xref: /freebsd-14-stable/sys/security/mac_veriexec/mac_veriexec.c (revision 62d3e81935c6b642bc6a3ffb0b909c14d15efbed)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2011-2023 Juniper Networks, Inc.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 
31 #include "opt_capsicum.h"
32 #include "opt_mac.h"
33 
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/capsicum.h>
37 #include <sys/eventhandler.h>
38 #include <sys/fcntl.h>
39 #include <sys/file.h>
40 #include <sys/filedesc.h>
41 #include <sys/imgact.h>
42 #include <sys/jail.h>
43 #include <sys/kernel.h>
44 #include <sys/mac.h>
45 #include <sys/mount.h>
46 #include <sys/namei.h>
47 #include <sys/priv.h>
48 #include <sys/proc.h>
49 #include <sys/sbuf.h>
50 #include <sys/stat.h>
51 #include <sys/sysctl.h>
52 #include <sys/vnode.h>
53 #ifdef COMPAT_FREEBSD32
54 #include <sys/sysent.h>
55 #include <sys/stdint.h>
56 #include <sys/abi_compat.h>
57 #endif
58 #include <fs/nullfs/null.h>
59 #include <security/mac/mac_framework.h>
60 #include <security/mac/mac_policy.h>
61 
62 #include "mac_veriexec.h"
63 #include "mac_veriexec_internal.h"
64 
65 #define	SLOT(l) \
66 	mac_label_get((l), mac_veriexec_slot)
67 #define	SLOT_SET(l, v) \
68 	mac_label_set((l), mac_veriexec_slot, (v))
69 
70 #ifdef MAC_VERIEXEC_DEBUG
71 #define	MAC_VERIEXEC_DBG(_lvl, _fmt, ...)				\
72 	do {								\
73 		VERIEXEC_DEBUG((_lvl), (MAC_VERIEXEC_FULLNAME ": " _fmt	\
74 		     "\n", ##__VA_ARGS__));				\
75 	} while(0)
76 #else
77 #define	MAC_VERIEXEC_DBG(_lvl, _fmt, ...)
78 #endif
79 
80 static int sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS);
81 static int sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS);
82 static struct mac_policy_ops mac_veriexec_ops;
83 
84 SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
85     "MAC/veriexec policy controls");
86 
87 int	mac_veriexec_debug;
88 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, debug, CTLFLAG_RW,
89     &mac_veriexec_debug, 0, "Debug level");
90 
91 static int	mac_veriexec_state;
92 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, state,
93     CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_NEEDGIANT,
94     0, 0, sysctl_mac_veriexec_state, "A",
95     "Verified execution subsystem state");
96 
97 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
98     CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP | CTLFLAG_NEEDGIANT,
99     0, 0, sysctl_mac_veriexec_db,
100     "A", "Verified execution fingerprint database");
101 
102 
103 static int mac_veriexec_slot;
104 
105 static int mac_veriexec_block_unlink;
106 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
107     &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
108 
109 MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
110 
111 /**
112  * @internal
113  * @brief Handler for security.mac.veriexec.db sysctl
114  *
115  * Display a human-readable form of the current fingerprint database.
116  */
117 static int
sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS)118 sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS)
119 {
120 	struct sbuf sb;
121 	int error;
122 
123 	error = sysctl_wire_old_buffer(req, 0);
124 	if (error != 0)
125 		return (error);
126 
127 	sbuf_new_for_sysctl(&sb, NULL, 1024, req);
128 	mac_veriexec_metadata_print_db(&sb);
129 	error = sbuf_finish(&sb);
130 	sbuf_delete(&sb);
131 
132 	return (error);
133 }
134 
135 /**
136  * @internal
137  * @brief Generate human-readable output about the current verified execution
138  *        state.
139  *
140  * @param sbp		sbuf to write output to
141  */
142 static void
mac_veriexec_print_state(struct sbuf * sbp)143 mac_veriexec_print_state(struct sbuf *sbp)
144 {
145 
146 	if (mac_veriexec_state & VERIEXEC_STATE_INACTIVE)
147 		sbuf_printf(sbp, "inactive ");
148 	if (mac_veriexec_state & VERIEXEC_STATE_LOADED)
149 		sbuf_printf(sbp, "loaded ");
150 	if (mac_veriexec_state & VERIEXEC_STATE_ACTIVE)
151 		sbuf_printf(sbp, "active ");
152 	if (mac_veriexec_state & VERIEXEC_STATE_ENFORCE)
153 		sbuf_printf(sbp, "enforce ");
154 	if (mac_veriexec_state & VERIEXEC_STATE_LOCKED)
155 		sbuf_printf(sbp, "locked ");
156 	if (mac_veriexec_state != 0)
157 		sbuf_trim(sbp);
158 }
159 
160 /**
161  * @internal
162  * @brief Handler for security.mac.veriexec.state sysctl
163  *
164  * Display a human-readable form of the current verified execution subsystem
165  * state.
166  */
167 static int
sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS)168 sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS)
169 {
170 	struct sbuf sb;
171 	int error;
172 
173 	sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
174 	mac_veriexec_print_state(&sb);
175 	sbuf_finish(&sb);
176 
177 	error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
178 	sbuf_delete(&sb);
179 	return (error);
180 }
181 
182 /**
183  * @internal
184  * @brief Event handler called when a virtual file system is mounted.
185  *
186  * We need to record the file system identifier in the MAC per-policy slot
187  * assigned to veriexec, so we have a key to use in order to reference the
188  * mount point in the meta-data store.
189  *
190  * @param arg		unused argument
191  * @param mp		mount point that is being mounted
192  * @param fsrootvp	vnode of the file system root
193  * @param td		calling thread
194  */
195 static void
mac_veriexec_vfs_mounted(void * arg __unused,struct mount * mp,struct vnode * fsrootvp,struct thread * td)196 mac_veriexec_vfs_mounted(void *arg __unused, struct mount *mp,
197     struct vnode *fsrootvp, struct thread *td)
198 {
199 	struct vattr va;
200 	int error;
201 
202 	error = VOP_GETATTR(fsrootvp, &va, td->td_ucred);
203 	if (error)
204 		return;
205 
206 	SLOT_SET(mp->mnt_label, va.va_fsid);
207 	MAC_VERIEXEC_DBG(3, "set fsid to %ju for mount %p",
208 	    (uintmax_t)va.va_fsid, mp);
209 }
210 
211 /**
212  * @internal
213  * @brief Event handler called when a virtual file system is unmounted.
214  *
215  * If we recorded a file system identifier in the MAC per-policy slot assigned
216  * to veriexec, then we need to tell the meta-data store to clean up.
217  *
218  * @param arg		unused argument
219  * @param mp		mount point that is being unmounted
220  * @param td		calling thread
221  */
222 static void
mac_veriexec_vfs_unmounted(void * arg __unused,struct mount * mp,struct thread * td)223 mac_veriexec_vfs_unmounted(void *arg __unused, struct mount *mp,
224     struct thread *td)
225 {
226 	dev_t fsid;
227 
228 	fsid = SLOT(mp->mnt_label);
229 	if (fsid) {
230 		MAC_VERIEXEC_DBG(3, "fsid %ju, cleaning up mount",
231 		    (uintmax_t)fsid);
232 		mac_veriexec_metadata_unmounted(fsid, td);
233 	}
234 }
235 
236 /**
237  * @internal
238  * @brief The mount point is being initialized, set the value in the MAC
239  *     per-policy slot for veriexec to zero.
240  *
241  * @note A value of zero in this slot indicates no file system identifier
242  *     is assigned.
243  *
244  * @param label the label that is being initialized
245  */
246 static void
mac_veriexec_mount_init_label(struct label * label)247 mac_veriexec_mount_init_label(struct label *label)
248 {
249 
250 	SLOT_SET(label, 0);
251 }
252 
253 /**
254  * @internal
255  * @brief The mount-point is being destroyed, reset the value in the MAC
256  *     per-policy slot for veriexec back to zero.
257  *
258  * @note A value of zero in this slot indicates no file system identifier
259  *     is assigned.
260  *
261  * @param label the label that is being destroyed
262  */
263 static void
mac_veriexec_mount_destroy_label(struct label * label)264 mac_veriexec_mount_destroy_label(struct label *label)
265 {
266 
267 	SLOT_SET(label, 0);
268 }
269 
270 /**
271  * @internal
272  * @brief The vnode label is being initialized, set the value in the MAC
273  *     per-policy slot for veriexec to @c FINGERPRINT_INVALID
274  *
275  * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
276  *
277  * @param label		the label that is being initialized
278  */
279 static void
mac_veriexec_vnode_init_label(struct label * label)280 mac_veriexec_vnode_init_label(struct label *label)
281 {
282 
283 	SLOT_SET(label, FINGERPRINT_INVALID);
284 }
285 
286 /**
287  * @internal
288  * @brief The vnode label is being destroyed, reset the value in the MAC
289  *        per-policy slot for veriexec back to @c FINGERPRINT_INVALID
290  *
291  * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
292  *
293  * @param label		the label that is being destroyed
294  */
295 static void
mac_veriexec_vnode_destroy_label(struct label * label)296 mac_veriexec_vnode_destroy_label(struct label *label)
297 {
298 
299 	SLOT_SET(label, FINGERPRINT_INVALID);
300 }
301 
302 /**
303  * @internal
304  * @brief Copy the value in the MAC per-policy slot assigned to veriexec from
305  *        the @p src label to the @p dest label
306  */
307 static void
mac_veriexec_copy_label(struct label * src,struct label * dest)308 mac_veriexec_copy_label(struct label *src, struct label *dest)
309 {
310 
311 	SLOT_SET(dest, SLOT(src));
312 }
313 
314 /**
315  * @internal
316  * @brief Check if the requested process can be debugged
317  *
318  * @param cred		credentials to use
319  * @param p		process to debug
320  *
321  * @return 0 if debugging is allowed, otherwise an error code.
322  */
323 static int
mac_veriexec_proc_check_debug(struct ucred * cred,struct proc * p)324 mac_veriexec_proc_check_debug(struct ucred *cred, struct proc *p)
325 {
326 	int error, flags;
327 
328 	/* If we are not enforcing veriexec, nothing for us to check */
329 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
330 		return (0);
331 
332 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
333 	if (error != 0)
334 		return (0);
335 
336 	error = (flags & (VERIEXEC_NOTRACE|VERIEXEC_TRUSTED)) ? EACCES : 0;
337 	MAC_VERIEXEC_DBG(4, "%s flags=%#x error=%d", __func__, flags, error);
338 
339 	return (error);
340 }
341 
342 /**
343  * @internal
344  * @brief A KLD load has been requested and needs to be validated.
345  *
346  * @param cred		credentials to use
347  * @param vp		vnode of the KLD that has been requested
348  * @param vlabel	vnode label assigned to the vnode
349  *
350  * @return 0 if the KLD load is allowed, otherwise an error code.
351  */
352 static int
mac_veriexec_kld_check_load(struct ucred * cred,struct vnode * vp,struct label * vlabel)353 mac_veriexec_kld_check_load(struct ucred *cred, struct vnode *vp,
354     struct label *vlabel)
355 {
356 	struct vattr va;
357 	struct thread *td = curthread;
358 	fingerprint_status_t status;
359 	int error;
360 
361 	/*
362 	 * If we are not actively enforcing, allow it
363 	 */
364 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
365 		return (0);
366 
367 	/* Get vnode attributes */
368 	error = VOP_GETATTR(vp, &va, cred);
369 	if (error)
370 		return (error);
371 
372 	/*
373 	 * Fetch the fingerprint status for the vnode
374 	 * (starting with files first)
375 	 */
376 	error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
377 	    VERIEXEC_FILES_FIRST);
378 	if (error && error != EAUTH)
379 		return (error);
380 
381 	/*
382 	 * By now we should have status...
383 	 */
384 	status = mac_veriexec_get_fingerprint_status(vp);
385 	switch (status) {
386 	case FINGERPRINT_FILE:
387 	case FINGERPRINT_VALID:
388 	case FINGERPRINT_INDIRECT:
389 		if (error)
390 			return (error);
391 		break;
392 	default:
393 		/*
394 		 * kldload should fail unless there is a valid fingerprint
395 		 * registered.
396 		 */
397 		MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev %ju, "
398 		    "file %ju.%ju\n", status, (uintmax_t)va.va_fsid,
399 		    (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen);
400 		return (EAUTH);
401 	}
402 
403 	/* Everything is good, allow the KLD to be loaded */
404 	return (0);
405 }
406 
407 /**
408  * @internal
409  * @brief Check privileges that veriexec needs to be concerned about.
410  *
411  * The following privileges are checked by this function:
412  *  - PRIV_KMEM_WRITE\n
413  *    Check if writes to /dev/mem and /dev/kmem are allowed\n
414  *    (Only trusted processes are allowed)
415  *  - PRIV_VERIEXEC_CONTROL\n
416  *    Check if manipulating veriexec is allowed\n
417  *    (only trusted processes are allowed)
418  *
419  * @param cred		credentials to use
420  * @param priv		privilege to check
421  *
422  * @return 0 if the privilege is allowed, error code otherwise.
423  */
424 static int
mac_veriexec_priv_check(struct ucred * cred,int priv)425 mac_veriexec_priv_check(struct ucred *cred, int priv)
426 {
427 	int error;
428 
429 	/* If we are not enforcing veriexec, nothing for us to check */
430 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
431 		return (0);
432 
433 	error = 0;
434 	switch (priv) {
435 	case PRIV_KMEM_WRITE:
436 	case PRIV_VERIEXEC_CONTROL:
437 		/*
438 		 * Do not allow writing to memory or manipulating veriexec,
439 		 * unless trusted
440 		 */
441 		if (mac_veriexec_proc_is_trusted(cred, curproc) == 0 &&
442 		    mac_priv_grant(cred, priv) != 0)
443 			error = EPERM;
444 		MAC_VERIEXEC_DBG(4, "%s priv=%d error=%d", __func__, priv,
445 		    error);
446 		break;
447 	default:
448 		break;
449 	}
450 	return (error);
451 }
452 
453 /**
454  * @internal
455  * @brief Check if the requested sysctl should be allowed
456  *
457  * @param cred         credentials to use
458  * @param oidp         sysctl OID
459  * @param arg1         first sysctl argument
460  * @param arg2         second sysctl argument
461  * @param req          sysctl request information
462  *
463  * @return 0 if the sysctl should be allowed, otherwise an error code.
464  */
465 static int
mac_veriexec_sysctl_check(struct ucred * cred,struct sysctl_oid * oidp,void * arg1,int arg2,struct sysctl_req * req)466 mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp,
467     void *arg1, int arg2, struct sysctl_req *req)
468 {
469 	struct sysctl_oid *oid;
470 
471 	/* If we are not enforcing veriexec, nothing for us to check */
472 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
473 		return (0);
474 
475 	oid = oidp;
476 	if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
477 		return (EPERM);		/* XXX call mac_veriexec_priv_check? */
478 	}
479 	return 0;
480 }
481 
482 /**
483  * @internal
484  * @brief A program is being executed and needs to be validated.
485  *
486  * @param cred		credentials to use
487  * @param vp		vnode of the program that is being executed
488  * @param label		vnode label assigned to the vnode
489  * @param imgp		parameters for the image to be executed
490  * @param execlabel	optional exec label
491  *
492  * @return 0 if the program should be allowed to execute, otherwise an error
493  *     code.
494  */
495 static int
mac_veriexec_vnode_check_exec(struct ucred * cred __unused,struct vnode * vp __unused,struct label * label __unused,struct image_params * imgp,struct label * execlabel __unused)496 mac_veriexec_vnode_check_exec(struct ucred *cred __unused,
497     struct vnode *vp __unused, struct label *label __unused,
498     struct image_params *imgp, struct label *execlabel __unused)
499 {
500 	struct thread *td = curthread;
501 	int error;
502 
503 	error = mac_veriexec_fingerprint_check_image(imgp, 0, td);
504 	return (error);
505 }
506 
507 /**
508  * @brief Check fingerprint for the specified vnode and validate it
509  *
510  * @param cred		credentials to use
511  * @param vp		vnode of the file
512  * @param accmode	access mode to check (read, write, append, create,
513  *			verify, etc.)
514  *
515  * @return 0 if the file validated, otherwise an error code.
516  */
517 static int
mac_veriexec_check_vp(struct ucred * cred,struct vnode * vp,accmode_t accmode)518 mac_veriexec_check_vp(struct ucred *cred, struct vnode *vp, accmode_t accmode)
519 {
520 	struct vattr va;
521 	struct thread *td = curthread;
522 	fingerprint_status_t status;
523 	int error;
524 
525 	/* Get vnode attributes */
526 	error = VOP_GETATTR(vp, &va, cred);
527 	if (error)
528 		return (error);
529 
530 	/* Get the fingerprint status for the file */
531 	error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
532 	    VERIEXEC_FILES_FIRST);
533 	if (error && error != EAUTH)
534 		return (error);
535 
536 	/*
537 	 * By now we should have status...
538 	 */
539 	status = mac_veriexec_get_fingerprint_status(vp);
540 	if (accmode & VWRITE) {
541 		/*
542 		 * If file has a fingerprint then deny the write request,
543 		 * otherwise invalidate the status so we don't keep checking
544 		 * for the file having a fingerprint.
545 		 */
546 		switch (status) {
547 		case FINGERPRINT_FILE:
548 		case FINGERPRINT_VALID:
549 		case FINGERPRINT_INDIRECT:
550 			MAC_VERIEXEC_DBG(2,
551 			    "attempted write to fingerprinted file for dev "
552 			    "%ju, file %ju.%ju\n", (uintmax_t)va.va_fsid,
553 			    (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen);
554 			return (EPERM);
555 		default:
556 			break;
557 		}
558 	}
559 	if (accmode & VVERIFY) {
560 		switch (status) {
561 		case FINGERPRINT_FILE:
562 		case FINGERPRINT_VALID:
563 		case FINGERPRINT_INDIRECT:
564 			if (error)
565 				return (error);
566 			break;
567 		default:
568 			/* Allow for overriding verification requirement */
569 			if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) == 0)
570 				return (0);
571 			/*
572 			 * Caller wants open to fail unless there is a valid
573 			 * fingerprint registered.
574 			 */
575 			MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev "
576 			    "%ju, file %ju.%ju\n", status,
577 			    (uintmax_t)va.va_fsid, (uintmax_t)va.va_fileid,
578 			    (uintmax_t)va.va_gen);
579 			return (EAUTH);
580 		}
581 	}
582 	return (0);
583 }
584 
585 /**
586  * @brief Opening a file has been requested and may need to be validated.
587  *
588  * @param cred		credentials to use
589  * @param vp		vnode of the file to open
590  * @param label		vnode label assigned to the vnode
591  * @param accmode	access mode to use for opening the file (read, write,
592  * 			append, create, verify, etc.)
593  *
594  * @return 0 if opening the file should be allowed, otherwise an error code.
595  */
596 static int
mac_veriexec_vnode_check_open(struct ucred * cred,struct vnode * vp,struct label * label __unused,accmode_t accmode)597 mac_veriexec_vnode_check_open(struct ucred *cred, struct vnode *vp,
598 	struct label *label __unused, accmode_t accmode)
599 {
600 	int error;
601 
602 	/*
603 	 * Look for the file on the fingerprint lists iff it has not been seen
604 	 * before.
605 	 */
606 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
607 		return (0);
608 
609 	error = mac_veriexec_check_vp(cred, vp, accmode);
610 	return (error);
611 }
612 
613 /**
614  * @brief Unlink on a file has been requested and may need to be validated.
615  *
616  * @param cred		credentials to use
617  * @param dvp		parent directory for file vnode vp
618  * @param dlabel	vnode label assigned to the directory vnode
619  * @param vp		vnode of the file to unlink
620  * @param label		vnode label assigned to the vnode
621  * @param cnp		component name for vp
622  *
623  *
624  * @return 0 if opening the file should be allowed, otherwise an error code.
625  */
626 static int
mac_veriexec_vnode_check_unlink(struct ucred * cred,struct vnode * dvp __unused,struct label * dvplabel __unused,struct vnode * vp,struct label * label __unused,struct componentname * cnp __unused)627 mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused,
628     struct label *dvplabel __unused, struct vnode *vp,
629     struct label *label __unused, struct componentname *cnp __unused)
630 {
631 	int error;
632 
633 	/*
634 	 * Look for the file on the fingerprint lists iff it has not been seen
635 	 * before.
636 	 */
637 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
638 		return (0);
639 
640 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
641 	if (error == 0) {
642 		/*
643 		 * The target is verified, so disallow replacement.
644 		 */
645 		MAC_VERIEXEC_DBG(2,
646     "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);
647 
648 		return (EAUTH);
649 	}
650 	return (0);
651 }
652 
653 /**
654  * @brief Rename the file has been requested and may need to be validated.
655  *
656  * @param cred		credentials to use
657  * @param dvp		parent directory for file vnode vp
658  * @param dlabel	vnode label assigned to the directory vnode
659  * @param vp		vnode of the file to rename
660  * @param label		vnode label assigned to the vnode
661  * @param cnp		component name for vp
662  *
663  *
664  * @return 0 if opening the file should be allowed, otherwise an error code.
665  */
666 static int
mac_veriexec_vnode_check_rename_from(struct ucred * cred,struct vnode * dvp __unused,struct label * dvplabel __unused,struct vnode * vp,struct label * label __unused,struct componentname * cnp __unused)667 mac_veriexec_vnode_check_rename_from(struct ucred *cred,
668     struct vnode *dvp __unused, struct label *dvplabel __unused,
669     struct vnode *vp, struct label *label __unused,
670     struct componentname *cnp __unused)
671 {
672 	int error;
673 
674 	/*
675 	 * Look for the file on the fingerprint lists iff it has not been seen
676 	 * before.
677 	 */
678 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
679 		return (0);
680 
681 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
682 	if (error == 0) {
683 		/*
684 		 * The target is verified, so disallow replacement.
685 		 */
686 		MAC_VERIEXEC_DBG(2,
687     "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);
688 		return (EAUTH);
689 	}
690 	return (0);
691 }
692 
693 
694 /**
695  * @brief Rename to file into the directory (overwrite the file name) has been
696  * requested and may need to be validated.
697  *
698  * @param cred		credentials to use
699  * @param dvp		parent directory for file vnode vp
700  * @param dlabel	vnode label assigned to the directory vnode
701  * @param vp		vnode of the overwritten file
702  * @param label		vnode label assigned to the vnode
703  * @param samedir	1 if the source and destination directories are the same
704  * @param cnp		component name for vp
705  *
706  *
707  * @return 0 if opening the file should be allowed, otherwise an error code.
708  */
709 	static int
mac_veriexec_vnode_check_rename_to(struct ucred * cred,struct vnode * dvp __unused,struct label * dvplabel __unused,struct vnode * vp,struct label * label __unused,int samedir __unused,struct componentname * cnp __unused)710 mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unused,
711     struct label *dvplabel __unused, struct vnode *vp,
712     struct label *label __unused, int samedir __unused,
713     struct componentname *cnp __unused)
714 {
715 	int error;
716 	/*
717 	 * If there is no existing file to overwrite, vp and label will be
718 	 * NULL.
719 	 */
720 	if (vp == NULL)
721 		return (0);
722 
723 	/*
724 	 * Look for the file on the fingerprint lists iff it has not been seen
725 	 * before.
726 	 */
727 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
728 		return (0);
729 
730 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
731 	if (error == 0) {
732 		/*
733 		 * The target is verified, so disallow replacement.
734 		 */
735 		MAC_VERIEXEC_DBG(2,
736     "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);
737 		return (EAUTH);
738 	}
739 	return (0);
740 }
741 
742 
743 /**
744  * @brief Check mode changes on file to ensure they should be allowed.
745  *
746  * We cannot allow chmod of SUID or SGID on verified files.
747  *
748  * @param cred		credentials to use
749  * @param vp		vnode of the file to open
750  * @param label		vnode label assigned to the vnode
751  * @param mode		mode flags to set
752  *
753  * @return 0 if the mode change should be allowed, EAUTH otherwise.
754  */
755 static int
mac_veriexec_vnode_check_setmode(struct ucred * cred,struct vnode * vp,struct label * label __unused,mode_t mode)756 mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
757     struct label *label __unused, mode_t mode)
758 {
759 	int error;
760 
761 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
762 		return (0);
763 
764 	/*
765 	 * Prohibit chmod of verified set-[gu]id file.
766 	 */
767 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
768 	if (error == EAUTH)		/* target not verified */
769 		return (0);
770 	if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
771 		return (EAUTH);
772 
773 	return (0);
774 }
775 
776 /**
777  * @internal
778  * @brief Initialize the mac_veriexec MAC policy
779  *
780  * @param mpc		MAC policy configuration
781  */
782 static void
mac_veriexec_init(struct mac_policy_conf * mpc __unused)783 mac_veriexec_init(struct mac_policy_conf *mpc __unused)
784 {
785 	/* Initialize state */
786 	mac_veriexec_state = VERIEXEC_STATE_INACTIVE;
787 
788 	/* Initialize meta-data storage */
789 	mac_veriexec_metadata_init();
790 
791 	/* Initialize fingerprint ops */
792 	mac_veriexec_fingerprint_init();
793 
794 	/* Register event handlers */
795 	EVENTHANDLER_REGISTER(vfs_mounted, mac_veriexec_vfs_mounted, NULL,
796 	    EVENTHANDLER_PRI_FIRST);
797 	EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
798 	    EVENTHANDLER_PRI_LAST);
799 
800 	/* Check if unlink control is activated via tunable value */
801 	if (!mac_veriexec_block_unlink)
802 		mac_veriexec_ops.mpo_vnode_check_unlink = NULL;
803 }
804 
805 #ifdef COMPAT_FREEBSD32
806 struct mac_veriexec_syscall_params32  {
807 	char fp_type[VERIEXEC_FPTYPELEN];
808 	unsigned char fingerprint[MAXFINGERPRINTLEN];
809 	char label[MAXLABELLEN];
810 	uint32_t labellen;
811 	unsigned char flags;
812 };
813 
814 struct mac_veriexec_syscall_params_args32 {
815 	union {
816 		pid_t pid;
817 		uint32_t filename;
818 	} u;				  /* input only */
819 	uint32_t params;		  /* result */
820 };
821 #endif
822 
823 /**
824  * @internal
825  * @brief MAC policy-specific syscall for mac_veriexec
826  *
827  * The following syscalls are implemented:
828  *   - @c MAC_VERIEXEC_CHECK_SYSCALL
829  *        Check if the file referenced by a file descriptor has a fingerprint
830  *        registered in the meta-data store.
831  *
832  * @param td		calling thread
833  * @param call		system call number
834  * @param arg		arugments to the syscall
835  *
836  * @return 0 on success, otherwise an error code.
837  */
838 static int
mac_veriexec_syscall(struct thread * td,int call,void * arg)839 mac_veriexec_syscall(struct thread *td, int call, void *arg)
840 {
841 	struct image_params img;
842 	struct nameidata nd;
843 	cap_rights_t rights;
844 	struct vattr va;
845 	struct file *fp;
846 	struct mac_veriexec_syscall_params_args pargs;
847 	struct mac_veriexec_syscall_params result;
848 #ifdef COMPAT_FREEBSD32
849 	struct mac_veriexec_syscall_params_args32 pargs32;
850 	struct mac_veriexec_syscall_params32 result32;
851 #endif
852 	struct mac_veriexec_file_info *ip;
853 	struct proc *proc;
854 	struct vnode *textvp;
855 	int error, flags, proc_locked;
856 
857 	nd.ni_vp = NULL;
858 	proc_locked = 0;
859 	textvp = NULL;
860 	switch (call) {
861 	case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
862 	case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
863 #ifdef COMPAT_FREEBSD32
864 		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
865 			error = copyin(arg, &pargs32, sizeof(pargs32));
866 			if (error)
867 				return error;
868 			bzero(&pargs, sizeof(pargs));
869 			switch (call) {
870 			case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
871 				CP(pargs32, pargs, u.pid);
872 				break;
873 			case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
874 				PTRIN_CP(pargs32, pargs, u.filename);
875 				break;
876 			}
877 			PTRIN_CP(pargs32, pargs, params);
878 		} else
879 #endif
880 		error = copyin(arg, &pargs, sizeof(pargs));
881 		if (error)
882 			return error;
883 		break;
884 	}
885 
886 	switch (call) {
887 	case MAC_VERIEXEC_CHECK_FD_SYSCALL:
888 		/* Get the vnode associated with the file descriptor passed */
889 		error = getvnode(td, (uintptr_t) arg,
890 		    cap_rights_init_one(&rights, CAP_READ), &fp);
891 		if (error)
892 			return (error);
893 		if (fp->f_type != DTYPE_VNODE) {
894 			MAC_VERIEXEC_DBG(3, "MAC_VERIEXEC_CHECK_SYSCALL: "
895 			    "file is not vnode type (type=0x%x)",
896 			    fp->f_type);
897 			error = EINVAL;
898 			goto cleanup_file;
899 		}
900 
901 		/*
902 		 * setup the bits of image_params that are used by
903 		 * mac_veriexec_check_fingerprint().
904 		 */
905 		bzero(&img, sizeof(img));
906 		img.proc = td->td_proc;
907 		img.vp = fp->f_vnode;
908 		img.attr = &va;
909 
910 		/*
911 		 * Get vnode attributes
912 		 * (need to obtain a lock on the vnode first)
913 		 */
914 		vn_lock(img.vp, LK_EXCLUSIVE | LK_RETRY);
915 		error = VOP_GETATTR(fp->f_vnode, &va,  td->td_ucred);
916 		if (error)
917 			goto check_done;
918 
919 		MAC_VERIEXEC_DBG(2, "mac_veriexec_fingerprint_check_image: "
920 		    "va_mode=%o, check_files=%d\n", va.va_mode,
921 		    ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0));
922 		error = mac_veriexec_fingerprint_check_image(&img,
923 		    ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0), td);
924 check_done:
925 		/* Release the lock we obtained earlier */
926 		VOP_UNLOCK(img.vp);
927 cleanup_file:
928 		fdrop(fp, td);
929 		break;
930 	case MAC_VERIEXEC_CHECK_PATH_SYSCALL:
931 		/* Look up the path to get the vnode */
932 		NDINIT(&nd, LOOKUP,
933 		    FOLLOW | LOCKLEAF | LOCKSHARED | AUDITVNODE1,
934 		    UIO_USERSPACE, arg);
935 		flags = FREAD;
936 		error = vn_open(&nd, &flags, 0, NULL);
937 		if (error != 0)
938 			break;
939 		NDFREE_PNBUF(&nd);
940 
941 		/* Check the fingerprint status of the vnode */
942 		error = mac_veriexec_check_vp(td->td_ucred, nd.ni_vp, VVERIFY);
943 		/* nd.ni_vp cleaned up below */
944 		break;
945 	case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
946 		if (pargs.u.pid == 0 || pargs.u.pid == curproc->p_pid) {
947 			proc = curproc;
948 		} else {
949 			proc = pfind(pargs.u.pid);
950 			if (proc == NULL)
951 				return (EINVAL);
952 			proc_locked = 1;
953 		}
954 		textvp = proc->p_textvp;
955 		/* FALLTHROUGH */
956 	case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
957 		if (textvp == NULL) {
958 			/* Look up the path to get the vnode */
959 			NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
960 			    UIO_USERSPACE, pargs.u.filename);
961 			flags = FREAD;
962 			error = vn_open(&nd, &flags, 0, NULL);
963 			if (error != 0)
964 				break;
965 
966 			NDFREE_PNBUF(&nd);
967 			textvp = nd.ni_vp;
968 		}
969 		error = VOP_GETATTR(textvp, &va, curproc->p_ucred);
970 		if (proc_locked)
971 			PROC_UNLOCK(proc);
972 		if (error != 0)
973 			break;
974 
975 		error = mac_veriexec_metadata_get_file_info(va.va_fsid,
976 		    va.va_fileid, va.va_gen, NULL, &ip, FALSE);
977 		if (error != 0)
978 			break;
979 
980 #ifdef COMPAT_FREEBSD32
981 		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
982 			bzero(&result32, sizeof(result32));
983 			result32.flags = ip->flags;
984 			strlcpy(result32.fp_type, ip->ops->type, sizeof(result32.fp_type));
985 			result.labellen = ip->labellen;
986 			CP(result, result32, labellen);
987 			if (ip->labellen > 0)
988 				strlcpy(result32.label, ip->label, sizeof(result32.label));
989 			result32.label[result.labellen] = '\0';
990 			memcpy(result32.fingerprint, ip->fingerprint,
991 			    ip->ops->digest_len);
992 
993 			error = copyout(&result32, pargs.params, sizeof(result32));
994 			break;		/* yes */
995 		}
996 #endif
997 		bzero(&result, sizeof(result));
998 		result.flags = ip->flags;
999 		strlcpy(result.fp_type, ip->ops->type, sizeof(result.fp_type));
1000 		result.labellen = ip->labellen;
1001 		if (ip->labellen > 0)
1002 			strlcpy(result.label, ip->label, sizeof(result.label));
1003 		result.label[result.labellen] = '\0';
1004 		memcpy(result.fingerprint, ip->fingerprint,
1005 		    ip->ops->digest_len);
1006 
1007 		error = copyout(&result, pargs.params, sizeof(result));
1008 		break;
1009 	default:
1010 		error = EOPNOTSUPP;
1011 	}
1012 	if (nd.ni_vp != NULL) {
1013 		VOP_UNLOCK(nd.ni_vp);
1014 		vn_close(nd.ni_vp, FREAD, td->td_ucred, td);
1015 	}
1016 	return (error);
1017 }
1018 
1019 static struct mac_policy_ops mac_veriexec_ops =
1020 {
1021 	.mpo_init = mac_veriexec_init,
1022 	.mpo_kld_check_load = mac_veriexec_kld_check_load,
1023 	.mpo_mount_destroy_label = mac_veriexec_mount_destroy_label,
1024 	.mpo_mount_init_label = mac_veriexec_mount_init_label,
1025 	.mpo_priv_check = mac_veriexec_priv_check,
1026 	.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
1027 	.mpo_syscall = mac_veriexec_syscall,
1028 	.mpo_system_check_sysctl = mac_veriexec_sysctl_check,
1029 	.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
1030 	.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
1031 	.mpo_vnode_check_unlink = mac_veriexec_vnode_check_unlink,
1032 	.mpo_vnode_check_rename_to = mac_veriexec_vnode_check_rename_to,
1033 	.mpo_vnode_check_rename_from = mac_veriexec_vnode_check_rename_from,
1034 	.mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
1035 	.mpo_vnode_copy_label = mac_veriexec_copy_label,
1036 	.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
1037 	.mpo_vnode_init_label = mac_veriexec_vnode_init_label,
1038 };
1039 
1040 MAC_POLICY_SET(&mac_veriexec_ops, mac_veriexec, MAC_VERIEXEC_FULLNAME,
1041     MPC_LOADTIME_FLAG_NOTLATE, &mac_veriexec_slot);
1042 MODULE_VERSION(mac_veriexec, MAC_VERIEXEC_VERSION);
1043 
1044 static struct vnode *
mac_veriexec_bottom_vnode(struct vnode * vp)1045 mac_veriexec_bottom_vnode(struct vnode *vp)
1046 {
1047 	struct vnode *ldvp = NULL;
1048 
1049 	/*
1050 	 * XXX This code is bogus. nullfs is not the only stacking
1051 	 * filesystem. Less bogus code would add a VOP to reach bottom
1052 	 * vnode and would not make assumptions how to get there.
1053 	 */
1054 	if (vp->v_mount != NULL &&
1055 	    strcmp(vp->v_mount->mnt_vfc->vfc_name, "nullfs") == 0)
1056 		ldvp = NULLVPTOLOWERVP(vp);
1057 	return (ldvp);
1058 }
1059 
1060 /**
1061  * @brief Get the fingerprint status set on a vnode.
1062  *
1063  * @param vp		vnode to obtain fingerprint status from
1064  *
1065  * @return Fingerprint status assigned to the vnode.
1066  */
1067 fingerprint_status_t
mac_veriexec_get_fingerprint_status(struct vnode * vp)1068 mac_veriexec_get_fingerprint_status(struct vnode *vp)
1069 {
1070 	fingerprint_status_t fps;
1071 	struct vnode *ldvp;
1072 
1073 	fps = SLOT(vp->v_label);
1074 	switch (fps) {
1075 	case FINGERPRINT_VALID:
1076 	case FINGERPRINT_INDIRECT:
1077 	case FINGERPRINT_FILE:
1078 		break;
1079 	default:
1080 		/* we may need to recurse */
1081 		ldvp = mac_veriexec_bottom_vnode(vp);
1082 		if (ldvp != NULL)
1083 			return mac_veriexec_get_fingerprint_status(ldvp);
1084 		break;
1085 	}
1086 	return fps;
1087 }
1088 
1089 /**
1090  * @brief Get the current verified execution subsystem state.
1091  *
1092  * @return Current set of verified execution subsystem state flags.
1093  */
1094 int
mac_veriexec_get_state(void)1095 mac_veriexec_get_state(void)
1096 {
1097 
1098 	return (mac_veriexec_state);
1099 }
1100 
1101 /**
1102  * @brief Determine if the verified execution subsystem state has specific
1103  *     flags set.
1104  *
1105  * @param state		mask of flags to check
1106  *
1107  * @return State flags set within the masked bits
1108  */
1109 int
mac_veriexec_in_state(int state)1110 mac_veriexec_in_state(int state)
1111 {
1112 
1113 	return (mac_veriexec_state & state);
1114 }
1115 
1116 /**
1117  * @brief Set the fingerprint status for a vnode
1118  *
1119  * Fingerprint status is stored in the MAC per-policy slot assigned to
1120  * mac_veriexec.
1121  *
1122  * @param vp		vnode to store the fingerprint status on
1123  * @param fp_status	fingerprint status to store
1124  */
1125 void
mac_veriexec_set_fingerprint_status(struct vnode * vp,fingerprint_status_t fp_status)1126 mac_veriexec_set_fingerprint_status(struct vnode *vp,
1127     fingerprint_status_t fp_status)
1128 {
1129 	struct vnode *ldvp;
1130 
1131 	/* recurse until we find the real storage */
1132 	ldvp = mac_veriexec_bottom_vnode(vp);
1133 	if (ldvp != NULL) {
1134 		mac_veriexec_set_fingerprint_status(ldvp, fp_status);
1135 		return;
1136 	}
1137 	SLOT_SET(vp->v_label, fp_status);
1138 }
1139 
1140 /**
1141  * @brief Set verified execution subsystem state flags
1142  *
1143  * @note Flags can only be added to the current state, not removed.
1144  *
1145  * @param state		state flags to add to the current state
1146  */
1147 void
mac_veriexec_set_state(int state)1148 mac_veriexec_set_state(int state)
1149 {
1150 
1151 	mac_veriexec_state |= state;
1152 }
1153 
1154 /**
1155  * @brief Determine if the process is trusted
1156  *
1157  * @param cred		credentials to use
1158  * @param p		the process in question
1159  *
1160  * @return 1 if the process is trusted, otherwise 0.
1161  */
1162 int
mac_veriexec_proc_is_trusted(struct ucred * cred,struct proc * p)1163 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
1164 {
1165 	int already_locked, error, flags;
1166 
1167 	/* Make sure we lock the process if we do not already have the lock */
1168 	already_locked = PROC_LOCKED(p);
1169 	if (!already_locked)
1170 		PROC_LOCK(p);
1171 
1172 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
1173 
1174 	/* Unlock the process if we locked it previously */
1175 	if (!already_locked)
1176 		PROC_UNLOCK(p);
1177 
1178 	/* Any errors, deny access */
1179 	if (error != 0)
1180 		return (0);
1181 
1182 	/* Check that the trusted flag is set */
1183 	return ((flags & VERIEXEC_TRUSTED) == VERIEXEC_TRUSTED);
1184 }
1185