From: Wojciech Macek
Date: Wed, 20 Apr 2022 06:08:37 GMT
Subject: git: 14b7706264f6 - main - mac_pimd: Support for privilege drop in pimd
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Message-Id: <202204200608.23K68brx037803@gitrepo.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: wma
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 14b7706264f6695a7403360711a610fb50e62909

The branch main has been updated by wma:

URL: https://cgit.FreeBSD.org/src/commit/?id=14b7706264f6695a7403360711a610fb50e62909

commit
14b7706264f6695a7403360711a610fb50e62909 Author: Wojciech Macek AuthorDate: 2022-04-19 07:53:19 +0000 Commit: Wojciech Macek CommitDate: 2022-04-20 06:07:37 +0000 mac_pimd: Support for privilege drop in pimd Create new kernel module for privilege check in case the user wants to run pimd daemon. Sponsored by: Stormshield Obtained from: Semihalf --- sys/modules/Makefile | 1 + sys/modules/mac_pimd/Makefile | 8 +++++ sys/security/mac_pimd/mac_pimd.c | 75 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+) diff --git a/sys/modules/Makefile b/sys/modules/Makefile index 944a76163748..857c97fa0bf3 100644 --- a/sys/modules/Makefile +++ b/sys/modules/Makefile @@ -223,6 +223,7 @@ SUBDIR= \ mac_none \ mac_ntpd \ mac_partition \ + mac_pimd \ mac_portacl \ mac_priority \ mac_seeotheruids \ diff --git a/sys/modules/mac_pimd/Makefile b/sys/modules/mac_pimd/Makefile new file mode 100644 index 000000000000..3e69a4a69abc --- /dev/null +++ b/sys/modules/mac_pimd/Makefile @@ -0,0 +1,8 @@ +# $FreeBSD$ + +.PATH: ${SRCTOP}/sys/security/mac_pimd + +KMOD= mac_pimd +SRCS= mac_pimd.c + +.include diff --git a/sys/security/mac_pimd/mac_pimd.c b/sys/security/mac_pimd/mac_pimd.c new file mode 100644 index 000000000000..4b14906ec261 --- /dev/null +++ b/sys/security/mac_pimd/mac_pimd.c 
@@ -0,0 +1,75 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2022 Semihalf, Stormshield + * Copyright (c) 2018 Ian Lepore + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include +#include +#include +#include + +#include + +SYSCTL_DECL(_security_mac); + +static SYSCTL_NODE(_security_mac, OID_AUTO, pimd, + CTLFLAG_RW | CTLFLAG_MPSAFE, 0, + "mac_pimd policy controls"); + +static int pimd_enabled = 0; +SYSCTL_INT(_security_mac_pimd, OID_AUTO, enabled, CTLFLAG_RWTUN, + &pimd_enabled, 0, "Enable mac_pimd policy"); + +static int pimd_uid = 0; +SYSCTL_INT(_security_mac_pimd, OID_AUTO, uid, CTLFLAG_RWTUN, + &pimd_uid, 0, "User id for pimd user"); + +static int +pimd_priv_grant(struct ucred *cred, int priv) +{ + + if (pimd_enabled && cred->cr_uid == pimd_uid) { + switch (priv) { + case PRIV_NETINET_MROUTE: + return (0); + default: + break; + } + } + return (EPERM); +} + +static struct mac_policy_ops pimd_ops = +{ + .mpo_priv_grant = pimd_priv_grant, +}; + +MAC_POLICY_SET(&pimd_ops, mac_pimd, "MAC/pimd", + MPC_LOADTIME_FLAG_UNLOADOK, NULL);
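Review bot: in `pimd_priv_grant` the grant is keyed on `cred->cr_uid == pimd_uid` alone, so every process running as that uid receives `PRIV_NETINET_MROUTE`, not only pimd, and because `pimd_uid` defaults to 0 an administrator who sets `security.mac.pimd.enabled=1` without also setting `security.mac.pimd.uid` ends up with a policy that grants the privilege only to root, which already holds it, so pimd still cannot drop privileges. Consider a non-root default for `pimd_uid` (or refusing the grant while it is 0) and stating that the uid must be dedicated to pimd. The diffstat lists only the three kernel files, so the two sysctls (both `CTLFLAG_RWTUN`, hence settable from `loader.conf` or `sysctl.conf`) and the expected setup are undocumented; a `mac_pimd(4)` manual page would close that gap. Minor: `pimd_uid` is a signed `int` compared against the unsigned `cr_uid`; declaring it `u_int` with `SYSCTL_UINT` avoids the sign conversion, and the single-case `switch` could be a plain `if (priv == PRIV_NETINET_MROUTE)` unless more privileges are expected to follow.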