Page MenuHomeFreeBSD
Paste P395

mac_fileapi
ActivePublic
Actions

Authored by allanjude on Jun 17 2020, 9:29 PM.
Tags
None
Referenced Files
F6735561: raw.txt
Jun 17 2020, 9:29 PM
Subscribers
None
/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2019 Allan Jude <allanjude@FreeBSD.org>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/jail.h>
#include <sys/module.h>
#include <sys/priv.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <sys/ucred.h>
#include <sys/vnode.h>
#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
static SYSCTL_NODE(_security_mac, OID_AUTO, fileapi, CTLFLAG_RW, 0,
"mac_fileapi policy controls");
static int fileapi_enabled = 1;
SYSCTL_INT(_security_mac_fileapi, OID_AUTO, enabled, CTLFLAG_RWTUN,
&fileapi_enabled, 0, "Enable mac_fileapi policy");
static int fileapi_uid = 1041;
SYSCTL_INT(_security_mac_fileapi, OID_AUTO, uid, CTLFLAG_RWTUN,
&fileapi_uid, 0, "User id for fileapi user");
static int
fileapi_priv_grant(struct ucred *cred, int priv)
{
if (fileapi_enabled &&
cred->cr_prison->pr_id != 0 &&
cred->cr_uid == fileapi_uid) {
switch (priv) {
case PRIV_VFS_CHOWN:
case PRIV_VFS_CHROOT:
case PRIV_VFS_ADMIN:
return (0);
default:
break;
}
}
return (EPERM);
}
static int
fileapi_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
int error;
struct vattr va;
if (fileapi_enabled &&
cred->cr_prison->pr_id != 0 &&
cred->cr_uid == fileapi_uid) {
/*
* Ensure the file we are chown()ing is not owned by an
* unprivileged user.
*/
/* Get vnode attributes */
error = VOP_GETATTR(vp, &va, cred);
if (error)
return (error);
if (va.va_uid == 0)
return (EPERM);
}
return (0);
}
static struct mac_policy_ops fileapi_ops =
{
.mpo_priv_grant = fileapi_priv_grant,
.mpo_vnode_check_setowner = fileapi_vnode_check_setowner,
};
MAC_POLICY_SET(&fileapi_ops, mac_fileapi, "MAC/fileapi",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

Event Timeline

allanjude created this paste.Jun 17 2020, 9:29 PM
allanjude created this object in space S1 Global.