secmodel_securelevel.c revision 1.8 1 /* $NetBSD: secmodel_securelevel.c,v 1.8 2008/01/23 15:04:41 elad Exp $ */
2 /*-
3 * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 /*
30 * This file contains kauth(9) listeners needed to implement the traditional
31 * NetBSD securelevel.
32 *
33 * The securelevel is a system-global indication on what operations are
34 * allowed or not. It affects all users, including root.
35 */
36
37 #include <sys/cdefs.h>
38 __KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.8 2008/01/23 15:04:41 elad Exp $");
39
40 #ifdef _KERNEL_OPT
41 #include "opt_insecure.h"
42 #endif /* _KERNEL_OPT */
43
44 #include <sys/types.h>
45 #include <sys/param.h>
46 #include <sys/kauth.h>
47
48 #include <sys/conf.h>
49 #include <sys/mount.h>
50 #include <sys/sysctl.h>
51 #include <sys/vnode.h>
52
53 #include <miscfs/specfs/specdev.h>
54
55 #include <secmodel/securelevel/securelevel.h>
56
57 static int securelevel;
58
59 static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device;
60
61 /*
62 * sysctl helper routine for securelevel. ensures that the value
63 * only rises unless the caller has pid 1 (assumed to be init).
64 */
65 int
66 secmodel_securelevel_sysctl(SYSCTLFN_ARGS)
67 {
68 int newsecurelevel, error;
69 struct sysctlnode node;
70
71 newsecurelevel = securelevel;
72 node = *rnode;
73 node.sysctl_data = &newsecurelevel;
74 error = sysctl_lookup(SYSCTLFN_CALL(&node));
75 if (error || newp == NULL)
76 return (error);
77
78 if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1)
79 return (EPERM);
80
81 securelevel = newsecurelevel;
82
83 return (error);
84 }
85
86 void
87 secmodel_securelevel_init(void)
88 {
89 #ifdef INSECURE
90 securelevel = -1;
91 #else
92 securelevel = 0;
93 #endif /* INSECURE */
94 }
95
96 SYSCTL_SETUP(sysctl_security_securelevel_setup,
97 "sysctl security securelevel setup")
98 {
99 /*
100 * For compatibility, we create a kern.securelevel variable.
101 */
102 sysctl_createv(clog, 0, NULL, NULL,
103 CTLFLAG_PERMANENT,
104 CTLTYPE_NODE, "kern", NULL,
105 NULL, 0, NULL, 0,
106 CTL_KERN, CTL_EOL);
107
108 sysctl_createv(clog, 0, NULL, NULL,
109 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
110 CTLTYPE_INT, "securelevel",
111 SYSCTL_DESCR("System security level"),
112 secmodel_securelevel_sysctl, 0, NULL, 0,
113 CTL_KERN, KERN_SECURELVL, CTL_EOL);
114 }
115
116 void
117 secmodel_securelevel_start(void)
118 {
119 l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
120 secmodel_securelevel_system_cb, NULL);
121 l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
122 secmodel_securelevel_process_cb, NULL);
123 l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
124 secmodel_securelevel_network_cb, NULL);
125 l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
126 secmodel_securelevel_machdep_cb, NULL);
127 l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
128 secmodel_securelevel_device_cb, NULL);
129 }
130
131 #if defined(_LKM)
132 void
133 secmodel_securelevel_stop(void)
134 {
135 kauth_unlisten_scope(l_system);
136 kauth_unlisten_scope(l_process);
137 kauth_unlisten_scope(l_network);
138 kauth_unlisten_scope(l_machdep);
139 kauth_unlisten_scope(l_device);
140 }
141 #endif /* _LKM */
142
143 /*
144 * kauth(9) listener
145 *
146 * Security model: Traditional NetBSD
147 * Scope: System
148 * Responsibility: Securelevel
149 */
150 int
151 secmodel_securelevel_system_cb(kauth_cred_t cred,
152 kauth_action_t action, void *cookie, void *arg0, void *arg1,
153 void *arg2, void *arg3)
154 {
155 int result;
156 enum kauth_system_req req;
157
158 result = KAUTH_RESULT_DEFER;
159 req = (enum kauth_system_req)arg0;
160
161 switch (action) {
162 case KAUTH_SYSTEM_CHSYSFLAGS:
163 if (securelevel > 0)
164 result = KAUTH_RESULT_DENY;
165 break;
166
167 case KAUTH_SYSTEM_TIME:
168 switch (req) {
169 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
170 if (securelevel > 0)
171 result = KAUTH_RESULT_DENY;
172 break;
173
174 case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
175 struct timespec *ts = arg1;
176 struct timeval *delta = arg2;
177
178 /*
179 * Don't allow the time to be set forward so far it will wrap
180 * and become negative, thus allowing an attacker to bypass
181 * the next check below. The cutoff is 1 year before rollover
182 * occurs, so even if the attacker uses adjtime(2) to move
183 * the time past the cutoff, it will take a very long time
184 * to get to the wrap point.
185 *
186 * XXX: we check against INT_MAX since on 64-bit
187 * platforms, sizeof(int) != sizeof(long) and
188 * time_t is 32 bits even when atv.tv_sec is 64 bits.
189 */
190 if (securelevel > 1 &&
191 ((ts->tv_sec > INT_MAX - 365*24*60*60) ||
192 (delta->tv_sec < 0 || delta->tv_usec < 0)))
193 result = KAUTH_RESULT_DENY;
194
195 break;
196 }
197
198 default:
199 break;
200 }
201 break;
202
203 case KAUTH_SYSTEM_LKM:
204 case KAUTH_SYSTEM_MODULE:
205 if (securelevel > 0)
206 result = KAUTH_RESULT_DENY;
207 break;
208
209 case KAUTH_SYSTEM_MOUNT:
210 switch (req) {
211 case KAUTH_REQ_SYSTEM_MOUNT_NEW:
212 if (securelevel > 1)
213 result = KAUTH_RESULT_DENY;
214
215 break;
216
217 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
218 if (securelevel > 1) {
219 struct mount *mp = arg1;
220 u_long flags = (u_long)arg2;
221
222 /* Can only degrade from read/write to read-only. */
223 if (flags != (mp->mnt_flag | MNT_RDONLY | MNT_RELOAD |
224 MNT_FORCE | MNT_UPDATE))
225 result = KAUTH_RESULT_DENY;
226 }
227
228 break;
229
230 default:
231 break;
232 }
233
234 break;
235
236 case KAUTH_SYSTEM_SYSCTL:
237 switch (req) {
238 case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
239 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
240 case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
241 if (securelevel > 0)
242 result = KAUTH_RESULT_DENY;
243 break;
244
245 default:
246 break;
247 }
248 break;
249
250 case KAUTH_SYSTEM_SETIDCORE:
251 if (securelevel > 0)
252 result = KAUTH_RESULT_DENY;
253 break;
254
255 case KAUTH_SYSTEM_DEBUG:
256 switch (req) {
257 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
258 if (securelevel > 0)
259 result = KAUTH_RESULT_DENY;
260 break;
261
262 default:
263 break;
264 }
265 break;
266 }
267
268 return (result);
269 }
270
271 /*
272 * kauth(9) listener
273 *
274 * Security model: Traditional NetBSD
275 * Scope: Process
276 * Responsibility: Securelevel
277 */
278 int
279 secmodel_securelevel_process_cb(kauth_cred_t cred,
280 kauth_action_t action, void *cookie, void *arg0,
281 void *arg1, void *arg2, void *arg3)
282 {
283 struct proc *p;
284 int result;
285
286 result = KAUTH_RESULT_DEFER;
287 p = arg0;
288
289 switch (action) {
290 case KAUTH_PROCESS_PROCFS: {
291 enum kauth_process_req req;
292
293 req = (enum kauth_process_req)arg2;
294 switch (req) {
295 case KAUTH_REQ_PROCESS_PROCFS_READ:
296 break;
297
298 case KAUTH_REQ_PROCESS_PROCFS_RW:
299 case KAUTH_REQ_PROCESS_PROCFS_WRITE:
300 if ((p == initproc) && (securelevel > -1))
301 result = KAUTH_RESULT_DENY;
302
303 break;
304
305 default:
306 break;
307 }
308
309 break;
310 }
311
312 case KAUTH_PROCESS_PTRACE:
313 if ((p == initproc) && (securelevel >= 0))
314 result = KAUTH_RESULT_DENY;
315
316 break;
317
318 case KAUTH_PROCESS_CORENAME:
319 if (securelevel > 1)
320 result = KAUTH_RESULT_DENY;
321 break;
322 }
323
324 return (result);
325 }
326
327 /*
328 * kauth(9) listener
329 *
330 * Security model: Traditional NetBSD
331 * Scope: Network
332 * Responsibility: Securelevel
333 */
334 int
335 secmodel_securelevel_network_cb(kauth_cred_t cred,
336 kauth_action_t action, void *cookie, void *arg0,
337 void *arg1, void *arg2, void *arg3)
338 {
339 int result;
340 enum kauth_network_req req;
341
342 result = KAUTH_RESULT_DEFER;
343 req = (enum kauth_network_req)arg0;
344
345 switch (action) {
346 case KAUTH_NETWORK_FIREWALL:
347 switch (req) {
348 case KAUTH_REQ_NETWORK_FIREWALL_FW:
349 case KAUTH_REQ_NETWORK_FIREWALL_NAT:
350 if (securelevel > 1)
351 result = KAUTH_RESULT_DENY;
352 break;
353
354 default:
355 break;
356 }
357 break;
358
359 case KAUTH_NETWORK_FORWSRCRT:
360 if (securelevel > 0)
361 result = KAUTH_RESULT_DENY;
362 break;
363 }
364
365 return (result);
366 }
367
368 /*
369 * kauth(9) listener
370 *
371 * Security model: Traditional NetBSD
372 * Scope: Machdep
373 * Responsibility: Securelevel
374 */
375 int
376 secmodel_securelevel_machdep_cb(kauth_cred_t cred,
377 kauth_action_t action, void *cookie, void *arg0,
378 void *arg1, void *arg2, void *arg3)
379 {
380 int result;
381
382 result = KAUTH_RESULT_DEFER;
383
384 switch (action) {
385 case KAUTH_MACHDEP_IOPERM_SET:
386 case KAUTH_MACHDEP_IOPL:
387 if (securelevel > 0)
388 result = KAUTH_RESULT_DENY;
389 break;
390
391 case KAUTH_MACHDEP_UNMANAGEDMEM:
392 if (securelevel > 0)
393 result = KAUTH_RESULT_DENY;
394 break;
395 }
396
397 return (result);
398 }
399
400 /*
401 * kauth(9) listener
402 *
403 * Security model: Traditional NetBSD
404 * Scope: Device
405 * Responsibility: Securelevel
406 */
407 int
408 secmodel_securelevel_device_cb(kauth_cred_t cred,
409 kauth_action_t action, void *cookie, void *arg0,
410 void *arg1, void *arg2, void *arg3)
411 {
412 int result;
413
414 result = KAUTH_RESULT_DEFER;
415
416 switch (action) {
417 case KAUTH_DEVICE_RAWIO_SPEC: {
418 struct vnode *vp, *bvp;
419 enum kauth_device_req req;
420 dev_t dev;
421 int d_type;
422
423 req = (enum kauth_device_req)arg0;
424 vp = arg1;
425
426 KASSERT(vp != NULL);
427
428 dev = vp->v_rdev;
429 d_type = D_OTHER;
430 bvp = NULL;
431
432 /* Handle /dev/mem and /dev/kmem. */
433 if ((vp->v_type == VCHR) && iskmemdev(dev)) {
434 switch (req) {
435 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
436 break;
437
438 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
439 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
440 if (securelevel > 0)
441 result = KAUTH_RESULT_DENY;
442 break;
443 }
444
445 break;
446 }
447
448 switch (req) {
449 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
450 break;
451
452 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
453 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
454 switch (vp->v_type) {
455 case VCHR: {
456 const struct cdevsw *cdev;
457
458 cdev = cdevsw_lookup(dev);
459 if (cdev != NULL) {
460 dev_t blkdev;
461
462 blkdev = devsw_chr2blk(dev);
463 if (blkdev != NODEV) {
464 vfinddev(blkdev, VBLK, &bvp);
465 if (bvp != NULL)
466 d_type = (cdev->d_flag
467 & D_TYPEMASK);
468 }
469 }
470
471 break;
472 }
473 case VBLK: {
474 const struct bdevsw *bdev;
475
476 bdev = bdevsw_lookup(dev);
477 if (bdev != NULL)
478 d_type = (bdev->d_flag & D_TYPEMASK);
479
480 bvp = vp;
481
482 break;
483 }
484
485 default:
486 break;
487 }
488
489 if (d_type != D_DISK)
490 break;
491
492 /*
493 * XXX: This is bogus. We should be failing the request
494 * XXX: not only if this specific slice is mounted, but
495 * XXX: if it's on a disk with any other mounted slice.
496 */
497 if (vfs_mountedon(bvp) && (securelevel > 0))
498 break;
499
500 if (securelevel > 1)
501 result = KAUTH_RESULT_DENY;
502
503 break;
504 }
505
506 break;
507 }
508
509 case KAUTH_DEVICE_RAWIO_PASSTHRU:
510 if (securelevel > 0) {
511 u_long bits;
512
513 bits = (u_long)arg0;
514
515 KASSERT(bits != 0);
516 KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
517
518 if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
519 result = KAUTH_RESULT_DENY;
520 }
521
522 break;
523 }
524
525 return (result);
526 }
527