Give users the ability to load a mac_bsdextended(4) ruleset on boot (defaults

to NO of course). Provide a basic ruleset file, rc.bsdextended, but allow the filename to be overridden through rc.conf. Discussed with: rwatson (awhile ago)
2004-09-29 00:12:28 +00:00 · 2004-09-29 00:12:28 +00:00 · 2bf857d4fd
commit 2bf857d4fd
parent d0514db4ed
4 changed files with 214 additions and 1 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -468,6 +468,9 @@ performance_throttle_state="HIGH"	# Online throttling state
 economy_cx_lowest="LOW"			# Offline CPU idle state
 economy_throttle_state="HIGH"		# Offline throttling state
 virecover_enable="YES"	# Perform housekeeping for the vi(1) editor
+ugidfw_enable="NO"	# Load mac_bsdextended(1) rules on boot
+bsdextended_script="/etc/rc.bsdextended"	# Default mac_bsdextended(4)
+						# ruleset file.

 ##############################################################
 ### Jail Configuration #######################################
--- a/etc/rc.bsdextended
+++ b/etc/rc.bsdextended
@ -0,0 +1,158 @@
+#!/bin/sh
+#
+# Copyright (c) 2004  Tom Rhodes
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+####
+# Sample startup policy for the mac_bsdextended(4) security module.
+#
+# Suck in the system configuration variables.
+####
+if [ -z "${source_rc_confs_defined}" ]; then
+        if [ -r /etc/defaults/rc.conf ]; then
+                . /etc/defaults/rc.conf
+                source_rc_confs
+        elif [ -r /etc/rc.conf ]; then
+                . /etc/rc.conf
+        fi
+fi
+
+####
+# Set ugidfw(8) to CMD:
+####
+CMD=/usr/sbin/ugidfw
+
+####
+# WARNING: recommended reading is the handbook's MAC
+# chapter and the ugidfw(8)
+# manual page.  You can lock yourself out of the system
+# very quickly by setting incorrect values here.
+####
+
+####
+# Set the value of 'x' to system users.  This would be nice but it
+# does not get the \n proper.  Work around is used below.
+#x=`awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`;
+#l=`awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd`;
+####
+
+####
+# Build a generic list of rules here, these should be
+# modified before using this script.
+# ugidfw add 1 subject uid USER1 object uid USER2 mode n
+# ugidfw add 2 subject gid USER1 object gid USER2 mode n
+#
+# For apache to read user files, the ruleadd must give
+# it permissions by default.
+####
+${CMD} add subject uid 80 object not uid 80 mode rxws;
+${CMD} add subject gid 80 object not gid 80 mode rxws;
+
+####
+# majordomo compat:
+#${CMD} add subject uid 54 object not uid 54 mode rxws;
+${CMD} add subject gid 26 object gid 54 mode rxws;
+
+####
+# This is for root:
+${CMD} add subject uid 0 object not uid 0 mode arxws;
+${CMD} add subject gid 0 object not gid 0 mode arxws;
+
+####
+# And for mailnull:
+${CMD} add subject uid 26 object not uid 26 mode rxws;
+${CMD} add subject gid 26 object not gid 26 mode rxws;
+
+####
+# And for majordomo:
+${CMD} add subject uid 54 object not uid 54 mode rxws;
+${CMD} add subject gid 54 object not gid 54 mode rxws;
+
+####
+# And for bin:
+${CMD} add subject uid 3 object not uid 3 mode rxws;
+${CMD} add subject gid 7 object not gid 7 mode rxws;
+
+####
+# And for mail/pop:
+${CMD} add subject uid 68 object not uid 68 mode rxws;
+${CMD} add subject gid 6 object not gid 6 mode arxws;
+
+####
+# And for smmsp:
+${CMD} add subject uid 25 object not uid 25 mode rxws;
+${CMD} add subject gid 25 object not gid 25 mode rxws;
+
+####
+# And for mailnull:
+${CMD} add subject uid 26 object not uid 26 mode rxws;
+${CMD} add subject gid 26 object not gid 26 mode rxws;
+
+####
+# For cyrus:
+${CMD} add subject uid 60 object not uid 60 mode rxws;
+${CMD} add subject gid 60 object not gid 60 mode rxws;
+
+####
+# For stunnel:
+${CMD} add subject uid 1018 object not uid 1018 mode rxws;
+${CMD} add subject gid 1018 object not gid 1018 mode rxws;
+
+####
+# For the nobody account:
+${CMD} add subject uid 65534 object not uid 65534 mode rxws;
+${CMD} add subject gid 65534 object not gid 65534 mode rxws;
+
+####
+# NOTICE: The next script adds a rule to allow
+#	 access their mailbox which is owned by GID `6'.
+#	 Removing this will give mailbox lock issues.
+for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`;
+    do ${CMD} add subject uid $x object gid 6 mode arwxs;
+done;
+
+####
+# Work around majordomo problem where gid is `4'.
+for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`;
+    do ${CMD} add subject uid $x object gid 4 mode arwxs;
+done;
+
+####
+# Use some script to get a list of users and
+# add all users to mode n for all other users.  This
+# will isolate all users from other user home directories while
+# permitting them to use commands and browse the system.
+for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`;
+    do ${CMD} add subject not uid $x object uid $x mode n;
+done;
+
+###
+# Do the same thing but only for group ids in place of
+# user IDs.
+for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd`;
+    do ${CMD} add subject not gid $x object uid $x mode n;
+done;
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@ -34,7 +34,7 @@ FILES=	DAEMON LOGIN NETWORKING SERVERS \
 	serial sppp sshd swap1 \
 	syscons sysctl syslogd \
 	timed tmp \
-	usbd \
+	ugidfw usbd \
 	var vinum virecover \
 	watchdogd \
 	ypbind yppasswdd ypserv \
--- a/etc/rc.d/ugidfw
+++ b/etc/rc.d/ugidfw
@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+# PROVIDE: ugidfw
+# REQUIRE:
+# BEFORE: LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="ugidfw"
+rcvar="ugidfw_enable"
+start_cmd="ugidfw_start"
+start_precmd="ugidfw_precmd"
+stop_cmd="ugidfw_stop"
+
+ugidfw_precmd()
+{
+	if ! sysctl security.mac.bsdextended
+          then kldload mac_bsdextended
+	    if [ "$?" -ne "0" ]
+	      then warn Unable to load the mac_bsdextended module.
+	      return 1
+	else
+	  return 0
+	  fi
+	fi
+	return 0
+}
+
+ugidfw_start()
+{
+	# set the default policy script if none was specified
+	[ -z "${bsdextended_script}" ] && bsdextended_script=/etc/rc.bsdextended
+
+	if [ -r "${bsdextended_script}" ]; then
+		. "${bsdextended_script}"
+		echo -n 'MAC bsdextended rules loaded sucessfully.'
+	fi
+	echo '.'
+}
+
+ugidfw_stop()
+{
+	# Disable the policy
+	#
+	kldunload mac_bsdextended
+}
+
+load_rc_config $name
+run_rc_command "$1"