git: 14b7706264f6 - main - mac_pimd: Support for privilege drop in pimd

From: Wojciech Macek <wma_at_FreeBSD.org>
Date: Wed, 20 Apr 2022 06:08:37 UTC
The branch main has been updated by wma:

URL: https://cgit.FreeBSD.org/src/commit/?id=14b7706264f6695a7403360711a610fb50e62909

commit 14b7706264f6695a7403360711a610fb50e62909
Author:     Wojciech Macek <wma@FreeBSD.org>
AuthorDate: 2022-04-19 07:53:19 +0000
Commit:     Wojciech Macek <wma@FreeBSD.org>
CommitDate: 2022-04-20 06:07:37 +0000

    mac_pimd: Support for privilege drop in pimd
    
    Create new kernel module for privilege check in case
    the user wants to run pimd daemon.
    
    Sponsored by:           Stormshield
    Obtained from:          Semihalf
---
 sys/modules/Makefile             |  1 +
 sys/modules/mac_pimd/Makefile    |  8 +++++
 sys/security/mac_pimd/mac_pimd.c | 75 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)

diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index 944a76163748..857c97fa0bf3 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -223,6 +223,7 @@ SUBDIR=	\
 	mac_none \
 	mac_ntpd \
 	mac_partition \
+	mac_pimd \
 	mac_portacl \
 	mac_priority \
 	mac_seeotheruids \
diff --git a/sys/modules/mac_pimd/Makefile b/sys/modules/mac_pimd/Makefile
new file mode 100644
index 000000000000..3e69a4a69abc
--- /dev/null
+++ b/sys/modules/mac_pimd/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+.PATH: ${SRCTOP}/sys/security/mac_pimd
+
+KMOD=	mac_pimd
+SRCS=	mac_pimd.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_pimd/mac_pimd.c b/sys/security/mac_pimd/mac_pimd.c
new file mode 100644
index 000000000000..4b14906ec261
--- /dev/null
+++ b/sys/security/mac_pimd/mac_pimd.c
@@ -0,0 +1,75 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2022 Semihalf, Stormshield
+ * Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, pimd,
+    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+    "mac_pimd policy controls");
+
+static int pimd_enabled = 0;
+SYSCTL_INT(_security_mac_pimd, OID_AUTO, enabled, CTLFLAG_RWTUN,
+    &pimd_enabled, 0, "Enable mac_pimd policy");
+
+static int pimd_uid = 0;
+SYSCTL_INT(_security_mac_pimd, OID_AUTO, uid, CTLFLAG_RWTUN,
+    &pimd_uid, 0, "User id for pimd user");
+
+static int
+pimd_priv_grant(struct ucred *cred, int priv)
+{
+
+	if (pimd_enabled && cred->cr_uid == pimd_uid) {
+		switch (priv) {
+		case PRIV_NETINET_MROUTE:
+			return (0);
+		default:
+			break;
+		}
+	}
+	return (EPERM);
+}
+
+static struct mac_policy_ops pimd_ops =
+{
+	.mpo_priv_grant = pimd_priv_grant,
+};
+
+MAC_POLICY_SET(&pimd_ops, mac_pimd, "MAC/pimd",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);