1*a9643ea8Slogwang /*-
2*a9643ea8Slogwang * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3*a9643ea8Slogwang * Copyright (c) 2006 SPARTA, Inc.
4*a9643ea8Slogwang * Copyright (c) 2007, 2009 Robert N. M. Watson
5*a9643ea8Slogwang * All rights reserved.
6*a9643ea8Slogwang *
7*a9643ea8Slogwang * This software was developed for the FreeBSD Project in part by Network
8*a9643ea8Slogwang * Associates Laboratories, the Security Research Division of Network
9*a9643ea8Slogwang * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
10*a9643ea8Slogwang * as part of the DARPA CHATS research program.
11*a9643ea8Slogwang *
12*a9643ea8Slogwang * Portions of this software were developed by Robert Watson for the
13*a9643ea8Slogwang * TrustedBSD Project.
14*a9643ea8Slogwang *
15*a9643ea8Slogwang * This software was enhanced by SPARTA ISSO under SPAWAR contract
16*a9643ea8Slogwang * N66001-04-C-6019 ("SEFOS").
17*a9643ea8Slogwang *
18*a9643ea8Slogwang * This software was developed at the University of Cambridge Computer
19*a9643ea8Slogwang * Laboratory with support from a grant from Google, Inc.
20*a9643ea8Slogwang *
21*a9643ea8Slogwang * Redistribution and use in source and binary forms, with or without
22*a9643ea8Slogwang * modification, are permitted provided that the following conditions
23*a9643ea8Slogwang * are met:
24*a9643ea8Slogwang * 1. Redistributions of source code must retain the above copyright
25*a9643ea8Slogwang * notice, this list of conditions and the following disclaimer.
26*a9643ea8Slogwang * 2. Redistributions in binary form must reproduce the above copyright
27*a9643ea8Slogwang * notice, this list of conditions and the following disclaimer in the
28*a9643ea8Slogwang * documentation and/or other materials provided with the distribution.
29*a9643ea8Slogwang *
30*a9643ea8Slogwang * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
31*a9643ea8Slogwang * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
32*a9643ea8Slogwang * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33*a9643ea8Slogwang * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
34*a9643ea8Slogwang * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35*a9643ea8Slogwang * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
36*a9643ea8Slogwang * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37*a9643ea8Slogwang * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
38*a9643ea8Slogwang * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39*a9643ea8Slogwang * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40*a9643ea8Slogwang * SUCH DAMAGE.
41*a9643ea8Slogwang */
42*a9643ea8Slogwang
43*a9643ea8Slogwang /*
44*a9643ea8Slogwang * MAC Framework entry points relating to overall operation of system,
45*a9643ea8Slogwang * including global services such as the kernel environment and loadable
46*a9643ea8Slogwang * modules.
47*a9643ea8Slogwang *
48*a9643ea8Slogwang * System checks often align with existing privilege checks, but provide
49*a9643ea8Slogwang * additional security context that may be relevant to policies, such as the
50*a9643ea8Slogwang * specific object being operated on.
51*a9643ea8Slogwang */
52*a9643ea8Slogwang
53*a9643ea8Slogwang #include <sys/cdefs.h>
54*a9643ea8Slogwang __FBSDID("$FreeBSD$");
55*a9643ea8Slogwang
56*a9643ea8Slogwang #include "opt_mac.h"
57*a9643ea8Slogwang
58*a9643ea8Slogwang #include <sys/param.h>
59*a9643ea8Slogwang #include <sys/kernel.h>
60*a9643ea8Slogwang #include <sys/lock.h>
61*a9643ea8Slogwang #include <sys/malloc.h>
62*a9643ea8Slogwang #include <sys/module.h>
63*a9643ea8Slogwang #include <sys/mutex.h>
64*a9643ea8Slogwang #include <sys/sdt.h>
65*a9643ea8Slogwang #include <sys/systm.h>
66*a9643ea8Slogwang #include <sys/vnode.h>
67*a9643ea8Slogwang #include <sys/sysctl.h>
68*a9643ea8Slogwang
69*a9643ea8Slogwang #include <security/mac/mac_framework.h>
70*a9643ea8Slogwang #include <security/mac/mac_internal.h>
71*a9643ea8Slogwang #include <security/mac/mac_policy.h>
72*a9643ea8Slogwang
73*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE1(kenv_check_dump, "struct ucred *");
74*a9643ea8Slogwang
75*a9643ea8Slogwang int
mac_kenv_check_dump(struct ucred * cred)76*a9643ea8Slogwang mac_kenv_check_dump(struct ucred *cred)
77*a9643ea8Slogwang {
78*a9643ea8Slogwang int error;
79*a9643ea8Slogwang
80*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(kenv_check_dump, cred);
81*a9643ea8Slogwang MAC_CHECK_PROBE1(kenv_check_dump, error, cred);
82*a9643ea8Slogwang
83*a9643ea8Slogwang return (error);
84*a9643ea8Slogwang }
85*a9643ea8Slogwang
86*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(kenv_check_get, "struct ucred *", "char *");
87*a9643ea8Slogwang
88*a9643ea8Slogwang int
mac_kenv_check_get(struct ucred * cred,char * name)89*a9643ea8Slogwang mac_kenv_check_get(struct ucred *cred, char *name)
90*a9643ea8Slogwang {
91*a9643ea8Slogwang int error;
92*a9643ea8Slogwang
93*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(kenv_check_get, cred, name);
94*a9643ea8Slogwang MAC_CHECK_PROBE2(kenv_check_get, error, cred, name);
95*a9643ea8Slogwang
96*a9643ea8Slogwang return (error);
97*a9643ea8Slogwang }
98*a9643ea8Slogwang
99*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE3(kenv_check_set, "struct ucred *", "char *",
100*a9643ea8Slogwang "char *");
101*a9643ea8Slogwang
102*a9643ea8Slogwang int
mac_kenv_check_set(struct ucred * cred,char * name,char * value)103*a9643ea8Slogwang mac_kenv_check_set(struct ucred *cred, char *name, char *value)
104*a9643ea8Slogwang {
105*a9643ea8Slogwang int error;
106*a9643ea8Slogwang
107*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(kenv_check_set, cred, name, value);
108*a9643ea8Slogwang MAC_CHECK_PROBE3(kenv_check_set, error, cred, name, value);
109*a9643ea8Slogwang
110*a9643ea8Slogwang return (error);
111*a9643ea8Slogwang }
112*a9643ea8Slogwang
113*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(kenv_check_unset, "struct ucred *", "char *");
114*a9643ea8Slogwang
115*a9643ea8Slogwang int
mac_kenv_check_unset(struct ucred * cred,char * name)116*a9643ea8Slogwang mac_kenv_check_unset(struct ucred *cred, char *name)
117*a9643ea8Slogwang {
118*a9643ea8Slogwang int error;
119*a9643ea8Slogwang
120*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(kenv_check_unset, cred, name);
121*a9643ea8Slogwang MAC_CHECK_PROBE2(kenv_check_unset, error, cred, name);
122*a9643ea8Slogwang
123*a9643ea8Slogwang return (error);
124*a9643ea8Slogwang }
125*a9643ea8Slogwang
126*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(kld_check_load, "struct ucred *", "struct vnode *");
127*a9643ea8Slogwang
128*a9643ea8Slogwang int
mac_kld_check_load(struct ucred * cred,struct vnode * vp)129*a9643ea8Slogwang mac_kld_check_load(struct ucred *cred, struct vnode *vp)
130*a9643ea8Slogwang {
131*a9643ea8Slogwang int error;
132*a9643ea8Slogwang
133*a9643ea8Slogwang ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
134*a9643ea8Slogwang
135*a9643ea8Slogwang MAC_POLICY_CHECK(kld_check_load, cred, vp, vp->v_label);
136*a9643ea8Slogwang MAC_CHECK_PROBE2(kld_check_load, error, cred, vp);
137*a9643ea8Slogwang
138*a9643ea8Slogwang return (error);
139*a9643ea8Slogwang }
140*a9643ea8Slogwang
141*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE1(kld_check_stat, "struct ucred *");
142*a9643ea8Slogwang
143*a9643ea8Slogwang int
mac_kld_check_stat(struct ucred * cred)144*a9643ea8Slogwang mac_kld_check_stat(struct ucred *cred)
145*a9643ea8Slogwang {
146*a9643ea8Slogwang int error;
147*a9643ea8Slogwang
148*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(kld_check_stat, cred);
149*a9643ea8Slogwang MAC_CHECK_PROBE1(kld_check_stat, error, cred);
150*a9643ea8Slogwang
151*a9643ea8Slogwang return (error);
152*a9643ea8Slogwang }
153*a9643ea8Slogwang
154*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(system_check_acct, "struct ucred *",
155*a9643ea8Slogwang "struct vnode *");
156*a9643ea8Slogwang
157*a9643ea8Slogwang int
mac_system_check_acct(struct ucred * cred,struct vnode * vp)158*a9643ea8Slogwang mac_system_check_acct(struct ucred *cred, struct vnode *vp)
159*a9643ea8Slogwang {
160*a9643ea8Slogwang int error;
161*a9643ea8Slogwang
162*a9643ea8Slogwang if (vp != NULL) {
163*a9643ea8Slogwang ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
164*a9643ea8Slogwang }
165*a9643ea8Slogwang
166*a9643ea8Slogwang MAC_POLICY_CHECK(system_check_acct, cred, vp,
167*a9643ea8Slogwang vp != NULL ? vp->v_label : NULL);
168*a9643ea8Slogwang MAC_CHECK_PROBE2(system_check_acct, error, cred, vp);
169*a9643ea8Slogwang
170*a9643ea8Slogwang return (error);
171*a9643ea8Slogwang }
172*a9643ea8Slogwang
173*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(system_check_reboot, "struct ucred *", "int");
174*a9643ea8Slogwang
175*a9643ea8Slogwang int
mac_system_check_reboot(struct ucred * cred,int howto)176*a9643ea8Slogwang mac_system_check_reboot(struct ucred *cred, int howto)
177*a9643ea8Slogwang {
178*a9643ea8Slogwang int error;
179*a9643ea8Slogwang
180*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(system_check_reboot, cred, howto);
181*a9643ea8Slogwang MAC_CHECK_PROBE2(system_check_reboot, error, cred, howto);
182*a9643ea8Slogwang
183*a9643ea8Slogwang return (error);
184*a9643ea8Slogwang }
185*a9643ea8Slogwang
186*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(system_check_swapon, "struct ucred *",
187*a9643ea8Slogwang "struct vnode *");
188*a9643ea8Slogwang
189*a9643ea8Slogwang int
mac_system_check_swapon(struct ucred * cred,struct vnode * vp)190*a9643ea8Slogwang mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
191*a9643ea8Slogwang {
192*a9643ea8Slogwang int error;
193*a9643ea8Slogwang
194*a9643ea8Slogwang ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
195*a9643ea8Slogwang
196*a9643ea8Slogwang MAC_POLICY_CHECK(system_check_swapon, cred, vp, vp->v_label);
197*a9643ea8Slogwang MAC_CHECK_PROBE2(system_check_swapon, error, cred, vp);
198*a9643ea8Slogwang
199*a9643ea8Slogwang return (error);
200*a9643ea8Slogwang }
201*a9643ea8Slogwang
202*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE2(system_check_swapoff, "struct ucred *",
203*a9643ea8Slogwang "struct vnode *");
204*a9643ea8Slogwang
205*a9643ea8Slogwang int
mac_system_check_swapoff(struct ucred * cred,struct vnode * vp)206*a9643ea8Slogwang mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
207*a9643ea8Slogwang {
208*a9643ea8Slogwang int error;
209*a9643ea8Slogwang
210*a9643ea8Slogwang ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
211*a9643ea8Slogwang
212*a9643ea8Slogwang MAC_POLICY_CHECK(system_check_swapoff, cred, vp, vp->v_label);
213*a9643ea8Slogwang MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp);
214*a9643ea8Slogwang
215*a9643ea8Slogwang return (error);
216*a9643ea8Slogwang }
217*a9643ea8Slogwang
218*a9643ea8Slogwang MAC_CHECK_PROBE_DEFINE3(system_check_sysctl, "struct ucred *",
219*a9643ea8Slogwang "struct sysctl_oid *", "struct sysctl_req *");
220*a9643ea8Slogwang
221*a9643ea8Slogwang int
mac_system_check_sysctl(struct ucred * cred,struct sysctl_oid * oidp,void * arg1,int arg2,struct sysctl_req * req)222*a9643ea8Slogwang mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
223*a9643ea8Slogwang void *arg1, int arg2, struct sysctl_req *req)
224*a9643ea8Slogwang {
225*a9643ea8Slogwang int error;
226*a9643ea8Slogwang
227*a9643ea8Slogwang /*
228*a9643ea8Slogwang * XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
229*a9643ea8Slogwang * but since it's not exported from kern_sysctl.c, we can't.
230*a9643ea8Slogwang */
231*a9643ea8Slogwang MAC_POLICY_CHECK_NOSLEEP(system_check_sysctl, cred, oidp, arg1, arg2,
232*a9643ea8Slogwang req);
233*a9643ea8Slogwang MAC_CHECK_PROBE3(system_check_sysctl, error, cred, oidp, req);
234*a9643ea8Slogwang
235*a9643ea8Slogwang return (error);
236*a9643ea8Slogwang }
237