secmodel_securelevel.c revision 1.4
1 /* $NetBSD: secmodel_securelevel.c,v 1.4 2007/11/25 09:39:26 elad Exp $ */ 2 /*- 3 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. The name of the author may not be used to endorse or promote products 15 * derived from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /* 30 * This file contains kauth(9) listeners needed to implement the traditional 31 * NetBSD securelevel. 32 * 33 * The securelevel is a system-global indication on what operations are 34 * allowed or not. It affects all users, including root. 35 */ 36 37 #include <sys/cdefs.h> 38 __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.4 2007/11/25 09:39:26 elad Exp $"); 39 40 #ifdef _KERNEL_OPT 41 #include "opt_insecure.h" 42 #endif /* _KERNEL_OPT */ 43 44 #include <sys/types.h> 45 #include <sys/param.h> 46 #include <sys/kauth.h> 47 48 #include <sys/conf.h> 49 #include <sys/mount.h> 50 #include <sys/sysctl.h> 51 #include <sys/vnode.h> 52 53 #include <miscfs/specfs/specdev.h> 54 55 #include <secmodel/securelevel/securelevel.h> 56 57 static int securelevel; 58 59 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device; 60 61 /* 62 * sysctl helper routine for securelevel. ensures that the value 63 * only rises unless the caller has pid 1 (assumed to be init). 64 */ 65 int 66 secmodel_securelevel_sysctl(SYSCTLFN_ARGS) 67 { 68 int newsecurelevel, error; 69 struct sysctlnode node; 70 71 newsecurelevel = securelevel; 72 node = *rnode; 73 node.sysctl_data = &newsecurelevel; 74 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 75 if (error || newp == NULL) 76 return (error); 77 78 if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1) 79 return (EPERM); 80 81 securelevel = newsecurelevel; 82 83 return (error); 84 } 85 86 void 87 secmodel_securelevel_init(void) 88 { 89 #ifdef INSECURE 90 securelevel = -1; 91 #else 92 securelevel = 0; 93 #endif /* INSECURE */ 94 } 95 96 SYSCTL_SETUP(sysctl_security_securelevel_setup, 97 "sysctl security securelevel setup") 98 { 99 /* 100 * For compatibility, we create a kern.securelevel variable. 101 */ 102 sysctl_createv(clog, 0, NULL, NULL, 103 CTLFLAG_PERMANENT, 104 CTLTYPE_NODE, "kern", NULL, 105 NULL, 0, NULL, 0, 106 CTL_KERN, CTL_EOL); 107 108 sysctl_createv(clog, 0, NULL, NULL, 109 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 110 CTLTYPE_INT, "securelevel", 111 SYSCTL_DESCR("System security level"), 112 secmodel_securelevel_sysctl, 0, NULL, 0, 113 CTL_KERN, KERN_SECURELVL, CTL_EOL); 114 } 115 116 void 117 secmodel_securelevel_start(void) 118 { 119 l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, 120 secmodel_securelevel_system_cb, NULL); 121 l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, 122 secmodel_securelevel_process_cb, NULL); 123 l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, 124 secmodel_securelevel_network_cb, NULL); 125 l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP, 126 secmodel_securelevel_machdep_cb, NULL); 127 l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE, 128 secmodel_securelevel_device_cb, NULL); 129 } 130 131 #if defined(_LKM) 132 void 133 secmodel_securelevel_stop(void) 134 { 135 kauth_unlisten_scope(l_system); 136 kauth_unlisten_scope(l_process); 137 kauth_unlisten_scope(l_network); 138 kauth_unlisten_scope(l_machdep); 139 kauth_unlisten_scope(l_device); 140 } 141 #endif /* _LKM */ 142 143 /* 144 * kauth(9) listener 145 * 146 * Security model: Traditional NetBSD 147 * Scope: System 148 * Responsibility: Securelevel 149 */ 150 int 151 secmodel_securelevel_system_cb(kauth_cred_t cred, 152 kauth_action_t action, void *cookie, void *arg0, void *arg1, 153 void *arg2, void *arg3) 154 { 155 int result; 156 enum kauth_system_req req; 157 158 result = KAUTH_RESULT_DEFER; 159 req = (enum kauth_system_req)arg0; 160 161 switch (action) { 162 case KAUTH_SYSTEM_CHSYSFLAGS: 163 if (securelevel > 0) 164 result = KAUTH_RESULT_DENY; 165 break; 166 167 case KAUTH_SYSTEM_TIME: 168 switch (req) { 169 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET: 170 if (securelevel > 0) 171 result = KAUTH_RESULT_DENY; 172 break; 173 174 case KAUTH_REQ_SYSTEM_TIME_SYSTEM: { 175 struct timespec *ts = arg1; 176 struct timeval *delta = arg2; 177 178 /* 179 * Don't allow the time to be set forward so far it will wrap 180 * and become negative, thus allowing an attacker to bypass 181 * the next check below. The cutoff is 1 year before rollover 182 * occurs, so even if the attacker uses adjtime(2) to move 183 * the time past the cutoff, it will take a very long time 184 * to get to the wrap point. 185 * 186 * XXX: we check against INT_MAX since on 64-bit 187 * platforms, sizeof(int) != sizeof(long) and 188 * time_t is 32 bits even when atv.tv_sec is 64 bits. 189 */ 190 if (securelevel > 1 && 191 ((ts->tv_sec > INT_MAX - 365*24*60*60) || 192 (delta->tv_sec < 0 || delta->tv_usec < 0))) 193 result = KAUTH_RESULT_DENY; 194 195 break; 196 } 197 198 default: 199 break; 200 } 201 break; 202 203 case KAUTH_SYSTEM_LKM: 204 if (securelevel > 0) 205 result = KAUTH_RESULT_DENY; 206 break; 207 208 case KAUTH_SYSTEM_MOUNT: 209 switch (req) { 210 case KAUTH_REQ_SYSTEM_MOUNT_NEW: 211 if (securelevel > 1) 212 result = KAUTH_RESULT_DENY; 213 214 break; 215 216 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE: 217 if (securelevel > 1) { 218 struct mount *mp = arg1; 219 u_long flags = (u_long)arg2; 220 221 /* Can only degrade from read/write to read-only. */ 222 if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD | 223 MNT_FORCE | MNT_UPDATE)) 224 result = KAUTH_RESULT_DENY; 225 } 226 227 break; 228 229 default: 230 break; 231 } 232 233 break; 234 235 case KAUTH_SYSTEM_SYSCTL: 236 switch (req) { 237 case KAUTH_REQ_SYSTEM_SYSCTL_ADD: 238 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE: 239 case KAUTH_REQ_SYSTEM_SYSCTL_DESC: 240 if (securelevel > 0) 241 result = KAUTH_RESULT_DENY; 242 break; 243 244 default: 245 break; 246 } 247 break; 248 249 case KAUTH_SYSTEM_SETIDCORE: 250 if (securelevel > 0) 251 result = KAUTH_RESULT_DENY; 252 break; 253 254 case KAUTH_SYSTEM_DEBUG: 255 switch (req) { 256 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB: 257 if (securelevel > 0) 258 result = KAUTH_RESULT_DENY; 259 break; 260 261 default: 262 break; 263 } 264 break; 265 } 266 267 return (result); 268 } 269 270 /* 271 * kauth(9) listener 272 * 273 * Security model: Traditional NetBSD 274 * Scope: Process 275 * Responsibility: Securelevel 276 */ 277 int 278 secmodel_securelevel_process_cb(kauth_cred_t cred, 279 kauth_action_t action, void *cookie, void *arg0, 280 void *arg1, void *arg2, void *arg3) 281 { 282 struct proc *p; 283 int result; 284 285 result = KAUTH_RESULT_DEFER; 286 p = arg0; 287 288 switch (action) { 289 case KAUTH_PROCESS_CANPROCFS: { 290 enum kauth_process_req req; 291 292 req = (enum kauth_process_req)arg2; 293 switch (req) { 294 case KAUTH_REQ_PROCESS_CANPROCFS_READ: 295 break; 296 297 case KAUTH_REQ_PROCESS_CANPROCFS_RW: 298 case KAUTH_REQ_PROCESS_CANPROCFS_WRITE: 299 if ((p == initproc) && (securelevel > -1)) 300 result = KAUTH_RESULT_DENY; 301 302 break; 303 304 default: 305 break; 306 } 307 308 break; 309 } 310 311 case KAUTH_PROCESS_CANPTRACE: 312 case KAUTH_PROCESS_CANSYSTRACE: 313 if ((p == initproc) && (securelevel >= 0)) 314 result = KAUTH_RESULT_DENY; 315 316 break; 317 318 case KAUTH_PROCESS_CORENAME: 319 if (securelevel > 1) 320 result = KAUTH_RESULT_DENY; 321 break; 322 } 323 324 return (result); 325 } 326 327 /* 328 * kauth(9) listener 329 * 330 * Security model: Traditional NetBSD 331 * Scope: Network 332 * Responsibility: Securelevel 333 */ 334 int 335 secmodel_securelevel_network_cb(kauth_cred_t cred, 336 kauth_action_t action, void *cookie, void *arg0, 337 void *arg1, void *arg2, void *arg3) 338 { 339 int result; 340 enum kauth_network_req req; 341 342 result = KAUTH_RESULT_DEFER; 343 req = (enum kauth_network_req)arg0; 344 345 switch (action) { 346 case KAUTH_NETWORK_FIREWALL: 347 switch (req) { 348 case KAUTH_REQ_NETWORK_FIREWALL_FW: 349 case KAUTH_REQ_NETWORK_FIREWALL_NAT: 350 if (securelevel > 1) 351 result = KAUTH_RESULT_DENY; 352 break; 353 354 default: 355 break; 356 } 357 break; 358 359 case KAUTH_NETWORK_FORWSRCRT: 360 if (securelevel > 0) 361 result = KAUTH_RESULT_DENY; 362 break; 363 } 364 365 return (result); 366 } 367 368 /* 369 * kauth(9) listener 370 * 371 * Security model: Traditional NetBSD 372 * Scope: Machdep 373 * Responsibility: Securelevel 374 */ 375 int 376 secmodel_securelevel_machdep_cb(kauth_cred_t cred, 377 kauth_action_t action, void *cookie, void *arg0, 378 void *arg1, void *arg2, void *arg3) 379 { 380 int result; 381 382 result = KAUTH_RESULT_DEFER; 383 384 switch (action) { 385 case KAUTH_MACHDEP_IOPERM_SET: 386 case KAUTH_MACHDEP_IOPL: 387 if (securelevel > 0) 388 result = KAUTH_RESULT_DENY; 389 break; 390 391 case KAUTH_MACHDEP_UNMANAGEDMEM: 392 if (securelevel > 0) 393 result = KAUTH_RESULT_DENY; 394 break; 395 } 396 397 return (result); 398 } 399 400 /* 401 * kauth(9) listener 402 * 403 * Security model: Traditional NetBSD 404 * Scope: Device 405 * Responsibility: Securelevel 406 */ 407 int 408 secmodel_securelevel_device_cb(kauth_cred_t cred, 409 kauth_action_t action, void *cookie, void *arg0, 410 void *arg1, void *arg2, void *arg3) 411 { 412 int result; 413 414 result = KAUTH_RESULT_DEFER; 415 416 switch (action) { 417 case KAUTH_DEVICE_RAWIO_SPEC: { 418 struct vnode *vp, *bvp; 419 enum kauth_device_req req; 420 dev_t dev; 421 int d_type; 422 423 req = (enum kauth_device_req)arg0; 424 vp = arg1; 425 426 KASSERT(vp != NULL); 427 428 dev = vp->v_un.vu_specinfo->si_rdev; 429 d_type = D_OTHER; 430 bvp = NULL; 431 432 /* Handle /dev/mem and /dev/kmem. */ 433 if ((vp->v_type == VCHR) && iskmemdev(dev)) { 434 switch (req) { 435 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 436 break; 437 438 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 439 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 440 if (securelevel > 0) 441 result = KAUTH_RESULT_DENY; 442 break; 443 } 444 445 break; 446 } 447 448 switch (req) { 449 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ: 450 break; 451 452 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE: 453 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW: 454 switch (vp->v_type) { 455 case VCHR: { 456 const struct cdevsw *cdev; 457 458 cdev = cdevsw_lookup(dev); 459 if (cdev != NULL) { 460 dev_t blkdev; 461 462 blkdev = devsw_chr2blk(dev); 463 if (blkdev != NODEV) { 464 vfinddev(blkdev, VBLK, &bvp); 465 if (bvp != NULL) 466 d_type = (cdev->d_flag 467 & D_TYPEMASK); 468 } 469 } 470 471 break; 472 } 473 case VBLK: { 474 const struct bdevsw *bdev; 475 476 bdev = bdevsw_lookup(dev); 477 if (bdev != NULL) 478 d_type = (bdev->d_flag & D_TYPEMASK); 479 480 bvp = vp; 481 482 break; 483 } 484 485 default: 486 break; 487 } 488 489 if (d_type != D_DISK) 490 break; 491 492 /* 493 * XXX: This is bogus. We should be failing the request 494 * XXX: not only if this specific slice is mounted, but 495 * XXX: if it's on a disk with any other mounted slice. 496 */ 497 if (vfs_mountedon(bvp) && (securelevel > 0)) 498 break; 499 500 if (securelevel > 1) 501 result = KAUTH_RESULT_DENY; 502 503 break; 504 } 505 506 break; 507 } 508 509 case KAUTH_DEVICE_RAWIO_PASSTHRU: 510 if (securelevel > 0) { 511 u_long bits; 512 513 bits = (u_long)arg0; 514 515 KASSERT(bits != 0); 516 KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0); 517 518 if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF) 519 result = KAUTH_RESULT_DENY; 520 } 521 522 break; 523 } 524 525 return (result); 526 } 527
Indexes created Fri Sep 26 20:09:58 GMT 2025