| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: secmodel_suser.c,v 1.20 2009/10/03 01:46:39 elad Exp $ */ | | 1 | /* $NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $ */ |
2 | /*- | | 2 | /*- |
3 | * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> | | 3 | * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> |
4 | * All rights reserved. | | 4 | * All rights reserved. |
5 | * | | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | | 7 | * modification, are permitted provided that the following conditions |
8 | * are met: | | 8 | * are met: |
9 | * 1. Redistributions of source code must retain the above copyright | | 9 | * 1. Redistributions of source code must retain the above copyright |
10 | * notice, this list of conditions and the following disclaimer. | | 10 | * notice, this list of conditions and the following disclaimer. |
11 | * 2. Redistributions in binary form must reproduce the above copyright | | 11 | * 2. Redistributions in binary form must reproduce the above copyright |
12 | * notice, this list of conditions and the following disclaimer in the | | 12 | * notice, this list of conditions and the following disclaimer in the |
13 | * documentation and/or other materials provided with the distribution. | | 13 | * documentation and/or other materials provided with the distribution. |
14 | * 3. The name of the author may not be used to endorse or promote products | | 14 | * 3. The name of the author may not be used to endorse or promote products |
| @@ -28,48 +28,48 @@ | | | @@ -28,48 +28,48 @@ |
28 | | | 28 | |
29 | /* | | 29 | /* |
30 | * This file contains kauth(9) listeners needed to implement the traditional | | 30 | * This file contains kauth(9) listeners needed to implement the traditional |
31 | * NetBSD superuser access restrictions. | | 31 | * NetBSD superuser access restrictions. |
32 | * | | 32 | * |
33 | * There are two main resources a request can be issued to: user-owned and | | 33 | * There are two main resources a request can be issued to: user-owned and |
34 | * system owned. For the first, traditional Unix access checks are done, as | | 34 | * system owned. For the first, traditional Unix access checks are done, as |
35 | * well as superuser checks. If needed, the request context is examined before | | 35 | * well as superuser checks. If needed, the request context is examined before |
36 | * a decision is made. For the latter, usually only superuser checks are done | | 36 | * a decision is made. For the latter, usually only superuser checks are done |
37 | * as normal users are not allowed to access system resources. | | 37 | * as normal users are not allowed to access system resources. |
38 | */ | | 38 | */ |
39 | | | 39 | |
40 | #include <sys/cdefs.h> | | 40 | #include <sys/cdefs.h> |
41 | __KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.20 2009/10/03 01:46:39 elad Exp $"); | | 41 | __KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $"); |
42 | | | 42 | |
43 | #include <sys/types.h> | | 43 | #include <sys/types.h> |
44 | #include <sys/param.h> | | 44 | #include <sys/param.h> |
45 | #include <sys/kauth.h> | | 45 | #include <sys/kauth.h> |
46 | | | 46 | |
47 | #include <sys/mutex.h> | | 47 | #include <sys/mutex.h> |
48 | #include <sys/mount.h> | | 48 | #include <sys/mount.h> |
49 | #include <sys/socketvar.h> | | 49 | #include <sys/socketvar.h> |
50 | #include <sys/sysctl.h> | | 50 | #include <sys/sysctl.h> |
51 | #include <sys/vnode.h> | | 51 | #include <sys/vnode.h> |
52 | #include <sys/proc.h> | | 52 | #include <sys/proc.h> |
53 | #include <sys/uidinfo.h> | | 53 | #include <sys/uidinfo.h> |
54 | #include <sys/module.h> | | 54 | #include <sys/module.h> |
55 | | | 55 | |
56 | #include <miscfs/procfs/procfs.h> | | 56 | #include <miscfs/procfs/procfs.h> |
57 | | | 57 | |
58 | #include <secmodel/suser/suser.h> | | 58 | #include <secmodel/suser/suser.h> |
59 | | | 59 | |
60 | MODULE(MODULE_CLASS_SECMODEL, suser, NULL); | | 60 | MODULE(MODULE_CLASS_SECMODEL, suser, NULL); |
61 | | | 61 | |
62 | static int secmodel_bsd44_curtain; | | 62 | static int secmodel_suser_curtain; |
63 | /* static */ int dovfsusermount; | | 63 | /* static */ int dovfsusermount; |
64 | | | 64 | |
65 | static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep, | | 65 | static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep, |
66 | l_device, l_vnode; | | 66 | l_device, l_vnode; |
67 | | | 67 | |
68 | static struct sysctllog *suser_sysctl_log; | | 68 | static struct sysctllog *suser_sysctl_log; |
69 | | | 69 | |
70 | void | | 70 | void |
71 | sysctl_security_suser_setup(struct sysctllog **clog) | | 71 | sysctl_security_suser_setup(struct sysctllog **clog) |
72 | { | | 72 | { |
73 | const struct sysctlnode *rnode; | | 73 | const struct sysctlnode *rnode; |
74 | | | 74 | |
75 | sysctl_createv(clog, 0, NULL, &rnode, | | 75 | sysctl_createv(clog, 0, NULL, &rnode, |
| @@ -91,50 +91,50 @@ sysctl_security_suser_setup(struct sysct | | | @@ -91,50 +91,50 @@ sysctl_security_suser_setup(struct sysct |
91 | CTL_CREATE, CTL_EOL); | | 91 | CTL_CREATE, CTL_EOL); |
92 | | | 92 | |
93 | sysctl_createv(clog, 0, &rnode, NULL, | | 93 | sysctl_createv(clog, 0, &rnode, NULL, |
94 | CTLFLAG_PERMANENT, | | 94 | CTLFLAG_PERMANENT, |
95 | CTLTYPE_STRING, "name", NULL, | | 95 | CTLTYPE_STRING, "name", NULL, |
96 | NULL, 0, __UNCONST("Traditional NetBSD: Superuser"), 0, | | 96 | NULL, 0, __UNCONST("Traditional NetBSD: Superuser"), 0, |
97 | CTL_CREATE, CTL_EOL); | | 97 | CTL_CREATE, CTL_EOL); |
98 | | | 98 | |
99 | sysctl_createv(clog, 0, &rnode, NULL, | | 99 | sysctl_createv(clog, 0, &rnode, NULL, |
100 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, | | 100 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
101 | CTLTYPE_INT, "curtain", | | 101 | CTLTYPE_INT, "curtain", |
102 | SYSCTL_DESCR("Curtain information about objects to "\ | | 102 | SYSCTL_DESCR("Curtain information about objects to "\ |
103 | "users not owning them."), | | 103 | "users not owning them."), |
104 | NULL, 0, &secmodel_bsd44_curtain, 0, | | 104 | NULL, 0, &secmodel_suser_curtain, 0, |
105 | CTL_CREATE, CTL_EOL); | | 105 | CTL_CREATE, CTL_EOL); |
106 | | | 106 | |
107 | sysctl_createv(clog, 0, &rnode, NULL, | | 107 | sysctl_createv(clog, 0, &rnode, NULL, |
108 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, | | 108 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
109 | CTLTYPE_INT, "usermount", | | 109 | CTLTYPE_INT, "usermount", |
110 | SYSCTL_DESCR("Whether unprivileged users may mount " | | 110 | SYSCTL_DESCR("Whether unprivileged users may mount " |
111 | "filesystems"), | | 111 | "filesystems"), |
112 | NULL, 0, &dovfsusermount, 0, | | 112 | NULL, 0, &dovfsusermount, 0, |
113 | CTL_CREATE, CTL_EOL); | | 113 | CTL_CREATE, CTL_EOL); |
114 | | | 114 | |
115 | /* Compatibility: security.curtain */ | | 115 | /* Compatibility: security.curtain */ |
116 | sysctl_createv(clog, 0, NULL, &rnode, | | 116 | sysctl_createv(clog, 0, NULL, &rnode, |
117 | CTLFLAG_PERMANENT, | | 117 | CTLFLAG_PERMANENT, |
118 | CTLTYPE_NODE, "security", NULL, | | 118 | CTLTYPE_NODE, "security", NULL, |
119 | NULL, 0, NULL, 0, | | 119 | NULL, 0, NULL, 0, |
120 | CTL_SECURITY, CTL_EOL); | | 120 | CTL_SECURITY, CTL_EOL); |
121 | | | 121 | |
122 | sysctl_createv(clog, 0, &rnode, NULL, | | 122 | sysctl_createv(clog, 0, &rnode, NULL, |
123 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, | | 123 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
124 | CTLTYPE_INT, "curtain", | | 124 | CTLTYPE_INT, "curtain", |
125 | SYSCTL_DESCR("Curtain information about objects to "\ | | 125 | SYSCTL_DESCR("Curtain information about objects to "\ |
126 | "users not owning them."), | | 126 | "users not owning them."), |
127 | NULL, 0, &secmodel_bsd44_curtain, 0, | | 127 | NULL, 0, &secmodel_suser_curtain, 0, |
128 | CTL_CREATE, CTL_EOL); | | 128 | CTL_CREATE, CTL_EOL); |
129 | | | 129 | |
130 | /* Compatibility: vfs.generic.usermount */ | | 130 | /* Compatibility: vfs.generic.usermount */ |
131 | sysctl_createv(clog, 0, NULL, NULL, | | 131 | sysctl_createv(clog, 0, NULL, NULL, |
132 | CTLFLAG_PERMANENT, | | 132 | CTLFLAG_PERMANENT, |
133 | CTLTYPE_NODE, "vfs", NULL, | | 133 | CTLTYPE_NODE, "vfs", NULL, |
134 | NULL, 0, NULL, 0, | | 134 | NULL, 0, NULL, 0, |
135 | CTL_VFS, CTL_EOL); | | 135 | CTL_VFS, CTL_EOL); |
136 | | | 136 | |
137 | sysctl_createv(clog, 0, NULL, NULL, | | 137 | sysctl_createv(clog, 0, NULL, NULL, |
138 | CTLFLAG_PERMANENT, | | 138 | CTLFLAG_PERMANENT, |
139 | CTLTYPE_NODE, "generic", | | 139 | CTLTYPE_NODE, "generic", |
140 | SYSCTL_DESCR("Non-specific vfs related information"), | | 140 | SYSCTL_DESCR("Non-specific vfs related information"), |
| @@ -143,27 +143,27 @@ sysctl_security_suser_setup(struct sysct | | | @@ -143,27 +143,27 @@ sysctl_security_suser_setup(struct sysct |
143 | | | 143 | |
144 | sysctl_createv(clog, 0, NULL, NULL, | | 144 | sysctl_createv(clog, 0, NULL, NULL, |
145 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, | | 145 | CTLFLAG_PERMANENT|CTLFLAG_READWRITE, |
146 | CTLTYPE_INT, "usermount", | | 146 | CTLTYPE_INT, "usermount", |
147 | SYSCTL_DESCR("Whether unprivileged users may mount " | | 147 | SYSCTL_DESCR("Whether unprivileged users may mount " |
148 | "filesystems"), | | 148 | "filesystems"), |
149 | NULL, 0, &dovfsusermount, 0, | | 149 | NULL, 0, &dovfsusermount, 0, |
150 | CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL); | | 150 | CTL_VFS, VFS_GENERIC, VFS_USERMOUNT, CTL_EOL); |
151 | } | | 151 | } |
152 | | | 152 | |
153 | void | | 153 | void |
154 | secmodel_suser_init(void) | | 154 | secmodel_suser_init(void) |
155 | { | | 155 | { |
156 | secmodel_bsd44_curtain = 0; | | 156 | secmodel_suser_curtain = 0; |
157 | dovfsusermount = 0; | | 157 | dovfsusermount = 0; |
158 | } | | 158 | } |
159 | | | 159 | |
160 | void | | 160 | void |
161 | secmodel_suser_start(void) | | 161 | secmodel_suser_start(void) |
162 | { | | 162 | { |
163 | l_generic = kauth_listen_scope(KAUTH_SCOPE_GENERIC, | | 163 | l_generic = kauth_listen_scope(KAUTH_SCOPE_GENERIC, |
164 | secmodel_suser_generic_cb, NULL); | | 164 | secmodel_suser_generic_cb, NULL); |
165 | l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, | | 165 | l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM, |
166 | secmodel_suser_system_cb, NULL); | | 166 | secmodel_suser_system_cb, NULL); |
167 | l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, | | 167 | l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS, |
168 | secmodel_suser_process_cb, NULL); | | 168 | secmodel_suser_process_cb, NULL); |
169 | l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, | | 169 | l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK, |
| @@ -231,27 +231,27 @@ secmodel_suser_generic_cb(kauth_cred_t c | | | @@ -231,27 +231,27 @@ secmodel_suser_generic_cb(kauth_cred_t c |
231 | bool isroot; | | 231 | bool isroot; |
232 | int result; | | 232 | int result; |
233 | | | 233 | |
234 | isroot = (kauth_cred_geteuid(cred) == 0); | | 234 | isroot = (kauth_cred_geteuid(cred) == 0); |
235 | result = KAUTH_RESULT_DEFER; | | 235 | result = KAUTH_RESULT_DEFER; |
236 | | | 236 | |
237 | switch (action) { | | 237 | switch (action) { |
238 | case KAUTH_GENERIC_ISSUSER: | | 238 | case KAUTH_GENERIC_ISSUSER: |
239 | if (isroot) | | 239 | if (isroot) |
240 | result = KAUTH_RESULT_ALLOW; | | 240 | result = KAUTH_RESULT_ALLOW; |
241 | break; | | 241 | break; |
242 | | | 242 | |
243 | case KAUTH_GENERIC_CANSEE: | | 243 | case KAUTH_GENERIC_CANSEE: |
244 | if (!secmodel_bsd44_curtain) | | 244 | if (!secmodel_suser_curtain) |
245 | result = KAUTH_RESULT_ALLOW; | | 245 | result = KAUTH_RESULT_ALLOW; |
246 | else if (isroot || kauth_cred_uidmatch(cred, arg0)) | | 246 | else if (isroot || kauth_cred_uidmatch(cred, arg0)) |
247 | result = KAUTH_RESULT_ALLOW; | | 247 | result = KAUTH_RESULT_ALLOW; |
248 | | | 248 | |
249 | break; | | 249 | break; |
250 | | | 250 | |
251 | default: | | 251 | default: |
252 | break; | | 252 | break; |
253 | } | | 253 | } |
254 | | | 254 | |
255 | return (result); | | 255 | return (result); |
256 | } | | 256 | } |
257 | | | 257 | |
| @@ -515,27 +515,27 @@ secmodel_suser_process_cb(kauth_cred_t c | | | @@ -515,27 +515,27 @@ secmodel_suser_process_cb(kauth_cred_t c |
515 | result = KAUTH_RESULT_ALLOW; | | 515 | result = KAUTH_RESULT_ALLOW; |
516 | | | 516 | |
517 | break; | | 517 | break; |
518 | | | 518 | |
519 | case KAUTH_PROCESS_CANSEE: { | | 519 | case KAUTH_PROCESS_CANSEE: { |
520 | unsigned long req; | | 520 | unsigned long req; |
521 | | | 521 | |
522 | req = (unsigned long)arg1; | | 522 | req = (unsigned long)arg1; |
523 | | | 523 | |
524 | switch (req) { | | 524 | switch (req) { |
525 | case KAUTH_REQ_PROCESS_CANSEE_ARGS: | | 525 | case KAUTH_REQ_PROCESS_CANSEE_ARGS: |
526 | case KAUTH_REQ_PROCESS_CANSEE_ENTRY: | | 526 | case KAUTH_REQ_PROCESS_CANSEE_ENTRY: |
527 | case KAUTH_REQ_PROCESS_CANSEE_OPENFILES: | | 527 | case KAUTH_REQ_PROCESS_CANSEE_OPENFILES: |
528 | if (!secmodel_bsd44_curtain) | | 528 | if (!secmodel_suser_curtain) |
529 | result = KAUTH_RESULT_ALLOW; | | 529 | result = KAUTH_RESULT_ALLOW; |
530 | else if (isroot || kauth_cred_uidmatch(cred, p->p_cred)) | | 530 | else if (isroot || kauth_cred_uidmatch(cred, p->p_cred)) |
531 | result = KAUTH_RESULT_ALLOW; | | 531 | result = KAUTH_RESULT_ALLOW; |
532 | break; | | 532 | break; |
533 | | | 533 | |
534 | case KAUTH_REQ_PROCESS_CANSEE_ENV: | | 534 | case KAUTH_REQ_PROCESS_CANSEE_ENV: |
535 | if (!isroot && | | 535 | if (!isroot && |
536 | (kauth_cred_getuid(cred) != | | 536 | (kauth_cred_getuid(cred) != |
537 | kauth_cred_getuid(p->p_cred) || | | 537 | kauth_cred_getuid(p->p_cred) || |
538 | kauth_cred_getuid(cred) != | | 538 | kauth_cred_getuid(cred) != |
539 | kauth_cred_getsvuid(p->p_cred))) | | 539 | kauth_cred_getsvuid(p->p_cred))) |
540 | break; | | 540 | break; |
541 | else | | 541 | else |
| @@ -806,27 +806,27 @@ secmodel_suser_network_cb(kauth_cred_t c | | | @@ -806,27 +806,27 @@ secmodel_suser_network_cb(kauth_cred_t c |
806 | case KAUTH_REQ_NETWORK_SOCKET_OPEN: | | 806 | case KAUTH_REQ_NETWORK_SOCKET_OPEN: |
807 | case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK: | | 807 | case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK: |
808 | case KAUTH_REQ_NETWORK_SOCKET_SETPRIV: | | 808 | case KAUTH_REQ_NETWORK_SOCKET_SETPRIV: |
809 | if (isroot) | | 809 | if (isroot) |
810 | result = KAUTH_RESULT_ALLOW; | | 810 | result = KAUTH_RESULT_ALLOW; |
811 | break; | | 811 | break; |
812 | | | 812 | |
813 | case KAUTH_REQ_NETWORK_SOCKET_CANSEE: | | 813 | case KAUTH_REQ_NETWORK_SOCKET_CANSEE: |
814 | if (isroot) { | | 814 | if (isroot) { |
815 | result = KAUTH_RESULT_ALLOW; | | 815 | result = KAUTH_RESULT_ALLOW; |
816 | break; | | 816 | break; |
817 | } | | 817 | } |
818 | | | 818 | |
819 | if (secmodel_bsd44_curtain) { | | 819 | if (secmodel_suser_curtain) { |
820 | struct socket *so; | | 820 | struct socket *so; |
821 | uid_t so_uid; | | 821 | uid_t so_uid; |
822 | | | 822 | |
823 | so = (struct socket *)arg1; | | 823 | so = (struct socket *)arg1; |
824 | so_uid = so->so_uidinfo->ui_uid; | | 824 | so_uid = so->so_uidinfo->ui_uid; |
825 | if (kauth_cred_geteuid(cred) != so_uid) | | 825 | if (kauth_cred_geteuid(cred) != so_uid) |
826 | result = KAUTH_RESULT_DENY; | | 826 | result = KAUTH_RESULT_DENY; |
827 | } | | 827 | } |
828 | | | 828 | |
829 | break; | | 829 | break; |
830 | | | 830 | |
831 | default: | | 831 | default: |
832 | break; | | 832 | break; |