/*-
 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
 * Copyright (c) 2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 *
 * mac_seeotheruids: a MAC policy that hides transient kernel objects
 * (processes, sockets, inpcbs, credentials) owned by one uid from
 * processes running under another uid.  Every hook below reduces to a
 * single credential-vs-credential decision in seeotheruids_check(); the
 * sysctl knobs that follow carve out exemptions from that decision.
 */

#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_pcb.h>

#include <security/mac/mac_policy.h>

SYSCTL_DECL(_security_mac);

static SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0,
    "TrustedBSD mac_seeotheruids policy controls");

/* Master switch; when clear every hook answers "visible" immediately. */
static int seeotheruids_enabled = 1;
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW,
    &seeotheruids_enabled, 0, "Enforce seeotheruids policy");

/*
 * Exemption: a credential may see another credential that shares its
 * real primary gid (cr_rgid).  Off by default.
 */
static int primarygroup_enabled = 0;
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, primarygroup_enabled,
    CTLFLAG_RW, &primarygroup_enabled, 0, "Make an exception for credentials "
    "with the same real primary group id");

/*
 * Exemption: a credential holding PRIV_SEEOTHERUIDS (checked through
 * priv_check_cred()) may see everything.  On by default.
 */
static int suser_privileged = 1;
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
    CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");

/*
 * Exemption: members of one administrator-chosen gid are exempt from the
 * policy altogether.  specificgid_enabled turns the exemption on;
 * specificgid names the gid.  Both are off/zero by default, so enabling
 * the first without setting the second exempts every member of gid 0.
 */
static int specificgid_enabled = 0;
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid_enabled,
    CTLFLAG_RW, &specificgid_enabled, 0, "Make an exception for credentials "
    "with a specific gid as their real primary group id or group set");

static gid_t specificgid = 0;
SYSCTL_UINT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
    &specificgid, 0, "Specific gid to be exempt from seeotheruids policy");

/*
 * The single decision every hook in this module defers to.
 *
 * subj is the credential doing the looking, obj the credential of the
 * object being looked at.  Returns 0 when subj may see obj and ESRCH
 * otherwise; hooks pass that value straight back to the MAC framework.
 *
 * Exemptions are tested in this order: policy disabled, same real gid
 * (primarygroup_enabled), exempt gid by real gid or group set
 * (specificgid_enabled), same real uid, PRIV_SEEOTHERUIDS
 * (suser_privileged).  The privilege check comes last, so it is only
 * reached when no other exemption applies.
 */
static int
seeotheruids_check(struct ucred *subj, struct ucred *obj)
{
	if (!seeotheruids_enabled)
		return (0);

	/* Same real primary group, if the administrator allows it. */
	if (primarygroup_enabled && subj->cr_rgid == obj->cr_rgid)
		return (0);

	/* Exempt gid, matched against the real gid or the group set. */
	if (specificgid_enabled &&
	    (subj->cr_rgid == specificgid || groupmember(specificgid, subj)))
		return (0);

	/* Objects owned by the same real uid are always visible. */
	if (subj->cr_ruid == obj->cr_ruid)
		return (0);

	/* Privilege, consulted only after every cheaper exemption failed. */
	if (suser_privileged &&
	    priv_check_cred(subj, PRIV_SEEOTHERUIDS, 0) == 0)
		return (0);

	return (ESRCH);
}

/*
 * Per-object hooks.  Each one extracts the object's owning credential
 * from the kernel object it is handed and defers to seeotheruids_check().
 * Extra arguments (signal number, labels) are part of the hook signature
 * but play no role in the decision.
 */

/* cred asks to debug process p. */
static int
seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
{
	return (seeotheruids_check(cred, p->p_ucred));
}

/* cred asks to change scheduling parameters of process p. */
static int
seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
{
	return (seeotheruids_check(cred, p->p_ucred));
}

/* cred asks to deliver a signal to process p; signum is not consulted. */
static int
seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
    int signum)
{
	return (seeotheruids_check(cred, p->p_ucred));
}

/* cr1 asks whether credential cr2 is visible to it. */
static int
seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
	return (seeotheruids_check(cr1, cr2));
}

/* cred asks whether inpcb inp is visible; inplabel is not consulted. */
static int
seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
    struct label *inplabel)
{
	return (seeotheruids_check(cred, inp->inp_cred));
}

/* cred asks whether socket so is visible; solabel is not consulted. */
static int
seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
    struct label *solabel)
{
	return (seeotheruids_check(cred, so->so_cred));
}

/* Hook table registered with the MAC framework. */
static struct mac_policy_ops seeotheruids_ops =
{
	.mpo_proc_check_debug = seeotheruids_proc_check_debug,
	.mpo_proc_check_sched = seeotheruids_proc_check_sched,
	.mpo_proc_check_signal = seeotheruids_proc_check_signal,
	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
	.mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible,
	.mpo_socket_check_visible = seeotheruids_socket_check_visible,
};

/* Loadable and unloadable; the policy keeps no per-object label state. */
MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
    "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);