xref: /netbsd-src/sys/secmodel/keylock/secmodel_keylock.c (revision a5847cc334d9a7029f6352b847e9e8d71a0f9e0c) 
1 /* $NetBSD: secmodel_keylock.c,v 1.5 2009/10/19 08:20:21 cegger Exp $ */
2 /*-
3  * Copyright (c) 2009 Marc Balmer <marc@msys.ch>
4  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. The name of the author may not be used to endorse or promote products
16  *    derived from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 /*
31  * This file contains kauth(9) listeners needed to implement an experimental
32  * keylock based security scheme.
33  *
34  * The position of the keylock is a system-global indication on what
35  * operations are allowed or not. It affects all users, including root.
36  *
37  * Rules:
38  *
39  * - If the number of possible keylock positions is 0, assume there is no
40  *   keylock present, do not dissallow any action, i.e. do nothing
41  *
42  * - If the number of possible keylock positions is greater than 0, but the
43  *   current lock position is 0, assume tampering with the lock and forbid
44  *   all actions.
45  *
46  * - If the lock is in the lowest position, assume the system is locked and
47  *   forbid most actions.
48  *
49  * - If the lock is in the highest position, assume the system to be open and
50  *   forbid nothing.
51  *
52  * - If the security.models.keylock.order sysctl is set to a value != 0,
53  *   reverse this order.
54  */
55 
56 #include <sys/cdefs.h>
57 __KERNEL_RCSID(0, "$NetBSD: secmodel_keylock.c,v 1.5 2009/10/19 08:20:21 cegger Exp $");
58 
59 #include <sys/types.h>
60 #include <sys/param.h>
61 #include <sys/kauth.h>
62 
63 #include <sys/conf.h>
64 #include <sys/mount.h>
65 #include <sys/sysctl.h>
66 #include <sys/vnode.h>
67 #include <sys/timevar.h>
68 
69 #include <dev/keylock.h>
70 
71 #include <miscfs/specfs/specdev.h>
72 
73 #include <secmodel/keylock/keylock.h>
74 
75 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device;
76 
77 SYSCTL_SETUP(sysctl_security_keylock_setup,
78     "sysctl security keylock setup")
79 {
80 	const struct sysctlnode *rnode;
81 
82 	sysctl_createv(clog, 0, NULL, &rnode,
83 		       CTLFLAG_PERMANENT,
84 		       CTLTYPE_NODE, "security", NULL,
85 		       NULL, 0, NULL, 0,
86 		       CTL_SECURITY, CTL_EOL);
87 
88 	sysctl_createv(clog, 0, &rnode, &rnode,
89 		       CTLFLAG_PERMANENT,
90 		       CTLTYPE_NODE, "models", NULL,
91 		       NULL, 0, NULL, 0,
92 		       CTL_CREATE, CTL_EOL);
93 
94 	sysctl_createv(clog, 0, &rnode, &rnode,
95 		       CTLFLAG_PERMANENT,
96 		       CTLTYPE_NODE, "keylock",
97 		       SYSCTL_DESCR("Keylock security model"),
98 		       NULL, 0, NULL, 0,
99 		       CTL_CREATE, CTL_EOL);
100 
101 	sysctl_createv(clog, 0, &rnode, NULL,
102 		       CTLFLAG_PERMANENT,
103 		       CTLTYPE_STRING, "name", NULL,
104 		       NULL, 0, __UNCONST("Keylock"), 0,
105 		       CTL_CREATE, CTL_EOL);
106 }
107 
108 void
109 secmodel_keylock_init(void)
110 {
111 }
112 
113 void
114 secmodel_keylock_start(void)
115 {
116 	l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
117 	    secmodel_keylock_system_cb, NULL);
118 	l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
119 	    secmodel_keylock_process_cb, NULL);
120 	l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
121 	    secmodel_keylock_network_cb, NULL);
122 	l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
123 	    secmodel_keylock_machdep_cb, NULL);
124 	l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
125 	    secmodel_keylock_device_cb, NULL);
126 }
127 
128 void
129 secmodel_keylock_stop(void)
130 {
131 	kauth_unlisten_scope(l_system);
132 	kauth_unlisten_scope(l_process);
133 	kauth_unlisten_scope(l_network);
134 	kauth_unlisten_scope(l_machdep);
135 	kauth_unlisten_scope(l_device);
136 }
137 
138 /*
139  * kauth(9) listener
140  *
141  * Security model: Multi-position keylock
142  * Scope: System
143  * Responsibility: Keylock
144  */
145 int
146 secmodel_keylock_system_cb(kauth_cred_t cred,
147     kauth_action_t action, void *cookie, void *arg0, void *arg1,
148     void *arg2, void *arg3)
149 {
150 	int result;
151 	enum kauth_system_req req;
152 	int kstate;
153 
154 	kstate = keylock_state();
155 	if (kstate == KEYLOCK_ABSENT)
156 		return KAUTH_RESULT_DEFER;
157 	else if (kstate == KEYLOCK_TAMPER)
158 		return KAUTH_RESULT_DENY;
159 
160 	result = KAUTH_RESULT_DEFER;
161 	req = (enum kauth_system_req)arg0;
162 
163 	switch (action) {
164 	case KAUTH_SYSTEM_CHSYSFLAGS:
165 		if (kstate == KEYLOCK_CLOSE)
166 			result = KAUTH_RESULT_DENY;
167 		break;
168 
169 	case KAUTH_SYSTEM_TIME:
170 		switch (req) {
171 		case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
172 			if (kstate == KEYLOCK_CLOSE)
173 				result = KAUTH_RESULT_DENY;
174 			break;
175 
176 		case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
177 			struct timespec *ts = arg1;
178 			struct timespec *delta = arg2;
179 
180 			if (keylock_position() > 1 && time_wraps(ts, delta))
181 				result = KAUTH_RESULT_DENY;
182 			break;
183 		}
184 		default:
185 			break;
186 		}
187 		break;
188 
189 	case KAUTH_SYSTEM_MODULE:
190 		if (kstate == KEYLOCK_CLOSE)
191 			result = KAUTH_RESULT_DENY;
192 		break;
193 
194 	case KAUTH_SYSTEM_MOUNT:
195 		switch (req) {
196 		case KAUTH_REQ_SYSTEM_MOUNT_NEW:
197 			if (kstate == KEYLOCK_CLOSE)
198 				result = KAUTH_RESULT_DENY;
199 
200 			break;
201 
202 		case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
203 			if (kstate == KEYLOCK_CLOSE) {
204 				struct mount *mp = arg1;
205 				u_long flags = (u_long)arg2;
206 
207 				/*
208 				 * Can only degrade from read/write to
209 				 * read-only.
210 				 */
211 				if (flags != (mp->mnt_flag | MNT_RDONLY |
212 				    MNT_RELOAD | MNT_FORCE | MNT_UPDATE))
213 					result = KAUTH_RESULT_DENY;
214 			}
215 			break;
216 		default:
217 			break;
218 		}
219 
220 		break;
221 
222 	case KAUTH_SYSTEM_SYSCTL:
223 		switch (req) {
224 		case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
225 		case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
226 		case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
227 			if (kstate == KEYLOCK_CLOSE)
228 				result = KAUTH_RESULT_DENY;
229 			break;
230 		default:
231 			break;
232 		}
233 		break;
234 
235 	case KAUTH_SYSTEM_SETIDCORE:
236 		if (kstate == KEYLOCK_CLOSE)
237 			result = KAUTH_RESULT_DENY;
238 		break;
239 
240 	case KAUTH_SYSTEM_DEBUG:
241 		switch (req) {
242 		case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
243 			if (kstate == KEYLOCK_CLOSE)
244 				result = KAUTH_RESULT_DENY;
245 			break;
246 		default:
247 			break;
248 		}
249 		break;
250 	}
251 
252 	return result;
253 }
254 
255 /*
256  * kauth(9) listener
257  *
258  * Security model: Multi-position keylock
259  * Scope: Process
260  * Responsibility: Keylock
261  */
262 int
263 secmodel_keylock_process_cb(kauth_cred_t cred,
264     kauth_action_t action, void *cookie, void *arg0,
265     void *arg1, void *arg2, void *arg3)
266 {
267 	struct proc *p;
268 	int result, kstate;
269 
270 	kstate = keylock_state();
271 	if (kstate == KEYLOCK_ABSENT)
272 		return KAUTH_RESULT_DEFER;
273 	else if (kstate == KEYLOCK_TAMPER)
274 		return KAUTH_RESULT_DENY;
275 
276 	result = KAUTH_RESULT_DEFER;
277 	p = arg0;
278 
279 	switch (action) {
280 	case KAUTH_PROCESS_PROCFS: {
281 		enum kauth_process_req req;
282 
283 		req = (enum kauth_process_req)arg2;
284 		switch (req) {
285 		case KAUTH_REQ_PROCESS_PROCFS_READ:
286 			break;
287 
288 		case KAUTH_REQ_PROCESS_PROCFS_RW:
289 		case KAUTH_REQ_PROCESS_PROCFS_WRITE:
290 			if ((p == initproc) && (kstate != KEYLOCK_OPEN))
291 				result = KAUTH_RESULT_DENY;
292 
293 			break;
294 		default:
295 			break;
296 		}
297 
298 		break;
299 		}
300 
301 	case KAUTH_PROCESS_PTRACE:
302 		if ((p == initproc) && (kstate != KEYLOCK_OPEN))
303 			result = KAUTH_RESULT_DENY;
304 
305 		break;
306 
307 	case KAUTH_PROCESS_CORENAME:
308 		if (kstate == KEYLOCK_CLOSE)
309 			result = KAUTH_RESULT_DENY;
310 		break;
311 	}
312 	return result;
313 }
314 
315 /*
316  * kauth(9) listener
317  *
318  * Security model: Multi-position keylock
319  * Scope: Network
320  * Responsibility: Keylock
321  */
322 int
323 secmodel_keylock_network_cb(kauth_cred_t cred,
324     kauth_action_t action, void *cookie, void *arg0,
325     void *arg1, void *arg2, void *arg3)
326 {
327 	int result, kstate;
328 	enum kauth_network_req req;
329 
330 	kstate = keylock_state();
331 	if (kstate == KEYLOCK_ABSENT)
332 		return KAUTH_RESULT_DEFER;
333 	else if (kstate == KEYLOCK_TAMPER)
334 		return KAUTH_RESULT_DENY;
335 
336 	result = KAUTH_RESULT_DEFER;
337 	req = (enum kauth_network_req)arg0;
338 
339 	switch (action) {
340 	case KAUTH_NETWORK_FIREWALL:
341 		switch (req) {
342 		case KAUTH_REQ_NETWORK_FIREWALL_FW:
343 		case KAUTH_REQ_NETWORK_FIREWALL_NAT:
344 			if (kstate == KEYLOCK_CLOSE)
345 				result = KAUTH_RESULT_DENY;
346 			break;
347 
348 		default:
349 			break;
350 		}
351 		break;
352 
353 	case KAUTH_NETWORK_FORWSRCRT:
354 		if (kstate != KEYLOCK_OPEN)
355 			result = KAUTH_RESULT_DENY;
356 		break;
357 	}
358 
359 	return result;
360 }
361 
362 /*
363  * kauth(9) listener
364  *
365  * Security model: Multi-position keylock
366  * Scope: Machdep
367  * Responsibility: Keylock
368  */
369 int
370 secmodel_keylock_machdep_cb(kauth_cred_t cred,
371     kauth_action_t action, void *cookie, void *arg0,
372     void *arg1, void *arg2, void *arg3)
373 {
374         int result, kstate;
375 
376 	kstate = keylock_state();
377 	if (kstate == KEYLOCK_ABSENT)
378 		return KAUTH_RESULT_DEFER;
379 	else if (kstate == KEYLOCK_TAMPER)
380 		return KAUTH_RESULT_DENY;
381 
382         result = KAUTH_RESULT_DEFER;
383 
384         switch (action) {
385 	case KAUTH_MACHDEP_IOPERM_SET:
386 	case KAUTH_MACHDEP_IOPL:
387 		if (kstate != KEYLOCK_OPEN)
388 			result = KAUTH_RESULT_DENY;
389 		break;
390 
391 	case KAUTH_MACHDEP_UNMANAGEDMEM:
392 		if (kstate != KEYLOCK_OPEN)
393 			result = KAUTH_RESULT_DENY;
394 		break;
395 	}
396 
397 	return result;
398 }
399 
400 /*
401  * kauth(9) listener
402  *
403  * Security model: Multi-position keylock
404  * Scope: Device
405  * Responsibility: Keylock
406  */
407 int
408 secmodel_keylock_device_cb(kauth_cred_t cred,
409     kauth_action_t action, void *cookie, void *arg0,
410     void *arg1, void *arg2, void *arg3)
411 {
412 	int result, kstate, error;
413 
414 	kstate = keylock_state();
415 	if (kstate == KEYLOCK_ABSENT)
416 		return KAUTH_RESULT_DEFER;
417 	else if (kstate == KEYLOCK_TAMPER)
418 		return KAUTH_RESULT_DENY;
419 
420 	result = KAUTH_RESULT_DEFER;
421 
422 	switch (action) {
423 	case KAUTH_DEVICE_RAWIO_SPEC: {
424 		struct vnode *vp;
425 		enum kauth_device_req req;
426 
427 		req = (enum kauth_device_req)arg0;
428 		vp = arg1;
429 
430 		KASSERT(vp != NULL);
431 
432 		/* Handle /dev/mem and /dev/kmem. */
433 		if (iskmemvp(vp)) {
434 			switch (req) {
435 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
436 				break;
437 
438 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
439 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
440 				if (kstate != KEYLOCK_OPEN)
441 					result = KAUTH_RESULT_DENY;
442 				break;
443 			default:
444 				break;
445 			}
446 			break;
447 		}
448 
449 		switch (req) {
450 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
451 			break;
452 
453 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
454 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
455 			error = rawdev_mounted(vp, NULL);
456 
457 			if (error == EINVAL)
458 				break;
459 
460 			if (error && (kstate != KEYLOCK_OPEN))
461 				break;
462 
463 			if (kstate == KEYLOCK_CLOSE)
464 				result = KAUTH_RESULT_DENY;
465 
466 			break;
467 		default:
468 			break;
469 		}
470 		break;
471 		}
472 
473 	case KAUTH_DEVICE_RAWIO_PASSTHRU:
474 		if (kstate != KEYLOCK_OPEN) {
475 			u_long bits;
476 
477 			bits = (u_long)arg0;
478 
479 			KASSERT(bits != 0);
480 			KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL)
481 			    == 0);
482 
483 			if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
484 				result = KAUTH_RESULT_DENY;
485 		}
486 		break;
487 
488 	case KAUTH_DEVICE_GPIO_PINSET:
489 		if (kstate != KEYLOCK_OPEN)
490 			result = KAUTH_RESULT_DENY;
491 		break;
492 	default:
493 		break;
494 	}
495 	return result;
496 }
497