From owner-p4-projects@FreeBSD.ORG Tue Nov 14 18:48:14 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0DD4116A415; Tue, 14 Nov 2006 18:48:14 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE4B316A407 for ; Tue, 14 Nov 2006 18:48:13 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2548143D6E for ; Tue, 14 Nov 2006 18:48:11 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kAEImBjc010940 for ; Tue, 14 Nov 2006 18:48:11 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kAEImAE1010922 for perforce@freebsd.org; Tue, 14 Nov 2006 18:48:10 GMT (envelope-from millert@freebsd.org) Date: Tue, 14 Nov 2006 18:48:10 GMT Message-Id: <200611141848.kAEImAE1010922@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 109955 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Nov 2006 18:48:14 -0000 http://perforce.freebsd.org/chv.cgi?CH=109955 Change 109955 by millert@millert_g5tower on 2006/11/14 18:47:59 Add an mprotect check. Doesn't really do anything at the moment since there is no label to check. Could be useful for preventing a process from making its stack executable but apparently only mac-on-intel has no-exec stack. As a result, this will likely get changed significantly in the future or simply removed. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 edit .. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_mman.c#5 (text+ko) ==== @@ -634,13 +634,16 @@ } int -mprotect(__unused struct proc *p, struct mprotect_args *uap, __unused register_t *retval) +mprotect(struct proc *p, struct mprotect_args *uap, __unused register_t *retval) { register vm_prot_t prot; mach_vm_offset_t user_addr; mach_vm_size_t user_size; kern_return_t result; vm_map_t user_map; +#ifdef MAC + int error; +#endif AUDIT_ARG(addr, uap->addr); AUDIT_ARG(len, uap->len); @@ -667,13 +670,19 @@ #ifdef MAC /* - * There is no MAC check for mprotect for 2 reasons: + * The MAC check for mprotect is of limited use for 2 reasons: * Without mmap revocation, the caller could have asked for the max * protections initially instead of a reduced set, so a mprotect * check would offer no new security. - * It is nontrivial to extract the vnode from the pager object(s) + * It is not possible to extract the vnode from the pager object(s) * of the target memory range. + * However, the MAC check may be used to prevent a process from, + * e.g., making the stack executable. */ + error = mac_proc_check_mprotect(proc_ucred(p), p, (void *)user_addr, + (size_t)user_size, prot); + if (error) + return (error); #endif result = mach_vm_protect(user_map, user_addr, user_size, FALSE, prot); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#13 (text+ko) ==== @@ -411,8 +411,8 @@ int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp); int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); -int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, - int prot); +int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot); int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode); int mac_vnode_check_read(struct ucred *active_cred, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#21 (text+ko) ==== @@ -3596,6 +3596,29 @@ ); /** + @brief Access control check for setting memory protections + @param cred Subject credential + @param proc User process requesting the change + @param addr Start address of the memory range + @param size Length address of the memory range + @param prot Memory protections, see mmap(2) + + Determine whether the subject identified by the credential should + be allowed to set the specified memory protections on memory mapped + in the process proc. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. +*/ +typedef int mpo_proc_check_mprotect_t( + struct ucred *cred, + struct proc *proc, + void *addr, + size_t size, + int prot +); + +/** @brief Access control check for setting the Login Context @param p0 Calling process @param p Effected process @@ -4679,27 +4702,6 @@ ); /** - @brief Access control check for setting memory protections - @param cred Subject credential - @param vp Mapped vnode - @param label Policy label associated with vp - @param prot Memory protections, see mmap(2) - - Determine whether the subject identified by the credential should - be allowed to set the specified memory protections on memory mapped - from the vnode vp. - - @return Return 0 if access is granted, otherwise an appropriate value for - errno should be returned. -*/ -typedef int mpo_vnode_check_mprotect_t( - struct ucred *cred, - struct vnode *vp, - struct label *label, - int prot -); - -/** @brief Access control check for open @param cred Subject credential @param vp Object vnode @@ -5573,6 +5575,7 @@ mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; mpo_proc_check_getauid_t *mpo_proc_check_getauid; mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; + mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; mpo_proc_check_sched_t *mpo_proc_check_sched; mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; mpo_proc_check_setauid_t *mpo_proc_check_setauid; @@ -5615,7 +5618,6 @@ mpo_vnode_check_link_t *mpo_vnode_check_link; mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; - mpo_vnode_check_mprotect_t *mpo_vnode_check_mprotect; mpo_vnode_check_open_t *mpo_vnode_check_open; mpo_vnode_check_read_t *mpo_vnode_check_read; mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#11 (text+ko) ==== @@ -392,3 +392,14 @@ return (error); } #endif /* LCTX */ + +int +mac_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot) +{ + int error; + + MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot); + return (error); +} + ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#16 (text+ko) ==== @@ -514,15 +514,6 @@ } int -mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot) -{ - int error; - - MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot); - return (error); -} - -int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode) { int error; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#3 (text+ko) ==== @@ -117,6 +117,7 @@ typedef mpo_proc_check_getaudit_t( typedef mpo_proc_check_getauid_t( typedef mpo_proc_check_getlcid_t( +typedef mpo_proc_check_mprotect_t( typedef mpo_proc_check_sched_t( typedef mpo_proc_check_setaudit_t( typedef mpo_proc_check_setauid_t( @@ -212,7 +213,6 @@ typedef mpo_vnode_check_link_t( typedef mpo_vnode_check_listextattr_t( typedef mpo_vnode_check_lookup_t( -typedef mpo_vnode_check_mprotect_t( typedef mpo_vnode_check_open_t( typedef mpo_vnode_check_read_t( typedef mpo_vnode_check_readdir_t( ==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#11 (text+ko) ==== @@ -518,11 +518,11 @@ } static int -color_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, - struct label *label, int prot) +color_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot) { - return (co_maybe_promote_process(cred, label)); + // Nothing yet } static int @@ -709,6 +709,7 @@ .mpo_lctx_notify_leave = color_lctx_notify_leave, .mpo_lctx_label_update = color_lctx_label_update, .mpo_proc_check_signal = color_proc_check_signal, + .mpo_proc_check_mprotect = color_proc_check_mprotect, .mpo_vnode_check_access = color_vnode_check_access, .mpo_vnode_check_chdir = color_vnode_check_chdir, @@ -724,7 +725,6 @@ .mpo_vnode_check_link = color_vnode_check_link, .mpo_vnode_check_listextattr = color_vnode_check_listextattr, .mpo_vnode_check_lookup = color_vnode_check_lookup, - .mpo_vnode_check_mprotect = color_vnode_check_mprotect, .mpo_vnode_check_open = color_vnode_check_open, .mpo_vnode_check_read = color_vnode_check_read, .mpo_vnode_check_readdir = color_vnode_check_readdir, ==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#19 (text+ko) ==== @@ -3498,24 +3498,14 @@ } static int -mac_mls_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, - struct label *vlabel, int prot) +mac_mls_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot) { - struct mac_mls *subj, *obj; - int r, w; if (!mac_mls_enabled) return (0); - subj = SLOT(cred->cr_label); - obj = SLOT(vlabel); - r = mac_mls_dominate_effective(subj, obj); - w = mac_mls_dominate_effective(obj, subj); - - if (!r && ((prot & VM_PROT_READ) || (prot & VM_PROT_EXECUTE))) - return (EACCES); - if (!w && (prot & VM_PROT_WRITE)) - return (EACCES); +#warning Implement mac_mls_proc_check_mprotect() return (0); } @@ -4090,7 +4080,7 @@ .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup, .mpo_file_check_mmap = mac_mls_file_check_mmap, .mpo_file_check_mmap_downgrade = mac_mls_file_check_mmap_downgrade, - .mpo_vnode_check_mprotect = mac_mls_vnode_check_mprotect, + .mpo_proc_check_mprotect = mac_mls_proc_check_mprotect, .mpo_vnode_check_open = mac_mls_vnode_check_open, .mpo_vnode_check_read = mac_mls_vnode_check_read, .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir, ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#35 (text+ko) ==== @@ -2940,9 +2940,11 @@ } static int -sebsd_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, - struct label *label, int prot) +sebsd_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot) { + /* XXX - check that stack is not being made executable */ +#ifdef notyet u_int32_t av; /* @@ -2959,6 +2961,7 @@ return (vnode_has_perm(cred, vp, NULL, av)); } +#endif return (0); } @@ -3634,6 +3637,7 @@ .mpo_port_check_hold_receive = sebsd_port_check_hold_recv, .mpo_proc_check_debug = sebsd_proc_check_debug, .mpo_proc_check_getaudit = sebsd_proc_check_getaudit, + .mpo_proc_check_mprotect = sebsd_proc_check_mprotect, .mpo_proc_check_sched = sebsd_proc_check_sched, .mpo_proc_check_setaudit = sebsd_proc_check_setaudit, .mpo_proc_check_setlcid = sebsd_proc_check_setlcid, @@ -3678,7 +3682,6 @@ // .mpo_vnode_check_kqfilter = sebsd_vnode_check_kqfilter, .mpo_vnode_check_link = sebsd_vnode_check_link, .mpo_vnode_check_lookup = sebsd_vnode_check_lookup, - .mpo_vnode_check_mprotect = sebsd_vnode_check_mprotect, .mpo_vnode_check_open = sebsd_vnode_check_open, .mpo_vnode_check_read = sebsd_vnode_check_read, .mpo_vnode_check_readdir = sebsd_vnode_check_readdir, ==== //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#8 (text+ko) ==== @@ -333,13 +333,6 @@ } static int -vanity_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, struct label *label, int prot) -{ - VANITY(vp); - return (0); -} - -static int vanity_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) { VANITY(vp); @@ -508,7 +501,6 @@ .mpo_vnode_check_link = vanity_vnode_check_link, .mpo_vnode_check_listextattr = vanity_vnode_check_listextattr, .mpo_vnode_check_lookup = vanity_vnode_check_lookup, - .mpo_vnode_check_mprotect = vanity_vnode_check_mprotect, .mpo_vnode_check_open = vanity_vnode_check_open, .mpo_vnode_check_read = vanity_vnode_check_read, .mpo_vnode_check_readdir = vanity_vnode_check_readdir,