From owner-p4-projects Fri Nov 15 10:46:26 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 7DB0737B406; Fri, 15 Nov 2002 10:46:08 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1363A37B404 for ; Fri, 15 Nov 2002 10:46:08 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9196C43E75 for ; Fri, 15 Nov 2002 10:46:07 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id gAFIhTmV019178 for ; Fri, 15 Nov 2002 10:43:29 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id gAFIhTNU019175 for perforce@freebsd.org; Fri, 15 Nov 2002 10:43:29 -0800 (PST) Date: Fri, 15 Nov 2002 10:43:29 -0800 (PST) Message-Id: <200211151843.gAFIhTNU019175@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f 
From: Brian Feldman Subject: PERFORCE change 21079 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=21079 Change 21079 by green@green_laptop_2 on 2002/11/15 10:43:26 Add three new checks for kernel modules: mac_check_kldload(cred, vnode) mac_check_kldunload(cred) mac_check_kldobserve(cred) There's a lot of extra information that could be given to policies but it's decidedly all unimportant. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#15 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#361 edit .. //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#13 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#186 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#40 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#108 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#84 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#217 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#171 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#15 (text+ko) ==== @@ -27,6 +27,7 @@ */ #include "opt_ddb.h" +#include "opt_mac.h" #include #include @@ -38,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -474,6 +476,11 @@ /* Refuse to unload modules if securelevel raised. */ if (securelevel > 0) return (EPERM); +#ifdef MAC + error = mac_check_system_kldunload(curthread->td_ucred); + if (error) + return (error); +#endif KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs)); if (file->refs == 1) { 
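Review bot: The new `mac_check_system_kldunload()` call in the `@@ -474` hunk sits inside the unload routine itself (the `KLD_DPF` string names it `linker_file_unload`) rather than in the system-call handler, so every in-kernel caller of that routine is also judged against `curthread->td_ucred`. If the routine is also used to back out a partially loaded file or to drop a dependency reference (inferred, since the callers are outside the hunk), a policy denial there would leave the file loaded. The securelevel test just above has the same placement, so this may be deliberate, but it deserves a comment such as `/* MAC may veto any unload, including kernel-internal ones. */`, or the check should move to the syscall entry point. The function starts and ends outside the hunk.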
@@ -824,6 +831,12 @@ linker_file_t lf; int error = 0; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif + mtx_lock(&Giant); td->td_retval[0] = -1; @@ -854,6 +867,12 @@ linker_file_t lf; int error = 0; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif + mtx_lock(&Giant); if (SCARG(uap, fileid) == 0) { @@ -889,6 +908,12 @@ int namelen, version; struct kld_file_stat *stat; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif + mtx_lock(&Giant); lf = linker_find_file_by_id(SCARG(uap, fileid)); @@ -938,6 +963,12 @@ module_t mp; int error = 0; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif + mtx_lock(&Giant); lf = linker_find_file_by_id(SCARG(uap, fileid)); if (lf) { @@ -967,6 +998,12 @@ struct kld_sym_lookup lookup; int error = 0; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif + mtx_lock(&Giant); if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0) @@ -1800,6 +1837,11 @@ linker_file_t lf; int error; +#ifdef MAC + error = mac_check_system_kldobserve(curthread->td_ucred); + if (error) + return (error); +#endif sysctl_wire_old_buffer(req, 0); mtx_lock(&kld_mtx); TAILQ_FOREACH(lf, &linker_files, link) { ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#361 (text+ko) ==== 
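Review bot: The `@@ -824` hunk checks `curthread->td_ucred` although the handler already has its thread pointer in scope (`td->td_retval[0] = -1;` follows directly); `error = mac_check_system_kldobserve(td->td_ucred);` would tie the decision to the thread the call was made for. The same block is repeated in the `@@ -854`, `@@ -889`, `@@ -938`, `@@ -967` and `@@ -1800` hunks, and the same change applies wherever `td` is available. The `@@ -967` hunk guards a symbol lookup (`struct kld_sym_lookup`), which presumably returns kernel symbol addresses rather than just module names; with one shared `kldobserve` entry point a policy cannot allow listing while denying address disclosure, so a comment stating that this grouping is intended would help. All six functions begin and end outside their hunks.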
@@ -2592,6 +2592,50 @@ } int +mac_check_system_kldload(struct ucred *cred, struct vnode *vp) +{ + int error; + + if (vp != NULL) { + ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); + } + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_kldload, cred, vp, + vp != NULL ? &vp->v_label : NULL); + + return (error); +} + +int +mac_check_system_kldobserve(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_kldobserve, cred); + + return (error); +} + +int +mac_check_system_kldunload(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_kldunload, cred); + + return (error); +} + +int mac_check_system_nfsd(struct ucred *cred) { int error; ==== //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#13 (text+ko) ==== @@ -27,11 +27,13 @@ */ #include "opt_ddb.h" +#include "opt_mac.h" #include #include #include #include +#include #include #include #include @@ -556,6 +558,13 @@ if (error) return error; NDFREE(&nd, NDF_ONLY_PNBUF); +#ifdef MAC + error = mac_check_system_kldload(curthread->td_ucred, nd.ni_vp); + if (error) { + firstpage = NULL; + goto out; + } +#endif /* * Read the elf header from the file. ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#186 (text+ko) ==== 
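Review bot: The lock assertion in `mac_check_system_kldload()` carries the wrong name: `ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");` appears to be copied from the accounting check, so a failed assertion would point at the wrong function. It should read `ASSERT_VOP_LOCKED(vp, "mac_check_system_kldload");`. The wrapper hands policies a NULL `vp` and a NULL label when no vnode is supplied, so a comment above it such as `/* vp and its label may be NULL; policies must handle that case. */` would make the contract explicit.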
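Review bot: The load check in the `link_elf.c` `@@ -556` hunk is added only to this ELF file loader, after the file has been looked up. Any other image loader or load path that does not pass through this function would never reach `mac_check_system_kldload()`; that is not visible here and is worth confirming, and a check in the common linker path would cover all of them. On denial the code sets `firstpage = NULL` and jumps to `out`, which is outside the hunk; that cleanup has to release `nd.ni_vp`, which is presumably still locked and open at this point. A comment such as `/* Policy check needs the locked vnode, so it runs after the open. */` would explain the placement.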
@@ -1861,6 +1861,45 @@ } static int +mac_biba_check_system_kldload(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + int error; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + + error = mac_biba_subject_privileged(subj); + if (error) + return (error); + + obj = SLOT(label); + if (!mac_biba_high_single(obj)) + return (EACCES); + + return (0); +} + + +static int +mac_biba_check_system_kldunload(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + + return (mac_biba_subject_privileged(subj)); +} + + +static int mac_biba_check_system_settime(struct ucred *cred) { struct mac_biba *subj; @@ -2630,6 +2669,8 @@ .mpo_check_socket_relabel = mac_biba_check_socket_relabel, .mpo_check_socket_visible = mac_biba_check_socket_visible, .mpo_check_system_acct = mac_biba_check_system_acct, + .mpo_check_system_kldload = mac_biba_check_system_kldload, + .mpo_check_system_kldunload = mac_biba_check_system_kldunload, .mpo_check_system_settime = mac_biba_check_system_settime, .mpo_check_system_swapon = mac_biba_check_system_swapon, .mpo_check_system_sysctl = mac_biba_check_system_sysctl, ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#40 (text+ko) ==== 
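Review bot: `mac_biba_check_system_kldunload()` is defined with three parameters (`cred`, `vp`, `label`), but the `mpo_check_system_kldunload` slot added to `mac_policy.h` takes only `struct ucred *cred` and the framework invokes it as `MAC_CHECK(check_system_kldunload, cred)`. The definition should be `mac_biba_check_system_kldunload(struct ucred *cred)`, so the table assignment in the `@@ -2630` hunk has a matching type. In `mac_biba_check_system_kldload()`, `obj = SLOT(label);` runs without a NULL test, although `mac_check_system_kldload()` passes a NULL label when `vp` is NULL. Unless `SLOT()` tolerates NULL (its definition is not shown), make the decision explicit before it, for example `if (label == NULL) return (EACCES);`. `mac_lomac_check_system_kldload()` has the same unguarded `SLOT(label)`.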
@@ -1998,6 +1998,44 @@ } static int +mac_lomac_check_system_kldload(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_lomac *subj, *obj; + + if (!mac_lomac_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (mac_lomac_subject_privileged(subj)) + return (EPERM); + + if (!mac_lomac_high_single(obj)) + return (EACCES); + + return (0); +} + +static int +mac_lomac_check_system_kldunload(struct ucred *cred) +{ + struct mac_lomac *subj; + + if (!mac_lomac_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + + if (mac_lomac_subject_privileged(subj)) + return (EPERM); + + return (0); +} + + +static int mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2668,6 +2706,8 @@ .mpo_check_socket_deliver = mac_lomac_check_socket_deliver, .mpo_check_socket_relabel = mac_lomac_check_socket_relabel, .mpo_check_socket_visible = mac_lomac_check_socket_visible, + .mpo_check_system_kldload = mac_lomac_check_system_kldload, + .mpo_check_system_kldunload = mac_lomac_check_system_kldunload, .mpo_check_system_swapon = mac_lomac_check_system_swapon, .mpo_check_system_sysctl = mac_lomac_check_system_sysctl, .mpo_check_vnode_access = mac_lomac_check_vnode_open, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#108 (text+ko) ==== @@ -652,6 +652,28 @@ } static int +mac_none_check_system_kldload(struct ucred *cred, struct vnode *vp, + struct label *vlabel) +{ + + return (0); +} + +static int +mac_none_check_system_kldobserve(struct ucred *cred) +{ + + return (0); +} + +static int +mac_none_check_system_kldunload(struct ucred *cred) +{ + + return (0); +} + +static int mac_none_check_system_reboot(struct ucred *cred, int how) { 
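Review bot: Both new LOMAC checks in the `@@ -1998` hunk test `if (mac_lomac_subject_privileged(subj)) return (EPERM);`, which reads as "deny when privileged". If the helper follows the convention visible in the Biba code of this change (0 for a privileged subject, an errno otherwise), the logic is correct, but the name hides that and the helper's own error code is discarded. Writing `error = mac_lomac_subject_privileged(subj); if (error) return (error);` would match Biba and remove the ambiguity. If the helper instead returns true for a privileged subject, the test is inverted and must be negated; its definition is outside the hunk, so this needs confirming.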
@@ -1034,6 +1056,9 @@ .mpo_check_socket_relabel = mac_none_check_socket_relabel, .mpo_check_socket_visible = mac_none_check_socket_visible, .mpo_check_system_acct = mac_none_check_system_acct, + .mpo_check_system_kldload = mac_none_check_system_kldload, + .mpo_check_system_kldobserve = mac_none_check_system_kldobserve, + .mpo_check_system_kldunload = mac_none_check_system_kldunload, .mpo_check_system_reboot = mac_none_check_system_reboot, .mpo_check_system_settime = mac_none_check_system_settime, .mpo_check_system_swapon = mac_none_check_system_swapon, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#84 (text+ko) ==== @@ -1048,6 +1048,28 @@ } static int +mac_test_check_system_kldload(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_test_check_system_kldobserve(struct ucred *cred) +{ + + return (0); +} + +static int +mac_test_check_system_kldunload(struct ucred *cred) +{ + + return (0); +} + +static int mac_test_check_system_reboot(struct ucred *cred, int how) { @@ -1431,6 +1453,9 @@ .mpo_check_socket_relabel = mac_test_check_socket_relabel, .mpo_check_socket_visible = mac_test_check_socket_visible, .mpo_check_system_acct = mac_test_check_system_acct, + .mpo_check_system_kldload = mac_test_check_system_kldload, + .mpo_check_system_kldobserve = mac_test_check_system_kldobserve, + .mpo_check_system_kldunload = mac_test_check_system_kldunload, .mpo_check_system_reboot = mac_test_check_system_reboot, .mpo_check_system_settime = mac_test_check_system_settime, .mpo_check_system_swapon = mac_test_check_system_swapon, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#217 (text+ko) ==== 
@@ -260,6 +260,9 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); +int mac_check_system_kldload(struct ucred *cred, struct vnode *vp); +int mac_check_system_kldobserve(struct ucred *cred); +int mac_check_system_kldunload(struct ucred *cred); int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); int mac_check_system_settime(struct ucred *cred); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#171 (text+ko) ==== @@ -317,6 +317,10 @@ struct socket *so, struct label *socketlabel); int (*mpo_check_system_acct)(struct ucred *cred, struct vnode *vp, struct label *vlabel); + int (*mpo_check_system_kldload)(struct ucred *cred, + struct vnode *vp, struct label *vlabel); + int (*mpo_check_system_kldobserve)(struct ucred *cred); + int (*mpo_check_system_kldunload)(struct ucred *cred); int (*mpo_check_system_nfsd)(struct ucred *cred); int (*mpo_check_system_reboot)(struct ucred *cred, int howto); int (*mpo_check_system_settime)(struct ucred *cred); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message