1 | /* |
2 | * Copyright (c) 2007 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | /*- |
30 | * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson |
31 | * Copyright (c) 2001 Ilmar S. Habibulin |
32 | * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc. |
33 | * Copyright (c) 2005 SPARTA, Inc. |
34 | * All rights reserved. |
35 | * |
36 | * This software was developed by Robert Watson and Ilmar Habibulin for the |
37 | * TrustedBSD Project. |
38 | * |
39 | * This software was developed for the FreeBSD Project in part by Network |
40 | * Associates Laboratories, the Security Research Division of Network |
41 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), |
42 | * as part of the DARPA CHATS research program. |
43 | * |
44 | * Redistribution and use in source and binary forms, with or without |
45 | * modification, are permitted provided that the following conditions |
46 | * are met: |
47 | * 1. Redistributions of source code must retain the above copyright |
48 | * notice, this list of conditions and the following disclaimer. |
49 | * 2. Redistributions in binary form must reproduce the above copyright |
50 | * notice, this list of conditions and the following disclaimer in the |
51 | * documentation and/or other materials provided with the distribution. |
52 | * |
53 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
54 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
55 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
56 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
57 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
58 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
59 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
60 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
61 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
62 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
63 | * SUCH DAMAGE. |
64 | * |
65 | */ |
66 | |
67 | #ifndef _SECURITY_MAC_INTERNAL_H_ |
68 | #define _SECURITY_MAC_INTERNAL_H_ |
69 | |
70 | #ifndef PRIVATE |
71 | #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" |
72 | #endif |
73 | |
74 | #include <string.h> |
75 | #include <sys/param.h> |
76 | #include <sys/queue.h> |
77 | #include <security/mac.h> |
78 | #include <security/mac_framework.h> |
79 | #include <security/mac_policy.h> |
80 | #include <security/mac_data.h> |
81 | #include <sys/sysctl.h> |
82 | #include <kern/locks.h> |
83 | #include <sys/kernel.h> |
84 | #include <sys/lock.h> |
85 | #include <sys/malloc.h> |
86 | #include <sys/sbuf.h> |
87 | #include <sys/proc.h> |
88 | #include <sys/systm.h> |
89 | #include <sys/socket.h> |
90 | #include <sys/socketvar.h> |
91 | #include <sys/vnode.h> |
92 | #include <mach/sdt.h> |
93 | |
94 | /* |
95 | * MAC Framework sysctl namespace. |
96 | */ |
97 | |
98 | SYSCTL_DECL(_security); |
99 | SYSCTL_DECL(_security_mac); |
100 | |
101 | extern int mac_late; |
102 | |
103 | struct mac_policy_list_element { |
104 | struct mac_policy_conf *mpc; |
105 | }; |
106 | |
107 | struct mac_policy_list { |
108 | u_int numloaded; |
109 | u_int max; |
110 | u_int maxindex; |
111 | u_int staticmax; |
112 | u_int chunks; |
113 | u_int freehint; |
114 | struct mac_policy_list_element *entries; |
115 | }; |
116 | |
117 | typedef struct mac_policy_list mac_policy_list_t; |
118 | |
119 | |
120 | /* |
121 | * Policy that has registered with the framework for a specific |
122 | * label namespace name. |
123 | */ |
124 | struct mac_label_listener { |
125 | mac_policy_handle_t mll_handle; |
126 | SLIST_ENTRY(mac_label_listener) mll_list; |
127 | }; |
128 | |
129 | SLIST_HEAD(mac_label_listeners_t, mac_label_listener); |
130 | |
131 | /* |
132 | * Type of list used to manage label namespace names. |
133 | */ |
134 | struct mac_label_element { |
135 | char mle_name[MAC_MAX_LABEL_ELEMENT_NAME]; |
136 | struct mac_label_listeners_t mle_listeners; |
137 | SLIST_ENTRY(mac_label_element) mle_list; |
138 | }; |
139 | |
140 | SLIST_HEAD(mac_label_element_list_t, mac_label_element); |
141 | |
142 | /* |
143 | * MAC Framework global variables. |
144 | */ |
145 | |
146 | extern struct mac_label_element_list_t mac_label_element_list; |
147 | extern struct mac_label_element_list_t mac_static_label_element_list; |
148 | |
149 | extern struct mac_policy_list mac_policy_list; |
150 | |
151 | /* |
152 | * global flags to control whether a MACF subsystem is configured |
153 | * at all in the system. |
154 | */ |
155 | extern unsigned int mac_device_enforce; |
156 | extern unsigned int mac_pipe_enforce; |
157 | extern unsigned int mac_posixsem_enforce; |
158 | extern unsigned int mac_posixshm_enforce; |
159 | extern unsigned int mac_proc_enforce; |
160 | extern unsigned int mac_socket_enforce; |
161 | extern unsigned int mac_system_enforce; |
162 | extern unsigned int mac_sysvmsg_enforce; |
163 | extern unsigned int mac_sysvsem_enforce; |
164 | extern unsigned int mac_sysvshm_enforce; |
165 | extern unsigned int mac_vm_enforce; |
166 | extern unsigned int mac_vnode_enforce; |
167 | |
168 | extern unsigned int mac_label_vnodes; |
169 | extern unsigned int mac_vnode_label_count; |
170 | |
171 | static bool mac_proc_check_enforce(proc_t p); |
172 | |
173 | static __inline__ bool |
174 | mac_proc_check_enforce(proc_t p) |
175 | { |
176 | #if CONFIG_MACF |
177 | // Don't apply policies to the kernel itself. |
178 | return p != kernproc; |
179 | #else |
180 | #pragma unused(p) |
181 | return false; |
182 | #endif // CONFIG_MACF |
183 | } |
184 | |
185 | static bool mac_cred_check_enforce(kauth_cred_t cred); |
186 | |
187 | static __inline__ bool |
188 | mac_cred_check_enforce(kauth_cred_t cred) |
189 | { |
190 | #if CONFIG_MACF |
191 | return cred != proc_ucred_unsafe(p: kernproc); |
192 | #else |
193 | #pragma unused(p) |
194 | return false; |
195 | #endif // CONFIG_MACF |
196 | } |
197 | |
198 | /* |
199 | * MAC Framework infrastructure functions. |
200 | */ |
201 | |
202 | int mac_error_select(int error1, int error2); |
203 | |
204 | void mac_policy_list_busy(void); |
205 | int mac_policy_list_conditional_busy(void); |
206 | void mac_policy_list_unbusy(void); |
207 | |
208 | #if KERNEL |
209 | int mac_check_structmac_consistent(struct user_mac *mac); |
210 | #else |
211 | int mac_check_structmac_consistent(struct mac *mac); |
212 | #endif |
213 | |
214 | int mac_cred_label_externalize(struct label *, char *e, char *out, size_t olen, int flags); |
215 | int mac_vnode_label_externalize(struct label *, char *e, char *out, size_t olen, int flags); |
216 | |
217 | int mac_cred_label_internalize(struct label *label, char *string); |
218 | int mac_vnode_label_internalize(struct label *label, char *string); |
219 | |
220 | typedef int (^mac_getter_t)(char *, char *, size_t); |
221 | typedef int (^mac_setter_t)(char *, size_t); |
222 | |
223 | int mac_do_get(struct proc *p, user_addr_t mac_p, mac_getter_t getter); |
224 | int mac_do_set(struct proc *p, user_addr_t mac_p, mac_setter_t setter); |
225 | |
226 | #define MAC_POLICY_ITERATE(...) do { \ |
227 | struct mac_policy_conf *mpc; \ |
228 | u_int i; \ |
229 | \ |
230 | for (i = 0; i < mac_policy_list.staticmax; i++) { \ |
231 | mpc = mac_policy_list.entries[i].mpc; \ |
232 | if (mpc == NULL) \ |
233 | continue; \ |
234 | \ |
235 | __VA_ARGS__ \ |
236 | } \ |
237 | if (mac_policy_list_conditional_busy() != 0) { \ |
238 | for (; i <= mac_policy_list.maxindex; i++) { \ |
239 | mpc = mac_policy_list.entries[i].mpc; \ |
240 | if (mpc == NULL) \ |
241 | continue; \ |
242 | \ |
243 | __VA_ARGS__ \ |
244 | } \ |
245 | mac_policy_list_unbusy(); \ |
246 | } \ |
247 | } while (0) |
248 | |
249 | enum mac_iterate_types { |
250 | MAC_ITERATE_CHECK = 0, // error starts at 0, callbacks can change it |
251 | MAC_ITERATE_GRANT = 1, // error starts as EPERM, callbacks can clear it |
252 | MAC_ITERATE_PERFORM = 2, // no result |
253 | }; |
254 | |
255 | /* |
256 | * MAC_CHECK performs the designated check by walking the policy |
257 | * module list and checking with each as to how it feels about the |
258 | * request. Note that it returns its value via 'error' in the scope |
259 | * of the caller. |
260 | */ |
261 | #define MAC_CHECK(check, args...) do { \ |
262 | error = 0; \ |
263 | MAC_POLICY_ITERATE({ \ |
264 | if (mpc->mpc_ops->mpo_ ## check != NULL) { \ |
265 | DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_CHECK); \ |
266 | int __step_err = mpc->mpc_ops->mpo_ ## check (args); \ |
267 | DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_err); \ |
268 | error = mac_error_select(__step_err, error); \ |
269 | } \ |
270 | }); \ |
271 | } while (0) |
272 | |
273 | /* |
274 | * MAC_GRANT performs the designated check by walking the policy |
275 | * module list and checking with each as to how it feels about the |
276 | * request. Unlike MAC_CHECK, it grants if any policies return '0', |
277 | * and otherwise returns EPERM. Note that it returns its value via |
278 | * 'error' in the scope of the caller. |
279 | */ |
280 | #define MAC_GRANT(check, args...) do { \ |
281 | error = EPERM; \ |
282 | MAC_POLICY_ITERATE({ \ |
283 | if (mpc->mpc_ops->mpo_ ## check != NULL) { \ |
284 | DTRACE_MACF3(mac__call__ ## check, void *, mpc, int, error, int, MAC_ITERATE_GRANT); \ |
285 | int __step_res = mpc->mpc_ops->mpo_ ## check (args); \ |
286 | if (__step_res == 0) { \ |
287 | error = 0; \ |
288 | } \ |
289 | DTRACE_MACF2(mac__rslt__ ## check, void *, mpc, int, __step_res); \ |
290 | } \ |
291 | }); \ |
292 | } while (0) |
293 | |
294 | #define MAC_INTERNALIZE(obj, label, instring) \ |
295 | mac_internalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_internalize), label, instring) |
296 | |
297 | #define MAC_EXTERNALIZE(obj, label, elementlist, outbuf, outbuflen) \ |
298 | mac_externalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_externalize), label, elementlist, outbuf, outbuflen) |
299 | |
300 | #define MAC_EXTERNALIZE_AUDIT(obj, label, outbuf, outbuflen) \ |
301 | mac_externalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _label_externalize_audit), label, "*", outbuf, outbuflen) |
302 | |
303 | #define MAC_PERFORM_CALL(operation, mpc) DTRACE_MACF3(mac__call__ ## operation, void *, mpc, int, 0, int, MAC_ITERATE_PERFORM) |
304 | #define MAC_PERFORM_RSLT(operation, mpc) DTRACE_MACF2(mac__rslt__ ## operation, void *, mpc, int, 0) |
305 | |
306 | /* |
307 | * MAC_PERFORM performs the designated operation by walking the policy |
308 | * module list and invoking that operation for each policy. |
309 | */ |
310 | #define MAC_PERFORM(operation, args...) do { \ |
311 | MAC_POLICY_ITERATE({ \ |
312 | if (mpc->mpc_ops->mpo_ ## operation != NULL) { \ |
313 | MAC_PERFORM_CALL(operation, mpc); \ |
314 | mpc->mpc_ops->mpo_ ## operation (args); \ |
315 | MAC_PERFORM_RSLT(operation, mpc); \ |
316 | } \ |
317 | }); \ |
318 | } while (0) |
319 | |
320 | |
321 | # |
322 | struct __mac_get_pid_args; |
323 | struct __mac_get_proc_args; |
324 | struct __mac_set_proc_args; |
325 | struct __mac_get_lcid_args; |
326 | struct __mac_get_fd_args; |
327 | struct __mac_get_file_args; |
328 | struct __mac_get_link_args; |
329 | struct __mac_set_fd_args; |
330 | struct __mac_set_file_args; |
331 | struct __mac_syscall_args; |
332 | |
333 | void mac_policy_addto_labellist(const mac_policy_handle_t, int); |
334 | void mac_policy_removefrom_labellist(const mac_policy_handle_t); |
335 | |
336 | int mac_externalize(size_t mpo_externalize_off, struct label *label, |
337 | const char *elementlist, char *outbuf, size_t outbuflen); |
338 | int mac_internalize(size_t mpo_internalize_off, struct label *label, |
339 | char *elementlist); |
340 | #endif /* !_SECURITY_MAC_INTERNAL_H_ */ |
341 | |