xref: /netbsd-src/sys/secmodel/securelevel/secmodel_securelevel.c (revision 10ad5ffa714ce1a679dcc9dd8159648df2d67b5a) 
1 /* $NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $ */
2 /*-
3  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  * 3. The name of the author may not be used to endorse or promote products
15  *    derived from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /*
30  * This file contains kauth(9) listeners needed to implement the traditional
31  * NetBSD securelevel.
32  *
33  * The securelevel is a system-global indication on what operations are
34  * allowed or not. It affects all users, including root.
35  */
36 
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $");
39 
40 #ifdef _KERNEL_OPT
41 #include "opt_insecure.h"
42 #endif /* _KERNEL_OPT */
43 
44 #include <sys/types.h>
45 #include <sys/param.h>
46 #include <sys/kauth.h>
47 
48 #include <sys/conf.h>
49 #include <sys/mount.h>
50 #include <sys/sysctl.h>
51 #include <sys/vnode.h>
52 
53 #include <miscfs/specfs/specdev.h>
54 
55 #include <secmodel/securelevel/securelevel.h>
56 
57 static int securelevel;
58 
59 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device;
60 
61 /*
62  * sysctl helper routine for securelevel. ensures that the value
63  * only rises unless the caller has pid 1 (assumed to be init).
64  */
65 int
66 secmodel_securelevel_sysctl(SYSCTLFN_ARGS)
67 {
68 	int newsecurelevel, error;
69 	struct sysctlnode node;
70 
71 	newsecurelevel = securelevel;
72 	node = *rnode;
73 	node.sysctl_data = &newsecurelevel;
74 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
75 	if (error || newp == NULL)
76 		return (error);
77 
78 	if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1)
79 		return (EPERM);
80 
81 	securelevel = newsecurelevel;
82 
83 	return (error);
84 }
85 
86 void
87 secmodel_securelevel_init(void)
88 {
89 #ifdef INSECURE
90 	securelevel = -1;
91 #else
92 	securelevel = 0;
93 #endif /* INSECURE */
94 }
95 
96 SYSCTL_SETUP(sysctl_security_securelevel_setup,
97     "sysctl security securelevel setup")
98 {
99 	/*
100 	 * For compatibility, we create a kern.securelevel variable.
101 	 */
102 	sysctl_createv(clog, 0, NULL, NULL,
103 		       CTLFLAG_PERMANENT,
104 		       CTLTYPE_NODE, "kern", NULL,
105 		       NULL, 0, NULL, 0,
106 		       CTL_KERN, CTL_EOL);
107 
108 	sysctl_createv(clog, 0, NULL, NULL,
109 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
110 		       CTLTYPE_INT, "securelevel",
111 		       SYSCTL_DESCR("System security level"),
112 		       secmodel_securelevel_sysctl, 0, NULL, 0,
113 		       CTL_KERN, KERN_SECURELVL, CTL_EOL);
114 }
115 
116 void
117 secmodel_securelevel_start(void)
118 {
119 	l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
120 	    secmodel_securelevel_system_cb, NULL);
121 	l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
122 	    secmodel_securelevel_process_cb, NULL);
123 	l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
124 	    secmodel_securelevel_network_cb, NULL);
125 	l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
126 	    secmodel_securelevel_machdep_cb, NULL);
127 	l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
128 	    secmodel_securelevel_device_cb, NULL);
129 }
130 
131 #if defined(_LKM)
132 void
133 secmodel_securelevel_stop(void)
134 {
135 	kauth_unlisten_scope(l_system);
136 	kauth_unlisten_scope(l_process);
137 	kauth_unlisten_scope(l_network);
138 	kauth_unlisten_scope(l_machdep);
139 	kauth_unlisten_scope(l_device);
140 }
141 #endif /* _LKM */
142 
143 /*
144  * kauth(9) listener
145  *
146  * Security model: Traditional NetBSD
147  * Scope: System
148  * Responsibility: Securelevel
149  */
150 int
151 secmodel_securelevel_system_cb(kauth_cred_t cred,
152     kauth_action_t action, void *cookie, void *arg0, void *arg1,
153     void *arg2, void *arg3)
154 {
155 	int result;
156 	enum kauth_system_req req;
157 
158 	result = KAUTH_RESULT_DEFER;
159 	req = (enum kauth_system_req)arg0;
160 
161 	switch (action) {
162 	case KAUTH_SYSTEM_CHSYSFLAGS:
163 		if (securelevel > 0)
164 			result = KAUTH_RESULT_DENY;
165 		break;
166 
167 	case KAUTH_SYSTEM_TIME:
168 		switch (req) {
169 		case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
170 			if (securelevel > 0)
171 				result = KAUTH_RESULT_DENY;
172 			break;
173 
174 		case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
175 			struct timespec *ts = arg1;
176 			struct timespec *delta = arg2;
177 
178 			/*
179 			 * Don't allow the time to be set forward so far it
180 			 * will wrap and become negative, thus allowing an
181 			 * attacker to bypass the next check below.  The
182 			 * cutoff is 1 year before rollover occurs, so even
183 			 * if the attacker uses adjtime(2) to move the time
184 			 * past the cutoff, it will take a very long time
185 			 * to get to the wrap point.
186 			 */
187 			if (securelevel > 1 &&
188 			    ((ts->tv_sec > LLONG_MAX - 365*24*60*60) ||
189 			     (delta->tv_sec < 0 || delta->tv_nsec < 0)))
190 				result = KAUTH_RESULT_DENY;
191 			break;
192 		}
193 
194 		default:
195 			break;
196 		}
197 		break;
198 
199 	case KAUTH_SYSTEM_MODULE:
200 		if (securelevel > 0)
201 			result = KAUTH_RESULT_DENY;
202 		break;
203 
204 	case KAUTH_SYSTEM_MOUNT:
205 		switch (req) {
206 		case KAUTH_REQ_SYSTEM_MOUNT_NEW:
207 			if (securelevel > 1)
208 				result = KAUTH_RESULT_DENY;
209 
210 			break;
211 
212 		case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
213 			if (securelevel > 1) {
214 				struct mount *mp = arg1;
215 				u_long flags = (u_long)arg2;
216 
217 				/* Can only degrade from read/write to read-only. */
218 				if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD |
219 				    MNT_FORCE | MNT_UPDATE))
220 					result = KAUTH_RESULT_DENY;
221 			}
222 
223 			break;
224 
225 		default:
226 			break;
227 		}
228 
229 		break;
230 
231 	case KAUTH_SYSTEM_SYSCTL:
232 		switch (req) {
233 		case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
234 		case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
235 		case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
236 			if (securelevel > 0)
237 				result = KAUTH_RESULT_DENY;
238 			break;
239 
240 		default:
241 			break;
242 		}
243 		break;
244 
245 	case KAUTH_SYSTEM_SETIDCORE:
246 		if (securelevel > 0)
247 			result = KAUTH_RESULT_DENY;
248 		break;
249 
250 	case KAUTH_SYSTEM_DEBUG:
251 		switch (req) {
252 		case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
253 			if (securelevel > 0)
254 				result = KAUTH_RESULT_DENY;
255 			break;
256 
257 		default:
258 			break;
259 		}
260 		break;
261 
262 	default:
263 		break;
264 	}
265 
266 	return (result);
267 }
268 
269 /*
270  * kauth(9) listener
271  *
272  * Security model: Traditional NetBSD
273  * Scope: Process
274  * Responsibility: Securelevel
275  */
276 int
277 secmodel_securelevel_process_cb(kauth_cred_t cred,
278     kauth_action_t action, void *cookie, void *arg0,
279     void *arg1, void *arg2, void *arg3)
280 {
281 	struct proc *p;
282 	int result;
283 
284 	result = KAUTH_RESULT_DEFER;
285 	p = arg0;
286 
287 	switch (action) {
288 	case KAUTH_PROCESS_PROCFS: {
289 		enum kauth_process_req req;
290 
291 		req = (enum kauth_process_req)arg2;
292 		switch (req) {
293 		case KAUTH_REQ_PROCESS_PROCFS_READ:
294 			break;
295 
296 		case KAUTH_REQ_PROCESS_PROCFS_RW:
297 		case KAUTH_REQ_PROCESS_PROCFS_WRITE:
298 			if ((p == initproc) && (securelevel > -1))
299 				result = KAUTH_RESULT_DENY;
300 
301 			break;
302 
303 		default:
304 			break;
305 		}
306 
307 		break;
308 		}
309 
310 	case KAUTH_PROCESS_PTRACE:
311 		if ((p == initproc) && (securelevel >= 0))
312 			result = KAUTH_RESULT_DENY;
313 
314 		break;
315 
316 	case KAUTH_PROCESS_CORENAME:
317 		if (securelevel > 1)
318 			result = KAUTH_RESULT_DENY;
319 		break;
320 
321 	default:
322 		break;
323 	}
324 
325 	return (result);
326 }
327 
328 /*
329  * kauth(9) listener
330  *
331  * Security model: Traditional NetBSD
332  * Scope: Network
333  * Responsibility: Securelevel
334  */
335 int
336 secmodel_securelevel_network_cb(kauth_cred_t cred,
337     kauth_action_t action, void *cookie, void *arg0,
338     void *arg1, void *arg2, void *arg3)
339 {
340 	int result;
341 	enum kauth_network_req req;
342 
343 	result = KAUTH_RESULT_DEFER;
344 	req = (enum kauth_network_req)arg0;
345 
346 	switch (action) {
347 	case KAUTH_NETWORK_FIREWALL:
348 		switch (req) {
349 		case KAUTH_REQ_NETWORK_FIREWALL_FW:
350 		case KAUTH_REQ_NETWORK_FIREWALL_NAT:
351 			if (securelevel > 1)
352 				result = KAUTH_RESULT_DENY;
353 			break;
354 
355 		default:
356 			break;
357 		}
358 		break;
359 
360 	case KAUTH_NETWORK_FORWSRCRT:
361 		if (securelevel > 0)
362 			result = KAUTH_RESULT_DENY;
363 		break;
364 
365 	default:
366 		break;
367 	}
368 
369 	return (result);
370 }
371 
372 /*
373  * kauth(9) listener
374  *
375  * Security model: Traditional NetBSD
376  * Scope: Machdep
377  * Responsibility: Securelevel
378  */
379 int
380 secmodel_securelevel_machdep_cb(kauth_cred_t cred,
381     kauth_action_t action, void *cookie, void *arg0,
382     void *arg1, void *arg2, void *arg3)
383 {
384         int result;
385 
386         result = KAUTH_RESULT_DEFER;
387 
388         switch (action) {
389 	case KAUTH_MACHDEP_IOPERM_SET:
390 	case KAUTH_MACHDEP_IOPL:
391 		if (securelevel > 0)
392 			result = KAUTH_RESULT_DENY;
393 		break;
394 
395 	case KAUTH_MACHDEP_UNMANAGEDMEM:
396 		if (securelevel > 0)
397 			result = KAUTH_RESULT_DENY;
398 		break;
399 
400 	default:
401 		break;
402 	}
403 
404 	return (result);
405 }
406 
407 /*
408  * kauth(9) listener
409  *
410  * Security model: Traditional NetBSD
411  * Scope: Device
412  * Responsibility: Securelevel
413  */
414 int
415 secmodel_securelevel_device_cb(kauth_cred_t cred,
416     kauth_action_t action, void *cookie, void *arg0,
417     void *arg1, void *arg2, void *arg3)
418 {
419 	int result;
420 
421 	result = KAUTH_RESULT_DEFER;
422 
423 	switch (action) {
424 	case KAUTH_DEVICE_RAWIO_SPEC: {
425 		struct vnode *vp, *bvp;
426 		enum kauth_device_req req;
427 		dev_t dev;
428 		int d_type;
429 
430 		req = (enum kauth_device_req)arg0;
431 		vp = arg1;
432 
433 		KASSERT(vp != NULL);
434 
435 		dev = vp->v_rdev;
436 		d_type = D_OTHER;
437 		bvp = NULL;
438 
439 		/* Handle /dev/mem and /dev/kmem. */
440 		if ((vp->v_type == VCHR) && iskmemdev(dev)) {
441 			switch (req) {
442 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
443 				break;
444 
445 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
446 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
447 				if (securelevel > 0)
448 					result = KAUTH_RESULT_DENY;
449 				break;
450 
451 			default:
452 				break;
453 			}
454 
455 			break;
456 		}
457 
458 		switch (req) {
459 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
460 			break;
461 
462 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
463 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
464 			switch (vp->v_type) {
465 			case VCHR: {
466 				const struct cdevsw *cdev;
467 
468 				cdev = cdevsw_lookup(dev);
469 				if (cdev != NULL) {
470 					dev_t blkdev;
471 
472 					blkdev = devsw_chr2blk(dev);
473 					if (blkdev != NODEV) {
474 						vfinddev(blkdev, VBLK, &bvp);
475 						if (bvp != NULL)
476 							d_type = (cdev->d_flag
477 							    & D_TYPEMASK);
478 					}
479 				}
480 
481 				break;
482 				}
483 			case VBLK: {
484 				const struct bdevsw *bdev;
485 
486 				bdev = bdevsw_lookup(dev);
487 				if (bdev != NULL)
488 					d_type = (bdev->d_flag & D_TYPEMASK);
489 
490 				bvp = vp;
491 
492 				break;
493 				}
494 
495 			default:
496 				break;
497 			}
498 
499 			if (d_type != D_DISK)
500 				break;
501 
502 			/*
503 			 * XXX: This is bogus. We should be failing the request
504 			 * XXX: not only if this specific slice is mounted, but
505 			 * XXX: if it's on a disk with any other mounted slice.
506 			 */
507 			if (vfs_mountedon(bvp) && (securelevel > 0))
508 				break;
509 
510 			if (securelevel > 1)
511 				result = KAUTH_RESULT_DENY;
512 
513 			break;
514 
515 		default:
516 			break;
517 		}
518 
519 		break;
520 		}
521 
522 	case KAUTH_DEVICE_RAWIO_PASSTHRU:
523 		if (securelevel > 0) {
524 			u_long bits;
525 
526 			bits = (u_long)arg0;
527 
528 			KASSERT(bits != 0);
529 			KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
530 
531 			if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
532 				result = KAUTH_RESULT_DENY;
533 		}
534 
535 		break;
536 
537 	case KAUTH_DEVICE_GPIO_PINSET:
538 		if (securelevel > 0)
539 			result = KAUTH_RESULT_DENY;
540 		break;
541 
542 	default:
543 		break;
544 	}
545 
546 	return (result);
547 }
548