From 10d0d9cf473dc5f0ce1bf263ead445ffe7819154 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 6 Nov 2006 13:42:10 +0000
Subject: Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov , Skip Ford , Antoine Brodin
---
 sys/security/audit/audit.c | 4 +++-
 sys/security/audit/audit_pipe.c | 6 +++---
 sys/security/audit/audit_syscalls.c | 19 ++++++++++---------
 sys/security/mac/mac_net.c | 9 +++++----
 sys/security/mac/mac_policy.h | 4 ++++
 sys/security/mac/mac_system.c | 6 ++++++
 sys/security/mac_bsdextended/mac_bsdextended.c | 3 +++
 sys/security/mac_lomac/mac_lomac.c | 5 ++++-
 sys/security/mac_partition/mac_partition.c | 3 ++-
 sys/security/mac_portacl/mac_portacl.c | 4 +++-
 sys/security/mac_seeotheruids/mac_seeotheruids.c | 3 ++-
 11 files changed, 45 insertions(+), 21 deletions(-)
(limited to 'sys/security')
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index bb6f929..c8121a0 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -509,7 +510,8 @@ audit_syscall_enter(unsigned short code, struct thread *td)
 * audit record is still required for this event by
 * re-calling au_preselect().
 */
- if (audit_in_failure && suser(td) != 0) {
+ if (audit_in_failure &&
+ priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) {
 cv_wait(&audit_fail_cv, &audit_mtx);
 panic("audit_failing_stop: thread continued");
 }
diff --git a/sys/security/audit/audit_pipe.c b/sys/security/audit/audit_pipe.c
index 6bea514..3cc41ef 100644
--- a/sys/security/audit/audit_pipe.c
+++ b/sys/security/audit/audit_pipe.c
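Review bot: The new `priv_check(td, PRIV_AUDIT_FAILSTOP)` in audit_syscall_enter() runs with audit_mtx apparently held (the cv_wait() on the following line sleeps on that mutex), and this same commit turns priv(9) into a hook point by adding mpo_priv_check/mpo_priv_grant to mac_policy_ops, so policy code may now execute at a spot where suser() previously only inspected the credential. Nothing in the hunk shows whether kern_priv.c already dispatches to those hooks or what they may do, but the constraint is worth recording so a future policy author does not block or re-enter the audit subsystem from here: `/* XXX: runs with audit_mtx held; confirm any MAC priv hook for PRIV_AUDIT_FAILSTOP is safe to call in this context. */`. audit_syscall_enter() begins and ends outside the hunk.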
@@ -626,9 +626,9 @@ audit_pipe_clone(void *arg, struct ucred *cred, char *name, int namelen,
 }
 /*
- * Audit pipe open method. Explicit suser check isn't used as this allows
- * file permissions on the special device to be used to grant audit review
- * access.
+ * Audit pipe open method. Explicit privilege check isn't used as this
+ * allows file permissions on the special device to be used to grant audit
+ * review access. Those file permissions should be managed carefully.
 */
 static int
 audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td)
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index fb55511..65772a8 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -32,6 +32,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -66,7 +67,7 @@ audit(struct thread *td, struct audit_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SUBMIT);
 if (error)
 return (error);
@@ -156,7 +157,7 @@ auditon(struct thread *td, struct auditon_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
 AUDIT_ARG(cmd, uap->cmd);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_CONTROL);
 if (error)
 return (error);
@@ -404,7 +405,7 @@ getauid(struct thread *td, struct getauid_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
 if (error)
 return (error);
@@ -428,7 +429,7 @@ setauid(struct thread *td, struct setauid_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
 if (error)
 return (error);
@@ -468,7 +469,7 @@ getaudit(struct thread *td, struct getaudit_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
 if (error)
 return (error);
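Review bot: In the auditon() hunk every subcommand is gated by the single PRIV_AUDIT_CONTROL, even though the call dispatches on uap->cmd (logged just above via `AUDIT_ARG(cmd, uap->cmd)`) and the neighbouring per-process entry points in this file are split into PRIV_AUDIT_GETAUDIT and PRIV_AUDIT_SETAUDIT. If some auditon(2) commands are read-only queries, a policy that grants PRIV_AUDIT_CONTROL to a monitoring role necessarily also hands it the state-changing commands. Until the check can move into the per-command switch, a comment above the call recording the coarse granularity would help, e.g. `/* XXX: one privilege covers every auditon(2) command, queries included. */`. The switch on uap->cmd lies outside the hunk.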
@@ -489,7 +490,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
 if (error)
 return (error);
@@ -518,7 +519,7 @@ getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_GETAUDIT);
 if (error)
 return (error);
 return (ENOSYS);
@@ -533,7 +534,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_SETAUDIT);
 if (error)
 return (error);
 return (ENOSYS);
@@ -557,7 +558,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
 if (jailed(td->td_ucred))
 return (ENOSYS);
- error = suser(td);
+ error = priv_check(td, PRIV_AUDIT_CONTROL);
 if (error)
 return (error);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index eb602da..7279dc8 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -470,11 +471,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
 }
 /*
- * XXX: Note that this is a redundant privilege check, since
- * policies impose this check themselves if required by the
- * policy. Eventually, this should go away.
+ * XXX: Note that this is a redundant privilege check, since policies
+ * impose this check themselves if required by the policy.
+ * Eventually, this should go away.
 */
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
 if (error) {
 mac_ifnet_label_free(intlabel);
 return (error);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 7db278c..f7c5670 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
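Review bot: In the mac_ioctl_ifnet_set() hunk the retained XXX comment still calls this a redundant check, but with `priv_check_cred(cred, PRIV_NET_SETIFMAC, 0)` replacing suser_cred() the outcome can now differ from "is root": if kern_priv.c consults the mpo_priv_check/mpo_priv_grant hooks this commit adds to mac_policy_ops, a policy can veto the relabel here before any policy's own relabel check runs, or grant it to a non-root credential that must then still satisfy the per-policy checks. That ordering is security-relevant and not visible from the comment as rewritten; a sentence such as `* XXX: policies may also deny or grant PRIV_NET_SETIFMAC via the priv hooks, which run before their relabel checks.` would capture it. The remainder of mac_ioctl_ifnet_set() is outside the hunk.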
@@ -596,6 +596,8 @@ typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp, struct label *label);
 typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
+typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
+typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
 struct mac_policy_ops {
 /*
@@ -886,6 +888,8 @@ struct mac_policy_ops {
 mpo_check_vnode_write_t mpo_check_vnode_write;
 mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
 mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_priv_check_t mpo_priv_check;
+ mpo_priv_grant_t mpo_priv_grant;
 };
 /*
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index eef66e6..79108a3 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -60,6 +60,12 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
 &mac_enforce_system, 0, "Enforce MAC policy on system operations");
 TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
+/*
+ * XXXRW: Some of these checks now duplicate privilege checks. However,
+ * others provide additional security context that may be useful to policies.
+ * We need to review these and remove ones that are pure duplicates.
+ */
+
 int
 mac_check_kenv_dump(struct ucred *cred)
 {
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 7dec0d1..c32c514 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -456,6 +456,9 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
 {
 int error, i;
+ /*
+ * XXXRW: More specific privilege selection needed?
+ */
 if (suser_cred(cred, 0) == 0)
 return (0);
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 07484d1..7ca6e77 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
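Review bot: The two new typedefs in mac_policy.h carry no comment on how their return values are interpreted, so a reader has to guess that mpo_priv_check returns an errno to deny and that mpo_priv_grant returns 0 to confer a privilege the credential would otherwise lack; a policy author who gets the grant convention backwards opens a privilege escalation rather than causing a denial. If that is indeed the contract kern_priv.c applies, document it on the declarations: `/* Veto a privilege: return an errno to deny, 0 to leave the decision to the remaining checks. */` above mpo_priv_check_t and `/* Grant a privilege: return 0 to allow a credential that would otherwise be refused; non-zero defers. */` above mpo_priv_grant_t. The struct members are appended at the tail of mac_policy_ops, presumably to keep existing policy modules layout-compatible; that intent is worth a word too. The struct itself starts and ends outside the hunk.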
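Review bot: In the mac_bsdextended.c hunk the call on the line after the new XXXRW comment is still `suser_cred(cred, 0) == 0`, making this the one site in the sweep that keeps the raw superuser shortcut: any uid-0 credential skips every ugidfw rule, and because priv(9) is bypassed the new MAC priv hooks never get a say, whereas the sibling policies converted in this commit (mac_seeotheruids, mac_partition) now go through priv_check_cred(). Even if no exact privilege exists yet, routing this through priv_check_cred() with the closest name from the existing PRIV_* set would let the framework reason about it uniformly, and the XXXRW question could then record which privilege was chosen and why. The enclosing mac_bsdextended_check() continues outside the hunk.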
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1697,8 +1698,10 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
 * Rely on the traditional superuser status for the LOMAC
 * interface relabel requirements. XXXMAC: This will go
 * away.
+ *
+ * XXXRW: This is also redundant to a higher layer check.
 */
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
 if (error)
 return (EPERM);
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index fe3d8e8..5ce8d20 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -191,7 +192,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 * in a partition in the first place, but this didn't
 * interact well with sendmail.
 */
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
 }
 return (error);
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 80cd053..5218531 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -66,6 +66,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -427,7 +428,8 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
 mtx_unlock(&rule_mtx);
 if (error != 0 && mac_portacl_suser_exempt != 0)
- error = suser_cred(cred, SUSER_ALLOWJAIL);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
+ SUSER_ALLOWJAIL);
 return (error);
 }
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index b15dc00..f8c02d2 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
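Review bot: In the mac_lomac_check_ifnet_relabel() hunk, `if (error) return (EPERM);` after the converted call discards whatever priv_check_cred() returned and substitutes EPERM, whereas the parallel conversion in mac_partition_check_cred_relabel in this same commit propagates the status with `return (error);`. Once MAC priv hooks can fail the check, flattening every outcome to EPERM hides the reason a policy reported; if the relabel path genuinely must report EPERM, a one-line comment saying so would stop the next reader from unifying it with the partition policy. The enclosing function starts outside the hunk.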
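Review bot: In the rules_check() hunk the exemption is now keyed on PRIV_NETINET_RESERVEDPORT, yet the function is called for an arbitrary `port`, and if the policy's configurable port range extends above the reserved range, any credential that passes for reserved-port binding (including one a policy grants through the new priv hooks, assuming priv(9) honours them) becomes exempt from every portacl rule, which is broader than the privilege's name suggests. The third argument also still passes the legacy SUSER_ALLOWJAIL constant into priv_check_cred(), and the controlling sysctl keeps its suser-era name mac_portacl_suser_exempt, so the code still reads as a superuser test although it no longer is one. A comment at the call, `/* XXX: reserved-port privilege stands in for "exempt from portacl"; a dedicated privilege would be narrower. */`, would flag the mismatch for the future tweaking the commit message anticipates; the port range and the sysctl are defined outside the hunk.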
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -126,7 +127,7 @@ mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
 return (0);
 if (suser_privileged) {
- if (suser_cred(u1, 0) == 0)
+ if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) == 0)
 return (0);
 }
--
cgit v1.1
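Review bot: The flag guarding the new `priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0)` is still named suser_privileged, so an administrator reading the sysctl will expect "root may see other uids" while the check can now also be satisfied by a non-root credential if a MAC policy grants PRIV_SEEOTHERUIDS through the mpo_priv_grant hook this commit introduces (assuming priv(9) consults it). Renaming the sysctl would break existing configurations, so a comment beside the check is the cheap fix: `/* "suser" is historical: this is a PRIV_SEEOTHERUIDS check, which policies may grant to non-root credentials. */`. The sysctl declaration and the rest of mac_seeotheruids_check() lie outside the hunk.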