Home | History | Annotate | Line # | Download | only in securelevel
secmodel_securelevel.c revision 1.31 
      1 /* $NetBSD: secmodel_securelevel.c,v 1.31 2018/04/26 18:54:09 alnsn Exp $ */
      2 /*-
      3  * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org>
      4  * All rights reserved.
      5  *
      6  * Redistribution and use in source and binary forms, with or without
      7  * modification, are permitted provided that the following conditions
      8  * are met:
      9  * 1. Redistributions of source code must retain the above copyright
     10  *    notice, this list of conditions and the following disclaimer.
     11  * 2. Redistributions in binary form must reproduce the above copyright
     12  *    notice, this list of conditions and the following disclaimer in the
     13  *    documentation and/or other materials provided with the distribution.
     14  * 3. The name of the author may not be used to endorse or promote products
     15  *    derived from this software without specific prior written permission.
     16  *
     17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     27  */
     28 
     29 /*
     30  * This file contains kauth(9) listeners needed to implement the traditional
     31  * NetBSD securelevel.
     32  *
     33  * The securelevel is a system-global indication on what operations are
     34  * allowed or not. It affects all users, including root.
     35  */
     36 
     37 #include <sys/cdefs.h>
     38 __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.31 2018/04/26 18:54:09 alnsn Exp $");
     39 
     40 #ifdef _KERNEL_OPT
     41 #include "opt_insecure.h"
     42 #endif /* _KERNEL_OPT */
     43 
     44 #include <sys/types.h>
     45 #include <sys/param.h>
     46 #include <sys/kauth.h>
     47 
     48 #include <sys/conf.h>
     49 #include <sys/mount.h>
     50 #include <sys/sysctl.h>
     51 #include <sys/vnode.h>
     52 #include <sys/module.h>
     53 #include <sys/timevar.h>
     54 
     55 #include <miscfs/specfs/specdev.h>
     56 
     57 #include <secmodel/secmodel.h>
     58 #include <secmodel/securelevel/securelevel.h>
     59 
     60 MODULE(MODULE_CLASS_SECMODEL, securelevel, NULL);
     61 
     62 static int securelevel;
     63 
     64 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device,
     65     l_vnode;
     66 
     67 static secmodel_t securelevel_sm;
     68 static struct sysctllog *securelevel_sysctl_log;
     69 
     70 /*
     71  * Sysctl helper routine for securelevel. Ensures that the value only rises
     72  * unless the caller is init.
     73  */
     74 int
     75 secmodel_securelevel_sysctl(SYSCTLFN_ARGS)
     76 {
     77 	int newsecurelevel, error;
     78 	struct sysctlnode node;
     79 
     80 	newsecurelevel = securelevel;
     81 	node = *rnode;
     82 	node.sysctl_data = &newsecurelevel;
     83 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
     84 	if (error || newp == NULL)
     85 		return (error);
     86 
     87 	if ((newsecurelevel < securelevel) && (l->l_proc != initproc))
     88 		return (EPERM);
     89 
     90 	securelevel = newsecurelevel;
     91 
     92 	return (error);
     93 }
     94 
     95 void
     96 sysctl_security_securelevel_setup(struct sysctllog **clog)
     97 {
     98 	const struct sysctlnode *rnode, *rnode2;
     99 
    100 	sysctl_createv(clog, 0, NULL, &rnode,
    101 		       CTLFLAG_PERMANENT,
    102 		       CTLTYPE_NODE, "models", NULL,
    103 		       NULL, 0, NULL, 0,
    104 		       CTL_SECURITY, CTL_CREATE, CTL_EOL);
    105 
    106 	/* Compatibility: security.models.bsd44 */
    107 	rnode2 = rnode;
    108 	sysctl_createv(clog, 0, &rnode2, &rnode2,
    109 		       CTLFLAG_PERMANENT,
    110 		       CTLTYPE_NODE, "bsd44", NULL,
    111 		       NULL, 0, NULL, 0,
    112 		       CTL_CREATE, CTL_EOL);
    113 
    114         /* Compatibility: security.models.bsd44.securelevel */
    115 	sysctl_createv(clog, 0, &rnode2, NULL,
    116 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
    117 		       CTLTYPE_INT, "securelevel",
    118 		       SYSCTL_DESCR("System security level"),
    119 		       secmodel_securelevel_sysctl, 0, NULL, 0,
    120 		       CTL_CREATE, CTL_EOL);
    121 
    122 	sysctl_createv(clog, 0, &rnode, &rnode,
    123 		       CTLFLAG_PERMANENT,
    124 		       CTLTYPE_NODE, "securelevel", NULL,
    125 		       NULL, 0, NULL, 0,
    126 		       CTL_CREATE, CTL_EOL);
    127 
    128 	sysctl_createv(clog, 0, &rnode, NULL,
    129 		       CTLFLAG_PERMANENT,
    130 		       CTLTYPE_STRING, "name", NULL,
    131 		       NULL, 0, __UNCONST(SECMODEL_SECURELEVEL_NAME), 0,
    132 		       CTL_CREATE, CTL_EOL);
    133 
    134 	sysctl_createv(clog, 0, &rnode, NULL,
    135 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
    136 		       CTLTYPE_INT, "securelevel",
    137 		       SYSCTL_DESCR("System security level"),
    138 		       secmodel_securelevel_sysctl, 0, NULL, 0,
    139 		       CTL_CREATE, CTL_EOL);
    140 
    141 	/* Compatibility: kern.securelevel */
    142 
    143 	sysctl_createv(clog, 0, NULL, NULL,
    144 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
    145 		       CTLTYPE_INT, "securelevel",
    146 		       SYSCTL_DESCR("System security level"),
    147 		       secmodel_securelevel_sysctl, 0, NULL, 0,
    148 		       CTL_KERN, KERN_SECURELVL, CTL_EOL);
    149 }
    150 
    151 void
    152 secmodel_securelevel_init(void)
    153 {
    154 #ifdef INSECURE
    155 	securelevel = -1;
    156 #else
    157 	securelevel = 0;
    158 #endif /* INSECURE */
    159 }
    160 
    161 void
    162 secmodel_securelevel_start(void)
    163 {
    164 	l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
    165 	    secmodel_securelevel_system_cb, NULL);
    166 	l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
    167 	    secmodel_securelevel_process_cb, NULL);
    168 	l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
    169 	    secmodel_securelevel_network_cb, NULL);
    170 	l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
    171 	    secmodel_securelevel_machdep_cb, NULL);
    172 	l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
    173 	    secmodel_securelevel_device_cb, NULL);
    174 	l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
    175 	    secmodel_securelevel_vnode_cb, NULL);
    176 }
    177 
    178 void
    179 secmodel_securelevel_stop(void)
    180 {
    181 	kauth_unlisten_scope(l_system);
    182 	kauth_unlisten_scope(l_process);
    183 	kauth_unlisten_scope(l_network);
    184 	kauth_unlisten_scope(l_machdep);
    185 	kauth_unlisten_scope(l_device);
    186 	kauth_unlisten_scope(l_vnode);
    187 }
    188 
    189 static int
    190 securelevel_eval(const char *what, void *arg, void *ret)
    191 {
    192 	int error = 0;
    193 
    194 	if (strcasecmp(what, "is-securelevel-above") == 0) {
    195 		int level = (int)(uintptr_t)arg;
    196 		bool *bp = ret;
    197 
    198 		*bp = (securelevel > level);
    199 	} else {
    200 		error = ENOENT;
    201 	}
    202 
    203 	return error;
    204 }
    205 
    206 static int
    207 securelevel_modcmd(modcmd_t cmd, void *arg)
    208 {
    209 	int error = 0;
    210 
    211 	switch (cmd) {
    212 	case MODULE_CMD_INIT:
    213 		secmodel_securelevel_init();
    214 		error = secmodel_register(&securelevel_sm,
    215 		    SECMODEL_SECURELEVEL_ID, SECMODEL_SECURELEVEL_NAME,
    216 		    NULL, securelevel_eval, NULL);
    217 		if (error != 0)
    218 			printf("securelevel_modcmd::init: secmodel_register "
    219 			    "returned %d\n", error);
    220 
    221 		secmodel_securelevel_start();
    222 		sysctl_security_securelevel_setup(&securelevel_sysctl_log);
    223 		break;
    224 
    225 	case MODULE_CMD_FINI:
    226 		sysctl_teardown(&securelevel_sysctl_log);
    227 		secmodel_securelevel_stop();
    228 
    229 		error = secmodel_deregister(securelevel_sm);
    230 		if (error != 0)
    231 			printf("securelevel_modcmd::fini: secmodel_deregister "
    232 			    "returned %d\n", error);
    233 
    234 		break;
    235 
    236 	case MODULE_CMD_AUTOUNLOAD:
    237 		error = EPERM;
    238 		break;
    239 
    240 	default:
    241 		error = ENOTTY;
    242 		break;
    243 	}
    244 
    245 	return (error);
    246 }
    247 
    248 /*
    249  * kauth(9) listener
    250  *
    251  * Security model: Traditional NetBSD
    252  * Scope: System
    253  * Responsibility: Securelevel
    254  */
    255 int
    256 secmodel_securelevel_system_cb(kauth_cred_t cred, kauth_action_t action,
    257     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    258 {
    259 	int result;
    260 	enum kauth_system_req req;
    261 
    262 	result = KAUTH_RESULT_DEFER;
    263 	req = (enum kauth_system_req)arg0;
    264 
    265 	switch (action) {
    266 	case KAUTH_SYSTEM_CHSYSFLAGS:
    267 		/* Deprecated. */
    268 		if (securelevel > 0)
    269 			result = KAUTH_RESULT_DENY;
    270 		break;
    271 
    272 	case KAUTH_SYSTEM_TIME:
    273 		switch (req) {
    274 		case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
    275 			if (securelevel > 0)
    276 				result = KAUTH_RESULT_DENY;
    277 			break;
    278 
    279 		case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
    280 			struct timespec *ts = arg1;
    281 			struct timespec *delta = arg2;
    282 
    283 			if (securelevel > 1 && time_wraps(ts, delta))
    284 				result = KAUTH_RESULT_DENY;
    285 
    286 			break;
    287 		}
    288 
    289 		default:
    290 			break;
    291 		}
    292 		break;
    293 
    294 	case KAUTH_SYSTEM_MAP_VA_ZERO:
    295 		if (securelevel > 0)
    296 			result = KAUTH_RESULT_DENY;
    297 		break;
    298 
    299 	case KAUTH_SYSTEM_MODULE:
    300 		if (securelevel > 0)
    301 			result = KAUTH_RESULT_DENY;
    302 		break;
    303 
    304 	case KAUTH_SYSTEM_MOUNT:
    305 		switch (req) {
    306 		case KAUTH_REQ_SYSTEM_MOUNT_NEW:
    307 			if (securelevel > 1)
    308 				result = KAUTH_RESULT_DENY;
    309 
    310 			break;
    311 
    312 		case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
    313 			if (securelevel > 1) {
    314 				struct mount *mp = arg1;
    315 				u_long flags = (u_long)arg2;
    316 
    317 				/* Can only degrade from read/write to read-only. */
    318 				if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD |
    319 				    MNT_FORCE | MNT_UPDATE))
    320 					result = KAUTH_RESULT_DENY;
    321 			}
    322 
    323 			break;
    324 
    325 		default:
    326 			break;
    327 		}
    328 
    329 		break;
    330 
    331 	case KAUTH_SYSTEM_SYSCTL:
    332 		switch (req) {
    333 		case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
    334 		case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
    335 		case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
    336 			if (securelevel > 0)
    337 				result = KAUTH_RESULT_DENY;
    338 			break;
    339 
    340 		default:
    341 			break;
    342 		}
    343 		break;
    344 
    345 	case KAUTH_SYSTEM_SETIDCORE:
    346 		if (securelevel > 0)
    347 			result = KAUTH_RESULT_DENY;
    348 		break;
    349 
    350 	case KAUTH_SYSTEM_DEBUG:
    351 		switch (req) {
    352 		case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
    353 			if (securelevel > 0)
    354 				result = KAUTH_RESULT_DENY;
    355 			break;
    356 
    357 		default:
    358 			break;
    359 		}
    360 		break;
    361 
    362 	default:
    363 		break;
    364 	}
    365 
    366 	return (result);
    367 }
    368 
    369 /*
    370  * kauth(9) listener
    371  *
    372  * Security model: Traditional NetBSD
    373  * Scope: Process
    374  * Responsibility: Securelevel
    375  */
    376 int
    377 secmodel_securelevel_process_cb(kauth_cred_t cred, kauth_action_t action,
    378     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    379 {
    380 	struct proc *p;
    381 	int result;
    382 
    383 	result = KAUTH_RESULT_DEFER;
    384 	p = arg0;
    385 
    386 	switch (action) {
    387 	case KAUTH_PROCESS_PROCFS: {
    388 		enum kauth_process_req req;
    389 
    390 		req = (enum kauth_process_req)arg2;
    391 		switch (req) {
    392 		case KAUTH_REQ_PROCESS_PROCFS_READ:
    393 			break;
    394 
    395 		case KAUTH_REQ_PROCESS_PROCFS_RW:
    396 		case KAUTH_REQ_PROCESS_PROCFS_WRITE:
    397 			if ((p == initproc) && (securelevel > -1))
    398 				result = KAUTH_RESULT_DENY;
    399 
    400 			break;
    401 
    402 		default:
    403 			break;
    404 		}
    405 
    406 		break;
    407 		}
    408 
    409 	case KAUTH_PROCESS_PTRACE:
    410 		if ((p == initproc) && (securelevel > -1))
    411 			result = KAUTH_RESULT_DENY;
    412 
    413 		break;
    414 
    415 	case KAUTH_PROCESS_CORENAME:
    416 		if (securelevel > 1)
    417 			result = KAUTH_RESULT_DENY;
    418 		break;
    419 
    420 	default:
    421 		break;
    422 	}
    423 
    424 	return (result);
    425 }
    426 
    427 /*
    428  * kauth(9) listener
    429  *
    430  * Security model: Traditional NetBSD
    431  * Scope: Network
    432  * Responsibility: Securelevel
    433  */
    434 int
    435 secmodel_securelevel_network_cb(kauth_cred_t cred, kauth_action_t action,
    436     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    437 {
    438 	int result;
    439 	enum kauth_network_req req;
    440 
    441 	result = KAUTH_RESULT_DEFER;
    442 	req = (enum kauth_network_req)arg0;
    443 
    444 	switch (action) {
    445 	case KAUTH_NETWORK_FIREWALL:
    446 		switch (req) {
    447 		case KAUTH_REQ_NETWORK_FIREWALL_FW:
    448 		case KAUTH_REQ_NETWORK_FIREWALL_NAT:
    449 			if (securelevel > 1)
    450 				result = KAUTH_RESULT_DENY;
    451 			break;
    452 
    453 		default:
    454 			break;
    455 		}
    456 		break;
    457 
    458 	case KAUTH_NETWORK_FORWSRCRT:
    459 		if (securelevel > 0)
    460 			result = KAUTH_RESULT_DENY;
    461 		break;
    462 
    463 	default:
    464 		break;
    465 	}
    466 
    467 	return (result);
    468 }
    469 
    470 /*
    471  * kauth(9) listener
    472  *
    473  * Security model: Traditional NetBSD
    474  * Scope: Machdep
    475  * Responsibility: Securelevel
    476  */
    477 int
    478 secmodel_securelevel_machdep_cb(kauth_cred_t cred, kauth_action_t action,
    479     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    480 {
    481 	int result;
    482 
    483 	result = KAUTH_RESULT_DEFER;
    484 
    485 	switch (action) {
    486 	case KAUTH_MACHDEP_IOPERM_SET:
    487 	case KAUTH_MACHDEP_IOPL:
    488 		if (securelevel > 0)
    489 			result = KAUTH_RESULT_DENY;
    490 		break;
    491 
    492 	case KAUTH_MACHDEP_UNMANAGEDMEM:
    493 		if (securelevel > 0)
    494 			result = KAUTH_RESULT_DENY;
    495 		break;
    496 
    497 	case KAUTH_MACHDEP_SVS_DISABLE:
    498 		if (securelevel > 0)
    499 			result = KAUTH_RESULT_DENY;
    500 		break;
    501 
    502 	case KAUTH_MACHDEP_CPU_UCODE_APPLY:
    503 		if (securelevel > 1)
    504 			result = KAUTH_RESULT_DENY;
    505 		break;
    506 
    507 	default:
    508 		break;
    509 	}
    510 
    511 	return (result);
    512 }
    513 
    514 /*
    515  * kauth(9) listener
    516  *
    517  * Security model: Traditional NetBSD
    518  * Scope: Device
    519  * Responsibility: Securelevel
    520  */
    521 int
    522 secmodel_securelevel_device_cb(kauth_cred_t cred, kauth_action_t action,
    523     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    524 {
    525 	int result;
    526 
    527 	result = KAUTH_RESULT_DEFER;
    528 
    529 	switch (action) {
    530 	case KAUTH_DEVICE_RAWIO_SPEC: {
    531 		struct vnode *vp;
    532 		enum kauth_device_req req;
    533 
    534 		req = (enum kauth_device_req)arg0;
    535 		vp = arg1;
    536 
    537 		KASSERT(vp != NULL);
    538 
    539 		/* Handle /dev/mem and /dev/kmem. */
    540 		if (iskmemvp(vp)) {
    541 			switch (req) {
    542 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
    543 				break;
    544 
    545 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
    546 			case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
    547 				if (securelevel > 0)
    548 					result = KAUTH_RESULT_DENY;
    549 
    550 				break;
    551 
    552 			default:
    553 				break;
    554 			}
    555 
    556 			break;
    557 		}
    558 
    559 		switch (req) {
    560 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
    561 			break;
    562 
    563 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
    564 		case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: {
    565 			int error;
    566 
    567 			error = rawdev_mounted(vp, NULL);
    568 
    569 			/* Not a disk. */
    570 			if (error == EINVAL)
    571 				break;
    572 
    573 			if (error && securelevel > 0)
    574 				result = KAUTH_RESULT_DENY;
    575 
    576 			if (securelevel > 1)
    577 				result = KAUTH_RESULT_DENY;
    578 
    579 			break;
    580 			}
    581 
    582 		default:
    583 			break;
    584 		}
    585 
    586 		break;
    587 		}
    588 
    589 	case KAUTH_DEVICE_RAWIO_PASSTHRU:
    590 		if (securelevel > 0) {
    591 			u_long bits;
    592 
    593 			bits = (u_long)arg0;
    594 
    595 			KASSERT(bits != 0);
    596 			KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
    597 
    598 			if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
    599 				result = KAUTH_RESULT_DENY;
    600 		}
    601 
    602 		break;
    603 
    604 	case KAUTH_DEVICE_GPIO_PINSET:
    605 		if (securelevel > 0)
    606 			result = KAUTH_RESULT_DENY;
    607 		break;
    608 
    609 	case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
    610 		if (securelevel > 0)
    611 			result = KAUTH_RESULT_DENY;
    612 		break;
    613 
    614 	default:
    615 		break;
    616 	}
    617 
    618 	return (result);
    619 }
    620 
    621 int
    622 secmodel_securelevel_vnode_cb(kauth_cred_t cred, kauth_action_t action,
    623     void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
    624 {
    625 	int result;
    626 
    627 	result = KAUTH_RESULT_DEFER;
    628 
    629 	if ((action & KAUTH_VNODE_WRITE_SYSFLAGS) &&
    630 	    (action & KAUTH_VNODE_HAS_SYSFLAGS)) {
    631 		if (securelevel > 0)
    632 			result = KAUTH_RESULT_DENY;
    633 	}
    634 
    635 	return (result);
    636 }
    637 
    638