authorrwatson <rwatson@FreeBSD.org>2003-03-06 04:47:47 +0000
committerrwatson <rwatson@FreeBSD.org>2003-03-06 04:47:47 +0000
commit7974609efe6613beae1bcfd4fd3819be79c5bc40 (patch)
tree8d2085967adb12a8e49ec975378d82e26b7c136e /sys/security
parent1d6788bfb79e60b1f5e19a600aa922df603c38ad (diff)
Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c12
-rw-r--r--sys/security/mac/mac_framework.h1
-rw-r--r--sys/security/mac/mac_internal.h12
-rw-r--r--sys/security/mac/mac_net.c12
-rw-r--r--sys/security/mac/mac_pipe.c12
-rw-r--r--sys/security/mac/mac_policy.h1
-rw-r--r--sys/security/mac/mac_process.c12
-rw-r--r--sys/security/mac/mac_syscalls.c12
-rw-r--r--sys/security/mac/mac_system.c12
-rw-r--r--sys/security/mac/mac_vfs.c12
10 files changed, 98 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
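Review bot: mac_check_sysarch_ioperm() is added with no comment saying which operations it mediates, and it passes only `cred` to the policies, so a policy can allow or deny privileged I/O access as a whole but cannot see which sysarch() operation or I/O range was requested. The commit message says only IOPL on i386 and HAE on Alpha are covered so far; I would record that above the function, e.g. `/* Called by MD sysarch() code before granting privileged I/O access (i386 IOPL, Alpha HAE); other platforms are not yet covered. */`, so policy authors do not assume complete mediation. The same comment should state that the check returns 0 without consulting any policy when `mac_enforce_system` is clear. The identical hunk is shown again for mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and the trailing mac_check_system_acct() continues outside the hunk.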
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 8e25d0d..c6b9c73 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -264,6 +264,7 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
+int mac_check_sysarch_ioperm(struct ucred *cred);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
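Review bot: A non-static definition of mac_check_sysarch_ioperm() in the header mac_internal.h, repeated byte-for-byte in mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, would give multiple external definitions of the same symbol at link time if these were independent changes. All of these sections carry the same `index a766006..6b2e653` line and the same `@@ -2623,6 +2623,18 @@` position as mac_framework.c, so this is probably one change displayed under several paths rather than eight copies; that should be confirmed against the tree at this commit. If the definition really does live in the header, it should be reduced to the prototype `int mac_check_sysarch_ioperm(struct ucred *cred);`.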
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index fc08f2a..d536f05 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -322,6 +322,7 @@ struct mac_policy_ops {
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
+ int (*mpo_check_sysarch_ioperm)(struct ucred *cred);
int (*mpo_check_system_acct)(struct ucred *cred,
struct vnode *vp, struct label *vlabel);
int (*mpo_check_system_nfsd)(struct ucred *cred);
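Review bot: `mpo_check_sysarch_ioperm` is inserted in the middle of `struct mac_policy_ops`, which shifts the offset of every member after it, from `mpo_check_system_acct` onward. If policy modules fill in or are read through this structure directly, a module built against the previous header would have its later entry points taken from the wrong slots, and for an access-control framework that means the wrong check being run or none at all. Nothing in this view shows a framework version bump or a registration-time check that rejects such a module; if one exists outside sys/security it is worth naming in the commit message. The struct itself starts and ends outside the hunk.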
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index a766006..6b2e653 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2623,6 +2623,18 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_sysarch_ioperm(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_sysarch_ioperm, cred);
+ return (error);
+}
+
+int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;