-rw-r--r-- | sys/i386/i386/sys_machdep.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_linker.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_time.c | 14 | ||||
-rw-r--r-- | sys/nfsserver/nfs_syscalls.c | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 63 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 218 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 209 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 32 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 36 |
11 files changed, 387 insertions, 215 deletions
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c index f53f49a..738d77e 100644 --- a/sys/i386/i386/sys_machdep.c +++ b/sys/i386/i386/sys_machdep.c @@ -57,7 +57,6 @@ __FBSDID("$FreeBSD$"); #include <machine/sysarch.h> #include <security/audit/audit.h> -#include <security/mac/mac_framework.h> #include <vm/vm_kern.h> /* for kernel_map */ @@ -289,10 +288,6 @@ i386_set_ioperm(td, uap) int i, error; char *iomap; -#ifdef MAC - if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0) - return (error); -#endif if ((error = priv_check(td, PRIV_IO)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c index cdbc10b..d8150fe 100644 --- a/sys/kern/kern_linker.c +++ b/sys/kern/kern_linker.c @@ -562,11 +562,6 @@ linker_file_unload(linker_file_t file, int flags) /* Refuse to unload modules if securelevel raised. */ if (securelevel > 0) return (EPERM); -#ifdef MAC - error = mac_check_kld_unload(curthread->td_ucred); - if (error) - return (error); -#endif KLD_LOCK_ASSERT(); KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs)); diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 2a3df94..c434b93 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -32,8 +32,6 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); -#include "opt_mac.h" - #include <sys/param.h> #include <sys/systm.h> #include <sys/limits.h> @@ -56,8 +54,6 @@ __FBSDID("$FreeBSD$"); #include <sys/timetc.h> #include <sys/vnode.h> -#include <security/mac/mac_framework.h> - #include <vm/vm.h> #include <vm/vm_extern.h> @@ -272,11 +268,6 @@ kern_clock_settime(struct thread *td, clockid_t clock_id, struct timespec *ats) struct timeval atv; int error; -#ifdef MAC - error = mac_check_system_settime(td->td_ucred); - if (error) - return (error); -#endif if ((error = priv_check(td, PRIV_CLOCK_SETTIME)) != 0) return (error); if (clock_id != CLOCK_REALTIME) 
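Review bot: With `mac_check_sysarch_ioperm` removed, the only MAC enforcement left for I/O-port access is whatever the framework does inside `priv_check(td, PRIV_IO)`, and the diffstat at the top lists only the i386 copy of sys_machdep.c; if the amd64 `amd64_set_ioperm` (or any other in-tree caller) still invokes the now-undeclared `mac_check_sysarch_ioperm`, the MAC-enabled build breaks there, so that should be confirmed before commit. `PRIV_IO` does not appear in the Biba or LOMAC exemption lists added later in this diff, so for those two policies the effective decision is unchanged (privileged subjects only). A one-line comment above the `priv_check` call, `/* MAC policies see this request via the priv_check hook; no separate MAC entry point. */`, would stop a future reader from re-adding a framework check here. i386_set_ioperm continues past the hunk.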
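Review bot: `linker_file_unload` is not only the kldunload(2) path; it is also reached from the loader's own failure and dependency-teardown paths, so the removed `mac_check_kld_unload` was consulted on those internal unloads, whereas the `priv_check(PRIV_KLD_UNLOAD)` that presumably replaces it (not visible in this hunk) is consulted only on the user-initiated unload. That is arguably the intended narrowing, since an internal unload running with `curthread->td_ucred` could previously fail for reasons unrelated to the caller, but it is a behavior change worth stating in the commit message. The `securelevel > 0` refusal above the removed block still guards every path. The function body continues outside the hunk.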
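Review bot: Dropping `#include "opt_mac.h"` from kern_time.c means any `#ifdef MAC` block left elsewhere in the file now silently evaluates false and is compiled out, rather than failing the build; the two removals in this file are visible, but the hunks cannot show whether any other guarded code remains. A `grep -n MAC sys/kern/kern_time.c` before commit settles it, and the same check applies to nfs_syscalls.c below. `PRIV_CLOCK_SETTIME` and `PRIV_SETTIMEOFDAY` are absent from the Biba/LOMAC exemption lists added in this diff, so setting the clock still requires policy privilege under both, matching the removed `mac_check_system_settime` behavior.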
@@ -479,11 +470,6 @@ kern_settimeofday(struct thread *td, struct timeval *tv, struct timezone *tzp) { int error; -#ifdef MAC - error = mac_check_system_settime(td->td_ucred); - if (error) - return (error); -#endif error = priv_check(td, PRIV_SETTIMEOFDAY); if (error) return (error); diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c index ab247ea..4e0b468 100644 --- a/sys/nfsserver/nfs_syscalls.c +++ b/sys/nfsserver/nfs_syscalls.c @@ -36,7 +36,6 @@ __FBSDID("$FreeBSD$"); #include "opt_inet6.h" -#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -74,8 +73,6 @@ __FBSDID("$FreeBSD$"); #include <nfsserver/nfsm_subs.h> #include <nfsserver/nfsrvcache.h> -#include <security/mac/mac_framework.h> - static MALLOC_DEFINE(M_NFSSVC, "nfss_srvsock", "Nfs server structure"); MALLOC_DEFINE(M_NFSRVDESC, "nfss_srvdesc", "NFS server socket descriptor"); @@ -134,11 +131,6 @@ nfssvc(struct thread *td, struct nfssvc_args *uap) KASSERT(!mtx_owned(&Giant), ("nfssvc(): called with Giant")); -#ifdef MAC - error = mac_check_system_nfsd(td->td_ucred); - if (error) - return (error); -#endif error = priv_check(td, PRIV_NFS_DAEMON); if (error) return (error); diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index f127456..98b04c0 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -282,7 +282,6 @@ int mac_check_kenv_set(struct ucred *cred, char *name, char *value); int mac_check_kenv_unset(struct ucred *cred, char *name); int mac_check_kld_load(struct ucred *cred, struct vnode *vp); int mac_check_kld_stat(struct ucred *cred); -int mac_check_kld_unload(struct ucred *cred); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data); 
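Review bot: Same caveat as in kern_time.c: once `opt_mac.h` is no longer included, any remaining `#ifdef MAC` block in nfs_syscalls.c — for instance around a `mac_associate_nfsd_label()` call in the nfsd credential setup, if that code lives in this file — is silently compiled out instead of being reported by the compiler, and a MAC-enabled kernel would quietly stop labeling nfsd credentials. Confirm with a grep that no `MAC`-guarded code remains in the file, or keep the `opt_mac.h` include. `PRIV_NFS_DAEMON` is not exempted in the Biba/LOMAC lists below, so the `priv_check` that remains preserves the old privileged-only decision for those policies.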
@@ -335,14 +334,11 @@ int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); -int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); int mac_check_system_audit(struct ucred *cred, void *record, int length); int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp); int mac_check_system_auditon(struct ucred *cred, int cmd); -int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); -int mac_check_system_settime(struct ucred *cred); int mac_check_system_swapon(struct ucred *cred, struct vnode *vp); int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp); int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index ade77f6..451633f 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -420,7 +420,6 @@ typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name); typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp, struct label *vlabel); typedef int (*mpo_check_kld_stat_t)(struct ucred *cred); -typedef int (*mpo_check_kld_unload_t)(struct ucred *cred); typedef int (*mpo_mpo_placeholder19_t)(void); typedef int (*mpo_mpo_placeholder20_t)(void); typedef int (*mpo_check_mount_stat_t)(struct ucred *cred, 
@@ -505,7 +504,6 @@ typedef int (*mpo_check_socket_stat_t)(struct ucred *cred, struct socket *so, struct label *socketlabel); typedef int (*mpo_check_socket_visible_t)(struct ucred *cred, struct socket *so, struct label *socketlabel); -typedef int (*mpo_check_sysarch_ioperm_t)(struct ucred *cred); typedef int (*mpo_check_system_acct_t)(struct ucred *cred, struct vnode *vp, struct label *vlabel); typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record, @@ -513,9 +511,7 @@ typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record, typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd); -typedef int (*mpo_check_system_nfsd_t)(struct ucred *cred); typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto); -typedef int (*mpo_check_system_settime_t)(struct ucred *cred); typedef int (*mpo_check_system_swapon_t)(struct ucred *cred, struct vnode *vp, struct label *label); typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred, @@ -817,7 +813,6 @@ struct mac_policy_ops { mpo_check_kenv_unset_t mpo_check_kenv_unset; mpo_check_kld_load_t mpo_check_kld_load; mpo_check_kld_stat_t mpo_check_kld_stat; - mpo_check_kld_unload_t mpo_check_kld_unload; mpo_placeholder_t _mpo_placeholder19; mpo_placeholder_t _mpo_placeholder20; mpo_check_mount_stat_t mpo_check_mount_stat; 
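Review bot: Removing `mpo_check_kld_unload` here (and `mpo_check_sysarch_ioperm`, `mpo_check_system_nfsd`, `mpo_check_system_settime` in the next hunk) from `struct mac_policy_ops` shifts every later function pointer, which is exactly the layout the adjacent `_mpo_placeholder19`/`_mpo_placeholder20` slots appear to exist to reserve for policy modules built against older headers. Unless MAC_VERSION is bumped in the same commit (not visible here) so that registration rejects stale modules, a policy compiled against the old layout would have its hooks invoked through the wrong slots. The conservative alternative is to keep the removed members as placeholders, e.g. `mpo_placeholder_t _mpo_placeholder_kld_unload;`, rather than deleting them.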
@@ -862,14 +857,11 @@ struct mac_policy_ops { mpo_check_socket_send_t mpo_check_socket_send; mpo_check_socket_stat_t mpo_check_socket_stat; mpo_check_socket_visible_t mpo_check_socket_visible; - mpo_check_sysarch_ioperm_t mpo_check_sysarch_ioperm; mpo_check_system_acct_t mpo_check_system_acct; mpo_check_system_audit_t mpo_check_system_audit; mpo_check_system_auditctl_t mpo_check_system_auditctl; mpo_check_system_auditon_t mpo_check_system_auditon; - mpo_check_system_nfsd_t mpo_check_system_nfsd; mpo_check_system_reboot_t mpo_check_system_reboot; - mpo_check_system_settime_t mpo_check_system_settime; mpo_check_system_swapon_t mpo_check_system_swapon; mpo_check_system_swapoff_t mpo_check_system_swapoff; mpo_check_system_sysctl_t mpo_check_system_sysctl; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 32a9b79..07a975c 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. + * Copyright (c) 2007 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * Portions of this software were developed by Robert Watson for the + * TrustedBSD Project. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -29,6 +33,16 @@ * SUCH DAMAGE. */ +/* + * MAC Framework entry points relating to overall operation of system, + * including global services such as the kernel environment and loadable + * modules. + * + * System checks often align with existing privilege checks, but provide + * additional security context that may be relevant to policies, such as the + * specific object being operated on. + */ + #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); 
@@ -48,12 +62,6 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> -/* - * XXXRW: Some of these checks now duplicate privilege checks. However, - * others provide additional security context that may be useful to policies. - * We need to review these and remove ones that are pure duplicates. - */ - int mac_check_kenv_dump(struct ucred *cred) { @@ -117,25 +125,6 @@ mac_check_kld_stat(struct ucred *cred) } int -mac_check_kld_unload(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_kld_unload, cred); - - return (error); -} - -int -mac_check_sysarch_ioperm(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_sysarch_ioperm, cred); - return (error); -} - -int mac_check_system_acct(struct ucred *cred, struct vnode *vp) { int error; @@ -151,16 +140,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp) } int -mac_check_system_nfsd(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_system_nfsd, cred); - - return (error); -} - -int mac_check_system_reboot(struct ucred *cred, int howto) { int error; @@ -171,16 +150,6 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int -mac_check_system_settime(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_system_settime, cred); - - return (error); -} - -int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; @@ -203,8 +172,8 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) } int -mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, - int arg2, struct sysctl_req *req) +mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, + void *arg1, int arg2, struct sysctl_req *req) { int error; diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index abb817d..30dbf79 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c 
@@ -36,6 +36,7 @@ /* * Developed by the TrustedBSD Project. + * * Biba fixed label mandatory integrity policy. */ @@ -47,6 +48,7 @@ #include <sys/malloc.h> #include <sys/mman.h> #include <sys/mount.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/sbuf.h> #include <sys/systm.h> @@ -1913,19 +1915,6 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp, static int -mac_biba_check_kld_unload(struct ucred *cred) -{ - struct mac_biba *subj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(cred->cr_label); - - return (mac_biba_subject_privileged(subj)); -} - -static int mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { @@ -2259,8 +2248,13 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, return (0); } +/* + * Some system privileges are allowed regardless of integrity grade; others + * are allowed only when running with privilege with respect to the Biba + * policy as they might otherwise allow bypassing of the integrity policy. + */ static int -mac_biba_check_sysarch_ioperm(struct ucred *cred) +mac_biba_priv_check(struct ucred *cred, int priv) { struct mac_biba *subj; int error; 
@@ -2268,12 +2262,178 @@ mac_biba_check_sysarch_ioperm(struct ucred *cred) if (!mac_biba_enabled) return (0); - subj = SLOT(cred->cr_label); + /* + * Exempt only specific privileges from the Biba integrity policy. + */ + switch (priv) { + case PRIV_KTRACE: + case PRIV_MSGBUF: - error = mac_biba_subject_privileged(subj); - if (error) - return (error); + /* + * Allow processes to manipulate basic process audit properties, and + * to submit audit records. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + + /* + * Allow processes to manipulate their regular UNIX credentials. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Allow processes to perform system monitoring. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + break; + + /* + * Allow access to general process debugging facilities. We + * separately control debugging based on MAC label. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow manipulating jails. + */ + case PRIV_JAIL_ATTACH: + + /* + * Allow privilege with respect to the Partition policy, but not the + * Privs policy. + */ + case PRIV_MAC_PARTITION: + + /* + * Allow privilege with respect to process resource limits and login + * context. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * Allow System V and POSIX IPC privileges. + */ + case PRIV_IPC_READ: + case PRIV_IPC_WRITE: + case PRIV_IPC_ADMIN: + case PRIV_IPC_MSGSIZE: + case PRIV_MQ_ADMIN: + + /* + * Allow certain scheduler manipulations -- possibly this should be + * controlled by more fine-grained policy, as potentially low + * integrity processes can deny CPU to higher integrity ones. 
+ */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SCHED_SETPRIORITY: + case PRIV_SCHED_RTPRIO: + case PRIV_SCHED_SETPOLICY: + case PRIV_SCHED_SET: + case PRIV_SCHED_SETPARAM: + /* + * More IPC privileges. + */ + case PRIV_SEM_WRITE: + + /* + * Allow signaling privileges subject to integrity policy. + */ + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow access to only limited sysctls from lower integrity levels; + * piggy-back on the Jail definition. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow TTY-based privileges, subject to general device access using + * labels on TTY device nodes, but not console privilege. + */ + case PRIV_TTY_DRAINWAIT: + case PRIV_TTY_DTRWAIT: + case PRIV_TTY_EXCLUSIVE: + case PRIV_TTY_PRISON: + case PRIV_TTY_STI: + case PRIV_TTY_SETA: + + /* + * Grant most VFS privileges, as almost all are in practice bounded + * by more specific checks using labels. + */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_RETAINSUGID: + case PRIV_VFS_EXCEEDQUOTA: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_FHOPEN: + case PRIV_VFS_FHSTATFS: + case PRIV_VFS_GENERATION: + case PRIV_VFS_GETFH: + case PRIV_VFS_GETQUOTA: + case PRIV_VFS_LINK: + case PRIV_VFS_MOUNT: + case PRIV_VFS_MOUNT_OWNER: + case PRIV_VFS_MOUNT_PERM: + case PRIV_VFS_MOUNT_SUIDDIR: + case PRIV_VFS_MOUNT_NONUSER: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + case PRIV_VFS_SYSFLAGS: + case PRIV_VFS_UNMOUNT: + + /* + * Allow VM privileges; it would be nice if these were subject to + * resource limits. + */ + case PRIV_VM_MADV_PROTECT: + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + + /* + * Allow some but not all network privileges. In general, dont allow + * reconfiguring the network stack, just normal use. 
+ */ + case PRIV_NETATALK_RESERVEDPORT: + case PRIV_NETINET_RESERVEDPORT: + case PRIV_NETINET_RAW: + case PRIV_NETINET_REUSEPORT: + case PRIV_NETIPX_RESERVEDPORT: + case PRIV_NETIPX_RAW: + break; + + /* + * All remaining system privileges are allow only if the process + * holds privilege with respect to the Biba policy. + */ + default: + subj = SLOT(cred->cr_label); + error = mac_biba_subject_privileged(subj); + if (error) + return (error); + } return (0); } @@ -2348,24 +2508,6 @@ mac_biba_check_system_auditon(struct ucred *cred, int cmd) } static int -mac_biba_check_system_settime(struct ucred *cred) -{ - struct mac_biba *subj; - int error; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(cred->cr_label); - - error = mac_biba_subject_privileged(subj); - if (error) - return (error); - - return (0); -} - -static int mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -3226,7 +3368,6 @@ static struct mac_policy_ops mac_biba_ops = .mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl, .mpo_check_sysv_shmget = mac_biba_check_sysv_shmget, .mpo_check_kld_load = mac_biba_check_kld_load, - .mpo_check_kld_unload = mac_biba_check_kld_unload, .mpo_check_mount_stat = mac_biba_check_mount_stat, .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl, .mpo_check_pipe_poll = mac_biba_check_pipe_poll, 
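Review bot: `PRIV_VFS_MOUNT`, `PRIV_VFS_UNMOUNT` and the `PRIV_VFS_MOUNT_*` variants are placed in the exempt group under the comment that VFS privileges are "bounded by more specific checks using labels", but the only mount-related hook visible in the Biba ops table is `mpo_check_mount_stat`; if the framework has no mount/unmount label check, a subject without Biba privilege can unmount or shadow-mount a high-integrity part of the namespace, which is at least an availability loss for high-integrity subjects. Consider leaving those cases out of the exempt list so they fall to the `default:` `mac_biba_subject_privileged()` path, or add a comment stating why mount-point lookup checks are considered sufficient. Separately, the `break;` after `case PRIV_SEEOTHERUIDS:` makes the second, much longer run of labels read as a different outcome when it also just breaks; a single `break;` at the end of the exempt list, or a comment saying both groups are exempt, would read more honestly. The comments should also say `are allowed only` and `don't` rather than `are allow only` and `dont`.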
@@ -3246,11 +3387,9 @@ static struct mac_policy_ops mac_biba_ops = .mpo_check_socket_deliver = mac_biba_check_socket_deliver, .mpo_check_socket_relabel = mac_biba_check_socket_relabel, .mpo_check_socket_visible = mac_biba_check_socket_visible, - .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm, .mpo_check_system_acct = mac_biba_check_system_acct, .mpo_check_system_auditctl = mac_biba_check_system_auditctl, .mpo_check_system_auditon = mac_biba_check_system_auditon, - .mpo_check_system_settime = mac_biba_check_system_settime, .mpo_check_system_swapon = mac_biba_check_system_swapon, .mpo_check_system_swapoff = mac_biba_check_system_swapoff, .mpo_check_system_sysctl = mac_biba_check_system_sysctl, @@ -3287,6 +3426,7 @@ static struct mac_policy_ops mac_biba_ops = .mpo_check_vnode_write = mac_biba_check_vnode_write, .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label, .mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall, + .mpo_priv_check = mac_biba_priv_check, }; MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba", diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index d24e63f..c52cf70 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -36,6 +36,7 @@ /* * Developed by the TrustedBSD Project. + * * Low-watermark floating label mandatory integrity policy. */ @@ -1786,22 +1787,6 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_kld_unload(struct ucred *cred) -{ - struct mac_lomac *subj; - - if (!mac_lomac_enabled) - return (0); - - subj = SLOT(cred->cr_label); - - if (mac_lomac_subject_privileged(subj)) - return (EPERM); - - return (0); -} - -static int mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { 
@@ -2045,6 +2030,196 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket, return (0); } +/* + * Some system privileges are allowed regardless of integrity grade; others + * are allowed only when running with privilege with respect to the LOMAC + * policy as they might otherwise allow bypassing of the integrity policy. + */ +static int +mac_lomac_priv_check(struct ucred *cred, int priv) +{ + struct mac_lomac *subj; + int error; + + if (!mac_lomac_enabled) + return (0); + + /* + * Exempt only specific privileges from the LOMAC integrity policy. + */ + switch (priv) { + case PRIV_KTRACE: + case PRIV_MSGBUF: + + /* + * Allow processes to manipulate basic process audit properties, and + * to submit audit records. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + + /* + * Allow processes to manipulate their regular UNIX credentials. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Allow processes to perform system monitoring. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + break; + + /* + * Allow access to general process debugging facilities. We + * separately control debugging based on MAC label. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow manipulating jails. + */ + case PRIV_JAIL_ATTACH: + + /* + * Allow privilege with respect to the Partition policy, but not the + * Privs policy. + */ + case PRIV_MAC_PARTITION: + + /* + * Allow privilege with respect to process resource limits and login + * context. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * Allow System V and POSIX IPC privileges. 
+ */ + case PRIV_IPC_READ: + case PRIV_IPC_WRITE: + case PRIV_IPC_ADMIN: + case PRIV_IPC_MSGSIZE: + case PRIV_MQ_ADMIN: + + /* + * Allow certain scheduler manipulations -- possibly this should be + * controlled by more fine-grained policy, as potentially low + * integrity processes can deny CPU to higher integrity ones. + */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SCHED_SETPRIORITY: + case PRIV_SCHED_RTPRIO: + case PRIV_SCHED_SETPOLICY: + case PRIV_SCHED_SET: + case PRIV_SCHED_SETPARAM: + + /* + * More IPC privileges. + */ + case PRIV_SEM_WRITE: + + /* + * Allow signaling privileges subject to integrity policy. + */ + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow access to only limited sysctls from lower integrity levels; + * piggy-back on the Jail definition. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow TTY-based privileges, subject to general device access using + * labels on TTY device nodes, but not console privilege. + */ + case PRIV_TTY_DRAINWAIT: + case PRIV_TTY_DTRWAIT: + case PRIV_TTY_EXCLUSIVE: + case PRIV_TTY_PRISON: + case PRIV_TTY_STI: + case PRIV_TTY_SETA: + + /* + * Grant most VFS privileges, as almost all are in practice bounded + * by more specific checks using labels. 
+ */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_RETAINSUGID: + case PRIV_VFS_EXCEEDQUOTA: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_FHOPEN: + case PRIV_VFS_FHSTATFS: + case PRIV_VFS_GENERATION: + case PRIV_VFS_GETFH: + case PRIV_VFS_GETQUOTA: + case PRIV_VFS_LINK: + case PRIV_VFS_MOUNT: + case PRIV_VFS_MOUNT_OWNER: + case PRIV_VFS_MOUNT_PERM: + case PRIV_VFS_MOUNT_SUIDDIR: + case PRIV_VFS_MOUNT_NONUSER: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + case PRIV_VFS_SYSFLAGS: + case PRIV_VFS_UNMOUNT: + + /* + * Allow VM privileges; it would be nice if these were subject to + * resource limits. + */ + case PRIV_VM_MADV_PROTECT: + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + + /* + * Allow some but not all network privileges. In general, dont allow + * reconfiguring the network stack, just normal use. + */ + case PRIV_NETATALK_RESERVEDPORT: + case PRIV_NETINET_RESERVEDPORT: + case PRIV_NETINET_RAW: + case PRIV_NETINET_REUSEPORT: + case PRIV_NETIPX_RESERVEDPORT: + case PRIV_NETIPX_RAW: + break; + + /* + * All remaining system privileges are allow only if the process + * holds privilege with respect to the LOMAC policy. + */ + default: + subj = SLOT(cred->cr_label); + error = mac_lomac_subject_privileged(subj); + if (error) + return (error); + } + return (0); +} + + static int mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp, struct label *label) @@ -2748,7 +2923,6 @@ static struct mac_policy_ops mac_lomac_ops = .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver, .mpo_check_kld_load = mac_lomac_check_kld_load, - .mpo_check_kld_unload = mac_lomac_check_kld_unload, .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl, .mpo_check_pipe_read = mac_lomac_check_pipe_read, .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel, 
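Review bot: `mac_lomac_priv_check` is a line-for-line copy of `mac_biba_priv_check`, including the same exempt list and the same comment typos, so the two tables will drift silently the first time one of them is adjusted; since the two modules cannot share code, at least add `/* NOTE: keep this exemption list in sync with mac_biba_priv_check(). */` at the top of each switch. The question raised on the Biba version about exempting `PRIV_VFS_MOUNT`/`PRIV_VFS_UNMOUNT` without a visible mount/unmount label hook applies equally here, and the LOMAC ops table in this diff shows no mount-related hook at all. There is also a doubled blank line between the new function and `mac_lomac_check_system_acct`.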
@@ -2786,6 +2960,7 @@ static struct mac_policy_ops mac_lomac_ops = .mpo_check_vnode_write = mac_lomac_check_vnode_write, .mpo_thread_userret = mac_lomac_thread_userret, .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall, + .mpo_priv_check = mac_lomac_priv_check, }; MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC", diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 9e66145..b06c02b 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -781,13 +781,6 @@ stub_check_kld_stat(struct ucred *cred) } static int -stub_check_kld_unload(struct ucred *cred) -{ - - return (0); -} - -static int stub_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { @@ -1095,13 +1088,6 @@ stub_check_socket_visible(struct ucred *cred, struct socket *socket, } static int -stub_check_sysarch_ioperm(struct ucred *cred) -{ - - return (0); -} - -static int stub_check_system_acct(struct ucred *cred, struct vnode *vp, struct label *vlabel) { @@ -1132,13 +1118,6 @@ stub_check_system_auditon(struct ucred *cred, int cmd) } static int -stub_check_system_nfsd(struct ucred *cred) -{ - - return (0); -} - -static int stub_check_system_reboot(struct ucred *cred, int how) { @@ -1146,13 +1125,6 @@ stub_check_system_reboot(struct ucred *cred, int how) } static int -stub_check_system_settime(struct ucred *cred) -{ - - return (0); -} - -static int stub_check_system_swapoff(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1596,7 +1568,6 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_kenv_unset = stub_check_kenv_unset, .mpo_check_kld_load = stub_check_kld_load, .mpo_check_kld_stat = stub_check_kld_stat, - .mpo_check_kld_unload = stub_check_kld_unload, .mpo_check_mount_stat = stub_check_mount_stat, .mpo_check_pipe_ioctl = stub_check_pipe_ioctl, .mpo_check_pipe_poll = stub_check_pipe_poll, 
@@ -1637,14 +1608,11 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_socket_send = stub_check_socket_send, .mpo_check_socket_stat = stub_check_socket_stat, .mpo_check_socket_visible = stub_check_socket_visible, - .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm, .mpo_check_system_acct = stub_check_system_acct, .mpo_check_system_audit = stub_check_system_audit, .mpo_check_system_auditctl = stub_check_system_auditctl, .mpo_check_system_auditon = stub_check_system_auditon, - .mpo_check_system_nfsd = stub_check_system_nfsd, .mpo_check_system_reboot = stub_check_system_reboot, - .mpo_check_system_settime = stub_check_system_settime, .mpo_check_system_swapoff = stub_check_system_swapoff, .mpo_check_system_swapon = stub_check_system_swapon, .mpo_check_system_sysctl = stub_check_system_sysctl, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index d3cf5c6..5c53b15 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1536,17 +1536,6 @@ mac_test_check_kld_stat(struct ucred *cred) return (0); } -COUNTER_DECL(check_kld_unload); -static int -mac_test_check_kld_unload(struct ucred *cred) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kld_unload); - - return (0); -} - COUNTER_DECL(check_mount_stat); static int mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, @@ -1968,17 +1957,6 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, return (0); } -COUNTER_DECL(check_sysarch_ioperm); -static int -mac_test_check_sysarch_ioperm(struct ucred *cred) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysarch_ioperm); - - return (0); -} - COUNTER_DECL(check_system_acct); static int mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, 
@@ -2038,17 +2016,6 @@ mac_test_check_system_reboot(struct ucred *cred, int how) return (0); } -COUNTER_DECL(check_system_settime); -static int -mac_test_check_system_settime(struct ucred *cred) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_system_settime); - - return (0); -} - COUNTER_DECL(check_system_swapoff); static int mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, @@ -2645,7 +2612,6 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_kenv_unset = mac_test_check_kenv_unset, .mpo_check_kld_load = mac_test_check_kld_load, .mpo_check_kld_stat = mac_test_check_kld_stat, - .mpo_check_kld_unload = mac_test_check_kld_unload, .mpo_check_mount_stat = mac_test_check_mount_stat, .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, .mpo_check_pipe_poll = mac_test_check_pipe_poll, @@ -2685,13 +2651,11 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_socket_send = mac_test_check_socket_send, .mpo_check_socket_stat = mac_test_check_socket_stat, .mpo_check_socket_visible = mac_test_check_socket_visible, - .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, .mpo_check_system_acct = mac_test_check_system_acct, .mpo_check_system_audit = mac_test_check_system_audit, .mpo_check_system_auditctl = mac_test_check_system_auditctl, .mpo_check_system_auditon = mac_test_check_system_auditon, .mpo_check_system_reboot = mac_test_check_system_reboot, - .mpo_check_system_settime = mac_test_check_system_settime, .mpo_check_system_swapoff = mac_test_check_system_swapoff, .mpo_check_system_swapon = mac_test_check_system_swapon, .mpo_check_system_sysctl = mac_test_check_system_sysctl, |
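Review bot: These hunks drop the `check_kld_unload`, `check_sysarch_ioperm` and `check_system_settime` counters and their `LABEL_CHECK(cred->cr_label, MAGIC_CRED)` validation without adding anything for the `priv_check` path that now carries those decisions; unless mac_test already registers an `mpo_priv_check` with its own counter outside this diff, the replacement path loses both coverage and credential-label checking with this commit. The same applies to mac_stub, which gains no `.mpo_priv_check` here either. If such entries already exist, a sentence in the commit message saying so would spare the next reader the same check.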