authorrwatson <rwatson@FreeBSD.org>2006-11-06 13:42:10 +0000
committerrwatson <rwatson@FreeBSD.org>2006-11-06 13:42:10 +0000
commit10d0d9cf473dc5f0ce1bf263ead445ffe7819154 (patch)
treeb9dd284620eeaddbff089cef10e4b1afb7918279 /sys/security
parent7288104e2094825a9c98b9923f039817a76e2983 (diff)
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/audit/audit.c4
-rw-r--r--sys/security/audit/audit_pipe.c6
-rw-r--r--sys/security/audit/audit_syscalls.c19
-rw-r--r--sys/security/mac/mac_net.c9
-rw-r--r--sys/security/mac/mac_policy.h4
-rw-r--r--sys/security/mac/mac_system.c6
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c3
-rw-r--r--sys/security/mac_lomac/mac_lomac.c5
-rw-r--r--sys/security/mac_partition/mac_partition.c3
-rw-r--r--sys/security/mac_portacl/mac_portacl.c4
-rw-r--r--sys/security/mac_seeotheruids/mac_seeotheruids.c3
11 files changed, 45 insertions, 21 deletions
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index bb6f929..c8121a0 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -42,6 +42,7 @@
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/queue.h>
#include <sys/socket.h>
@@ -509,7 +510,8 @@ audit_syscall_enter(unsigned short code, struct thread *td)
* audit record is still required for this event by
* re-calling au_preselect().
*/
- if (audit_in_failure && suser(td) != 0) {
+ if (audit_in_failure &&
+ priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
cv_wait(&audit_fail_cv, &audit_mtx);
panic("audit_failing_stop: thread continued");
}
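Review bot: Nothing at the converted test in audit_syscall_enter says that holding `PRIV_AUDIT_FAILSTOP` means being exempt from the fail-stop wait, and the name alone can be read the other way round. With `suser(td)` the exemption was plainly "root"; as a named privilege it can be decided by whatever backs `priv_check()`, so the direction of the test is worth spelling out. I would add `/* Threads holding PRIV_AUDIT_FAILSTOP are exempt from the fail-stop wait below. */` directly above the `if`. The existing comment and the rest of the function start outside this hunk.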
diff --git a/sys/security/audit/audit_pipe.c b/sys/security/audit/audit_pipe.c
index 6bea514..3cc41ef 100644
--- a/sys/security/audit/audit_pipe.c
+++ b/sys/security/audit/audit_pipe.c
@@ -626,9 +626,9 @@ audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen,
}
/*
- * Audit pipe open method. Explicit suser check isn't used as this allows
- * file permissions on the special device to be used to grant audit review
- * access.
+ * Audit pipe open method. Explicit privilege check isn't used as this
+ * allows file permissions on the special device to be used to grant audit
+ * review access. Those file permissions should be managed carefully.
*/
static int
audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index fb55511..65772a8 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -32,6 +32,7 @@
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/namei.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sysproto.h>
#include <sys/systm.h>
@@ -66,7 +67,7 @@ audit(struct thread *td, struct audit_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SUBMIT);
if (error)
return (error);
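Review bot: The `jailed(td->td_ucred)` test that precedes the new `priv_check()` call in audit() has no comment explaining why it is kept now that the privilege is named. The same applies to the auditon, getauid, setauid, getaudit, setaudit, getaudit_addr, setaudit_addr and auditctl hunks that follow. `priv_check()` is called without a jail-allowing flag here, so it presumably refuses jailed credentials itself, and the earlier test then only decides that a jailed caller sees `ENOSYS` rather than the privilege error. If that is intended, a line such as `/* Audit is not available in jails: report ENOSYS before any privilege check. */` above the `jailed()` test would stop a later cleanup from removing it as redundant. Each of these functions continues outside its hunk.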
@@ -156,7 +157,7 @@ auditon(struct thread *td, struct auditon_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
AUDIT_ARG(cmd, uap->cmd);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_CONTROL);
if (error)
return (error);
@@ -404,7 +405,7 @@ getauid(struct thread *td, struct getauid_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -428,7 +429,7 @@ setauid(struct thread *td, struct setauid_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
if (error)
return (error);
@@ -468,7 +469,7 @@ getaudit(struct thread *td, struct getaudit_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -489,7 +490,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
if (error)
return (error);
@@ -518,7 +519,7 @@ getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
return (ENOSYS);
@@ -533,7 +534,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
if (error)
return (error);
return (ENOSYS);
@@ -557,7 +558,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
if (jailed(td->td_ucred))
return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_CONTROL);
if (error)
return (error);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index eb602da..7279dc8 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/mac.h>
+#include <sys/priv.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/mount.h>
@@ -470,11 +471,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
}
/*
- * XXX: Note that this is a redundant privilege check, since
- * policies impose this check themselves if required by the
- * policy. Eventually, this should go away.
+ * XXX: Note that this is a redundant privilege check, since policies
+ * impose this check themselves if required by the policy.
+ * Eventually, this should go away.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
if (error) {
mac_ifnet_label_free(intlabel);
return (error);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 7db278c..f7c5670 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -596,6 +596,8 @@ typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
+typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
+typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
struct mac_policy_ops {
/*
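Review bot: The new `mpo_priv_check_t` and `mpo_priv_grant_t` typedefs, and the matching `mpo_priv_check` / `mpo_priv_grant` members added to `struct mac_policy_ops` in the next hunk, have identical signatures and no comment stating their return contract. A policy author who treats one as the other would turn a restriction into a grant or the reverse, and the compiler cannot catch it. I would add a short block comment above the two typedefs covering three things: what a zero and a non-zero return mean for each entry point, whether a grant from one policy can override a denial from another, and which of the two is consulted first.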
@@ -886,6 +888,8 @@ struct mac_policy_ops {
mpo_check_vnode_write_t mpo_check_vnode_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_priv_check_t mpo_priv_check;
+ mpo_priv_grant_t mpo_priv_grant;
};
/*
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index eef66e6..79108a3 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -60,6 +60,12 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
&mac_enforce_system, 0, "Enforce MAC policy on system operations");
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
+/*
+ * XXXRW: Some of these checks now duplicate privilege checks. However,
+ * others provide additional security context that may be useful to policies.
+ * We need to review these and remove ones that are pure duplicates.
+ */
+
int
mac_check_kenv_dump(struct ucred *cred)
{
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 7dec0d1..c32c514 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -456,6 +456,9 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
{
int error, i;
+ /*
+ * XXXRW: More specific privilege selection needed?
+ */
if (suser_cred(cred, 0) == 0)
return (0);
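Review bot: The added XXXRW comment in mac_bsdextended_check asks a question but does not record what the unconverted `suser_cred(cred, 0) == 0` test bypasses. As far as the hunk shows, a credential that passes it returns 0 before any rule is looked at; the rule loop itself is outside the hunk. This is also the only call in the directory left on `suser_cred()` by the sweep, so the comment should say so, for example `/* XXXRW: still suser_cred(); success here skips the whole ruleset. Choose a specific privilege when converting to priv(9). */`.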
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 07484d1..7ca6e77 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -48,6 +48,7 @@
#include <sys/malloc.h>
#include <sys/mman.h>
#include <sys/mount.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
@@ -1697,8 +1698,10 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
* Rely on the traditional superuser status for the LOMAC
* interface relabel requirements. XXXMAC: This will go
* away.
+ *
+ * XXXRW: This is also redundant to a higher layer check.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
if (error)
return (EPERM);
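Review bot: In mac_lomac_check_ifnet_relabel the value returned by the new `priv_check_cred(cred, PRIV_NET_SETIFMAC, 0)` call is discarded and replaced by `EPERM` at `if (error) return (EPERM);`. mac_ioctl_ifnet_set in mac_net.c checks the same privilege and returns `error` unchanged. That was harmless while the only failure was the superuser check, but a named privilege can fail for other reasons, and the two layers would then report different errors for the same denial. Either use `return (error);` here or extend the comment to say the mapping to `EPERM` is deliberate. The function body continues outside the hunk.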
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index fe3d8e8..5ce8d20 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -45,6 +45,7 @@
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
@@ -191,7 +192,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
* in a partition in the first place, but this didn't
* interact well with sendmail.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
}
return (error);
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 80cd053..5218531 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -66,6 +66,7 @@
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/queue.h>
@@ -427,7 +428,8 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
- error = suser_cred(cred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
+ SUSER_ALLOWJAIL);
return (error);
}
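Review bot: The exemption at the end of rules_check now depends on `PRIV_NETINET_RESERVEDPORT`, but the test is applied to whatever `port` was passed in and is still gated by a sysctl variable named `mac_portacl_suser_exempt`. If the rules can cover ports outside the reserved range (not visible in this hunk), a holder of that privilege is exempted from rules the privilege name does not suggest. I would document that above the call, for example `/* Exemption applies to every port checked against the rules, not only reserved ports. */`. It would also help to note that `SUSER_ALLOWJAIL` deliberately extends the exemption to jailed credentials.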
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index b15dc00..f8c02d2 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -46,6 +46,7 @@
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
@@ -126,7 +127,7 @@ mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
return (0);
if (suser_privileged) {
- if (suser_cred(u1, 0) == 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) == 0)
return (0);
}