/*	$NetBSD: secmodel_extensions_vfs.c,v 1.1 2023/04/22 13:54:19 riastradh Exp $	*/

/*-
 * Copyright (c) 2011 Elad Efrat <elad (at) NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions_vfs.c,v 1.1 2023/04/22 13:54:19 riastradh Exp $");

#include <sys/types.h>
#include <sys/param.h>

#include <sys/kauth.h>
#include <sys/vnode.h>

#include <secmodel/secmodel.h>
#include <secmodel/extensions/extensions.h>
#include <secmodel/extensions/extensions_impl.h>

/*
 * Policy knobs, exported through the sysctl nodes created in
 * secmodel_extensions_vfs_sysctl().  They are file-scope statics without
 * initializers, so all three start out as zero.
 *
 * The polarity differs between them:
 *  - dovfsusermount: zero makes the system-scope listener defer every
 *    mount request; nonzero lets it grant requests that pass its checks.
 *  - hardlink_check_uid / hardlink_check_gid: zero disables the check;
 *    nonzero makes the vnode-scope listener require root for links that
 *    fail the corresponding ownership/group test.
 */
static int dovfsusermount;
static int hardlink_check_uid;
static int hardlink_check_gid;

/* Listener handles, kept so that the listeners can be removed again. */
static kauth_listener_t l_system, l_vnode;

static int secmodel_extensions_system_cb(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);
static int secmodel_extensions_vnode_cb(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);

/*
 * Register the two kauth listeners implemented in this file: one on the
 * system scope (user mounts) and one on the vnode scope (hardlink checks).
 * The returned handles are stored without being checked.
 */
void
secmodel_extensions_vfs_start(void)
{

	l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
	    secmodel_extensions_system_cb, NULL);
	l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
	    secmodel_extensions_vnode_cb, NULL);
}

/*
 * Remove the listeners registered by secmodel_extensions_vfs_start().
 * After this returns, neither policy in this file is consulted any more.
 */
void
secmodel_extensions_vfs_stop(void)
{

	kauth_unlisten_scope(l_system);
	kauth_unlisten_scope(l_vnode);
}

/*
 * Create the sysctl nodes that expose the policy knobs.
 *
 * clog  - sysctl log handed through to every sysctl_createv() call.
 * rnode - parent node under which the three knobs are created.
 *
 * Every knob is read-write and routed through
 * sysctl_extensions_user_handler, which is declared elsewhere.
 * NOTE(review): that handler presumably constrains who may change the
 * value and in which direction -- confirm, since "usermount" widens what
 * unprivileged users may do when set.  The return values of
 * sysctl_createv() are not checked here.
 */
void
secmodel_extensions_vfs_sysctl(struct sysctllog **clog,
    const struct sysctlnode *rnode)
{

	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "usermount",
		       SYSCTL_DESCR("Whether unprivileged users may mount "
				    "filesystems"),
		       sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
		       CTL_CREATE, CTL_EOL);

	/*
	 * NOTE(review): the description below reads like a permission, but
	 * secmodel_extensions_vnode_cb() treats a nonzero value as "enforce
	 * the check": with hardlink_check_uid set, a non-root credential
	 * whose effective uid differs from the file owner is denied.
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "hardlink_check_uid",
		       SYSCTL_DESCR("Whether unprivileged users can hardlink "\
			    "to files they don't own"),
		       sysctl_extensions_user_handler, 0,
		       &hardlink_check_uid, 0,
		       CTL_CREATE, CTL_EOL);

	/* Same polarity as hardlink_check_uid: nonzero enables the check. */
	sysctl_createv(clog, 0, &rnode, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "hardlink_check_gid",
		       SYSCTL_DESCR("Whether unprivileged users can hardlink "\
			    "to files that are not in their " \
			    "group membership"),
		       sysctl_extensions_user_handler, 0,
		       &hardlink_check_gid, 0,
		       CTL_CREATE, CTL_EOL);

	/*
	 * Compatibility: vfs.generic.usermount
	 *
	 * This second node is backed by the same variable (dovfsusermount)
	 * as the "usermount" node above, so a write through either name
	 * changes the policy seen through both.
	 */
	sysctl_createv(clog, 0, NULL, NULL,
		       CTLFLAG_PERMANENT,
		       CTLTYPE_NODE, "generic",
		       SYSCTL_DESCR("Non-specific vfs related information"),
		       NULL, 0, NULL, 0,
		       CTL_VFS, VFS_GENERIC, CTL_EOL);

	sysctl_createv(clog, 0, NULL, NULL,
		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
		       CTLTYPE_INT, "usermount",
		       SYSCTL_DESCR("Whether unprivileged users may mount "
				    "filesystems"),
		       sysctl_extensions_user_handler, 0, &dovfsusermount, 0,
		       CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL);
}

/*
 * kauth(9) listener for the system scope: user-mount policy.
 *
 * cred   - credentials of the requester.
 * action - only KAUTH_SYSTEM_MOUNT is handled; anything else defers.
 * cookie - unused.
 * arg0   - the request (enum kauth_system_req), passed as a pointer-sized
 *          integer.
 * arg1   - a vnode for MOUNT_NEW, a struct mount for UNMOUNT and UPDATE.
 * arg2   - mount flags for MOUNT_NEW and UPDATE, passed as an integer.
 * arg3   - unused.
 *
 * Returns KAUTH_RESULT_ALLOW when the request passes every check below and
 * KAUTH_RESULT_DEFER otherwise.  This listener never returns
 * KAUTH_RESULT_DENY: it can only grant a request, and every failure path
 * (knob off, getattr error, ownership mismatch, policy rejection) falls
 * back to DEFER.
 */
static int
secmodel_extensions_system_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	vnode_t *vp;
	struct vattr va;
	struct mount *mp;
	u_long flags;
	int result;
	enum kauth_system_req req;
	int error;

	req = (enum kauth_system_req)(uintptr_t)arg0;
	result = KAUTH_RESULT_DEFER;

	switch (action) {
	case KAUTH_SYSTEM_MOUNT:
		/* User mounts disabled: grant nothing, for any request. */
		if (dovfsusermount == 0)
			break;
		switch (req) {
		case KAUTH_REQ_SYSTEM_MOUNT_NEW:
			vp = (vnode_t *)arg1;
			/* The mount that vp itself belongs to. */
			mp = vp->v_mount;
			flags = (u_long)arg2;

			/*
			 * Ensure that the user owns the directory onto which
			 * the mount is attempted.  The attributes are read
			 * under a shared vnode lock, which is dropped before
			 * the owner is compared.
			 */
			vn_lock(vp, LK_SHARED | LK_RETRY);
			error = VOP_GETATTR(vp, &va, cred);
			VOP_UNLOCK(vp);
			/* Owner unknown: do not grant. */
			if (error)
				break;

			if (va.va_uid != kauth_cred_geteuid(cred))
				break;

			/*
			 * usermount_common_policy() is defined elsewhere;
			 * a nonzero return is treated as a rejection.
			 */
			error = usermount_common_policy(mp, flags);
			if (error)
				break;

			result = KAUTH_RESULT_ALLOW;

			break;

		case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
			mp = arg1;

			/* Must own the mount. */
			if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred))
				result = KAUTH_RESULT_ALLOW;

			break;

		case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
			mp = arg1;
			flags = (u_long)arg2;

			/*
			 * Must own the mount, and the requested flags must
			 * pass the same policy that a new mount is held to.
			 */
			if (mp->mnt_stat.f_owner == kauth_cred_geteuid(cred) &&
			    usermount_common_policy(mp, flags) == 0)
				result = KAUTH_RESULT_ALLOW;

			break;

		default:
			break;
		}
		break;

	default:
		break;
	}

	return (result);
}

/*
 * kauth(9) listener for the vnode scope: hardlink restrictions.
 *
 * cred   - credentials of the requester.
 * action - bitmask; only KAUTH_VNODE_ADD_LINK is acted on.
 * cookie - unused.
 * arg0   - vnode whose attributes are checked (the link target).
 * arg1, arg2, arg3 - unused.
 *
 * Returns KAUTH_RESULT_DENY or KAUTH_RESULT_DEFER, never
 * KAUTH_RESULT_ALLOW: this listener can only veto a link, it cannot grant
 * one.
 *
 * NOTE(review): VOP_GETATTR() is called here without taking the vnode
 * lock, unlike the mount path in secmodel_extensions_system_cb();
 * presumably the caller already holds it -- confirm.
 */
static int
secmodel_extensions_vnode_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int error;
	bool isroot;
	struct vattr va;

	if ((action & KAUTH_VNODE_ADD_LINK) == 0)
		return KAUTH_RESULT_DEFER;

	/*
	 * Fail closed: if the attributes cannot be read, the request is sent
	 * to the root check even when both hardlink knobs are zero.
	 */
	error = VOP_GETATTR((vnode_t *)arg0, &va, cred);
	if (error)
		goto checkroot;

	if (hardlink_check_uid && kauth_cred_geteuid(cred) != va.va_uid)
		goto checkroot;

	/*
	 * A nonzero return from kauth_cred_groupmember() is treated as
	 * "not a member of the file's group" -- confirm against kauth(9).
	 */
	if (hardlink_check_gid && kauth_cred_groupmember(cred, va.va_gid) != 0)
		goto checkroot;

	return KAUTH_RESULT_DEFER;
checkroot:
	/*
	 * Ask the suser secmodel whether cred is root.  An evaluation error
	 * is treated the same as "not root", so the link is denied.
	 */
	error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
	    cred, &isroot);
	if (error || !isroot)
		return KAUTH_RESULT_DENY;

	return KAUTH_RESULT_DEFER;
}