PERFORCE change 21079 for review
Brian Feldman
green at freebsd.org
Fri Nov 15 18:43:29 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=21079
Change 21079 by green at green_laptop_2 on 2002/11/15 10:43:26
Add three new checks for kernel modules:
mac_check_kldload(cred, vnode)
mac_check_kldunload(cred)
mac_check_kldobserve(cred)
There's a lot of extra information that could be given to policies
but it's decidedly all unimportant.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#361 edit
.. //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#186 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#40 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#108 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#84 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#217 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#171 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#15 (text+ko) ====
@@ -27,6 +27,7 @@
*/
#include "opt_ddb.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kernel.h>
@@ -38,6 +39,7 @@
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sx.h>
+#include <sys/mac.h>
#include <sys/module.h>
#include <sys/linker.h>
#include <sys/fcntl.h>
@@ -474,6 +476,11 @@
/* Refuse to unload modules if securelevel raised. */
if (securelevel > 0)
return (EPERM);
+#ifdef MAC
+ error = mac_check_system_kldunload(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
if (file->refs == 1) {
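Review bot: The new `mac_check_system_kldunload(curthread->td_ucred)` call sits inside `linker_file_unload` itself (the function name comes from the KLD_DPF message), not in the system call that requests the unload. If this function is also reached from kernel-internal paths, such as cleanup after a failed load (not visible in this hunk), a policy denial would abort that cleanup. The credential checked there would be whatever thread happens to be running. Consider moving the check into the kldunload syscall handler, or add a comment such as `/* MAC: also applies to in-kernel unloads, see callers */` if the placement is intentional. The function body starts and ends outside the hunk.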
@@ -824,6 +831,12 @@
linker_file_t lf;
int error = 0;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
td->td_retval[0] = -1;
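Review bot: This handler already has a `td` argument (it writes `td->td_retval[0]` just below), so the check should read `error = mac_check_system_kldobserve(td->td_ucred);` rather than going through `curthread`. The same block is pasted into the next four handlers and the sysctl handler at the end of this file. Where those also receive `td`, the same change applies. A one-line comment such as `/* MAC: gate every read-only view of the loaded-module list */` would explain why one check covers lookups by name, id, stat and symbol. The function body starts and ends outside the hunk.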
@@ -854,6 +867,12 @@
linker_file_t lf;
int error = 0;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
if (SCARG(uap, fileid) == 0) {
@@ -889,6 +908,12 @@
int namelen, version;
struct kld_file_stat *stat;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
lf = linker_find_file_by_id(SCARG(uap, fileid));
@@ -938,6 +963,12 @@
module_t mp;
int error = 0;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
lf = linker_find_file_by_id(SCARG(uap, fileid));
if (lf) {
@@ -967,6 +998,12 @@
struct kld_sym_lookup lookup;
int error = 0;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0)
@@ -1800,6 +1837,11 @@
linker_file_t lf;
int error;
+#ifdef MAC
+ error = mac_check_system_kldobserve(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
sysctl_wire_old_buffer(req, 0);
mtx_lock(&kld_mtx);
TAILQ_FOREACH(lf, &linker_files, link) {
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#361 (text+ko) ====
@@ -2592,6 +2592,50 @@
}
int
+mac_check_system_kldload(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_kldload, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_kldobserve(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_kldobserve, cred);
+
+ return (error);
+}
+
+int
+mac_check_system_kldunload(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_kldunload, cred);
+
+ return (error);
+}
+
+int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
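Review bot: The assertion string in `mac_check_system_kldload` was copied from another check and names the wrong function. A lock-assertion failure would point at `mac_check_system_acct`, so it should read `ASSERT_VOP_LOCKED(vp, "mac_check_system_kldload");`. The three new entry points also have no comment. `mac_check_system_kldload` accepts a NULL `vp` and then hands policies a NULL label, and that contract deserves a line such as `/* vp may be NULL; policies then receive a NULL label and must not dereference it */`.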
==== //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#13 (text+ko) ====
@@ -27,11 +27,13 @@
*/
#include "opt_ddb.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/proc.h>
@@ -556,6 +558,13 @@
if (error)
return error;
NDFREE(&nd, NDF_ONLY_PNBUF);
+#ifdef MAC
+ error = mac_check_system_kldload(curthread->td_ucred, nd.ni_vp);
+ if (error) {
+ firstpage = NULL;
+ goto out;
+ }
+#endif
/*
* Read the elf header from the file.
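Review bot: The only call to `mac_check_system_kldload` in this change sits in the ELF loader's file-open path, and the affected-files list shows no other loader being touched. If the kernel has other linker classes or load paths that do not go through this function (not visible here), modules loaded that way would skip the policy check. Either hoist the check into the generic linker code, or state in a comment here that each linker class is responsible for calling it. The error path itself looks consistent with the surrounding code (`firstpage = NULL; goto out;`), though the `out` label is outside the hunk.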
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#186 (text+ko) ====
@@ -1861,6 +1861,45 @@
}
static int
+mac_biba_check_system_kldload(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ obj = SLOT(label);
+ if (!mac_biba_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+
+static int
+mac_biba_check_system_kldunload(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ return (mac_biba_subject_privileged(subj));
+}
+
+
+static int
mac_biba_check_system_settime(struct ucred *cred)
{
struct mac_biba *subj;
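Review bot: `obj = SLOT(label);` in `mac_biba_check_system_kldload` has no guard for a NULL `label`, although `mac_check_system_kldload` in kern_mac.c passes `vp != NULL ? &vp->v_label : NULL`. `SLOT` presumably dereferences its argument, so the policy needs an explicit `if (label == NULL)` branch with the verdict Biba intends for a load that has no vnode. `mac_lomac_check_system_kldload` has the same unguarded `SLOT(label)`. Separately, `mac_biba_check_system_kldunload` is declared with `(cred, vp, label)`, but the `mpo_check_system_kldunload` slot added to mac_policy.h takes only `struct ucred *cred`. The definition should be `mac_biba_check_system_kldunload(struct ucred *cred)` so the initializer's types match.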
@@ -2630,6 +2669,8 @@
.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
.mpo_check_socket_visible = mac_biba_check_socket_visible,
.mpo_check_system_acct = mac_biba_check_system_acct,
+ .mpo_check_system_kldload = mac_biba_check_system_kldload,
+ .mpo_check_system_kldunload = mac_biba_check_system_kldunload,
.mpo_check_system_settime = mac_biba_check_system_settime,
.mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#40 (text+ko) ====
@@ -1998,6 +1998,44 @@
}
static int
+mac_lomac_check_system_kldload(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_system_kldunload(struct ucred *cred)
+{
+ struct mac_lomac *subj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ return (0);
+}
+
+
+static int
mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
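Review bot: `if (mac_lomac_subject_privileged(subj)) return (EPERM);` reads as if privileged subjects are the ones being refused, in both `mac_lomac_check_system_kldload` and `mac_lomac_check_system_kldunload`. The Biba counterpart in this same change treats its helper's nonzero return as an error code and propagates it. If the LOMAC helper follows that convention (its definition is not visible here), write it the same way with a local `int error;`: `error = mac_lomac_subject_privileged(subj); if (error) return (error);`. Otherwise add a comment stating that nonzero means "not privileged".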
@@ -2668,6 +2706,8 @@
.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
.mpo_check_socket_visible = mac_lomac_check_socket_visible,
+ .mpo_check_system_kldload = mac_lomac_check_system_kldload,
+ .mpo_check_system_kldunload = mac_lomac_check_system_kldunload,
.mpo_check_system_swapon = mac_lomac_check_system_swapon,
.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
.mpo_check_vnode_access = mac_lomac_check_vnode_open,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#108 (text+ko) ====
@@ -652,6 +652,28 @@
}
static int
+mac_none_check_system_kldload(struct ucred *cred, struct vnode *vp,
+ struct label *vlabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_system_kldobserve(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_system_kldunload(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_system_reboot(struct ucred *cred, int how)
{
@@ -1034,6 +1056,9 @@
.mpo_check_socket_relabel = mac_none_check_socket_relabel,
.mpo_check_socket_visible = mac_none_check_socket_visible,
.mpo_check_system_acct = mac_none_check_system_acct,
+ .mpo_check_system_kldload = mac_none_check_system_kldload,
+ .mpo_check_system_kldobserve = mac_none_check_system_kldobserve,
+ .mpo_check_system_kldunload = mac_none_check_system_kldunload,
.mpo_check_system_reboot = mac_none_check_system_reboot,
.mpo_check_system_settime = mac_none_check_system_settime,
.mpo_check_system_swapon = mac_none_check_system_swapon,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#84 (text+ko) ====
@@ -1048,6 +1048,28 @@
}
static int
+mac_test_check_system_kldload(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_system_kldobserve(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_system_kldunload(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
@@ -1431,6 +1453,9 @@
.mpo_check_socket_relabel = mac_test_check_socket_relabel,
.mpo_check_socket_visible = mac_test_check_socket_visible,
.mpo_check_system_acct = mac_test_check_system_acct,
+ .mpo_check_system_kldload = mac_test_check_system_kldload,
+ .mpo_check_system_kldobserve = mac_test_check_system_kldobserve,
+ .mpo_check_system_kldunload = mac_test_check_system_kldunload,
.mpo_check_system_reboot = mac_test_check_system_reboot,
.mpo_check_system_settime = mac_test_check_system_settime,
.mpo_check_system_swapon = mac_test_check_system_swapon,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#217 (text+ko) ====
@@ -260,6 +260,9 @@
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
+int mac_check_system_kldload(struct ucred *cred, struct vnode *vp);
+int mac_check_system_kldobserve(struct ucred *cred);
+int mac_check_system_kldunload(struct ucred *cred);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
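Review bot: The declared names carry a `_system_` component (`mac_check_system_kldload`, `mac_check_system_kldobserve`, `mac_check_system_kldunload`), while the change description lists them as `mac_check_kldload` and so on, so a search for the names in the description will not find these prototypes. A short comment above the three declarations would help, for example `/* kld checks: load takes the module's locked vnode (may be NULL); observe and unload are credential-only */`.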
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#171 (text+ko) ====
@@ -317,6 +317,10 @@
struct socket *so, struct label *socketlabel);
int (*mpo_check_system_acct)(struct ucred *cred,
struct vnode *vp, struct label *vlabel);
+ int (*mpo_check_system_kldload)(struct ucred *cred,
+ struct vnode *vp, struct label *vlabel);
+ int (*mpo_check_system_kldobserve)(struct ucred *cred);
+ int (*mpo_check_system_kldunload)(struct ucred *cred);
int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_settime)(struct ucred *cred);