From nobody Mon Jul 18 22:06:57 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Lmwzj6KFTz1GpcM; Mon, 18 Jul 2022 22:06:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Lmwzj42Rrz3yVM; Mon, 18 Jul 2022 22:06:57 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1658182017; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=733DVMAigX/V9fjXuk9Oktd8lmAA0A19vfsLm2IR68U=; b=GZJnhZWQ0KhPRwiSJ6db0ooToZ2hlwPiqIFsNuZFze/RC1QWlvzgM50wuFpLHDZfYkjFj/ oi5RKbYJ9l8/eVtowWhWkGzZt8hwuHF9KretzOQpD1thE48VWwLg4aBwlTzljwcJX9Q6Xk OtblMWVoD87OJT/d+Je3NfkIYegcAbNJRCsKXhRKthlIksl6UgvSCfBqymvuyVVfUzLssV QrVXxv0+nPbUKy8JUvOku51rURM1pxj2KOKtMluFNg9wpJCdlidmwN2LNGnF6PtdfFlAPw sUiXNKAynyQDtv8F3XXm46M+L0jeDNVjL4eoIe127atzo2mf4rog47EHVacHSQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Lmwzj2gxwzvy4; Mon, 18 Jul 2022 22:06:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 26IM6vWE048238; Mon, 18 Jul 2022 22:06:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 26IM6vMQ048237; Mon, 18 Jul 2022 22:06:57 GMT (envelope-from git) Date: Mon, 18 Jul 2022 22:06:57 GMT Message-Id: <202207182206.26IM6vMQ048237@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Allan Jude Subject: git: 4e2121c10afc - main - mac_ddb: add some validation functions List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: allanjude X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 4e2121c10afc3d9273368eae776fe31d0c68ba6a Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1658182017; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=733DVMAigX/V9fjXuk9Oktd8lmAA0A19vfsLm2IR68U=; b=DMDDkw8LyG9bxOHEYa5NxtE7s3zrHIJoP0L//FPgwUc3Dn2rQZs0l6uApEwvqRGxrg9iK0 onxImqkXqK00Kmy6cwD/JQYishOCm//JoxNizHTIeAqY7kr+Na2tr81dhpwjm7jwZeOthg mpQ4bRlC+2ZcBcyxW7KYsaPpMOgzqP3GNtgCdx1JIMMzmFrikdgb80TQrbqprS4a/Ejug4 dEiIqiWQ+eEIwkmUJDxpnjdJ951Wie88Y4qF2P0K1zFnsv2IMJLQFfyQhBah/UN8fzE+6o szrB/UWVSyDUD2thkv3/RkrG9MMDTTggOzXzBvc6v4WDnJe4QTs4VGe2aoSToQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1658182017; a=rsa-sha256; cv=none; b=uVbOt5UTw/C48yBxcKUpEdznHR1kxOgsOL65/szXNwbn/lc0J6388VbWclyOgvStk0zXlS jZcCk931nphhzseyIUrEWzIFujBfWAinXaL6HBTzr+0uiaGMDhZnimjKh5EU3SMECGwG34 Dyzs/lSOz5v8ls1m7Zu1ivDtRD2BfdYveuo1XZelOsnuSRWC2dgEckbL+dy4LzXlnSpcWj cAqOb9mLM387eRLyXwrBvKefzFzuE2EgcRQAdLs4Agix7yOPPrw3pLlxRQOX4h/wOEG1hh iSRw+gujD3pLw+BgZRft45YunUxRok2E1vvIGdIkpj8fyWlQFoTNpA/imGP0Sw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by allanjude: URL: https://cgit.FreeBSD.org/src/commit/?id=4e2121c10afc3d9273368eae776fe31d0c68ba6a commit 4e2121c10afc3d9273368eae776fe31d0c68ba6a Author: Mitchell Horne AuthorDate: 2022-07-18 21:25:00 +0000 Commit: Allan Jude CommitDate: 2022-07-18 22:06:22 +0000 mac_ddb: add some validation functions These global objects are easy to validate, so provide the helper functions to do so and include these commands in the allow lists. Reviewed by: markj Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D35372 --- sys/security/mac_ddb/mac_ddb.c | 101 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/sys/security/mac_ddb/mac_ddb.c b/sys/security/mac_ddb/mac_ddb.c index 8f07a664b7eb..89cba3145945 100644 --- a/sys/security/mac_ddb/mac_ddb.c +++ b/sys/security/mac_ddb/mac_ddb.c @@ -29,11 +29,17 @@ */ #include +#include #include #include +#include #include +#include +#include #include +#include + #include #include @@ -67,6 +73,11 @@ typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count, char *modif); static db_validation_fn_t db_thread_valid; +static db_validation_fn_t db_show_ffs_valid; +static db_validation_fn_t db_show_prison_valid; +static db_validation_fn_t db_show_proc_valid; +static db_validation_fn_t db_show_rman_valid; +static db_validation_fn_t db_show_vnet_valid; struct cmd_list_item { const char *name; @@ -80,7 +91,12 @@ static const struct cmd_list_item command_list[] = { /* List of ddb(4) 'show' commands which are allowed by this policy. */ static const struct cmd_list_item show_command_list[] = { + { "ffs", db_show_ffs_valid }, + { "prison", db_show_prison_valid }, + { "proc", db_show_proc_valid }, + { "rman", db_show_rman_valid }, { "thread", db_thread_valid }, + { "vnet", db_show_vnet_valid }, }; static int @@ -103,6 +119,91 @@ db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) return (EACCES); } +static int +db_show_ffs_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) +{ + struct mount *mp; + + /* No addr will show all mounts. */ + if (!have_addr) + return (0); + + TAILQ_FOREACH(mp, &mountlist, mnt_list) + if ((void *)mp == (void *)addr) + return (0); + + return (EACCES); +} + +static int +db_show_prison_valid(db_expr_t addr, bool have_addr, db_expr_t count, + char *modif) +{ + struct prison *pr; + int pr_id; + + if (!have_addr || addr == 0) + return (0); + + /* prison can match by pointer address or ID. */ + pr_id = (int)addr; + TAILQ_FOREACH(pr, &allprison, pr_list) + if (pr->pr_id == pr_id || (void *)pr == (void *)addr) + return (0); + + return (EACCES); +} + +static int +db_show_proc_valid(db_expr_t addr, bool have_addr, db_expr_t count, + char *modif) +{ + struct proc *p; + int i; + + /* Default will show the current proc. */ + if (!have_addr) + return (0); + + for (i = 0; i <= pidhash; i++) { + LIST_FOREACH(p, &pidhashtbl[i], p_hash) { + if ((void *)p == (void *)addr) + return (0); + } + } + + return (EACCES); +} + +static int +db_show_rman_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) +{ + struct rman *rm; + + TAILQ_FOREACH(rm, &rman_head, rm_link) { + if ((void *)rm == (void *)rm) + return (0); + } + + return (EACCES); +} + +static int +db_show_vnet_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) +{ + VNET_ITERATOR_DECL(vnet); + + if (!have_addr) + return (0); + + VNET_FOREACH(vnet) { + if ((void *)vnet == (void *)addr) + return (0); + } + + return (EACCES); +} + static int command_match(struct db_command *cmd, struct cmd_list_item item) {