When devfs cloning takes place, provide access to the credential of the

process that caused the clone event to take place for the device driver creating the device. This allows cloned device drivers to adapt the device node based on security aspects of the process, such as the uid, gid, and MAC label. - Add a cred reference to struct cdev, so that when a device node is instantiated as a vnode, the cloning credential can be exposed to MAC. - Add make_dev_cred(), a version of make_dev() that additionally accepts the credential to stick in the struct cdev. Implement it and make_dev() in terms of a back-end make_dev_credv(). - Add a new event handler, dev_clone_cred, which can be registered to receive the credential instead of dev_clone, if desired. - Modify the MAC entry point mac_create_devfs_device() to accept an optional credential pointer (may be NULL), so that MAC policies can inspect and act on the label or other elements of the credential when initializing the skeleton device protections. - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(), so that the pty clone credential is exposed to the MAC Framework. While currently primarily focussed on MAC policies, this change is also a prerequisite for changes to allow ptys to be instantiated with the UID of the process looking up the pty. This requires further changes to the pty driver -- in particular, to immediately recycle pty nodes on last close so that the credential-related state can be recreated on next lookup. Submitted by: Andrew Reisse <andrew.reisse@sparta.com> Obtained from: TrustedBSD Project Sponsored by: SPAWAR, SPARTA MFC after: 1 week MFC note: Merge to 6.x, but not 5.x for ABI reasons
2005-07-14 10:22:09 +00:00 · 2005-07-14 10:22:09 +00:00 · d26dd2d99e
commit d26dd2d99e
parent f16eb1e821
15 changed files with 99 additions and 34 deletions
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@ -324,7 +324,8 @@ devfs_populate(struct devfs_mount *dm)
 				de->de_dirent->d_type = DT_CHR;
 			}
 #ifdef MAC
-			mac_create_devfs_device(dm->dm_mount, dev, de);
+			mac_create_devfs_device(dev->si_cred, dm->dm_mount,
+			    dev, de);
 #endif
 			*dep = de;
 			de->de_dir = dd;
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@ -705,9 +705,13 @@ devfs_lookupx(ap)
 		goto notfound;

 	cdev = NULL;
-	EVENTHANDLER_INVOKE(dev_clone, pname, strlen(pname), &cdev);
-	if (cdev == NULL)
-		goto notfound;
+	EVENTHANDLER_INVOKE(dev_clone_cred, td->td_ucred, pname,
+	    strlen(pname), &cdev);
+	if (cdev == NULL) {
+		EVENTHANDLER_INVOKE(dev_clone, pname, strlen(pname), &cdev);
+		if (cdev == NULL)
+			goto notfound;
+	}

 	devfs_populate(dmp);

--- a/sys/kern/kern_conf.c
+++ b/sys/kern/kern_conf.c
@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/poll.h>
 #include <sys/ctype.h>
 #include <sys/tty.h>
+#include <sys/ucred.h>
 #include <machine/stdarg.h>

 static MALLOC_DEFINE(M_DEVT, "cdev", "cdev storage");
@ -51,6 +52,9 @@ static MALLOC_DEFINE(M_DEVT, "cdev", "cdev storage");
 static struct mtx devmtx;
 static void freedev(struct cdev *dev);
 static void destroy_devl(struct cdev *dev);
+static struct cdev *make_dev_credv(struct cdevsw *devsw, int minornr,
+	    struct ucred *cr, uid_t uid, gid_t gid, int mode, const char *fmt,
+	    va_list ap);

 void
 dev_lock(void)
@ -300,6 +304,8 @@ static void
 freedev(struct cdev *dev)
 {

+	if (dev->si_cred != NULL)
+		crfree(dev->si_cred);
 	free(dev, M_DEVT);
 }

@ -370,11 +376,11 @@ prep_cdevsw(struct cdevsw *devsw)
 	dev_unlock();
 }

-struct cdev *
-make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, const char *fmt, ...)
+static struct cdev *
+make_dev_credv(struct cdevsw *devsw, int minornr, struct ucred *cr, uid_t uid,
+    gid_t gid, int mode, const char *fmt, va_list ap)
 {
 	struct cdev *dev;
-	va_list ap;
 	int i;

 	KASSERT((minornr & ~MAXMINOR) == 0,
@ -400,16 +406,18 @@ make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, cons
 	    ("make_dev() by driver %s on pre-existing device (min=%x, name=%s)",
 	    devsw->d_name, minor(dev), devtoname(dev)));

-	va_start(ap, fmt);
 	i = vsnrprintf(dev->__si_namebuf, sizeof dev->__si_namebuf, 32, fmt, ap);
 	if (i > (sizeof dev->__si_namebuf - 1)) {
 		printf("WARNING: Device name truncated! (%s)\n", 
 		    dev->__si_namebuf);
 	}
-	va_end(ap);
 		
 	dev->si_devsw = devsw;
 	dev->si_flags |= SI_NAMED;
+	if (cr != NULL)
+		dev->si_cred = crhold(cr);
+	else
+		dev->si_cred = NULL;
 	dev->si_uid = uid;
 	dev->si_gid = gid;
 	dev->si_mode = mode;
@ -419,6 +427,33 @@ make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode, cons
 	return (dev);
 }

+struct cdev *
+make_dev(struct cdevsw *devsw, int minornr, uid_t uid, gid_t gid, int mode,
+    const char *fmt, ...)
+{
+	struct cdev *dev;
+	va_list ap;
+
+	va_start(ap, fmt);
+	dev = make_dev_credv(devsw, minornr, NULL, uid, gid, mode, fmt, ap);
+	va_end(ap);
+	return (dev);
+}
+
+struct cdev *
+make_dev_cred(struct cdevsw *devsw, int minornr, struct ucred *cr, uid_t uid,
+    gid_t gid, int mode, const char *fmt, ...)
+{
+	struct cdev *dev;
+	va_list ap;
+
+	va_start(ap, fmt);
+	dev = make_dev_credv(devsw, minornr, cr, uid, gid, mode, fmt, ap);
+	va_end(ap);
+
+	return (dev);
+}
+
 int
 dev_named(struct cdev *pdev, const char *name)
 {
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@ -63,7 +63,7 @@ static MALLOC_DEFINE(M_PTY, "ptys", "pty data structures");
 static void ptsstart(struct tty *tp);
 static void ptsstop(struct tty *tp, int rw);
 static void ptcwakeup(struct tty *tp, int flag);
-static struct cdev *ptyinit(struct cdev *cdev);
+static struct cdev *ptyinit(struct cdev *cdev, struct thread *td);

 static	d_open_t	ptsopen;
 static	d_close_t	ptsclose;
@ -132,7 +132,7 @@ static char *names = "pqrsPQRS";
 *      than 256 ptys.
 */
 static struct cdev *
-ptyinit(struct cdev *devc)
+ptyinit(struct cdev *devc, struct thread *td)
 {
 	struct cdev *devs;
 	struct ptsc *pt;
@ -146,7 +146,7 @@ ptyinit(struct cdev *devc)
 	devc->si_flags &= ~SI_CHEAPCLONE;

 	pt = malloc(sizeof(*pt), M_PTY, M_WAITOK | M_ZERO);
-	pt->devs = devs = make_dev(&pts_cdevsw, n,
+	pt->devs = devs = make_dev_cred(&pts_cdevsw, n, td->td_ucred,
 	    UID_ROOT, GID_WHEEL, 0666, "tty%c%r", names[n / 32], n % 32);
 	pt->devc = devc;

@ -272,7 +272,7 @@ ptcopen(struct cdev *dev, int flag, int devtype, struct thread *td)
 	struct ptsc *pt;

 	if (!dev->si_drv1)
-		ptyinit(dev);
+		ptyinit(dev, td);
 	if (!dev->si_drv1)
 		return(ENXIO);
 	tp = dev->si_tty;
@ -681,7 +681,8 @@ ptsioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, struct thread *td
 }

 static void
-pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
+pty_clone(void *arg, struct ucred *cr, char *name, int namelen,
+    struct cdev **dev)
 {
 	int u;

@ -708,7 +709,7 @@ pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
 		u += name[4] - 'a' + 10;
 	else
 		return;
-	*dev = make_dev(&ptc_cdevsw, u,
+	*dev = make_dev_cred(&ptc_cdevsw, u, cr,
 	    UID_ROOT, GID_WHEEL, 0666, "pty%c%r", names[u / 32], u % 32);
 	dev_ref(*dev);
 	(*dev)->si_flags |= SI_CHEAPCLONE;
@ -719,7 +720,7 @@ static void
 ptc_drvinit(void *unused)
 {

-	EVENTHANDLER_REGISTER(dev_clone, pty_clone, 0, 1000);
+	EVENTHANDLER_REGISTER(dev_clone_cred, pty_clone, 0, 1000);
 }

 SYSINIT(ptcdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE,ptc_drvinit,NULL)
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@ -200,8 +200,8 @@ void	mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
 	    struct vnode *vp);
 int	mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
 void	mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void	mac_create_devfs_device(struct mount *mp, struct cdev *dev,
-	    struct devfs_dirent *de);
+void	mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+	    struct cdev *dev, struct devfs_dirent *de);
 void	mac_create_devfs_directory(struct mount *mp, char *dirname,
 	    int dirnamelen, struct devfs_dirent *de);
 void	mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@ -11,6 +11,9 @@
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract 
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -191,7 +194,8 @@ struct mac_policy_ops {
 	void	(*mpo_associate_vnode_singlelabel)(struct mount *mp,
 		    struct label *fslabel, struct vnode *vp,
 		    struct label *vlabel);
-	void	(*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
+	void	(*mpo_create_devfs_device)(struct ucred *cred,
+		    struct mount *mp, struct cdev *dev,
 		    struct devfs_dirent *de, struct label *label);
 	void	(*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
 		    int dirnamelen, struct devfs_dirent *de,
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@ -2,6 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@ -12,6 +13,9 @@
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract 
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -939,10 +943,11 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 }

 void
-mac_create_devfs_device(struct mount *mp, struct cdev *dev, struct devfs_dirent *de)
+mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *de)
 {

-	MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
+	MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
 }

 void
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -780,8 +780,8 @@ mac_biba_copy_label(struct label *src, struct label *dest)
 * a lot like file system objects.
 */
 static void
-mac_biba_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_biba *mac_biba;
 	int biba_type;
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -900,8 +900,8 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
 * a lot like file system objects.
 */
 static void
-mac_lomac_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_lomac *mac_lomac;
 	int lomac_type;
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -746,8 +746,8 @@ mac_mls_copy_label(struct label *src, struct label *dest)
 * a lot like file system objects.
 */
 static void
-mac_mls_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_mls *mac_mls;
 	int mls_type;
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@ -187,8 +187,8 @@ stub_associate_vnode_singlelabel(struct mount *mp,
 }

 static void
-stub_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+stub_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {

 }
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@ -865,10 +865,13 @@ mac_test_associate_vnode_singlelabel(struct mount *mp,
 }

 static void
-mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {

+	if (cred != NULL) {
+		ASSERT_CRED_LABEL(cred->cr_label);
+	}
 	ASSERT_DEVFS_LABEL(label);
 }

--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@ -68,6 +68,7 @@ struct cdev {
 	uid_t		si_uid;
 	gid_t		si_gid;
 	mode_t		si_mode;
+	struct ucred	*si_cred;
 	u_int		si_drv0;
 	int		si_refcount;
 	LIST_ENTRY(cdev)	si_list;
@ -253,6 +254,9 @@ void	dev_rel(struct cdev *dev);
 void	dev_strategy(struct cdev *dev, struct buf *bp);
 struct cdev *make_dev(struct cdevsw *_devsw, int _minor, uid_t _uid, gid_t _gid,
 		int _perms, const char *_fmt, ...) __printflike(6, 7);
+struct cdev *make_dev_cred(struct cdevsw *_devsw, int _minor,
+		struct ucred *_cr, uid_t _uid, gid_t _gid, int _perms,
+		const char *_fmt, ...) __printflike(7, 8);
 struct cdev *make_dev_alias(struct cdev *_pdev, const char *_fmt, ...) __printflike(2, 3);
 int	dev2unit(struct cdev *_dev);
 void	dev_lock(void);
@ -280,6 +284,10 @@ typedef void (*dev_clone_fn)(void *arg, char *name, int namelen, struct cdev **r
 int dev_stdclone(char *_name, char **_namep, const char *_stem, int *_unit);
 EVENTHANDLER_DECLARE(dev_clone, dev_clone_fn);

+typedef void (*dev_clone_cred_fn)(void *arg, struct ucred *cred, char *name,
+	int namelen, struct cdev **result);
+EVENTHANDLER_DECLARE(dev_clone_cred, dev_clone_cred_fn);
+
 /* Stuff relating to kernel-dump */

 struct dumperinfo {
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@ -200,8 +200,8 @@ void	mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
 	    struct vnode *vp);
 int	mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
 void	mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void	mac_create_devfs_device(struct mount *mp, struct cdev *dev,
-	    struct devfs_dirent *de);
+void	mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+	    struct cdev *dev, struct devfs_dirent *de);
 void	mac_create_devfs_directory(struct mount *mp, char *dirname,
 	    int dirnamelen, struct devfs_dirent *de);
 void	mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@ -11,6 +11,9 @@
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract 
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@ -191,7 +194,8 @@ struct mac_policy_ops {
 	void	(*mpo_associate_vnode_singlelabel)(struct mount *mp,
 		    struct label *fslabel, struct vnode *vp,
 		    struct label *vlabel);
-	void	(*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
+	void	(*mpo_create_devfs_device)(struct ucred *cred,
+		    struct mount *mp, struct cdev *dev,
 		    struct devfs_dirent *de, struct label *label);
 	void	(*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
 		    int dirnamelen, struct devfs_dirent *de,