authorIan Lepore <ian@FreeBSD.org>2018-07-19 23:55:29 +0000
committerIan Lepore <ian@FreeBSD.org>2018-07-19 23:55:29 +0000
commit3496c981ac86b0541bdbc9a211f7847a97df008d (patch)
treeb0b83197f84809480a40d805bbdbfa95fc14cc9b /sys
parentdbe8ed38bf5f7a05e4763a7bde69651e30e6c321 (diff)
Diffstat (limited to 'sys')
-rw-r--r--sys/conf/NOTES1
-rw-r--r--sys/conf/files1
-rw-r--r--sys/conf/options1
-rw-r--r--sys/modules/Makefile1
-rw-r--r--sys/modules/mac_ntpd/Makefile8
-rw-r--r--sys/security/mac_ntpd/mac_ntpd.c77
6 files changed, 89 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index b91cda327e14..42291898cd97 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1193,6 +1193,7 @@ options MAC_IFOFF
options MAC_LOMAC
options MAC_MLS
options MAC_NONE
+options MAC_NTPD
options MAC_PARTITION
options MAC_PORTACL
options MAC_SEEOTHERUIDS
diff --git a/sys/conf/files b/sys/conf/files
index de14eee1adb5..a2a9b912438f 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -4887,6 +4887,7 @@ security/mac_ifoff/mac_ifoff.c optional mac_ifoff
security/mac_lomac/mac_lomac.c optional mac_lomac
security/mac_mls/mac_mls.c optional mac_mls
security/mac_none/mac_none.c optional mac_none
+security/mac_ntpd/mac_ntpd.c optional mac_ntpd
security/mac_partition/mac_partition.c optional mac_partition
security/mac_portacl/mac_portacl.c optional mac_portacl
security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
diff --git a/sys/conf/options b/sys/conf/options
index 147dddf9e4f7..f1b132cc7a43 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -158,6 +158,7 @@ MAC_IFOFF opt_dontuse.h
MAC_LOMAC opt_dontuse.h
MAC_MLS opt_dontuse.h
MAC_NONE opt_dontuse.h
+MAC_NTPD opt_dontuse.h
MAC_PARTITION opt_dontuse.h
MAC_PORTACL opt_dontuse.h
MAC_SEEOTHERUIDS opt_dontuse.h
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
index 09b3d7835f04..f4f9ad02328c 100644
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -230,6 +230,7 @@ SUBDIR= \
mac_lomac \
mac_mls \
mac_none \
+ mac_ntpd \
mac_partition \
mac_portacl \
mac_seeotheruids \
diff --git a/sys/modules/mac_ntpd/Makefile b/sys/modules/mac_ntpd/Makefile
new file mode 100644
index 000000000000..07a6880a54a0
--- /dev/null
+++ b/sys/modules/mac_ntpd/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+.PATH: ${SRCTOP}/sys/security/mac_ntpd
+
+KMOD= mac_ntpd
+SRCS= mac_ntpd.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_ntpd/mac_ntpd.c b/sys/security/mac_ntpd/mac_ntpd.c
new file mode 100644
index 000000000000..7a586e94b9f1
--- /dev/null
+++ b/sys/security/mac_ntpd/mac_ntpd.c
@@ -0,0 +1,77 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, ntpd, CTLFLAG_RW, 0,
+ "mac_ntpd policy controls");
+
+static int ntpd_enabled = 1;
+SYSCTL_INT(_security_mac_ntpd, OID_AUTO, enabled, CTLFLAG_RWTUN,
+ &ntpd_enabled, 0, "Enable mac_ntpd policy");
+
+static int ntpd_uid = 123;
+SYSCTL_INT(_security_mac_ntpd, OID_AUTO, uid, CTLFLAG_RWTUN,
+ &ntpd_uid, 0, "User id for ntpd user");
+
+static int
+ntpd_priv_grant(struct ucred *cred, int priv)
+{
+
+ if (ntpd_enabled && cred->cr_uid == ntpd_uid) {
+ switch (priv) {
+ case PRIV_ADJTIME:
+ case PRIV_CLOCK_SETTIME:
+ case PRIV_NTP_ADJTIME:
+ case PRIV_NETINET_RESERVEDPORT:
+ case PRIV_NETINET_REUSEPORT:
+ return (0);
+ default:
+ break;
+ }
+ }
+ return (EPERM);
+}
+
+static struct mac_policy_ops ntpd_ops =
+{
+ .mpo_priv_grant = ntpd_priv_grant,
+};
+
+MAC_POLICY_SET(&ntpd_ops, mac_ntpd, "MAC/ntpd",
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
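Review bot: The grant in ntpd_priv_grant is keyed on nothing but cred->cr_uid, so every process running as the configured uid — not only ntpd — can set the system clock and bind any reserved port, and the new file carries no comment stating that trust boundary. A header comment above the sysctl declarations would make it explicit: `/* Grants clock and reserved-port privileges to every process running as security.mac.ntpd.uid; the uid, not the binary, is the trust anchor, so nothing else should run as that user. */`. The default of 123 is also a bare magic number; presumably it matches the ntpd account in the base system's master.passwd, which the sysctl description string could say. Minor: ntpd_uid is a signed int compared against the unsigned uid_t cr_uid, so a negative value written to the sysctl silently wraps to a large uid; declaring it `static unsigned int ntpd_uid = 123;` and exporting it with `SYSCTL_UINT` instead of `SYSCTL_INT` would close that off.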