1 /*-
2 * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * Copyright (c) 2005-2006 SPARTA, Inc.
6 * Copyright (c) 2008 Apple Inc.
7 * All rights reserved.
8 *
9 * This software was developed by Robert Watson and Ilmar Habibulin for the
10 * TrustedBSD Project.
11 *
12 * This software was developed for the FreeBSD Project in part by Network
13 * Associates Laboratories, the Security Research Division of Network
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
15 * as part of the DARPA CHATS research program.
16 *
17 * This software was enhanced by SPARTA ISSO under SPAWAR contract
18 * N66001-04-C-6019 ("SEFOS").
19 *
20 * This software was developed at the University of Cambridge Computer
21 * Laboratory with support from a grant from Google, Inc.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 *
32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * SUCH DAMAGE.
43 */
44
45 #include <sys/cdefs.h>
46 #include "opt_mac.h"
47
48 #include <sys/param.h>
49 #include <sys/capsicum.h>
50 #include <sys/fcntl.h>
51 #include <sys/kernel.h>
52 #include <sys/lock.h>
53 #include <sys/malloc.h>
54 #include <sys/mutex.h>
55 #include <sys/mac.h>
56 #include <sys/proc.h>
57 #include <sys/systm.h>
58 #include <sys/sysctl.h>
59 #include <sys/sysproto.h>
60 #include <sys/vnode.h>
61 #include <sys/mount.h>
62 #include <sys/file.h>
63 #include <sys/namei.h>
64 #include <sys/socket.h>
65 #include <sys/pipe.h>
66 #include <sys/socketvar.h>
67
68 #include <security/mac/mac_framework.h>
69 #include <security/mac/mac_internal.h>
70 #include <security/mac/mac_policy.h>
71
72 #ifdef MAC
73
74 FEATURE(security_mac, "Mandatory Access Control Framework support");
75
76 static int kern___mac_get_path(struct thread *td, const char *path_p,
77 struct mac *mac_p, int follow);
78 static int kern___mac_set_path(struct thread *td, const char *path_p,
79 struct mac *mac_p, int follow);
80
81 int
sys___mac_get_pid(struct thread * td,struct __mac_get_pid_args * uap)82 sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
83 {
84 char *elements, *buffer;
85 struct mac mac;
86 struct proc *tproc;
87 struct ucred *tcred;
88 int error;
89
90 error = copyin(uap->mac_p, &mac, sizeof(mac));
91 if (error)
92 return (error);
93
94 error = mac_check_structmac_consistent(&mac);
95 if (error)
96 return (error);
97
98 tproc = pfind(uap->pid);
99 if (tproc == NULL)
100 return (ESRCH);
101
102 tcred = NULL; /* Satisfy gcc. */
103 error = p_cansee(td, tproc);
104 if (error == 0)
105 tcred = crhold(tproc->p_ucred);
106 PROC_UNLOCK(tproc);
107 if (error)
108 return (error);
109
110 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
111 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
112 if (error) {
113 free(elements, M_MACTEMP);
114 crfree(tcred);
115 return (error);
116 }
117
118 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
119 error = mac_cred_externalize_label(tcred->cr_label, elements,
120 buffer, mac.m_buflen);
121 if (error == 0)
122 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
123
124 free(buffer, M_MACTEMP);
125 free(elements, M_MACTEMP);
126 crfree(tcred);
127 return (error);
128 }
129
130 int
sys___mac_get_proc(struct thread * td,struct __mac_get_proc_args * uap)131 sys___mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
132 {
133 char *elements, *buffer;
134 struct mac mac;
135 int error;
136
137 error = copyin(uap->mac_p, &mac, sizeof(mac));
138 if (error)
139 return (error);
140
141 error = mac_check_structmac_consistent(&mac);
142 if (error)
143 return (error);
144
145 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
146 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
147 if (error) {
148 free(elements, M_MACTEMP);
149 return (error);
150 }
151
152 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
153 error = mac_cred_externalize_label(td->td_ucred->cr_label,
154 elements, buffer, mac.m_buflen);
155 if (error == 0)
156 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
157
158 free(buffer, M_MACTEMP);
159 free(elements, M_MACTEMP);
160 return (error);
161 }
162
163 int
sys___mac_set_proc(struct thread * td,struct __mac_set_proc_args * uap)164 sys___mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
165 {
166 struct ucred *newcred, *oldcred;
167 struct label *intlabel;
168 struct proc *p;
169 struct mac mac;
170 char *buffer;
171 int error;
172
173 if (!(mac_labeled & MPC_OBJECT_CRED))
174 return (EINVAL);
175
176 error = copyin(uap->mac_p, &mac, sizeof(mac));
177 if (error)
178 return (error);
179
180 error = mac_check_structmac_consistent(&mac);
181 if (error)
182 return (error);
183
184 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
185 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
186 if (error) {
187 free(buffer, M_MACTEMP);
188 return (error);
189 }
190
191 intlabel = mac_cred_label_alloc();
192 error = mac_cred_internalize_label(intlabel, buffer);
193 free(buffer, M_MACTEMP);
194 if (error)
195 goto out;
196
197 newcred = crget();
198
199 p = td->td_proc;
200 PROC_LOCK(p);
201 oldcred = p->p_ucred;
202
203 error = mac_cred_check_relabel(oldcred, intlabel);
204 if (error) {
205 PROC_UNLOCK(p);
206 crfree(newcred);
207 goto out;
208 }
209
210 setsugid(p);
211 crcopy(newcred, oldcred);
212 mac_cred_relabel(newcred, intlabel);
213 proc_set_cred(p, newcred);
214
215 PROC_UNLOCK(p);
216 crfree(oldcred);
217 mac_proc_vm_revoke(td);
218
219 out:
220 mac_cred_label_free(intlabel);
221 return (error);
222 }
223
224 int
sys___mac_get_fd(struct thread * td,struct __mac_get_fd_args * uap)225 sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
226 {
227 char *elements, *buffer;
228 struct label *intlabel;
229 struct file *fp;
230 struct mac mac;
231 struct vnode *vp;
232 struct pipe *pipe;
233 struct socket *so;
234 cap_rights_t rights;
235 int error;
236
237 error = copyin(uap->mac_p, &mac, sizeof(mac));
238 if (error)
239 return (error);
240
241 error = mac_check_structmac_consistent(&mac);
242 if (error)
243 return (error);
244
245 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
246 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
247 if (error) {
248 free(elements, M_MACTEMP);
249 return (error);
250 }
251
252 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
253 error = fget(td, uap->fd, cap_rights_init_one(&rights, CAP_MAC_GET),
254 &fp);
255 if (error)
256 goto out;
257
258 switch (fp->f_type) {
259 case DTYPE_FIFO:
260 case DTYPE_VNODE:
261 if (!(mac_labeled & MPC_OBJECT_VNODE)) {
262 error = EINVAL;
263 goto out_fdrop;
264 }
265 vp = fp->f_vnode;
266 intlabel = mac_vnode_label_alloc();
267 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
268 mac_vnode_copy_label(vp->v_label, intlabel);
269 VOP_UNLOCK(vp);
270 error = mac_vnode_externalize_label(intlabel, elements,
271 buffer, mac.m_buflen);
272 mac_vnode_label_free(intlabel);
273 break;
274
275 case DTYPE_PIPE:
276 if (!(mac_labeled & MPC_OBJECT_PIPE)) {
277 error = EINVAL;
278 goto out_fdrop;
279 }
280 pipe = fp->f_data;
281 intlabel = mac_pipe_label_alloc();
282 PIPE_LOCK(pipe);
283 mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
284 PIPE_UNLOCK(pipe);
285 error = mac_pipe_externalize_label(intlabel, elements,
286 buffer, mac.m_buflen);
287 mac_pipe_label_free(intlabel);
288 break;
289
290 case DTYPE_SOCKET:
291 if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
292 error = EINVAL;
293 goto out_fdrop;
294 }
295 so = fp->f_data;
296 intlabel = mac_socket_label_alloc(M_WAITOK);
297 SOCK_LOCK(so);
298 mac_socket_copy_label(so->so_label, intlabel);
299 SOCK_UNLOCK(so);
300 error = mac_socket_externalize_label(intlabel, elements,
301 buffer, mac.m_buflen);
302 mac_socket_label_free(intlabel);
303 break;
304
305 default:
306 error = EINVAL;
307 }
308 if (error == 0)
309 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
310 out_fdrop:
311 fdrop(fp, td);
312 out:
313 free(buffer, M_MACTEMP);
314 free(elements, M_MACTEMP);
315 return (error);
316 }
317
318 int
sys___mac_get_file(struct thread * td,struct __mac_get_file_args * uap)319 sys___mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
320 {
321
322 return (kern___mac_get_path(td, uap->path_p, uap->mac_p, FOLLOW));
323 }
324
325 int
sys___mac_get_link(struct thread * td,struct __mac_get_link_args * uap)326 sys___mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
327 {
328
329 return (kern___mac_get_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
330 }
331
332 static int
kern___mac_get_path(struct thread * td,const char * path_p,struct mac * mac_p,int follow)333 kern___mac_get_path(struct thread *td, const char *path_p, struct mac *mac_p,
334 int follow)
335 {
336 char *elements, *buffer;
337 struct nameidata nd;
338 struct label *intlabel;
339 struct mac mac;
340 int error;
341
342 if (!(mac_labeled & MPC_OBJECT_VNODE))
343 return (EINVAL);
344
345 error = copyin(mac_p, &mac, sizeof(mac));
346 if (error)
347 return (error);
348
349 error = mac_check_structmac_consistent(&mac);
350 if (error)
351 return (error);
352
353 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
354 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
355 if (error) {
356 free(elements, M_MACTEMP);
357 return (error);
358 }
359
360 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
361 NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p);
362 error = namei(&nd);
363 if (error)
364 goto out;
365
366 intlabel = mac_vnode_label_alloc();
367 mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
368 error = mac_vnode_externalize_label(intlabel, elements, buffer,
369 mac.m_buflen);
370 vput(nd.ni_vp);
371 NDFREE_PNBUF(&nd);
372 mac_vnode_label_free(intlabel);
373
374 if (error == 0)
375 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
376
377 out:
378 free(buffer, M_MACTEMP);
379 free(elements, M_MACTEMP);
380
381 return (error);
382 }
383
384 int
sys___mac_set_fd(struct thread * td,struct __mac_set_fd_args * uap)385 sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
386 {
387 struct label *intlabel;
388 struct pipe *pipe;
389 struct socket *so;
390 struct file *fp;
391 struct mount *mp;
392 struct vnode *vp;
393 struct mac mac;
394 cap_rights_t rights;
395 char *buffer;
396 int error;
397
398 error = copyin(uap->mac_p, &mac, sizeof(mac));
399 if (error)
400 return (error);
401
402 error = mac_check_structmac_consistent(&mac);
403 if (error)
404 return (error);
405
406 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
407 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
408 if (error) {
409 free(buffer, M_MACTEMP);
410 return (error);
411 }
412
413 error = fget(td, uap->fd, cap_rights_init_one(&rights, CAP_MAC_SET),
414 &fp);
415 if (error)
416 goto out;
417
418 switch (fp->f_type) {
419 case DTYPE_FIFO:
420 case DTYPE_VNODE:
421 if (!(mac_labeled & MPC_OBJECT_VNODE)) {
422 error = EINVAL;
423 goto out_fdrop;
424 }
425 intlabel = mac_vnode_label_alloc();
426 error = mac_vnode_internalize_label(intlabel, buffer);
427 if (error) {
428 mac_vnode_label_free(intlabel);
429 break;
430 }
431 vp = fp->f_vnode;
432 error = vn_start_write(vp, &mp, V_WAIT | V_PCATCH);
433 if (error != 0) {
434 mac_vnode_label_free(intlabel);
435 break;
436 }
437 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
438 error = vn_setlabel(vp, intlabel, td->td_ucred);
439 VOP_UNLOCK(vp);
440 vn_finished_write(mp);
441 mac_vnode_label_free(intlabel);
442 break;
443
444 case DTYPE_PIPE:
445 if (!(mac_labeled & MPC_OBJECT_PIPE)) {
446 error = EINVAL;
447 goto out_fdrop;
448 }
449 intlabel = mac_pipe_label_alloc();
450 error = mac_pipe_internalize_label(intlabel, buffer);
451 if (error == 0) {
452 pipe = fp->f_data;
453 PIPE_LOCK(pipe);
454 error = mac_pipe_label_set(td->td_ucred,
455 pipe->pipe_pair, intlabel);
456 PIPE_UNLOCK(pipe);
457 }
458 mac_pipe_label_free(intlabel);
459 break;
460
461 case DTYPE_SOCKET:
462 if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
463 error = EINVAL;
464 goto out_fdrop;
465 }
466 intlabel = mac_socket_label_alloc(M_WAITOK);
467 error = mac_socket_internalize_label(intlabel, buffer);
468 if (error == 0) {
469 so = fp->f_data;
470 error = mac_socket_label_set(td->td_ucred, so,
471 intlabel);
472 }
473 mac_socket_label_free(intlabel);
474 break;
475
476 default:
477 error = EINVAL;
478 }
479 out_fdrop:
480 fdrop(fp, td);
481 out:
482 free(buffer, M_MACTEMP);
483 return (error);
484 }
485
486 int
sys___mac_set_file(struct thread * td,struct __mac_set_file_args * uap)487 sys___mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
488 {
489
490 return (kern___mac_set_path(td, uap->path_p, uap->mac_p, FOLLOW));
491 }
492
493 int
sys___mac_set_link(struct thread * td,struct __mac_set_link_args * uap)494 sys___mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
495 {
496
497 return (kern___mac_set_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
498 }
499
500 static int
kern___mac_set_path(struct thread * td,const char * path_p,struct mac * mac_p,int follow)501 kern___mac_set_path(struct thread *td, const char *path_p, struct mac *mac_p,
502 int follow)
503 {
504 struct label *intlabel;
505 struct nameidata nd;
506 struct mount *mp;
507 struct mac mac;
508 char *buffer;
509 int error;
510
511 if (!(mac_labeled & MPC_OBJECT_VNODE))
512 return (EINVAL);
513
514 error = copyin(mac_p, &mac, sizeof(mac));
515 if (error)
516 return (error);
517
518 error = mac_check_structmac_consistent(&mac);
519 if (error)
520 return (error);
521
522 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
523 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
524 if (error) {
525 free(buffer, M_MACTEMP);
526 return (error);
527 }
528
529 intlabel = mac_vnode_label_alloc();
530 error = mac_vnode_internalize_label(intlabel, buffer);
531 free(buffer, M_MACTEMP);
532 if (error)
533 goto out;
534
535 NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p);
536 error = namei(&nd);
537 if (error == 0) {
538 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | V_PCATCH);
539 if (error == 0) {
540 error = vn_setlabel(nd.ni_vp, intlabel,
541 td->td_ucred);
542 vn_finished_write(mp);
543 }
544 vput(nd.ni_vp);
545 NDFREE_PNBUF(&nd);
546 }
547 out:
548 mac_vnode_label_free(intlabel);
549 return (error);
550 }
551
552 int
sys_mac_syscall(struct thread * td,struct mac_syscall_args * uap)553 sys_mac_syscall(struct thread *td, struct mac_syscall_args *uap)
554 {
555 struct mac_policy_conf *mpc;
556 char target[MAC_MAX_POLICY_NAME];
557 int error;
558
559 error = copyinstr(uap->policy, target, sizeof(target), NULL);
560 if (error)
561 return (error);
562
563 error = ENOSYS;
564 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {
565 if (strcmp(mpc->mpc_name, target) == 0 &&
566 mpc->mpc_ops->mpo_syscall != NULL) {
567 error = mpc->mpc_ops->mpo_syscall(td,
568 uap->call, uap->arg);
569 goto out;
570 }
571 }
572
573 if (!LIST_EMPTY(&mac_policy_list)) {
574 mac_policy_slock_sleep();
575 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
576 if (strcmp(mpc->mpc_name, target) == 0 &&
577 mpc->mpc_ops->mpo_syscall != NULL) {
578 error = mpc->mpc_ops->mpo_syscall(td,
579 uap->call, uap->arg);
580 break;
581 }
582 }
583 mac_policy_sunlock_sleep();
584 }
585 out:
586 return (error);
587 }
588
589 #else /* !MAC */
590
591 int
sys___mac_get_pid(struct thread * td,struct __mac_get_pid_args * uap)592 sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
593 {
594
595 return (ENOSYS);
596 }
597
598 int
sys___mac_get_proc(struct thread * td,struct __mac_get_proc_args * uap)599 sys___mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
600 {
601
602 return (ENOSYS);
603 }
604
605 int
sys___mac_set_proc(struct thread * td,struct __mac_set_proc_args * uap)606 sys___mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
607 {
608
609 return (ENOSYS);
610 }
611
612 int
sys___mac_get_fd(struct thread * td,struct __mac_get_fd_args * uap)613 sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
614 {
615
616 return (ENOSYS);
617 }
618
619 int
sys___mac_get_file(struct thread * td,struct __mac_get_file_args * uap)620 sys___mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
621 {
622
623 return (ENOSYS);
624 }
625
626 int
sys___mac_get_link(struct thread * td,struct __mac_get_link_args * uap)627 sys___mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
628 {
629
630 return (ENOSYS);
631 }
632
633 int
sys___mac_set_fd(struct thread * td,struct __mac_set_fd_args * uap)634 sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
635 {
636
637 return (ENOSYS);
638 }
639
640 int
sys___mac_set_file(struct thread * td,struct __mac_set_file_args * uap)641 sys___mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
642 {
643
644 return (ENOSYS);
645 }
646
647 int
sys___mac_set_link(struct thread * td,struct __mac_set_link_args * uap)648 sys___mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
649 {
650
651 return (ENOSYS);
652 }
653
654 int
sys_mac_syscall(struct thread * td,struct mac_syscall_args * uap)655 sys_mac_syscall(struct thread *td, struct mac_syscall_args *uap)
656 {
657
658 return (ENOSYS);
659 }
660
661 #endif /* !MAC */
662