secmodel_securelevel.c revision 1.1
1 /* $NetBSD: secmodel_securelevel.c,v 1.1 2007/11/21 22:49:09 elad Exp $ */ 2 /*- 3 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * This file contains kauth(9) listeners needed to implement the traditional 31 * NetBSD securelevel. 32 * 33 * The securelevel is a system-global indication on what operations are 34 * allowed or not. It affects all users, including root. 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.1 2007/11/21 22:49:09 elad Exp $"); 39 40 #ifdef _KERNEL_OPT 41 #include "opt_insecure.h" 42 #endif /* _KERNEL_OPT */ 43 44 #include <sys/types.h> 45 #include <sys/param.h> 46 #include <sys/kauth.h> 47 48 #include <sys/conf.h> 49 #include <sys/mount.h> 50 #include <sys/sysctl.h> 51 #include <sys/vnode.h> 52 53 #include <miscfs/specfs/specdev.h> 54 55 #include <secmodel/securelevel/securelevel.h> 56 57 static int securelevel; 58 59 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; 60 61 /* 62 * sysctl helper routine for securelevel. ensures that the value 63 * only rises unless the caller has pid 1 (assumed to be init). 64 */ 65 int 66 secmodel_securelevel_sysctl(SYSCTLFN_ARGS) 67 { 68 int newsecurelevel, error; 69 struct sysctlnode node; 70 71 newsecurelevel = securelevel; 72 node = *rnode; 73 node.sysctl_data = &newsecurelevel; 74 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 75 if (error || newp == NULL) 76 return (error); 77 78 if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1) 79 return (EPERM); 80 81 securelevel = newsecurelevel; 82 83 return (error); 84 } 85 86 void 87 secmodel_securelevel_init(void) 88 { 89 #ifdef INSECURE 90 securelevel = -1; 91 #else 92 securelevel = 0; 93 #endif /* INSECURE */ 94 } 95 96 SYSCTL_SETUP(sysctl_security_securelevel_setup, 97 "sysctl security securelevel setup") 98 { 99 /* 100 * For compatibility, we create a kern.securelevel variable. 101 */ 102 sysctl_createv(clog, 0, NULL, NULL, 103 CTLFLAG_PERMANENT, 104 CTLTYPE_NODE, "kern", NULL, 105 NULL, 0, NULL, 0, 106 CTL_KERN, CTL_EOL); 107 108 sysctl_createv(clog, 0, NULL, NULL, 109 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 110 CTLTYPE_INT, "securelevel", 111 SYSCTL_DESCR("System security level"), 112 secmodel_securelevel_sysctl, 0, NULL, 0, 113 CTL_KERN, KERN_SECURELVL, CTL_EOL); 114 } 115 116 void 117 secmodel_securelevel_start(void) 118 { 119 l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, 120 secmodel_securelevel_system_cb, NULL); 121 l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, 122 secmodel_securelevel_process_cb, NULL); 123 l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, 124 secmodel_securelevel_network_cb, NULL); 125 l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, 126 secmodel_securelevel_machdep_cb, NULL); 127 l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, 128 secmodel_securelevel_device_cb, NULL); 129 } 130 131 #if defined(_LKM) 132 void 133 secmodel_securelevel_stop(void) 134 { 135 kauth_unlisten_scope(l_system); 136 kauth_unlisten_scope(l_process); 137 kauth_unlisten_scope(l_network); 138 kauth_unlisten_scope(l_machdep); 139 kauth_unlisten_scope(l_device); 140 } 141 #endif /* _LKM */ 142 143 /* 144 * kauth(9) listener 145 * 146 * Security model: Traditional NetBSD 147 * Scope: System 148 * Responsibility: Securelevel 149 */ 150 int 151 secmodel_securelevel_system_cb(kauth_cred_t cred, 152 kauth_action_t action, void *cookie, void *arg0, void *arg1, 153 void *arg2, void *arg3) 154 { 155 int result; 156 enum kauth_system_req req; 157 158 result = KAUTH_RESULT_DENY; 159 req = (enum kauth_system_req)arg0; 160 161 switch (action) { 162 case KAUTH_SYSTEM_CHSYSFLAGS: 163 if (securelevel < 1) 164 result = KAUTH_RESULT_ALLOW; 165 break; 166 167 case KAUTH_SYSTEM_TIME: 168 switch (req) { 169 case KAUTH_REQ_SYSTEM_TIME_BACKWARDS: 170 if (securelevel < 2) 171 result = KAUTH_RESULT_ALLOW; 172 break; 173 174 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: 175 if (securelevel < 1) 176 result = KAUTH_RESULT_ALLOW; 177 break; 178 179 default: 180 result = KAUTH_RESULT_DEFER; 181 break; 182 } 183 break; 184 185 case KAUTH_SYSTEM_LKM: 186 if (securelevel < 1) 187 result = KAUTH_RESULT_ALLOW; 188 break; 189 190 case KAUTH_SYSTEM_MOUNT: 191 switch (req) { 192 case KAUTH_REQ_SYSTEM_MOUNT_NEW: 193 if (securelevel > 1) 194 break; 195 196 result = KAUTH_RESULT_ALLOW; 197 break; 198 199 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: 200 if (securelevel > 1) { 201 struct mount *mp = arg1; 202 u_long flags = (u_long)arg2; 203 204 /* Can only degrade from read/write to read-only. */ 205 if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD | 206 MNT_FORCE | MNT_UPDATE)) 207 break; 208 } 209 210 result = KAUTH_RESULT_ALLOW; 211 212 break; 213 214 default: 215 result = KAUTH_RESULT_DEFER; 216 break; 217 } 218 219 break; 220 221 case KAUTH_SYSTEM_SYSCTL: 222 switch (req) { 223 case KAUTH_REQ_SYSTEM_SYSCTL_ADD: 224 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: 225 case KAUTH_REQ_SYSTEM_SYSCTL_DESC: 226 if (securelevel < 1) 227 result = KAUTH_RESULT_ALLOW; 228 break; 229 230 default: 231 result = KAUTH_RESULT_DEFER; 232 break; 233 } 234 break; 235 236 case KAUTH_SYSTEM_SETIDCORE: 237 if (securelevel < 1) 238 result = KAUTH_RESULT_ALLOW; 239 break; 240 241 case KAUTH_SYSTEM_DEBUG: 242 switch (req) { 243 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: 244 if (securelevel < 1) 245 result = KAUTH_RESULT_ALLOW; 246 break; 247 248 default: 249 result = KAUTH_RESULT_DEFER; 250 break; 251 } 252 break; 253 254 default: 255 result = KAUTH_RESULT_DEFER; 256 break; 257 } 258 259 return (result); 260 } 261 262 /* 263 * kauth(9) listener 264 * 265 * Security model: Traditional NetBSD 266 * Scope: Process 267 * Responsibility: Securelevel 268 */ 269 int 270 secmodel_securelevel_process_cb(kauth_cred_t cred, 271 kauth_action_t action, void *cookie, void *arg0, 272 void *arg1, void *arg2, void *arg3) 273 { 274 struct proc *p; 275 int result; 276 277 result = KAUTH_RESULT_DENY; 278 p = arg0; 279 280 switch (action) { 281 case KAUTH_PROCESS_CANPROCFS: { 282 enum kauth_process_req req; 283 284 req = (enum kauth_process_req)arg2; 285 switch (req) { 286 case KAUTH_REQ_PROCESS_CANPROCFS_READ: 287 result = KAUTH_RESULT_ALLOW; 288 break; 289 290 case KAUTH_REQ_PROCESS_CANPROCFS_RW: 291 case KAUTH_REQ_PROCESS_CANPROCFS_WRITE: 292 if ((p == initproc) && (securelevel > -1)) 293 result = KAUTH_RESULT_DENY; 294 else 295 result = KAUTH_RESULT_ALLOW; 296 297 break; 298 default: 299 result = KAUTH_RESULT_DEFER; 300 break; 301 } 302 303 break; 304 } 305 306 case KAUTH_PROCESS_CANPTRACE: 307 case KAUTH_PROCESS_CANSYSTRACE: 308 if ((p == initproc) && (securelevel >= 0)) { 309 result = KAUTH_RESULT_DENY; 310 break; 311 } 312 313 result = KAUTH_RESULT_ALLOW; 314 315 break; 316 317 case KAUTH_PROCESS_CORENAME: 318 if (securelevel < 2) 319 result = KAUTH_RESULT_ALLOW; 320 break; 321 322 default: 323 result = KAUTH_RESULT_DEFER; 324 break; 325 } 326 327 return (result); 328 } 329 330 /* 331 * kauth(9) listener 332 * 333 * Security model: Traditional NetBSD 334 * Scope: Network 335 * Responsibility: Securelevel 336 */ 337 int 338 secmodel_securelevel_network_cb(kauth_cred_t cred, 339 kauth_action_t action, void *cookie, void *arg0, 340 void *arg1, void *arg2, void *arg3) 341 { 342 int result; 343 enum kauth_network_req req; 344 345 result = KAUTH_RESULT_DENY; 346 req = (enum kauth_network_req)arg0; 347 348 switch (action) { 349 case KAUTH_NETWORK_FIREWALL: 350 switch (req) { 351 case KAUTH_REQ_NETWORK_FIREWALL_FW: 352 case KAUTH_REQ_NETWORK_FIREWALL_NAT: 353 if (securelevel < 2) 354 result = KAUTH_RESULT_ALLOW; 355 break; 356 357 default: 358 result = KAUTH_RESULT_DEFER; 359 break; 360 } 361 break; 362 363 case KAUTH_NETWORK_FORWSRCRT: 364 if (securelevel < 1) 365 result = KAUTH_RESULT_ALLOW; 366 break; 367 368 default: 369 result = KAUTH_RESULT_DEFER; 370 break; 371 } 372 373 return (result); 374 } 375 376 /* 377 * kauth(9) listener 378 * 379 * Security model: Traditional NetBSD 380 * Scope: Machdep 381 * Responsibility: Securelevel 382 */ 383 int 384 secmodel_securelevel_machdep_cb(kauth_cred_t cred, 385 kauth_action_t action, void *cookie, void *arg0, 386 void *arg1, void *arg2, void *arg3) 387 { 388 int result; 389 390 result = KAUTH_RESULT_DENY; 391 392 switch (action) { 393 case KAUTH_MACHDEP_IOPERM_SET: 394 case KAUTH_MACHDEP_IOPL: 395 if (securelevel < 1) 396 result = KAUTH_RESULT_ALLOW; 397 break; 398 399 case KAUTH_MACHDEP_UNMANAGEDMEM: 400 if (securelevel <= 0) 401 result = KAUTH_RESULT_ALLOW; 402 break; 403 404 default: 405 result = KAUTH_RESULT_DEFER; 406 break; 407 } 408 409 return (result); 410 } 411 412 /* 413 * kauth(9) listener 414 * 415 * Security model: Traditional NetBSD 416 * Scope: Device 417 * Responsibility: Securelevel 418 */ 419 int 420 secmodel_securelevel_device_cb(kauth_cred_t cred, 421 kauth_action_t action, void *cookie, void *arg0, 422 void *arg1, void *arg2, void *arg3) 423 { 424 int result; 425 426 result = KAUTH_RESULT_DENY; 427 428 switch (action) { 429 case KAUTH_DEVICE_RAWIO_SPEC: { 430 struct vnode *vp, *bvp; 431 enum kauth_device_req req; 432 dev_t dev; 433 int d_type; 434 435 req = (enum kauth_device_req)arg0; 436 vp = arg1; 437 438 KASSERT(vp != NULL); 439 440 dev = vp->v_un.vu_specinfo->si_rdev; 441 d_type = D_OTHER; 442 bvp = NULL; 443 444 /* Handle /dev/mem and /dev/kmem. */ 445 if ((vp->v_type == VCHR) && iskmemdev(dev)) { 446 switch (req) { 447 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 448 result = KAUTH_RESULT_ALLOW; 449 break; 450 451 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 452 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 453 if (securelevel < 1) 454 result = KAUTH_RESULT_ALLOW; 455 break; 456 457 default: 458 result = KAUTH_RESULT_DEFER; 459 break; 460 } 461 462 break; 463 } 464 465 switch (req) { 466 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 467 result = KAUTH_RESULT_ALLOW; 468 break; 469 470 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 471 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 472 switch (vp->v_type) { 473 case VCHR: { 474 const struct cdevsw *cdev; 475 476 cdev = cdevsw_lookup(dev); 477 if (cdev != NULL) { 478 dev_t blkdev; 479 480 blkdev = devsw_chr2blk(dev); 481 if (blkdev != NODEV) { 482 vfinddev(blkdev, VBLK, &bvp); 483 if (bvp != NULL) 484 d_type = (cdev->d_flag 485 & D_TYPEMASK); 486 } 487 } 488 489 break; 490 } 491 case VBLK: { 492 const struct bdevsw *bdev; 493 494 bdev = bdevsw_lookup(dev); 495 if (bdev != NULL) 496 d_type = (bdev->d_flag & D_TYPEMASK); 497 498 bvp = vp; 499 500 break; 501 } 502 default: 503 result = KAUTH_RESULT_DEFER; 504 break; 505 } 506 507 if (d_type != D_DISK) { 508 result = KAUTH_RESULT_ALLOW; 509 break; 510 } 511 512 /* 513 * XXX: This is bogus. We should be failing the request 514 * XXX: not only if this specific slice is mounted, but 515 * XXX: if it's on a disk with any other mounted slice. 516 */ 517 if (vfs_mountedon(bvp) && (securelevel > 0)) 518 break; 519 520 if (securelevel < 2) 521 result = KAUTH_RESULT_ALLOW; 522 523 break; 524 525 default: 526 result = KAUTH_RESULT_DEFER; 527 break; 528 } 529 530 break; 531 } 532 533 case KAUTH_DEVICE_RAWIO_PASSTHRU: { 534 if (securelevel > 0) { 535 u_long bits; 536 537 bits = (u_long)arg0; 538 539 KASSERT(bits != 0); 540 KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0); 541 542 if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) 543 result = KAUTH_RESULT_DENY; 544 else 545 result = KAUTH_RESULT_ALLOW; 546 } else 547 result = KAUTH_RESULT_ALLOW; 548 549 break; 550 } 551 552 default: 553 result = KAUTH_RESULT_DEFER; 554 break; 555 } 556 557 return (result); 558 } 559
Indexes created Wed Sep 24 05:09:52 GMT 2025