From nobody Mon Jul 18 22:06:56 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Lmwzh46L7z1GpFq; Mon, 18 Jul 2022 22:06:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Lmwzh2yw2z3yZS; Mon, 18 Jul 2022 22:06:56 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1658182016; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JsLbLIRYgPngEnhhteu78yrSQMPtMC9z9SeUfvvrifc=; b=gI6hK2pFuWvD8O5EOstGy7oEVgtWp5VRONV5vOwSImf3iQV4nsdeS3lgs8JfrbihZz4kxC a4atMwqjS9UE+KYy7/Zt3VqbJdDeIyngmaIYttZAQiiW7ADES/6VSHPkXUvYpmLvXtYXua 8WpfgrohyZwvfrKqQtyr/8p65weM/XnIkEBUB1a1429y0MMEjD9enAmDy+0ImEVX7VgVu6 rbVow2Eg40zdpxVKla5SqqizS74mobJArvJQdUQo/Ezk9xyAuoAUxzfwkcMmaQs98ryUJU YCbHs8mpoVzIO/Qlm9JOeR4H+5tMeM95CTobaYU27KdB5dJ82j/o+dUTnbuTNg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Lmwzh1QJSzvsh; Mon, 18 Jul 2022 22:06:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 26IM6ure048214; Mon, 18 Jul 2022 22:06:56 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 26IM6ubT048213; Mon, 18 Jul 2022 22:06:56 GMT (envelope-from git) Date: Mon, 18 Jul 2022 22:06:56 GMT Message-Id: <202207182206.26IM6ubT048213@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Allan Jude Subject: git: 287d467c5db5 - main - mac: add new mac_ddb(4) policy List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: allanjude X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 287d467c5db5a46f13566a2f9dae80a695335c73 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1658182016; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JsLbLIRYgPngEnhhteu78yrSQMPtMC9z9SeUfvvrifc=; b=Ur5VWj0465/7C0JpkB1cnNNPpTETIcOVY5OEhzMOqINWQ4L5Fi5XTDX+n72DJfvMhiw+3a m52X9lj5cYjE9pitJSF5968qrGSxqj/zHvPGXgNPXUsnvMfXdqyWXGMKpBUwlni3onMQ0p ojZjKh2tsNwIGpN2lymkkXzNPPgtNJCDm1fiOEhuI04islJ0N/hxQ/qX3wfvSPof0U3jdi E/jNq9/TuT1BdpTycD7PCWTBhEs6EP99aOI6eBnjsqfR5juscO4GM7hvkJ1rdb1yH8Rz/8 m2hUZE5SxTbqeYQF4CNd5cORf72Tta6xNiK1JnUrQppJci3Gq7CGPM2+0nnkLw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1658182016; a=rsa-sha256; cv=none; b=IHMjhkK49Dmo+0BsfpfMKIgJcEY0W3yIdMbJRHNpbnB2W7UQV6cGZ6Xpa467BqtXweuTkB aXk203Q4+Osgg9MraFF9JbTzY+d6M71W+ezB9u0lRnTZEFmZSVPr+Xl6KDCET4hP1tPIoW 9uQqYN95OHqmnw1lswoOcpquHBo6YZjZhuVzcTLsNTP/dBc2O4Bbr9aI87mtxxK0iJcYi5 cOYAObsWfsmPrhCdNiXiuMsg27gfaU9lF4gobPWWolZ7h4IfXIvyjIe+IyRrCXFKY47ny7 HY75snXoPkfafSln9kaYK7yChTIBlPEJHjUjjW4IQs8skey2R1s8PLsDxsUv8A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by allanjude: URL: https://cgit.FreeBSD.org/src/commit/?id=287d467c5db5a46f13566a2f9dae80a695335c73 commit 287d467c5db5a46f13566a2f9dae80a695335c73 Author: Mitchell Horne AuthorDate: 2022-07-18 21:24:06 +0000 Commit: Allan Jude CommitDate: 2022-07-18 22:06:15 +0000 mac: add new mac_ddb(4) policy Generally, access to the kernel debugger is considered to be unsafe from a security perspective since it presents an unrestricted interface to inspect or modify the system state, including sensitive data such as signing keys. However, having some access to debugger functionality on production systems may be useful in determining the cause of a panic or hang. Therefore, it is desirable to have an optional policy which allows limited use of ddb(4) while disabling the functionality which could reveal system secrets. This loadable MAC module allows for the use of some ddb(4) commands while preventing the execution of others. The commands have been broadly grouped into three categories: - Those which are 'safe' and will not emit sensitive data (e.g. trace). Generally, these commands are deterministic and don't accept arguments. - Those which are definitively unsafe (e.g. examine , search ) - Commands which may be safe to execute depending on the arguments provided (e.g. show thread ). Safe commands have been flagged as such with the DB_CMD_MEMSAFE flag. Commands requiring extra validation can provide a function to do so. For example, 'show thread ' can be used as long as addr can be checked against the system's list of process structures. The policy also prevents debugger backends other than ddb(4) from executing, for example gdb(4). Reviewed by: markj, pauamma_gundo.com (manpages) Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D35371 --- sbin/ddb/ddb.8 | 1 + share/man/man4/ddb.4 | 1 + share/man/man4/mac.4 | 6 +- share/man/man4/mac_bsdextended.4 | 1 + share/man/man4/mac_ddb.4 | 108 ++++++++++++++++ share/man/man4/mac_lomac.4 | 1 + share/man/man4/mac_mls.4 | 1 + share/man/man4/mac_none.4 | 1 + share/man/man4/mac_partition.4 | 1 + share/man/man4/mac_portacl.4 | 1 + share/man/man4/mac_seeotheruids.4 | 1 + share/man/man4/mac_stub.4 | 1 + share/man/man4/mac_test.4 | 1 + share/man/man9/mac.9 | 1 + sys/conf/NOTES | 1 + sys/conf/files | 1 + sys/conf/options | 1 + sys/ddb/ddb.h | 1 + sys/modules/Makefile | 4 + sys/modules/mac_ddb/Makefile | 6 + sys/security/mac_ddb/mac_ddb.c | 266 ++++++++++++++++++++++++++++++++++++++ 21 files changed, 404 insertions(+), 2 deletions(-) diff --git a/sbin/ddb/ddb.8 b/sbin/ddb/ddb.8 index 0fb9687991e5..54e5aa1b390c 100644 --- a/sbin/ddb/ddb.8 +++ b/sbin/ddb/ddb.8 @@ -150,6 +150,7 @@ and manual pages. .Sh SEE ALSO .Xr ddb 4 , +.Xr mac_ddb 4 , .Xr textdump 4 , .Xr sysctl 8 .Sh HISTORY diff --git a/share/man/man4/ddb.4 b/share/man/man4/ddb.4 index cfc2d37287e1..6dec3924ef79 100644 --- a/share/man/man4/ddb.4 +++ b/share/man/man4/ddb.4 @@ -1602,6 +1602,7 @@ directory. .Xr kgdb 1 , .Xr acpi 4 , .Xr CAM 4 , +.Xr mac_ddb 4 , .Xr mac_test 4 , .Xr netgraph 4 , .Xr textdump 4 , diff --git a/share/man/man4/mac.4 b/share/man/man4/mac.4 index ecc13257960d..98d685143d88 100644 --- a/share/man/man4/mac.4 +++ b/share/man/man4/mac.4 @@ -30,7 +30,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 20, 2021 +.Dd June 29, 2022 .Dt MAC 4 .Os .Sh NAME @@ -51,10 +51,11 @@ security provisions such as file permissions and superuser checks. .Pp Currently, the following MAC policy modules are shipped with .Fx : -.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only" +.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only" .It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" .It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only .It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time +.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time .It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time .It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only .It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only @@ -201,6 +202,7 @@ man page. .Xr mac 3 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_bsdextended.4 b/share/man/man4/mac_bsdextended.4 index f55e113aabb0..a8f9aa2f786f 100644 --- a/share/man/man4/mac_bsdextended.4 +++ b/share/man/man4/mac_bsdextended.4 @@ -117,6 +117,7 @@ Currently does nothing interesting. .Xr syslog 3 , .Xr mac 4 , .Xr mac_biba 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_ddb.4 b/share/man/man4/mac_ddb.4 new file mode 100644 index 000000000000..5127fa78c052 --- /dev/null +++ b/share/man/man4/mac_ddb.4 @@ -0,0 +1,108 @@ +.\" Copyright (c) 2022 Klara Systems +.\" +.\" This software was developed by Mitchell Horne +.\" under sponsorship from Juniper Networks and Klara Systems. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd June 29, 2022 +.Dt MAC_DDB 4 +.Os +.Sh NAME +.Nm mac_ddb +.Nd "Restricted kernel debugger interface policy" +.Sh SYNOPSIS +To compile the ddb policy +into your kernel, place the following lines in your kernel +configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Cd "options MAC_DDB" +.Ed +.Pp +Alternately, to load the ddb module at boot time, place the following line +in your kernel configuration file: +.Bd -ragged -offset indent +.Cd "options MAC" +.Ed +.Pp +and in +.Xr loader.conf 5 : +.Bd -literal -offset indent +mac_ddb_load="YES" +.Ed +.Sh DESCRIPTION +The +.Nm +policy module implements a MAC policy which restricts the set of commands that +can be used at the +.Xr ddb 4 +command prompt. +The subset of permitted commands is limited to those which do not read or write +to arbitrary memory locations. +This is done to deter the possible extraction of system secrets while still +allowing enough debugger functionality to diagnose a kernel panic. +For example, the +.Ic trace +or +.Ic show registers +commands are allowed by this policy, but +.Ic show Cm buffer Ar addr +is not. +.Pp +All debugger commands that are declared with the +.Va DB_CMD_MEMSAFE +flag are allowed by +.Nm . +The policy provides validation functions to conditionally allow some additional +commands, based on the user provided arguments. +.Pp +When loaded, the +.Nm +policy also ensures that only the +.Xr ddb 4 +debugger backend may be executed; +.Xr gdb 4 +may not. +.Ss Label Format +No labels are defined for +.Nm . +.Sh SEE ALSO +.Xr ddb 4 , +.Xr mac 4 , +.Xr mac_biba 4 , +.Xr mac_bsdextended 4 , +.Xr mac_ifoff 4 , +.Xr mac_lomac 4 , +.Xr mac_mls 4 , +.Xr mac_none 4 , +.Xr mac_partition 4 , +.Xr mac_portacl 4 , +.Xr mac_seeotheruids 4 , +.Xr mac_test 4 , +.Xr mac 9 +.Sh BUGS +While the MAC Framework design is intended to support the containment of +the root user, not all attack channels are currently protected by entry +point checks. +As such, MAC Framework policies should not be relied on, in isolation, +to protect against a malicious privileged user. diff --git a/share/man/man4/mac_lomac.4 b/share/man/man4/mac_lomac.4 index 273a585d0ccd..2085655ec40c 100644 --- a/share/man/man4/mac_lomac.4 +++ b/share/man/man4/mac_lomac.4 @@ -194,6 +194,7 @@ man pages. .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_mls 4 , .Xr mac_none 4 , diff --git a/share/man/man4/mac_mls.4 b/share/man/man4/mac_mls.4 index 9f98c465bd37..54502f96ab2c 100644 --- a/share/man/man4/mac_mls.4 +++ b/share/man/man4/mac_mls.4 @@ -210,6 +210,7 @@ allow the superuser to bypass MLS protections. .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_none 4 , diff --git a/share/man/man4/mac_none.4 b/share/man/man4/mac_none.4 index ea5b75b34f53..45b4ae6b91e6 100644 --- a/share/man/man4/mac_none.4 +++ b/share/man/man4/mac_none.4 @@ -71,6 +71,7 @@ No labels are defined for .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_partition.4 b/share/man/man4/mac_partition.4 index e19b1bc49731..ecf65ea8d518 100644 --- a/share/man/man4/mac_partition.4 +++ b/share/man/man4/mac_partition.4 @@ -91,6 +91,7 @@ partition/none .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_portacl.4 b/share/man/man4/mac_portacl.4 index 2ecee26ca2fa..fce539376b15 100644 --- a/share/man/man4/mac_portacl.4 +++ b/share/man/man4/mac_portacl.4 @@ -194,6 +194,7 @@ This tunable will exempt port 0 allocation from rule checking. .Xr ip 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_mls 4 , .Xr mac_none 4 , diff --git a/share/man/man4/mac_seeotheruids.4 b/share/man/man4/mac_seeotheruids.4 index 7cc3e8880915..1b45d55614aa 100644 --- a/share/man/man4/mac_seeotheruids.4 +++ b/share/man/man4/mac_seeotheruids.4 @@ -90,6 +90,7 @@ No labels are defined for .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_stub.4 b/share/man/man4/mac_stub.4 index 77896876470e..66c5b978b2ac 100644 --- a/share/man/man4/mac_stub.4 +++ b/share/man/man4/mac_stub.4 @@ -74,6 +74,7 @@ No labels are defined for .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man4/mac_test.4 b/share/man/man4/mac_test.4 index 6f14792faee7..9039c4b46282 100644 --- a/share/man/man4/mac_test.4 +++ b/share/man/man4/mac_test.4 @@ -76,6 +76,7 @@ No labels are defined for .Xr mac 4 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/share/man/man9/mac.9 b/share/man/man9/mac.9 index 8913321a2d38..91b1aef88c94 100644 --- a/share/man/man9/mac.9 +++ b/share/man/man9/mac.9 @@ -152,6 +152,7 @@ for information on the MAC Framework APIs. .Xr posix1e 3 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , +.Xr mac_ddb 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 178a778b77c7..93da6c78a4b6 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1235,6 +1235,7 @@ options AUDIT options MAC options MAC_BIBA options MAC_BSDEXTENDED +options MAC_DDB options MAC_IFOFF options MAC_LOMAC options MAC_MLS diff --git a/sys/conf/files b/sys/conf/files index 4e1279adc073..b8339ba7fda7 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -5137,6 +5137,7 @@ security/mac/mac_sysv_sem.c optional mac security/mac/mac_sysv_shm.c optional mac security/mac/mac_vfs.c optional mac security/mac_biba/mac_biba.c optional mac_biba +security/mac_ddb/mac_ddb.c optional mac_ddb security/mac_bsdextended/mac_bsdextended.c optional mac_bsdextended security/mac_bsdextended/ugidfw_system.c optional mac_bsdextended security/mac_bsdextended/ugidfw_vnode.c optional mac_bsdextended diff --git a/sys/conf/options b/sys/conf/options index fda513ee484a..e57fe7a0f5bc 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -156,6 +156,7 @@ LIBICONV MAC opt_global.h MAC_BIBA opt_dontuse.h MAC_BSDEXTENDED opt_dontuse.h +MAC_DDB opt_dontuse.h MAC_IFOFF opt_dontuse.h MAC_LOMAC opt_dontuse.h MAC_MLS opt_dontuse.h diff --git a/sys/ddb/ddb.h b/sys/ddb/ddb.h index 4c8a4f165461..2fa4bfeb495c 100644 --- a/sys/ddb/ddb.h +++ b/sys/ddb/ddb.h @@ -99,6 +99,7 @@ LIST_HEAD(db_command_table, db_command); extern struct db_command_table db_cmd_table; extern struct db_command_table db_show_table; extern struct db_command_table db_show_all_table; +extern struct db_command_table db_show_active_table; /* * Type signature for a function implementing a ddb command. diff --git a/sys/modules/Makefile b/sys/modules/Makefile index e494c93b4ba7..d624df4c4e0e 100644 --- a/sys/modules/Makefile +++ b/sys/modules/Makefile @@ -219,6 +219,7 @@ SUBDIR= \ lpt \ ${_mac_biba} \ ${_mac_bsdextended} \ + ${_mac_ddb} \ ${_mac_ifoff} \ ${_mac_lomac} \ ${_mac_mls} \ @@ -546,6 +547,9 @@ _vmware= vmware .if ${KERN_OPTS:MMAC} || defined(ALL_MODULES) _mac_biba= mac_biba _mac_bsdextended= mac_bsdextended +.if ${KERN_OPTS:MDDB} || defined(ALL_MODULES) +_mac_ddb= mac_ddb +.endif _mac_ifoff= mac_ifoff _mac_lomac= mac_lomac _mac_mls= mac_mls diff --git a/sys/modules/mac_ddb/Makefile b/sys/modules/mac_ddb/Makefile new file mode 100644 index 000000000000..2aa542d77e7d --- /dev/null +++ b/sys/modules/mac_ddb/Makefile @@ -0,0 +1,6 @@ +.PATH: ${SRCTOP}/sys/security/mac_ddb + +KMOD= mac_ddb +SRCS= mac_ddb.c + +.include diff --git a/sys/security/mac_ddb/mac_ddb.c b/sys/security/mac_ddb/mac_ddb.c new file mode 100644 index 000000000000..8f07a664b7eb --- /dev/null +++ b/sys/security/mac_ddb/mac_ddb.c @@ -0,0 +1,266 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2021-2022 Klara Systems + * + * This software was developed by Mitchell Horne + * under sponsorship from Juniper Networks and Klara Systems. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include + +#include +#include + +#include + +/* + * This module provides a limited interface to the ddb(4) kernel debugger. The + * intent is to allow execution of useful debugging commands while disallowing + * the execution of commands which may be used to inspect/modify arbitrary + * system memory. + * + * Commands which are deterministic in their output or effect and that have + * been flagged with DB_CMD_MEMSAFE in their definition will be allowed. + * + * Other commands are valid within this context so long as there is some + * constraint placed on their input arguments. This applies to most 'show' + * commands which accept an arbitrary address. If the provided address can be + * validated as a real instance of the object (e.g. the 'show proc' address + * points to a real struct proc in the process list), then the command may be + * executed. This module defines several validation functions which are used to + * conditionally allow or block the execution of some commands. For these + * commands we define and apply the DB_CMD_VALIDATE flag. + * + * Any other commands not flagged with DM_CMD_MEMSAFE or DB_CMD_VALIDATE are + * considered unsafe for execution. + */ + +#define DB_CMD_VALIDATE DB_MAC1 + +typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count, + char *modif); + +static db_validation_fn_t db_thread_valid; + +struct cmd_list_item { + const char *name; + db_validation_fn_t *validate_fn; +}; + +/* List of top-level ddb(4) commands which are allowed by this policy. */ +static const struct cmd_list_item command_list[] = { + { "thread", db_thread_valid }, +}; + +/* List of ddb(4) 'show' commands which are allowed by this policy. */ +static const struct cmd_list_item show_command_list[] = { + { "thread", db_thread_valid }, +}; + +static int +db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) +{ + struct thread *thr; + lwpid_t tid; + + /* Default will show the current proc. */ + if (!have_addr) + return (0); + + /* Validate the provided addr OR tid against the thread list. */ + tid = db_hex2dec(addr); + for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) { + if ((void *)thr == (void *)addr || tid == thr->td_tid) + return (0); + } + + return (EACCES); +} + +static int +command_match(struct db_command *cmd, struct cmd_list_item item) +{ + db_validation_fn_t *vfn; + int n; + + n = strcmp(cmd->name, item.name); + if (n != 0) + return (n); + + /* Got an exact match. Update the command struct */ + vfn = item.validate_fn; + if (vfn != NULL) { + cmd->flag |= DB_CMD_VALIDATE; + cmd->mac_priv = vfn; + } + return (0); +} + +static void +mac_ddb_init(struct mac_policy_conf *conf) +{ + struct db_command *cmd, *prev; + int i, n; + + /* The command lists are sorted lexographically, as are our arrays. */ + + /* Register basic commands. */ + for (i = 0, cmd = prev = NULL; i < nitems(command_list); i++) { + LIST_FOREACH_FROM(cmd, &db_cmd_table, next) { + n = command_match(cmd, command_list[i]); + if (n == 0) { + /* Got an exact match. */ + prev = cmd; + break; + } else if (n > 0) { + /* Desired command is not registered. */ + break; + } + } + + /* Next search begins at the previous match. */ + cmd = prev; + } + + /* Register 'show' commands which require validation. */ + for (i = 0, cmd = prev = NULL; i < nitems(show_command_list); i++) { + LIST_FOREACH_FROM(cmd, &db_show_table, next) { + n = command_match(cmd, show_command_list[i]); + if (n == 0) { + /* Got an exact match. */ + prev = cmd; + break; + } else if (n > 0) { + /* Desired command is not registered. */ + break; + } + } + + /* Next search begins at the previous match. */ + cmd = prev; + } + +#ifdef INVARIANTS + /* Verify the lists are sorted correctly. */ + const char *a, *b; + + for (i = 0; i < nitems(command_list) - 1; i++) { + a = command_list[i].name; + b = command_list[i + 1].name; + if (strcmp(a, b) > 0) + panic("%s: command_list[] not alphabetical: %s,%s", + __func__, a, b); + } + for (i = 0; i < nitems(show_command_list) - 1; i++) { + a = show_command_list[i].name; + b = show_command_list[i + 1].name; + if (strcmp(a, b) > 0) + panic("%s: show_command_list[] not alphabetical: %s,%s", + __func__, a, b); + } +#endif +} + +static int +mac_ddb_command_register(struct db_command_table *table, + struct db_command *cmd) +{ + int i, n; + + if ((cmd->flag & DB_CMD_MEMSAFE) != 0) + return (0); + + /* For other commands, search the allow-lists. */ + if (table == &db_show_table) { + for (i = 0; i < nitems(show_command_list); i++) { + n = command_match(cmd, show_command_list[i]); + if (n == 0) + /* Got an exact match. */ + return (0); + else if (n > 0) + /* Command is not in the policy list. */ + break; + } + } else if (table == &db_cmd_table) { + for (i = 0; i < nitems(command_list); i++) { + n = command_match(cmd, command_list[i]); + if (n == 0) + /* Got an exact match. */ + return (0); + else if (n > 0) + /* Command is not in the policy list. */ + break; + } + } + + /* The command will not be registered. */ + return (EACCES); +} + +static int +mac_ddb_command_exec(struct db_command *cmd, db_expr_t addr, + bool have_addr, db_expr_t count, char *modif) +{ + db_validation_fn_t *vfn = cmd->mac_priv; + + /* Validate the command and args based on policy. */ + if ((cmd->flag & DB_CMD_VALIDATE) != 0) { + MPASS(vfn != NULL); + if (vfn(addr, have_addr, count, modif) == 0) + return (0); + } else if ((cmd->flag & DB_CMD_MEMSAFE) != 0) + return (0); + + return (EACCES); +} + +static int +mac_ddb_check_backend(struct kdb_dbbe *be) +{ + + /* Only allow DDB backend to execute. */ + if (strcmp(be->dbbe_name, "ddb") == 0) + return (0); + + return (EACCES); +} + +/* + * Register functions with MAC Framework policy entry points. + */ +static struct mac_policy_ops mac_ddb_ops = +{ + .mpo_init = mac_ddb_init, + + .mpo_ddb_command_register = mac_ddb_command_register, + .mpo_ddb_command_exec = mac_ddb_command_exec, + + .mpo_kdb_check_backend = mac_ddb_check_backend, +}; +MAC_POLICY_SET(&mac_ddb_ops, mac_ddb, "MAC/DDB", 0, NULL);