From maneo@staff.seccuris.com  Thu Feb 19 16:36:55 2004
Return-Path: <maneo@staff.seccuris.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3F0C216A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Feb 2004 16:36:55 -0800 (PST)
Received: from staff.seccuris.com (staff.seccuris.com [204.112.0.40])
	by mx1.FreeBSD.org (Postfix) with SMTP id C113743D1D
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Feb 2004 16:36:54 -0800 (PST)
	(envelope-from maneo@staff.seccuris.com)
Received: (qmail 78057 invoked by uid 1006); 20 Feb 2004 00:36:53 -0000
Message-Id: <20040220003653.78056.qmail@staff.seccuris.com>
Date: 20 Feb 2004 00:36:53 -0000
From: Christian S.J.Peron <maneo@sqrt.ca>
Reply-To: Christian S.J.Peron <maneo@sqrt.ca>
To: FreeBSD-gnats-submit@freebsd.org
Cc: trustedbsd-discuss@watson.org
Subject: [patch] MAC entry point for route manipulation
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         63096
>Category:       kern
>Synopsis:       [mac] [patch] MAC entry point for route manipulation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 19 16:40:23 PST 2004
>Closed-Date:    Tue Mar 03 15:00:07 UTC 2009
>Last-Modified:  Tue Mar 03 15:00:07 UTC 2009
>Originator:     Christian S.J. Peron
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
>Environment:
System: FreeBSD  5.2-CURRENT FreeBSD 5.2-CURRENT #11: Thu Feb 19 05:26:09 GMT 2004     cperon@:/usr/src/sys/i386/compile/ROUTER  i386 


	
>Description:
	Currently there is no way to restrict routing table manipulation from
	userspace using the MAC framework.

	I think it would be beneficial to have this functionality.
	I have tested this in a static environment, meaning the routes
	on this box did not change on a regular basis.

	The following patch(s) define a hook which is invoked by 
	rt_output() in rtsock.c for the MAC framework.

>How-To-Repeat:
	N/A
>Fix:

--- sys/sys/mac.h.bak	Thu Feb 19 03:44:47 2004
+++ sys/sys/mac.h	Thu Feb 19 03:44:02 2004
@@ -278,6 +278,7 @@
 int	mac_check_system_acct(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_nfsd(struct ucred *cred);
 int	mac_check_system_reboot(struct ucred *cred, int howto);
+int	mac_check_system_route_alter(struct ucred *cred);
 int	mac_check_system_settime(struct ucred *cred);
 int	mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
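Review bot: mac_check_system_route_alter() takes only a struct ucred *, so a policy can make nothing finer than an all-or-nothing decision per subject; it cannot see the rtm_type or the route being changed. Consider passing the routing message (or at least its type) alongside the credential, and add a short comment saying when the check is invoked.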
--- sys/sys/mac_policy.h.bak	Thu Feb 19 03:45:32 2004
+++ sys/sys/mac_policy.h	Thu Feb 19 16:35:12 2004
@@ -356,6 +356,7 @@
 		    struct vnode *vp, struct label *vlabel);
 	int	(*mpo_check_system_nfsd)(struct ucred *cred);
 	int	(*mpo_check_system_reboot)(struct ucred *cred, int howto);
+	int	(*mpo_check_system_route_alter)(struct ucred *cred);
 	int	(*mpo_check_system_settime)(struct ucred *cred);
 	int	(*mpo_check_system_swapon)(struct ucred *cred,
 		    struct vnode *vp, struct label *label);
--- sys/security/mac/mac_system.c.bak	Thu Feb 19 01:17:26 2004
+++ sys/security/mac/mac_system.c	Thu Feb 19 16:31:13 2004
@@ -152,6 +152,19 @@
 }
 
 int
+mac_check_system_route_alter(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_system_route_alter, cred);
+
+	return(error);
+}
+
+int
 mac_check_sysarch_ioperm(struct ucred *cred)
 {
 	int error;
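Review bot: the added function ends with return(error); while its own early exit a few lines up is written return (0);. Use return (error); so the new code is consistent with itself. A brief comment above the function stating what operation it authorizes would also help policy authors.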
--- sys/net/rtsock.c.orig	Thu Nov 20 20:07:37 2003
+++ sys/net/rtsock.c	Thu Feb 19 16:33:10 2004
@@ -38,6 +38,7 @@
 #include <sys/domain.h>
 #include <sys/kernel.h>
 #include <sys/jail.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
@@ -52,6 +53,8 @@
 #include <net/raw_cb.h>
 #include <net/route.h>
 
+#include "opt_mac.h"
+
 MALLOC_DEFINE(M_RTABLE, "routetbl", "routing tables");
 
 /* NB: these are not modified */
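Review bot: "opt_mac.h" is included after <sys/mac.h> and every other header in the file, so any of those headers that tests MAC is preprocessed with the option undefined; only the #ifdef MAC in the body of this file is guaranteed to see it. Move the include to the top of the include block, ahead of the <sys/...> headers.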
@@ -343,6 +346,12 @@
 	 */
 	if (rtm->rtm_type != RTM_GET && (error = suser(curthread)) != 0)
 		senderr(error);
+
+#ifdef MAC
+	error = mac_check_system_route_alter(curthread->td_ucred);
+	if (error)
+		return(error);
+#endif
 
 	switch (rtm->rtm_type) {
 		struct rtentry *saved_nrt;
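Review bot: the added error path uses return(error); where the check immediately above it uses senderr(error), so a MAC denial skips whatever cleanup and reply handling senderr performs; use senderr(error) here as well. The new check also sits outside the rtm_type != RTM_GET condition, so read-only RTM_GET requests are subject to a hook named route_alter; either fold the call into that condition or rename the hook to match what it covers.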
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Tue Feb 24 11:00:22 PST 2004 
Responsible-Changed-Why:  
Take ownership of this as it's a MAC Framework related issue.  My 
only comment so far is that it seems reasonable, but we might want 
to consider naming it mac_check_route_alter() and use this as a 
jumping off point to consider other restrictions in the routing 
table, as well as hypothesize about policy routing. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=63096 

From: "Christian S.J. Peron" <maneo@bsdpro.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/63096: [patch] MAC entry point for route manipulation
Date: Fri, 27 Feb 2004 23:53:17 +0000

 I have made some changes to my original patch group.
 This patch passes the calling cred and socket labels
 to the entry point, as well as a pointer to the mbuf
 and socket structure the routing message arrived from.
 
 This should give MAC policy developers most of the useful
 information they would require.
 
 Anyone else have any suggestions?
 
 --- sys/sys/mac.h.bak	Thu Feb 19 03:44:47 2004
 +++ sys/sys/mac.h	Fri Feb 27 19:44:20 2004
 @@ -265,6 +265,7 @@
  int	mac_check_proc_sched(struct ucred *cred, struct proc *proc);
  int	mac_check_proc_signal(struct ucred *cred, struct proc *proc,
  	    int signum);
 +int	mac_check_route_alter(struct mbuf *m, struct socket *so);
  int	mac_check_socket_bind(struct ucred *cred, struct socket *so,
  	    struct sockaddr *sockaddr);
  int	mac_check_socket_connect(struct ucred *cred, struct socket *so,
 --- sys/sys/mac_policy.h.bak	Thu Feb 19 03:45:32 2004
 +++ sys/sys/mac_policy.h	Fri Feb 27 19:47:27 2004
 @@ -331,6 +331,8 @@
  		    struct proc *proc);
  	int	(*mpo_check_proc_signal)(struct ucred *cred,
  		    struct proc *proc, int signum);
 +	int	(*mpo_check_route_alter)(struct mbuf *m, struct socket *so,
 +		    struct label *cr_label, struct label *so_label);
  	int	(*mpo_check_socket_bind)(struct ucred *cred,
  		    struct socket *so, struct label *socketlabel,
  		    struct sockaddr *sockaddr);
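Review bot: mpo_check_route_alter hands the policy a raw struct mbuf *m, so every policy has to locate and parse the routing message itself. Passing the decoded struct rt_msghdr (or at least its type) would keep that parsing in one place; either way the entry needs a comment stating what m contains and whether the policy may modify it.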
 --- sys/security/mac/mac_net.c.bak	Thu Feb 19 01:14:24 2004
 +++ sys/security/mac/mac_net.c	Fri Feb 27 19:43:28 2004
 @@ -776,6 +776,20 @@
  }
  
  int
 +mac_check_route_alter(struct mbuf *m, struct socket *so)
 +{
 +	int error;
 +
 +	if (!mac_enforce_network)
 +		return (0);
 +
 +	MAC_CHECK(check_route_alter, m, so, so->so_cred->cr_label,
 +		so->so_label);
 +
 +	return (error);
 +}
 +
 +int
  mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
      struct sockaddr *sockaddr)
  {
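Review bot: the subject label passed to MAC_CHECK is so->so_cred->cr_label, which is the credential recorded when the socket was created, not that of the thread sending the message. If a routing socket is inherited by or handed to another process, the decision is made against the wrong subject. Take a struct ucred * argument, as mac_check_socket_bind() just below does, and have the caller pass the sending thread's credential (the first version of the patch used curthread->td_ucred).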
 --- sys/net/rtsock.c.orig	Thu Nov 20 20:07:37 2003
 +++ sys/net/rtsock.c	Fri Feb 27 19:48:30 2004
 @@ -38,6 +38,7 @@
  #include <sys/domain.h>
  #include <sys/kernel.h>
  #include <sys/jail.h>
 +#include <sys/mac.h>
  #include <sys/malloc.h>
  #include <sys/mbuf.h>
  #include <sys/proc.h>
 @@ -52,6 +53,8 @@
  #include <net/raw_cb.h>
  #include <net/route.h>
  
 +#include "opt_mac.h"
 +
  MALLOC_DEFINE(M_RTABLE, "routetbl", "routing tables");
  
  /* NB: these are not modified */
 @@ -296,6 +299,13 @@
  		return (ENOBUFS);
  	if ((m->m_flags & M_PKTHDR) == 0)
  		panic("route_output");
 +
 +#ifdef MAC
 +	error = mac_check_route_alter(m, so);
 +	if (error)
 +		return (error);
 +#endif
 +
  	len = m->m_pkthdr.len;
  	if (len < sizeof(*rtm) ||
  	    len != mtod(m, struct rt_msghdr *)->rtm_msglen) {
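Review bot: mac_check_route_alter(m, so) is called before the len < sizeof(*rtm) and rtm_msglen checks that follow it, so the policy receives an mbuf whose length has not been validated and cannot safely read a struct rt_msghdr from it. Move the call below the length validation. At this point the message type has not been examined either, so the hook fires for every routing message, not only those that alter the table, which does not match its name.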
Responsible-Changed-From-To: rwatson->csjp 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sun Jan 13 16:04:04 UTC 2008 
Responsible-Changed-Why:  
Assign to originator since he is now burdened with a commit bit. 

Is this already covered by a priv(9) check?  If not, perhaps it should be, 
rather than an explicit entry point? 


State-Changed-From-To: open->closed 
State-Changed-By: csjp 
State-Changed-When: Tue Mar 3 14:59:31 UTC 2009 
State-Changed-Why:  
I submitted this PR a long time ago. This is not the right solution 
to this problem. 

>Unformatted:
