mac_do(4): Revamp manual page after MAC/do updates
The new manual page in particular describes MAC/do's new rules syntax
and the jail support, as well as security considerations explaining the
overall design and how to leverage it in the most secure fashion.
Reviewed by: bapt, otis, Alexander Ziaee <concussious at runbox.com> (in part)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48153
(cherry picked from commit bc201841d13928c2a088fb07ac0a010b36eafa13)
MAC/do: Apply a rule on real UID/GID instead of effective ones
We intend MAC/do to authorize transitions based on the "real" identity
information of the calling process, rather than transiently-acquired
effective IDs.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47845
(cherry picked from commit de701f9bdbe0ede691a0439d1c469082b94fe234)
MAC/do: Fix a compilation warning about an unused function
grant_supplementary_group_from_flags() had been used in previous
versions of the recent changes, but recently has not been needed
anymore. It has been kept around just in case deliberately, by analogy
with grant_primary_group_from_flags() (this one still being used).
(cherry picked from commit f1ddb6fb8c4d051a205dae3a848776c9d56f86ff)
MAC/do: Convert internal TAILQs to STAILQs
We only browse these forward and never need to remove arbitrary elements
from them.
No functional change (intended).
Reviewed by: bapt, emaste
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47624
(cherry picked from commit c7fc71c6af0761f81ecafdb281dd43a081b3b22f)
mdo(1): Use setcred() to change credentials
As this is the only system call that MAC/do currently supports, and the
only one that really can be for transitions involving simultaneous
changes of user and group IDs.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47621
(cherry picked from commit e395e354823b690ba19ecc8e3688bacec6f67ad3)
MAC/do: parse_rules(): Tolerate blanks around tokens
To this end, we introduce the strsep_noblanks() function, designed to be
a drop-in replacement for strstep(), and use it in place of the latter.
We had taken care of calling strsep() even when the remaining sub-string
was not delimited (i.e., with empty string as its second argument), so
this commit only has mechanical replacements of existing calls.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47623
(cherry picked from commit 4a03b64517b3151064c52e213ebbc068ab1430d1)
MAC/do: toast_rules(): Minor simplification
Use the most common pattern to browse and delete elements of a list, as it reads quicker.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47622
(cherry picked from commit 2110eef4bf608b6c1facc57c68d02960b6d880c9)
MAC/do: Introduce rules reference counting
This is going to be used in subsequent commits to keep rules alive even
if disconnected from their jail in the meantime. We'll indeed have to
release the prison lock between two uses (outright rejection, final
granting) where the rules must absolutely stay the same for security reasons.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47619
(cherry picked from commit 3d8d91a5b32c219c7ee47840dcacbaf8c7480267)
MAC/do: Interpret the new rules specification; Monitor setcred()
TL;DR:
Now monitor setcred() calls, and reject or grant them according to the
new rules specification.
Drop monitoring setuid() and setgroups(). As previously explained in
the commit introducing the setcred() system call, MAC/do must know the
entire new credentials while the old ones are still available to be able
to approve or reject the requested changes. To this end, the chosen
approach was to introduce a new system call, setcred(), instead of
modifying existing ones to be able to participate in a "prepare than
commit"-like protocol.
******
The MAC framework typically calls several hooks of its registered
policies as part of the privilege checking/granting process. Each
system call calls some dedicated hook early, to which it usually passes
[112 lines not shown]
New setcred() system call and associated MAC hooks
This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.
Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
[40 lines not shown]
MAC/do: Output errors when parsing rules
So that administrators can more easily know what the problem is with the
rules they are trying to set.
The new sysctl 'security.mac.do.print_parse_error' controls whether
trying to set sysctl 'security.mac.do.rules' with invalid rules triggers
printing of the error on the system console.
Setting jail parameters directlty reports an error to the calling
process thanks to the VFS options mechanism used by the jail machinery,
so is not controlled by the new sysctl setting.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47617
(cherry picked from commit 87c06b7d026f2beeb3c2f695567ef72aa3a427ea)
MAC/do: Support multiple users and groups as single rule's targets
Supporting group targets is a requirement for MAC/do to be able to
enforce a limited set of valid new groups passed to setgroups().
Additionally, it must be possible for this set of groups to also depend
on the target UID, since users and groups are quite tied in UNIX (users
are automatically placed in only the groups specified through
'/etc/passwd' (primary group) and '/etc/group' (supplementary ones)).
These requirements call for a re-design of the specification of the
rules specification string and of 'struct rule'.
A rules specification string is now a list of rules separated by ';'
(instead of ','). One rule is still composed of a "from" part and
a "to" (or "target") part, both being separated by ':' (as before).
The first part, "from", is matched against the credentials of the
process calling setuid()/setgroups(). Its specification remains
unchanged: It is a '<type>=<id>' clause, where <type> is either "uid" or
[69 lines not shown]
MAC/do: Better parsing for IDs (strtoui_strict())
Introduce strtoui_strict(), which signals an error on overflow contrary
to the in-kernel strto*() family of functions which have no 'errno' to
set and thus do not allow callers to distinguish a genuine maximum value
on input and overflow.
It is built on top of strtoq() and the 'quad_t' type in order to achieve
this distinction and also to still support negative inputs with the
usual meaning for these functions. See the introduced comments for more
details.
Use strtoui_strict() to read IDs instead of strtol().
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47614
(cherry picked from commit 0af43c029048e1ad2f8b140a3baf3851785c12d9)
MAC/do: Rename private OSD slot by removing 'mac_do_' prefix
This variable is static and holds the OSD slot number for jails that
MAC/do uses to store rules.
In the same vein as previous renames, simplify it by removing the
redundant prefix, as this name cannot appear in code outside of
'mac_do.c', nor in stack traces on panic.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47772
(cherry picked from commit 40a664a463bab87505c8d42816a71202e8ad7bd9)
MAC/do: Ease input/output of ID types
Have a static constant array mapping numerical ID types to their
canonical representations ('id_type_to_str').
New parse_id_type() that parses a type thanks to 'id_type_to_str' and
with a special case to accept also 'any'.
Have parse_rule_element() use parse_id_type(). A later commit will add
a second call to the latter for the destination ID.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47615
(cherry picked from commit 65766063f85d8b8fe8b24a50250a12a122974c26)
MAC/do: 'struct rule': IDs and types as 'u_int', rename fields
This is in preparation for introducing a common conversion function for
IDs and to simplify code a bit by removing the from-IDs union and not
having to introduce a new one for to-IDs in a later commit.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47613
(cherry picked from commit 6aadc7b2ee055fba58984fec715b6e2a754f9d3e)
MAC/do: parse_rule_element(): Bug in parsing the origin ID
The ID field was allowed to be empty, which would be then parsed as 0 by
strtol(). There remains bugs in this function, where parsing for from-
or to- IDs accepts spaces and produces 0, but this will conveniently be
fixed in a later commit introducing strtoui_strict().
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47612
(cherry picked from commit fa4352b74580832d7b501d34d09a564438a82c3d)
MAC/do: jail_check()/jail_set(): Revamp
Handle JAIL_SYS_DISABLE the same as JAIL_SYS_NEW with an empty rules
specification, coherently with jail_get(). Also accept JAIL_SYS_DISABLE
in "mac.do" without "mac.do.rules" being specified.
The default value for "mac.do", if not passed explicitly, is either
JAIL_SYS_NEW if "mac.do.rules" is present and non-empty, or
JAIL_SYS_DISABLE if present and empty or not present.
Perform all cheap sanity checks in jail_check(), and have these
materialized as well in jail_set() under INVARIANTS. Cheap checks are
type and coherency checks between the values of "mac.do" and
"mac.do.rules". They don't include parsing the "mac.do.rules" string
but just checking its length (when applicable). In a nutshell,
JAIL_SYS_DISABLE and JAIL_SYS_INHERIT are allowed iff "mac.do.rules"
isn't specified or is with an empty string, and JAIL_SYS_NEW is allowed
iff "mac.do.rules" is specified (the latter may be empty, in which case
this is equivalent to JAIL_SYS_DISABLE).
[13 lines not shown]
MAC/do: Prefix internal functions used as hooks/callbacks
So that we immediately know whether a kernel stack involves MAC/do.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47607
(cherry picked from commit 11ba1f2fe2d4e151ffc0a66d03a0691a7b8d2866)
MAC/do: Fix jail_get() (PR_METHOD_GET)
- Properly fill 'jsys' before copying it out (we would leak bytes from
the kernel stack). When the current jail has its own 'struct rules',
set it to the special value JAIL_SYS_DISABLE if it in fact holds no
rules.
- Don't forget to unlock the jail holding rules on error.
- Correctly return errors.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47609
(cherry picked from commit 2a20ce91dc29e5a80f4eeb9352cf3169cd1891b9)
MAC/do: Remove the 'prison0' special cases in the common paths
The rules on 'prison0' are initialized in init(), now using
set_empty_rules().
Until the jail is destroyed, they can never be uninitialized by a call
to osd_jail_del(), since the only chain to call it is
mac_do_prison_set() -> remove_rules() -> osd_jail_del(), and
mac_do_prison_set() (method PR_METHOD_SET) can never be called on
'prison0'. This guarantees that find_rules() always find a valid
'rules' pointer to return.
There's no need to do anything special in destroy() for 'prison0', as
osd_jail_deregister() now takes care of it.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47603
[2 lines not shown]
MAC/do: parse_rule_element(): Fix a panic, harden, simplify
The panic is caused by dereferencing 'element' at a point where it can
be NULL (if string ends at the ':').
Harden and simplify by enforcing the control flow rule in this function
that jumping to the end is reserved for error cases.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47605
(cherry picked from commit add521c1a5d21ec84454009d42d1dcd688d77008)
