secmodel_keylock.c revision 1.4
1 /* $NetBSD: secmodel_keylock.c,v 1.4 2009/10/06 04:28:10 elad Exp $ */ 2 /*- 3 * Copyright (c) 2009 Marc Balmer <marc (at) msys.ch> 4 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This file contains kauth(9) listeners needed to implement an experimental 32 * keylock based security scheme. 33 * 34 * The position of the keylock is a system-global indication on what 35 * operations are allowed or not. It affects all users, including root. 36 * 37 * Rules: 38 * 39 * - If the number of possible keylock positions is 0, assume there is no 40 * keylock present, do not dissallow any action, i.e. do nothing 41 * 42 * - If the number of possible keylock positions is greater than 0, but the 43 * current lock position is 0, assume tampering with the lock and forbid 44 * all actions. 45 * 46 * - If the lock is in the lowest position, assume the system is locked and 47 * forbid most actions. 48 * 49 * - If the lock is in the highest position, assume the system to be open and 50 * forbid nothing. 51 * 52 * - If the security.models.keylock.order sysctl is set to a value != 0, 53 * reverse this order. 54 */ 55 56 #include <sys/cdefs.h> 57 __KERNEL_RCSID(0, "$NetBSD: secmodel_keylock.c,v 1.4 2009/10/06 04:28:10 elad Exp $"); 58 59 #include <sys/types.h> 60 #include <sys/param.h> 61 #include <sys/kauth.h> 62 63 #include <sys/conf.h> 64 #include <sys/mount.h> 65 #include <sys/sysctl.h> 66 #include <sys/vnode.h> 67 #include <sys/timevar.h> 68 69 #include <dev/keylock.h> 70 71 #include <miscfs/specfs/specdev.h> 72 73 #include <secmodel/keylock/keylock.h> 74 75 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; 76 77 SYSCTL_SETUP(sysctl_security_keylock_setup, 78 "sysctl security keylock setup") 79 { 80 const struct sysctlnode *rnode; 81 82 sysctl_createv(clog, 0, NULL, &rnode, 83 CTLFLAG_PERMANENT, 84 CTLTYPE_NODE, "security", NULL, 85 NULL, 0, NULL, 0, 86 CTL_SECURITY, CTL_EOL); 87 88 sysctl_createv(clog, 0, &rnode, &rnode, 89 CTLFLAG_PERMANENT, 90 CTLTYPE_NODE, "models", NULL, 91 NULL, 0, NULL, 0, 92 CTL_CREATE, CTL_EOL); 93 94 sysctl_createv(clog, 0, &rnode, &rnode, 95 CTLFLAG_PERMANENT, 96 CTLTYPE_NODE, "keylock", 97 SYSCTL_DESCR("Keylock security model"), 98 NULL, 0, NULL, 0, 99 CTL_CREATE, CTL_EOL); 100 101 sysctl_createv(clog, 0, &rnode, NULL, 102 CTLFLAG_PERMANENT, 103 CTLTYPE_STRING, "name", NULL, 104 NULL, 0, __UNCONST("Keylock"), 0, 105 CTL_CREATE, CTL_EOL); 106 } 107 108 void 109 secmodel_keylock_init(void) 110 { 111 } 112 113 void 114 secmodel_keylock_start(void) 115 { 116 l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, 117 secmodel_keylock_system_cb, NULL); 118 l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, 119 secmodel_keylock_process_cb, NULL); 120 l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, 121 secmodel_keylock_network_cb, NULL); 122 l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, 123 secmodel_keylock_machdep_cb, NULL); 124 l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, 125 secmodel_keylock_device_cb, NULL); 126 } 127 128 void 129 secmodel_keylock_stop(void) 130 { 131 kauth_unlisten_scope(l_system); 132 kauth_unlisten_scope(l_process); 133 kauth_unlisten_scope(l_network); 134 kauth_unlisten_scope(l_machdep); 135 kauth_unlisten_scope(l_device); 136 } 137 138 /* 139 * kauth(9) listener 140 * 141 * Security model: Multi-position keylock 142 * Scope: System 143 * Responsibility: Keylock 144 */ 145 int 146 secmodel_keylock_system_cb(kauth_cred_t cred, 147 kauth_action_t action, void *cookie, void *arg0, void *arg1, 148 void *arg2, void *arg3) 149 { 150 int result; 151 enum kauth_system_req req; 152 int kstate; 153 154 kstate = keylock_state(); 155 if (kstate == KEYLOCK_ABSENT) 156 return KAUTH_RESULT_DEFER; 157 else if (kstate == KEYLOCK_TAMPER) 158 return KAUTH_RESULT_DENY; 159 160 result = KAUTH_RESULT_DEFER; 161 req = (enum kauth_system_req)arg0; 162 163 switch (action) { 164 case KAUTH_SYSTEM_CHSYSFLAGS: 165 if (kstate == KEYLOCK_CLOSE) 166 result = KAUTH_RESULT_DENY; 167 break; 168 169 case KAUTH_SYSTEM_TIME: 170 switch (req) { 171 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: 172 if (kstate == KEYLOCK_CLOSE) 173 result = KAUTH_RESULT_DENY; 174 break; 175 176 case KAUTH_REQ_SYSTEM_TIME_SYSTEM: { 177 struct timespec *ts = arg1; 178 struct timespec *delta = arg2; 179 180 if (keylock_position() > 1 && time_wraps(ts, delta)) 181 result = KAUTH_RESULT_DENY; 182 break; 183 } 184 default: 185 break; 186 } 187 break; 188 189 case KAUTH_SYSTEM_MODULE: 190 if (kstate == KEYLOCK_CLOSE) 191 result = KAUTH_RESULT_DENY; 192 break; 193 194 case KAUTH_SYSTEM_MOUNT: 195 switch (req) { 196 case KAUTH_REQ_SYSTEM_MOUNT_NEW: 197 if (kstate == KEYLOCK_CLOSE) 198 result = KAUTH_RESULT_DENY; 199 200 break; 201 202 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: 203 if (kstate == KEYLOCK_CLOSE) { 204 struct mount *mp = arg1; 205 u_long flags = (u_long)arg2; 206 207 /* 208 * Can only degrade from read/write to 209 * read-only. 210 */ 211 if (flags != (mp->mnt_flag | MNT_RDONLY | 212 MNT_RELOAD | MNT_FORCE | MNT_UPDATE)) 213 result = KAUTH_RESULT_DENY; 214 } 215 break; 216 default: 217 break; 218 } 219 220 break; 221 222 case KAUTH_SYSTEM_SYSCTL: 223 switch (req) { 224 case KAUTH_REQ_SYSTEM_SYSCTL_ADD: 225 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: 226 case KAUTH_REQ_SYSTEM_SYSCTL_DESC: 227 if (kstate == KEYLOCK_CLOSE) 228 result = KAUTH_RESULT_DENY; 229 break; 230 default: 231 break; 232 } 233 break; 234 235 case KAUTH_SYSTEM_SETIDCORE: 236 if (kstate == KEYLOCK_CLOSE) 237 result = KAUTH_RESULT_DENY; 238 break; 239 240 case KAUTH_SYSTEM_DEBUG: 241 switch (req) { 242 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: 243 if (kstate == KEYLOCK_CLOSE) 244 result = KAUTH_RESULT_DENY; 245 break; 246 default: 247 break; 248 } 249 break; 250 } 251 252 return result; 253 } 254 255 /* 256 * kauth(9) listener 257 * 258 * Security model: Multi-position keylock 259 * Scope: Process 260 * Responsibility: Keylock 261 */ 262 int 263 secmodel_keylock_process_cb(kauth_cred_t cred, 264 kauth_action_t action, void *cookie, void *arg0, 265 void *arg1, void *arg2, void *arg3) 266 { 267 struct proc *p; 268 int result, kstate; 269 270 kstate = keylock_state(); 271 if (kstate == KEYLOCK_ABSENT) 272 return KAUTH_RESULT_DEFER; 273 else if (kstate == KEYLOCK_TAMPER) 274 return KAUTH_RESULT_DENY; 275 276 result = KAUTH_RESULT_DEFER; 277 p = arg0; 278 279 switch (action) { 280 case KAUTH_PROCESS_PROCFS: { 281 enum kauth_process_req req; 282 283 req = (enum kauth_process_req)arg2; 284 switch (req) { 285 case KAUTH_REQ_PROCESS_PROCFS_READ: 286 break; 287 288 case KAUTH_REQ_PROCESS_PROCFS_RW: 289 case KAUTH_REQ_PROCESS_PROCFS_WRITE: 290 if ((p == initproc) && (kstate != KEYLOCK_OPEN)) 291 result = KAUTH_RESULT_DENY; 292 293 break; 294 default: 295 break; 296 } 297 298 break; 299 } 300 301 case KAUTH_PROCESS_PTRACE: 302 if ((p == initproc) && (kstate != KEYLOCK_OPEN)) 303 result = KAUTH_RESULT_DENY; 304 305 break; 306 307 case KAUTH_PROCESS_CORENAME: 308 if (kstate == KEYLOCK_CLOSE) 309 result = KAUTH_RESULT_DENY; 310 break; 311 } 312 return result; 313 } 314 315 /* 316 * kauth(9) listener 317 * 318 * Security model: Multi-position keylock 319 * Scope: Network 320 * Responsibility: Keylock 321 */ 322 int 323 secmodel_keylock_network_cb(kauth_cred_t cred, 324 kauth_action_t action, void *cookie, void *arg0, 325 void *arg1, void *arg2, void *arg3) 326 { 327 int result, kstate; 328 enum kauth_network_req req; 329 330 kstate = keylock_state(); 331 if (kstate == KEYLOCK_ABSENT) 332 return KAUTH_RESULT_DEFER; 333 else if (kstate == KEYLOCK_TAMPER) 334 return KAUTH_RESULT_DENY; 335 336 result = KAUTH_RESULT_DEFER; 337 req = (enum kauth_network_req)arg0; 338 339 switch (action) { 340 case KAUTH_NETWORK_FIREWALL: 341 switch (req) { 342 case KAUTH_REQ_NETWORK_FIREWALL_FW: 343 case KAUTH_REQ_NETWORK_FIREWALL_NAT: 344 if (kstate == KEYLOCK_CLOSE) 345 result = KAUTH_RESULT_DENY; 346 break; 347 348 default: 349 break; 350 } 351 break; 352 353 case KAUTH_NETWORK_FORWSRCRT: 354 if (kstate != KEYLOCK_OPEN) 355 result = KAUTH_RESULT_DENY; 356 break; 357 } 358 359 return result; 360 } 361 362 /* 363 * kauth(9) listener 364 * 365 * Security model: Multi-position keylock 366 * Scope: Machdep 367 * Responsibility: Keylock 368 */ 369 int 370 secmodel_keylock_machdep_cb(kauth_cred_t cred, 371 kauth_action_t action, void *cookie, void *arg0, 372 void *arg1, void *arg2, void *arg3) 373 { 374 int result, kstate; 375 376 kstate = keylock_state(); 377 if (kstate == KEYLOCK_ABSENT) 378 return KAUTH_RESULT_DEFER; 379 else if (kstate == KEYLOCK_TAMPER) 380 return KAUTH_RESULT_DENY; 381 382 result = KAUTH_RESULT_DEFER; 383 384 switch (action) { 385 case KAUTH_MACHDEP_IOPERM_SET: 386 case KAUTH_MACHDEP_IOPL: 387 if (kstate != KEYLOCK_OPEN) 388 result = KAUTH_RESULT_DENY; 389 break; 390 391 case KAUTH_MACHDEP_UNMANAGEDMEM: 392 if (kstate != KEYLOCK_OPEN) 393 result = KAUTH_RESULT_DENY; 394 break; 395 } 396 397 return result; 398 } 399 400 /* 401 * kauth(9) listener 402 * 403 * Security model: Multi-position keylock 404 * Scope: Device 405 * Responsibility: Keylock 406 */ 407 int 408 secmodel_keylock_device_cb(kauth_cred_t cred, 409 kauth_action_t action, void *cookie, void *arg0, 410 void *arg1, void *arg2, void *arg3) 411 { 412 int result, kstate; 413 414 kstate = keylock_state(); 415 if (kstate == KEYLOCK_ABSENT) 416 return KAUTH_RESULT_DEFER; 417 else if (kstate == KEYLOCK_TAMPER) 418 return KAUTH_RESULT_DENY; 419 420 result = KAUTH_RESULT_DEFER; 421 422 switch (action) { 423 case KAUTH_DEVICE_RAWIO_SPEC: { 424 struct vnode *vp; 425 enum kauth_device_req req; 426 427 req = (enum kauth_device_req)arg0; 428 vp = arg1; 429 430 KASSERT(vp != NULL); 431 432 /* Handle /dev/mem and /dev/kmem. */ 433 if (iskmemvp(vp)) { 434 switch (req) { 435 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 436 break; 437 438 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 439 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 440 if (kstate != KEYLOCK_OPEN) 441 result = KAUTH_RESULT_DENY; 442 break; 443 default: 444 break; 445 } 446 break; 447 } 448 449 switch (req) { 450 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 451 break; 452 453 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 454 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 455 error = rawdev_mounted(vp, NULL); 456 457 if (error == EINVAL) 458 break; 459 460 if (error && (kstate != KEYLOCK_OPEN)) 461 break; 462 463 if (kstate == KEYLOCK_CLOSE) 464 result = KAUTH_RESULT_DENY; 465 466 break; 467 default: 468 break; 469 } 470 break; 471 } 472 473 case KAUTH_DEVICE_RAWIO_PASSTHRU: 474 if (kstate != KEYLOCK_OPEN) { 475 u_long bits; 476 477 bits = (u_long)arg0; 478 479 KASSERT(bits != 0); 480 KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) 481 == 0); 482 483 if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) 484 result = KAUTH_RESULT_DENY; 485 } 486 break; 487 488 case KAUTH_DEVICE_GPIO_PINSET: 489 if (kstate != KEYLOCK_OPEN) 490 result = KAUTH_RESULT_DENY; 491 break; 492 default: 493 break; 494 } 495 return result; 496 } 497
Indexes created Mon Sep 29 21:09:56 GMT 2025