = (enum kauth_process_req)arg1;
405 
406 	switch (action) {
407 	case KAUTH_PROCESS_CANSEE:
408 		switch (req) {
409 		case KAUTH_REQ_PROCESS_CANSEE_ARGS:
410 		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
411 		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
412 			if (curtain != 0) {
413 				struct proc *p = arg0;
414 
415 				/*
416 				 * Only process' owner and root can see
417 				 * through curtain
418 				 */
419 				if (!kauth_cred_uidmatch(cred, p->p_cred)) {
420 					int error;
421 					bool isroot = false;
422 
423 					error = secmodel_eval(
424 					    "org.netbsd.secmodel.suser",
425 					    "is-root", cred, &isroot);
426 					if (error == 0 && !isroot)
427 						result = KAUTH_RESULT_DENY;
428 				}
429 			}
430 
431 			break;
432 
433 		default:
434 			break;
435 		}
436 
437 		break;
438 
439 	case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
440 		if (user_set_cpu_affinity != 0) {
441 			struct proc *p = arg0;
442 
443 			if (kauth_cred_uidmatch(cred, p->p_cred))
444 				result = KAUTH_RESULT_ALLOW;
445 		}
446 		break;
447 
448 	default:
449 		break;
450 	}
451 
452 	return (result);
453 }
454 
455 static int
456 secmodel_extensions_network_cb(kauth_cred_t cred, kauth_action_t action,
457     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
458 {
459 	int result;
460 	enum kauth_network_req req;
461 
462 	result = KAUTH_RESULT_DEFER;
463 	req = (enum kauth_network_req)arg0;
464 
465 	if (action != KAUTH_NETWORK_SOCKET ||
466 	    req != KAUTH_REQ_NETWORK_SOCKET_CANSEE)
467 		return result;
468 
469 	if (curtain != 0) {
470 		struct socket *so = (struct socket *)arg1;
471 
472 		if (__predict_false(so == NULL || so->so_cred == NULL))
473 			return KAUTH_RESULT_DENY;
474 
475 		if (!kauth_cred_uidmatch(cred, so->so_cred)) {
476 			int error;
477 			bool isroot = false;
478 
479 			error = secmodel_eval("org.netbsd.secmodel.suser",
480 			    "is-root", cred, &isroot);
481 			if (error == 0 && !isroot)
482 				result = KAUTH_RESULT_DENY;
483 		}
484 	}
485 
486 	return (result);
487 }
488