Commit Graph

167 Commits

Author SHA1 Message Date
maxv
2e3cbeb9fe secmodel_extensions_system_cb() is not mount-specific, even though
KAUTH_SYSTEM_MOUNT happens to be the only option handled here.

Put everything into a swith(action). No functional change.
2015-12-12 14:57:52 +00:00
knakahara
a604df282c Add kernel code to support intrctl(8). 2015-08-17 06:16:02 +00:00
maxv
fc666c5147 Do not release secmodels_lock when it is not held.
Sent on tech-kern@, ok lars@
2014-11-04 16:01:58 +00:00
pooka
4f6fb3bf35 Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.

Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
2014-02-25 18:30:08 +00:00
martin
b2066a0272 Make the callback deal with embryonic connections which do not have
credentials yet. Fixes PR kern/47598.
2013-02-28 15:23:24 +00:00
jym
5dbef361fb Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).

Reported by tls@ on tech-security@.

XXX will ask for pull-up for -6.
2013-01-28 00:51:29 +00:00
pooka
e51fe9c308 kill some -Wunused-but-set-variable warnings 2012-11-13 20:10:02 +00:00
cheusov
87e5d7b5fb KNF fix. spaces vs. tab 2012-06-27 10:15:25 +00:00
elad
0c9d8d15c9 Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

    http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
    http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
    http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
2012-03-13 18:40:26 +00:00
cegger
a02b2c29fa fix secmodel implementation of CPU_UCODE.
ok wiz@ for the manpages
ok elad@
2012-01-17 10:47:26 +00:00
cegger
a3f6c06746 Support CPU microcode loading via cpuctl(8).
Implemented and enabled via CPU_UCODE kernel config option
for x86 and Xen Dom0.
Tested on different AMD machines with different
CPU families.

ok wiz@ for the manpages
ok releng@
ok core@ via releng@
2012-01-13 16:05:14 +00:00
jym
8f63b92041 build fix for keylock secmodel(9). 2011-12-08 11:01:59 +00:00
jym
a2b939da56 secmodel_eval(9) may want to access securelevel before it is set
to the right value, so init it first before registering secmodel(9).
2011-12-05 00:13:30 +00:00
jym
bb108ddab3 When user_set_cpu_affinity is non-zero, only allow users to modify
the CPU affinity of the LWPs they own.
2011-12-04 21:04:51 +00:00
jym
926571dfa7 Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.

When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:

    bool isroot;
    error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
        cred, &isroot);
    if (error == 0 && !isroot)
            result = KAUTH_RESULT_DENY;

This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.

Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.

Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.

We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).

The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.

Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.

Documentation is incoming, I am proof-reading my writings.

Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.

See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html

XXX might consider va0 mapping too.

XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
2011-12-04 19:24:58 +00:00
jym
80a390c3fa The secmodel(9)s init, start and stop routines are managed by each
secmodel module(7), so there is no point in calling suser/securelevel
routines from bsd44. This leads to unwanted cross-secmodel dependencies.

Do not call secmodel_bsd44_init() from secmodel_overlay_init(). Doing so
resets all curtain/securelevel values, which is not really needed when
loading an overlay filter.

Remove the secmodel_register/deregister comments, they will be
implemented differently in an upcoming patch.

ok elad@ (via private mail).
2011-11-28 22:28:33 +00:00
jym
35de13d139 Whitespace fixes. 2011-11-28 20:57:51 +00:00
tls
4924aa205a Load entropy at system boot (only works at securelevel < 1); save
at system shutdown.  Disable with random_seed=NO in rc.conf if desired.

Goes to some trouble to never load or save to network filesystems.

Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.
2011-11-23 10:47:48 +00:00
elad
190f3232cd Use the socket credentials, now that we have them, instead of uidinfo. 2009-12-29 04:25:30 +00:00
elad
dadcd7355c Rename KAUTH_GENERIC_CANSEE to KAUTH_GENERIC_UNUSED1 and remove handling for
the former.

(I'll remove it from the header next time a kernel version bump happens.)
2009-12-24 19:02:07 +00:00
stacktic
c461e11537 Fixed security.models.suser.curtain to deny when uid does not match.
OK pooka@
2009-11-18 09:47:18 +00:00
elad
1570e68c40 - Move kauth_init() a little bit higher.
- Add spec_init() to authorize special device actions (and passthru too for
  the time being). Move policy out of secmodel_suser.
2009-11-14 18:36:56 +00:00
cegger
570ca15b16 buildfix: define integer before use. i386 ALL kernel builds again 2009-10-19 08:20:21 +00:00
elad
c8cfab9333 Extract usermount policy to its own routine. 2009-10-07 01:31:41 +00:00
elad
1e17e53958 Compare against initproc, not pid 1, to check if it's init (unify). 2009-10-07 01:06:57 +00:00
elad
2cb56be586 Add a (weak aliased) machdep_init() as a place to do machdep initialization
that can't happen as early as the other init functions as called from
cpu_startup() -- for example, register kauth(9) listeners.

Put unprivileged policy in the x86 code; used by i386, amd64, and xen.
2009-10-06 21:07:05 +00:00
elad
14dd40c754 Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel
and remove subsystem specific listeners; without this change they would
have ended up with a root user that can only do privileged operations.
2009-10-06 20:34:22 +00:00
elad
0bef641c61 Unify: >= 0 -> > -1. 2009-10-06 05:03:58 +00:00
elad
ce7ff2b92d Cosmetic changes to declarations. No functional change. 2009-10-06 05:01:51 +00:00
elad
756638cf95 Factor out a block of code that appears in three places (Veriexec, keylock,
and securelevel) so that others can use it as well.
2009-10-06 04:28:10 +00:00
elad
4c9fcb77c3 - Add usermount_common_policy() that implements some common (everything
but access control) user mounting policies: enforced MNT_NOSUID and
  MNT_NODEV, no MNT_EXPORT, MNT_EXEC propagation. This can be useful for
  secmodels that are interested in simply adding finer grained user mount
  support.

- Add a mount subsystem listener for KAUTH_REQ_SYSTEM_MOUNT_GET.
2009-10-05 04:20:13 +00:00
elad
a39251ecc2 Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.

Replace open-coded form with it in secmodel code (securelevel, keylock).

Note: I need to find a way to make secmodel_keylock.c ~<100 lines.
2009-10-03 20:48:42 +00:00
elad
5b3a96a24d Move KAUTH_NETWORK_BIND::KAUTH_REQ_NETWORK_BIND_PORT policy back to the
subsystem (or close to it).

Note: Revisit KAUTH_REQ_NETWORK_BIND_PRIVPORT.
2009-10-03 03:59:39 +00:00
elad
82ce55ed44 Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to
the subsystem.

Note: Consider killing the signal listener and sticking
      KAUTH_PROCESS_SIGNAL here as well.
2009-10-03 03:38:31 +00:00
elad
e62043d705 One less include. 2009-10-03 03:02:55 +00:00
elad
eab999856c Make this file a little bit smaller by collapsing cases. 2009-10-03 02:06:11 +00:00
elad
0dd621a02d Move clockctl policy exception back to the subsystem. 2009-10-03 02:01:12 +00:00
elad
0a0bbb40a7 secmodel_bsd44_curtain -> secmodel_suser_curtain (static). 2009-10-03 01:52:14 +00:00
elad
cee5cd7dd4 Move default network interface policy back to the subsystem. 2009-10-03 01:46:39 +00:00
elad
111de3833c Finish moving socket policy to the subsystem. 2009-10-03 01:41:39 +00:00
elad
452ced03bd Move sched policy back to the subsystem. 2009-10-03 01:30:25 +00:00
elad
6991fd9ea2 Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.
2009-10-03 00:37:01 +00:00
elad
212f5fa214 Move kevent policy back to the subsystem. 2009-10-03 00:14:07 +00:00
elad
abc7a4290b Put module loading policy back in the subsystem.
Revisit: consider moving kauth_init() above module_init() in main().
2009-10-03 00:06:37 +00:00
elad
1f98cab201 Put the tty opening policy back in the subsystem.
Remove include we don't need from the secmodel code.
2009-10-02 23:58:53 +00:00
elad
510083464f Move some of the socket policy back to the subsystem.
Remove include we don't need in the secmodel code.
2009-10-02 23:50:16 +00:00
elad
8751f894d8 Put signal delivery policy back in the subsystem. 2009-10-02 23:24:15 +00:00
elad
c2ba1b2a75 Remove includes we don't need. 2009-10-02 23:18:12 +00:00
elad
9f0d81cf10 Move routing socket security policy back to the subsystem. 2009-10-02 23:16:21 +00:00
elad
198c6aa6f5 - Squeeze function declarations where possible,
- KAUTH_RESULT_DEFER is the default (set at the beginning of each listener)
  and as such does not need to be set explicitly in the switches.
2009-10-02 23:06:33 +00:00