secmodel_securelevel.c revision 1.10
1 1.10 christos /* $NetBSD: secmodel_securelevel.c,v 1.10 2009/01/11 02:45:55 christos Exp $ */ 2 1.1 elad /*- 3 1.1 elad * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 4 1.1 elad * All rights reserved. 5 1.1 elad * 6 1.1 elad * Redistribution and use in source and binary forms, with or without 7 1.1 elad * modification, are permitted provided that the following conditions 8 1.1 elad * are met: 9 1.1 elad * 1. Redistributions of source code must retain the above copyright 10 1.1 elad * notice, this list of conditions and the following disclaimer. 11 1.1 elad * 2. Redistributions in binary form must reproduce the above copyright 12 1.1 elad * notice, this list of conditions and the following disclaimer in the 13 1.1 elad * documentation and/or other materials provided with the distribution. 14 1.1 elad * 3. The name of the author may not be used to endorse or promote products 15 1.1 elad * derived from this software without specific prior written permission. 16 1.1 elad * 17 1.1 elad * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 1.1 elad * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 1.1 elad * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 1.1 elad * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 1.1 elad * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 1.1 elad * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 1.1 elad * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 1.1 elad * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 1.1 elad * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 1.1 elad * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 1.1 elad */ 28 1.1 elad 29 1.1 elad /* 30 1.1 elad * This file contains kauth(9) listeners needed to implement the traditional 31 1.1 elad * NetBSD securelevel. 32 1.1 elad * 33 1.1 elad * The securelevel is a system-global indication on what operations are 34 1.1 elad * allowed or not. It affects all users, including root. 35 1.1 elad */ 36 1.1 elad 37 1.1 elad #include <sys/cdefs.h> 38 1.10 christos __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.10 2009/01/11 02:45:55 christos Exp $"); 39 1.1 elad 40 1.1 elad #ifdef _KERNEL_OPT 41 1.1 elad #include "opt_insecure.h" 42 1.1 elad #endif /* _KERNEL_OPT */ 43 1.1 elad 44 1.1 elad #include <sys/types.h> 45 1.1 elad #include <sys/param.h> 46 1.1 elad #include <sys/kauth.h> 47 1.1 elad 48 1.1 elad #include <sys/conf.h> 49 1.1 elad #include <sys/mount.h> 50 1.1 elad #include <sys/sysctl.h> 51 1.1 elad #include <sys/vnode.h> 52 1.1 elad 53 1.1 elad #include <miscfs/specfs/specdev.h> 54 1.1 elad 55 1.1 elad #include <secmodel/securelevel/securelevel.h> 56 1.1 elad 57 1.1 elad static int securelevel; 58 1.1 elad 59 1.1 elad static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; 60 1.1 elad 61 1.1 elad /* 62 1.1 elad * sysctl helper routine for securelevel. ensures that the value 63 1.1 elad * only rises unless the caller has pid 1 (assumed to be init). 64 1.1 elad */ 65 1.1 elad int 66 1.1 elad secmodel_securelevel_sysctl(SYSCTLFN_ARGS) 67 1.1 elad { 68 1.1 elad int newsecurelevel, error; 69 1.1 elad struct sysctlnode node; 70 1.1 elad 71 1.1 elad newsecurelevel = securelevel; 72 1.1 elad node = *rnode; 73 1.1 elad node.sysctl_data = &newsecurelevel; 74 1.1 elad error = sysctl_lookup(SYSCTLFN_CALL(&node)); 75 1.1 elad if (error || newp == NULL) 76 1.1 elad return (error); 77 1.1 elad 78 1.1 elad if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1) 79 1.1 elad return (EPERM); 80 1.1 elad 81 1.1 elad securelevel = newsecurelevel; 82 1.1 elad 83 1.1 elad return (error); 84 1.1 elad } 85 1.1 elad 86 1.1 elad void 87 1.1 elad secmodel_securelevel_init(void) 88 1.1 elad { 89 1.1 elad #ifdef INSECURE 90 1.1 elad securelevel = -1; 91 1.1 elad #else 92 1.1 elad securelevel = 0; 93 1.1 elad #endif /* INSECURE */ 94 1.1 elad } 95 1.1 elad 96 1.1 elad SYSCTL_SETUP(sysctl_security_securelevel_setup, 97 1.1 elad "sysctl security securelevel setup") 98 1.1 elad { 99 1.1 elad /* 100 1.1 elad * For compatibility, we create a kern.securelevel variable. 101 1.1 elad */ 102 1.1 elad sysctl_createv(clog, 0, NULL, NULL, 103 1.1 elad CTLFLAG_PERMANENT, 104 1.1 elad CTLTYPE_NODE, "kern", NULL, 105 1.1 elad NULL, 0, NULL, 0, 106 1.1 elad CTL_KERN, CTL_EOL); 107 1.1 elad 108 1.1 elad sysctl_createv(clog, 0, NULL, NULL, 109 1.1 elad CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 110 1.1 elad CTLTYPE_INT, "securelevel", 111 1.1 elad SYSCTL_DESCR("System security level"), 112 1.1 elad secmodel_securelevel_sysctl, 0, NULL, 0, 113 1.1 elad CTL_KERN, KERN_SECURELVL, CTL_EOL); 114 1.1 elad } 115 1.1 elad 116 1.1 elad void 117 1.1 elad secmodel_securelevel_start(void) 118 1.1 elad { 119 1.1 elad l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, 120 1.1 elad secmodel_securelevel_system_cb, NULL); 121 1.1 elad l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, 122 1.1 elad secmodel_securelevel_process_cb, NULL); 123 1.1 elad l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, 124 1.1 elad secmodel_securelevel_network_cb, NULL); 125 1.1 elad l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, 126 1.1 elad secmodel_securelevel_machdep_cb, NULL); 127 1.1 elad l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, 128 1.1 elad secmodel_securelevel_device_cb, NULL); 129 1.1 elad } 130 1.1 elad 131 1.1 elad #if defined(_LKM) 132 1.1 elad void 133 1.1 elad secmodel_securelevel_stop(void) 134 1.1 elad { 135 1.1 elad kauth_unlisten_scope(l_system); 136 1.1 elad kauth_unlisten_scope(l_process); 137 1.1 elad kauth_unlisten_scope(l_network); 138 1.1 elad kauth_unlisten_scope(l_machdep); 139 1.1 elad kauth_unlisten_scope(l_device); 140 1.1 elad } 141 1.1 elad #endif /* _LKM */ 142 1.1 elad 143 1.1 elad /* 144 1.1 elad * kauth(9) listener 145 1.1 elad * 146 1.1 elad * Security model: Traditional NetBSD 147 1.1 elad * Scope: System 148 1.1 elad * Responsibility: Securelevel 149 1.1 elad */ 150 1.1 elad int 151 1.1 elad secmodel_securelevel_system_cb(kauth_cred_t cred, 152 1.1 elad kauth_action_t action, void *cookie, void *arg0, void *arg1, 153 1.1 elad void *arg2, void *arg3) 154 1.1 elad { 155 1.1 elad int result; 156 1.1 elad enum kauth_system_req req; 157 1.1 elad 158 1.2 elad result = KAUTH_RESULT_DEFER; 159 1.1 elad req = (enum kauth_system_req)arg0; 160 1.1 elad 161 1.1 elad switch (action) { 162 1.1 elad case KAUTH_SYSTEM_CHSYSFLAGS: 163 1.2 elad if (securelevel > 0) 164 1.2 elad result = KAUTH_RESULT_DENY; 165 1.1 elad break; 166 1.1 elad 167 1.1 elad case KAUTH_SYSTEM_TIME: 168 1.1 elad switch (req) { 169 1.1 elad case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: 170 1.2 elad if (securelevel > 0) 171 1.2 elad result = KAUTH_RESULT_DENY; 172 1.1 elad break; 173 1.1 elad 174 1.3 elad case KAUTH_REQ_SYSTEM_TIME_SYSTEM: { 175 1.3 elad struct timespec *ts = arg1; 176 1.10 christos struct timespec *delta = arg2; 177 1.3 elad 178 1.3 elad /* 179 1.10 christos * Don't allow the time to be set forward so far it 180 1.10 christos * will wrap and become negative, thus allowing an 181 1.10 christos * attacker to bypass the next check below. The 182 1.10 christos * cutoff is 1 year before rollover occurs, so even 183 1.10 christos * if the attacker uses adjtime(2) to move the time 184 1.10 christos * past the cutoff, it will take a very long time 185 1.3 elad * to get to the wrap point. 186 1.3 elad */ 187 1.3 elad if (securelevel > 1 && 188 1.10 christos ((ts->tv_sec > LLONG_MAX - 365*24*60*60) || 189 1.10 christos (delta->tv_sec < 0 || delta->tv_nsec < 0))) 190 1.3 elad result = KAUTH_RESULT_DENY; 191 1.3 elad break; 192 1.3 elad } 193 1.3 elad 194 1.1 elad default: 195 1.1 elad break; 196 1.1 elad } 197 1.1 elad break; 198 1.1 elad 199 1.7 ad case KAUTH_SYSTEM_MODULE: 200 1.2 elad if (securelevel > 0) 201 1.2 elad result = KAUTH_RESULT_DENY; 202 1.1 elad break; 203 1.1 elad 204 1.1 elad case KAUTH_SYSTEM_MOUNT: 205 1.1 elad switch (req) { 206 1.1 elad case KAUTH_REQ_SYSTEM_MOUNT_NEW: 207 1.1 elad if (securelevel > 1) 208 1.2 elad result = KAUTH_RESULT_DENY; 209 1.1 elad 210 1.1 elad break; 211 1.1 elad 212 1.1 elad case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: 213 1.1 elad if (securelevel > 1) { 214 1.1 elad struct mount *mp = arg1; 215 1.1 elad u_long flags = (u_long)arg2; 216 1.1 elad 217 1.1 elad /* Can only degrade from read/write to read-only. */ 218 1.1 elad if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD | 219 1.1 elad MNT_FORCE | MNT_UPDATE)) 220 1.2 elad result = KAUTH_RESULT_DENY; 221 1.1 elad } 222 1.1 elad 223 1.1 elad break; 224 1.1 elad 225 1.1 elad default: 226 1.1 elad break; 227 1.1 elad } 228 1.1 elad 229 1.1 elad break; 230 1.1 elad 231 1.1 elad case KAUTH_SYSTEM_SYSCTL: 232 1.1 elad switch (req) { 233 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_ADD: 234 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: 235 1.1 elad case KAUTH_REQ_SYSTEM_SYSCTL_DESC: 236 1.2 elad if (securelevel > 0) 237 1.2 elad result = KAUTH_RESULT_DENY; 238 1.1 elad break; 239 1.1 elad 240 1.1 elad default: 241 1.1 elad break; 242 1.1 elad } 243 1.1 elad break; 244 1.1 elad 245 1.1 elad case KAUTH_SYSTEM_SETIDCORE: 246 1.2 elad if (securelevel > 0) 247 1.2 elad result = KAUTH_RESULT_DENY; 248 1.1 elad break; 249 1.1 elad 250 1.1 elad case KAUTH_SYSTEM_DEBUG: 251 1.1 elad switch (req) { 252 1.1 elad case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: 253 1.2 elad if (securelevel > 0) 254 1.2 elad result = KAUTH_RESULT_DENY; 255 1.1 elad break; 256 1.1 elad 257 1.1 elad default: 258 1.1 elad break; 259 1.1 elad } 260 1.1 elad break; 261 1.1 elad } 262 1.1 elad 263 1.1 elad return (result); 264 1.1 elad } 265 1.1 elad 266 1.1 elad /* 267 1.1 elad * kauth(9) listener 268 1.1 elad * 269 1.1 elad * Security model: Traditional NetBSD 270 1.1 elad * Scope: Process 271 1.1 elad * Responsibility: Securelevel 272 1.1 elad */ 273 1.1 elad int 274 1.1 elad secmodel_securelevel_process_cb(kauth_cred_t cred, 275 1.1 elad kauth_action_t action, void *cookie, void *arg0, 276 1.1 elad void *arg1, void *arg2, void *arg3) 277 1.1 elad { 278 1.1 elad struct proc *p; 279 1.1 elad int result; 280 1.1 elad 281 1.2 elad result = KAUTH_RESULT_DEFER; 282 1.1 elad p = arg0; 283 1.1 elad 284 1.1 elad switch (action) { 285 1.8 elad case KAUTH_PROCESS_PROCFS: { 286 1.1 elad enum kauth_process_req req; 287 1.1 elad 288 1.1 elad req = (enum kauth_process_req)arg2; 289 1.1 elad switch (req) { 290 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_READ: 291 1.1 elad break; 292 1.1 elad 293 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_RW: 294 1.8 elad case KAUTH_REQ_PROCESS_PROCFS_WRITE: 295 1.1 elad if ((p == initproc) && (securelevel > -1)) 296 1.1 elad result = KAUTH_RESULT_DENY; 297 1.1 elad 298 1.1 elad break; 299 1.2 elad 300 1.1 elad default: 301 1.1 elad break; 302 1.1 elad } 303 1.1 elad 304 1.1 elad break; 305 1.1 elad } 306 1.1 elad 307 1.8 elad case KAUTH_PROCESS_PTRACE: 308 1.2 elad if ((p == initproc) && (securelevel >= 0)) 309 1.1 elad result = KAUTH_RESULT_DENY; 310 1.1 elad 311 1.1 elad break; 312 1.1 elad 313 1.1 elad case KAUTH_PROCESS_CORENAME: 314 1.2 elad if (securelevel > 1) 315 1.2 elad result = KAUTH_RESULT_DENY; 316 1.1 elad break; 317 1.1 elad } 318 1.1 elad 319 1.1 elad return (result); 320 1.1 elad } 321 1.1 elad 322 1.1 elad /* 323 1.1 elad * kauth(9) listener 324 1.1 elad * 325 1.1 elad * Security model: Traditional NetBSD 326 1.1 elad * Scope: Network 327 1.1 elad * Responsibility: Securelevel 328 1.1 elad */ 329 1.1 elad int 330 1.1 elad secmodel_securelevel_network_cb(kauth_cred_t cred, 331 1.1 elad kauth_action_t action, void *cookie, void *arg0, 332 1.1 elad void *arg1, void *arg2, void *arg3) 333 1.1 elad { 334 1.1 elad int result; 335 1.1 elad enum kauth_network_req req; 336 1.1 elad 337 1.2 elad result = KAUTH_RESULT_DEFER; 338 1.1 elad req = (enum kauth_network_req)arg0; 339 1.1 elad 340 1.1 elad switch (action) { 341 1.1 elad case KAUTH_NETWORK_FIREWALL: 342 1.1 elad switch (req) { 343 1.1 elad case KAUTH_REQ_NETWORK_FIREWALL_FW: 344 1.1 elad case KAUTH_REQ_NETWORK_FIREWALL_NAT: 345 1.2 elad if (securelevel > 1) 346 1.2 elad result = KAUTH_RESULT_DENY; 347 1.1 elad break; 348 1.1 elad 349 1.1 elad default: 350 1.1 elad break; 351 1.1 elad } 352 1.1 elad break; 353 1.1 elad 354 1.1 elad case KAUTH_NETWORK_FORWSRCRT: 355 1.2 elad if (securelevel > 0) 356 1.2 elad result = KAUTH_RESULT_DENY; 357 1.1 elad break; 358 1.1 elad } 359 1.1 elad 360 1.1 elad return (result); 361 1.1 elad } 362 1.1 elad 363 1.1 elad /* 364 1.1 elad * kauth(9) listener 365 1.1 elad * 366 1.1 elad * Security model: Traditional NetBSD 367 1.1 elad * Scope: Machdep 368 1.1 elad * Responsibility: Securelevel 369 1.1 elad */ 370 1.1 elad int 371 1.1 elad secmodel_securelevel_machdep_cb(kauth_cred_t cred, 372 1.1 elad kauth_action_t action, void *cookie, void *arg0, 373 1.1 elad void *arg1, void *arg2, void *arg3) 374 1.1 elad { 375 1.1 elad int result; 376 1.1 elad 377 1.2 elad result = KAUTH_RESULT_DEFER; 378 1.1 elad 379 1.1 elad switch (action) { 380 1.1 elad case KAUTH_MACHDEP_IOPERM_SET: 381 1.1 elad case KAUTH_MACHDEP_IOPL: 382 1.2 elad if (securelevel > 0) 383 1.2 elad result = KAUTH_RESULT_DENY; 384 1.1 elad break; 385 1.1 elad 386 1.1 elad case KAUTH_MACHDEP_UNMANAGEDMEM: 387 1.2 elad if (securelevel > 0) 388 1.2 elad result = KAUTH_RESULT_DENY; 389 1.1 elad break; 390 1.1 elad } 391 1.1 elad 392 1.1 elad return (result); 393 1.1 elad } 394 1.1 elad 395 1.1 elad /* 396 1.1 elad * kauth(9) listener 397 1.1 elad * 398 1.1 elad * Security model: Traditional NetBSD 399 1.1 elad * Scope: Device 400 1.1 elad * Responsibility: Securelevel 401 1.1 elad */ 402 1.1 elad int 403 1.1 elad secmodel_securelevel_device_cb(kauth_cred_t cred, 404 1.1 elad kauth_action_t action, void *cookie, void *arg0, 405 1.1 elad void *arg1, void *arg2, void *arg3) 406 1.1 elad { 407 1.1 elad int result; 408 1.1 elad 409 1.2 elad result = KAUTH_RESULT_DEFER; 410 1.1 elad 411 1.1 elad switch (action) { 412 1.1 elad case KAUTH_DEVICE_RAWIO_SPEC: { 413 1.1 elad struct vnode *vp, *bvp; 414 1.1 elad enum kauth_device_req req; 415 1.1 elad dev_t dev; 416 1.1 elad int d_type; 417 1.1 elad 418 1.1 elad req = (enum kauth_device_req)arg0; 419 1.1 elad vp = arg1; 420 1.1 elad 421 1.1 elad KASSERT(vp != NULL); 422 1.1 elad 423 1.6 ad dev = vp->v_rdev; 424 1.1 elad d_type = D_OTHER; 425 1.1 elad bvp = NULL; 426 1.1 elad 427 1.1 elad /* Handle /dev/mem and /dev/kmem. */ 428 1.1 elad if ((vp->v_type == VCHR) && iskmemdev(dev)) { 429 1.1 elad switch (req) { 430 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 431 1.1 elad break; 432 1.1 elad 433 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 434 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 435 1.2 elad if (securelevel > 0) 436 1.2 elad result = KAUTH_RESULT_DENY; 437 1.1 elad break; 438 1.1 elad } 439 1.1 elad 440 1.1 elad break; 441 1.1 elad } 442 1.1 elad 443 1.1 elad switch (req) { 444 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 445 1.1 elad break; 446 1.1 elad 447 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 448 1.1 elad case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 449 1.1 elad switch (vp->v_type) { 450 1.1 elad case VCHR: { 451 1.1 elad const struct cdevsw *cdev; 452 1.1 elad 453 1.1 elad cdev = cdevsw_lookup(dev); 454 1.1 elad if (cdev != NULL) { 455 1.1 elad dev_t blkdev; 456 1.1 elad 457 1.1 elad blkdev = devsw_chr2blk(dev); 458 1.1 elad if (blkdev != NODEV) { 459 1.1 elad vfinddev(blkdev, VBLK, &bvp); 460 1.1 elad if (bvp != NULL) 461 1.1 elad d_type = (cdev->d_flag 462 1.1 elad & D_TYPEMASK); 463 1.1 elad } 464 1.1 elad } 465 1.1 elad 466 1.1 elad break; 467 1.1 elad } 468 1.1 elad case VBLK: { 469 1.1 elad const struct bdevsw *bdev; 470 1.1 elad 471 1.1 elad bdev = bdevsw_lookup(dev); 472 1.1 elad if (bdev != NULL) 473 1.1 elad d_type = (bdev->d_flag & D_TYPEMASK); 474 1.1 elad 475 1.1 elad bvp = vp; 476 1.1 elad 477 1.1 elad break; 478 1.1 elad } 479 1.2 elad 480 1.1 elad default: 481 1.1 elad break; 482 1.1 elad } 483 1.1 elad 484 1.2 elad if (d_type != D_DISK) 485 1.1 elad break; 486 1.1 elad 487 1.1 elad /* 488 1.1 elad * XXX: This is bogus. We should be failing the request 489 1.1 elad * XXX: not only if this specific slice is mounted, but 490 1.1 elad * XXX: if it's on a disk with any other mounted slice. 491 1.1 elad */ 492 1.1 elad if (vfs_mountedon(bvp) && (securelevel > 0)) 493 1.1 elad break; 494 1.1 elad 495 1.2 elad if (securelevel > 1) 496 1.2 elad result = KAUTH_RESULT_DENY; 497 1.1 elad 498 1.1 elad break; 499 1.1 elad } 500 1.1 elad 501 1.1 elad break; 502 1.1 elad } 503 1.1 elad 504 1.2 elad case KAUTH_DEVICE_RAWIO_PASSTHRU: 505 1.1 elad if (securelevel > 0) { 506 1.1 elad u_long bits; 507 1.1 elad 508 1.1 elad bits = (u_long)arg0; 509 1.1 elad 510 1.1 elad KASSERT(bits != 0); 511 1.1 elad KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0); 512 1.1 elad 513 1.1 elad if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) 514 1.1 elad result = KAUTH_RESULT_DENY; 515 1.1 elad } 516 1.1 elad 517 1.1 elad break; 518 1.1 elad } 519 1.1 elad 520 1.1 elad return (result); 521 1.1 elad } 522
Indexes created Tue Sep 23 14:10:03 GMT 2025